Online Theft

Pubdate: Thu, 15 Dec 2005
Source: USA Today (US)
Page: 1A - Front Page Feature Article
Copyright: 2005 USA TODAY, a division of Gannett Co. Inc
Contact:  http://www.usatoday.com/printedition/news/index.htm
Details: http://www.mapinc.org/media/466
Author: Byron Acohido and Jon Swartz, USA TODAY
Bookmark: http://www.mapinc.org/meth.htm (Methamphetamine)
Bookmark: http://www.mapinc.org/find?241 (Methamphetamine - Canada)

METH ADDICTS' OTHER HABIT: ONLINE THEFT

Methamphetamine Addicts Skilled in Identity Theft Are Turning to 
Computers and the Internet to Expand Their Reach.

USA TODAY Examines the Inner Workings of One Small Ring of Addicts 
Who Began Partnering With Global Internet Crime Groups to Trade in 
Stolen Identity Data and Launder Hijacked Funds.

EDMONTON, Alberta -- Hot on the trail of identity thieves, veteran 
Edmonton Police Service detectives Al Vonkeman and Bob Gauthier last 
winter hustled to a local motel, a cinder-block establishment where 
rooms rent by the hour.

Twice before, police had descended on locations in Edmonton and 
Calgary, 200 miles away, chasing down a tip about someone accessing a 
dial-up Internet account linked to an e-mail folder full of stolen 
identity data. Each time, the user logged off and vacated the 
premises before police arrived.

This time the motel's manager told the detectives that the phone in 
Room 24 was in use. As Vonkeman and Gauthier prepared to bust down 
the door, out strolled a garrulous drug addict, 25, whom they'd 
arrested before, followed by a younger man -- a 21-year-old computer 
whiz -- both sky-high on methamphetamine.

Inside Room 24 the detectives found meth pipes, stolen credit cards, 
notebooks with handwritten notations about fraudulent transactions 
and printouts of stolen identity data. The distinctive smell of 
street meth pervaded the air. "They were just starting to set up," 
recalls Vonkeman, an economic crimes analyst.

On the motel room bed, connected to a wall phone jack, a laptop 
computer was downloading something. Before going to work on stolen ID 
data, the younger man was downloading the latest version of his 
favorite video game. "But it was a dial-up modem, so it was taking 
forever," says Gauthier, a veteran drug unit detective.

Vonkeman, 44, and Gauthier, 48, had flushed out the roving nerve 
center of a loose-knit ring of meth addicts running identity-theft 
scams. Evidence in the motel room would ultimately lead them to a 
much bigger revelation: The Edmonton ring had gone global.

It no longer relied solely on dumpster-diving, mailbox-pilfering 
street addicts to supply stolen credit cards, checks and account 
statements, the grist for local thefts. Instead, it had advanced to 
complex joint ventures, conducted over the Internet, in partnership 
with organized cybercrime rings outside the country.

What's happening in Edmonton is happening to one degree or another in 
communities across the USA and Canada -- anywhere meth addicts are 
engaging in identity theft and can get on the Internet, say police, 
federal law enforcement officials and Internet security experts.

Internet Relay Chat channels, private areas on the Internet where 
real-time text messaging takes place, are rife with communications 
between organized cybercrime groups and meth users and traffickers 
discussing how they can assist each other. "It's big time," says San 
Diego-based security consultant Lance James, who monitors IRC channels.

Such collaboration seems almost preordained. "This hits at the 
intersection of two of the more complex law enforcement 
investigations: computer crimes and drug crimes," says Howard 
Schmidt, CEO of R&H Security Consulting and former White House 
cyber-security adviser.

Identity theft has fast become the crime of preference among meth 
users for three reasons: It is non-violent, criminal penalties for 
first-time offenders are light -- usually a few days or weeks in jail 
- -- and the use of computers and the Internet offers crooks anonymity 
and speed with which to work. Meth is a cheap, highly addictive 
street derivative of amphetamine pills; it turns users into 
automatons willing to take on risky, street-level crime.

Meanwhile, global cybercrime groups control e-mail phishing attacks, 
keystroke-stealing Trojan horse programs and insider database thefts 
that swell the pool of stolen personal and financial information. 
They also have ready access to hijacked online-banking accounts. But 
converting assets in compromised accounts into cash is never easy. 
That's where the meth users come in.

Sophisticated meth theft rings, like the one in Edmonton, control 
local bank accounts -- and underlings who are willing to extract 
ill-gotten funds from such accounts. The two men at the seedy motel 
were helping outside crime groups link up with local accounts under 
their control when a tipster guided police to them in December 2004.

Edmonton police granted USA TODAY exclusive access to cases 
investigated by Vonkeman and Gauthier from early 2003 to the present. 
The newspaper examined police evidence files and interviewed two 
central ring members, ages 37 and 22. In this story, they are 
referred to as Mary and Frank.

Police set up the interviews but required that the suspects' real 
names, as well as the true identities of the two men arrested at the 
motel, be withheld for the safety of the individuals and to preserve 
the integrity of ongoing investigations. In this story, the two men 
arrested at the motel are called Martin and Socks -- not their real names.

Police participated in USA TODAY'S phone interviews with Mary and 
Frank, then arranged for a reporter to interview Mary in person, with 
no police present. She took the reporter on a daylong tour of 
locations in Edmonton where the ring had committed ID thefts and fraud.

What emerges is the tale of how one cadre of meth addicts, from 
ordinary backgrounds, found extraordinary ways to steal and 
manipulate sensitive personal and financial data -- data they 
discovered to be rather haphazardly protected. Here is their story:

Mary had to think quickly. The security guard had appeared out of 
nowhere. She was sitting in her black sedan, waiting for Frank to 
yank garbage bags out of a dumpster behind Neiman Marcus' Edmonton 
call center, where the upscale U.S. retailer routes calls from customers.

A soft-spoken, attractive blonde with a friendly demeanor, Mary 
passed herself off as an absent-minded employee hunting for a lost 
day-planner. She sweet-talked the guard into helping Frank load bags 
into the sedan. "He says, 'Oh I'll help you, maybe it's in one of 
these,' " she recalled during an interview conducted while showing a 
reporter dumpsters she helped scope.

Mary, 37, met Frank in the summer of 2003 through her boyfriend, a 
meth dealer who was Frank's supplier. Up until her divorce in 2001, 
Mary says, she was a "model citizen": She was college-educated and 
had two children and a management career. But then her marriage hit 
the skids. Her boyfriend, the meth dealer, "was domineering, and I 
was vulnerable from the divorce," she says.

Frank, 22, passionate, creative but easily manipulated, says he 
became a meth addict at age 14. He quickly demonstrated a high 
aptitude for committing fraud. A fellow addict who was an employee of 
Canadian cellphone company Rogers Communications showed him how to 
open new cellphone accounts over the phone and on the Internet, using 
data from customer records plucked from Rogers' dumpsters.

As a high school student, Frank had possession of stolen cellphones 
to use and sell. He soon advanced to using stolen credit card numbers 
to shop online. He found that he loved manipulating data on his 
computer almost as much as conning customer-service reps over the 
phone. "I needed to feed my drug habit and make a living," Frank said 
in a phone interview from an Edmonton police station in October. 
"That's when I began to look into using my PC."

During the summer and fall of 2003, the Neiman Marcus call center was 
a favorite stop on a route of dumpsters Mary and Frank mined behind 
banks, trust companies, telecom companies, hotels, car rental 
agencies, restaurants, video rental stores -- anywhere a business 
might throw out paperwork.

Neiman Marcus spokeswoman Ginger Reeder says no records of sensitive 
customer information are printed out at the call center. If any such 
information made it into the trash, "It would be a breach of company 
policy and an isolated incident," says Reeder.

Frank and Mary say their dumpster route yielded copies of credit card 
transactions, loan applications, customer-service reports, employee 
manuals and internal phone directories -- all with potentially useful 
information. "Nothing was shredded," says Frank. "All the information 
you wanted was (in the dumpsters)."

One dumpster behind a call center in suburban Mill Woods proved to be 
a jackpot. In a nondescript strip mall just two blocks from the 
spacious three-bedroom apartment where Frank lived with his divorced 
dad, it brimmed with valuable data. The company using the dumpster, 
Convergys, often tossed out paperwork related to customer-service 
calls from Sprint cellphone subscribers in the USA, Mary says.

"We'd get credit check information from Equifax, credit card numbers 
to make payments, Social Security numbers, date of birth, addresses," 
Mary says. "They would make a printout, then just throw it out."

Convergys spokeswoman Lauri Roderick disputes Mary's account. The 
Cincinnati-based company has a "strict clean-desk policy" that 
requires shredding of any sensitive paperwork, she says. And Sprint 
customer-service calls, she says, were never handled by the 1,200 
workers at the Mill Woods facility, one of 14 in Canada. "We're 
confident there has been no breach in security of our customers' 
data," Roderick says.

Mary's management skills and Frank's computer savvy were a profitable 
match. By late 2003, they had delegated dumpster diving to others and 
concentrated on fine-tuning schemes to make the most of pilfered 
data. They became adept at developing what they referred to as "full profiles."

Given just a name and home address, Mary would dispatch a street 
addict to the residence with instructions to scour the occupant's 
garbage for bank statements (a big score) or even a debit card 
receipt (still valuable). Depending on whether the victim was a woman 
or man, she or Frank would phone the victim's bank and pose as the customer.

If the bank rep asked for a recent transaction as proof of identity, 
information from a receipt plucked from the garbage, along with a bit 
of improvised play acting, often sufficed to win the rep's help. They 
could then change a billing address, request a replacement debit card 
and PIN number, apply for credit cards and credit line increases, and 
add other account users.

Frank used stolen credit card numbers to order the tools of their 
trade online: computers, graphics software to manufacture fake IDs, 
and online services, such as Vonage phone accounts. Vonage, like 
other Internet-based phone services, allows subscribers to pick any 
area code they want. That's useful for ID thieves who want to take 
control of financial accounts surreptitiously. Mary could order up 
area codes matching those of the location of breached accounts 
outside of Edmonton. The numbers appeared to be local, but actually 
routed back to her.

Stolen credit card numbers, Social Security numbers, and Canadian 
Social Insurance Numbers emerged as valuable commodities. Frank 
progressed to buying and selling them online. He maneuvered his way 
onto Internet Relay Chat channels where such trading takes place, and 
began transacting with crime rings in Romania, Austria and Egypt. 
"Whatever you wanted to buy or sell, it was there," he says.

Meanwhile, Mary and Martin, a longtime fixture in the Edmonton meth 
crowd, focused on assembling a street-level distribution network. 
Martin, 25, from a well-to-do family, had a knack for recruiting 
underlings. "If he was in the business world, he'd be a headhunter," 
Detective Vonkeman says.

Soon the Edmonton ring controlled a matrix of local bank accounts, 
some stolen, some opened by addicts using their real names, others 
opened by addicts using assumed identities and fake IDs supplied by Frank.

Mary, Frank and Martin began to test financial websites. They 
exploited e-mail cash transfers -- a service offered by Canadian 
banks, by which account holders can conveniently e-mail up to $1,000 
to an individual.

They sent runners to withdraw cash from ATMs just before and after a 
unit was serviced late at night, thus getting two days' of maximum 
withdrawals in the same hour. They set up shell companies to exploit 
bill-paying services that allow online payments of up to $10,000 to 
business accounts.

And they tapped online payment services, like PayPal and NETeller, to 
bypass the 48-hour hold on international bank-to-bank cash transfers.

They stayed awake for days at a time in hotel rooms or dingy 
residences -- called sketch pads -- where meth addicts congregated. 
The three of them plotted intricate variations of scams or concocted 
wild, blockbuster capers. Sleep-deprived, they were paranoid about 
two things: the police and their larcenous fellow addicts.

Frank migrated from sketch pad to sketch pad, rarely going home to 
his father's apartment. "I stayed until the cops knocked on the door 
- -- or someone ripped me off," Frank says.

Mary often fantasized about a big score that would give her the 
impetus to return to a normal life.

"But nothing ever got really big," she says. "Somebody rips you off, 
or you never collect what you're owed. You feel like you can do 
anything (when high on meth). But you can't stay focused. You lose 
your train of thought. You have to move fast when you're doing fraud, 
and speeders don't move fast."

By the time 2003 drew to a close, Frank had been arrested twice and 
released on bail. A judge ordered him to avoid contact with the meth 
crowd and banned him from using a computer.

Frank was trying to stay low when Mary introduced him to Socks, an 
acquaintance. Then 20, Socks was idle and had time on his hands. He 
had never used meth or committed ID theft. But he had just been laid 
off from his job as a computer technician.

A somewhat introverted video game fanatic, Socks began smoking 
crystal meth and associating with Mary, Frank and Martin. When the 
extroverted Frank bragged about his prowess at scams, Socks paid 
close attention. Then he began delving deeper than Frank ever did.

Socks began wheeling and dealing with cybercrime rings in Quebec, 
Romania and Egypt via Internet Relay Chat channels. "What we saw with 
Socks was interactions that were more with the dark side of the 
Internet," Vonkeman says.

The global contacts Socks developed put the Edmonton ring in a 
position to make a profound transition. Instead of going through the 
labor-intensive process of building profiles of local marks, it began 
to buy ready-made full profiles of identity theft victims in the USA.

Milking a victim from Tallahassee, Fla., had become as easy as 
bilking someone from nearby Banff. Mary could easily attach a Vonage 
IP phone number, say, with a Tallahassee area code, onto a hijacked 
account and use PayPal or Western Union to transfer funds across 
international borders.

Besides, going after U.S. victims seemed less risky; and the going 
rate for a full profile of a U.S. consumer seemed a bargain: $200 
American for data that typically included the mark's bank account 
password, credit card number with security code, even his or her 
Social Security number.

It was such a good deal, Martin insisted on using clean money sent 
via Western Union to make the purchase. "We didn't want to screw it 
up and use fraud money that might get them caught," Mary says.

The Edmonton ring also began helping outside crime groups launder 
hijacked funds through local bank accounts. A street addict would 
take the last -- and riskiest -- step: making a cash withdrawal. 
Martin would use Western Union to wire some of the cash back to the 
crime group and divide the rest locally.

Yet, the maxim "there is no honor among thieves" has never been truer 
than with meth addicts. "They're very networked and quite social, but 
when you arrest and debrief these people, they'll give you a ton of 
information," Vonkeman says.

Someone ratted out Frank in the summer of 2004, leading to his third 
arrest -- and an 11-month jail sentence. Mary and Martin got arrested 
multiple times at sketch pad raids. Released on bail, they'd lie low 
for a few weeks before starting up again. Meanwhile, copycat cells 
cropped up to try to imitate their success.

"It's like plugging your finger in the dike," Gauthier says. "For all 
the people we catch and take out of action, there could be 10 more 
networking and already starting to form another cell."

Socks was arrested three times in an eight-month span. He is now 
serving a two-year sentence for various drug and theft crimes.

Until his initial arrest at the motel in December 2004, Socks had 
been a mystery figure to Vonkeman and Gauthier. The detectives heard 
rumors about a new techie on the scene with access to thousands of 
credit card numbers. But Socks had no rap sheet, nothing, really, to 
tie him to the meth crowd.

He was also clever. Socks knew investigators could monitor Internet 
traffic going into and out of his laptop computer, so he had made it 
a point to move around.

For two months in early 2004, Socks, Mary and a friend of Frank's 
worked from inside a plush GMC camper van parked in an alley 
alongside a rundown, three-story apartment building a half-mile from 
downtown Edmonton.

Socks extended a phone cable from the van, down a stairwell to the 
building's telephone-access panel. When a tenant left for work or 
appeared to be sleeping, he'd patch into the person's phone line to 
get on the Internet. "We needed a safe place to use the computer, and 
it was so nice in there," Mary says.

As an extra precaution, Socks stored nothing of importance on his 
laptop's hard drive. He uploaded all incriminating stolen identity 
data to an e-mail folder that came with the dial-up Internet account 
he'd been given by a fellow addict who worked for an Internet service provider.

But when that accomplice got arrested on another criminal matter, the 
accomplice promptly disclosed the existence of the account. Vonkeman 
asked the Internet service provider to leave the account open and 
alert him anytime anyone logged on.

Ironically, it was that e-mail folder, Socks' protective buffer, that 
drew Vonkeman and Gauthier to the motel to see who had logged on.

Released on bail soon after the motel arrest, Socks skipped a court 
appearance and was on the run until Gauthier arrested him again last 
March. He had become more involved than ever with overseas cybercrooks.

On his person Socks had a slip of paper with log-ons and passwords 
for 15 hijacked Canadian bank accounts, which he said came from 
Romanian cybercrooks, including one account with access to six 
figures' worth of funds. Police believe the accounts served partly as 
a show of good faith to cement a partnership with the Edmonton ring.

Sentenced to house arrest after pleading guilty on several drug- and 
fraud-related counts after the March incident, Socks took off again, 
Gauthier says.

Then last July, an informant guided Gauthier to a north Edmonton 
apartment where the detective caught Socks in the act of using a 
laptop computer to manufacture fake IDs.

Socks reacted calmly, Gauthier says. "He says, 'Hi, Bob. I've been 
wondering when you were coming to get me.' " 
- ---
MAP posted-by: Richard Lake