On October 21, 2010, Malaysian citizen Lin Mun Poo landed at the JFK airport in New York and hit the streets to make a business deal. He was taken into custody a few hours later, after meeting with a "carder" who had offered to give him $1,000 cash for 30 active credit and debit card numbers. When the meet went down, in Queens, New York, it turns out the carder was an undercover Secret Service agent. Poo's laptop computer was searched and found to contain thousands of stolen credit and/or debit card numbers, as well as log files indicating multiple servers belonging to various financial institutions had been infiltrated. (From Case 1:10-mj-01240-VVP, PACER)
He was arrested and arraigned on a probable cause affidavit from the US Secret Service stating that "in or about and between September 2010 and October 21, 2010, both dates being approximate and inclusive, within the Eastern District of New York and elsewhere, the defendant LIN MUN POO did knowingly and with intent to defraud produce, use and traffic in one or more unauthorized access devices, and by such conduct did obtain $1,000 or more during that period."
As the affidavit makes clear, that wasn't all that was going to be charged, but this violation of Title 18 USC § 1029(a)(2) - "Fraud and related activity in connection with access devices" - was enough to get POO picked up and held.
Poo was taken into custody, and Justice argued he would be a flight risk, so he should be held. *UPDATE 22NOV2010 @ 1300* - Poo was arraigned today, pleading not guilty. He was remanded into custody and will be held without bail until at least his next hearing on December 20th! A copy of his Detention Letter is available courtesy of the Eastern District of New York.
A Press Release from the Eastern District of New York Department of Justice has the headline "Malaysian National Indicted for Hacking into Federal Reserve Bank" and continues "Defendant's Criminal Activities Extended to the National Security Sector."
Poo was in possession of 400,000 stolen credit and debit card numbers at the time of his arrest. According to the Press Release, "the defendant made a career of compromising computer servers belonging to financial institutions, defense contractors, and major corporations, among others, and selling or trading the information contained therein for exploitation by others."
While the headline is all about the Federal Reserve Bank of Cleveland, Ohio, an SC Magazine article by Dan Kaplan downplays that aspect of the story. In a statement Dan received for his story, "Malaysian Man Charged with Hacking into Bank Systems," Fed spokeswoman June Gates said "There's been some confusion based on the wording in the Department of Justice news release. The incident here involved a test computer that is used to test software and applications. No Federal Reserve data or information was accessed or compromised."
The confusion comes from a misunderstanding of the Detention Request filed by Justice, which states:
the defendant admitted that he compromised a computer network of the Federal Reserve Bank (“FRB”) by exploiting a vulnerability he found within their secure system. The FRB in Cleveland, Ohio has confirmed that an FRB computer network was hacked in approximately June 2010, resulting in thousands of dollars in damages, affecting ten or more FRB computers, and forming the basis for Counts Three and Four.
It is not necessary to steal data to cause thousands of dollars in damages.
What should be of bigger concern are the other victims of Poo's hacking. One of these was FedComp, described as a data processor for federal credit unions. As a result of the FedComp breach, the New York Press Release says Poo "was able to gain unauthorized access to the data of various federal credit unions, such as the Firemen's Association of the State of New York and the Mercer County New Jersey Teachers." Another was a system belonging to a DoD contractor "that provides systems management for military transport and other military operations, potentially compromising highly sensitive military logistics information," according to the Press Release.
The four-count indictment against Poo, filed Nov 18, 2010 in Brooklyn, charges the following:
COUNT ONE - Access Device Fraud
"knowingly and with intent to defraud possess fifteen or more unauthorized access devices, to wit: credit and debit card account numbers, in a manner affecting interstate and foreign commerce."
(See: Title 18 USC §§ 1029(a)(3), 1029(c)(1)(A)(i), Fraud and related activity in connection with access devices)
COUNT TWO - Aggravated Identity Theft
"knowingly and intentionally possess, without lawful authority, means of identification of one or more persons, to wit: credit and debit card account numbers of individuals, knowing that the means of identification belonged to said persons."
(See: Title 18 USC §§ 1028A(a)(1), 1028A(b), 1028A(c)(4), Aggravated Identity Theft)
COUNT THREE - Unlawful Transmission of Computer Code and Commands - Federal Reserve Bank
"knowingly and intentionally cause and attempt to cause the transmission of one or more programs, information, codes and commands, to wit: malicious codes and commands, and as a result of such conduct, did intentionally cause damage without authorization to one or more protected computer, to wit: computer of the Federal Reserve Bank, which offense caused, and if completed would have caused, loss to one or more persons during a one-year period aggregating at least $5,000 in value, and damage affecting ten or more protected computers during a one-year period."
(See: Title 18 USC §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(B), 2 and 3551 et seq)
COUNT FOUR - Unauthorized Computer Access Involving Government Information
"knowingly and intentionally access and attempt to access one or more computers without authorization, to wit: computers of the Federal Reserve Bank, and thereby obtained and attempted to obtain information from a department and agency of the United States, to wit: the Federal Reserve Bank, which offense was committed for the purpose of commercial advantage and private financial gain."
(See: Title 18 USC §§ 1030(a)(2)(B), 1030(b), 1030(c)(2)(B)(i), 2 and 3551 et seq.)
Fraud and related activity in connection with computers