Massive ID Theft Charges Betray Government Trust

This week, a federal grand jury indicted three people on charges of hacking into the files of a credit and debit card processing company. The government alleges that they stole data from more than 130 million cards and sold it. What makes this even more remarkable is that one of the accused, Albert Gonzalez, has worked for the government as an informant. Host Scott Simon talks to Mark Rasch, a former Justice Department cybercrime prosecutor and co-founder of a security consulting firm.

Copyright © 2009 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

SCOTT SIMON, host:

This week, a federal grand jury indicted three people on charges of hacking into the files of a credit and debit card processing company. The government alleges that they stole data for more than 130 million cards and sold it. What makes this even more remarkable is that one of the accused, Albert Gonzales, has worked for the U.S. government as an informant.

Mark Rasch is a former cyber crime prosecutor at the U.S. Justice Department and co-founder of Secure IT Experts, a security consulting firm. He joins us in our studios. Thanks very much.

Mr. MARK RASCH (Secure IT Experts): Good morning, Scott.

SIMON: Do you already have my Visa number?

Mr. RASCH: Well, somebody does.

(Soundbite of laughter)

SIMON: The most incredible part of this story for many people is how -recognizing that indictments aren't convictions - how could somebody who has been a government informant, and presumably is under all kinds of scrutiny, be participating in a crime of this magnitude?

Mr. RASCH: Well, the government tries to pick people to be informants, particularly in cyberspace, who have two things: one, the ability to do hacking, and second, knowledge of the community. So they know the underworld of the hacker community, particularly the Russian organized crime community.

Well, those two skills are a perfect skill set for somebody to continue to be a hacker.

SIMON: But don't they park a van in front of their apartment? Don't they monitor even their Web communications?

Mr. RASCH: The problem is that you have to monitor their Web communications on every possible Internet connection they might have. And this guy was using dozens and dozens of different screen names and Internet connections to get through. And they're not the babysitter. They're not sitting there under electronic arrest until the person is actually arrested. They're simply a cooperating citizen or a confidential informant providing them with information.

They're probably monitoring the communications that they direct him to do against other hacker groups, but not every email and not every communication on every network.

SIMON: Did you recognize the name Albert Gonzales when you heard it?

Mr. RASCH: Yes, he's been around for quite a while now. He's fairly well known in the hacker community. Certainly he's been under arrest for over a year for a number of more notorious computer hacks as well. He's sort of a mid-level hacker.

SIMON: You mean he's not the best?

Mr. RASCH: He's not the best. He's not even close to the best. He has decent computer hacking skills. The techniques that he used here, which are described in the indictment called the sequel injection attack, are fairly well known and fairly common and fairly easy for companies to prevent.

SIMON: Now, according to news reports I've read, he was known for living large in Miami. Now, of course I love Miami, but that may raise fewer red flags in Miami than some other places.

Mr. RASCH: That's right. I mean, living large in Miami is practically a way of life in Miami. But even for that, this was a person who was at the time 24, 25 years old, no visible means of support other than his hacking skills, and that raised red flags as well.

SIMON: What kind of work did he do as an informant? Worked for the Secret Service?

Mr. RASCH: Yeah, Gonzales worked for the Secret Service, providing them information about computer hacker groups and about their tools and techniques that they were using to break into networks and systems.

SIMON: Does the Gonzales indictment, in your mind, raise any questions about government use of hacker informants?

Mr. RASCH: Absolutely. I mean, whenever the government uses an informant, it has to treat it with a gigantic grain of salt. Because these people have already demonstrated their willingness to commit a crime and their capability for deceit and dishonesty.

There are a number of interesting things about the indictment itself. The first is that it lists a number of victims as Company A, Company B and Company C without naming them. This is part of the Secret Service's effort and the Justice Department's effort to protect the identity of victims so that they don't get released.

But ultimately if this case goes to trial, those names are going to have to be released. So I think this provides the defendant with a little bit of leverage to say, hey, if you want to keep these things secret, cut me some kind of a deal.

SIMON: Oh my gosh, so if you don't want to bring down this company that I've tried to victimize, which would have sorry economic implications at this particular time, let me cut a deal with you.

Mr. RASCH: That's exactly right. He wants to cut a deal in return for keeping some information confidential.

One of the other interesting things about the case when you read the indictment is they have listed an unindicted co-conspirator just by their initials. And typically when you don't indict a co-conspirator, it's either because you don't have enough evidence against them or, more likely, that the unindicted coconspirator is actually an informant helping you in the case.

So it's quite likely that the government is using an informant against Gonzales, their previous informant.

SIMON: But they could keep playing this games for years.

Mr. RASCH: And they do.

SIMON: Mark Rasch, cofounder of Secure IT Experts Consulting Firm in Bethesda, Maryland. Thanks very much.

Mr. RASCH: You're welcome. Thank you, Scott.

Copyright © 2009 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.