In a bone-chilling demonstration, FIU alumnus and Secret Service Agent Robert Villanueva recently directed an operative to commit cybertheft from the comfort of the MARC Pavilion.
Shielded from view by a black curtain, the man with a Russian accent spoke over a microphone while his interaction with the “Deep Web”—the part of the Internet not accessible through standard search engines because it serves to facilitate illicit activity—was projected onto a large overhead screen. Attendees of FIU’s “Trends in Cybersecurity” conference followed along in rapt attention as he purchased active credit card numbers and, in one case, an American citizen’s social security number, each for a few dollars.
“There are thousands of people doing this online,” said Villanueva, who heads the Electronic Crimes Task Force in South Florida. “I’m not going to sugarcoat it. I want the academics to know. I want the community to know what’s really happening out there.”
Presented by the Department of Electrical & Computer Engineering within the College of Engineering & Computing, the conference focused on credit card fraud, which nationally totals $8.6 billion per year. Miami-Dade County is number one for such crimes, Villanueva told the audience, and just earlier this month his unit shut down a large operation in Kendall that was printing counterfeit credit cards with numbers purchased off the Deep Web.
Most of that data was acquired through major security breaches, such as the one at Target in December of 2013 and Home Depot last year. Overseas hackers, almost exclusively Russian nationals or other Russian speakers living around the world, take the information and sell it in bulk to vendors who then parse it out online to anyone looking to buy.
“The position of the United States Secret Service headquarters is that cybercrime originating from Eastern Europe is the biggest threat to the financial infrastructure of the United States of America by far,” Villaneuva said. “I’m not talking about people hacking into your computer networks to steal intellectual property or hacking the Department of Defense for national secrets. These are cybercriminals, cyberthieves that are online. They’re in it for the profit, period.”
The current upgrade to credit cards embedded with EMV chips—a security measure common in Europe and now required in the United States—should cut down on the stealing of card information associated with on-site purchases, as discussed in a panel session during the conference. At the point of purchase, the chip encrypts data in a way that protects it from, for example, being recorded by “skimmers,” the hidden machinery that thieves attach to credit card swipers at ATMs and gas stations.
The conference brought together FIU faculty and students with industry professionals and experts to drive home the seriousness of the matter and spread the word.
“Security has only become an issue over the last 10 years. Before that we were thinking about functionality, performance, making life easier for us. And then people started taking advantage of all that,” said Alexander Pons, a lecturer in the Department of Electrical & Computer Engineering.
“We trust too much, and I think that’s our biggest liability in some cases,” he said.
Pons gave the example of how easily people relinquish control of their credit cards, be it at a restaurant to pay a bill or at a doctor’s office to satisfy a copay. “One of the things that amazes me is how people hand their credit cards to an individual they don’t know. What stops that individual from easily taking your number, taking your security code on the back and the expiration date?”
Graduate student Swheata Upputolla, already interested in the subject and enrolled in the department’s network security track, said the live demo strengthened her commitment to research in cybersecurity. “I never knew actually that this would happen, [that] in minutes you can buy a stolen credit card. I was completely shocked.”
Even the chair of the department, Shekhar Bhansali, who organized the conference and hopes to make it an annual affair, recalled his own credit card woes while chatting during a break. Soon after using his card to pay for a meal in a Coconut Grove restaurant, his account registered a $6,000 purchase at a nearby shopping center. It drove home for him that individuals must take responsibility for safeguarding their information and stay vigilant.
“Ninety percent of the battle,” he said, “is just being aware of what footprint you are leaving and where.”
Tips for avoiding credit card fraud
- Use cash to avoid small credit card transactions in which your card is taken out of sight for payment processing. An unscrupulous employee might copy down your information.
- For the same reason as above, when paying at a restaurant, speak up if your server does not return promptly with your credit card. Coming soon: “Table safe” payments in which the cardholder pays tableside.
- Choose your bank’s ATM machine over those at gas stations or other questionable locations as the latter have a higher likelihood of being compromised.
- When making online purchases, restrict your shopping to reputable, larger companies, as they are more likely than smaller ones to be in compliance with industry security standards. (Even then, there are no guarantees, as the examples of the Target and Home Depot data breaches make clear.)
- Separately, to avoid identity theft and the risk of someone opening credit cards in your name, do not share your social security number when completing most paperwork. While employers and financial institutions (including some credit card issuers) require the information, and various governments need it when you file income taxes or apply for a driver’s license or government benefits, no one else should be asking for it.