18 USC Section 1029: The Access Device Statute

Excerpt from Gray Hat Hacking: The Ethical Hacker's Handbook, Part I (pages 45-49)

The purpose of the Access Device Statute is to curb unauthorized access to accounts; theft of money, products, and services; and similar crimes. It does so by criminalizing the possession, use, or trafficking of counterfeit or unauthorized access devices or device-making equipment, and other similar activities (described shortly) undertaken to prepare for, facilitate, or engage in unauthorized access to money, goods, and services. It defines and establishes penalties for the fraud and illegal activity that can take place through the use of such counterfeit access devices.

The elements of a crime are the things that must be shown in order for someone to be prosecuted for that crime. For this statute, the elements turn on the precise meaning of "access device," "counterfeit access device," "unauthorized access device," "scanning receiver," and the other definitions that together establish the scope of the statute.

The term "access device" refers to a type of application or piece of hardware that is created specifically to generate access credentials (passwords, credit card numbers, long-distance telephone service access codes, PINs, and so on) for the purpose of unauthorized access. Specifically, it is defined broadly to mean:

…any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).

For example, phreakers (telephone system attackers) use a software tool to generate a long list of telephone service codes so that they can acquire free long-distance service and sell that service to others. The telephone service codes they generate fall within the definition of an access device, since they are codes or electronic serial numbers that can be used, alone or in conjunction with another access device, to obtain services. They are counterfeit access devices to the extent that the software tool generated false numbers that were counterfeit, fictitious, or forged. Finally, a crime occurs with each of the activities of producing, using, or selling these codes, since the Access Device Statute is violated by whoever "knowingly and with intent to defraud, produces, uses, or traffics in one or more counterfeit access devices."

Another example of an activity that violates the Access Device Statute is the activity of crackers, who use password dictionaries to generate thousands of possible passwords that users may be using to protect their assets.

"Access device" also refers to the actual credential itself. If an attacker obtains a password, credit card number, or bank PIN, or if a thief steals a calling card number, and that value is used to access an account, obtain a product or service, or access a network or file server, the act violates the Access Device Statute.

A common method that attackers use when trying to figure out which credit card numbers merchants will accept is to run an automated tool that generates random sets of potentially usable credit card values. Two tools (easily obtainable on the Internet) that generate large volumes of credit card numbers are Credit Master and Credit Wizard. The attackers submit these generated values to retailers and others with the goal of fraudulently obtaining services or goods. If a credit card value is accepted, the attacker knows that it is a valid number, which they then continue to use (or sell for use) until the activity is stopped through the standard fraud protection and notification systems employed by credit card companies, retailers, and banks. Because this attack type has worked so well in the past, many merchants now require users to enter a unique card identifier when making online purchases. This is the three-digit number located on the back of the card that is unique to each physical credit card (not just unique to the account). Guessing a 16-digit credit card number is challenging enough, but factoring in another three-digit identifier makes the task much more difficult, and next to impossible without having the card in hand.
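The card-testing pattern just described (spraying generated numbers at a checkout, keeping the ones that come back approved) is exactly what a merchant's fraud-protection system watches for. The following is an added example, not code from the book or from any named fraud system: a small detector that reads constructed authorization log lines (the log format, the card-token field, the source addresses, and the thresholds are all assumptions made here for illustration) and flags sources that try many distinct cards with a high decline ratio inside a short window. It also pulls out the cards such a source did get approved, since those are the "valid numbers" the text says the attacker keeps or sells.

```python
"""Card-testing detection over constructed authorization log lines.

Added example (not from the book). Assumed log format, one event per line:
    <ISO timestamp> <source IP> <card token> <APPROVED|DECLINED>
The card token stands in for the merchant's reference to a card number; the
PAN itself is never written to a log in a sane payment system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real data). 203.0.113.7 sprays eight
# different cards in a few seconds and gets one approval; 198.51.100.2 is a
# normal shopper retrying one card; 192.0.2.9 is below the distinct-card bar.
SAMPLE_LOG = """\
2006-07-01T10:00:01 203.0.113.7 tok_a1 DECLINED
2006-07-01T10:00:03 203.0.113.7 tok_a2 DECLINED
2006-07-01T10:00:04 203.0.113.7 tok_a3 DECLINED
2006-07-01T10:00:06 203.0.113.7 tok_a4 DECLINED
2006-07-01T10:00:07 203.0.113.7 tok_a5 APPROVED
2006-07-01T10:00:09 203.0.113.7 tok_a6 DECLINED
2006-07-01T10:00:10 203.0.113.7 tok_a7 DECLINED
2006-07-01T10:00:12 203.0.113.7 tok_a8 DECLINED
2006-07-01T10:00:15 198.51.100.2 tok_b1 APPROVED
2006-07-01T10:01:40 198.51.100.2 tok_b1 DECLINED
2006-07-01T10:02:00 198.51.100.2 tok_b1 APPROVED
2006-07-01T10:30:00 192.0.2.9 tok_c1 DECLINED
2006-07-01T10:30:05 192.0.2.9 tok_c2 DECLINED
2006-07-01T10:30:09 192.0.2.9 tok_c3 DECLINED
2006-07-01T10:30:14 192.0.2.9 tok_c4 APPROVED
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, source, token, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, token, result = line.split()
        events.append((datetime.fromisoformat(ts), src, token, result))
    return events


def detect_card_testing(events, window=timedelta(minutes=5),
                        min_distinct_cards=5, min_decline_ratio=0.7):
    """Return {source: (distinct_cards, declines, attempts)} for every source
    that, within some sliding `window`, tried at least `min_distinct_cards`
    distinct cards with a decline ratio of at least `min_decline_ratio`.
    Thresholds are illustrative assumptions, not industry constants."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e[2] for e in span}
            declines = sum(1 for e in span if e[3] == "DECLINED")
            attempts = len(span)
            if len(distinct) >= min_distinct_cards and declines / attempts >= min_decline_ratio:
                prev = flagged.get(src)
                # Keep the widest window seen for this source.
                if prev is None or len(distinct) > prev[0]:
                    flagged[src] = (len(distinct), declines, attempts)
    return flagged


def approved_cards_from_testers(events, flagged):
    """Cards a flagged source managed to get APPROVED: these are the numbers the
    attacker now knows are live, and the ones the issuer should be told about."""
    return {e[2] for e in events if e[1] in flagged and e[3] == "APPROVED"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_card_testing(evs)
    for src, (cards, declines, attempts) in hits.items():
        print(f"{src}: {cards} distinct cards, {declines}/{attempts} declined")
    print("approved cards to report:", sorted(approved_cards_from_testers(evs, hits)))
```

The decline ratio matters as much as the volume: a legitimate customer retrying one card produces a few declines on a single token, while a number-generation tool produces many distinct tokens and almost all declines. A production system would key on more than the source address (device fingerprint, session, BIN range), but the shape of the check is the same.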

Another example of an access device crime is skimming. In June 2006, the Department of Justice (DOJ), in an operation appropriately named "Operation French Fry," arrested eight persons (a ninth was indicted and declared a fugitive) in an identity theft ring in which waiters had skimmed debit card information from more than 150 customers at restaurants in the Los Angeles area. The thieves had used access device-making equipment to restripe their own cards with the stolen account information, thus creating counterfeit access devices. After requesting new PINs for the compromised accounts, they would withdraw money from the accounts and use the funds to purchase postal money orders. Through this scheme, the group was allegedly able to steal over $1 million in cash and money orders.

Table 2-1 outlines the crime types addressed in section 1029 and their corresponding punishments. These offenses must be committed knowingly and with intent to defraud for them to be considered federal crimes.

A further example of a crime that can be punished under the Access Device Statute is the creation of a website, or the sending of e-mail "blasts," that offer false or fictitious products or services in an effort to capture credit card information, such as products that promise to enhance one's sex life in return for a credit card charge of $19.99. (The snake oil miracle workers who once had wooden stands filled with mysterious liquids and herbs next to dusty backcountry roads have now found the power of the Internet.) These phony websites capture the submitted credit card numbers and use the information to purchase the staples of hackers everywhere: pizza, portable game devices, and, of course, additional resources to build other malicious websites.

The types and seriousness of fraudulent activities that fall within the Access Device Statute are increasing every year. The U.S. Justice Department reported in July 2006 that 6.7 percent of white-collar prosecutions that month were related to Title 18 USC 1029. The Access Device Statute was among the federal crimes cited as violated in 17 new court cases filed in the U.S. district courts in that month, ranking this set of cybercrimes sixth overall among white-collar crimes. This level of activity represents a 340 percent increase over the same month in 2005 (when there were only five district court filings), and a 425 percent increase over July 2001 (when there were only four such filings).

Because the Internet allows for such a high degree of anonymity, these criminals are generally not caught or successfully prosecuted. As our dependency upon technology increases and society becomes more comfortable carrying out an increasingly broad range of transactions electronically, such threats will only become more prevalent. Many of these statutes, including Section 1029, seek to curb illegal activities that cannot be successfully fought with technology alone. So basically you need several tools in your bag of tricks to fight the bad guys: technology, knowledge of how to use the technology, and the legal system. The legal system will play the role of a sledgehammer to the head that attackers will have to endure when crossing the boundaries.

Section 1029 addresses offenses that involve generating or illegally obtaining access credentials. This can involve just obtaining the credentials or obtaining and using them. These activities are considered criminal whether or not a computer is involved. This is different from the statute discussed next, which pertains to crimes dealing specifically with computers.

Table 2-1 Access Device Statute Laws

Crime: Producing, using, or trafficking in one or more counterfeit access devices
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Creating or using a software tool to generate credit card numbers

Crime: Using an access device to gain unauthorized access and obtain anything of value totaling $1,000 or more during a one-year period
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Using a tool to capture credentials and using the credentials to break into the Pepsi-Cola network and steal their soda recipe

Crime: Possessing 15 or more counterfeit or unauthorized access devices
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Hacking into a database and obtaining 15 or more credit card numbers

Crime: Producing, trafficking, or having control or possession of device-making equipment
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $1,000,000 and/or up to 20 years if repeat offense
Example: Creating, having, or selling devices to illegally obtain user credentials for the purpose of fraud

Crime: Effecting transactions with access devices issued to another person in order to receive payment or other thing of value totaling $1,000 or more during a one-year period
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Setting up a bogus website and accepting credit card numbers for products or services that do not exist

Crime: Soliciting a person for the purpose of offering an access device or selling information regarding how to obtain an access device
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: A person obtains advance payment for a credit card and does not deliver that credit card

Crime: Using, producing, trafficking in, or having a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Cloning cell phones and reselling them or using them for personal use

Crime: Using, producing, trafficking in, or having custody or control of a scanning receiver
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Scanners used to intercept electronic communications to obtain electronic serial numbers and mobile identification numbers for cell phone recloning

Crime: Producing, trafficking, or having control or custody of hardware or software used to alter or modify telecommunications instruments to obtain unauthorized access to telecommunications services
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Using and selling tools that can reconfigure cell phones for fraudulent activities; PBX telephone fraud and the various phreaker boxing techniques used to obtain free telecommunications service

Crime: Causing or arranging for a person to present, to a credit card system member or its agent for payment, records of transactions made by an access device
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Creating phony credit card transaction records to obtain products or refunds

References

U.S. Department of Justice, Computer Crime Cases: www.cybercrime.gov/cccases.html

Federal Agents Dismantle Identity Theft Ring: www.usdoj.gov/usao/cac/pr2006/078.html

Orange County Identity Theft Task Force Cracks Criminal Operation: www.usdoj.gov/usao/cac/pr2006/133.html

FindLaw: http://news.corporate.findlaw.com

TRAC Reports, White Collar Crime, July 2006: http://trac.syr.edu/tracreports/bulletins/white_collar_crime/monthlyjul06
