Confessions of an ID Theft Kingpin, Part II (krebsonsecurity.com)
81 points by todsacerdoti on Aug 27, 2020 | 42 comments

> “I don’t know of anyone who has come close to causing more material harm than Ngo did to the average American,” O’Neill said.

> Throughout the court proceedings, Ngo sat through story after dreadful story of how his work had ruined the financial lives of people harmed by his services.

He made it easier for people to steal money from banks and credit card companies. It's a pretty stupid system that forces the "average American" to be on the hook for that. We shouldn't even be calling it "Identity Theft", this is just bank fraud.

https://www.youtube.com/watch?v=CS9ptA3Ya9E


I have to say this is what I found most surprising. In most other countries, the bank will transparently cover such losses through their insurance, most of the time they won't even require evidence, just a phone call.


What about cases where card-holders don't check their credit statements or transaction history or have alerts set up? Many may never even notice some of the fraudulent transactions.

It's true that this is largely bank fraud rather than theft of consumers' money, but it's still technically both, and in some cases literally both. Carders justify their actions by saying they're just ripping off huge corporations, and, yes, it's undoubtedly more ethical than burglarizing someone's home or something, but it's still major fraud.


Two things can be true at the same time.

The other thing that's true is that the most wealthy corporations on earth have twisted language and law to make these breaches of their [bank] security the failing and responsibility of the individuals who trust the bank, or, often, didn't even have anything to do with the bank (in the case of new lines of credit being opened in your name at a different institution).


I'm certainly no fan of giant banks, but this isn't concerning breaches of bank security. The fraudsters discussed in the article are generally stealing people's credit card numbers by installing malware on their devices. Sometimes it's them putting a skimmer on ATMs, but the bank's security isn't necessarily to blame for that if they aren't the ones that operate the ATM. Sometimes it's hacking a company like Target and compromising all of their payment systems; but Target is really at fault, there.

>to make these breaches of their [bank] security the failing and responsibility of the individuals who trust the bank

It's really the opposite: the consumer fucks up, by torrenting something and running Game of Thrones.exe, or whatever, and the bank is 100% on the hook for the consumer's lack of caution. It's actually quite amazing that anyone who has their money stolen gets all of their money back if it was stolen using a credit or debit card. The banks could easily just say "unless you can prove this was our fault (and it rarely is), you're on your own", but they reimburse you with no questions asked every time.

This is due to laws, not the banks' own good will, but it's still quite a nice situation for card-holders, if they realize their card has been used without their knowledge. (Often it's the bank who detects it and informs them.) That's why the fraudsters justify the ethics of their actions: the bank takes the hit, not the card-holder.


> The fraudsters discussed in the article

Your comment almost directly contradicts the article. This isn't about just stealing credit cards:

> “Many of them told us the same thing: Buying identities was so much better for them than stolen payment card data, because card data could be used once or twice before it was no good to them anymore. But identities could be used over and over again for years.”

And your part about "The banks could easily just say "unless you can prove this was our fault (and it rarely is)":

> “But during my case, the federal court received like 13,000 letters from victims who complained they lost their houses, jobs, or could no longer afford to buy a home or maintain their financial life because of me. That made me feel really bad, and I realized I’d been a terrible person.”

That doesn't sound like the banks were very forgiving for those 13,000 people, and it is 100% not their fault that Experian published on the public internet enough personal data about them to open new credit cards.


Sorry, you're absolutely right, I was mistaken and somehow ended up only skimming the parts of the article that were more about his personal story (and I guess overlooked the thread and article title, as well). Maybe partly due to reading some other previous Krebs posts about carders. Identity theft definitely is far more damaging to consumers than carding is, and banks and financial institutions are definitely a lot less forgiving.

People should disregard my above post. I think I just fell into the unfortunate HN stereotype of getting wrapped up in the comment section instead of RTFA.


This, to me, is incomprehensible. The Bank / Experian / whoever lost your data, they should be covering the damages.


Equifax pretty much just got a slap on the hand.


> But based on the records they did have, the government estimated that Ngo’s service enabled approximately $1.1 billion in new account fraud at banks and retailers throughout the United States...

Krebs really should have pressed this issue. Law enforcement always inflates these numbers significantly. They use sentencing guidelines to arrive at "financial losses" that aren't real.

For those who aren't aware, US Federal Sentencing Guidelines are how federal courts determine what punishment someone will receive. In many types of crimes they don't use true loss values because it would be very hard or impossible to determine. Instead they assign a fixed amount per instance.

For example, a single stolen credit card number may be considered $500 in fraud, even if the card was never used by the person being sentenced. I don't know if this is the current amount but it was 15 years ago when I was sentenced.

If someone has a database of 1000 credit card numbers they hacked, the court considers it to be $500,000 worth of fraud.

It makes sense in small cases but in larger ones like this it vastly inflates the amount of actual fraud.


The story was clear that this was only an estimate of damages. It also stated clearly that the investigators were somewhat constrained by the fact that Ngo's services did not keep reliable records of sales -- only what customers searched for.

I should add that in this case, a search for John Smith in Massachusetts would turn up all the John Smiths in Mass. The resulting sale (if there was one) could have been for all of the John Smiths in Mass, some of them, or just one. We don't know. This also made the notification of victims much more difficult.


> a single stolen credit card number may be considered $500 in fraud

That's still 2.2 million credit cards stolen.


From Part 1 of the article:

> “He was selling the personal information on more than 200 million Americans and allowing anyone to buy it for pennies apiece.”

If 1% of those are used to commit $500 in credit card fraud, that's $1B in hard losses without considering the cost to those 2M people cleaning up the mess.

It sounds like $1.1B is on the absolute low end.


This is also misleading. He had access to data on 200 million people. He didn't sell that many records.


This kind of reasoning also makes it hard in pyramid-scheme calculations.

When people say they lost X Billions from Madoff or whoever it's hard to know how much of that was on-paper losses. If I put in $10, got told I had $100 in earnings, then got $0 back, did I lose $10 (+ opportunity costs) or $100?


Both people I know who were parties to federal prosecution for fraud said the feds' numbers were actually very, very low. Both were 8-figure issues.


It depends on how they do it. In my case I had a DB on my computer with thousands of cards. They could have used those cards as part of my sentencing but didn't. Instead they tried to estimate losses based on cards they believed I used.

I don't know if it was correct but it seemed like a more reasonable way to do it.


It seems like the data brokers did most of the dirty work of collecting, storing and giving away the data to anyone who asked nicely. This guy managed to get access to all that sensitive data by just a single instance of social engineering. The data brokers' executives should be rotting in jail alongside him on much longer sentences.


The data brokers have accumulated towering piles of toxic data, creating a situation where spillage — and the resulting terrible harm to the innocent — becomes statistically inevitable.


Some people consider such piles of data a liability.


Probably including your parent comment, given that they described them as piles of toxic waste.


"Data is a toxic asset."

— Bruce Schneier

It is an asset, not waste.


Not to the people who view it as an asset.


I've noticed that if I am very careful people will often skip authentication steps and even just ignore them if they're lazy.

In my opinion we need to value these positions more. Higher salaries for these positions and more prerequisite education should be required. I don't think it'll happen without regulation though.


Everything he did to Experian doesn't sound like a crime, more like a violation of TOS.


And that's the problem. Experian has insufficient incentive to keep this data safely stored away. Experian acts as if the data belongs to Experian, allowing them to sell it under a TOS, but when criminals get a hold of it, no harm comes to Experian — it's not a physical asset they can lose ownership of entirely. Instead, all the harm crashes down on the individuals whose identities are swimming in that data.


This really, really pisses me off about society today. Never once has my identity been compromised by my actions; in the 4 times it happened, it was due to credit card companies and credit agencies. I have zero control over how they protect my data.

But their ad campaigns would have me believe that I have to take control of my data to protect myself. How? I don't even know what you have about me, where it's stored, how it's stored, how it's accessed, why it's accessed, and how to lock it. How could the individual possibly be on the hook for this nonsense? Why is this allowed?


One solution would be to have PII, especially sensitive PII, be owned by the person it identifies. Of course, this would cause lots of problems for businesses like credit reporting agencies.


Oh, darn.


This could be fixed by a change in the law that required data brokers and privacy farmers to carry insurance to cover the loss of information.

Suddenly you’d turn an “asset” that motivates surveillance capitalism into a liability you’d want to offload as soon as your business can.


Equifax and Experian took our most personal financial information without our permission, made money from it and completely failed to protect it. These A-#&@# are the ones who should have gone to jail.


The big 3 are so wedded to big finance. The credit reporting market needs serious disruption.


> “I don’t know of anyone who has come close to causing more material harm than Ngo did to the average American,” O’Neill said.

Not trying to minimize his crime, but since he was reselling data from legit data brokers, would that not imply the latter are also “causing material harm to the average American”?


best quote (of a quote):

> “We interviewed a number of Ngo’s customers, who were pretty open about why they were using his services,” O’Neill said. “Many of them told us the same thing: Buying identities was so much better for them than stolen payment card data, because card data could be used once or twice before it was no good to them anymore. But identities could be used over and over again for years.”

<sarcasm>good thing the few companies who had to pay damages for those leaks covered a few dollars for one or two years of some useless data-protection scams, which do no good other than having your data pulverized into another potential data leak</sarcasm>

Can't wait for a time where PGP is part of the k12 curriculum and we can have a decent solution for all that.


Outside the US, it is a norm to have government-sponsored hard online verification with two-factor authentication. Examples include Estonian eResidency, online bank verification in the Nordics and the infamous Aadhaar in India.

Though this gives government more power, it makes simple online identity fraud, like tax refund schemes, impossible.


I am not sure you can call it the norm; it's not that common. However, it is very sensible, and I am not sure why you are being downvoted.


> “When I was in jail at Beaumont, Texas I talked to one of the correctional officers there who shared with me a story about her friend who lost her identity and then lost everything after that,” Ngo recalled. “Her whole life fell apart. I don’t know if that lady was one of my victims, but that story made me feel sick. I know now that what I was doing was just evil.”

Earnest question. Other than a sociopath or psychopath, how could an adult human not know from the beginning that their actions are immoral and unethical?


I see it as easy as mental conditioning.

For example,

Lots of people throw rubbish "away".

But when you make clear (by say a trip to the landfill dump) that there is no magical "away" that will swallow rubbish forever, they begin to think differently.

In this case, Ngo was stealing from a magical pool of people who "would only be minimally inconvenienced", those "Others" not of his social group that are rich and can afford it.

But when confronted with a direct result of his actions, he thinks differently...

Would I trust Ngo now though? Nope. Ngo burnt more "trust" than an Aussie bushfire disaster.


Maybe he figured it would be no problem. The credit card company would reverse the fraudulent transactions and issue a new number and the person would be on their way.


Anecdote: I help run a gaming community (think public large Rust, Ark, etc. servers); we routinely have players, anywhere from 14-20+ age, try to "help us out" by donating large amounts with stolen cards, hacked PayPal accounts, and the like. Almost always the country is BD/PK/BR/VN/ID/LK. We don't have CIS (RU/UA/...) players, so assume that's excluded from this anecdote.

I'm unsure why, whether it's cultural or socioeconomic or otherwise. They don't see anything wrong in doing it, and when aggressively questioned (because we've banned their game accounts from our servers for fraud) the answer is always "what's wrong I am just trying to help" and "everyone here does this, no one wants to pay $[50+] for [GTAV/other AAAgame/etc], everyone buys hacked or keylogged accounts off secondhand market for $2"; some of them outright just try to offer lists of cards ("dumps?") in exchange for privileges/virtual titles on the forum/etc because they don't want to go through the effort of cashing them out. Of course we're like WTF in response.

If you look on r/gaming or other forums, it's super common to have someone "buy" your hacked account and when you reset it and recover it, you get a barely-comprehensible angry email asking why you stole the account they purchased legitimately and paid $1-2 for.


Interesting anecdote.

Some of us may try to claim the moral high ground, but we aren't fully in control - not until much later in life.

If you are a teen and all your friends do this, you'd be a sucker for paying the "full" (read: non-stolen) price. Because they don't fully realize what's involved in getting these 'goods' to them.

From the article:

> “When I was running the service, I didn’t really care because I didn’t know my customers and I didn’t know much about what they were doing with it,” Ngo said. “But during my case, the federal court received like 13,000 letters from victims who complained they lost their houses, jobs, or could no longer afford to buy a home or maintain their financial life because of me. That made me feel really bad, and I realized I’d been a terrible person.”

He may be a psychopath and faking it. But probably not. When harm happens that far away from you, it's easy to brush aside.

I'm from one of the countries in your list - won't specify which so as not to invite flames. Suffice to say that there's a baseline level of corruption that's tolerated, if not encouraged. Tax evasion, pirated software, contraband, you name it. The population is really abused by the government (very high taxes, lots of bureaucracy, terrible public services, corrupt officials) so I guess that's how some people survive. And then it creeps into other areas in their lives via network effects. That's one of the reasons I left.


According to the linked article it sounds like he was 16 when he started doing that.

