
13

As it turned out, Lisa was right; I did like Agent Carter. The moment Lisa and I walked into his office I recognized him as the fidgety man who asked the easy questions at the table during my interrogation. He introduced himself to me with a broad smile and a firm handshake. He clapped his hand on my shoulder as he pumped my hand. Lisa was greeted in a similar manner. The unpleasantness of two days previous was furthest from his mind. He was determined to do all he could to drive those thoughts from my mind as well.

After pulling out two chairs in front of his desk and waiting for Lisa and me to be seated, Agent Carter circled around behind his desk. Without sitting down himself, he explained that he was taking the lead on this investigation and that I would be working with him. He went on to describe his background in detail.

Agent Jonny Carter joined the FBI straight out of college. He obtained his BS degree in Political Science from Georgetown University in Washington D.C. He grew up in Maryland, not far from Baltimore. He married young and he and his wife now have two children, both girls. He is now working in the division that handles computer crime, with an emphasis on banking. Agent Carter was quick to point out that there are other groups in the FBI that handle other aspects of computer crime such as mail fraud. His group concentrates on ATM crime, EFT crime, and other aspects of automated banking. This was already too wide a focus as far as he was concerned. Too many incidents and not enough investigators. Allowing some frustration to show, Jonny said that sometimes he feels that he alone is concerned with computer crime in the banking industry.

The number of actual computer crimes is far greater than police and FBI records show, explained Jonny, still standing behind his desk. He paced back and forth and fidgeted as he spoke. He explained that the number of reported cases is low partly because victims fear embarrassment in the press. For example, banks and other financial institutions are a favorite target for hackers. However, banks base their entire business on trust. Once customers begin to doubt the ability of a bank to protect their assets, the bank is in serious trouble. Every bank must factor the reduced customer base that results from embarrassing press coverage into any decisions concerning computer crimes. For example, suppose bank X fully expects to lose about $1 million per year in computer theft. How much should that bank spend to correct the problem? There are options available to the bank, such as installing firewalls and making wiser use of cryptography, but these cost money. On the face of it, it would seem that $5 million is quite reasonable; the bank can expect the solution to ``pay for itself'' within a few years. However, this fails to take into account the very real losses that result from admitting that there is a problem in the first place.

Fixing a problem requires first acknowledging that the problem exists. Acknowledging that a hacker problem exists results in a severe drop in public confidence. Once lost, public confidence is very hard to regain. It may take several years, even after the new remedies are in place. The loss is made all the worse if all other banks continue to deny the problem exists, thereby making the one honest bank appear to be sloppy and vulnerable when in fact exactly the opposite is true!

Lisa pointed out that the area that is most vulnerable is the Internet. Everybody is racing to move serious applications and businesses to the Internet and nobody is willing to wait for strong security to be incorporated into the Internet Protocol (IP). Instead, most proponents of Electronic Commerce prefer to downplay the risks and fool even themselves into complacency.

Agent Carter agreed. The Internet will never be free of hackers, he said. Even if stringent laws are passed protecting privacy and integrity on the net, without a technical solution that prevents such activity, we are reduced to relying upon deterrents. And deterrents alone are unlikely to solve the problem, no matter how harsh they may be. Students, being the free spirits they are, young and anxious to learn through experimentation, will continue to tinker with the net in every manner they can.

I pointed out that it is hard to distinguish ``innocent'' probing from malicious hacks. For example, the traceroute command looks like a suspicious attempt to use source-routing for a man-in-the-middle attack. Often an apparent attack --- one that sets off alarms in a firewall --- is nothing more than an innocent mistake by a naive user who isn't familiar with the application he or she is trying to run (e.g. a first-time user of telnet). This is one of the greatest challenges in firewall design.

``That's right,'' Jonny agreed. ``I don't know the technical details, but I can appreciate what you are saying Carl. This is what makes my job so tough.''

Jonny explained that it is not at all unusual today for a systems administrator to correct a problem when an attack occurs but not bother investigating the actual crime. Very few people make even a feeble effort to find the culprits. It is simply too costly. It took Clifford Stoll the better part of a year to track down the hacker he first detected on the machines at Lawrence Berkeley labs in 1988. Tsutomu Shimomura succeeded in tracking down Kevin Mitnick in only a couple of months, but he had the help of numerous people and he himself worked on the case full-time (and even over-time) during those months. Shimomura was relentless. A corporation, faced with the option of spending many person-months pursuing an intruder, with a very real possibility that the culprit will turn out to be a prankster trying to impress his cronies or girlfriend, is more than likely going to choose to repair the damage and get back to the business of making money. Even a very diligent company, one that opts to pursue an intruder, is going to have difficulty enlisting the help of other companies and organizations. For example, if the intruder is traced back to a university, the systems administrators at that university are more than likely to be somewhat jaded; no doubt they receive complaints about hacking on a regular basis.

Jonny tapped his pencil on his knee as he said this. He had a good point. I was in complete agreement. The benefits to tenaciously pursuing an intruder are even more questionable when one considers the possibility that the intruder may not be an American. Dealing with the myriad of foreign laws, and lack of laws, can be more trouble than it is worth. When researchers at AT&T traced a hacker on their system back to a Dutch computer, they discovered that hacking was not a crime in the Netherlands. There was little AT&T and numerous other victims in the USA could do. It was not until after Dutch companies began to fall prey to hacking that the Netherlands officially recognized computer crimes. Buferd, as the AT&T hacker had been dubbed, was eventually arrested by police in the Netherlands.

Given this environment, it is far more prudent to concentrate on prevention rather than detection. Detection does little good if nobody is motivated to investigate. And, because nobody is motivated to investigate, it is foolish for a cautious company to rely upon the security practices of other organizations. Instead, a cautious company should take measures that can be taken unilaterally. Fortunately, there are substantial measures a single site can take on its own. A good firewall is a start... but only a start. For any sensitive data that leaves the site, cryptography can be used to protect the data from prying eyes and also to protect the data from tampering or mis-use. In this way, the cautious company can prevent trouble before it ever occurs. Both the high cost of investigations and the small reward for successful investigations become a moot point.

Jonny straightened abruptly as a heavy-set woman with wavy dark hair walked into the room. She had olive skin and a wide mouth. Her lipstick was dark red, her eyes brown and penetrating. She appeared to be in her forties.

``Is this him?'' she asked Jonny curtly. He nodded.

``Hello Mr. Raymond,'' said the woman as she turned to face me. ``My name is Agnes Brown. I am Agent Carter's immediate superior. In a few moments we will be joined by the chair of the American Bankers Association. We have a few questions to ask you. Our conversation will be recorded. I expect your full cooperation.'' She turned and walked behind Jonny's desk. She sat down in the seat that Jonny vacated when she entered the room.

I nodded my head once in reply and remained silent. This woman was all business. Had I not spoken to Jonny first, Agnes Brown would have reinforced my image of the FBI: cold, impersonal, aloof, arrogant, and still enthralled with 1960's technology. My conversation with Jonny had gone a long way in dispelling that image. He was not at all what I would have expected from an FBI agent. Far from being a technically inept policeman with pretensions of being an expert on computer crime, he was both knowledgeable and well aware of the limits of his knowledge. For the first time I appreciated the difficulty that he and his brethren have when trying to enforce conventional laws in a new and rapidly changing environment. I understood and sympathized with his frustration over the task of investigating crimes that nobody, not even the victims, are motivated to solve. Very few people fully grasp the seriousness of these crimes and fewer still have the energy to investigate them.

I had already decided that I would do all I could to help Jonny at the point when Agnes Brown strode into the room. After talking to Jonny, my motivation grew beyond self-preservation. No longer was I only concerned with staying out of jail and staying close to Lisa's pretty face. Now, for the first time I had more honorable motives. Somebody was stealing large amounts of money from a US bank and there was a good chance he would get away with it. The FBI was ill-equipped to handle the case, not because of any short-comings on their part, but because of a general lack of concern in society and because of a lack of earnest effort by the banks. I was now determined to do all I could to help Jonny solve this case.

A young blonde receptionist tapped gently on the open door. She had a pencil tucked in her hair behind her ear. Her winged bangs hung down to almost cover the glasses she was wearing. She looked at Agnes and said, ``Mr. Templemeyer with the ABA is here.''

``Fine Ms. Reynolds. Show him in,'' came the curt reply. Then, when a tall slender man with grey temples and short blond hair on his crown stepped in the room, Mrs. Brown stood up and walked around to the front of Jonny's desk.

``Hello Mr. Templemeyer. Nice to see you again,'' she said while extending her hand and shaking his. He wore a light grey suit. His tie was navy blue but appeared almost black in contrast to his white shirt. He appeared to be in his early sixties. There were crows-feet on the outsides of his eyes, which lent an amused twinkle to his features. His manner was amiable and unassuming.

After the introductions and brief pleasantries were over, Agnes explained that Mr. Templemeyer had requested the meeting so that he might learn first-hand all that I had uncovered. He wanted a full explanation of the money mill. I told him the story from the top, beginning with my initial observations on the 11th. I explained how, because First Chicago Trust sent error messages for all of the EFT's from Bendix of St. Louis on that day, Bendix re-sent the EFT's the next day, on the 12th. This meant that First Chicago Trust got three copies of all of the EFT's: the legitimate copies which First Chicago rejected as part of their delaying tactics; my copies which followed close on the heels of the rejected copies; and the copies sent by Bendix the next day in response to the error messages from First Chicago.

``What did First Chicago do with all of these copies?'' asked Mr. Templemeyer.

``Because the versions I sent were the first ones to arrive after the supposed transmission error, they were the ones that were accepted by First Chicago Trust. My versions were the ones that actually caused money to change hands.

``The copies sent by Bendix the next day were replays of EFT's that had already been processed and, save for the two EFT's on Ms. Cryer's account, they were rejected.''

Templemeyer furrowed his brow and looked at the ceiling for a moment. He lowered his head and nodded toward Lisa. ``And we still don't know why those two transfers on this young lady's account made it through twice?'' he asked.

Lisa answered. ``We know that somebody forged those EFT's; they did not originate from Bendix of St. Louis. And they certainly do not represent legitimate payments I made or received.''

``Right,'' I added, ``somebody has found a way to forge the message authentication codes used in funds transfers. We don't know how they are doing it. As unlikely as it seems, he or she may have found a way to crack DES. DES -- the Digital Encryption Standard -- is a widely used encryption algorithm. So long as adequate key sizes are used, it is believed to be very strong, with no known weaknesses to speak of.''

``How vulnerable is the banking industry if DES has been cracked?'' asked Templemeyer.

``Very. It forms the basis of EFT security.''

He took this news well. He nodded his head slowly and turned to Agnes. ``Do you have any leads?''

``We have some. Our team has made progress since the last update I gave you, but it is not something I'm prepared to discuss at this time,'' she said as she glanced in the direction of Lisa and me.

There was an awkward silence that followed. Templemeyer eased the tension by asking for clarification on some points. ``Why did the forgeries go through when the legitimate EFT's didn't?'' he wanted to know.

``Well,'' Lisa began, ``since those EFT's were forged and inserted into the message stream by the hacker, when Bendix got the error messages from First Chicago, those forged EFT's were not included in the batch of repeated transmissions. From the vantage point of workers at First Chicago, it appeared as if somebody had tried to duplicate all the EFT's except two. There was Carl's set of messages, which included all the EFT's including the forgeries, and there was the Bendix re-transmission, which included only the legitimate EFT's that Bendix actually created. The duplicates were easily spotted and rejected, but the non-duplicated EFT's --- the forgeries --- were accepted. The fact that these two EFT's were the only ones that weren't duplicated focused attention on them. These are the two transfers that netted about $17,000 into my account. That focused attention on me.''

Templemeyer nodded slowly. ``OK, so the point here is that the forged EFT's were not treated in the same way as the legitimate ones when Bendix tried to correct for the errors reported by First Chicago. I can understand that.''

``And,'' Lisa continued, ``since the hacker thought that his EFT's had been rejected by First Chicago, he did not bother following up with a second batch of EFT's to withdraw his money out of my account and move it on to another account. Normally he leaves the account balances unchanged and only passes money through accounts.''

Now Templemeyer was confused again. ``How does the hacker profit from this?''

``The hacker profits on the float,'' Lisa explained.

``What does that mean?'' This time it was Agent Carter that was puzzled.

Lisa smiled. This is the question she was waiting for. ``It means that the hacker is profiting from the flow of money. We are certain that somewhere in the tangle of bogus EFT's, there is a bank account owned by the hacker and that he is earning interest on continuous 24-hour loans. By routing large amounts of money through his bank account, the hacker collects interest. By making sure that he returns the money quickly, and by borrowing only a small amount of money from any individual account, the hacker ensures that nobody misses their money. By using error-correcting EFT's, the hacker avoids leaving any evidence on customers' monthly statements.''

Lisa looked around the room to make sure that her point had sunk in. It had. Jonny whistled softly. Templemeyer nodded slowly to himself. Agnes was not as impressed.

``Surely it is an easy matter to determine which bank account is the focal point for all of the bogus EFT's,'' she snapped. ``We can put a stop to this soon enough.''

``It isn't that easy,'' said Lisa. ``The hacker is quite clever and has obscured his activities by generating thousands of decoys. It is hard enough to recognize a bogus EFT --- because they are perfect forgeries --- without the added complication of chasing down false leads caused by decoys. It simply takes too long to track down every bogus EFT and trace the flow of counterfeit money.''

``That problem is easily solved,'' Agnes interrupted. ``I can assign more people to the case.''

Lisa shook her head. ``There are too many. Tens of thousands of bogus EFT's daily, only a small fraction of which will lead to the hacker. Some of the EFT's are for only a few pennies. In many cases a single deposit is separated into several withdrawals. For example a deposit of $500 might be balanced by five withdrawals of $100. Now tracing one route through the banking network becomes a matter of tracing five routes. A few more splits like that and very soon we find ourselves tracing hundreds of routes just to see what happens to the original $500. And it isn't like there is an obvious place to start looking. In that last example, the original $500 EFT is part of a larger loop. Keep in mind that very rarely is money stolen... only borrowed.''

Jonny leaned back in his chair and twirled his pencil in his hand. He fumbled it. As he leaned forward to pick it up he cleared his throat to speak. He directed his comments toward me.

``Can't you write a program to track the money through the system?''

``We have,'' Lisa said before I could respond. ``But the sheer number of paths the money takes is too much even for a computer to track. Path enumeration in a graph is an NP-complete problem.''

She was met with blank stares. Struggling to find the right words, she pressed on. ``We have written a program to trace the flow of illicit money through the system, just as you suggest, but it is unlikely that we will ever uncover anything. The millwright is smart enough to use lots of decoys. He must be using a computer himself to generate the decoys and to route them through the system so that they move money in long convoluted circles. The money is divided and re-combined in complex patterns. Our program might never find the millrace no matter how long we let it run.''

The amused twinkle returned to Templemeyer's eyes despite the gravity of the situation described by Lisa. ``The millwright?'' he asked. ``Did you say millwright Ms. Cryer?''

Lisa smiled sheepishly and shrugged her shoulders. She glanced at me, embarrassed. I straightened up and came to her support.

``It is the name we have given the hacker,'' I explained. ``The flow of small amounts of counterfeit money throughout a complex network, with profits derived from the carefully engineered redirection of the flow, conjures up the image of a water mill. The bank accounts where interest payments are collected by the hacker would be analogous to the water wheel. A millwright is a person that runs a mill. A millrace is the chute that directs water over the wheel.

``We need to find the millrace. Find that, and we can find the water wheel --- the bank account owned by the millwright.''

``I see,'' Templemeyer said with some amusement. ``You people have been investigating this matter for some time I suppose. You seem to have a good understanding of the nature of the crimes. How do you propose we go about solving this case?'' Then, with a light chuckle, he rephrased his question. ``How do we find the millrace and thereby expose the millwright?''

``The program Lisa mentioned is a start,'' I said. ``However, as Lisa said, it is a long-shot. An NP-complete problem is a computer problem for which there are no known efficient solutions. Tracing money throughout the EFT network happens to be an example of such a problem. If the money we are tracing is divided into several separate transactions before it is moved to the next account, and then if each of those transactions is divided still further before being routed to the accounts after that, then the number of paths that we must trace increases dramatically in very short order. If the millwright divides transactions into ten parts each step of the way, then after tracking the money through four such divisions, we are up to ten thousand paths. It is even worse than that because the forgeries are indistinguishable from the real EFT traffic. It is like following a gallon of water as it flows down a river, where the river splits, joins other rivers, reunites, splits again, and so on. Like the gallon of water, bogus EFT's are indistinguishable from real EFT's. Like the gallon of water, the money of the original EFT is separated, with a few pennies going here and few pennies going there.''

``But then how can the hacker keep it all straight?'' asked Agnes, letting her exasperation show as she threw her hands in the air.

``I don't know,'' I replied. ``He must be using a computer to orchestrate the whole thing. The decoy paths are generated by a program. I am certain of it. It is easy to write a program to generate an NP problem --- solving one is the tricky part.''

Templemeyer's face turned pale. ``Are you telling me that this is unstoppable? Is that what you two Computer Scientists are saying? Is there no way to track down the counterfeit money?''

``Not that I can see.''

``I... I don't think anybody at the ABA anticipated an attack which uses computers to such a degree. Hundreds, no thousands of forged transfers occurring daily! Most of them mere decoys to obscure a small number of profitable counterfeits... and even those are laundered through many different accounts...

``How long has this been going on?'' he asked imploringly.

``I don't know,'' I replied curtly. I feared that it had been going on for a long time. Why not? It was the perfect crime. We would still be ignorant of the entire matter if not for the triple coincidence of my replays, the delay scam, and the mill. It was the interference pattern of these three separate attacks that led to the detection of all three. Without the other two, any one of these attacks would have gone undetected. This is especially true for the money mill, for it was disguised in a truly ingenious manner.

``For all we know the mill has been running for years,'' I said. This news brought out muttered curses from everybody in the room. Templemeyer was near panic. He turned to Agnes.

``What do we do?''

Agnes refused to be rattled. Her reply was calm and her thinking clear. ``If Carl is right and this criminal activity has been taking place for a long time -- maybe even years -- then there is no immediate threat. We have survived thus far while the mill is in full swing; we can survive a while longer. If computer-aided investigation won't work then we must try more conventional forensics. This we are already doing. I will have Mr. Levinski brought in for questioning. Clearly he has a great deal of information to share with us. Carl, I want you and Lisa to sit down with Agent Carter and give him a full briefing. I was told that you have a second computer program that is also supposed to help with the investigation; be sure to give Agent Carter a full explanation of both programs. He is an expert in computers.''

She leaned over her desk and looked around the room at her make-shift team. One FBI agent, one scared banker, and two computer geeks. If she was disappointed with what she saw she did not let it show. Her clenched fists pressed against her desk-top as she used her straightened arms to support herself.

``I want to get to the bottom of this... now! Let's move quickly on this. Templemeyer, I'm going to take this matter up with Samuelson and I want you in attendance.''

Templemeyer nodded and wet his lips. He still had not recovered from his shock over the gravity of the situation. Agnes slammed a fist on her desk. She turned to me as she continued to issue instructions.

``Carl, I want you and Lisa to get those programs running as soon as possible. Carter, make sure they have all the hardware they need. Also, talk to Agent Peterson and arrange for a trip to St. Louis.''

The lethargic behemoth had been prodded out of apathy. The government had been awakened. The FBI was in full gear now. This would be one electronic banking crime that would not go unreported. The FBI would have their chance. This crime was too large for banks to ignore, too great for banks to bear the cost without working to prevent repeat episodes.

I was filled with renewed hope. No longer would I have to illegally eavesdrop on conversations to collect information. No longer did I have to fear every pedestrian on the sidewalk and every slow moving car. Everything was in the open now. With our new alliance, the FBI, Lisa, and I would undoubtedly make substantial progress.

