March 2, 2007

Tracking hackers to their lair: Then what?

I consider myself a relatively computer-savvy individual, which is good news since I cover the region’s technology industry for the Business Report.

“Relatively computer savvy” means that while I don’t write code and am not likely to build a CPU in my basement, I am aware of the responsibilities and dangers of using a computer.

I know what a firewall is and why it is important. I know that the widow of the former owner of a petroleum company in Bahrain is not going to wire me millions of dollars, and I haven’t won the Euro lottery. I’m positive that my bank, credit union, PayPal or any other organization is not going to ask me for my account information online – especially when I don’t have an account there.

Spotting such attempts at identity theft and fraud has become so much a part of the average computer user’s life that we don’t even register such requests anymore – they go straight to the spam filter or “delete” file.

But what happens when being safe and informed is not enough? My fiancé and I found out exactly what, the hard way.

In early February, my fiancé – we’ll call him Dan for reasons of security and ever-increasing paranoia – was unable to access his Yahoo! e-mail account, which is his primary source of digital communication. He spent two days trying, and in the process, found he could view his user profile without actually logging in. User profiles, which are publicly available, are part of the Yahoo! member directory.

In his profile, his first and last names were replaced with a hacker’s calling card that read: “cracked by mystical_forever” with a Web site address. (I’ve changed this name, too, even though I’m not too keen on protecting this person’s identity.)

Tracking hackers

Dan visited the hacker site, after running security checks on our PC to make sure that it would not be invaded by unwanted packets upon connecting. The site looked simple, yet ominous, with a slate background and neon lettering.

When he found the profile page of the hacker who cracked his account, Dan discovered more than 50 accounts on the hacker’s “hit list,” including his. Other users of the site had similar lists; all of them listed only Yahoo! e-mail accounts, and many of them were up for auction.

Any doubts that this was a site of ill-repute were dispelled by the terms of service, which require users to affirm: “You are not affiliated with any government, anti-piracy group, Yahoo! Inc. or any other related group, or were formally (sic) a worker of one.” Anyone in those groups is not permitted to enter the site, and doing so (irony alert!) is a violation of the Internet Privacy Act, according to the TOS.

Hours later, Dan sat mesmerized by the unhealthy glow of our flat-screen monitor. But he wasn’t in a state of shock. He was spying on the hacker chat room.

Using a screen name similar to that of his hacker, he was able to provoke the chat room into an angry nerd frenzy. “Why would someone do such a thing?” they typed. Why, indeed.

By simply lurking on the chat, he was able to elicit enough information about the hacker to identify her. We were also able to find the name of her husband, also a member of the Web forum, as well as their address and phone number. We even found out that they breed beagles and that the husband is an avid hunter/trapper.

It’s pretty scary what an online search can turn up – go ahead, Google yourself, and then map your house.

Armed with all of this information, we began the process of protecting Dan’s identity.

Fighting back

The first step when you suspect that your personal information has been compromised is to contact banks, credit card issuers, the Social Security Administration, credit reporting agencies, etc., to alert them to possible unauthorized use.

Second, you should contact the local police department to file a report. They aren’t likely to launch an investigation – I’d almost guarantee it – but having the incident reported will help you dispute future charges or smears on your credit.

Since Dan and I had the identity of the would-be identity thief, we also contacted her local police, who told us that just hacking an e-mail account is not illegal. Only when hackers actually attempt to use information contained in the account to fraudulently obtain something is it considered a crime.

In addition to local law enforcement, several organizations and agencies take reports on identity theft, fraud and Internet crimes. I contacted the Colorado Attorney General’s Office of Consumer Fraud to see what else we could do. An official there suggested we file a complaint with the Internet Fraud Control Center – IC3.gov – a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.

The Federal Trade Commission also accepts complaints. It recently released a fraud and identity theft report that showed that consumers in the 18 to 29 age group accounted for 29 percent of all identity theft complaints – the largest group. I suspect that many in this age bracket, like Dan and myself, feel impervious to such crimes because we grew up with a monitor in our faces and a mouse in our hands.

No safe harbor

But no one is safe from Internet security breaches, according to Todd Massey, founder and chief technology officer of Fort Collins-based e-mail security company Privacy Networks. He said that about 70 percent of all Web sites can be hacked because most companies don’t know enough about security to stop it.

Capturing a password can be as simple as running a program that enters every possible password available. Because people tend to use the same user names and passwords everywhere, a hacker could get a password to a secure site by first cracking it at an unsecured site.

In Dan’s case, Massey guessed, the hacker was probably a script kiddie – someone who runs a hacking program created by someone else without understanding how it works.

Massey said that this is not a new phenomenon.

“The concept of hacker boards has existed since the ’80s,” he said.

In the 1980s, hackers frequented “phreak boards,” online bulletin board services that posted information about how to hack modems, how to access credit card accounts, and other nefarious activities. Phreak boards were a target of the Computer Fraud and Abuse Act of 1986, which makes it a federal crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if such trafficking affects interstate or foreign commerce; or such computer is used by or for the Government of the United States.”

However, Massey said, no one seems to remember that these laws already exist. Or the resources needed to even make a dent in enforcement could be too great.

Privacy vs. security

“The problem is that the Internet is inherently not secure,” Massey explained. Making it more secure would come at the expense of privacy.

Dan hoped that he could recapture his account by contacting Yahoo! and explaining the situation. But that’s where privacy comes in.

Dan created his e-mail account about 10 years ago and cannot for the life of him remember the answer to his “secret question.” I created my Yahoo! account about five years ago, and don’t even remember there being a secret question.

Apparently, without the answer, Yahoo! personnel cannot help you access your account – even if it has been hijacked. Yahoo! will only give access to an e-mail account without the secret password under very limited circumstances. For example, if a Yahoo! user dies, relatives can present a death certificate and other identifying information to have the account closed, but cannot gain access to the contents.

After several calls to Yahoo!’s customer service line and many e-mails to its security team, Dan was no closer to getting the account back. He even asked if the account could just be closed, so that if it is auctioned, the buyer won’t use the information in it to wreak havoc.

It wasn’t until I contacted Yahoo! to ask questions regarding e-mail security for this column that we got a more concerned response. However, the account is still in the hands of someone who could auction it off for money, or arcade points, or Lindens, or whatever hackers use for currency these days.

Kristen S. Bastian covers technology for the Northern Colorado Business Report. She can be reached at (970) 221-5400, ext. 219 or [email protected].
