New evidence I have gathered for my work as an expert witness in defence cases
shows that thousands of cases under Operation Ore have been built on the
shakiest of foundations - the use of credit card details to sign up for
pornography websites. In many cases, the card details were stolen; the sites
contained nothing or legal material only; and the people who allegedly signed
up to visit the sites never went there.
The probe - Britain's biggest ever computer crime investigation - started from
1990s activity by a Texan porn portal called Landslide.com. People could sign
up with their credit cards to access affiliated porn sites: the porn site got
65% of the sign-up fee, while Landslide took the rest, and dealt with the
credit card companies.
In 1999 the US Postal Inspection Service investigated sites linked to Landslide
that seemed to be dealing in child pornography. The company was raided by 50
agents, who took computers listing the credit card details of thousands of
Britons. These were handed to the British police, who thought they had a
goldmine. All they needed to do was seize the computers of those people, find
evidence of having viewed child pornography on the sites and secure a
conviction - the perfect case. Society would be protected and the police's
reputation for defeating computer-based child abuse would be boosted.
The fraud factor
But the police had not allowed for fraud - which was carried out to a huge
degree against Landslide and unwitting Britons by website owners acquiring or
trading in stolen credit card details.
Late in 2006, copies of six hard drives seized from Landslide were flown to
Britain to be examined by defence computer experts (including myself). They
showed that Landslide had been plagued by a range of credit card fraud rackets,
known in the industry as Card Not Present (CNP) frauds. In the UK, CNP fraud
has increased exponentially in the past decade, from £6.5m in 1996 to £212.6m
in 2006, becoming the largest type of card fraud. Online, criminal groups trade
thousands of stolen credit card details (including number, expiry date, name,
address, and even date of birth, email, password and mother's maiden name),
priced by potential fraud value, ranging from $30 (£15) for an unexploited Visa
Gold card to $2.50 each for a bumper file of 4,000 stolen American Express card
and user details. There's everything required for complete and convincing
fraud.
One method used from 1999 by criminals, including the Gambino mafia family in
the US, was to offer free tours, or access for a credit card payment as small
as $1.95, to adult sex sites. Customers had to provide name, address, card
details, and email address and password. The criminals then reused the data or
traded them online with other fraudsters.
Operating out of Indonesia, Russia or Brazil, many of the webmasters linked via
Landslide appear to have obtained and swapped lists of stolen cards and charged
them up through different portals, usually for amounts of less than $50 - small
enough that unwary people might not spot them on a credit card statement.
Computer experts employed by the police have claimed in court cases they could
find no evidence of hacking or fraud when credit card details were provided to
porn sites. But when Dr Sam Type of Geek Ltd was asked during one case held at
Northampton Crown Court whether she had looked for evidence of fraud, she
replied: "No I didn't, no ... I haven't specifically looked for it." The
defendant was convicted, but is now appealing, based on the new evidence
uncovered (but not disclosed by the Crown Prosecution Service) that fraud was
endemic.
Tens or hundreds of thousands of people fell victim, including some who later
became targets of Operation Ore. One was 'John' , a top city banker. In 1998
and 1999, his family credit card was repeatedly charged by Gambino internet
organisations, and its details then shared with other fraudsters: in June 1999,
his card was charged twice more to make payments to one of Landslide's
top-earning webmasters - who was also a child porn merchant.
Seven years later, 'John' was targeted in Operation Ore: in May 2006, he stood
aghast as police entered his home and trawled through his family's intimate
possessions. He says that police officers "sneered" when he and his lawyers
told them about credit card fraud. "They said they had never heard of it
happening," he told me. Only after a two-day High Court case last September did
the police agree that he was above suspicion, and apologised to him.
Police mistakes
Even innocent transactions were not safe. Some British victims of card fraud
who later suffered from police mistakes in Operation Ore believe their troubles
began after they bought bicycle parts - or even a honeymoon hotel stay - over
the internet or on the phone from the US.
Landslide's computers also contained 54,348 sets of stolen credit card
information, including information on dozens of UK residents apparently stolen
from a Florida-based luxury goods company; some were later used to pay for porn
websites operated by Landslide. The company whose customer data were stolen,
Levenger Inc of Delray Beach, Florida, has declined to comment.
Were the big frauds coming from outside Landslide? Certainly. Its owner, Thomas
Reedy, first spotted systematic fraud late one night in August 1998. "I was
running over the logs and saw something funny," he told a friend in an email.
What he noticed was streams of different credit cards being signed up in
batches from the same internet address to the same website. It could only be
fraud.
That meant trouble for Landslide, and Reedy. When someone signed up via
Landslide to view a particular porn site, the linked site was passed 65% of the
sign-up fee, while Landslide did the transaction with the credit card company.
If someone used a stolen card, Landslide had to bear the loss if there was a
chargeback from the card issuer - often for the original amount and a penalty
fee. So a stream of stolen cards was bad news for Landslide.
Reedy quickly traced the source of the traffic to Pakistan-based webmaster
Imran Mirza and his Rare Nude Celebs website: in just three days Mirza had
charged more than $14,000 to stolen cards. Reedy knew that the credit card
industry imposed a 1% maximum for chargebacks, and required a penalty fee every
time one was applied. Landslide would end up the loser.
Reedy reacted by setting up a new web service, Badcard.com, to trap card
numbers coming from the same internet address, and drew up checklists of
addresses and card numbers he suspected were in the hands of criminals. It
didn't work well enough: fraudsters started switching internet addresses with
each new, false sign-up.
Topping the league were a trio who traded under the pseudonym Miranda, part of
a gang of Indonesian webmasters who had registered over one thousand real or
fake websites, and supplied their names and addresses for, sometimes, $100,000
monthly cheques.
More than half of the money Landslide took from credit cards was paid to their
ring. The gang was supplying extremely unpleasant pornography over the
internet, some of it depicting young children being raped and abused. But the
undisclosed computer evidence shows they were also in the simpler and less
risky business of card fraud.
And every time a stolen British card was used, its owner's name was added as a
potential suspect for the future Operation Ore. On Landslide websites which
computer records show were simply vehicles for fraud, 90% of the people cheated
never noticed or complained. The total level of fraud was probably well over
50%.
By August 1999, the enormous level and cost of chargebacks had sunk Landslide.
Reedy is now in US federal prison serving a 180-year sentence for allowing it
to be used for child porn trafficking.
But how can we be sure that the card details really were stolen, and not being
used by their owners? Jim Bates of Computer Investigations, who acted as an
expert witness for a number of defence cases, examined the newly uncovered
Landslide website log of all recent activity. The log recorded when credit
cards were signed up and charged - and, critically, whether the person putting
in the card details then went on to visit the porn site they had paid for.
Bates found that not only did thousands of the supposed porn buyers not go to
get their porn; many of the sites had been set up purely for fraud. His checks
were evidential tests that the UK police seem to have forgotten to take.
The CPS was asked by the Guardian to comment on whether this step was taken,
but at the time of going to press, it had not responded.
Top of the list of spurious websites was Keyzsexyplace, set up on April 4 1999
by young Brazilian hacker Antonio Francisco "Nino" Tornisiello, from
Piracicaba, near Sao Paulo in Brazil. By the time Landslide collapsed,
Tornisiello had logged 3,181 sign-ups, most of them using stolen British credit
card data. "Tornisiello's hacking stood out like a sore thumb," Bates told me.
"The police experts couldn't have failed to notice it if they were competent,
but they claimed they saw nothing."
Among Tornisiello's many British victims were prominent computer programmers
and businessmen. Some were lucky. The Operation Ore police haven't got round to
knocking at their doors - yet. Nevertheless, their names are now falsely listed
in police files as suspected child abusers. This month, Tornisiello admitted to
me that his Keyzsexyplace website had been a sham that held only "a page with
pictures of celebrities I found over the internet. It was nothing to do with
child pornography." He said he was "choked" to learn that his actions meant
innocent people have been accused of paedophilia.
Operation Ore has become a byword for our police's investigation into the
murkiest of online worlds - but hundreds, perhaps thousands, of the cases show
that the police were misled and confused by criminals whose computer expertise
was years ahead of theirs.
Be safe online:
· Before you enter your details, ask yourself: do you trust this site?
· Beware of phishing sites, which pretend to be trusted sites: check the site
address in the browser bar
· Are you being asked for superfluous detail? Your birthdate isn't really
needed for any transaction
· Note the date and amount of online purchases
· Check credit card transactions often
· Contact the card issuer with queries
Duncan Campbell is a freelance investigative journalist, unrelated to the
Guardian writer of the same name. A longer version of this piece appears in PC
Pro magazine, published today
The Guardian
