Future Crimes

by Marc Goodman


  Fatal System Error

  We now live in an “in screen we trust” world. We look first and foremost to computers for guidance and direction. We depend on screens to give us answers, and all too infrequently do we question the results. But if your programming is poor or your primary data incorrect, these errors will be reflected in the results you receive. Garbage in, garbage out is one of the axioms of computer science. In the past, our limited reliance on technology insulated and protected us from many of these mistakes. In the age of big data, however, the calculus has shifted—big-time. We are all affected by database errors in one way or another, and the implications of these inaccuracies are growing every day. According to the Federal Trade Commission, nearly 25 percent of all consumer credit reports contain errors, and data brokers such as Acxiom have admitted that 30 percent of the data they maintain on you may be inaccurate.

  When the forty million to fifty million Americans affected by these errors attempt to rent an apartment, buy a car, get a mortgage, or apply for a job, they soon discover that somebody else’s mistake has now become their nightmare. If “according to our computer” you are a credit risk, you are, no ifs, ands, or buts. Today, millions of decisions are made every day with faulty, incomplete, or imprecise data, often with no further verification. If the problem were limited to credit reports, it might be tolerable, if only barely. But living in the land of “in screen we trust” means computer errors can affect not only your finances but also your life and your liberty.

  As the world of medicine rushes to digitize patient records in an effort to save money, improve efficiency, and yield new big-data insights on disease, there has been an unintended cost: accuracy. Tens of millions of electronic medical records contain incorrect information about patients, and erroneous data on computer screens can quite literally kill. Gary Foster, a twenty-seven-year-old from Essex, England, died at University College Hospital in London when a glitch in the facility’s computer system meant the young man received an overdose of cancer drugs during his stay. The hospital staff, following an inaccurately entered prescription order, provided him with lethal doses of chemotherapy for his testicular cancer treatments. Not only can too much faith in computer screens kill, but also it can have a deleterious impact on public safety.

  In California, a computer glitch led to the release of 450 dangerous criminals after a system error directed prison guards to set some of the state’s most violent offenders free. Gang members, rapists, armed robbers, and inmates classified as having a “high risk for violence” walked out of prisons statewide because officials accepted the information on their screens as the truth. Of course, errors in criminal justice data are common, and these mistakes not only free the guilty but also inculpate the innocent. In Britain, police officials at the national Criminal Records Bureau admitted that more than twenty thousand people had been wrongly branded as criminals because of data errors in their system. The massive blunder meant that thousands of innocent individuals were given criminal records for offenses they never committed. “But, Officer, you’ve got the wrong person” is a refrain cops are used to hearing; unfortunately for those involved, what is on the screen is the truth, until proven otherwise. Across the U.K., victims of these errors were denied jobs and volunteer positions and had their reputations destroyed, all because of our unyielding faith in our screens.

  Today we face a confluence of phenomena, both human and technical, that are coming together like a perfect storm to pose particularly striking dangers for our society. With each successive generation, we grow deeply comfortable, even if only unconsciously, with blindly following the directions provided to us by machines. Garbage in, garbage out has been supplanted by garbage in, gospel out: if the computer says so, it must be true. The problem with such reasoning is that we as a society are relying on incorrect data all the time, a festering problem that will come back to bite us. Filter bubbles, invisible search engine censorship, national firewalls, and faulty data mean we have a fundamental integrity problem with the way we see the world, or more precisely with the way the world is presented to us, mediated through our screens.

  When Seeing Ain’t Believing

  In the preceding chapters, we focused extensively on what happens when your data leak and your information confidentiality is breached. No doubt, criminals are having a field day with all the opportunities they have generated by stealing your data. But there is a much more profound and insidious threat to the world’s information—changing it. Criminals, hackers, terrorists, and governments are increasingly breaking into data systems, not to steal information, but to surreptitiously manipulate its presentation on our screens, as we saw in Natanz. As a result, the very integrity of the world’s information is under attack. Slowly, imperceptibly, and with great precision, attackers can enter our data systems and covertly modify any and all of the underlying information. When hackers attack, stealing our data may be the best-case scenario compared with altering the information without our knowledge.

  In the 1995 movie The Net, Sandra Bullock plays a reclusive systems analyst who accidentally uncovers a plot by a diabolical cyber-terrorist organization to take over the world’s information systems. The film opens with the undersecretary of defense committing suicide after learning he has tested positive for HIV at the Bethesda Naval Hospital. As it turns out, the official was never HIV positive; rather, hackers changed the results on his medical tests, in retaliation for the undersecretary’s pursuit of international cyber villains, information that his doctor dutifully reported based on the data on his computer screen. The shame of the test results was too much for the conservative undersecretary, precipitating his suicide.

  This is the world of information warfare, where computer disinformation disseminated through an array of blinking screens carries real-world impact. The events depicted in the film are decidedly possible today. Police data systems have been successfully hacked globally, including in Australia, England, Italy, Memphis, Montreal, Hong Kong, and Honolulu. In 2013, the Danish police national driver’s license registry was breached, and it was believed the hackers made changes to the underlying law enforcement data systems. In Philadelphia, also in 2013, a classified database of witnesses to some of the city’s most notorious crimes was breached by a local criminal group. As a result, the names, addresses, and photographs of dozens of protected witnesses were posted on Instagram with the tagline “Expose the Rats.” Many of the individuals exposed had testified in secret grand jury hearings, and within a few days there were nearly eight thousand followers for the Instagram account user known as rats215. One nineteen-year-old witness who had testified in a homicide case was later targeted for retaliation in a shooting. In what amounted to mass witness intimidation, numerous visitors to the site posted comments such as “exterminate the rats” and “put out a hit on them.”

  In Massachusetts, a prisoner already serving time for computer hacking was allowed access to the prison’s library computer for the purposes of legal research on his own case. Once his fingers touched the keyboard, he was able to tunnel through the computer network at the Department of Correction and obtain access to case files on other inmates, as well as the names, dates of birth, Social Security numbers, home addresses, and phone numbers of the prison’s eleven hundred guards. Given the insecurity of criminal justice systems, how many prisoners have been wrongly released, like the 450 violent offenders in California, because the underlying data were falsified and purposefully tampered with? The answer is, we simply do not know, and government officials are loath to discuss the matter.

  As open and vulnerable as law enforcement computers are, they are a veritable Fort Knox compared with our electronic medical records. Forget for the moment the millions of accidental errors previously noted; the Department of Health and Human Services (HHS) has determined that at least twenty-one million Americans have had their electronic medical records accessed without authorization since 2009. In fact, HHS has documented more than nine hundred such breaches at hospitals across the United States. But how many more weren’t reported? Federal law only mandates reporting if more than five hundred records per incident are targeted. Organized criminals are targeting medical data in a wide variety of ways, ranging from Medicare fraud to extortion. In Virginia, hackers accessed eight million patient records and thirty-five million prescriptions maintained by the state’s Department of Health and threatened to post the information online unless Virginia paid a $10 million ransom. Globally, electronic medical data systems are deeply porous, and bad actors are fully capable of leveraging these data with deadly consequences.

  Time and time again, doctors, nurses, and technicians will follow the directions presented to them on computer screens, even when the information is incorrect, as we saw previously when describing the fatal hospital system errors that led to the death of Gary Foster. If the screen says you are HIV positive, the hospital will deliver that news to you. Worse, if your blood type is listed as O positive and a hacker, enemy, or adversary switches it in the hospital’s database to A negative before you go into surgery, the operation will likely result in death. The same would be true if somebody maliciously erased your allergy to penicillin from your digital chart and a nurse innocuously carried out a medical order directing her to inject five hundred milligrams of the drug into your IV.

  The profound consequences of the “in screen we trust” mentality can open the door to an array of new crimes, including new ways to commit murder. In response, criminals have developed a panoply of methodologies to profit from a world that has subsumed human intelligence in favor of the digital and the virtual. Nefarious actors are proving particularly adept at so-called man-in-the-middle attacks, wherein they insert themselves between reality and the data we see on our screens. The result? An all-out assault on the integrity of the information we’re stockpiling as a result of the big-data revolution.

  Screen of the Crime

  For every screen in your life, criminals have developed a plan of attack. One of the most common such scams on the Internet is the phenomenon of phishing—a technique by which criminals masquerade as a legitimate Web site in order to acquire information such as passwords and credit card numbers. The term “phishing” is a hacker spelling of the word “fishing,” and the technique involves trying to get an innocent fish to take the bait of a malicious link and bite. The organized crime groups that run phishing cons try to trick users into clicking on a link that takes them to a fake Web site controlled by fraudsters. Phishing messages arrive in our in-boxes, via SMS, tweets, instant messages, and Facebook status updates. They allegedly come from our banks, cable companies, retirement plans, social media outlets, and mobile phone operators and target users around the world, with the greatest number of victims in the United States, the U.K., and Germany.

  In the end, all phishing attacks depend on an unsuspecting user clicking on a link or attachment in a message that will either take the unsuspecting party to a fraudulent Web site or install malware on the user’s machine. Criminals take advantage of HTML hypertext links and embed their attacks in hidden computer code. Phishing messages arrive as fake e-cards, e-mails from our bank, job offers, coupons, or deals too good to be true on social media. These malicious communiqués, replete with grammatical and spelling errors in years past, have become highly professionalized and are today virtually indistinguishable from the real thing. Criminals know exactly how to subvert the trust you have placed in your screens by visually mimicking the sites they impersonate and tricking your senses with a digital sleight of hand.

  A typical message might arrive from an address such as security@bankofamerica.com, informing you that you need to update your profile or that your account has been suspended because of suspicious activity. Uh-oh, seems important, better look into it, you think. What you may not know is that the e-mail address that shows up in your in-box is ridiculously easy to spoof or fake. Anytime you set up a new mail account in any mail software program such as Outlook, Mac Mail, or Thunderbird, you will be asked to enter a name and e-mail address. If a crook types “Bank of America Security Team” as the name in an e-mail program, that’s what will show up in your in-box. It’s just that simple. Only by examining the message headers might you note that the e-mail address used by the bad guys was actually notifications@security-bankofamerica.com—still close enough to fool the average bear.

  In every way, the message looks as if it were from your bank—same font, same color, same logo—but it’s not. Though the visible link may say www.bankofamerica.com, you will instead be taken to www.bank0famerica.com (0 instead of o) or even bankofamerica.accountupdates.com (accountupdates.com is the actual domain you are visiting, owned by the criminals; Bank of America is just a folder on their site to fool you); www.citibank.com will be supplanted by www.citiibank.com (two i’s in the fake address, barely noticeable). Phishing messages all subtly scream what they want you to do by making the embedded link containing the poison pill impossible to miss, written in a large font or having a big colorful button: “To update security settings and protect your account, click here.” And now they own you.
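The display-name trick and the lookalike links described in the last two paragraphs can be caught mechanically on the receiving side, which is how mail gateways and security teams triage such messages. The Python below is an added example, not code from the book or its author; it runs over a constructed phishing message and a constructed legitimate one, with a made-up allowlist of trusted domains, and flags three things: a From address whose real domain is not trusted even though the display name looks right, link text that shows one host while the href points at another, and hosts that imitate a brand either by a one-character substitution (bank0famerica, citiibank) or by burying the brand name in a subdomain (bankofamerica.accountupdates.com). It generalises beyond the specific addresses quoted above to any message with those headers and links. The registrable-domain logic is deliberately simplified and would need a public-suffix list in production.

```python
"""Defender-side phishing triage over constructed sample messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation actually trusts (constructed allowlist, an assumption).
TRUSTED_DOMAINS = {"bankofamerica.com", "citibank.com"}

# Matches link text that looks like a host or URL, e.g. "www.bankofamerica.com".
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: bankofamerica.accountupdates.com -> accountupdates.com.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches 0-for-o and doubled-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    labels = host.split(".")
    reg_label = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name reused as a subdomain or embedded in the real domain label.
        if any(brand in label for label in labels):
            return trusted
        # One character away from the brand: bank0famerica, citiibank.
        if edit_distance(reg_label, brand) <= 1:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is untrusted "
                        f"(display name {display_name!r}, resembles {lookalike_of(sender_domain)})")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")  # single-part body assumed
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = HOSTLIKE.match(text)
        shown_host = shown.group(1).lower() if shown else ""
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host!r} but href goes to {href_host!r}")
        imitated = lookalike_of(href_host)
        if imitated:
            findings.append(f"href host {href_host!r} imitates {imitated}")
    return findings


# Constructed sample messages (not real mail); the phish reuses the tricks described in the text.
SAMPLE_PHISH = """\
From: "Bank of America Security Team" <notifications@security-bankofamerica.com>
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<p>To update security settings and protect your account, visit
<a href="http://bankofamerica.accountupdates.com/login">www.bankofamerica.com</a></p>
<p>Or <a href="http://www.bank0famerica.com/">click here</a>.</p>
"""

SAMPLE_LEGIT = """\
From: "Bank of America" <alerts@bankofamerica.com>
To: customer@example.org
Subject: Statement available
Content-Type: text/html; charset=utf-8

<p>Your statement is ready at <a href="https://www.bankofamerica.com/statements">www.bankofamerica.com</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or ["no findings"])
```

The phishing sample yields four findings (untrusted sender domain, mismatched link text, brand-in-subdomain host, and the 0-for-o host) and the legitimate sample yields none. The checks are intentionally conservative: the edit-distance threshold of one and the substring match on the brand name will miss more creative impersonations, so in practice they are one signal among several rather than a verdict on their own.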

  The fateful click will take you to the Citiibank.com Web site, where you will be prompted to log in and provide your credentials, and when you do, the thieves capture your log-in name and password, as well as a bevy of other personal information. And now is when the criminals really go to work. Phishing is a gateway crime, a fundamental first step that provides thieves with the data they need to perpetrate step two in their plot against you, including identity theft, financial fraud, tax fraud, and insurance fraud. Just as the nuclear engineers in Natanz were presented with a compelling but completely fictional reality on their screens, you too are beset by criminals knocking at your door every day using similar deception techniques.

  For criminals, the costs of pulling off such digital charades are ridiculously low. Fully automated phishing kits sold on the digital underground to send scam messages to 500,000 e-mail addresses cost a mere $65, and as mentioned before, criminals take advantage of “sock puppet” accounts to scale up. As a result, more than 100 million phishing messages arrive in our in-boxes every day. According to a study on the economics of these attacks by Cisco, approximately eight people out of a million will succumb to the ruse, with an average loss of $2,000 per victim. Thus for about $130, crooks can generate $16,000, a 12,000 percent return on investment. With 36 billion phishing messages sent annually, the scale, scope, and profitability of cyber crime comes into focus. Although the returns from bulk phishing attacks are impressive, they pale in comparison to “spear phishing,” a technique that does not send bulk fraudulent messages to millions, but rather carefully targets specific individuals or organizations.

  Spear-phishing attacks have become the go-to tool of choice for those committing industrial espionage, and the costs in those cases can be gargantuan, as the global beverage giant Coca-Cola discovered. As part of its Asian expansion, Coke had entered into advanced-stage negotiations to purchase China’s Huiyuan Juice Group. All was proceeding according to plan with the acquisition, until it inexplicably fell apart. Something fishy was going on, and Coke wanted answers. It conducted a full investigation into the matter and began to examine the deal in detail, including communications between Coke and representatives at the Huiyuan Juice Group. In the end, Coke discovered that the Chinese government was aggressively monitoring the deal and pursuing nonpublic insights into Coke’s bidding plans and intentions. How did the Chinese ultimately get the access they needed? By manipulating the screen of Paul Etchells, the deputy president of Coca-Cola’s Pacific Group.

  Etchells opened an e-mail that had been spoofed to appear as if it had come from a senior executive in Coke’s legal department. The subject line was enticing: “Save Power, Save Money—from Coke’s CEO.” Etchells knew his boss at Coke had been heavily pushing energy savings in the company (as did the Chinese who had infiltrated Coke’s corporate information systems). The perpetrators of the attack spoofed reality by making the message appear as if it came from a trusted colleague, on the internal corporate network, with a subject line that was compelling and contextually made sense. When Coke’s deputy president innocently clicked on the link, he also silently downloaded malware onto his workstation, including a keystroke logger that captured everything the executive typed. As a result, the Chinese were able to download a barrage of computer files related to the deal. While Coke has refused to publicly comment on “security matters,” what is clear is that one single spear-phishing attack against a senior Coke official cost the firm its $2.4 billion acquisition of China’s Huiyuan Juice Group. Coke is not alone in having succumbed to spear phishing: it has become the preferred method of attack for online criminals and digital spies, responsible for a full 91 percent of all targeted cyber attacks.

  Criminals can now even change what you see on your screen in real time, including your financial statements. But what if your bank account balance were zero, and you didn’t know it? There are so many thousands of malware programs that will steal money from your bank account these days; the whole process has become both routine and even automated by the bad guys. Criminals infect your computer or mobile phone, capture your log-in credentials, and then use them to drain your account balance. Of course should you yourself happen to log in and notice the low balance, you may have a shot at notifying your bank’s fraud department and stopping the flow of the funds. Banks usually reserve settlement periods of a day or so, particularly internationally, in which they can cancel, stop, or reverse a transfer or wire, but the time frame to do so is incredibly short. To this end, criminals will go to great lengths to ensure that what you see on your computer screen is not what you have in your bank account. Highly specialized Trojan horse software, such as SpyEye and URLZone, not only steals your money but will even offer you false reassurances that it is still in your bank account. The magic of these Trojans is that they give thieves more time to use your banking, debit, and credit card information without your realizing what is happening. Your first clue there is a problem is when you try to use your own bank card to make a withdrawal, only to learn you are overdrawn and there are insufficient funds.
