The Green Sheet Online Edition
May 11, 2009 • Issue 09:05:01
Terrorism funded with stolen data
Andrew R. Cochran, founder and Co-Editor of the Counterterrorism Blog, delivered a statement dated March 31, 2009, to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Hearing, United States House Committee on Homeland Security. The statement entitled "Do the Payment Card Industry Data Standards Reduce Cybercrime?" outlined a number of instances in which stolen U.S. credit cards were used to fund terrorist attacks.
Cochran asked the subcommittee to review the evidence he was presenting and "the effectiveness of the PCI standards to reduce data breaches, identity theft and the potential funding of terrorism." He also extended an offer to assist them in that mission. The Counterterrorism Blog, with its host of experts from both the government and private sector, reports on and analyzes terrorist attacks and counterterrorism policies.
Cochran chaired a special panel in February 2009, Meta-Terror: Terrorism and the Virtual World. His statement to the subcommittee summarized information from that event and pertinent entries in the Counterterrorism Blog by its experts, including Dennis Lormel, who led the FBI's investigation into the financing of the Sept. 11 terrorist attacks. The following was included in his summary.
The plastic trail
- The 2004 Madrid train bombings and the 2005 London transportation system attack were paid for in part by credit card fraud.
- Indonesian and Jamaah Islamiah terrorist, Imam Samudra, who masterminded the 2002 Bali nightclub bombings, wrote a manifesto in prison in 2004 in which he recommended that Muslim radicals attack U.S. computers, which he described as vulnerable to hacking, credit card fraud and money laundering. That same year, Indonesian police noted that their country had the greatest incidence of credit card fraud in the world.
- Three terrorists set up shop on the Internet to provide forums, training, education, recruitment and outfitting for terrorists worldwide. They used computer viruses and stolen credit card accounts to fund the operation.
- The Liberation Tigers of Tamil Eelam financed international terrorist activities with credit card fraud.
#h4 Call for collaboration
Tom Donlea, Executive Director of the Merchant Risk Council, said, "We feel there is a need for greater collaboration from the various players involved with protecting the security of online transactions. ... There are barriers between private industries and government for collaboration, and as a nonprofit trade association, we can play a facilitating role and help increase the connectivity and collaboration. "Businesses get tired of giving information to law enforcement and government and never hearing anything back. ... A lot of [the fraud information] is originated with various government entities, and they're not coordinating with each other. So merchants have to hunt around in six or seven different places."
After his keynote address to the MRC's 7th Annual e-Commerce Payments and Risk Conference in March 2009, former U.S. Congressman, Governor of Pennsylvania and the country's first Secretary of Homeland Security, Tom Ridge, said, "When I was in the White House, Dick Clarke, Howard Schmidt and a few other people built a national strategy for cyber security. It got a little notoriety and then it was ignored."
Ridge said the fight against cybercrime won't be won without collaboration with the private sector. Theodore Svoronos, Vice President, Business Development & Strategic Partnerships with Group ISO Inc., said, "The public sector and the private sector are running parallel tracks with no intersection. ... There is a huge disconnect between the two sectors. The federal government doesn't understand our side of the industry well enough to know what's needed and how to roll it out - and how to actually monitor it." Svoronos said the government has resources to test security that the private sector lacks.
Svoronos added that there need to be greater consequences for not properly securing sensitive data. The obvious consequence of lax security is data breaches. But there doesn't seem to be a consequence for not being compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) before a breach occurs. No one is really enforcing the PCI DSS, according to Svoronos.
Ridge suggested that the government should "take the intellectual firepower of the private sector, and all that experience and all that expertise and embed it - I mean we embedded journalists fighting the war on terror - [the government ] ought to embed the private sector cyber experts into our operations around the United States to come up with a more holistic solution."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.