Title : PWN/Part 2
Author : Datastream Cowboy
==Phrack Inc.==
Volume Four, Issue Thirty-Nine, File 11 of 13
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue XXXIX / Part Two of Four PWN
PWN PWN
PWN Compiled by Datastream Cowboy PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
The Charge Of The Carders May 26, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~
By Joshua Quittner (<New York> Newsday)(Page 45)
Computer criminals are after your credit-card numbers --
to steal with, sell and swap.
THE KID, from Springfield Gardens, Queens, was a carder, of course.
He was doing what carders do: trying to talk a salesman into overnight-
expressing him a $4,000 computer system -- and using a stolen credit-card
number for payment.
The salesman was playing right along on the phone; he had also notified a co-
worker to alert the New York State Police, said William Murphy, a customer
service manager at Creative Computers, who described the event as it was
unfolding on a recent Tuesday morning. Murphy said that on a typical day, as
many as a dozen times, carders would call and try to buy everything from modems
to whole computer systems.
Murphy said that these days, the security people at Creative Computers are able
to stop virtually all of them, either by not delivering the goods, or by
delivering them UPS -- that's United Police Service.
He sighed: "It's amazing that they even try."
But try they do. And at other places, they're successful. Where once hacking
into a credit bureau was a kind of rite of passage for computer intruders, who
generally did little more than look up credit histories on people like Mike
Dukakis, now computer criminals are mining national credit bureaus and mail-
order houses, coming away with credit-card numbers to sell, swap or use for
mail-order purchases.
Underground electronic bulletin board systems help spread not only the
passwords, but the techniques used to tap into different systems. In
San Diego on April 30, for instance, police raided a bulletin board called
Scantronics, which offered among other things, step-by-step manuals on how to
hack into Equifax Credit Information Services and TRW Information Services, the
largest credit bureaus in the nation, the San Diego Tribune reported.
"The potential for fraud is enormous, it's almost limitless," said Joel Lisker,
Mastercard International's vice president of security and risk management, who
noted that computer intruders accessed "thousands" of credit-card account
numbers in another recent case.
MASTERCARD is putting together a task force of its bank members to address the
problem, and is considering inviting hackers in to learn what they can do to
tighten up computer access to credit bureaus, he said.
Mastercard estimates it lost $57 million to counterfeit scams last year; Lisker
said it is impossible to say how much carders contributed. But based on the
volume of arrests lately, he figures carding has become a big problem.
"It's kind of like a farmer that sees a rat," Lisker said. "If he sees one, he
knows he has several. And if he sees several he knows he has a major
infestation. This is a major infestation."
"It's clearly something we should be concerned about," agreed Scott Charney,
chief of the U.S. Justice Department's new Computer Crime Unit. Charney said
that roughly 20 percent of the unit's current caseload involves credit-card
fraud, a number that, if nothing else, colors the notion that all hackers are
misunderstood kids, innocently exploring the world of computer networks.
"Whether such noble hackers exist, the fact of the matter is we're seeing
people out there whose motives are not that pure," he said.
On May 11, New York State Police arrested three teenagers in Springfield
Gardens when one of them went to pick up what he hoped was an Amiga 3000
computer system from Creative Computers, at a local UPS depot.
"What he wanted was a computer, monitor and modem. What he got was arrested,"
said John Kearey, a state police investigator who frequently handles computer
and telecommunications crimes. Police posed as UPS personnel and arrested the
youth, who led them to his accomplices.
Kearey said the teens said they got the stolen credit-card number from a
"hacker who they met on a bridge, they couldn't remember his name" -- an
interesting coincidence because the account number was for a next-door neighbor
of one of the youths. Police suspect that the teens, who claimed to belong to
a small hacking group called the MOB (for Men of Business) either hacked into a
credit bureau for the number, got someone else to do it, or went the low-tech
route -- "dumpster diving" for used carbon copies of credit receipts.
Indeed, most credit-card fraud has nothing to do with computer abusers.
Boiler-room operations, in which fast-talking con men get cardholders to
divulge their account numbers and expiration dates in exchange for the promise
of greatly discounted vacations or other too-good-to-be-true deals, are far and
away the most common scams, said Gregory Holmes, a spokesman for Visa.
But carders have an advantage over traditional credit-card cheats: By using
their PCs to invade credit bureaus, they can find credit-card numbers for
virtually anyone. This is useful to carders who pick specific credit-card
numbers based on location -- a neighbor is out of town for a week, which means
all you have to do is get his account number, stake out his porch and sign for
the package when the mail comes. Another advantage is that address and ZIP
code verifications, once a routine way of double-checking a card's validity,
are no longer useful because carders can get that information from an account
record.
"It's tough," Holmes said. "Where it becomes a major problem is following the
activity of actually getting the credit-card number; it's sent out on the black
market to a vast group of people" generally over bulletin boards. From there,
a large number of purchases can be racked up in a short period of time, well
before the cardholder is aware of the situation. While the cardholder is not
liable, the victims usually are businesses like Creative Computers, or the
credit-card company.
Murphy said his company used to get burned, although he would not divulge the
extent of its losses. "It happened until we got wise enough to their ways," he
said.
Now, with arrangements among various law enforcement agencies, telephone
companies and mail carriers, as well as a combination of call-tracing routines
and other verification methods, carders "rarely" succeed, he said. Also, a
dozen employees work on credit-card verification now, he said. "I feel sorry
for the companies that don't have the resources to devote departments to filter
these out. They're the ones that are getting hit hard."
In New York, federal, state and local police have been actively investigating
carder cases. Computers were seized and search warrants served on a number of
locations in December, as part of an ongoing federal investigation into
carding. City police arrested two youths in Queens in April after they
attempted to card a $1,500 computer system from Creative Computers. They were
arrested when they tried to accept delivery.
"It's a legitimate way to make money. I know people who say they do it,"
claimed a 16-year-old Long Island hacker who uses the name JJ Flash.
While he says he eschews carding in favor of more traditional, non-malicious
hacking, JJ Flash said using a computer to break into a credit bureau is as
easy as following a recipe. He gave a keystroke-by-keystroke description of
how it's done, a fairly simple routine that involved disguising the carder's
calling location by looping through a series of packet networks and a Canadian
bank's data network, before accessing the credit bureau computer. Once
connected to the credit bureau computer, JJ Flash said a password was needed --
no problem, if you know what underground bulletin boards to check.
"It's really easy to do. I learned to do it in about thirty seconds. If you
put enough time and energy into protecting yourself, you'll never get caught,"
he said. For instance, an expert carder knows how to check his own phone line
to see if the telephone company is monitoring it, he claimed. By changing the
location of a delivery at the last minute, he said carders have evaded capture.
J J FLASH said that while most carders buy computers and equipment for
themselves, many buy televisions, videocassette recorders and other goods that
are easy to sell. "You can usually line up a buyer before it's done," he said.
"If you have a $600 TV and you're selling it for $200, you will find a buyer."
He said that while TRW has tightened up security during the past year, Equifax
was still an easy target.
But John Ford, an Equifax spokesman, said he believes that hackers greatly
exaggerate their exploits. He said that in the recent San Diego case, only 12
records were accessed. "It seems to me the notion that anybody who has a PC
and a modem can sit down and break in to a system is patently untrue," he said.
"We don't have any evidence that suggests this is a frequent daily occurrence."
Regardless, Ford said his company is taking additional steps to minimize the
risk of intrusion. "If one is successful in breaking into the system, then we
are instituting some procedures that would render the information that the
hacker receives virtually useless."
Also, by frequently altering customers' passwords, truncating account
information so that entire credit-card numbers were not displayed, and possibly
encrypting other information, the system will become more secure.
"We take very seriously our responsibility to be the stewards of consumer
information," Ford said.
But others say that the credit bureaus aren't doing enough. Craig Neidorf,
publisher of Phrack, an underground electronic publication "geared to computer
and telecommunications enthusiasts," said that hacking into credit bureaus has
been going on, and has been easy to do "as long as I've been around." Neidorf
said that although he doesn't do it, associates tell him that hacking into
credit bureaus is "child's play" -- something the credit bureaus have been
careless about.
"For them not to take some basic security steps to my mind makes them
negligent," Neidorf said. "Sure you can go ahead and have the kids arrested
and yell at them, but why isn't Equifax or any of the other credit bureaus not
stopping the crime from happening in the first place? It's obvious to me that
whatever they're doing probably isn't enough."
A Recent History Of Carding
September 6, 1991: An 18-year-old American emigre, living in Israel, was
arrested there for entering military, bank and credit bureau computers. Police
said he distributed credit-card numbers to hackers in Canada and the United
States who used them to make unknown amounts of cash withdrawals.
January 13, 1992: Four university students in San Luis Obispo, California,
were arrested after charging $250,000 in merchandise to Mastercard and Visa
accounts. The computer intruders got access to some 1,600 credit-card
accounts, and used the numbers to buy, among other things: Four pairs of $130
sneakers; a $3,500 stereo; two gas barbecues and a $3,000 day at Disneyland.
February 13, 1992: Two teenagers were arrested when one of them went to pick
up two computer systems in Bellevue, Wash., using stolen credit-card numbers.
One told police that another associate had hacked into the computer system of a
mail-order house and circulated a list of 14,000 credit-card numbers through a
bulletin board.
April 17, 1992: Acting on a tip from San Diego police, two teenagers in Ohio
were arrested in connection with an investigation into a nationwide computer
hacking scheme involving credit-card fraud. Police allege "as many as a
thousand hackers" have been sharing information for four years on how to use
their computers to tap into credit bureau databases. Equifax, a credit bureau
that was penetrated, admits that a dozen records were accessed.
April 22, 1992: Two Queens teens were arrested for carding computer equipment.
_______________________________________________________________________________
Invading Your Privacy May 24, 1992
~~~~~~~~~~~~~~~~~~~~~
By Rob Johnson (The Atlanta Journal and Constitution)(Page A9)
Some do it for fun, others have more criminal intent. Regardless, computer
users have a range of techniques and weaponry when breaking into files.
"Rooting" forbidden files is hog heaven for hackers
Within an instant, he was in.
Voodoo Child, a 20-year-old college student with a stylish haircut and a well-
worn computer, had been cruising a massive researchers' network called Internet
when he stumbled upon a member account he hadn't explored for a while.
The institution performed "Star Wars" research, he later found out, but that
didn't interest him. "I don't know or care anything about physics," he said
recently. "I just wanted to get root."
And "getting root," hackers say, means accessing the very soul of a computer
system.
Working through the network, he started a program within the research
institute's computers, hoping to interrupt it at the right moment. "I figured
I just had a second," he said, gesturing with fingers arched above an imaginary
keyboard. Suddenly he pounced on the phantom keys. "And it worked."
He soon convinced the computer he was a system operator, and he built himself a
back door to Internet: He had private access to exotic supercomputers and
operating systems around the world.
Before long, though, the Atlanta-area hacker was caught, foiled by an MCI
investigator following his exploits over the long-distance phone lines.
National security experts sweated over a possible breach of top-secret
research; the investigation is continuing.
And Voodoo Child lost his computer to law enforcement.
"I was spending so much time on the computer, I failed out of college," he
said. "I would hack all night in my room, go to bed and get up at 4 in the
afternoon and start all over."
In college, he and a friend were once discovered by campus police dumpster-
diving behind the university computer building, searching for any scraps of
paper that might divulge an account number or a password that might help them
crack a computer.
Now he's sweating it out while waiting for federal agents to review his case.
"I'm cooperating fully," he said. "I don't want to go to prison. I'll do
whatever they want me to."
In the meantime, he's back in college and has taken up some art projects he'd
abandoned for the thrill of computer hacking.
The free-form days of computer hacking have definitely soured a bit -- even for
those who haven't been caught by the law.
"It's a lot more vicious," Voodoo Child said as a friend nodded in agreement.
"Card kids" -- young hackers who ferret out strangers' credit card numbers and
calling card accounts -- are wrecking the loose communal ethic that defined
hacking's earlier, friendlier days.
And other computer network users, he said, are terrified of the tactics of
sophisticated hackers who routinely attack other computer users' intelligence,
reputation and data.
"I used to run a BBS [electronic bulletin board system] for people who wanted
to learn about hacking," Voodoo Child said. "But I never posted anything
illegal. It was just for people who had questions, who wanted to do it
properly."
Doing it properly, several Atlanta-area hackers say, means exploring the gaps
in computer networks and corporate systems. They say it's an intellectual
exercise -- and an outright thrill -- to sneak into someone else's computer.
During a recent interview, Voodoo Child and a friend with a valid Internet
account dialed up the giant network, where some of their counterparts were
waiting for a reporter to ask them some questions.
"Did you get that information on the Atlanta Constitution reporter you were
asking about?" a faceless stranger asked.
A startled reporter saw his credit report and credit card numbers flashed
across the screen. Voodoo Child offered up the keyboard -- an introduction of
sorts to a mysterious, intimidating accomplice from deep inside the digital
otherworld. "Go ahead," he said. "Ask him anything you want."
_______________________________________________________________________________
KV4FZ: Guilty Of Telephone Toll Fraud May 15, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Rice (rice@ttd.teradyne.com) in TELECOM Digest V12 #412
St. Croix ham operator, Herbert L. "Herb" Schoenbohm, KV4FZ, has been found
guilty in federal court of knowingly defrauding a Virgin Islands long-distance
telephone service reseller. He was convicted April 24th of possessing and
using up to fifteen unauthorized telephone access devices in interstate and
foreign commerce nearly five years ago.
The stolen long distance telephone access codes belonged to the Caribbean
Automated Long Lines Service, Inc. (CALLS) of St. Thomas, U.S. Virgin Islands.
Schoenbohm was found to have made more than $1,000 in unauthorized telephone
calls -- although the prosecution said he was responsible for far more.
According to the Virgin Islands Daily News, Schoenbohm, who is also the St.
Croix Police Chief of Communications, showed no emotion when he was pronounced
guilty of the charges by a 12-member jury in U.S. District Court in
Christiansted. The case was heard by visiting District Judge Anne Thompson.
Neither Schoenbohm nor his defense attorney, Julio Brady, would comment on the
verdict. The jury deliberated about seven hours. The sentencing, which has
been set for June 26, 1992, will be handled by another visiting judge not
familiar with the case.
Schoenbohm, who is Vice Chairman of the V.I. Republican Committee, has been
released pending sentencing although his bail was increased from $5,000 to
$25,000. While he could receive a maximum of ten years on each count,
Assistant U.S. Attorney Alphonse Andrews said Schoenbohm probably will spend no
more than eight months in prison since all three counts are similar and will be
merged.
Much of the evidence in the four-day trial involved people who received
unauthorized telephone calls from KV4FZ during a 1987 period recorded by the
CALLS computer. Since the incident took place more than five years ago, many
could not pinpoint the exact date of the telephone calls.
The prosecution produced 20 witnesses from various U.S. locations, including
agents from the Secret Service, the U.S. Marshals Service, Treasury Department
and Federal Communications Commission. In addition, ham operators testified
for the prosecution.
Schoenbohm was portrayed as a criminal who had defrauded CALLS out of hundreds
of thousands of dollars. Schoenbohm admitted using the service as a paying
customer, said it did not work and that he terminated the service and never
used it again. He feels that there was much political pressure to get him
tried and convicted since he had been writing unfavorable articles about
Representative DeLugo, a non-voting delegate to Congress from the Virgin
Islands, including his writing of 106 bad checks during the recent rubbergate
scandal.
Most, but not all, of the ham operators in attendance were totally opposed to
KV4FZ. Bob Sherrin, W4ASX from Miami attended the trial as a defense character
witness. Sherrin told us that he felt the conviction would be overturned on
appeal and that Schoenbohm got a raw deal. "They actually only proved that he
made $50 in unauthorized calls but the jury was made to believe it was $1,000."
Schoenbohm's attorney asked for a continuance due to newly discovered evidence,
but that was denied. There also is a question as to whether the jury could
even understand the technology involved. "Even his own lawyer couldn't
understand it, and prepared an inept case," Sherrin said. "I think he was
railroaded. They were out to get him. There were a lot of ham net members
there and they were all anti-Herb Schoenbohm. The only people that appeared
normal and neutral were the FCC. The trial probably cost them a million
dollars. All his enemies joined to bring home this verdict."
Schoenbohm had been suspended with pay from the police department job since
being indicted by the St. Croix grand jury. His status will be changed to
suspension without pay if there is an appeal. Termination will be automatic if
the conviction is upheld. Schoenbohm's wife was recently laid off from her job
at Pan Am when the airline closed down. Financially, it could be very
difficult for KV4FZ to organize an appeal with no money coming in.
The day after the KV4FZ conviction, Schoenbohm, who is the Republican Committee
vice chairman, was strangely named at a territorial convention as one of eight
delegates to attend the GOP national convention in Houston this August. He was
nominated at the caucus even though his felony conviction was known to
everyone. Schoenbohm had even withdrawn his name from consideration since he
was now a convicted felon.
The Virgin Islands Daily News later reported that Schoenbohm will not be
attending the GOP national convention. Schoenbohm said he came to the
conclusion that "my remaining energies must be spent in putting my life back
together and doing what I can to restore my reputation. I also felt that any
publicity in association with my selection may be used by critics against the
positive efforts of the Virgin Islands delegation."
Schoenbohm has been very controversial and vocal on the ham bands. Some ham
operators now want his amateur radio license pulled -- and have made certain
that the Commission is very much aware of his conviction.
_______________________________________________________________________________
AT&T Launches Program To Combat Long-Distance Theft May 13, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Virginia Randall (United Press International/UPI)
Citing the mushrooming cost of long-distance telephone fraud, American
Telephone & Telegraph Co. announced plans to combat theft of long-distance
telephone services from customers.
AT&T's program, dubbed NetProtect, is an array of software, consulting,
customer education and monitoring services for businesses. One program limits
customer liability to the first $25,000 of theft, while another ends customer
liability entirely under certain circumstances.
By law, companies are liable for the cost of calls made on their systems,
authorized or not.
Jerre Stead, president of AT&T's Business Communications unit, said, "The
program not only offers financial relief to victims of long-distance fraud.
It also gives our customers new products and services specifically designed to
prevent and detect fraud."
Long-distance calling fraud ranges from a few dollars to the hundreds of
thousands of dollars for victims. The Communications Fraud Control
Association, an industry group, estimates long-distance calling fraud costs
more than $1 billion a year, said Peggy Snyder, an association spokeswoman.
NetProtect Basic Service, offered free with long-distance and domestic 800
service, consists of ongoing monitoring around the clock for unusual activity.
The company will start this service this week.
NetProtect Enhanced and Premium services offer more customized monitoring and
limit customer liability to $25,000 per incident or none at all, depending on
the program selected.
Pricing and permission to provide the Enhanced and Premium services are
dependent on Federal Communications Commission approval. AT&T expects to offer
these programs beginning August 1.
Other offerings are a $1,995 computer software package called "Hacker Tracker,"
consulting services and the AT&T Fraud Intervention Service, a swat team of
specialists who will detect and stop fraud while it is in progress.
The company also will provide a Security Audit Service that will consult with
customers on possible security risks. Pricing will be calculated on a case-by-
case basis, depending on complexity.
The least expensive option for customers is AT&T's Security Handbook and
Training, a self-paced publication available for $65 which trains users on
security features for AT&T's PBX, or private branch exchanges, and voice mail
systems.
Fraud occurs through PBX systems, which are used to direct the external
telephone calls of a business.
Company employees use access codes and passwords to gain entry to their PBX
system. A typical use, the industry fraud group's Snyder said, would be a
sales force on the road calling into their home offices for an open line to
call other customers nationally or worldwide.
These access codes can be stolen and used to send international calls through
the company's network, billable to the company.
Unauthorized access to PBXs occurs when thieves use an automatic dialing feature
in home computers to dial hundreds of combinations of phone numbers until they
gain access to a company's PBX system.
These thieves, also known as hackers, phone freaks or phrackers, then make
their own calls through the PBX system or sell the number to a third party to
make calls.
Others use automatic dialing to break into PBX systems through voice mail
systems because such systems have remote access features.
Calls from cellular phones also are at risk if they are remotely accessed to a
PBX. Electronic mail systems for intracompany calls are not affected because
they don't require PBX systems.
According to Bob Neresian of AT&T, most fraud involves long-distance calls to
certain South American and Asian countries, especially Colombia and Pakistan.
There is no profile of a typical company at risk for telephone fraud, said
Snyder.
"Any company of any size with long-distance service is at risk," she said.
"Criminals don't care who the long distance provider is or how big the company
they're stealing from is."
She said the industry recognized the dimensions of telephone theft in 1985,
when the Communications Fraud Control Association was formed in Washington D.C.
The group consists of providers of long-distance service, operator services,
private payphones, end-users of PBX systems, federal, state and local law
enforcement agencies and prosecutors.
Janice Langley, a spokeswoman for US Sprint Corp. in Kansas City, Mo., called
AT&T's announcement similar to a program her company announced March 31.
That service, SprintGuard Plus, is available to companies with a call volume
of $30,000 a month. Sprint also offers a basic monitoring program to customers
without charge.
"We don't have minimum billing requirements for any of these services or
systems," responded AT&T's Neresian. "All the carriers have seen the problem
and have been working on their own approaches," he said.
Jim Collins, a spokesman for MCI Communications in Washington, said his company
had been conducting phone fraud workshops free of charge for customers for four
years.
_______________________________________________________________________________