This story won't get much publicity, so I'll echo it here:
Minneapolis - A College Park, Maryland, computer hacker was sentenced today in federal court in Minneapolis for defrauding two companies out of nearly $500,000. Larry Edward McPhillips, age 39, who pled guilty to computer fraud in December of 2005, was sentenced by U.S. District Court Judge Joan Ericksen to thirty months in federal prison. He also was ordered to pay the two companies victimized by his crime, Innuity, Inc., and Digital River, Inc., $497,793 in restitution.
According to court documents, McPhillips founded CCNow Incorporated (“CCNow”), a company that collected credit card payments on behalf of Internet vendors. In 2000, he sold CCNow to Innuity, Inc. (“Innuity”), a Minnesota-based company. After the sale, McPhillips continued to work in the CCNow division of Innuity. Beginning in July of 2001, he used his intimate knowledge of the CCNow business and its computer system to hack into Innuity’s computer server. After accessing the server, McPhillips created false credit card transactions. Those transactions caused Innuity to make payments to bank accounts controlled by McPhillips. He repeated his illegal hacking twice a month, every month. Over the next year, those fraudulent payments to McPhillips totaled $388,397.
In March of 2002, Digital River, Inc. (“Digital River”), another Minnesota computer company, acquired the CCNow business from Innuity. Following that acquisition, McPhillips began to hack into the Digital River computer server. Using the same scheme, McPhillips caused Digital River to make fraudulent payments to bank accounts controlled by him until his illegal hacking was uncovered in July, 2002. Losses to Digital River amounted to$109,395.
After sentencing, the prosecutor in this case, Assistant United States Attorney Joseph T. Dixon, said, “The public needs to know that computer hacking is illegal and will be prosecuted. Individuals who access institutional computer systems without authority are on notice. They are breaking federal law and will face serious consequences. In this case specifically, I want to thank Digital River for bringing this criminal offense to the attention of federal authorities, so Mr. McPhillips could be brought to justice. Without the support of corporations, such as Digital River, many of these crimes would go unnoticed and undeterred.”
Originally at: http://www.usdoj.gov/usao/mn/press/econ/econ0091.htm
Woah. I *play* with hacking stuff all the time -- my own stuff. In a legitimate sense, I have to get onto computers at work that have had all their user accounts screwed up, or open files that were encrypted with passwords that the author then forgot. Recovering data, reconfiguring things.
As a proof-of-concept only, and with full consent from all relevant parties, I have hacked into a couple interesting systems at work. The real question, of course, is what one astute coworker asked me once after I told him about one of the jobs: "So how can you make it so nobody can do that again?"
Developers have a great deal of access and power in corporate networks. Sensitive systems really do need to be designed to protect against abuse from internal agents and should be audited thoroughly by outside agents. One of the scary aspects of the McPhilips story is that his fraud was apparently never detected at Innuity -- the company that sustained the greater damage. If he hadn't continued his illegal activity at Digital River, if CCNow had been purchased by a different company where that attack wouldn't have worked, he might never have been caught. Innuity might never have realized what happened.
This is all particularly relevant because I work at the entity that is now Innuity. (A descendant of the Innuity mentioned in the article, though much changed from 2001.) We have a CC processing division and I wonder how different the security is today. (I'm sure it's much better.) Wild.