
U.S. Agent Lures Romanian Hackers in Subway Data Heist - adventured
http://www.bloomberg.com/news/2014-04-17/u-s-agent-lures-romanian-hackers-in-subway-data-heist.html
======
shutupalready
> _As for the hackers, they didn’t make much profit -- Oprea, the ring leader,
> made only $40,000. He paid a steep price for the estimated $12.5 million in
> losses inflicted on financial institutions_

The article doesn't explain the discrepancy between the tiny earnings of the
hackers and the enormous loss of the banks. Which one of these is it?:

1) The hackers lied and have millions stashed away some place?

2) The middlemen who buy the card data from the hackers and get mules to make
fraudulent charges and withdrawals are the ones raking it in?

3) The banks are puffing up their losses in order to get tax deductions or
make insurance claims, or maybe just to get the Secret Service interested
enough in the case to do an investigation?

The banks can exaggerate their loss in all kinds of ways: including in the
loss payments that they were able to later reverse, or including losses that
were eaten by the merchants and not the bank, or including the salary of every
member of their security and fraud department, etc.

~~~
leaveyou
Judging by the Subway example which spent "5 millions $" to upgrade its "cyber
security systems" (what?), almost any direct or indirect loss or cost incurred
during or after the hacker attack can be imputed to the perpetrator. It's like
if I have a weak entrance door and some thief enters and steals something then
I can say that he caused me losses of millions because I had to upgrade all the
doors in the house and hire detectives and a security company to guard me
better from now on.

~~~
happyscrappy
Portray them as victims if it helps your world view, but I will not lose any
sleep over their fines that will never be repaid.

~~~
x0x0
Trying to lay the bill for making your systems secure at the feet of the
individual hackers who got into your systems seems wrong. I'm not arguing that
what these guys did was legal or good or that they shouldn't be prosecuted,
but something about that grates; it's an expense the company (should have)
paid beforehand and these guys wouldn't have been able to do what they did.

If a system is on the internet, securing it is a cost that has to be borne by
the retailer.

------
skndr
> _He paid a steep price for the estimated $12.5 million in losses inflicted
> on financial institutions and the $5 million Subway spent upgrading its cyber
> security systems._

Seems a bit silly to say they're annoyed that they had to spend money to
upgrade their broken security.

~~~
Perdition
Not really, these companies would be happy to have broken security as long as
break-ins didn't cost them money.

This is why network security is such a joke, most companies only do enough to
mitigate the last disaster instead of designing a system that is actually
secure.

------
viseztrance
15 years in prison for a 26 year old who made 40.000 USD by hacking and
pleaded guilty? This is nothing more than a morbid joke. The justice system's
goal is to rehabilitate, not obliterate one's future.

~~~
tzs
> 15 years in prison for a 26 year old

Why is his age relevant? Would you be OK with 15 years if he were 30? 50?

> who made 40.000 USD

Why is how much he made relevant, rather than how much he cost his victims?

If I steal millions in precious gems from you, but only sell them for
hundreds, would you argue that my crime is only a misdemeanor?

~~~
nnq
Even having a sentence dependent on "how much he cost his victims" is _very_
wrong imho. The sentence should only depend on how violent the crime was, how
much effort was made to avoid being caught and how "malevolent" or carefully
planned / premeditated it was. Maybe it should matter how much of the stolen
money he actually spent (simply because money spent by a criminal tends to get
into other criminals' hands and fuels crime by the process of being spent), or
whether any company actually went out of business because of the losses, but
even this stretches it quite a bit...

The value of money is relative. Stealing $100M from a hedge fund or a bank
could have very little impact on society as a whole. Doing an armed robbery
for $1K on the other hand is actually very dangerous because things can get
easily out of hand and innocent people can easily get killed.

Now, whether the criminal stole the $100M by pointing a gun at someone's head
or threatening to kill someone's family in exchange for some access codes, or
he just "hacked" them, _that_ tells you a lot about how dangerous the thief
actually is to other people, what other crimes he would be capable of
committing and whether he can actually be "rehabilitated" or not, and this is
what the sentence should be based on.

(Yeah, I know this is not how the US legal system works, and I get that
there are current advantages to the way it works now, mainly being good-enough
at deterring large scale white-collar crime, but still, I think it's just
plain wrong...)

------
jotm
It's interesting how these smart people can organize theft, but not a real
business - seems like it would be easier and of course, less risky.

Also, the most impressive part was that the two hackers were able to actually
get to the US :-) (unless they got their visas with some help from the
FBI/Secret Service - can they do that?)

~~~
nnq
Running a real business requires actual hard work and determination... not
just brains. Sometimes the technical brains don't even matter that much
because you can hire them. Also, in most parts of the world entrepreneurship
is a much harder "career" to pick and there are more bureaucratic hurdles and
social friction. Keeping your lazy ass parked on a sofa while you steal some
info that happens to be cc numbers and then sell them is much easier...

> Also, the most impressive part was that the two hackers were able to
> actually get to the US :-)

No, it's not. Travel visas are easy to get in US-friendly countries (Romania
is _much more_ US-friendly or "eager to kiss US ass" than most other European
countries). Also, if you read on... "He took the traditional route with Oprea.
The U.S. government sought the Romanian’s extradition. It worked". They
could've done the same for the rest, the Romanian gov would have just handed
them on a silver plate. Also, if they had been tried in their country they
would have most likely gotten similar sentences - $40k is not enough to safely
bribe your way through the justice system and the prosecutors would have been
either fair or most likely quite harsh on them. Maybe they were unsure they
got all the evidence to effectively prosecute them in the US or most likely
they just needed the elaborate phishing operation to make themselves look cool
and get more funding for their department in the future, hence the excessive
media coverage too, wasting taxpayers' money while jerking off with this
role-play...

It's incredibly easy to catch stupid hackers in pro-US states, what they did
could probably have been done by a smarter-than-average sysadmin helping a
regular US police detective at 1% of the cost of all this "elaborate
operation"...

EDIT+: My point is that the ss guys just picked themselves a few very low
hanging fruits, got themselves excessive media coverage for it and spent way
too much time and money on this.

------
hanley
I like the photo of the Secret Service Agents using Google Maps.

------
broolstoryco
opsec 0/10

~~~
meowface
Not really. DPR was a 0/10 or 1/10.

In this case the Secret Service agent wasn't even able to get a name on his
guy until he called the Romanian white collar unit.

From what I can tell the people involved in this actually put some effort into
hiding themselves. This seems more like a 3/10.

------
ballard
Thomas, sounds like a possible new client or two.

------
sentientmachine
I guess we should give up on trying to keep the definition of the word
"Hacker" as "brilliant programmer and technical expert".

We can't continue going around calling ourselves "Criminals", and that when we
do a brilliant piece of work on an intractable software problem that we really
"Hacked" it together, meaning we broke the law to steal it and kept all the
money for ourselves.

The word "Hacker" has got to go, it is the same as the word "Criminal",
"Burglar" or "Felon" now.

~~~
pacificmint
> The word "Hacker" has got to go, it is the same as the word "Criminal",
> "Burglar" or "Felon" now.

Now? To the majority of the population, it has had that meaning since the 80s.

It's only in tech circles that people have insisted it has another meaning,
but that is useless if the majority doesn't share that meaning.

~~~
__david__
That hardly makes it useless, it just means you have to be cognizant of both
meanings and who your audience is.

