Will Indictments Curb Card Fraud?Experts Weigh the Impact of Cybercrime Case
Gonzalez was helping law enforcement track other hackers involved in a worldwide cybercrime ring known as the "Shadowcrew" at the time of some of these attacks, which he helped organize. In March 2010, Gonzalez was sentenced to 20 years in prison, the longest sentence at the time handed down for a computer crime in a U.S. court.
David Navetta, a cybersecurity attorney and co-founder of the Information Law Group, doesn't expect the latest fraud indictments to have much of an effect on card fraud and security breaches.
"While it is obviously a good thing that the perpetrators of this massive fraud are caught and will no longer be able to conduct such activities again, there are plenty of others who will (and who have already) fill their shoes," he says.
But Shawn Henry, former assistant director of the Federal Bureau of Investigation and president of cybersecurity and intelligence firm Crowd Strike Services, contends that if the indictments result in tough sentences, they could provide a significant cybercrime deterrent.
"Taking actions like this does two things," he says. "Those actors involved are taken off the field, and so their efforts are certainly mitigated. But part of an effective law enforcement strategy is to set an example and to discourage others from taking part in similar crimes. Deterrence is a key part of this."
(For more about the breached companies, see Card Fraud Scheme: The Breached Victims).
The Hackers Charged
On July 25, federal authorities in New Jersey announced they had indicted four Russians and a Ukrainian for the roles they allegedly played in a credit and debit card fraud scheme that compromised card numbers stolen from payments processors Global Payments and Heartland Payment Systems, grocery chain Hannaford Brothers and others. The estimated losses linked to the nearly seven-year scheme are in the hundreds of millions of dollars, investigators say.
(For more about how the scheme worked, see Massive Fraud Scheme: How It Happened.)
Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets have been charged with conspiracy to gain unauthorized access to computers and conspiracy to commit wire fraud. If convicted on both charges, each faces a maximum 35-year sentence and fines totaling $1.25 million.
Drinkman, Kalinin, Kotov and Smilianets also have been charged with unauthorized access to computers and wire fraud. If convicted of both charges, each faces an additional maximum 35-year sentence and $1.25 million in fines.
Authorities report Drinkman and Smilianets were arrested while traveling in the Netherlands on June 28, 2012, on charges stemming from the 2009 indictment that charged Gonzalez with masterminding five corporate data breaches, including the attack on Heartland.
Smilianets was extradited Sept. 7, 2012, and remains in federal custody. Drinkman is in custody in the Netherlands pending extradition, authorities say. Kalinin, Kotov and Rytikov remain at large.
All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.
"Today's indictment will no doubt serve as a serious warning to those who would utilize illegal and fraudulent means to steal sensitive information online," says Mythili Raman, acting assistant attorney general for the Department of Justice's Criminal Division.
James Mottola, U.S. Secret Service special agent in charge, says cross-border collaboration solved the case. "This case demonstrates the global investigative steps that U.S. Secret Service Special Agents are taking to ensure that criminals will be pursued and prosecuted no matter where they reside," he says.
Sentences Not A Deterrent?
But Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite Group, contends the sentences handed down in this case won't be much of a deterrent for cybercriminals.
"There is simply so much money to be made; the risk will not outweigh the potential reward for these fraudsters," she says. "The money a bank robber steals is a paltry sum compared to the money cyberthieves can make, and they will continue to believe they are too clever to be caught. If they are caught, if they have hidden the funds well enough, the money will be waiting for them after serving a very few years."
Navetta, the attorney, also predicts that fraudsters will continue to infiltrate networks and compromise card data, despite the high-profile indictments.
"Some will go after the fat targets like payment processors that store or process millions of cards at a time," he says. "But increasingly, the focus has been on widespread, scalable and automated attacks on the tens of thousands of smaller, less sophisticated merchants whose security is weak, who have common vulnerabilities, and who are viewed as easy targets" (see MAPCO Attack Highlights Retail Trend).
Navetta says indicting hackers is like putting a finger in a dam. "It is a victory, but it does not really address the bigger issues," he says. "Ultimately, I think law enforcement is less the answer as compared to the business community working hard to secure and protect themselves. Whether the payment card community has the desire or incentive to do that currently is an open question."
But Henry of Crowd Strike says technological defenses are only part of the solution.
"The only way to truly address the problem is to identify the actors," Henry says. "We as Americans have been focused on authentication and defenses for 20 years. ... Today's cybercriminals are capable of bypassing the most elaborate security. Just by focusing on the defenses, you're not going to stop them. Sooner or later, they are going to get in."
By enhancing collaboration among the FBI, the Secret Service and international law enforcement, the industry sets an example that shows cybercriminals will be pursued, regardless of where they reside in the world.