Fighting U.S. Card Data Fraud OverseasFeds Advocate Law Changes to Ease Prosecution of Fraudsters
To help take down international "carding" rings, the U.S. Justice Department wants to expand current law so it can prosecute those who commit fraud anywhere in the world that involves U.S. payment card data. But legal experts warn such a move could invite legal reprisals from other countries.
See Also: Tools and Tactics for Modern Crimeware
The Justice Department's criminal division says in a blog post that it's too difficult today for U.S. law enforcement agencies to disrupt all parts of the carding ecosystem. That includes organized crime gangs, which often harvest large amounts of payment card data, as well as those who buy the data to commit online fraud, create and sell fake cards or prepaid cards or employ low-level money mules to commit in-person fraud, using these fake cards at retailers or ATMs.
"Cybercriminals often take advantage of international borders and differences in legal systems, hoping to evade extradition to face justice," Justice Department spokesman Peter Carr tells Information Security Media Group. "Through international cooperation, the Department of Justice is committed to bringing cybercriminals to justice in the United States, wherever they may commit their crimes."
But the Justice Department says it's currently quite difficult to pursue the middlemen in this ecosystem who run the carding forums that offer "dumps" of card data for sale.
So the Obama administration is proposing amendments to Title 18, the federal government's criminal and penal code. "The amendments are aimed at making sure that these middlemen - those who profit from the sale of stolen financial data of Americans - can be brought to justice even if they are operating outside of the United States," the Justice Department says.
The changes would be to a section of Title 18 that covers fraud - and related crimes - in connection with "access devices," which is legalese that can refer to payment cards.
"The problem is, under federal law, unless a statute is explicitly extraterritorial ... the U.S. government has no authority to make something a crime that occurs outside the United States," attorney Mark Rasch, who created the computer crime unit at the U.S. Department of Justice, tells ISMG.
So the government wants to expand the current law so it can prosecute those who commit fraud anywhere in the world that involves U.S. payment card data. "The government [currently] has to prove either that an 'article' used in committing the offense moved though the United States, or that the criminal is holding his illicit profits in an American bank," the Justice Department says. "But when you steal only digital data, it's not clear what 'article' could be involved. And of course, foreign criminals generally move their money back to their home country."
Related legislation was introduced in the House on March 24 by Rep. Jim Langevin, D-R.I. The Cybercrime Anti-Resale Deterrent and Extraterritoriality Revision Act of 2015 would amend Title 18 "to provide greater extraterritorial criminal jurisdiction over certain credit card and other access device fraud offenses."
But criminal defense attorney A. Jeff Ifrah, co-author of Federal Sentencing for Business Crimes, questions the Justice Department's proposal, which he says is all too indicative of a U.S. federal and legislative mindset bent on tackling crime by trying to write more laws. "There's no doubt that if that type of crime occurs, there should be a statute that covers it, for sure, and there probably already is one," he tells ISMG.
While Ifrah acknowledges that the proposed amendment to the current law would no doubt make it easier for prosecutors to pursue foreign suspects, he argues that a better approach would be for U.S. officials to work through diplomatic channels to encourage other countries to pass and apply tougher cybercrime laws. "It's a very complicated process to pursue a foreign citizen, indict them, extradite them, bring them here, charge them and then, after they serve their sentence, ship them back," he says. "That's just millions and millions of dollars. ... But come on, isn't there something that can be done at a higher level of government to deal with this issue so that those folks can be prosecuted in their own countries? I hope so, anyway."
Rasch notes that there are less expensive ways than extradition to bring suspects located overseas to trial, especially if they're residing in a country that doesn't have a formal extradition treaty with the United States. "You can do what's called 'informal extradition,' because kidnapping is such a dirty word," he says.
Attorney Mark Rasch discusses U.S. extradition techniques.
The Justice Department continues to employ this tactic, for example in the case of accused Russian hacker Roman Seleznev, who the U.S. Secret Service grabbed in 2014 while he was vacationing in the Maldives. "It can be a long, cold winter in Russia. A lot of these people have a lot of money. It's pretty tempting to travel somewhere warmer," Assistant Attorney General Leslie Caldwell, chief of the Justice Department's criminal division, tells The New York Times.
Rasch, however, also isn't sold on the Justice Department's push to extend U.S. cybercrime jurisdiction worldwide. "There is some rationale for it; it's not completely outrageous," he says.
The problem, however, is the potential for reciprocity. "What happens is that some U.S. citizen can find themselves being thrown in jail in Iran, North Korea, Syria or Chad, because of something that they did that's perfectly legal in the United States, but which violates the law in some other country, even if they've never been in that country - and even if they have no knowledge of, or reason to believe, that there's a connection to that country," he says.