Here’s another good example of an actual cybercrime that was allowed to occur because of poor safeguards on computers provided for public use.
On January 9, 2008, Mario Simbaqueba Bonilla pleaded guilty to installing keylogger software on hotel business center and Internet cafe computers located in hotels throughout the world, which allowed him to access the bank and other financial accounts of over 600 individuals.
“According to the indictment, Mario Simbaqueba Bonilla, 40, alone and in concert with a co-conspirator, engaged in a complex series of computer intrusions, aggravated identity thefts and credit card frauds designed to steal money from payroll, bank and other accounts of their victims. Much of the identity theft activity – initiated by Simbaqueba Bonilla from computers in Colombia – targeted individuals residing in the U.S., including Department of Defense personnel.
Simbaqueba Bonilla used the money to buy expensive electronics and luxury travel and accommodations in various countries, including Hong Kong, Turks and Caicos, France, Jamaica, Italy, Chile, and the United States.”
“Simbaqueba Bonilla, as outlined in the indictment and the proffer of facts offered at his guilty plea hearing, engaged in a conspiracy that began with illegally installing keystroke logging software on computers located in hotel business centers and internet lounges around the world. This software would collect the personal information of those who used the computers, including passwords and other personal identifying information the victims used to access their bank, payroll, brokerage and other accounts online. Simbaqueba Bonilla used the data he intercepted from his victims, who were typically guests at hotels throughout the country, to steal or divert money from their accounts into other accounts he had created in the names of other people he had victimized in the same way. Then, through a complex series of electronic transactions designed to cover his trail, Simbaqueba Bonilla would transfer the stolen money to credit, cash or debit cards and have the cards mailed to himself and others at Pak Mail and other commercial mailing addresses he opened across the country.”
This demonstrates the increased risks of using public computers, and shows that crimes really *DO* occur through their use.
The computers available in these hotels did not have proper security implemented, which allowed this type of keylogger activity to occur. I have stayed at many hotels in recent years, and I always try to ask the hotel personnel about the security of the computers they make available in their lobbies, business lounges, etc. It is typical for them to indicate they use anti-virus software, and a smaller percentage of hotels say they use firewalls. However, when getting onto the computers I have always found that I could install software if I wanted to. When I ask the hotel managers about this, it is typical to find that the manager him/herself is responsible for the computer, and they don’t have any background or experience in information security.
I’ve often heard folks say, “Oh, those public computers are safe enough to use. The company wouldn’t provide them if they weren’t!”
This case demonstrates how making such assumptions can lead to cybercrime, fraud and identity theft.
* Communicate to your personnel, via awareness communications and within information security training, that using public computers is very risky, and explain the risks. Use this case as an example of what can happen. Make your personnel aware of how widely keystroke loggers are used. Let personnel know that just because a computer has malicious code prevention software and firewalls implemented does not mean it is safe, particularly if it is available for public use.
* If your organization provides computers for public or shared use, implement controls to keep keylogger software, or any other type of non-authorized software for that matter, from being loaded on the computer.
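One way to back up the second recommendation with a concrete control is an allowlist-style integrity check: record the hashes of every executable that is supposed to be on the shared computer, then have a scheduled task compare the machine against that baseline and flag anything added, altered or removed. The script below is an added example written for this post, not code from the original article or from any product; it builds a small constructed directory tree to stand in for a kiosk's program folder, and the tracked file extensions and folder names are assumptions.

```python
"""Allowlist-style integrity check for a shared/public computer.

Added example, not part of the original post. It assumes a fixed set of
executables is authorized on the kiosk (the baseline) and reports anything
that appears, changes or disappears afterwards. The sample directory it
builds in demo() is constructed for the demonstration; on a real machine
you would point build_baseline() at the actual program directories.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions treated as executable content worth tracking (assumption).
TRACKED_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each tracked file (relative, POSIX-style path) to its SHA-256."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TRACKED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; store it where the kiosk user cannot write."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Report executables that were added, removed or modified since baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(current) & set(baseline)
                      if current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a kiosk folder, then detect changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Program Files" / "Kiosk"      # assumed folder name
        app.mkdir(parents=True)
        (app / "browser.exe").write_bytes(b"constructed authorized binary")
        (app / "helper.dll").write_bytes(b"constructed authorized library")
        (app / "readme.txt").write_text("not tracked: not an executable")
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what a later check should catch: an unexpected executable
        # that a user of the public computer dropped in, and an authorized
        # file that was altered in place.
        (app / "unauthorized.exe").write_bytes(b"constructed unexpected binary")
        (app / "helper.dll").write_bytes(b"constructed tampered library")

        return check_against_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats for anyone deploying something like this: it is a detective control, so it only tells you a change happened, and it should sit alongside a preventive one (a non-administrative kiosk account and OS-level application control that refuses to run anything not on the allowlist). And the baseline file and the script itself must live somewhere the public user cannot modify; otherwise anyone who can install software on the machine can also rewrite the baseline to hide it.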
Tags: awareness and training, cybercrime, fraud, identity theft, Information Security, IT compliance, keylogger, policies and procedures, privacy, privacy policy, risk management, security awareness, security training, Simbaqueba Bonilla