Another unanswered question about the Stratfor hack: why weren't the credit card victims notified?
From Stratfor's official statement:
I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. . . . That immediate problem was solved when the FBI told us it had informed the various credit card companies and had provided those companies with a list of compromised cards while omitting that it had come from us. Our customers were therefore protected . . .
And from Stratfor's FAQ about the hack:
3. How were credit card companies informed?
The FBI notified credit card companies in early December.
There is no evidence that the FBI notified credit card companies in early December, or ever. None. To the contrary, virtually all victims who publicly discussed the matter, and a few I heard about from an individual subscriber who spoke to others, found out about the hack from a reporter or from unauthorized charges on their credit card(s) in late December. I haven't seen a single journalist try to figure out what happened here, despite the glaring contradiction between Stratfor's statements and what actually happened.
I dare anyone to find one Stratfor hacking victim who was notified by their bank before fraudulent charges were attempted.
Credit card fraud has already been well-documented in this incident, said Identity Finder's CEO, Todd Feinman. . . (Quoting i-force.be, Dec. 28, 2011. The report by Identity Finder was originally at http://www.identityfinder.com/blog/post/Identity-Finder-Releases-Detailed-Analysis-of-Personal-Information-e28098Anonymouse28099-Attack-on-Stratfor.aspx, but appears to have been removed from the public website.)
Specific examples have been cited in various articles. Choosing one somewhat at random:
One receipt -- to the American Red Cross -- had Allen Barr's name on it.
Barr, of Austin, Texas, recently retired from the Texas Department of Banking and said he discovered last Friday that a total of $700 had been spent from his account. Barr, who has spent more than a decade dealing with cybercrime at banks, said five transactions were made in total.
"It was all charities, the Red Cross, CARE, Save the Children. So when the credit card company called my wife she wasn't sure whether I was just donating," said Barr, who wasn't aware until a reporter with the AP called that his information had been compromised when Stratfor's computers were hacked.
[Emphasis added. Associated Press, Dec. 25, 2011.]
How did this happen, if "the FBI notified credit card companies in early December"?
This contradiction exists even in the "Government's Memorandum of Law With Respect To Sentencing" of Jeremy Hammond. We get this on page 20:
As a result of the FBI's control of this server, the FBI was able to mitigate the harm by, for example, notifying credit card companies about the compromised cards.
yet it comes after this on page 10:
When a Stratfor subscriber expressed outrage on a social media site, Hammond located among the Stratfor data he had stolen the subscriber's personal information, including the subscriber's credit card data, email address and home address; pasted it in a chat channel visible to his co-conspirators; noted that the credit card information was still good; and directed his co-conspirators to make fraudulent charges against it. [Emphasis added]
This is most likely a reference to Victor Gebilaguin, who expressed his outrage by posting on Stratfor's Facebook wall: "The hackers ought to be shot then hanged upside down in public." Gebilaguin's post has apparently since been deleted, but was made a day or two after the Stratfor hack became public knowledge on Christmas Eve.
Here are some (unverified) responses to Stratfor's Facebook post about the credit card breach, all made on December 26 or 27, 2011:
Stephen Hunter: I have been calling names on the list and warning the poor souls. Out of the 600 I have reached so far 500 didn't even know what had happened. [It isn't clear which list he was working from.]
Gusgus Baratta: great. someone just used my cc number to buy software here http://eu.blizzard.com/store/details.xml?id=221004077 Apparently they used my home address and a different name.
Bruce Henderson: Fraudulent charges showing up on my card today.
Gord Lawson: I was a Stratfor customer. How did I find out? My bank phoned me and advised me to cancel the credit card. [I'm assuming this was shortly before his Facebook post, and probably in response to fraudulent charges like others describe.]
Alexandros Fox Boufesis: I was contacted by my credit card service today, they informed me that someone tried to steal money!
Peter Francis: I was a victim. My card was hacked. I'm just pissed because my bank shut my card down and now I have no netflix. I sad.
In light of the above, I would not be surprised if some of the credit card numbers are still being used fraudulently. Not everyone checks their statements carefully, or at all. A recurring charge of, say, $10 or $20 may go unnoticed, and may continue even after the expiration date of the card. According to this site:
Thanks to some under-the-radar rules that work out in favor of vendors who charge recurring card fees, most credit card carriers allow a "recurring indicator" to be included in vendor/customer credit card transactions. In layman's terms, that means there are data bytes in your credit card payment DNA that allows companies to bypass credit card expiration dates and keep charging you anyway, even if your card has expired.
Worse, there are loopholes in credit card regulations that enable vendors to get new credit card information if the old card was closed due to fraud, or even if you switched cards for a better rate. In either case, the recurring charges continue.
According to the Identity Finder report referenced above, the hackers obtained 50,277 unique credit card numbers, of which 9,651 were not expired. If even a tiny fraction of those victims never check their statements, thieves could have walked away with — could still be collecting — a decent income.
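The failure mode described above (a small recurring charge that keeps posting after the card has expired) is one a cardholder can check for mechanically. The following script is an added example, not part of the original post and not from Stratfor, Identity Finder, or any bank: it parses a statement in a simple constructed line format, groups charges by merchant and amount, and reports recurring charges that continued past an assumed card expiry date. The statement lines, merchant names and expiry date are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample statement (not real data). Format: YYYY-MM-DD|merchant|amount
SAMPLE_STATEMENT = """
# two large one-off charges shortly after the breach became public
2011-12-26|Red Cross Donation|150.00
2011-12-26|CARE Donation|200.00
# a small recurring charge that keeps posting after the card expires
2012-01-05|Streaming Service|12.99
2012-02-05|Streaming Service|12.99
2012-03-05|Streaming Service|12.99
# ordinary spending with varying amounts (should not be flagged as recurring)
2012-01-10|Grocery Store|54.20
2012-02-12|Grocery Store|61.03
"""

# Assumed expiry date of the cardholder's (constructed) card.
CARD_EXPIRY = date(2012, 1, 31)


class Txn(NamedTuple):
    posted: date
    merchant: str
    amount: Decimal


def parse_statement(text: str) -> List[Txn]:
    """Parse 'YYYY-MM-DD|merchant|amount' lines; blank lines and '#' comments are skipped."""
    txns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        posted, merchant, amount = (field.strip() for field in line.split("|"))
        txns.append(Txn(date.fromisoformat(posted), merchant, Decimal(amount)))
    return txns


def find_recurring(txns: List[Txn], min_occurrences: int = 3) -> Dict[Tuple[str, Decimal], List[date]]:
    """Group charges by (merchant, exact amount) and keep groups that repeat at least min_occurrences times."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.merchant, t.amount)].append(t.posted)
    return {key: sorted(dates) for key, dates in groups.items() if len(dates) >= min_occurrences}


def recurring_past_expiry(txns: List[Txn], card_expiry: date,
                          min_occurrences: int = 3) -> Dict[Tuple[str, Decimal], List[date]]:
    """Recurring charges with at least one posting dated after the card's expiry date.

    A charge that keeps posting after expiry is exactly the pattern the 'recurring indicator'
    rules permit, so each such group is worth a closer look on the statement.
    """
    flagged = {}
    for key, dates in find_recurring(txns, min_occurrences).items():
        late = [d for d in dates if d > card_expiry]
        if late:
            flagged[key] = late
    return flagged


if __name__ == "__main__":
    statement = parse_statement(SAMPLE_STATEMENT)
    for (merchant, amount), late_dates in recurring_past_expiry(statement, CARD_EXPIRY).items():
        print(f"{merchant} {amount}: posted after card expiry on "
              + ", ".join(d.isoformat() for d in late_dates))
```

Grouping on the exact amount is deliberate: subscription-style charges repeat to the cent, while ordinary spending at the same merchant varies and so is not flagged. Lowering `min_occurrences` to 2 catches a charge sooner at the cost of more false positives.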
I was hoping that additional details might be revealed by the class action lawsuit against Stratfor, but unfortunately the documents made public were disappointingly uninformative.
What went wrong with the victim notification? There are a few possibilities. First let's discount a few that seem unlikely.
I don't think Stratfor lied about what the FBI told them. Stratfor had every incentive to minimize negative fallout from the hack, and would have (further) angered both their customers and the FBI by lying about this. So let's assume that someone at the FBI told Stratfor that they would take care of it.
I think it's also safe to assume that the FBI (as an institution) intended to notify the victims, or thought that they had notified the victims. Like Stratfor, the FBI had every incentive to minimize negative fallout from the hack, especially as one of their own informants was intimately involved. The FBI employees who made representations to Stratfor and the courts could face sanctions/discipline if they were found to have intentionally lied.
I don't think we can blame the banks. If we assume that the FBI notified them, then we'd have to assume that they all dropped the ball by failing to notify customers. All of them? I just don't see it, especially as banks tend to be good about such things.
So we are left with only a few possibilities.
Again referring to Hanlon's razor, incompetence is the simplest and most likely explanation. It's easy to imagine a scenario in which there was a miscommunication between FBI employees about who was responsible for notifying the banks. Obviously this shouldn't happen. There should be a system in place to prevent such oversights, and an attentive supervisor to notice and rectify failures.
We can also explore scenarios which are less likely but unfortunately still possible. One is callous indifference on the part of the FBI: "Thousands of people are at risk of fraudulent credit card charges? Pffft, who cares?"
Another possibility is that one or more people within the FBI profited from (or intended to profit from) the stolen credit card numbers (which could have been with or without the hackers' knowledge). Although rare, it's not unheard of for an agent to conspire with an informant or other individual to commit crimes.
I know that the Stratfor hack is old news, but if anyone is still interested in these issues, I'd very much like to see a journalist attempt to answer the following questions:
- If "the FBI notified credit card companies in early December" (according to Stratfor), why were so many fraudulent charges able to go through in late December? Can the FBI provide any documentation that they actually notified the banks?
- If someone dropped the ball (whether at the FBI or the banks), has the FBI taken any steps to prevent this problem from recurring?
- Can the FBI verify that all credit card victims were eventually notified (whether by Stratfor, a bank, or the FBI), or might there still be fraudulent charges going through?
- Has the FBI attempted to ascertain whether any FBI personnel might be complicit in the fraudulent use of the credit card numbers, or in the continued ability to use them? (Possibly related: Sabu's handler let him repeatedly warn people that he was an informant and incite worldwide criminality.)
Until these questions are answered, all credit card holders should be skeptical of any FBI claims that they have notified victims of credit card theft.
(Sorry, I don't have my website set up for comments. If you're on Twitter, please tweet at me. Or post your reply somewhere on the internet and I'll probably come across it.)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.