Extra tool could offer one additional charge for cybercriminals
By Eric Tucker
Associated Press
WASHINGTON (AP) — Working to combat an increasingly lucrative crime that crosses national boundaries, Justice Department officials are pressing for a new law to help them prosecute criminals overseas who traffic in stolen credit cards.
Authorities say the current law is too weak because it allows people in other countries to avoid prosecution if they buy and sell stolen card data entirely outside the United States.
The Justice Department is asking Congress to amend the law to make it illegal for an international criminal to possess, buy or sell a stolen credit card issued by a U.S. bank no matter where in the world the transaction occurs.
Though prosecutors do have existing tools and have brought international cybertheft cases in the past year, the Justice Department says a new law is needed at a time when criminals operating largely in Eastern Europe are able to gobble up millions of stolen credit card numbers and commit widespread fraud in a matter of mouse clicks. Companies and banks, too, have been stung by faraway hackers who have siphoned away personal information.
“It’s a very simple fix, and it makes perfect sense to fix it,” Assistant Attorney General Leslie Caldwell, the Justice Department’s criminal division chief, said in an interview. “This is a huge law enforcement issue when it’s our financial institutions and our citizens’ credit card data that’s being stolen ... by overseas people who never set foot in the United States.”
The problem, though certainly not new, has evolved to the point that “a lot of these folks who are trafficking in these devices are overseas,” Caldwell said.
The issue is more than hypothetical, Caldwell told a Senate subcommittee, as law enforcement agencies have identified criminals in other nations who are selling large quantities of stolen credit cards without passing the business through the U.S.
Officials say the crime is facilitated by online marketplaces where participants, cloaked in the anonymity of the Internet and trading data with the ease of eBay commodities, advertise, buy and sell credit card information stolen in data breaches. The credit cards are valued at different prices, generally depending on the balance, and swapped on web forums that often operate in foreign languages and are primarily hosted in non-U.S. countries.
The cards are sometimes used to purchase valuable goods and sometimes converted into gift cards, Caldwell said. Some schemes dispatch bands of criminals to make withdrawals from automated teller machines.
“It’s a well built-up and sophisticated marketplace,” said Chris Wysopal, a computer security expert and chief technology officer of the software-security firm Veracode.
The legislative request comes as prosecutors deal, more generally, with a growing cybercrime threat. Several recent cases illustrate the ease with which cybercriminals have managed to steal personal information.
In June, prosecutors brought charges against a prolific Russian hacker accused of running an operation that infected computers with malicious software, captured bank account numbers and passwords and then siphoned away millions of dollars. The man, Evgeniy Bogachev, remains at large.
The following month, authorities arrested the son of a Russian lawmaker on charges that he hacked into computerized cash registers and stole hundreds of thousands of credit card numbers. Roman Seleznev has pleaded not guilty in federal court in Seattle.
The Justice Department is hardly toothless in fighting the illegal sale of credit cards and has been able to make do with current statutes. Existing law would cover, among other crimes, anyone abroad who hacks into a U.S. computer, uses a stolen credit card inside the U.S. or transfers money into the country. And prosecutors can still bring a conspiracy charge when they can prove the suspect is part of a broader operation that reaches into the U.S.
But authorities say the loophole surfaced in the case of Vladislav Horohorin, an international credit card trafficker arrested in France in 2010 for his role in the theft of more than $9 million from an Atlanta-based credit card processor. He was ultimately convicted for crimes committed in the United States, including selling stolen credit cards to an undercover agent, but the 2.5 million credit cards he was found with at the time of his arrest were not, by themselves, enough for a prosecution.
Given the difficulty of locating and arresting foreign hackers, it’s unlikely that any expanded cybercrime law would open the door to substantially more prosecutions. But an extra tool could offer one additional charge for cybercriminals who are actually caught.
“The likelihood that a hacker in Russia can be brought to prosecution in the United States is very low,” said Thomas Holt, an associate professor and cyberhacking expert at Michigan State University. “Any mechanism that can be employed to improve the potential for prosecution is absolutely a necessity at this point.”
Caldwell laid out the dilemma in a July appearance before the Senate Judiciary crime and terrorism subcommittee. The panel’s chairman, Sen. Sheldon Whitehouse, D-R.I., was interested in addressing the problem as part of a bill targeting “botnets” — networks of computers infected with malicious software — he was drafting with Sen. Lindsey Graham, R-S.C., his office said.
Even though the criminal conduct occurs outside the country’s borders, its impact is still felt by U.S. banks and financial institutions, Caldwell said in the interview.
“These credit cards are basically the key to the American financial system for these people, and they can just unlock people’s accounts and take their money,” she said.