                         ==Phrack Inc.==

          Volume Four, Issue Thirty-Nine, File 11 of 13

       PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
       PWN                                             PWN
       PWN              Phrack World News              PWN
       PWN                                             PWN
       PWN       Issue XXXIX / Part Two of Four        PWN
       PWN                                             PWN
       PWN        Compiled by Datastream Cowboy        PWN
       PWN                                             PWN
       PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


The Charge Of The Carders                                  May 26, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~
By Joshua Quittner (Newsday)(Page 45)

Computer criminals are after your credit-card numbers -- to steal with, sell and swap.

THE KID, from Springfield Gardens, Queens, was a carder, of course.

He was doing what carders do: trying to talk a salesman into overnight-expressing him a $4,000 computer system -- and using a stolen credit-card number for payment.

The salesman was playing right along on the phone; he had also notified a co-worker to alert the New York State Police, said William Murphy, a customer service manager at Creative Computers, who described the event as it was unfolding on a recent Tuesday morning. Murphy said that on a typical day, as many as a dozen times, carders would call and try to buy everything from modems to whole computer systems.

Murphy said that these days, the security people at Creative Computers are able to stop virtually all of them, either by not delivering the goods, or by delivering them UPS -- that's United Police Service.

He sighed: "It's amazing that they even try."

But try they do. And at other places, they're successful. Where once hacking into a credit bureau was a kind of rite of passage for computer intruders, who generally did little more than look up credit histories on people like Mike Dukakis, now computer criminals are mining national credit bureaus and mail-order houses, coming away with credit-card numbers to sell, swap or use for mail-order purchases.

Underground electronic bulletin board systems help spread not only the passwords, but the techniques used to tap into different systems.
In San Diego on April 30, for instance, police raided a bulletin board called Scantronics, which offered among other things, step-by-step manuals on how to hack into Equifax Credit Information Services and TRW Information Services, the largest credit bureaus in the nation, the San Diego Tribune reported.

"The potential for fraud is enormous, it's almost limitless," said Joel Lisker, Mastercard International's vice president of security and risk management, who noted that computer intruders accessed "thousands" of credit-card account numbers in another recent case.

MASTERCARD is putting together a task force of its bank members to address the problem, and is considering inviting hackers in to learn what they can do to tighten up computer access to credit bureaus, he said.

Mastercard estimates it lost $57 million to counterfeit scams last year; Lisker said it is impossible to say how much carders contributed. But based on the volume of arrests lately, he figures carding has become a big problem.

"It's kind of like a farmer that sees a rat," Lisker said. "If he sees one, he knows he has several. And if he sees several he knows he has a major infestation. This is a major infestation."

"It's clearly something we should be concerned about," agreed Scott Charney, chief of the U.S. Justice Department's new Computer Crime Unit. Charney said that roughly 20 percent of the unit's current caseload involves credit-card fraud, a number that, if nothing else, colors the notion that all hackers are misunderstood kids, innocently exploring the world of computer networks.

"Whether such noble hackers exist, the fact of the matter is we're seeing people out there whose motives are not that pure," he said.

On May 11, New York State Police arrested three teenagers in Springfield Gardens when one of them went to pick up what he hoped was an Amiga 3000 computer system from Creative Computers, at a local UPS depot.

"What he wanted was a computer, monitor and modem.
What he got was arrested," said John Kearey, a state police investigator who frequently handles computer and telecommunications crimes. Police posed as UPS personnel and arrested the youth, who led them to his accomplices.

Kearey said the teens said they got the stolen credit-card number from a "hacker who they met on a bridge, they couldn't remember his name" -- an interesting coincidence because the account number was for a next-door neighbor of one of the youths. Police suspect that the teens, who claimed to belong to a small hacking group called the MOB (for Men of Business) either hacked into a credit bureau for the number, got someone else to do it, or went the low-tech route -- "dumpster diving" for used carbon copies of credit receipts.

Indeed, most credit-card fraud has nothing to do with computer abusers. Boiler-room operations, in which fast-talking con men get cardholders to divulge their account numbers and expiration dates in exchange for the promise of greatly discounted vacations or other too-good-to-be-true deals, are far and away the most common scams, said Gregory Holmes, a spokesman for Visa.

But carders have an advantage over traditional credit-card cheats: By using their PCs to invade credit bureaus, they can find credit-card numbers for virtually anyone. This is useful to carders who pick specific credit-card numbers based on location -- a neighbor is out of town for a week, which means all you have to do is get his account number, stake out his porch and sign for the package when the mail comes.

Another advantage is address and ZIP code verifications, once a routine way of double-checking a card's validity, are no longer useful because carders can get that information from an account record.

"It's tough," Holmes said. "Where it becomes a major problem is following the activity of actually getting the credit-card number; it's sent out on the black market to a vast group of people" generally over bulletin boards.
From there, a large number of purchases can be racked up in a short period of time, well before the cardholder is aware of the situation.

While the cardholder is not liable, the victims usually are businesses like Creative Computers, or the credit-card company.

Murphy said his company used to get burned, although he would not divulge the extent of its losses. "It happened until we got wise enough to their ways," he said.

Now, with arrangements among various law enforcement agencies, telephone companies and mail carriers, as well as a combination of call-tracing routines and other verification methods, carders "rarely" succeed, he said. Also, a dozen employees work on credit-card verification now, he said.

"I feel sorry for the companies that don't have the resources to devote departments to filter these out. They're the ones that are getting hit hard."

In New York, federal, state and local police have been actively investigating carder cases. Computers were seized and search warrants served on a number of locations in December, as part of an ongoing federal investigation into carding. City police arrested two youths in Queens in April after attempting to card a $1,500 computer system from Creative Computers. They were arrested when they tried to accept delivery.

"It's a legitimate way to make money. I know people who say they do it," claimed a 16-year-old Long Island hacker who uses the name JJ Flash.

While he says he eschews carding in favor of more traditional, non-malicious hacking, JJ Flash said using a computer to break into a credit bureau is as easy as following a recipe. He gave a keystroke-by-keystroke description of how it's done, a fairly simple routine that involved disguising the carder's calling location by looping through a series of packet networks and a Canadian bank's data network, before accessing the credit bureau computer.
Once connected to the credit bureau computer, JJ Flash said a password was needed -- no problem, if you know what underground bulletin boards to check.

"It's really easy to do. I learned to do it in about thirty seconds. If you put enough time and energy into protecting yourself, you'll never get caught," he said.

For instance, an expert carder knows how to check his own phone line to see if the telephone company is monitoring it, he claimed. By changing the location of a delivery at the last minute, he said carders have evaded capture.

JJ FLASH said that while most carders buy computers and equipment for themselves, many buy televisions, videocassette recorders and other goods that are easy to sell. "You can usually line up a buyer before it's done," he said. "If you have a $600 TV and you're selling it for $200, you will find a buyer."

He said that while TRW has tightened up security during the past year, Equifax was still an easy target.

But John Ford, an Equifax spokesman, said he believes that hackers greatly exaggerate their exploits. He said that in the recent San Diego case, only 12 records were accessed. "It seems to me the notion that anybody who has a PC and a modem can sit down and break in to a system is patently untrue," he said. "We don't have any evidence that suggests this is a frequent daily occurrence."

Regardless, Ford said his company is taking additional steps to minimize the risk of intrusion. "If one is successful in breaking into the system, then we are instituting some procedures that would render the information that the hacker receives virtually useless."

Also, by frequently altering customers' passwords, truncating account information so that entire credit-card numbers were not displayed, and possibly encrypting other information, the system will become more secure.

"We take very seriously our responsibility to be the stewards of consumer information," Ford said.

But others say that the credit bureaus aren't doing enough.

Craig Neidorf, publisher of Phrack, an underground electronic publication "geared to computer and telecommunications enthusiasts," said that hacking into credit bureaus has been going on, and has been easy to do "as long as I've been around." Neidorf said that although he doesn't do it, associates tell him that hacking into credit bureaus is "child's play" -- something the credit bureaus have been careless about.

"For them not to take some basic security steps to my mind makes them negligent," Neidorf said. "Sure you can go ahead and have the kids arrested and yell at them, but why isn't Equifax or any of the other credit bureaus not stopping the crime from happening in the first place? It's obvious to me that whatever they're doing probably isn't enough."

A Recent History Of Carding

September 6, 1991: An 18-year-old American emigre, living in Israel, was arrested there for entering military, bank and credit bureau computers. Police said he distributed credit-card numbers to hackers in Canada and the United States who used them to make unknown amounts of cash withdrawals.

January 13, 1992: Four university students in San Luis Obispo, California, were arrested after charging $250,000 in merchandise to Mastercard and Visa accounts. The computer intruders got access to some 1,600 credit-card accounts, and used the numbers to buy, among other things: Four pairs of $130 sneakers; a $3,500 stereo; two gas barbecues and a $3,000 day at Disneyland.

February 13, 1992: Two teenagers were arrested when one of them went to pick up two computer systems in Bellevue, Wash., using stolen credit-card numbers. One told police that another associate had hacked into the computer system of a mail-order house and circulated a list of 14,000 credit-card numbers through a bulletin board.

April 17, 1992: Acting on a tip from San Diego police, two teenagers in Ohio were arrested in connection with an investigation into a nationwide computer hacking scheme involving credit-card fraud.
Police allege "as many as a thousand hackers" have been sharing information for four years on how to use their computers to tap into credit bureau databases. Equifax, a credit bureau that was penetrated, admits that a dozen records were accessed.

April 22, 1992: Two Queens teens were arrested for carding computer equipment.
_______________________________________________________________________________

Invading Your Privacy                                      May 24, 1992
~~~~~~~~~~~~~~~~~~~~~
By Rob Johnson (The Atlanta Journal and Constitution)(Page A9)

Some do it for fun, others have more criminal intent. Regardless, computer users have a range of techniques and weaponry when breaking into files.

"Rooting" forbidden files is hog heaven for hackers

Within an instant, he was in.

Voodoo Child, a 20-year-old college student with a stylish haircut and a well-worn computer, had been cruising a massive researchers' network called Internet when he stumbled upon a member account he hadn't explored for a while.

The institution performed "Star Wars" research, he later found out, but that didn't interest him. "I don't know or care anything about physics," he said recently. "I just wanted to get root."

And "getting root," hackers say, means accessing the very soul of a computer system.

Working through the network, he started a program within the research institute's computers, hoping to interrupt it at the right moment. "I figured I just had a second," he said, gesturing with fingers arched above an imaginary keyboard. Suddenly he pounced on the phantom keys. "And it worked."

He soon convinced the computer he was a system operator, and he built himself a back door to Internet: He had private access to exotic supercomputers and operating systems around the world.

Before long, though, the Atlanta-area hacker was caught, foiled by an MCI investigator following his exploits over the long-distance phone lines.
National security experts sweated over a possible breach of top-secret research; the investigation is continuing. And Voodoo Child lost his computer to law enforcement.

"I was spending so much time on the computer, I failed out of college," he said. "I would hack all night in my room, go to bed and get up at 4 in the afternoon and start all over."

In college, he and a friend were once discovered by campus police dumpster-diving behind the university computer building, searching for any scraps of paper that might divulge an account number or a password that might help them crack a computer.

Now he's sweating it out while waiting for federal agents to review his case. "I'm cooperating fully," he said. "I don't want to go to prison. I'll do whatever they want me to."

In the meantime, he's back in college and has taken up some art projects he'd abandoned for the thrill of computer hacking.

The free-form days of computer hacking have definitely soured a bit -- even for those who haven't been caught by the law.

"It's a lot more vicious," Voodoo Child said as a friend nodded in agreement. "Card kids" -- young hackers who ferret out strangers' credit card numbers and calling card accounts -- are wrecking the loose communal ethic that defined hacking's earlier, friendlier days.

And other computer network users, he said, are terrified of the tactics of sophisticated hackers who routinely attack other computer users' intelligence, reputation and data.

"I used to run a BBS [electronic bulletin board system] for people who wanted to learn about hacking," Voodoo Child said. "But I never posted anything illegal. It was just for people who had questions, who wanted to do it properly."

Doing it properly, several Atlanta-area hackers say, means exploring the gaps in computer networks and corporate systems. They say it's an intellectual exercise -- and an outright thrill -- to sneak into someone else's computer.

During a recent interview, Voodoo Child and a friend with a valid Internet account dialed up the giant network, where some of their counterparts were waiting for a reporter to ask them some questions.

"Did you get that information on the Atlanta Constitution reporter you were asking about?" a faceless stranger asked.

A startled reporter saw his credit report and credit card numbers flashed across the screen. Voodoo Child offered up the keyboard -- an introduction of sorts to a mysterious, intimidating accomplice from deep inside the digital otherworld.

"Go ahead," he said. "Ask him anything you want."
_______________________________________________________________________________

KV4FZ: Guilty Of Telephone Toll Fraud                      May 15, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Rice (rice@ttd.teradyne.com) in TELECOM Digest V12 #412

St. Croix ham operator, Herbert L. "Herb" Schoenbohm, KV4FZ, has been found guilty in federal court of knowingly defrauding a Virgin Islands long-distance telephone service reseller. He was convicted April 24th of possessing and using up to fifteen unauthorized telephone access devices in interstate and foreign commerce nearly five years ago.

The stolen long distance telephone access codes belonged to the Caribbean Automated Long Lines Service, Inc. (CALLS) of St. Thomas, U.S. Virgin Islands. Schoenbohm was found to have made more than $1,000 in unauthorized telephone calls -- although the prosecution said he was responsible for far more.

According to the Virgin Islands Daily News, Schoenbohm, who is also the St. Croix Police Chief of Communications, showed no emotion when he was pronounced guilty of the charges by a 12-member jury in U.S. District Court in Christiansted. The case was heard by visiting District Judge Anne Thompson. Neither Schoenbohm nor his defense attorney, Julio Brady, would comment on the verdict. The jury deliberated about seven hours.
The sentencing, which has been set for June 26, 1992, will be handled by another visiting judge not familiar with the case. Schoenbohm, who is Vice Chairman of the V.I. Republican Committee, has been released pending sentencing although his bail was increased from $5,000 to $25,000.

While he could receive a maximum of ten years on each count, Assistant U.S. Attorney Alphonse Andrews said Schoenbohm probably will spend no more than eight months in prison since all three counts are similar and will be merged.

Much of the evidence in the four-day trial involved people who received unauthorized telephone calls from KV4FZ during a 1987 period recorded by the CALLS computer. Since the incident took place more than five years ago, many could not pinpoint the exact date of the telephone calls.

The prosecution produced 20 witnesses from various U.S. locations, including agents from the Secret Service, the U.S. Marshals Service, Treasury Department and Federal Communications Commission. In addition ham operators testified for the prosecution.

Schoenbohm was portrayed as a criminal who had defrauded CALLS out of hundreds of thousands of dollars. Schoenbohm admitted using the service as a paying customer, said it did not work and that he terminated the service and never used it again. He feels that there was much political pressure to get him tried and convicted since he had been writing unfavorable articles about Representative DeLugo, a non-voting delegate to Congress from the Virgin Islands, including his writing of 106 bad checks during the recent rubbergate scandal.

Most, but not all the ham operators in attendance were totally opposed to KV4FZ. Bob Sherrin, W4ASX from Miami attended the trial as a defense character witness. Sherrin told us that he felt the conviction would be overturned on appeal and that Schoenbohm got a raw deal. "They actually only proved that he made $50 in unauthorized calls but the jury was made to believe it was $1,000."

Schoenbohm's attorney asked for a continuance due to newly discovered evidence, but that was denied. There also is a question as to whether the jury could even understand the technology involved. "Even his own lawyer couldn't understand it, and prepared an inept case," Sherrin said. "I think he was railroaded. They were out to get him. There were a lot of ham net members there and they were all anti-Herb Schoenbohm. The only people that appeared normal and neutral were the FCC. The trial probably cost them a million dollars. All his enemies joined to bring home this verdict."

Schoenbohm had been suspended with pay from the police department job since being indicted by the St. Croix grand jury. His status will be changed to suspension without pay if there is an appeal. Termination will be automatic if the conviction is upheld. Schoenbohm's wife was recently laid off from her job at Pan Am when the airline closed down. Financially, it could be very difficult for KV4FZ to organize an appeal with no money coming in.

The day after the KV4FZ conviction, Schoenbohm who is the Republican Committee vice chairman was strangely named at a territorial convention as one of eight delegates to attend the GOP national convention in Houston this August. He was nominated at the caucus even though his felony conviction was known to everyone. Schoenbohm had even withdrawn his name from consideration since he was now a convicted felon.

The Virgin Islands Daily News later reported that Schoenbohm will not be attending the GOP national convention. "Schoenbohm said he came to the conclusion that my remaining energies must be spent in putting my life back together and doing what I can to restore my reputation. I also felt that any publicity in association with my selection may be used by critics against the positive efforts of the Virgin Islands delegation."

Schoenbohm has been very controversial and vocal on the ham bands.
Some ham operators now want his amateur radio license pulled -- and have made certain that the Commission is very much aware of his conviction.
_______________________________________________________________________________

AT&T Launches Program To Combat Long-Distance Theft        May 13, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Virginia Randall (United Press International/UPI)

Citing the mushrooming cost of long-distance telephone fraud, American Telephone & Telegraph Co. announced plans to combat theft of long-distance telephone services from customers.

AT&T's program, dubbed NetProtect, is an array of software, consulting, customer education and monitoring services for businesses. One program limits customer liability to the first $25,000 of theft, while another ends customer liability entirely under certain circumstances.

By law, companies are liable for the cost of calls made on their systems, authorized or not.

Jerre Stead, president of AT&T's Business Communications unit, said, "The program not only offers financial relief to victims of long-distance fraud. It also gives our customers new products and services specifically designed to prevent and detect fraud."

Long-distance calling fraud ranges from a few dollars to the hundreds of thousands of dollars for victims. The Communications Fraud Control Association, an industry group, estimates long-distance calling fraud costs more than $1 billion a year, said Peggy Snyder, an association spokeswoman.

NetProtect Basic Service, offered free with long-distance and domestic 800 service, consists of ongoing monitoring around the clock for unusual activity. The company will start this service this week.

NetProtect Enhanced and Premium services offer more customized monitoring and limit customer liability to $25,000 per incident or none at all, depending on the program selected.

Pricing and permission to provide the Enhanced and Premium services are dependent on Federal Communications Commission approval.
AT&T expects to offer these programs beginning August 1.

Other offerings are a $1,995 computer software package called "Hacker Tracker," consulting services and the AT&T Fraud Intervention Service, a swat team of specialists who will detect and stop fraud while it is in progress.

The company also will provide a Security Audit Service that will consult with customers on possible security risks. Pricing will be calculated on a case-by-case basis, depending on complexity.

The least expensive option for customers is AT&T's Security Handbook and Training, a self-paced publication available for $65 which trains users on security features for AT&T's PBX, or private branch exchanges, and voice mail systems.

Fraud occurs through PBX systems, which are used to direct the external telephone calls of a business.

Company employees use access codes and passwords to gain entry to their PBX system. A typical use, the industry fraud group's Snyder said, would be a sales force on the road calling into their home offices for an open line to call other customers nationally or worldwide.

These access codes can be stolen and used to send international calls through the company's network, billable to the company.

Unauthorized access to PBXs occurs when thieves use an automatic dialing feature in home computers to dial hundreds of combinations of phone numbers until they gain access to a company's PBX system.

These thieves, also known as hackers, phone freaks or phrackers, then make their own calls through the PBX system or sell the number to a third party to make calls.

Others use automatic dialing to break into PBX systems through voice mail systems because such systems have remote access features.

Calls from cellular phones also are at risk if they are remotely accessed to a PBX. Electronic mail systems for intracompany calls are not affected because they don't require PBX systems.

According to Bob Neresian of AT&T, most fraud involves long-distance calls to certain South American and Asian countries, especially Colombia and Pakistan.

There is no profile of a typical company at risk for telephone fraud, said Snyder.

"Any company of any size with long-distance service is at risk," she said. "Criminals don't care who the long distance provider is or how big the company they're stealing from is."

She said the industry recognized the dimensions of telephone theft in 1985, when the Communications Fraud Control Association was formed in Washington D.C. The group consists of providers of long-distance service, operator services, private payphones, end-users of PBX systems, federal, state and local law enforcement agencies and prosecutors.

Janice Langley, a spokeswoman for US Sprint Corp. in Kansas City, Mo., called AT&T's announcement similar to a program her company announced March 31.

That service, SprintGuard Plus, is available to companies with a call volume of $30,000 a month. Sprint also offers a basic monitoring program to customers without charge.

"We don't have minimum billing requirements for any of these services or systems," responded AT&T's Neresian. "All the carriers have seen the problem and have been working on their own approaches," he said.

Jim Collins, a spokesman for MCI Communications in Washington, said his company had been conducting phone fraud workshops free of charge for customers for four years.
_______________________________________________________________________________