The head of the agency's Criminal Investigations Division speaks about the evolution of USSS global cyber crime fighting efforts and a possible federal data breach standard.
If a man shows up in the lobby of your business and says he's from the Secret Service, what are the odds that the President just wanted to drop by? Turns out they're not so good. It's far more likely that the guy with the shield has arrived to inform you that your firm just experienced a data breach – possibly a very costly, troublesome data breach.
In March 2012, that's how data giant Experian learned it had a particularly troubling data breach -- a contact from the US Secret Service (USSS). The case involved Court Ventures, a company that Experian had recently acquired without realizing it had some serious security issues.
"After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was reselling data from US Info Search to a third party that the US Secret Service was investigating as possibly engaged in illegal activity," Michael Troncale told idRADAR News during a February 2014 interview.
Just last week the luxury hotel The Houstonian announced it had been hacked; the company learned the bad news from the USSS.
While many businesses are familiar with the agency's role in the cyber crime arena, most citizens are still puzzled to hear the USSS mentioned when a big breach splashes across TV news screens. In reality, the Service has had its hands in most of the big breach investigations of recent years. A 2014 agency ‘To Do’ list included tracking down the intruders who hit Target, Neiman Marcus, Michaels and P. F. Chang's China Bistro, among others.
The agency tries hard to live up to its name by remaining silent about most of its efforts.
"We're not known for speaking about ourselves. It's what we do. We're very quiet about ourselves," Special Agent in Charge Ed Lowery, who heads the Criminal Investigative Division (CID), told idRADAR News during a lengthy interview on June 26th.
With over 20 years of personal experience at USSS, Lowery has seen a lot of financial fraudsters. He acknowledged that folks often wonder aloud why his team is on the scene.
"We do get that question a lot," Lowery said. "We are one of two agencies that share concurrent jurisdiction. Us and the FBI. It's a natural segue because we were always involved in financial crimes."
Historically wired for this job
It's true that most of us will never have a swarm of USSS agents flanking us as we address a joint session of Congress, yet that's the image that springs to mind when you hear the words ‘Secret Service’ – Presidential protection. In reality, USSS has a second and much older mission -- that of protecting all Americans and their wallets. So cyber crime fighting is a logical transition for one of America's first law enforcement agencies, one that began over a century before the invention of the Internet.
Following the Civil War, an estimated one-third or more of the country's currency was counterfeit. In 1865, the USSS was created as a branch of the US Treasury to root out counterfeiters. It was not until nearly 30 years later that the Service's ‘other’ mission directive – protecting the President – was codified, as a timeline on the agency's website outlines.
While the Presidential protection detail may be the high profile arm of USSS, the bulk of the organization's employees are assigned to investigations. Financial crimes have always been the driving imperative. With a clear mission to protect the nation's financial systems, it's no wonder that the USSS eventually entered the world arena of cyber crime. USSS created the first Electronic Crimes Task Force (ECTF) in 1995 in New York City. The 2001 Patriot Act expanded the ECTF concept nationwide.
"The concept of the ECTF network is to bring together not only federal, state and local law enforcement, but also prosecutors, private industry and academia," the agency's website says. "The common purpose is the prevention, detection, mitigation and aggressive investigation of attacks on the nation's financial and critical infrastructures."
Making concurrent jurisdiction work
With some hacks, like the PayTime Payroll Inc. breach in Pennsylvania in early 2014, you might expect state authorities would be asked to assist, but usually it's the Feds who get the call. Odds are the USSS will have a role, as it did with PayTime.
It may be challenging for outsiders to understand when to call the FBI and when to call USSS, but Lowery said it's a fairly easy split. The FBI catches cases that involve a clear national security factor; USSS is all about the money trail. However, the breached business can also influence the decision.
"What it often comes down to is prior relationships with a victim. We work very collaboratively with (businesses). We end up getting a lot of phone calls and a lot of early notifications especially from the financial sector because of that trust we've built," Lowery said.
Part of that trust goes back to the word ‘secret' in the agency name.
"We don't speak to the press," he explained. "(Businesses) know we're going to come in and investigate fully and they can worry about their branding, etc."
It's true that the media gets little out of the USSS or its press office until a case is neatly wrapped up. At most, the agency will confirm that a breach investigation is underway in its early stages.
Giving a business time to evolve a breach response plan – Michaels Stores took months to confirm their recent breach -- sometimes angers customers who want to know as soon as the business knows. To Lowery it makes sense that hacked companies take time to develop a solid plan first, but he said his agency rarely asks businesses to delay notification.
"We absolutely (don't object to) any information sharing with the public. There have been a few times we've asked companies not to notify. We would only make that request if there was a pressing operational need."
As challenges evolve, so do tactics
"Criminals have leveraged technology at least as well as everyone else if not better," said Lowery, who acknowledged that playing catch up has always been the lot of law enforcement.
‘Patience is a virtue’ might well be the agency's mantra. The patient approach stressed at CID has paid off repeatedly in recent weeks.
The July 5th arrest of Roman Seleznev demonstrates how seriously Lowery and his team take that belief. The 30-year-old Russian was indicted in connection with point-of-sale credit card data theft back in 2011, but he was only apprehended this month after a multi-year USSS investigation.
"This important arrest sends a clear message: despite the increasingly borderless nature of transnational organized crime, the long arm of justice – and this Department – will continue to disrupt and dismantle sophisticated criminal organizations," said Secretary of Homeland Security Jeh Johnson following the arrest.
The 29-count indictment alleges that Seleznev "created and operated infrastructure to facilitate the theft and sales of credit card data and used servers located all over the world to facilitate the operation."
While the focus of the indictment was point of sale compromises in the Pacific Northwest, the alleged crimes touched many nations, illustrating why USSS currently operates offices in over 20 different countries. The document detailed how Seleznev's carder network allegedly stored data and then shipped it to servers in Russia and Ukraine.
KeyBank, Chase, Citibank and Capital One were just a few of his alleged victims. The now defunct Broadway Grille restaurant in Seattle had its point of sale system compromised for roughly 10 months, according to court files. It's believed that the suspect was also responsible for similar hacks in 10 more US states.
While the US government characterized the Russian known as Track2 or Bulba as a "prolific" fraudster, not everyone agrees with that description. Seleznev's father is currently a Russian lawmaker and now an outspoken critic of the USSS.
Valery Seleznyov told Russia Today last week that the USSS kidnapped his son whom he described as having "scant consumer skills" and incapable of being a master hacker.
"For all I know they may be demanding a ransom tomorrow. Or try to exchange him for [NSA whistleblower Edward] Snowden or somebody. One can only wonder."
Snowden, a US citizen who currently lives in exile in Russia, faces treason charges in the US for his role in exposing NSA spying efforts. The Russian government has also blasted the USSS for allegedly kidnapping Seleznev, who's currently being held by US authorities in Guam after being apprehended in the Maldives.
Outside of Russia, critics of USSS activities are hard to find. In fact, it's tough to find anyone with positive dealings to go on the record either. idRADAR News asked a number of US-based companies to discuss their USSS relationships. We sought comment from numerous sources including a large credit card issuer, a credit card processing company, several private firms, a large university and several data security experts. None would discuss the subject – perhaps because they too find value in secrecy.
How success is measured
USSS receives a relatively small government budget, and its budget for words is small too. Success can be summed up in just one word – ShadowCrew.
"ShadowCrew was the first time USSS took over a criminal site and ran it for a year," Lowery said, recalling one of his favorite success stories.
The case involved the eventual takedown of a lucrative carder forum – a black market website that traded in stolen data including credit card numbers. Albert Gonzalez, a high-ranking member of the forum, was identified and then turned into a government asset. He became a highly valued informant who guided USSS through the shadowy world of black market carding for an extended period of time.
Eventually Gonzalez and 10 other ShadowCrew members were indicted after being linked to data breaches at TJ Maxx, BJ's Wholesale Club, Boston Market, Barnes & Noble, DSW, Sports Authority, Forever 21 and OfficeMax.
The agency's demonstrated technical skills and thorough knowledge of online criminal forums have paid off repeatedly for USSS since the ShadowCrew experience.
In fiscal year 2013 alone, the Service investigated 1,400 cyber criminals tied to over $235 million in actual loss to financial and retail institutions. USSS operations were credited with the prevention of an estimated $1.2 billion in potential losses. In most cases, it was persistence and patience that paid dividends.
"We've been extremely successful in identifying individuals behind the intrusions," said Lowery, who described his team's goal as being very good at a very few things. "For the Service to stay in our lanes and develop this specialty…to get the kind of respect…we do…is very satisfying."
There are times that the effort doesn't pay off exactly as scripted but the agency has adjusted its expectations as the cyber crime world has evolved.
"I wouldn't call any of (our cases) failures. A few years ago, US law enforcement wanted to grab the guy and bring them back to the US. Now we are more than satisfied if we can provide info to a foreign partner and they end up sitting in a foreign jail."
Another success story involves eradicating what Lowery termed "Unlimited Cash Out" scams. In those instances, hackers alter control mechanisms that restrict the cash that can be pumped out of an ATM.
"You haven't seen any of those recently. There might be a reason for that. I can't go into it now but there should be some reporting on it shortly. That's how we measure success," he said.
As the successes mount up, Lowery hopes the agency will be viewed as a major deterrent. He's awaiting the arrival of Verizon's next data breach report due out in February 2015, which is expected to document the deterrent elements now battling in the cyber crime universe.
Not every case has a clear or satisfactory ending; sometimes efforts can fall short. A recent case involving a suspected data breach at the California Department of Motor Vehicles has yet to bear fruit. Last month, DMV quietly announced it had closed its investigation with no breach found, despite the fact that law enforcement officials and several banks felt they'd pinpointed an intrusion. It remains unclear whether USSS is done with its own investigation into that case, but a spokesman told idRADAR News "USSS does not have a comment on (DMV's announcement)." When asked whether USSS was still investigating DMV's payment processor Elavon, the reply was "USSS does not have any comment on Elavon."
ID theft and other areas
It would be a mistake to pigeonhole USSS as only involved with financial crimes.
"Yes that's our bread and butter. Financial. However, the theft of someone's identity is a much more devastating thing. We worked the University of Maryland intrusion. That PII (personally identifiable information) stolen opens up a lot of doors to cyber criminals."
In the UMD case, hackers accessed over 287,000 individual files and siphoned off gigabytes of personal info including Social Security data. USSS is well aware of the future identity theft risks those victims face, and Lowery acknowledged that it's far greater than the short-term inconvenience of a compromised credit card.
The agency is also tapped to investigate so-called advance-fee or 4-1-9 schemes. Those financial crimes – most associated with Nigeria and named after a law outlawing bogus requests for monetary help – can involve emails or phone calls appearing to be from relatives in dire need of funds. The electronic wire transfers used in those 4-1-9 schemes can also bring in the agency.
In the near future
While hacker tactics change, one thing remains constant – the need to constantly change.
"Back in the day with (the TJMaxx breach), the intruders would break into a system and find existing logs on the system or put in a sniffer to create the logs," Lowery said reflecting on how cyber crimes have evolved during his tenure.
The TJ Maxx case was a big success for USSS. Then PCI (payment card industry) standards changed. It was no longer permissible to store payment card data on a retailer's server. Hackers rolled out a new approach with the 2009 Heartland payment card breach, grabbing credit card data from magnetic stripes as it went to processing. Current PCI standards require that the data be encrypted during transmission, so the hack trend is now to attack the data and siphon it off in the instant before encryption.
For consumers and crime fighters alike, it is difficult to guard personal data after it's been taken but knowing about a breach is key.
Some time in the "near future," Lowery predicts, Congress will adopt a national data breach law, which could simplify reporting for businesses and give consumers more rapid notifications. While efforts currently appear stalled in Congress, he's optimistic that such a bill will soon become law.
"I've never seen as much talk of it as I am seeing now," Lowery explained. "We'll be part of that conversation at some point."
Hopefully, the agency can give Congress an earful. Lowery and his teams of undercover agents know the dark corners of the Internet better than most and they have earned the right to call themselves a deterrent force. Americans may not understand their role but targets do.
"There are only a certain number of individuals out there that can do this sort of crime," Lowery said. "We're strategically going after those individuals. The high levels in Eastern European cyber crime know exactly who we are."
Jeanne Price is managing editor of the News Division of idRADAR.com and writes about identity theft and data security issues. She has over 15 years' experience as a journalist and prior to her current career also served as head of a government consumer protection agency. Jeanne's passion is solving puzzles like the recent PayTime Payroll data breach that impacted a number of security clearance holders and uncovering valuable lessons in recent data breaches.