Wednesday, November 07, 2007

Catch Him If You Can

If you saw the movie “Catch Me If You Can,” you’ll know who Frank Abagnale is (think Leo). He gave an interview to ComputerWorld about the greater ease of doing now what he did then and, along the way, spelled out the hypocrisies and inconsistencies in corrections sentencing policy today. He also noted what would have to change for us to start getting our act together while, inadvertently maybe, making it sound impossible. The whole interview is as fascinating as his career, which had a movie made about it, after all, but here are a couple of key responses:

Is there anything we can do to make illicit computer-related activity a less attractive pursuit for young people? There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect. I've spent 32 years at the FBI, and I've witnessed crime only got a lot easier to do. Obviously, there's a lot less threat of being caught. When I was caught, I was just a teenager, and they sent me to prison for five years. Today, I'd probably get probation and community service; I might get 18 months and serve six months in jail. So there really is no threat of going to prison to keep somebody in line. I really think the more technology there is in the world, the more you have to instill character and ethics. You can build all the security systems in the world; you can build the most sophisticated technology, and all it takes is one weak link -- someone who operates that technology -- to bring it all down. People don't like to talk about that issue, because they think it's over-simplified. But the fact is, in all my experience, that's where the problem lies. Until that changes, crime is always going to be with us.

Any thoughts on how we can bring that change about? I think you need to bring character and ethics back into schools, and you certainly need to bring it back into colleges and universities as part of a curriculum. Only about half of Fortune 500 companies even have a code of ethics or code of conduct. The ones that do have one publish it every five years on an inside page of their annual report to appease their shareholders. So, obviously, there's no big effort out there to bring about that change. Rutgers just finished a five-year study that found that 56% of MBA students cheated. There are really no con men anymore like there were in my day, because you really don't have to associate with anyone. You don't have to be well dressed and well groomed and well spoken. Everything's done on a computer; there are no witnesses. So even if you know who's doing it, you probably don't have the ability to go capture them. Chances are you have no idea what they look like; they can sit in their pajamas and commit all these crimes.
How are we doing domestically? We have a lot of stupid laws. There's Check 21 [the Check Clearing for the 21st Century Act, which requires banks to accept paper documents with check images in place of original paper checks] -- the whole concept is ridiculous. Basically, what happens today is you give me a check for $2,500. I take the check and alter it to $25,000; I go to my bank and deposit it. My bank takes an image of it, which is a 600 dpi black-and-white copier image. It transmits that to your bank; they pay it, then they physically destroy the check. A month later, you reconcile and your auditor goes, "You wrote Abagnale a check for $2,500, obviously Abagnale has altered the check." So you sign an affidavit to your bank saying this is a forgery, the physical check has been altered. Under Check 21, they have to go back to the first bank of deposit, which is my bank. They tell my bank, "You have to give us some money back, this is a forged check, we have an affidavit from our client." Then, of course, the bank calls me and they say, "Computerworld said they gave you a check for $2,500 and you altered it to $25,000." I say, "They did? Do you have the check? No? Talk to you later." There is no evidence -- it's just absurd. There are a lot of stupid laws passed every day. I always say, criminals must have lobbyists in Washington.

What's the single biggest oversight companies make with respect to computer security? First of all, there is no foolproof system. If you believe you have a foolproof system, then you have failed to take into consideration the creativity of fools. My experience is if there's a man or woman who designed it, there's a man or woman who can defeat it. So I think most companies fail to take into consideration that they've developed this great system, but then they've failed to look at the person who's operating the system, the person who has information about the system -- his background and how much that person can be trusted. Companies hire people today with very little background checking; they're put into positions or they earn their way up to positions where they can do something to harm or cheat that company. So we have to pay a lot more attention to that weak link -- the human part of the system.

Would you say the greater security threat to a company is internal or external? I think it's internal. What you have today is a lot of influence from the outside. For example, if I'm trying to get inside a company, I'm going to find out who works in that weak-link position. I may find him in a bar or a restaurant, I'm going to get to know him and eventually I'm going to say, "I don't know what they pay you, but I will triple or quintuple what they pay you if would simply get this information for me." I'm not saying to steal something physical, to go rob some money. I'm saying to somebody, "Pull this up on the screen, write it down on a Post-it note, give me the Post-it note, and I'll give you $50,000. Nobody's going to know you did it, you'll never see me or hear from me again." It's very appealing to someone who has very little character and ethics in their background.

(h/t Psychology and Crime News)

No comments: