The head of the agency's Criminal Investigations Division speaks about the evolution of USSS global cybercrime fighting efforts and a possible federal data breach standard.
If a man shows up in the lobby of your business and says he's from the Secret Service, what are the odds that the president just wanted to drop by? Turns out they're not so good. It's far more likely that the guy with the shield has arrived to inform you that your firm just experienced a data breach -- possibly a very costly, troublesome data breach.
In March 2012, that's how data giant Experian learned it had a particularly troubling data breach -- a contact from the U.S. Secret Service (USSS). The case involved Court Ventures, a company that Experian had recently acquired without realizing it had some serious security issues.
"After the acquisition, the U.S. Secret Service notified Experian that Court Ventures had been and was reselling data from U.S. Info Search to a third party that the U.S. Secret Service was investigating as possibly engaged in illegal activity," Michael Troncale told idRADAR News during a February 2014 interview.
Just last week, The Houstonian, a luxury hotel, announced it had been hacked; the company learned the bad news from the Secret Service.
While many businesses are familiar with the agency's role in the cybercrime arena, most citizens are still puzzled to hear the Secret Service mentioned when a big breach splashes across TV news screens. In reality, the service has had its hands in most of the big-breach investigations of recent years. A 2014 agency "to-do" list included tracking down the intruders who hit Target, Neiman Marcus, Michaels and P. F. Chang's China Bistro, among others.
The agency tries hard to live up to its name by remaining silent about most of its efforts.
"We're not known for speaking about ourselves. It's what we do. We're very quiet about ourselves," Special Agent in Charge Ed Lowery, who heads the Criminal Investigative Division (CID), told idRADAR News during a lengthy interview on June 26.
With more than 20 years of personal experience with the Secret Service, Lowery has seen a lot of financial fraudsters. He acknowledged that folks often wonder aloud why his team is on the scene.
"We do get that question a lot," Lowery said. "We are one of two agencies that share concurrent jurisdiction. Us and the FBI. It's a natural segue because we were always involved in financial crimes."
Historically Wired for This Job
It's true that most of us will never have a swarm of Secret Service agents flanking us as we address a joint session of Congress, yet that's the image that springs to mind when you hear the words "Secret Service" -- presidential protection. In reality, USSS has a second and much older mission -- that of protecting all Americans and their wallets. So it's a logical transition to cybercrime fighting for one of America's first law enforcement agencies that began more than a century before the internet was invented.
After the Civil War, an estimated one-third or more of the country's currency was counterfeit. In 1865, the USSS was created as a branch of the Treasury Department to root out counterfeiters. It was not until nearly 30 years later that the service's "other" mission directive -- protecting the president -- was codified, as a timeline on the agency's website outlines.
While the presidential protection detail may be the high-profile arm of USSS, the bulk of the organization's employees are assigned to investigations. Financial crimes have always been the driving imperative. With a clear mission to protect the nation's financial systems, it's no wonder that the USSS eventually entered the world arena of cybercrime. USSS created the first Electronic Crimes Task Force (ECTF) in 1995 in New York City. The 2001 Patriot Act expanded the ECTF concept nationwide.
"The concept of the ECTF network is to bring together not only federal, state and local law enforcement, but also prosecutors, private industry and academia," the agency's website says. "The common purpose is the prevention, detection, mitigation and aggressive investigation of attacks on the nation's financial and critical infrastructures."
Making Concurrent Jurisdiction Work
With some hacks, such as the PayTime Payroll Inc. breach in Pennsylvania in early 2014, you might expect state authorities would be asked to assist, but usually it's the feds who get the call. Odds are that the USSS will have a role, as it did with PayTime.
It may be challenging for outsiders to understand when to call the FBI and when to call USSS, but Lowery said it's a fairly easy split. The FBI catches cases that involve a clear national security factor; the Secret Service is all about the money trail. However, the breached business can also influence the decision.
"What it often comes down to is prior relationships with a victim. We work very collaboratively with [businesses]. We end up getting a lot of phone calls and a lot of early notifications, especially from the financial sector, because of that trust we've built," Lowery said.
Part of that trust goes back to the word "secret" in the agency name.
"We don't speak to the press," he said. "[Businesses] know we're going to come in and investigate fully, and they can worry about their branding, etc."
It's true that the media gets little out of the Secret Service or its press office until a case is neatly wrapped up. At most, the agency will confirm that a breach investigation is underway in its early stages.
Giving a business time to evolve a breach response plan -- Michaels stores took months to confirm their recent breach -- sometimes angers customers who want to know as soon as the business knows. To Lowery, it makes sense that hacked companies take time to develop a solid plan first, but he said his agency rarely asks businesses to delay notification.
"We absolutely [don't object to] any information sharing with the public," Lowery said. "There have been a few times we've asked companies not to notify. We would only make that request if there was a pressing operational need."
As Challenges Evolve, So Do Tactics
"Criminals have leveraged technology at least as well as everyone else, if not better," said Lowery, who acknowledged that playing catch-up has always been the lot of law enforcement.
"Patience is a virtue" might well be the agency's mantra. The patient approach stressed at CID has paid off repeatedly in recent weeks.
The July 5 arrest of Roman Seleznev demonstrates how seriously Lowery and his team take that belief. The 30-year-old Russian was indicted in connection with point-of-sale, credit-card data theft in 2011, but he was only apprehended this month after a multiyear USSS investigation.
"This important arrest sends a clear message: despite the increasingly borderless nature of transitional organized crime, the long arm of justice -- and this department -- will continue to disrupt and dismantle sophisticated criminal organizations," Homeland Security Secretary Jeh Johnson said after the arrest.
The 29-count indictment alleges that Seleznev "created and operated infrastructure to facilitate the theft and sales of credit-card data and used servers located all over the world to facilitate the operation."
While the focus of the indictment was point-of-sale compromises in the Pacific Northwest, the alleged crimes touched many nations, illustrating why USSS currently operates offices in more than 20 countries. The document detailed how Seleznev's carder network allegedly stored data, then shipped it to servers in Russia and Ukraine.
Key Bank, Chase, Citibank and Capital One are just a few of his alleged victims. The now-defunct Broadway Grille restaurant in Seattle had its point-of-sale system compromised for roughly 10 months, according to court files. It's believed that the suspect was also responsible for similar hacks in 10 more U.S. states.
While the U.S. government characterized the Russian known as Track2 or Bulba as a "prolific" fraudster, not everyone agrees with that description. Seleznev's father is a Russian lawmaker and now an outspoken critic of the USSS.
Valery Seleznyov told Russia Today last week that the USSS kidnapped his son, whom he described as having "scant consumer skills" and incapable of being a master hacker.
"For all I know, they may be demanding a ransom tomorrow. Or try to exchange him for [NSA whistleblower Edward] Snowden or somebody. One can only wonder."
Snowden, a U.S. citizen who currently lives in exile in Russia, faces treason charges in the U.S. for his role in exposing National Security Agency spying efforts. The Russian government has also blasted the USSS for allegedly kidnapping Seleznev, who's currently being held by U.S. authorities in Guam after being apprehended in the Maldives.
Outside of Russia, critics of USSS activities are hard to find. In fact, it's tough to find anyone with positive dealings to go on the record, either. idRADAR News asked a number of U.S.-based companies to discuss their USSS relationships. We sought comment from numerous sources, including a large credit-card issuer, a credit-card processing company, several private firms, a large university and several data security experts. None would discuss the subject, perhaps because they, too, find value in secrecy.
How Success Is Measured
USSS receives a relatively small government budget, and its budget for words is small, too. Success can be summed up in just one -- ShadowCrew.
"ShadowCrew was the first time USSS took over a criminal site and ran it for a year," Lowery said, remembering a favorite success story.
The case involved the eventual takedown of a lucrative carder forum -- a black-market website that traded in stolen data, including credit-card numbers. Albert Gonzalez, a high-ranking member of the forum, was identified, then turned into a government asset. He became a highly valued informant who guided USSS through the shadowy world of black-market carding for an extended period of time.
Gonzalez and 10 other ShadowCrew members eventually were indicted after being linked to data breaches at TJ Maxx, BJ's Wholesale Club, Boston Market, Barnes & Noble, DSW, Sports Authority, Forever 21 and OfficeMax.
The agency's demonstrated technical skills and thorough knowledge of online criminal forums have paid off repeatedly for USSS since the ShadowCrew experience.
In fiscal year 2013 alone, the service investigated 1,400 cyber criminals tied to more than $235 million in actual loss to financial and retail institutions. USSS operations were credited with the prevention of an estimated $1.2 billion in potential losses. In most cases, its persistence and patience paid dividends.
"We've been extremely successful in identifying individuals behind the intrusions," said Lowery, who described his team's goal as being very good at very few things. "For the service to stay in our lanes and develop this specialty ... to get the kind of respect ... we do ... is very satisfying."
There are times that the effort doesn't pay off exactly as scripted, but the agency has adjusted its expectations as the cybercrime world has evolved.
"I wouldn't call any of [our cases] failures. A few years ago, U.S. law enforcement wanted to grab the guy and bring them back to the U.S. Now we are more than satisfied if we can provide info to a foreign partner, and they end up sitting in a foreign jail."
Another success story involves eradicating what Lowery termed "unlimited cash-out" scams. In those instances, hackers alter control mechanisms that restrict the cash that can be pumped out of an ATM.
"You haven't seen any of those recently," he said. "There might be a reason for that. I can't go into it now, but there should be some reporting on it shortly. That's how we measure success."
As the successes mount up, Lowery hopes the agency will be viewed as a major deterrent. He's awaiting the arrival of Verizon's next data breach report due in February 2015, which is expected to document the deterrent elements now battling in the cybercrime universe.
Not every case has a clear or satisfactory ending; efforts sometimes can fall short. A recent case involving a suspected data breach at the California Department of Motor Vehicles has yet to yield fruit. Last month, the DMV quietly announced it had closed its investigation with no breach found despite the fact that law enforcement officials and several banks felt they'd pinpointed an intrusion. It remains unclear whether the Secret Service is done with its own investigation into that case, but a spokesman told idRADAR News: "USSS does not have any comment on [DMV's announcement]." When asked whether USSS was still investigating DMV's payment processor, Evalon, the reply was: "USSS does not have any comment on Evalon."
ID Theft and Other Areas
It would be a mistake to pigeonhole USSS as only involved with financial crimes.
"Yes, that's our bread and butter. Financial. However, the theft of someone's identity is a much more devastating thing. We worked the University of Maryland intrusion. That PII [personally identifiable information] stolen opens up a lot of doors to cyber criminals."
With the UMD case, hackers accessed more than 287,000 individual files and siphoned off gigabytes of personal info, including Social Security data. USSS is well aware of the future identity theft risks those victims face, and Lowery acknowledged it's far greater than the short-term inconvenience of a compromised credit card.
The agency is also tapped to investigate so-called advance-fee or 4-1-9 schemes. Those financial crimes -- most associated with Nigeria and named after a law outlawing bogus requests for monetary help -- can involve emails or phone calls appearing to be from relatives in dire need of funds. Because those 4-1-9 schemes rely on electronic wire transfers, they also fall within the agency's remit.
In the Near Future
While hacker tactics change, one thing remains constant -- the need to change constantly.
"Back in the day with [the TJ Maxx breach], the intruders would break into a system and find existing logs on the system or put in a sniffer to create the logs," Lowery said, reflecting on how cybercrimes have evolved during his tenure.
The TJ Maxx case was a big success for USSS. Then payment card industry (PCI) standards changed. It was no longer permissible to store payment card data on a retailer's server. Hackers rolled out a new approach with the 2009 Heartland payment card breach, grabbing credit-card data from magnetic stripes as it was being processed. PCI standards now require that the data be encrypted during transmission, so the hack trend is now to attack the data and siphon it off in the instant before encryption.
For consumers and crime fighters alike, it is difficult to guard personal data after it's been taken, but knowing about a breach is key.
Sometime in the "near future," Lowery predicts, Congress will adopt a national data breach law, which could simplify reporting for businesses and give consumers more rapid notifications. While efforts currently appear stalled in Congress, he's optimistic such a law will soon be enacted.
"I've never seen as much talk of it as I am seeing now," Lowery said. "We'll be part of that conversation at some point."
Hopefully, the agency can give Congress an earful. Lowery and his teams of undercover agents know the dark corners of the internet better than most, and they have earned the right to call themselves a deterrent force. Americans may not understand their role, but targets do.
"There are only a certain number of individuals out there that can do this sort of crime," Lowery said. "We're strategically going after those individuals. The high levels in Eastern European cybercrime know exactly who we are."
Jeanne Price is managing editor of the News Division of idRADAR.com and writes about identity theft and data security issues. She has more than 15 years' experience as a journalist and also served as head of a government consumer protection agency. Price's passion is solving puzzles like the recent PayTime Payroll data breach that impacted a number of security clearance holders and uncovering valuable lessons in recent data breaches.