8

[THE CYBERTHIEF]

Not long ago, I was faced with a real dilemma. One of my sons had a birthday coming up, and he wanted a guitar he’d seen on eBay. That particular guitar, and no other. I know that eBay is part of the pulse of daily life for many consumers, who regularly log onto the auction site to buy everything from car tires to knight’s helmets. But it isn’t part of my life. The Internet frightens me. I think it’s a wondrous invention and there are many things I love about it, but it unnerves me because of all the possibilities for fraud. A firm rule of mine is never to buy anything over the Internet with a credit card, and I tell my wife and kids the same thing. I just don’t trust the feeble amount of security that’s been incorporated into most websites.

But now there was this guitar and my son’s birthday. So I logged onto eBay and found the guitar. In order to purchase it, I had to go to a feature called Pay Pal. It required that I enter my credit card number. Given my convictions, I was very reluctant to do that, but I was even more reluctant to disappoint my son. So I went through the drill and typed in my MasterCard number and expiration date. Just as I was about to complete the transaction, I got panicky and had a change of heart. I pressed cancel. I’m not going to do this, I told myself. It violates all my principles. I signed off, unaware of my impending fate.

Fortunately, eBay tells you how to contact the owner of any item offered on its website, and so I sent an e-mail to the guy who was selling the guitar and asked him to call me. When he did, I talked to him for a bit and felt comfortable that he was legitimate. I told him I’d like to buy the guitar, but I wasn’t going to give out my credit card on the Internet. I said I’d send him a cashier’s check for the amount, and give him my Federal Express number so he could ship it to me. He agreed, I got the guitar, and my son was delighted.

Soon after, I received my MasterCard bill in the mail, and there was a two hundred fifty dollar charge from Pay Pal. I called and said that I hadn’t bought anything. They told me to write a letter contesting it and they’d remove the charge. Then a package arrived at my house addressed to me. I opened it up and it was some ski pants. I hadn’t ordered any ski pants. I didn’t even recognize the company.

I called them up and was told it was an Internet purchase made on my MasterCard. I explained that I would never buy anything over the Internet. Obviously, someone had gotten hold of my credit card number, and the only way he could have done it was through that Pay Pal entry. Okay, the guy said, just put the pants in the box and send them back and I’d get a credit. I asked him why someone would use my credit card to buy something and then ship it to me? What probably happened, he said, was it was someone in my area. Most people are at work when packages arrive, and they get left on the porch. Thieves will order them, find out when they’re to be delivered, and then steal them off the porch. Another possibility was the thief tried to have it delivered to a different address, but as a precaution, this company only shipped merchandise to the billing address on the card. Not wanting to arouse suspicion, the thief probably allowed it to be sent anyway. What did he care? He wasn’t paying for it.

Once I got off the phone with the ski pants company, I called MasterCard and alerted them to the shenanigans with my card. The representative checked my account activity. As of that moment, it showed purchases of $3,600, none of which I had made. They were all Internet purchases, since there was no need for a signature or anything. My card was canceled, and I had to send a notarized affidavit attesting that those were not my charges.

So here I was, one more victim of Internet fraud. The sole time in my life that I used the Internet to attempt to buy something, and just for a minute, I got scammed. I never even completed the transaction, and yet my card number was preserved on the site and someone got hold of it. If this happened to me, who’s constantly on the alert for swindles, it shows you how vulnerable computers have made us.

THE PORTABLE THIEF

There’s no question about it: the Internet is a criminal’s dream come true. Forty million people use the Internet every day, and to a thief, that translates into the ability to cheat an immense number of people all at the same time. Estimates are that more than 5 percent of Internet transactions are fraudulent, compared to less than half of one percent for brick-and-mortar retailers. Every day, thieves are sitting before their terminals, trying to break into somebody’s system, working on that way to bypass security.

With the Internet, a thief doesn’t need to come to your business or your home to steal from you. He does it by computer. A con man normally had only the ability to reach people through the medium of himself, and so he could only cheat a limited number of people in a small area. Back in my days pushing bad paper, I was constantly on the move, and I had to be. Part of the reason was to evade capture, but also I needed to find new victims I hadn’t yet fleeced. A con man today never has to board a plane. Using the Internet, he can deceive people all over the world, without having to talk to them. He doesn’t even have to get dressed.

When it comes to fraud, appearance used to matter. When I started doing check forging, I was sixteen, but I was over six-feet tall. I looked like an adult, and I was able to act the part. If I’d been a bashful, pimply-faced teenager, there would have been no way I could have gotten away with what I did. But with electronic fraud, you don’t know who the criminal is. You can’t see him or her, because the person is sheltered by the technology’s anonymity. You have literally opened yourself up to millions of criminals, and not only domestic ones. When you’re on the Internet, you don’t know if you’re dealing with someone from Nigeria, Syria, Hong Kong, Malaysia, or Buffalo. And have you ever tried to get a refund from another continent? You won’t enjoy the experience.

Computer crime, or cybercrime as it’s called, is one of the newer forms of fraud, but it’s a tremendous growth industry. One of the frightening things about fraud with computers is the speed at which it happens. When people use the Internet, they talk of going on “Internet time,” meaning that everything transpires at warp speed. Well, criminals like Internet time too. A well-executed bank robbery, the physical stealing of the money, is going to take a half-hour, easily. With an electronic heist, we’re talking a couple of milliseconds.

So much about computers makes me uncomfortable, because they’re the doorway to limitless amounts of money. Money is continually transferred electronically between banks and financial institutions, trillions of dollars a day flying around the world as electronic pulses. If a hacker slips inside a bank’s computer, he can commit bank robbery of unprecedented proportions, with a mouse rather than a gun. Here’s a statistic that shocks even me: only 6 percent of all websites are considered secure by experts. That means that 94 percent aren’t. The 6 percent are almost all big financial institutions, because they’re the only ones willing and able to spend the money to do it. It can cost at least $50 million for a bank to secure a website. Every day, ten thousand new websites are added, 94 percent of which are not secure. Despite this, most of us fail to acknowledge the fact that the computer is like a weapon. For the purposes of robbing someone, it’s the same as a gun. The only difference is semantics. With a gun, it’s called armed robbery. With a computer, it’s called white-collar crime.

THEY SHOULD FRISK FOR A MOUSE

Computers have become such a potent weapon that in 1999, the U.S. Parole Commission made some telling changes in its rules. High-risk parolees can now be restricted from using computers and the Internet without written approval. In other words, don’t just keep guns out of the hands of repeat offenders; keep these guys away from the computers.

And for good reason. In 1994, Vladimir Levin, a thirty-year-old Russian payroll programmer with thick glasses, used a rather primitive computer to steal $10 million from Citicorp’s wealthier customers. With the help of some confederates, he managed to transfer the money into accounts with phony names scattered among obscure banks in the Middle East, Europe, and elsewhere. Then accomplices would go in and withdraw the sums. A stool pigeon ultimately turned him in, or he might never have been caught. He was arrested when he left Russia to go to London for a computer exhibition. Levin was generally considered to be the first online bank robber, and his theft was the largest computer crime on record.

As Levin’s crime illustrates, a big difference with electronic fraud is the quantities involved. With regular fraud, the amounts are often fairly small and only add up over time. With electronic fraud, we’re often talking about losses of millions of dollars in each caper. The FBI says that total losses from computer-related crime exceeded $250 million in 2000, double what they were in 1999, and since so much of it is under-reported, it could be in the billions.

Unfortunately, law enforcement has not kept pace in its training of agents in how to combat computer crime. One recent study of cybercrime found that only a tiny amount of the federal government’s law enforcement budget is spent on computer-crime training and staffing. Many police officers don’t even have e-mail.

Incidentally, outright theft of computers—the actual machines themselves—is itself a big problem. Security experts say computer theft is now second only to auto theft, and it’s much easier getting your car back than your computer.

HACKERS AND CRACKERS

If you have any doubt about the seriousness of electronic theft, think about this: six out of ten American companies and government agencies have been hacked so far, including the FBI, the CIA, the Secret Service, and the White House.

A twenty-year-old computer hacker confessed to breaking into two computers of the National Aeronautics and Space Administration (NASA) that were normally used to design satellites and for e-mail and internal functions. The hacker installed a program onto the computers that allowed him to host a chat room. On his chat room, he advised people to visit a particular pornographic website, and he earned eighteen cents for each visit someone made to it. Before long, he was making three hundred dollars to four hundred dollars a week.

A sixteen-year-old Miami boy broke into computers of the Defense Department and NASA, downloaded software, intercepted messages, stole data, and caused some of the computers to be shut down for three weeks. He repeatedly penetrated computers that monitor threats to the United States from nuclear, biological, and chemical weapons, as well as traditional arms. Too bad they didn’t monitor attacks from sixteen-year-old hackers. Fortunately, the government said none of the affected computers was related to the command and control system, so the kid wasn’t on the brink of launching a rocket or knocking a satellite out of orbit, but I hear these things and have to wonder, what’s next?

A few years ago, a band of German hackers wrote their own Microsoft ActiveX control. The control designed by the Germans made a slight adjustment in the popular personal-finance program Quicken. Whenever the user paid a bill online using Quicken, he would also make a small contribution to the account of the hackers. Stealing money a small slice at a time like this is known as a “salami” attack, and a computer can make a lot of salami.

There’s so much invasion of computers that distinct subcultures have emerged. The term “hacker” is now most commonly used to refer to teenagers who break into computer systems for kicks, the way kids of earlier generations smashed eggs on windshields or did graffiti. It gets them bragging rights among their peers. To them, bringing down the computer network of the Joint Chiefs of Staff is the same as playing Donkey Kong. After a sixteen-year-old boy was caught prowling in government and business computer systems, he explained, “All the girls thought it was cool.”

Full-fledged thieves who invade computers as a profession are referred to as “crackers.” There’s quite a robust underground market in cracking. Adept crackers can command ten thousand dollars and up for breaking into a corporate website, and just as baseball players arrange bonuses if they hit a certain number of home runs or pitch so many innings, they merit bonuses for stealing trade secrets or doing damage to a competitor’s computer system.

THE PROGRAM THAT LAUNCHED ONE THOUSAND SCAMS

We all learned how the Greeks won the Trojan War by concealing themselves inside a large hollow wooden horse that got them into the walled city of Troy. The simplest method crackers use today to invade a computer is a piece of software that operates by a similar deception—a Trojan Horse program.

Just like with the real Trojan Horse, a Trojan Horse program has two functions operating simultaneously, one that you see and one that you don’t. It does something overtly innocent like demonstrate a game, show a greeting card, or offer an mp3 song. But while that benign activity is going on, something insidious is happening. Basically, the criminal dupes you into running something whose exclusive purpose is to burrow its way into your computer without you knowing about it.

Trojan Horse programs take different forms, and you can find dozens of them offered free right on the Internet. One common scam works like this. The criminal sends you an ordinary e-mail. It’s easy enough to find out anyone’s e-mail address through a routine Internet search. The e-mail says, “Hey, how you doing? Want to see something cool?” and contains an attachment. The key is the attachment. When you open it, there might be a game demo or some little piece of entertainment. You watch it and have a few chuckles. But invisibly embedded in that demo is a Trojan Horse program known as a keystroke recorder, whose subcommands instruct the computer to record everything the user types on the keyboard. That information then gets sent to the computer of the criminal. He now knows your passwords and account numbers, and your credit is at his disposal. These programs were originally designed so employers and parents could check on what their employees and kids were up to, but like so many legitimate ideas, they’ve been put to alternative, malicious purposes by thieves.

The Trojan Horse could also carry a more elaborate desktop monitoring program that functions almost exactly like a surveillance camera. Now when you’re online, the criminal views live on his computer everything that you type and see on your screen. He could be in Turkey, but it’s as if he were sitting beside you. If you log on to your bank account, entering your account number and your PIN, the thief in Turkey sees precisely what you’re doing. He can then log on to your account and have your bank send him a check that cleans out your savings. And you never even knew he was there.

A Trojan Horse can also deposit a remote access program that not only enables a crook to see what someone is doing, but also lets him get into that person’s computer, fool with his files, and disrupt his system. The best known of these snooping devices is Back Orifice. It was devised by a hacker group called the Cult of the Dead Cow. The program’s name spoofs Microsoft’s Back Office software. Again, these programs have a legitimate purpose. The majority of companies have them so employees can work from home or while they’re traveling. Well, thieves like to telecommute, too.

One of the more ingenious and remarkable Trojan Horse scams was pulled a few years ago by three men on Long Island. They set up several voyeuristic websites named beavisbutthead.com, sexygirls.com, and ladult.com that advertised free “adult” pictures. Internet users who happened upon the sites in their Web surfing were instructed to download a viewer program that would allow them to see the sexy pictures, and a lot of men did just that. What did they have to lose? The pictures were free, weren’t they?

Unfortunately, however, the viewer that was to furnish the pornographic pictures turned out to be more than just a viewer. It also housed a Trojan Horse that commanded your computer to do a few other things. It shut down your volume control so you wouldn’t hear anything coming out of your speakers. Then it hung up your modem line and dialed a phone number in Moldova, a tiny nation you probably rarely called that was one of the former Soviet republics. With the speakers shut off, you couldn’t hear that scratchy telltale sound of a modem dialing a number. The call to Moldova was answered by a computer that reconnected you to the adult site and caused a photo of an unclothed girl to show up on your screen. While you were admiring her curves, you were paying big-time for a transatlantic call.

It got worse. There was only one photo, and it wasn’t that great, so most people abandoned beavisbutthead pretty quickly. But leaving the site didn’t disconnect the call to Moldova. Even when you signed off the Internet and went on to write some poetry in your word processing program, your modem was still talking to Moldova. The hijacking of your modem call didn’t end until you shut off your computer, which could have been hours later. If you left it on all night, you were in for a really rude surprise. Some people found charges as high as three thousand dollars on their phone bill. In just six weeks, the scam attracted 800,000 phone minutes to Moldova. Never was the country so popular.

WHAT TO DO

There are plenty of tools designed to thwart Trojan Horses, but it’s a constant battle against criminal ingenuity. Anti-Trojan Horse programs and anti-virus software are widely available, but they need to be updated regularly if they’re going to succeed against the latest Trojan Horses and viruses. And you need to use some common sense. Don’t download attachments from people you don’t know, and don’t download software off the Internet unless you’re sure of the site that’s offering it. If you download a program from a website you’re unfamiliar with, that’s about the same as ordering your prescription drugs from Nigeria. You need to know the source and content of every file you download. Even if the file says it comes from a friend, be doubly sure before you download an attachment.

THE HIDDEN AGENDA

Criminals think differently than most people. To avoid being scammed, you have to start thinking the way a criminal does. For instance, I visited a company while it was going through the frantic preparations for the Y2K rollover, when everyone feared computers might misconstrue dates after January 1, 2000. Everywhere I looked, programmers were scooting around the premises, fixing computer code.

I asked the executives, “Who are you using to prepare your computers?”

“Oh, these guys from India,” they said. “They’re really sharp. And they’re cheap.”

“Really?” I’d said. “Did you check out their backgrounds? Did you have them bonded? How do you know you can trust them?”

They looked at me and their jaws dropped. They didn’t know if they could trust them.

Their thinking was, these guys know computers and they’re inexpensive, as were a lot of other off-shore firms from India, Russia, and Taiwan that were fixing Y2K problems.

But I was thinking, this is a golden opportunity for cyberthieves. When else have so many computers been opened up and touched by strange hands, with the blessings of their owners? I knew that any dishonest programmer could easily implant a so-called “back door” or “trap door,” a hidden entryway for him to get into the system whenever he wanted and steal data or funds. I have no doubt that many trap doors were part of the Y2K packages that companies got such a great deal on. Whenever you allow programmers to work on your computer system, for whatever reason, look into their background so you know who they are. A bank doesn’t allow just anyone to fix the locks to their vault. The same thinking should apply to your computer.

GOING, GOING, GONE

The number one source of crime on the Internet is online auctions, in large part because so many people use them and they’re such perfect settings for deceit. The FBI gets hundreds of complaints a week about them. There are stories of fraudulent paintings and “rare” Barbie dolls that are not so rare, of nonexistent kidneys sold for transplants. There are auction sites that sell suspect dinosaur fossils and pieces of meteorites. Sometimes the con artists use established auction sites to run their cons. Often, though, they set up their own auction sites and advertise expensive items like Cartier watches and personal computers that a lot of consumers would be interested in. They ask victims to send money for the goods and then deliver nothing, or a counterfeit version of what they wanted. And it may be months before consumers realize what they got was counterfeit. Once enough money comes in, the sites vanish.

One of the most common auction scams is when a con artist maintains he bought a nonrefundable but transferable airplane ticket. Unfortunately, something came up and he no longer can use it. It’s always for a popular destination and a time of year when plenty of people would be interested. He’s willing to sacrifice it at a loss; he just doesn’t want to have to eat the entire amount. The winner gets rewarded with a counterfeit ticket or nothing at all. Frequent flier mileage also turns up a lot on auction sites. The con artist claims his miles are good for a ticket anywhere in the world. The bidder sends the money and gets a letter saying, “Unfortunately, I just learned that I can’t transfer the miles. Don’t worry, I’ll send you a refund.” People have been waiting years for their refunds.

Every Christmas sees a predictable surge in auction fraud. There’s always a hot toy that every child must have, but there’s insufficient supply. So, con artists advertise on auction sites that they’ve got the toy. The Sony Playstation2 was the toy of Christmas 2000. Many people ordered them from phony auction sites and got nothing but an encounter with fraud. The address for the business that operated one site offering Playstations was a derelict house in Canada. The toll-free number consumers were invited to call was in California. The fax number to which they were told to send copies of their credit cards to speed their order was in the state of Washington. The money the company collected was wired to a bank in Florida. Does that sound like any business you want to deal with?

If you’re going to buy merchandise from online auctions, and many people swear by them, research the seller carefully. Look for the person on other websites. Some auctions allow members to furnish feedback on their experiences with different sellers. Even the feedback option is susceptible to fraud, however, as unsavory sellers will post glowing reports on themselves. Some auction sites like eBay provide limited insurance. Probably the best type of auction to get involved in is one that offers an escrow service, where you pay a small fee and the money is held until your goods have been received.

THE MYTH OF SECURITY

Just about any type of scam gets a boost from the Internet, but the web has really opened up a new world of opportunity for credit card thieves. As I so rudely found out, whenever you use your card to buy something online, you’re putting your account at risk. Crooks just love to log on to steal your card number.

One of their primary hacking tactics is “sniffing.” When you type something on the Internet, it doesn’t go straight to the website you’re visiting. Rather, the data gets divided up into what are known as packets. These packets get routed from computer to computer, until they all coalesce at the intended web destination. Criminals will plant “sniffers” on website computers, most commonly those hosting shopping sites, and the sniffers intercept the packets, copy down the information, and then allow the packets to proceed to the website. Packets destined for shopping sites naturally contain loads of credit card numbers, and they’re the sweetest smell of all.

This data then gets relayed to the computer of the criminals, where they sort it out and use it for ill-gotten gains. The whole process is essentially the Internet version of wiretapping.

But the chief way credit cards are stolen with computers is by breaking into the storage computers of sizable e-commerce companies and copying the extensive inventory of credit card numbers housed in their data bases. In late 1999, in the weeks leading up to Christmas, a rather brazen intruder helped himself to an early present when he broke into the computers of CD Universe, an online music store, and swiped more than three hundred thousand customer credit card numbers on file. Identifying himself as Maxim—he told the reporters he communicated with that he was sixteen and from Russia—he e-mailed CD Universe and demanded one hundred thousand dollars. If the website didn’t pay, he threatened to divulge the card numbers on the Internet. If he was paid, he said he would fix CD Universe’s security bugs, destroy the stolen card files, and forget about their store forever.

Well, CD Universe officials refused to respond to blackmail. On Christmas Day, Maxim made good on his threat. He set up a website that he called Maxus Credit Card Pipeline and began listing some of the stolen credit card numbers, adding new numbers on a daily basis. With a click of one’s mouse, anyone who logged onto the site could pick up a credit card number, name, and address.

The website operated for two weeks before some security experts found out about it, and alerted the Internet system that was carrying the site without its knowledge. It promptly shut it down. By that point, however, a traffic counter suggested that a few thousand visitors had downloaded more than 25,000 credit card numbers. Maxim also claimed that he had used some of the cards himself to raise some money.

The e-mail trail on the hacker suggested that he was indeed somewhere in Eastern Europe, making it difficult for American law enforcement to touch him.

Not long ago, someone broke into Western Union’s website and accessed 23,000 credit card numbers and expiration dates. Western Union had to call all 23,000 customers and tell them to cancel their credit cards. These were people who, a week before, had innocently transferred money through Western Union using their cards. You’d think a company the magnitude of Western Union would have a secure website, but it didn’t.

An editor at MSNBC, hearing about hackers wreaking havoc day after day, said that if it’s so easy to break into websites, why can’t my reporters do it? So he told two of his reporters to go home and get online and see if they could download credit card names, numbers, and expiration dates. He assumed it would take a couple of days. They were back within a few hours with 2500 credit card accounts.

The problem is, too many e-commerce companies don’t care if credit cards get stolen over their site, because it’s generally the credit card companies’ problem, and it costs staggering amounts to ensure security. If you’re Bank of America or Citicorp, it’s worthwhile to spend $50 million or $100 million to secure your site. But if you and I are selling outdoor lightbulbs or cheese, we’re not going to spend $50 million. Where would we get it?

WHAT’S BEING DONE

The Internet is so widely considered to be lacking in security, that companies have been forced to conceive of new ways to pay online. Late in 2000, American Express announced what it called a “private payments” service for credit card charges on the Internet. In effect, it’s a disposable credit card. We’ve got disposable cameras and disposable contact lenses, so why not a disposable credit card? The way it works is that a customer registers on American Express’s website, entering a name, password, and account number. Then the customer gets a private payment number that can be used once and only once. When you make a purchase online, you use that number rather than your regular credit card. As soon as the transaction clears, the number is worthless to anyone who gets hold of it. So if you want to send some flowers to Mom, you punch in the number, you’ve got the flowers, and the credit card number is immediately void.

American Express also offers a Blue card. If you order one, the company supplies you with a Smart-Card reader that gets attached to your home computer. It works pretty much the same way that a card reader does at the gas station or department store. The card has to be swiped through the reader, which authenticates purchases only after the correct PIN number is typed in.

Visa has been testing an online verification system of its own. One version goes like this: when you make a purchase over the Internet at a retailer’s website, a tiny window appears on the screen that asks for a password. When you type it in, that password is transmitted not to the store’s site, but to the bank that issued the card. This makes it harder for someone who has a stolen card to use it, because without that password being verified by the bank, the transaction won’t be processed.

In my view, these one-time use cards for Internet buying are a good thing. We need them, because there’s no faith in the security of online transactions.

If you’re going to give your credit card number over the Internet, at least make sure that the site uses S.S.L., or secure sockets layer, encryption technology. The way to tell is if the screen shows either a closed lock or an unbroken key icon. Another sign is if the merchant’s web address shifts from “http” to “https” when it processes a transaction. This is far from a secure site, but it’s better than a site that doesn’t have encryption technology.

WHAT TO DO

Computer crime can be so much harder to track down than traditional criminal activity, and I find that you need to approach it differently. As soon as fraud is suspected, it’s important to call in an expert before the evidence can be hidden. That means don’t let anyone touch the computer system. What the security experts will do is undertake a forensic investigation of a computer, using a technique known as imaging, where experts take a copy of the contents so they can be studied without disturbing the original.

Sophisticated crackers know how to shred electronic files and create self-destructing e-mail, but forensic experts have their own ways of finding data, no matter how many times it’s been deleted. There are file undeleting programs that often will catch rookie thieves, more elaborate tools like hex editors that enable you to view even deleted data, and magnetic sensors and electron microscopes that seize on the fact that every file deposits magnetic traces on the disk. Measuring changes in magnetic fields allows experts to reconstruct deleted files or overwritten areas.

Security experts also use things like a “honey pot” or “goat file,” which is a collection of phony files meant to lure a hacker. If he bites and tries to steal them, the system is alerted so he can be traced.
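The goat-file idea above can be shown as detection logic run over an access log. This is an added example, not code from the book: the decoy paths, the log format, and the sample lines are all constructed for illustration.

```python
import posixpath
from datetime import datetime, timezone

# Decoy ("goat") files: planted paths that no legitimate user or job should touch.
# Constructed for this example.
DECOYS = frozenset({
    "/srv/finance/wire_transfer_passwords.xls",
    "/srv/finance/customer_cards_backup.csv",
})

# Constructed audit-log lines in a hypothetical format:
#   <UTC timestamp> <user> <source address> <action> <path>
SAMPLE_LOG = """\
2001-03-14T02:10:05Z jsmith 10.0.0.21 READ /srv/finance/q1_report.doc
2001-03-14T02:11:40Z backup 10.0.0.5 READ /srv/finance/q1_report.doc
2001-03-14T02:13:02Z webuser 192.0.2.77 LIST /srv/finance/
2001-03-14T02:13:09Z webuser 192.0.2.77 READ /srv/finance/./customer_cards_backup.csv
2001-03-14T02:13:11Z webuser 192.0.2.77 READ /srv/finance/wire_transfer_passwords.xls
this line is damaged and should be skipped
2001-03-14T02:20:00Z jsmith 10.0.0.21 WRITE /srv/finance/q1_report.doc
"""


def parse_line(line):
    """Return (when, user, source, action, path), or None if the line is malformed."""
    parts = line.split(maxsplit=4)  # maxsplit keeps paths that contain spaces intact
    if len(parts) != 5:
        return None
    stamp, user, source, action, path = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    # Normalise the path so "/a/./b" and "/a/b" compare equal to the decoy list.
    return when, user, source, action.upper(), posixpath.normpath(path)


def find_decoy_access(log_text, decoys=DECOYS):
    """Return ({source: alert}, skipped_line_count).

    Any touch of a decoy raises an alert for that source address. The alert
    carries every event from the same source, in time order, so an
    investigator can see what happened before and after the decoy was touched.
    """
    events, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1  # count damaged lines instead of hiding them
        else:
            events.append(event)
    events.sort(key=lambda e: e[0])

    alerts = {}
    for when, user, source, action, path in events:
        if path in decoys:
            alert = alerts.setdefault(
                source, {"first_touch": when, "users": [], "decoys": [], "trail": []}
            )
            if path not in alert["decoys"]:
                alert["decoys"].append(path)

    for when, user, source, action, path in events:
        if source in alerts:
            alert = alerts[source]
            if user not in alert["users"]:
                alert["users"].append(user)
            alert["trail"].append((when.isoformat(), action, path))
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = find_decoy_access(SAMPLE_LOG)
    for source, alert in found.items():
        print(f"ALERT {source} users={alert['users']} first={alert['first_touch'].isoformat()}")
        for step in alert["trail"]:
            print("   ", *step)
    print(f"{bad_lines} unparseable line(s)")
```

Because nothing legitimate ever reads a decoy, a single hit is enough to alert; no threshold or baseline is needed.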

As I’ve mentioned, things you yourself can do to prevent electronic theft include using encryption tools, firewalls, virus scanners, Trojan Horse cleaners, and intrusion detection programs. There are e-mail filters to block messages from known spammers. You can also subscribe to an e-mail filtering service that will scan e-mail for spam, because spammers are endlessly tricky. Sometimes their ruse is even an invitation: “If you don’t want future mailings from us, reply to this address.” You think they’re being considerate. They’re not. If they get a reply, the scammers know you’re a live address and they’ll sell it to endless other scam artists. But spammers keep creating new addresses, so it’s a constant battle. And there are so-called Tiger Teams, computer experts, some of them reformed hackers, who come in and try to penetrate your system and then suggest ways to secure it. Just keep in mind that there is no such thing as an invincible system.

The FBI says if it had one tip to share to help catch cyberthieves, it would be to make certain your computer’s internal clock is synchronized to national standards, because that helps agents trace a thief’s steps.

Employees also need to do a better job of protecting their passwords into their systems. A common scam is for hackers to call employees, identify themselves as part of the company’s technology staff, and say they’re doing a routine check of passwords. Needless to say, if you receive one of these calls, always check with your company before divulging information. You need to choose a difficult password, a mix of letters and numbers, and you ought to change it every six months. Hackers have their own password-cracking software that tests words from lists of commonly used passwords—ordinary names, cartoon characters, rock bands. You wouldn’t believe how many people, for simplicity’s sake, use “password” as their password. Many others unimaginatively use their first name, or actually use none at all but have the “enter” key be their password.
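The password advice above can be turned into a check that runs when a password is set. This is an added example, not from the book: the word list, account records, and function names are constructed, and it goes one step past the text by also catching a list word with digits tacked on, which satisfies "letters and numbers" but is still built on a word the lists contain.

```python
import re
from datetime import date

# Constructed sample of the kind of list the text describes:
# ordinary names, cartoon characters, rock bands, and "password" itself.
COMMON_WORDS = frozenset(
    {"password", "michael", "jennifer", "snoopy", "mickey", "metallica", "nirvana"}
)

MAX_AGE_DAYS = 183          # "every six months", taken here as half a year
TODAY = date(2001, 3, 14)   # fixed date so the example is reproducible


def base_word(password):
    """Lower-case and strip non-letters from both ends: 'Snoopy99!' -> 'snoopy'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def audit_password(password, first_name, last_changed, today,
                   common_words=COMMON_WORDS):
    """Return a list of problems; an empty list means these checks all pass."""
    if password == "":
        return ["empty password (the Enter key alone)"]

    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("not a mix of letters and numbers")

    # A list word with digits added passes the mix rule but is still a list word.
    if password.lower() in common_words or base_word(password) in common_words:
        problems.append("built on a commonly used word")

    if first_name and first_name.lower() in password.lower():
        problems.append("contains the user's first name")

    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("older than six months")
    return problems


# Constructed records: (login, first name, candidate password, last changed).
# A check like this belongs at the moment a password is set, when the
# plaintext is legitimately in hand; stored passwords should never be plaintext.
ACCOUNTS = [
    ("alice", "Alice", "password", date(2001, 1, 10)),
    ("bob", "Bob", "Metallica1", date(2001, 2, 1)),
    ("carol", "Carol", "carol1975", date(2000, 3, 1)),
    ("dave", "Dave", "", date(2001, 3, 1)),
    ("erin", "Erin", "t7vq2mxr9k", date(2001, 1, 5)),
]


def audit_accounts(accounts, today):
    """Map each login to the problems found with its password."""
    return {
        login: audit_password(pw, first, changed, today)
        for login, first, pw, changed in accounts
    }


if __name__ == "__main__":
    for login, problems in audit_accounts(ACCOUNTS, TODAY).items():
        print(f"{login:6} {'OK' if not problems else '; '.join(problems)}")
```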

Above all, consumers have to be smarter. When you go online, blind faith doesn’t work. Know who you’re dealing with. Don’t be deceived by some highly-professional looking website. That doesn’t mean it’s legitimate. And no matter how you pay for something, you need to keep records of purchases, because they’re your best defense against fraud.

It’s obvious to me that electronic theft will only get worse, and cyberthieves will become even craftier at stealing and covering their tracks. There’s a familiar saying in the computer underground: if you’re a good hacker, everyone knows your name, but if you’re a great hacker, no one knows who you are. A lot of criminals haven’t even moved online yet, and you can bet they will. Electronic commerce is still growing at a dizzying pace. So as criminals see more opportunity, they’ll be logging on looking for their cut.
