The August indictments of three individuals allegedly responsible for the theft of 130 million credit and debit card numbers in the Heartland Payment Systems Inc. data breach made headlines across the world. Yet little attention is paid to the laborious investigative work needed to track down the criminals behind these types of infiltrations into computer systems and wireless networks.
In the case of Heartland, the U.S. Secret Service first came across the alleged ringleader, Albert Gonzalez, in August 2008 while investigating data breaches dating back to 2004, according to Ken Jenkins, deputy special agent in charge, U.S. Secret Service criminal investigation division. Jenkins's office arrested Gonzalez in the Heartland case (Digital Transactions News, Aug. 18).
The Secret Service first linked Gonzalez to an earlier record payment card data breach at off-price retailer TJX Cos., and later tied him to the even larger breach at Heartland. (Gonzalez made a plea agreement on federal charges in New York and Boston related to the TJX and other hackings, but has pleaded not guilty in U.S. District Court in New Jersey to the Heartland-related charges.)
But getting enough evidence to indict Gonzalez and other criminals operating so-called carder Web sites can take years of painstaking investigation, including the use of informants and undercover agents.
“In most cases, all you've got is a nickname,” Jenkins tells Digital Transactions News. “From an investigative standpoint, you've got to research that nickname and try to find that one piece that will lead you to the identity of this guy or gal. Most of our cases are based off of a nickname and working backwards on that.”
To learn the identity of the criminal, Secret Service agents attempt to infiltrate carder sites, “but it's very difficult just to go in there cold and get them to deal with you,” he says. Often, agents will use previously arrested criminals to help them operate undercover on the site.
Agents also will monitor carder sites to become well versed in the types of data being sold and at what price to further authenticate their undercover identity as a criminal. Even then, it may take a long time to gain enough credibility to gain access to the site, Jenkins says.
“Many of these individuals, even in the Gonzalez crew, do not know each other in real life,” he says. “It's all according to your street cred[ibility] on these boards. You have to have been in business quite some time and your knowledge and expertise vetted numerous times before you're brought into some of these groups.”
Investigators also may come across a nickname or an e-mail address on a computer hard drive confiscated from another criminal and use that information to track down the operator of a carder site, Jenkins says.
Although shutting down the carder site might seem a simple solution, the Secret Service and other law-enforcement agencies have had better luck in going after the criminals administering the site, Jenkins says. “A lot of these sites are now proxied through multiple places,” he says. “We may run it back to being listed as hosted in Poland or the Netherlands, and in reality, the site is actually sitting in Hong Kong. You can knock it down the first time but it's usually up in three to four hours at another site.”
Instead, the Secret Service uses the sites “to work our way up their organizational ladder to get to the top individuals, which is time-consuming and difficult at times,” Jenkins says. “The methodology is if we can arrest the hackers, the folks with the technological ability to pull these intrusions off, we will impact the supply of stolen information online.”
Law enforcement has succeeded in shutting down several carder sites, including one operated by the Shadowcrew criminal organization in 2004 in which the Secret Service took over the site for a period of time.
In a more recent case, the Federal Bureau of Investigation in 2008 closed down a carder forum known as “Dark Market” after a two-year operation in which an undercover FBI agent known as Master Splynter acted as one of the site's administrators. “There are long, ongoing investigations at many of these sites,” Jenkins says.
While law enforcement is making “drastic headway” in investigating the operators behind carder sites, “it's going to be a continuing problem, especially as technology continues to change,” he says.
To meet the ongoing challenge, the Secret Service has 28 electronic crime task forces throughout the country that partner with financial institutions, private industry, academia, and local law enforcement to exchange information on the latest data-breach techniques and related topics.
And organizations that become victims of data breaches also can play a crucial role in tracking down cyber criminals, according to Jenkins. “The faster we get notified and brought in on an intrusion, if it's still active, we have a lot better opportunity of using some aggressive techniques to forward the investigation,” he says.