Monday’s New York County District Attorney’s Office news release says an indictment from 2007 has been updated and now has 173-counts against seventeen men. They are charged with operating a multi-national criminal enterprise from November 2001 to August 2007.

The Western Express Cybercrime Group is responsible for over $4 million worth of identified credit card fraud, and trafficked in well over 95,000 stolen credit card numbers. These figures reflect the levels of fraud and stolen credit numbers which have been identified thus far.

The news release is related to the arrest of two of the men in Prague on July 30, 2008 (Viatcheslav Vasilyev and Vladimir Kramarenko) who were just extradited last week to the US and arraigned in NY Supreme Court on Monday. Only two of the seventeen have yet to be arrested; Oleg Kovelin and Dzimitry Burak.

Quick math on those numbers (4 million / 17 men / 5 years) suggests they were making about $50K a year each from their complex operation, described in the news release:

The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of vendors, buyers, cybercrime services providers, and money movers. The vendors were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the Internet. The buyers used the Internet to purchase that information from the vendors, for the purpose of committing additional crimes such as larceny and identity theft. The cybercrime services providers promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the vendors and the buyers. Finally, other defendants operated as money movers. Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The money movers relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using Web sites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

In other words a business was setup to convert stolen payment card information into cash. Someone sold the card information and someone bought it using someone who provided an online market. Someone then laundered the money paid for the stolen card information.

This reinforces my argument that Gonzales was hardly a hacker mastermind but more like a manager or officer of an organization that brought together various people with specialized skills. The Secret Service supposedly let him continue to operate so they could monitor him and apprehend additional suspects. Some might say Gonzales exploited this relationship and expanded his damage but obviously he was caught and this indictment confirms that his operation is now defunct.

The question is now whether criminals are going to step up into the vacuum left by Western Express to take over the market, or if they will shift to other forms of crime or even legitimate operations.

The answer might be found in the history of fighting organized crime. Along with drugs, arms, gambling, loans/extortion, cornering contracting etc. criminal gangs obviously now could operate in stolen card information. A typical explanation of the process goes something like this:

The relative ease with which large sums of money could be obtained by drug trafficking provided a solid financial underpinning for gangs, increased the solidarity of existing gangs, and offered strong incentives for the development of new ones.

With this in mind, the US Justice Department’s National Gang Intelligence Center report says that gangs are the “primary retail-level distributors of most illicit drugs…with 1 million members responsible for up to 80 percent of crimes in communities across the nation”. Drugs obviously present different market forces than cardholder information (e.g. addiction) but there are still many important security lessons that can be learned by studying the broader fight against long-term underground economies.

The Security Standards Council (SSC) of PCI reminded us today that a scope statement still requires validation. A scope should be reduced only after a thorough assessment of controls.

Secure treatment of data (e.g. hashing) could reduce the number of systems that are kept within scope but this needs to be assessed and verified. Another example is an entity that claims it has no wireless. This claim must be tested and they must have a regular process and control capability (wireless scanner) to manage risk going forward. Assessors will look for supporting documentation before they can allow scope to change. When scope is done properly it generates confidence on exactly where to look based on tests and evidence.

This is not to say that it is easy. A major retail executive once told me his company had no need for antivirus on their point of sale devices. Why? He believed his systems had no viruses, therefore he saw no need for antivirus. I had to convince him that he should be taking the opposite approach. Use of antivirus would confirm the lack of viruses. An absence of empirical data, let alone awareness of helpdesk and incident reports, did not register with this executive. This is a fine case of why risk is something that can not always be left to intuition alone or to market forces. Many actors operate with trust or hope rather than a complete or reasonable data set. A month after installing antivirus the executive was extremely thankful — he soon found a clear path to reduce point of sale outages and thus his operating costs were significantly reduced.

The steps to take after hearing “no” and “out of scope” are illustrated nicely in the SSC Wireless Guidelines decision tree:

The PCI SSC just released a document on how to detect and prevent skimming.

Skimming, as the word implies, is capturing data as it passes through a device. That means devices are usually modified so they will copy and record data to unauthorized storage or they will send it out over an unauthorized network connection.

The guide includes many images of skimming devices as well as an easy risk assessment form to help outline potential areas of vulnerability such as physical location, hours of operation, personnel and technology. In a nutshell the advice is the usual “watch for anything suspicious”. This means anything that accepts cards should have a known safe appearance (wires, stickers) as well as a clean/safe space around it. Staff should be trained such that any changes to the appearance or items introduced into the safe space should raise suspicion and be reported.

If you see Tetris running on Chip and PIN terminal, for example, you should not assume all is well with security.

Criminals will try anything to get access to the card data. Have you seen those charity boxes that often sit on a counter near a register? These have been known to be used to place hidden cameras next to a device to record PIN information. Here is another example from the guide:

All things in moderation could be the byline of this story. Computerworld brings to light a CDC study that apparently says gamers are 35, overweight and sad

The average gamer, far from being a teen, is actually a 35-year-old man who is overweight, aggressive, introverted — and often depressed, according to a report out this week from the Centers for Disease Control and Prevention (CDC)

The study correlates gaming with indoor inactivity, which then correlates to health problems and loneliness. This hardly seems to be a direct causation argument. Perhaps that is why the CDC is not issuing a statement that games cause obesity and depression.

I noted that the data is derived from an online survey of fewer than 600 people in Seattle, Washington between the ages of 19-90. Is someone in the target group most likely to buy a game, especially if they live in a cold and rainy climate, or can we blame gaming for them becoming the target group? Must be tricky to make conclusions about teens when the majority (13-18) aren’t even in the survey (probably to avoid the complication of surveying minors).

The study notes that half of gamers are between 18 and 49 years old, while 25% are 50 and older. The CDC also pointed out that of online gamers aged 8 to 34, nearly 12% showed multiple signs of addiction.

The percentage might go up if more teens were allowed to answer the survey. On top of suspicious data collection gaps, it also seems some are quick to expand the study findings to anything related to a computer.

Jim McGregor, an analyst at In-Stat, noted that his concern isn’t just with gaming but with social networks, as well.

“My issue is that it’s not just gaming. It’s social networking. It’s the Web in general,” said McGregor. “We’ve gained so much, but still it puts people in front of a computer screen for hours on end. It gives Americans just another reason to be fat, dumb and lazy.”

Harsh words considering a causal connection is missing. It’s the web. It’s social networking. It’s information. Clearly, as found in this study of a small group in Seattle, filling your head with facts and data and sitting around and working at a desk is the route to being dumb and lazy. Save yourself now. Why are you still reading this? Go away (not to Seattle) and run on a treadmill until you’re smart and happy.

In an apparent contradiction to the above survey results, Computerworld also wants you to know that men aged 25-49 are the group most likely to be found in cafes with their computer. They don’t just sit at home anymore.

The survey also found that 67% of cafe Wi-Fi users were 25-49, 74% were male and 66% had a household income of $50,000 or more. About 44% of the cafe users reported working for small companies of fewer than 99 workers, indicating the value of a Wi-Fi-enabled cafe as a kind of nomadic office.

This all suggests that surveys of groups using computers will find a majority of them are middle-aged men with a steady income. Some of them stay at home, some go out. Some are happy, some sad, some overweight, some fit. This does not suggest to me that using a computer will make you a middle-aged man with a steady-income, or that the flow of information that comes from a computer causes depression and obesity…