
21

I would have liked to have slept in the following morning but that was not an option. I was awakened at 6:30 by the telephone beside my bed. It was Fisk's secretary, informing me that I was to report to his office at 8:30. That left me just enough time to pull myself out of bed and prepare a quick breakfast before walking down the street to catch the bus to downtown Chicago.

As it was, I was late, arriving at the FBI building at close to 9:00. Still bleary eyed, I mumbled my name to the receptionist and was escorted without comment to a large conference room at the end of the hall. I still had not fully recovered from the previous day's mad dash across town with Lisa at the wheel of her off-road Mustang convertible.

Nobody seemed to notice my tardiness, as a large number of people had been requested to attend the debriefing and many of the others were late too. Lisa was already there by the time I had arrived however. The attendees included all of the people that had been at the meeting in D.C. Rudy Levinski was there, sitting near the back. I later learned that each and every person that was aware of the money mill was in attendance, with the exception of the President and his cabinet. The main message that was conveyed at the meeting was that no part of the entire incident would be released to the public. Anybody who leaked word of the EFT crimes to the press would be treated in a manner in accordance with the importance of the secrecy of the entire affair. Nobody dared to ask what this meant, especially me. I feared that I would be the prime suspect if there were a leak. Everybody knew that my involvement was not due to a professional obligation nor my political stance. Or, to be more accurate, my involvement was due to my political stance on computer security, but that initial involvement was more closely related to the crimes rather than the shutting down of the mill. I said very little during the entire debriefing, speaking up only when Samuelson stated that we had entered a new era; law enforcement can no longer preserve public safety. This sounded too much like a lead-in to the argument for key escrow. It was at this point that I interjected into the proceedings. Far from being cause for trepidation and consternation, the shift to electronic banking should be reason to be optimistic. If deployed carefully and responsibly, digital messaging systems and Electronic Commerce can be far more reliable than more conventional means of conducting banking and business. With digital commerce, we have a theoretical basis upon which to pin our confidence.

Digital signatures are unforgeable without access to the private key. The private key can be stored on tamper-resistant smart-cards such that nobody --- not even the cardbearer --- can read the key off the card. The signing functions are implemented in hardware on the card. Modern public-key cryptography can be used for key-exchange in a way that avoids the sort of attack used to run the money mill. Indeed, in the modern era of cryptology, there is little justification for continued use of shared-key key-exchange protocols such as X9.17. It would behoove the ABA to give serious consideration to a public-key-based protocol for key exchange.

To further avoid future trouble in the EFT network, the member banks should employ secret-sharing procedures. Secret sharing is similar in concept to the procedures for launching nuclear weapons where two officers must simultaneously insert physical keys into keyholes on opposite sides of the room. The idea is that neither officer can unilaterally make the decision to launch; it requires the full cooperation of both officers. Cryptographic key-sharing divides a key into several parts and entrusts different people with each part. Knowing only one part of the key is of no practical value toward the reconstruction of the key. Secret sharing is based upon strong cryptographic theory, enabling cryptologists to prove with mathematical rigor that knowledge of only a limited number of key-shares is useless. Not only would this have prevented Susan Ignassi from causing all the trouble she did, but even a renegade bank president would be unable to obtain his own bank's master key without the cooperation of other officers of the bank. Susan Ignassi was able to learn the key-encrypting key used by Fourth Nationwide Bank of California because of her position as a manager of the security department. Agent Jonny Carter had diagnosed part of the problem correctly; Ignassi provided compelling evidence of the danger of the NASA syndrome in international banking. Without secret-sharing procedures to eliminate the possibility of any one individual learning the entire master key, the banking industry is vulnerable to dishonest security officers. Combined with the sloppy procedures and lax attitudes in these same banks, it appears that Susan Ignassi is not an anomaly.

Digital signatures and secret-sharing are not the only recent advances in cryptology. Zero-knowledge proofs make it possible to establish that a remote party knows a secret without either party ever divulging to eavesdroppers what that key is, all without the use of encryption! These only touch upon the surface of the tremendous volumes of powerful new information-sharing and information-protection features that are now achievable using modern cryptography. We live in an era with great reason for confidence. Ours is a time of exciting potential. Information is something to be held sacred. There is no pursuit more noble than the pursuit of knowledge and information. Key-escrow and export limitations on cryptographic tools only hinder the free exchange of information over public networks.

All of this assumes that strong cryptographic tools are used. Fortunately, such technology is available today. Very strong encryption algorithms are widely known and easy to implement. Admittedly, perfect security is not obtainable, but very good security is. We live in a time where the cost of security grows at a rate similar to a logarithm function. At relatively little expense it is possible to deploy very tight information protection. Additional dollars beyond that initial cost have a low marginal return. The result is that even small enterprises can implement strong encryption and only extremely powerful entities, such as the NSA, can develop encryption algorithms that are significantly stronger than the status quo.

Development of good cryptographic protocols is a different matter. Unfortunately good protocols are closely tied to the applications they serve. This makes it harder to deploy them widely and defray costs. For this reason the weakest component of most cryptographic systems is the protocol. It is not surprising that the money mill exploited a weakness in X9.17 and not a weakness in DES. DES has been submitted to more extensive analysis and has been field tested in far more systems than has X9.17.

The solution is two-fold. First, a basic level of protection should be built into infra-structure. There is no reason why we, as consumers, should accept insecure digital communications. Every cordless phone and cell phone should support encryption. The Internet should have strong authentication and privacy. Phone cloning and eavesdropping are preventable. IP spoofing is preventable.

It is absurd for phone companies to spend millions to monitor cell-phone traffic and discontinue accounts with sharp changes in calling patterns. It would be far better to spend less and actually solve the problem.

Second, we must recognize that the supply of cryptographic products is market driven. Until consumers recognize the need for better protection, and until consumers learn to distinguish true protection from the silly platitudes of companies like Pseudo-One, we will continue to get the same slip-shod systems. It is time to start paying the developers and stop paying the insurance companies and those in the legal or law enforcement professions. The tools and technology are available to prevent hacking; let's start using them. No longer must we live with the threat of another money mill or a disaster of the magnitude of Weld's hypothetical scenario. Internet E-mail can be elevated to a status better than that of a simple postcard. We should not have to change cell-phone numbers every few months.

To use strong encryption we have to be willing to pay for it. The principal cost is protocol development and protocol analysis. Excellent encryption programs are cheap (even free) and readily available, but current market research leads all but a few companies to opt for off-the-shelf solutions that either use a protocol originally intended for some other purpose, or else use a half-baked protocol developed by novices. Due to the extreme sensitivity of security properties in cryptographic protocols, a solid off-the-shelf cryptographic protocol is very nearly a contradiction in terms. The money spent on development of a security protocol should be proportional to the size of the threat. Lisa, Rudy, and I were able to detect the mill in a week. With the help of the NSA, the FBI, and the Information Security departments of two banks, we were able to crack the case and arrest Ignassi in less than a month. This is good evidence that the X9.17 flaw that made the mill possible was avoidable. In one night of analysis I discovered the flaw. Had the ABA recognized that protocols are the single most likely point of failure in a cryptographic system, and had they put an appropriate emphasis (e.g. time and money) into design and analysis of X9.17, then the flaw would have been discovered early on and it would have been repaired before any thefts were carried out. Our banking infra-structure was on the brink of collapse not because the flaw was too subtle to be found ahead of time, but because those in a position to do so did not appreciate the likelihood that such a flaw might be there to be found. I have no doubt that next time they will be more careful.

Even after it is repaired, it is important to recognize that X9.17, like any cryptographic protocol, is very sensitive to the trust model and the operating environment. X9.17 was designed for wholesale banking. Using it for any other purpose requires careful analysis to validate it for the new purpose. If X9.17 is used in an environment where there is open hostility between some members of the network, the flaw that made the money mill possible becomes even more ominous. The design specifications for X9.17 state that key exchanges between parties A and B should be protected from tampering and eavesdropping by C, even if C is a legitimate member of the network. Because of the flaw, this property does not hold. Luckily, the protocol appears to protect key exchanges from entities outside the network (i.e. you and me). Susan Ignassi was an insider and already had legitimate access to the master key for one bank in the network.

I am troubled when I see a protocol that was designed for one purpose being deployed for an entirely different application. The 1992 NIST recommendation that X9.17 be used for all government applications is unwise. Such recommendations should be made only after a very careful study of the protocol... the sort of study that surely would have uncovered the money mill flaw. The use of X9.17 in DES modems is questionable for the same reasons. The argument that ``it is good enough for banking applications so it must be good enough for your applications'' does not hold water. With such careless attitudes we were lucky the mill had not been even more damaging. We are lucky that Weld's scenario remains hypothetical.

My attention returned to the meeting when somebody asked Samuelson what would become of Susan Ignassi. Samuelson explained to the audience that she would be fired for misconduct and accused of international banking crimes. The FBI was seeking, and expected to get, a plea-bargaining arrangement so that the case would not go to trial. Allowing the case to go to trial would make it difficult to suppress the extent of the EFT counterfeiting and the possibility of economic catastrophe that was very nearly realized by Ignassi's crimes. The US government was unwilling to allow this to happen, and had the support of numerous other governments.

As it turns out, the FBI profile was not far off the mark. They had erred only in failing to consider that the millwright might be the mother of the man for whom they had developed their profile. George Ignassi was the son of Susan Ignassi. George, who was 29 years old, had a PhD in Number Theory and studied cryptology at Rice University. His undergraduate degree in Computer Science was also from Rice University. Single and living in San Jose, George's social life fit the FBI profile of a computer geek. He had few friends and tended to spend most of his free time alone in his apartment playing with his computers. He worked for a small computer security company that sells DES modems.

It was George that discovered the X9.17 flaw and told his mother. At first Susan tried to alert her superiors of the flaw, but she was met with warnings that if she wished to continue to work in banking security it would be in her best interests not to stir up trouble. The banking industry was far too heavily reliant upon X9.17, she was told. Revisions to the protocol are a slow and tedious process. Susan's superiors explained that by informing them of flaws, she was doing the bank a disservice, for now Fourth Nationwide Bank of California could not claim ignorance of the flaw in the event of a lawsuit.

For several years Susan did nothing more about the flaw. Apparently, George too, did nothing. But when George lost his life a year ago in a car accident, Susan's attitude about many things changed. It had been raining heavily when George's Geo Metro was struck head-on by a Dodge Ram, but rain was not the cause of the accident. The driver of the Ram was charged with Driving Under the Influence. He was not charged with involuntary manslaughter. Evidence that George may have been speeding, as well as the high standing in the community of the defendant, quickly quieted state prosecutors who might have otherwise pressed more zealously for manslaughter charges. The driver of the Dodge Ram was a popular sports figure and had already expressed remorse. Susan had been in attendance the day the hockey hero limped into the courtroom for his DUI hearing. His left leg was still sore from the accident. There was some concern that he might not be ready in time for opening day later that month. Team officials said that he would be 100% for the playoffs.

When the team made the playoffs eight months later, Susan did not watch. She never watched another hockey game after the accident. Alone for the first time in her life, Susan had no parents, no husband, and no son. The digital money mill was devised during the hockey playoffs that year. The mill was in operation just five weeks later. It was motivated partly as a tribute to the discovery of her late son, partly out of bitterness toward her superiors, and partly out of selfishness.

She seeded the mill with money stolen from the accounts of several hockey teams. Later she went after other sports teams. She was able to run the mill for a full year before anybody was even aware of its existence. Then, after twelve months of gradual escalation, her downfall was brought about by the serendipitous concurrency of three separate attacks on the EFT network. By that time the millrace had spread to include numerous individual accounts in nearly every bank in the network. And yet no alarms were triggered. Nobody noticed the thefts, for no individual person or institution was disproportionately harmed; money was created in the form of interest payments on a massive number of negligible loans... surreptitious loans.

The FBI estimates that Ignassi was accumulating about $300 a day in interest payments. Nobody is sure, but the FBI believes that over the lifetime of the mill, the cumulative thefts amounted to nearly $250,000, with most of the money acquired in the last three months.

Samuelson informed us that Susan Ignassi would not be going to jail for her crimes (a trial would make it impossible to bury the incident). This did not give me satisfaction. Her sex was not the only attribute of Susan Ignassi that did not fit my mental image of the millwright. I had envisioned our adversary as the very embodiment of evil. Now, far from being a devious and sinister member of the under-world, Susan Ignassi was an unhappy widow with no surviving children. Pilfering pennies out of the bank accounts of countless innocent people had been her way of lending credence to the unheeded warnings of the son she lost.

I could not help but feel empathy for this woman I had never met... and never will meet. Samuelson had pulled me aside before the meeting and told me that the government would appreciate it if I refrained from any communications with Susan Ignassi. He said that while the FBI now realized that I had not played a part in the money mill, they would not be disposing of my file. He said that my ``liberal political stance and tendency to play computer hacking games'' were sufficient cause for the FBI to continue to keep tabs on me. He did soften this message with a faint smile and a congratulatory handshake for the uncovering of the money mill.

The FBI was not the only agency in my own government to treat me with a dichotomous mix of distrust and friendship. My friends at the NSA thanked me for my services by confiscating my machine. They had already removed it from my apartment by the time I got back from Jonny's office the day before. This seems to be the reason Lorenzo directed Lisa and me back to the FBI building after we gave him the updates for BIF. Apparently the FBI got court approval to enter my apartment at the same time they got approval to arrest Ignassi. They weren't taking any chances that Lorenzo had left some inadvertent tell-tale evidence of the manner in which he broke through my firewall. Lorenzo must have used some top-secret methods that the NSA does not want leaking out to the public. There isn't much point in protesting; I don't have any room to negotiate. The NSA reminded me that everything that had occurred in the last month goes in the ``never happened'' category. The strange interruption to international banking that occurred on July 31st was blamed on a computer error at a key exchange center. There was no mention of any wrong-doing. In fact, when one TV station inquired if there had been any thefts that may have been caused by the computer error, the ABA released a strongly worded statement claiming that no money was stolen from any accounts and that no funds were in jeopardy at any time.

The backlog of funds transfers that would normally have been sent on July 31st were sent the next day instead. All banking activity returned to normal. The only difference is that the Key Translation service for X9.17 is no longer offered. All banks must use the Point-to-Point Environment or the Key Distribution Environment. Those banks that had been using the Key Translation Environment were forced to switch over to the Key Distribution Environment. Since the key distribution service places no additional operational requirements on the participating banks, this is an easy switch to make and even these banks were able to resume normal EFT operations the next day. The public would remain forever oblivious of the peril that the banking infrastructure had suffered just days before. The United States had been brought to the brink of economic collapse. People that just days before had stood at the precipice and witnessed the near-plunge, filed slowly out of the room. The debriefing was over. There were only fifty of us, not counting the President and his cabinet. And it would remain fifty forever more. This was the theme that was emphasized most heavily in the debriefing: tell no one. Not ever.

As I walked out of the debriefing room with Lisa, neither one of us spoke. The meeting had ended on a somber note. We had been the first to leave, exiting quietly and promptly after the meeting concluded. While I considered several of the people in that room my friends, I was not sure I wanted to play in their world. Too dark, sinister, and secretive. Lisa and I walked down the empty hallway side by side. Lisa pushed the button to summon the elevator. The elevator doors opened and we stepped in. Lisa pressed the button for the lobby. The doors shut. She heaved a great sigh. ``I want to forget everything and everybody from the last month,'' she said. ``If I never see another FBI agent in my life I'll be happy... although Jonny was kinda cute,'' she added with a smirk. Then her face contorted back into one of complete exhaustion. ``It has been exciting, I must admit. Nonetheless I'm glad it is over.''

As we stepped out of the elevator I suddenly realized that it was indeed over. Lisa and I would be going our separate ways. Apparently she was in a hurry to resume the life she was living a few weeks prior, before I interfered with her financial transactions. We had come together due to a coincidence: hers was one of the accounts that the millwright had selected on July 11th; and it was on that same day that I decided to study EFT error-handling procedures at First Chicago. Now, that which had brought us together was resolved.

``I guess this is it,'' I offered.

``Yup. Finally! Now everything can return to normal,'' she replied.

Yes, normal. The last few weeks had been wild; it would take me a while to settle back into my old routine... I was going to miss her.

``It was nice meeting you...'' I let the words trail off.

She cocked her head to one side and adjusted the flap on her collar with her left hand. I tried to read her expression but couldn't. Was she sorry to be saying goodbye? Her comments and attitude in the elevator would lead one to believe that she was all too happy to part ways.

``Well...'' I didn't know what to say next. I took a few steps toward the door.

``Uh... Carl,'' she said. ``Where do you think you're going?''

``Umm... I dunno.''

The corners of her mouth twitched upward in a hint of a smile while her eyes sparkled with obvious amusement. She stepped closer. Her hand slipped behind my head and her fingers slid up my neck and into my hair. She gently brought my head down to hers. Her lips gently brushed against mine. They were warm, her breath warmer still. I reached out and wrapped my arms around her midriff. She pressed her abdomen against mine; I hugged her tighter. Her flesh was firm and yet it welcomed the pressure from mine. Her breathing came faster.

Ding!

The elevator doors parted wide. I felt Lisa's frame stiffen as she straightened up. I ungrasped my hands and let my arms fall away from her waist. She busied herself straightening the front of her blouse. A man I did not recognize stepped out of the elevator, glanced in our direction, nodded his head slightly, and walked on by and out the revolving door. Lisa looked up at me and smiled sheepishly.

``Well, where are you headed Mr. Hacker-Cracker?''

I didn't know. I had no plans; I had not looked ahead beyond the resolution of the money mill.

``Uh. I'm following you... umm... wherever you go.''

``In that case, you're heading to Carl Raymond's apartment,'' she said. ``He is a good friend of mine... one that I would like to get to know better.''

We walked through the revolving door together and out into the sunlight. It was early August in Chicago. The sky was cloudy but bright; it looked as if it might rain but it was more likely to remain clear. A gentle breeze kept the temperature in check.

Months later, far away, an electronic signal was racing through a phone wire, up a satellite link, back down, and through a T1 line into an X9.17 Key Translation Center in Atlanta. The signal was interpreted as a bit-stream and was separated into a series of fixed-length fields. It was an RFS (Request for Service) message. The ORG field indicated that the sender was a bank in Germany. Curiously, the KD field was not notarized as the newly revised protocol required. The message was rejected.

Moments later another RFS message was received by the same center in Atlanta. This one also appeared to originate from Germany. This time the KD field was notarized, but curiously the MAC had not been computed properly. The authentication procedure failed and the message was rejected.

Shortly thereafter a third message was received by the Atlanta key center. By this time German authorities had been notified of an attempted attack on the EFT infra-structure. There were no more peculiar messages.

