Identify Theft and Cyber Crime
Identify Theft and Cyber Crime
Testimony of Steven M. Martinez,
Deputy Assistant Director, Federal Bureau of Investigation, Before the House
Government Reform Committee's Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, September 22, 2004.
FBI, Washington D.C.
Good morning Mr. Chairman and members of the subcommittee. I
want to thank you for the opportunity to testify before you today about the
FBI's efforts to combat Identity Theft, as well as other overlapping cyber crime
Some studies show that more than 10 million Americans were victimized by
Identity Theft in the space of one year, with estimated losses exceeding 50
billion dollars. These estimates demonstrate the significant impact on U.S
citizens and businesses. Accordingly, targeting Identity Theft, and related
cyber crime activity, will remain a priority of the FBI.
As you may be aware, the FBI prioritized and restructured its approach to cyber
crime, in its many forms, a little more than two years ago, with the
establishment of the Cyber Division. Several important premises were
acknowledged as the foundation for this re-tooling. These included the need for
increased law enforcement collaboration and the recognition that Subject Matter
Experts (SMEs) from industry are often better positioned to identify and develop
information regarding cyber crime incidents before law enforcement. Also, cyber
crime does not often lend itself to a constricted list of terms or definitions.
In fact, one incident of cyber crime can often be characterized using different
labels such as Identity Theft, Phishing, Credit Card Fraud, Account Hijacking,
Computer Intrusion, Hacking, and even theft of Intellectual Property. Even if a
more narrow definition of Identity Theft was adopted by law enforcement, it is
important to note that the general public bases its definition on that which is
portrayed through the TV, print and web-based media, which to date has been very
In recognition of this fact, and the overriding need to gather the most complete
and accurate intelligence as quickly as possible, in December of 2003 the FBI's
Internet Fraud Complaint Center was renamed the Internet Crime Complaint Center
(IC3). Also during this time period, the FBI focused its efforts on developing
joint investigative initiatives with our partners in law enforcement, as well as
key Internet E-commerce stake holders. These initiatives targeted escalating
cyber crimes, both domestically and internationally, and invariably included
numerous incidents which could be characterized as Identity Theft.
It should be noted that Identity Theft in its many forms is a growing problem
and is manifested in many ways, including large scale intrusions into third
party credit card processors; theft from the mails of printed checks,
pre-approved credit card offers and mortgage documents; credit card skimming;
Phishing schemes; telephone and bank frauds and other crimes.
When FBI Cyber Division Assistant Director Jana Monroe
testified before the Senate Committee on Commerce, Science, and Transportation
in May of this year, she reported on the FBI's SLAM-Spam initiative, which was
developed jointly with law enforcement, industry, and the Federal Trade
Commission, and which continues today. This initiative targets significant
criminal spammers, as well as companies and individuals that use spammers and
their techniques to market their products. The SLAM-Spam initiative also
investigates the techniques and tools used by spammers to expand their targeted
audience, to circumvent filters and other countermeasures implemented by
consumers and industry, and to defraud customers with misrepresented or
As you may be aware, SPAM is often the "Front End" of a number of cyber crime
scenarios. SPAM, which in some cases has been criminalized with the passage of
the Can Spam Act of 2003, is used to invite unsuspecting consumers to provide
personal, financial, or credit card information, or to visit another site where
malicious code, spyware, or another form of a so-called "Trojan horse" (back
door) can be installed on their computer for later use. As a result of this
initiative, more than 20 Cyber Task Forces are actively pursuing more than 30
criminal and, in some cases, joint civil proceedings against subjects identified
Several cases against such spammers were recently included in
Operation WEB-SNARE, which, on August 26, 2004, was characterized by the
Attorney General as the most successful cyber crime initiative to date. In
WEB-SNARE, more than 150 investigations were successfully advanced, in which
more than 150,000 victims lost more than $215 million. This initiative included
150 subjects who were charged, and the execution of 170 search and/or seizure
warrants. Many of the investigations included in WEB-SNARE could potentially be
characterized as Identity Theft, or related to Identity Theft.
Prior to WEB-SNARE, the IC3 coordinated the development and
execution of Operations E-Con and Cyber Sweep with our law enforcement and
industry partners. In those initiatives, more than 200 investigations were
coordinated among the various law enforcement agencies, resulting in arrests and/or
charges of more than 250 individuals for engaging in a variety of cyber crimes
including Identity Theft.
In addition to demonstrating law enforcement's continued emphasis on cyber crime
matters, such initiatives serve as a vehicle to alert consumers and industry
about new or evolving schemes to which they may fall victim. Integral to each
such initiative are Public Service Advisories or Consumer Be-Ware tips, which
are developed in coordination with our federal partners in law enforcement and
the FTC, and are included in materials distributed or posted on both law
enforcement and industry web-sites. Some examples of these advisories and alerts
which have been included in these initiatives have been warnings/alerts
regarding Internet employment scams, the Reshipper Fraud, and information
regarding Phishing attacks.
Phishing schemes have a consistent nexus to Identity Theft.
Phishing is the creation and use of fraudulent but legitimate looking e-mails
and web sites to obtain Internet users' identities and financial account
information for criminal purposes. Internet users, who believe they have
received an authentic solicitation for information from an entity with which the
user has a trusted relationship, are duped into providing their sensitive
personal information to criminals who have "spoofed" the e-mails and web sites
of the trusted companies and/or government agencies with whom the victims
believe they are interacting. The most frequent targets of interest for
criminals conducting such attacks are web sites belonging to the financial
services sector, ISPs, and on-line auction venues.
Criminals who engage in Phishing often employ spamming (mass e-mail) techniques
to send the Phishing e-mails to thousands or even millions of potential victims
nearly simultaneously. Thus, Phishing can be a lucrative criminal enterprise
even if only a small percentage of the recipients are deceived into disclosing
their personal financial and/or other sensitive information.
Using the Public/Private Alliance model developed for the SLAM-Spam project
which proved effective in bringing law enforcement and SMEs to a common venue to
address cyber crime, a spin-off initiative is currently being developed to
target Phishing. This project is being jointly developed with approximately 40
SMEs from 25 separate industry organizations that have agreed to join law
enforcement in this project. This project is being developed jointly between the
FBI, U.S. Postal Inspection Service, United States Secret Service, and the FTC,
and is expected to be officially launched over the next 30 days.
The Cyber Division is also working closely with the FBI's Criminal Investigative
Division, our law enforcement partners, and private industry, on an Identity
Theft Working Group, which is actively engaged in intelligence sharing and
coordination of public/private investigative efforts to address this crime
The FBI, through the IC3, has observed a continuing increase
in both volume and potential impact of cyber crime with significant
international elements. Identifying such trends, as well as formulating an
aggressive and proactive counter-attack strategy, remains a fundamental
objective of the FBI's Cyber Division.
In a growing number of cases, Eastern European subjects solicit victims though
job postings, email solicitations, and chat-rooms to provide detailed personal
information. Once that information is obtained, they use their identities to
post auctions on well-known auction sites. Funds obtained through the auction
are transferred through several shell accounts, both in the U.S and abroad, and
the items sold are never delivered.
In a similar "work at home" variation of this scheme, victims are also required
to provide sensitive personal information as part of the application process.
Such information is often used to register fraudulent auction sites or to obtain
bogus credit cards and may be considered Identity Theft. Once "hired," victims
receive packages containing computers and other high-price electronic equipment
(usually purchased from on-line retailers with stolen/fraudulent credit cards)
with instructions to repackage the items and ship them to locations in Eastern
Europe. The victim is provided a cashier's check as payment, typically for
several thousand dollars over the amount of the victims' agreed upon salary.
Victims are instructed to deposit the check, deduct their salary, and wire the
balance to the parent company located in Eastern Europe. Of course, the
cashier's checks are later determined to be counterfeit.
These rapidly expanding schemes often originate in West
Africa. A typical scenario includes subject purchases of merchandise from
on-line vendors with stolen/fraudulent credit cards, listing a "domestic ship-to
location" to allay concerns regarding suspicious international shipping orders,
which are scrutinized and often denied by many E-Commerce merchants.
An expansive network of re-shippers continues to be recruited and utilized by
subjects of these schemes. Recruitment is done via Internet Relay Chat (IRC)
chat rooms, web based job postings, and even telephone solicitations. In return
for the use of their residence or business address, the recruited re-shippers
are often allowed to keep certain merchandise as payment, or are paid with
counterfeit cashiers checks. New information indicates this scam may also have a
European nexus. The potential economic impact is estimated to exceed $10
In coordination with law enforcement and industry partners, the FBI through the
IC3, has identified 19,000 fraudulent transactions this year alone, involving
more than $11 million in losses. Through recently enhanced cooperation with
International Law Enforcement in Ghana and Nigeria, 31 individuals have been
arrested and 34 seizures conducted in those countries involving approximately $1
million in merchandise.
The IC3 is a joint project between the FBI and the National
White Collar Crime Center (NW3C). The IC3 receives, on average, more than 17,000
complaints every month from consumers alone (18,999 in July 2004) and
additionally receives a growing volume of referrals from key E-commerce
stakeholders. Currently, over 25 percent of all complaints to the IC3 involve
some use of spam electronic mail.
Of the more than 400,000 complaints referred to the IC3 since its opening in May
of 2000, more than 100,000 were either characterized as Identity Theft, or
involved conduct that could be characterized as Identity Theft.
Currently the FBI has more than 2,700 pending investigations of cyber crime
matters, not including cases involving online sexual exploitation of children
(i.e., our "Innocent Images" initiative). Of the more than 1,800 cyber crime
investigations opened in FY 2004, 346 individuals have been convicted with more
than 942 million dollars in restitutions and recoveries.
Computer intrusions, or hackers, can significantly contribute
to the impact and scope of identity theft. In one FBI investigation initiated in
1999, the computer network of a now defunct software E-commerce company was
compromised, and credit card information for approximately eight million
accounts was obtained by the hackers. The compromised E-commerce company was
contacted via email by the hackers who demanded money to keep them from publicly
posting the obtained information on the Internet.
The FBI became aware of this crime when numerous field offices received
complaints from citizens who were all incorrectly charged for similar small
amounts on their credit card statements. Through investigative efforts, these
complaints were all linked to the hacking of the E-commerce company's system.
This case has expanded into a major FBI initiative in which field offices across
the country have opened approximately 50 spin-off investigations in the network
compromise and extortion of over 100 United States banks and E-commerce
providers by Eastern European hacking groups.
Thirty million credit card accounts, including subscriber information, have been
stolen as a result of these systems being compromised. The subscribers'
information obtained through these computer intrusions contained enough
information to create false identifications, open bank accounts, apply for loans,
and otherwise pose as the original cardholder. Based on a consensus figure of
$500 per account, this represents a potential loss of $15 billion.
This investigation required the FBI to build upon its international
relationships and establish strong ties with foreign law enforcement agencies.
Thus far, three of the main subjects of this group have been prosecuted in the
U.S., and two others have been prosecuted abroad. Currently, there are five
outstanding complaints against the remaining international subjects.
InfraGard is an FBI program that began in the Cleveland Field
Office in 1996 as a local effort to gain support from the information technology
industry and academia for the FBI's investigative efforts in the cyber arena.
Today InfraGard has expanded to all FBI Field Offices with approximately 13,000
members ranging from representatives of Fortune 500 companies to the owners of
At its most basic level, InfraGard is a cooperative undertaking dedicated to
sharing information and intelligence derived from various FBI cyber related
investigations. InfraGard provides a forum for dialogue and relationship
building between policy makers, private companies, and the law enforcement
community on a number of issues. Its goal is to enable two way information flow
so that the owners and operators of systems and networks can better protect
themselves, and, as a result, the United States Government can better discharge
its law enforcement and national security responsibilities.
The InfraGard membership regularly provides intelligence and referrals that
assist law enforcement's efforts to identify and counter the most significant
criminal and national security threats to our country's networks.
In addition to the CAN SPAM ACT of 2003, such schemes might
be prosecuted through Title 18, USC 1028 (Fraud and related activity in
connection with Identity documents), Title 18, USC 1029 (Fraud and related
activity in connection with Access Devices), Title 18, USC 1030 (Fraud and
related activity in connection with computers), Title 18 USC 2319 (Criminal
Infringement of a copyright), Title 18 USC 1343 (Fraud by Wire), Title 18 USC
1341 (Mail Fraud), and Title18 USC 1028A (Identity theft penalty enhancements).
Once again, I appreciate the opportunity to come before you
today and share the work that the Cyber Division has undertaken to address the
problem of Identity Theft. The FBI's efforts in this arena will continue, and we
will continue to keep Congress informed of our progress in protecting the
America's citizens and economy.