Wednesday, September 23, 2009

Internet Fraud Case–Vladimir Levin: Hacking Genius

Vladimir Leonidovich Levin, born on March 11, 1971, a biochemistry graduate of St. Petersburg's Tekhnologichesky University in mathematics, led a Russian hacker group in the first international bank robbery over a network.

Vladimir, who worked for AO Saturn, a trading company in St. Petersburg, befriended a former St. Petersburg bus driver who had turned entrepreneur in San Francisco, according to recently unsealed court documents. Levin allegedly told his new friend he had found out how to wire-transfer money out of the bank's computer system. Twice already, he allegedly bragged, he had squirreled substantial amounts into his own account in Finland. Court documents say Levin's colleague became a partner in what would become a multinational hacker ring.

Just a few weeks later, transfers were made to BankAmerica accounts held by Primorye (roughly translated as "Shoreland" in Russian) Corp. and Shore Corp., both of San Francisco. The companies were owned by Levin's friend Jevgenij Korolkov. By this time, the bank officials had begun to suspect foul play and started questioning Korolkov. Korolkov left the country but apparently was not deterred. Instead, the two pressed on and recruited new partners around the globe, authorities say. By October 1994, he broke into the bank's computerized cash management system and attempted forty illegal transactions to California, Israel, Germany, Holland, and Switzerland.

Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into the bank's computers and then obtained a list of customer codes and passwords. In July 1994 customers complained of $400,000 mysteriously "disappearing" from two bank accounts. The bank's security system flagged two transfers in August 1994, one for $26,800 and another for $304,000. Bank officials then contacted the FBI, who tracked Levin as he trespassed on the bank's system and made more illegal transfers. He logged on 18 times over a period of a few weeks and, between June and October 1994, transferred more than $10 million in funds from three corporate customers of the bank through wire transfers to accounts his group controlled in the United States, Finland, Netherlands, Germany, and Israel.

Court documents allege he accomplished the illegal transfers by dialing into the bank's cash management system. The bank indicated that Levin gained access to the company’s cash management system through valid accounts that weren’t protected by encryption. There has been speculation that someone inside the bank served as Levin’s accomplice. The bank, however, denies such claims and evidence to the contrary never surfaced. The system allows the bank's customers to initiate their own fund transfers to other banks; daily turnover is about $500 billion. Authorities say that to avoid causing suspicion, Levin dialed in from his house in Russia late at night. Conducting transactions during New York business hours would be less likely to raise alarms. Levin apparently used valid user IDs and passwords of other banks, among them Banco del Sud in Argentina and Bank Artha Graha in Indonesia. How he got those passwords, given the bank's extensive security, is unclear. Inside help seems likely, but the bank claims that no employees were involved.

When the bank noticed the transfers, it contacted the FBI, which, working with the bank, tracked Levin making illegal transfers. They were further assisted by Russian telephone company employees, who helped them trace the source of the transfers to Levin’s employer in St. Petersburg, Russia. Levin was finally arrested at Heathrow Airport, London, in March 1995 as he stepped off an incoming flight from Moscow. Thirty months later, in 1997, he was extradited to New York - the extradition and the actual charges underscore the legal problems encountered with the multi-jurisdictional nature of cyber-crime. Vladimir fought extradition for 30 months, but lost, and was transferred to the US for trial.

When Levin was extradited to the U.S. in 1997, he was described in the newspapers as the mastermind behind the Internet's first-ever bank raid. Some security experts dispute that claim, however. Levin, they say, used telecommunications systems, not the Internet, to break into the bank. He was able to intercept the bank's customers' phone calls and, as the customers authenticated their accounts by punching in their account numbers and PINs, obtain the information he needed to commit the fraudulent transactions.

Levin pleaded guilty in January 1998 and admitted using passwords and codes stolen from the bank's customers to make transfers to his accounts. The bank was able to recover all but $400,000 of the $10 million that was siphoned from its accounts. Finally, on February 24, 1998, a U.S. judge sentenced Levin to three years in prison and ordered him to pay the bank $240,015. Four members of Levin's group pleaded guilty to conspiracy to commit bank fraud and served various sentences.

While the bank's spokespeople have indicated that Levin gained access to the company's cash management system through valid accounts that weren't protected by encryption, there has been speculation that someone inside the bank served as Levin's accomplice. The bank denies such claims and evidence to the contrary has never surfaced.

Other Little-known facts:

  1. Levin claimed that one of the lawyers assigned to defend him was actually an FBI agent.
  2. The bank reportedly lost 20 top clients, who thought that the bank’s systems were not secure enough.
  3. The sentence of 3 years was strangely less than the one given to Kevin Mitnick, captured in 1995, who had stolen 20000 credit card numbers.
  4. In the UK, at the extradition hearing, Levin’s lawyer claimed that no computers in the US were used to access the bank’s accounts and extradition was unwarranted. When that failed, Levin’s US attorney argued that none of the transactions technically passed through New York, where Levin was being tried, as the bank’s computer is over the river in New Jersey.

2. Other issues relating to Case

This case was not only a serious embarrassment for the perceived integrity of global banking systems but more pertinently for the bank itself. The bank said it was the first time its payment system had been successfully compromised – but they deserve praise for the way in which they both reported it to the authorities and took the resultant adverse publicity on the chin. Turning potentially damaging publicity to their advantage, the bank said the only reason $10 million was transferred from the New York accounts was because the bank cooperated with US authorities investigating the scheme. After the first $400,000 was stolen, the bank said, other illegal transactions were allowed to occur so an electronic trail could be laid that would identify all of the conspirators.

Yet there was a critical gap in security procedures at the bank that also helped allow the crimes to be committed. Before a corporate transaction is finally approved, most banks require users to swipe a credit-card-like smart card through a terminal. The card is encoded with an electronic signature unique to the user, and if the signature isn’t present the transaction is voided. The bank didn’t make these cards available to clients before Vladimir Levin penetrated the bank’s network, although it said it has done so since the crime was discovered.

All the accounts that were hit by Levin are known as Cash Management Systems, designed for use by corporate customers who can transfer money between their accounts. Further, all the accounts targeted were not encrypted, giving Levin easy access to the money. The bank took immediate action so this event would not occur a second time. The bank has since implemented a security system known as the Dynamic Encryption Card. The card looks like a pocket calculator. The user turns the card on and enters a personal identification number. The card then generates a password to enable users to log into the system. The password can only be used once, heightening security and taking away the responsibility of customers to frequently change their password. As far as the bank is aware, it is the only financial organization using such a system.

The bank said that no current or former employees of the bank were involved in the scheme, but some bankers speculated that someone with inside knowledge of the bank’s security procedures helped perpetrate the crime.

Issues for discussion

1. What do you think was the weakest link in the security, which caused the hacking to take place?

2. What in your view helped the bank to recover almost the entire amount?

3. Considering the fact that 20 clients left the bank and that the bank was sure that it would not lose more than $400,000, do you think it was right for the bank to go to the FBI?

4. What do you think could have helped US to seek extradition of hackers and what do you think are the lessons for us to draw?
