Saturday, October 15, 2011

CSIS spies must follow same rules abroad, watchdog says

The watchdog body for Canada’s intelligence service has issued its spies a reminder: Rules governing their conduct do not relax once they leave the country.

A partly censored review of the Canadian Security Intelligence Service’s role in interrogating Afghan prisoners overseas was released Thursday. While it cleared CSIS of complicity in any detainee abuse, the report did criticize the country’s spymasters for lax record keeping and for sending CSIS officers overseas without sufficient guidance.


“The standards don’t change because of the arena and theatre that you’re working in,” Arthur Porter, chair of the Security Intelligence Review Committee, said in an interview with The Globe. “We are in a learning curve and we need to point out where things could get tightened up.”

The Security Intelligence Review Committee report concludes the spy service must “ensure that the management of its operations abroad mirrors, to the extent practicable, the standard of accountability and professionalism that is set and maintained domestically.”

Formed in 1984 as a domestic spy service, CSIS has grown increasingly inclined to venture overseas to gather intelligence. Yet Parliament has never given it much direction on its overseas intelligence-gathering – what to do and what not to do.

Dr. Porter pointed out in the interview that Canada’s intelligence operations had been going on in Afghanistan since 2002, but for CSIS “it wasn’t until 2007 and 2008 that the directives matched the field operations.”

One major policy question was how CSIS operatives were to work with agencies who busied themselves with capturing and interrogating Taliban prisoners – including Canadian Special Forces teams and Afghanistan’s notorious National Directorate of Security. Recurring accounts of brutal NDS practices have led NATO countries in Afghanistan to suspend prisoner transfers.

During the review, CSIS officials stressed their role in prison interviews was “very limited.”
“We’re effectively sitting in on CANSOF [Canadian Special Operations] interviews and providing advice if/when warranted,” one said.

The SIRC report finds CSIS operatives never witnessed any prison abuse or torture. Though CSIS tended to espouse that such brutality was unconfirmed, it still took a very “cautious” approach to any information emanating from Afghan prisons – giving much of it “low weight,” the report says.

The problems SIRC did identify were technical. For example, CSIS was so lax in logging prison interviews that it couldn’t say how many it sat in on. “Should CSIS continue to expand its activities abroad .... it will need to improve its record management practices,” the report says.

There was also a lack of guidance from CSIS headquarters as to how field operatives were to weigh and circulate intelligence that might be regarded as tainted.

By Colin Freeze

Friday, October 14, 2011

Biggest ID Theft Bust in History

The biggest ID theft bust in history is the result of equally impressive international cooperation, observers say.

On Oct. 7, the District Attorney of Queens County, N.Y., and City of New York Police announced the results of a two-year investigation that resulted in the biggest identity theft takedown in U.S. history.
The elaborate scheme, which involved five organized crime rings with ties to Europe, Asia, Africa and the Middle East, resulted in financial losses exceeding $13 million over a 16-month period.
So far, 111 individuals have been indicted, and authorities say 86 are now in custody.

McAfee consultant Robert Siciliano says the bust is a reflection of more international cooperation. "Despite bad blood between countries and their politics, when it comes to fraud regarding economic systems, governments and their security forces are coming together like never before," he says.

 

The Bust

Dubbed "Operation Swiper," the investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of telephone conversations, many of which required translation from Russian, Mandarin Chinese and Arabic. The fraudsters' focus: credit card fraud, which exploited magnetic-stripe weaknesses the criminals could use to their buying advantage in the United States. Chip-and-PIN technology, known as the Europay, MasterCard, Visa standard in other parts of the world, is not widely deployed in U.S.

More than 90 of the defendants have been charged with Enterprise Corruption under New York State's Organized Crime Control Act. They are accused of being members and associates of organized criminal enterprises that operated in Queens County and elsewhere. Between May 2010 and September 2011, the defendants allegedly defrauded thousands of unsuspecting consumers, financial institutions and card brands, including American Express, Visa, MasterCard and Discover Card.
According to the indictments, the defendants fraudulently obtained credit card numbers that were used to create counterfeit credit and identification cards.

Card numbers are believed to have been sent to crime bosses from individuals in Russia, Libya, Lebanon and China. U.S. employees at restaurants, bars, retail stores and financial institutions also have been linked, using handheld skimming devices and illegal websites to collect consumers' card details.

The counterfeit cards were supplied to hired shoppers who were instructed to purchase high-end electronics and other merchandise, items that could easily be fenced and re-sold, usually over the Internet. Some of the shoppers also have been accused of using counterfeit cards to stay in five-star hotels and rent luxury cars during their so-called shops. In one case, a shopper allegedly commissioned a private jet to travel from New York to Florida.
Fraud analyst and consultant Jerry Silva says the busts should serve as a wake-up call about the growing threat of insider fraud. The use of money mules at restaurants and bank branches is a particularly disturbing part of the case.

"For banks, this calls for renewed focus on employment policies, security measures at the point of customer contact and, at the legislative level, new and stiffer laws and penalties covering workers entrusted with sensitive information - and I would include waiters and merchants in the same breath as bank tellers and representatives - that are found to be misusing or collecting financial data."
Some 20 defendants also have been linked to suspicions of burglaries and robberies throughout Queens County. Seven have been accused of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.

"This is by far the largest - and certainly among the most sophisticated - identity theft/credit card fraud cases that law enforcement has come across," said District Attorney Brown. "Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions. ... Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years."

 

EMV: Lessons for the Financial Industry

International cooperation among various law enforcement agencies and governments cannot be ignored. John Buzzard, who tracks card transaction anomalies for FICO's Card Alert Service, says that level of global interaction is helping to bring down more crime rings than the average consumer realizes.

But the case also highlights the need for a more global approach to payments security. The United States' slow migration away from mag-stripe payments is definitely enabling a sweet spot for fraud.
"The move to chip cards will make an enormous difference in the way our industry manages risk, with the ultimate goal being a significant reduction [in fraud]," Buzzard says. "The U.S. has finally set its sights on chip cards, and over the course of the next three to four years we are going to see a tidal wave of work (and some critical debate) for getting this incredible milestone accomplished. The U.S. is a criminal's playground right now, but this arrest is an excellent beginning."

It's clear the U.S. needs to move to EMV, many experts agree. And Visa's recent announcement to support such a move will undoubtedly prove to be the catalyst U.S. card issuers need.
"MasterCard and the other card brands need to do the same thing, beyond the small ATM-Maestro-related announcement by MasterCard following the Visa one, in order for the global card industry to finally eliminate the Achilles heel of the card industry - magnetic stripes on the back of the cards," says Gartner analyst Avivah Litan.

 

Enforcement and Global Cooperation

Litan says the international perspective of this bust is interesting. "I think this does point out that U.S. law enforcement has beefed up in multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre- 9/11," she says.

The bust also highlights the growing global nature of financial fraud. That said, organized crime rings are not localized, but their operations often are, says Aite analyst Julie McNelley. "While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens," she says.

Unfortunately, many more entities were likely involved and will never get charged.
Neal O'Farrell says scams like the one in Queens are taking place in most large cities, and most times go undetected, uninvestigated and unprosecuted.

"We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up," O'Farrell says. "The big problem we're seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there's little left to prosecute."

http://www.bankinfosecurity.com/articles.php?art_id=4138