Bullseye Breach – Cybercrime Seminar

Bullseye Breach now has its own website!

Here is an excerpt from the opening chapter introducing the main characters.  Thanks to editor Steve LeBeau for conceiving and writing the first draft of this chapter.  It’s a better introduction than what I (Greg) came up with.  Enjoy your preview!

Beneath every inch of the Internet superhighway is a vast sewer system, the underground home of cybercriminals who —

Jerry Barkley abruptly paused in the middle of his speech on cybercrime, because he suddenly realized he was the only man in the room not wearing a suit.  He gazed across the audience at the Retail Council monthly luncheon tucked in a second floor conference room in the Minneapolis Convention Center.  These executives and their staffs represented the entire gamut of retail stores in Minneapolis, from Fortune 500 companies to small businesses.  Some wore custom tailored Italian silks, some wore off-the-rack polyester, but they all wore suits.  Jerry didn’t feel inferior as much as he just felt out of place.  Most of his friends were people in low places, regular folks who valued him for his independent spirit and practical knowledge of computers and networking.  They didn’t care that he wore tennis shoes and slightly faded khakis.  Besides, for this lunchtime talk he wore his very best sweater, the one with all the swirly colors that reminded him of modern art.  As far as Jerry was concerned, he was plenty dressed up for the occasion.

There were just a few women in the room, and most of them wore suits, or businesslike dresses.  Wait – there’s a cute brunette wearing blue jeans back at the Bullseye Corp. table.  Jerry didn’t realize he had broken into a big grin when he saw her, but when she smiled back and their eyes met, the shock quickly brought him to his senses.

— uhh, so these cybercriminals could be anywhere in the world with an Internet connection, and while you’re sleeping, they’re wide awake and thinking of new ways to rip you off.  I cannot emphasize enough the importance of standing guard against credit card fraud…

This last comment caught the attention of Bullseye CEO Daniel Berger, who was wearing a splendid blue suit from London that probably cost more than Jerry’s car.  Bullseye was a giant among big box discount retailers, with over 2,000 stores in the U.S. and Canada.  Berger leaned over and whispered to his Chief Information Officer sitting next to him, Liz Isaacs.

“Liz, do we have a credit card problem?”

“Hardly,” she replied.  “It’s negligible and decreasing each year.  Our biggest crimes are shoplifting and employee theft.”

“That’s what I thought.  So why am I here listening to this?  What I’m really interested in is the spring shopping forecast.”

But Berger knew exactly why he had to be there – because the Bullseye board of directors wanted him there.  Mostly at the insistence of one director in particular, Henri Carpentier, who was on a security kick.  Carpentier also sat on the board of a multi-national bank, so he heard plenty of scare stories.  And he liked to retell one of his own stories from his days as Chief Operating Officer at digital media conglomerate WooHoo, Inc. about an Alaskan politician.  Berger was tired of hearing it.

Ordinarily Berger would have fought coming to something like this, but he was already in the doghouse because of the company’s performance.  For one thing, the Canadian store roll-out was a nightmare.  There were problems with construction, zoning, operations, sales, pricing – everything.  When he soft-pedaled the situation at the last board meeting by saying the Canadian stores were “performing slightly below expectations,” the other board members rolled their eyes.  The US same store quarterly numbers were also troubling, and that was after a subpar 2012 holiday season.  Berger was counting on record 2013 holiday sales to save his butt.  Credit card fraud?  The only security he needed was his own job security.

…and of course the concept of the Trojan horse goes back to ancient Greece, where the Athenian army tricked the people of Troy by offering them a large wooden horse as a token of their surrender. The Athenians pretended to sail away, so the Trojans rolled the giant horse into the city, proud of the gift that honored their victory. But hidden inside that wooden statue were Athenian soldiers. When night fell they crawled out of the horse, opened the gates of the city, and let in the Athenian army to conquer Troy at last.

Today’s clever cybercriminals also use trickery.  If you see an email with an attachment you can open for a screensaver or maybe a link for free Viagra, don’t open it.  It probably has a little program buried inside that will sit dormant for a while until it unleashes its payload.  That’s why I always warn my customers to “Beware of Geeks Bearing Gifts.”

Jerry stopped for a second to let the laughter roll in, but it didn’t.  There were scattered groans around the room but most people sat expressionless.  A few smiled politely, but the only audible chuckle came from the Bullseye table.  “At least that lady in the blue jeans got a kick out of it,” thought Jerry.  “What’s wrong with these people?”

Berger leaned over to Liz again and asked, “What do you think of this guy?”

“Well,” said Liz, “How can you take him seriously?  He’s wearing tennis shoes!”

Liz Isaacs was impeccably dressed in an Armani muted gray cashmere blazer, an ivory blouse by Gucci, and a vintage Dior plaid skirt.  She had been dressing for success since grade school.  Nearly six feet tall and strikingly pretty with brown hair down to her chin, Liz could have been a model, but she wanted a CEO’s corner office some day and all the status that came with it.

“And that sweater,” she continued, “Have you ever seen anything so horrendous?”

“That’s one of ours,” piped in Jesse Jonsen – the one in the blue jeans.  “We sell those at Bullseye.”

All Liz could do was glare at her.  Liz saved a more intense dirty look for Berger, one that said, “How dare you sell this crap in our stores?  It never would have happened when I was a buyer!”

Liz hated Berger because he put profit ahead of the product.  She joined Bullseye 20 years ago as an assistant buyer because she loved the quirky charm of their products.  Buyers traveled the world to find small factories that could produce low cost household products and clothing that had their own unique style.  She would never forget her first trip to Taipei to look for a line of women’s spring shoes.  The idea was to create low end “chic” merchandise that women could blend with their designer clothes.

But since Berger took over, that feeling of fun with a strong fashion sense disappeared.  When the recession hit, he cut most overseas travel.  And instead of investing in fun products or fun advertising, he expanded the grocery sections and turned Bullseye into a convenience store on steroids.  The greedy pig.

Jesse didn’t care about fashion, not since she was a teenager anyway.  She wore a black off-brand blazer with a red turtleneck.  And of course, blue jeans.  She was more concerned with comfort than dressing for success.  She took her job more seriously than her appearance.  Her dark brown hair was cut in a pixie style, which – combined with her youthful face – made her look like a teenager, even though she was in her early 30s.  Jesse was also a good foot shorter than Liz, so when the two of them walked down the hallway together, people joked it was “Bring Your Daughter to Work Day.”

Liz was still riled up.  “That sweater is totally inappropriate,” she said.  “I haven’t seen anything this bad since…”  And then she looked over at Berger’s ill-fitting toupee.  He looked every bit the CEO, trim and fit for a man in his mid-50s, tailored suits, good tan.  But that stupid hairpiece…

“Ryan, what do you think of the presenter?” asked Liz, determined to quit talking before she said something that might offend Berger.

Ryan MacMillan was Director of Server Operations at Bullseye, Inc., reporting directly to the CIO.  An important title that meant Ryan was a Windows System Administrator.  At age 37, he did his best to blend into the corporate culture with his crisp new Dockers and buttoned-down pin-stripe shirts.  He enjoyed the tech challenges and prestige from overseeing thousands of servers deployed across the country.  Especially the prestige.

“This guy’s a total idiot,” said Ryan. “He still wears his phone on his belt.  Nobody does that anymore.  I don’t.  Besides, I know all this stuff.  The only reason this meeting isn’t a total washout is the company paid for lunch.  And the chicken was pretty good.  This time.”

“We don’t have to worry at Bullseye because we have state-of-the art security and an outfit in India monitoring all our Internet traffic 24/7.  If anything looks suspicious, they’ll contact Jesse.”

“Whoopee,” thought Jesse.  Before the recession she headed Bullseye’s fraud department.  Those were the good old days, when her team was one of the best in the country.  But then Berger outsourced the entire department to Bangalore to save a few bucks.  His bonus went up again that year.  Jesse was reduced to monitoring the monitors.  Her job wasn’t fun anymore.

“Well I think he’s making some good points,” said Jesse.  “The criminal mind never stops.  They enjoy finding new ways to take advantage of clueless people.  That’s a big part of their motivation – along with the money of course.”

“How come you know so much about the criminal mind?” asked Liz.

Jesse ignored that question.

“You know, I bought that same sweater for my brother last Christmas,” said Jesse. “And look, this Barkley guy’s going prematurely bald, but he’s man enough not to try to hide it.”

Berger snapped his head around and gave Jesse a dirty look.

Jesse bit her lip to keep from laughing, and fixed her eyes on the podium.

Credit card fraud may be a very small problem for the average retailer, but if you get hit, you get hit big.  We’ve had periodic major data breaches for nearly 30 years, starting with Sears TRW – the credit rating agency – where crooks exposed 90 million credit histories to card forgers.

“Ridiculous,” said Berger.  “What’s anybody going to do with 90 million cards?  Even if you started using 20 of them every day, it would still take years and years.”

“Just over twelve thousand,” said Jesse.  “But you’re not thinking like a criminal.  They don’t use all the cards themselves any more than drug lords consume all of their drugs.  They find middlemen who imprint batches of the numbers onto phony cards, and then sell them to consumers.  I think you’d call it a retail business model.”

Berger did a slow burn and frowned in her general direction.  He thought to himself, “If she’s expecting a holiday bonus this year, she’s nuts.”

…even after all those fixes, crooks hit 94 million TJ Maxx customers in 2007.  The Heartland Payment Systems breach in 2008 exposed 130 million cards – and they’re a company that processes credit card payments!  Sony was hit for several million card numbers in 2011, and just last week – Say, how many of you follow the online blog, “Lincoln On Security?”

A half a dozen hands went up around the room, including Jesse’s.

Anyone interested in Internet security should read Henry Lincoln’s blog.  He’s an investigative reporter who turned his aim on the vast dark side of the Internet.  He knows more than anyone about the patterns of criminal behavior in the underground chat rooms and websites.

Well then, a few of you know already that last week Lincoln reported that Adobe had a breach of 3.8 million cards.  It’s not over folks.  The pattern in all of these cases is that the crooks don’t always try to go in the front door and attack your system head-on.  More and more they’re finding weak spots through third-party vendors and infiltrating your systems through the back door.

So in closing, I’d like to leave you with the wise words that the mother told her son who sat down on a freshly painted bench:  Watch your breeches!

Jerry couldn’t help but smile at his pun, and he was pleasantly surprised to hear a few chuckles mixed in with the groans.  All that was soon drowned out by applause, once everybody woke up and figured out Jerry was done speaking.

People started getting up from their tables, but Ryan MacMillan stayed anchored in his seat with his clenched hands squeezing the arms of his chair in anger.

“What?  No dessert?!”

Jesse ignored him, and went up to the front of the room to greet the speaker.  Several men in cheap suits surrounded Jerry and shook his hand while taking one of his business cards.  Liz and Berger headed for the escalator.  Ryan eventually discovered the self-serve dessert table on the other end of the room and went on a mission for cookies.

Jesse waited for a gap in the crowd and then plunged forward to shake hands with Jerry. He gave her such a big smile that she felt a little tongue-tied.  She rehearsed a clever way to congratulate him, but all she could blurt out was, “I like your tennis shoes.”

Delighted, Jerry beamed back, “Thanks, I like your jeans.”

Awkward silence followed.

Figuring he said something stupid, Jerry was determined not to say another word.  They continued to shake hands until Jesse murmured “Thanks” and then headed for the door.

After a few minutes the meeting room was mostly empty, and Jerry stood chatting with a few remaining small business owners.  Then out of the corner of his eye he saw the servers starting to clear away the food table.  He abruptly abandoned his cohorts and ran over to the dessert table.

“Hey wait a minute! I need a couple of those!”  He grabbed two oranges.  “Thanks for waiting, Ma’am.”

“Sure, whatever,” the pink-haired server replied.

It was an unusually warm day for mid-February in Minneapolis and an outside walk looked inviting.  So instead of using the skyway, he rode the escalator down to the main lobby and stepped outside onto South 2nd Avenue.  The fresh air felt invigorating.  He crossed 2nd Avenue and followed the snow-shoveled walkway into a glass pod above the underground parking garage, and walked downstairs to find his car.

And then he realized he didn’t park in the underground ramp.  He had parked on the street, across 12th Street, one block away.  “Dork,” he said to himself as he walked back up the stairs.

He remembered he wanted some cereal to eat in the car on the way to a customer appointment early the next morning.  “No sense driving somewhere,” he thought.  “As long as I’m already out walking, may as well just head down the street and buy some at Bullseye.”

So instead of crossing 12th Street to his car in the metered parking in front of the ramp, he followed 12th Street to Nicollet Mall and walked the two and a half blocks to the store.  He found his cereal and got into the express check-out lane.  He must have stared at the short woman in front of him for a solid minute before he realized it was the Bullseye lady from the luncheon who liked his tennis shoes.

Without thinking he blurted out, “Hey lady, I like your jeans!”

She instantly turned around and was ready to slap him. “What’s wrong with you, assho—oh, it’s you.  Hey, tennis shoes!”

They both laughed.  No awkward silence now.

“So you big shots at Bullseye actually patronize your own stores, huh?”

“Well, I’m not exactly a big shot, and I’m not sure how long I’ll be working for them anyway.”

“Moving on up, huh?”

“More like moving on out.”

They went quickly through the line and swiped their cards to pay for their purchases.

“Want to grab some coffee?” Jesse asked, “I’m not exactly anxious to get back to my office.  Can you spare a few minutes?”

“Sure,” Jerry replied, “I have unlimited time on my meter.”

“Unlimited time?”

“Sure, it’s Presidents Day, February 18.”

“Presidents Day?  I don’t get it.”

“Presidents Day’s a municipal holiday.  In Minneapolis all the parking meters are free on holidays.  That’s one reason I said yes to the Retail Council today, free parking.  I don’t like paying twelve bucks to park in some ramp.”

“Smart.  How about this Charbucks?  Their cafes are connected with quite a few Bullseyes.”

“I’d rather go across the street to Manitou Coffee, if you don’t mind.  They’re a client. And they give me a 10% discount.”

“Don’t tell me you fix espresso machines on the side?”

“I wish.  No, they had an issue and I took care of it.”

“What happened?”

“The owner’s a franchisee with five stores in Minneapolis, and all of a sudden last spring he discovers his busiest store isn’t making any money.  Or hardly any.  At first he thought it was employee theft, but then I discovered the only money they could account for was cash sales. The debit and credit card sales total was a solid zero.  Some days negative.  With employee theft it’s the other way around.  They take the cash.  It turned out to be some two-bit bozos.  They’d sit in the shop all day on their laptops.  What they were doing was getting into the Point of Sale system using the store’s own wi-fi, and then refunding their credit cards.  When random customers bought a sandwich or a coffee, they refunded double or triple the sale amount to their own cards.  They spread it out all day long with different credit cards and small transactions so nobody noticed it.  The more the store sold, the more money those clowns made.”

“How’d they get in?”

“The wifi was wide-open and the POS vendor must have delivered the systems with factory default passwords.”

“Unbelievable.  So then what happened?”

“We called law enforcement and nothing happened.”

“You’re kidding!”

“Nope.  I’m still mad about that.  But I promise you they’re locked down now.”

Jesse shook her head.  By now, they were at the counter.  Jesse ordered a latte.  Jerry ordered a cup of tap water.  They walked to a table and sat down.

“Bullseye must have thousands of POS systems,” said Jerry.

“Yeah, about 20,000 of them.”

“Wow.  And they all run an old version of Windows, right?”

“Yeah.”

“So they must be prime targets.”

“Exactly.”

“What are you guys doing about it?”

“Not enough.  I tried to sell Liz on isolating the store POS systems so nobody can put any software on them we don’t want.  Especially after that Lincoln on Security post about a new worm that supposedly can steal credit card numbers from POS systems.”

“Yeah, I saw that.  Nasty.  I wouldn’t want to be in the middle of one of those.”

“That’s what I told her.  But Liz doesn’t know what a worm is.  She’s a retailer at heart and doesn’t understand technology.  And when she learned my proposal cost money, she said if it didn’t directly contribute to retail sales, it would have to wait.”

“This must be driving you crazy.”

“Yup.  Can you keep a secret?”

“Of course.  I work in security, don’t I?”

“When I get back to my office, I’m submitting my two weeks’ notice.  Uncle Sam Bank made me an offer last Friday to work in their fraud department.  It’s my dream job.”

“But what about Bullseye?  Why isn’t that a dream job?”

“It used to be, until Berger took over and farmed out the guts of our online fraud department to India.  Instead of running the operation, I’m an overpriced secretary.  To make things worse, our C-level executives think Bullseye is invincible.  They’ve never been hit hard and think they never will.  They’re more than arrogant.  They don’t have a clue how the criminal mind works.”

“And you do?”

“Can you keep another secret?”

“Sure, I’ll bury it inside the first one.”

“I learned about the criminal mind from first-hand experience.”

“What?  You’re friends with a criminal?  Don’t tell me you married one?”

“It’s worse than that.  I was one.”

“You?  No way.”

“I was young, very young.  As a little girl I was able to sense how to take advantage of people who were clueless.  I called them suckers.  It was from an old comedy movie I saw on TV late one night when I was supposed to be asleep.  This guy had a big nose and was very funny.  He would say, ‘Never give a sucker an even break.’”

“That was W.C. Fields.”

“That’s right.  So that became my mantra, ‘Never give a sucker an even break.’ I got a thrill figuring out how to cheat people.  I’d steal candy, toys, little things.  As I got older it would be clothes and CDs.  It wasn’t because we were poor or anything.  I did it for the pure excitement of it.  It was a game.”

“What happened?”

“Well, I wasn’t careful enough, or maybe I just quit caring about it.  You know, I was a teenager by then.  I told my mom I could afford nice clothes and things because I worked at Dairy Queen, and one day she went out to buy a cone and the manager told her he’d never heard of me.”

“So your mom sent you up the river?”

“Not exactly.  Because I cooperated I stayed out of hard core reform school.  They sent me to a sort of halfway house for juvenile offenders.”

“That must have been terrible.”

“It wasn’t so bad.  The people were nice, and that’s where I learned about computers. Part of our service learning program was to repair and upgrade old computers so they could be used in inner city schools.”

“Nice.”

“And that’s where I learned to make lemonade.”

“Huh?”

“You know, lemonade, as in the old saying, ‘When life gives you lemons, make lemonade.’  That means you take a bad thing and turn it into a good thing.  In my case the bad thing was I was born with a criminal mind.  I just decided to use it for a good purpose.  Thinking like a criminal makes me a very good fraud detector.  My new thrill is outthinking the criminals. They’re the suckers now.  I try to be one step ahead of them, and I’m not about to give them an even break.”

“Very commendable.  I wish you all the best in your new job.  I’ll bet Bullseye will miss you.”

“They won’t even know I’m gone, believe me.”

“This is all very interesting.  Tell you what.  Why don’t you take my business card, in case you ever need my services over there.”

“Sure, you never know.”

“Wait a minute. I don’t even know your name.  I can’t just call over there and ask for Ms. Blue Jeans.”

“Maybe you could.  I’m not planning to change my wardrobe.  Just kidding.  I’m Jesse Jonsen.  Here, I’ll give you my old Bullseye card.  You can cross out the office number but the cell phone will still be good.”

“Pleased to meet you, Jesse.”

And for the second time that day, Jerry and Jesse shook hands.

I hope I whetted your appetite to find out what happens next.  You’ll be glad you checked it out.  Available April 19.