The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear. Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.
The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry.
The case is unfolding in the media and the finger pointing will continue on where the breach occurred. Was it on a Citibank network or an outsourced third party supplier of 7-Eleven who operates the retail stores where the ATM's are located? ID Theft is not the real issue here as much as a bold database hack of accounts, PIN's and counterfeiting of ATM cards.
This facet of Operational Risk is another lesson learned about the safety and security of customer data especially when it is outside your own corporate domain. Service Level Agreements (SLA) are too often the only item that is consistently presented as evidence of the due diligence of auditing a third-party processor of customer data. The actual physical audits are few and typically are not done on a rigid schedule. Resources and funding are the excuse more often than a total lack of oversight.
Transnational crimes such as piracy, illegal traffic of drugs and humans, counterfeiting and intellectual property theft or espionage is not new to the Operational Risk Managers of global enterprises and international organizations. What the financial motivations are and where the proceeds are going is potentially the greatest challenge any investigator has on their agenda. Where does it all lead? What does the target plan to do with the money gained from these illegal activities and incidents?
The answer is that there is no single target. The target is a network. And like a starfish, it can reconstitute itself from any severed part; there is no brain. Douglas Farah captures the thinking on why leaderless networks are a continuous threat:
Any one piece of the leaderless network can reconstitute itself with little difficulty, without waiting around for someone to give an order and for that order to move down the chain of command.
Clearly, it seems, there are better and worse individuals within the network, and taking out the really good ones takes something of a toll. And leaderless groups are not highly efficient. But they survive.
If you have a system of enterprising freelance operations acting on impulses (the urge for profit, the urge to carry out attacks, the urge to acquire weapons etc.), these impulses will overlap. The actions will be taken to benefit all parties, and the networks can thrive with no one person making the important decisions.
This strikes me a perhaps the most dangerous mutation that both organized crime groups and terrorist groups (particularly Islamist terror groups, who seem more adept at moving through nerve impulses, without specific orders, than most), can take.
Successfully countering these groups and their growing reach will require a radical new assessment of both strategy and tactics in the military, intelligence community and law enforcement. But that will require a willingness to dump old assumptions and paradigms, something that has not really happened since 9-11.