From: dlv@bwalk.dm.com (Dr.Dimitri Vulis KOTM)
Date: Wed, 18 Sep 1996 15:12:15 +0800
To: cypherpunks@toad.com
Subject: [NEWS] Crypto-relevant wire clippings
Message-ID: <7VJFuD100w165w@bwalk.dm.com>
MIME-Version: 1.0
Content-Type: text/plain


Los Angeles Times: Monday, August 26, 1996

Credit Sting Involves Hacker And Citibank Cardholders

By JIM NEWTON, TIMES STAFF WRITER

When U.S. Secret Service agents set a trap for a young computer operator
who had expressed an interest in stealing credit information, they
baited it well: with real credit card numbers from real customers.

The young man, Ari Burton of Las Vegas, went for it, was arrested and
was charged with possession of stolen credit information--charges to
which he ultimately pleaded guilty. That ended the case against Burton,
but the cardholders' information did not stay secret with the Secret
Service. Detailed credit histories of 35 Citibank cardholders, none of
whom gave their permission for their files to be accessed, ended up with
the defendant, his lawyers and anyone else who got a copy of the case
file.

Included in it: names, addresses, home phone numbers, Social Security
numbers, credit card numbers, available credit lines and outstanding
balances--more than enough for anyone to run up huge tabs on
unsuspecting customers.

The cardholders were never warned that their information had been used
in a sting, or that it had subsequently been shared with the defendant
and others. In fact, a few of the cardholders only learned of the
disclosure when the defendant's father wrote asking whether they had
authorized the release of the information. Others found out just last
week, three years after the information was first released, when
contacted by The Times.

Told of their unwitting involvement in a federal sting, many were
furious.

"I'm upset, I'm real upset," said Joe Becker of Costa Mesa. "I want to
know how this happened."

"I never authorized anything like that," said Sarah DiBoise, who lives
in Atherton. "I am certainly bothered by it."

And Sam Zadeh, who lives in New York, deplored what he called the "bank
and law enforcement agency invading our privacy."

The same revelations that left cardholders smoldering also raised
troubling questions about the conduct of the government and of the bank
that released private information to the Secret Service. Some of those
questions ripple into delicate areas of criminal law--topics such as the
right of defendants to evaluate evidence against them and the right of
uninvolved citizens to maintain their privacy while federal agents try
to corral bad guys.

Why, lawyers, cardholders and others asked, would the Secret Service use
real cardholder information for sting operations? And even if, for legal
reasons, it feels compelled to use actual credit histories, why not seek
permission from cardholders first?

Finally there is this question: How many cardholders nationally are
exposed to disclosure of their credit information through government
operations? Authorities in some other parts of the country say they do
not use real credit information, and Citibank stresses that the Burton
case was an aberration. But investigators and prosecutors in Las Vegas
said the techniques used to nab Ari Burton are employed in other
instances.

In fact, Secret Service agents in Las Vegas say the use of real credit
information is forced upon them by federal law requiring authorities to
demonstrate that a suspect actually possessed something illegal in order
to win in court.

"In something of this nature, the crime is the illegal obtaining of what
is called the access device," said Jerry Wyatt, assistant special agent
in charge of the Secret Service office in Las Vegas. "Unless the access
device is a real number, it's just a number."

Following that theory, some authorities argued that if the Secret
Service had supplied Burton with fake credit card information, Burton
could not have been found guilty of attempting to steal real credit card
histories.

But that reading of the law is hotly contested by experienced lawyers.
Although it is a violation of federal law to have unauthorized
possession of an access device--another name for a credit card
number--it also is against the law to attempt to possess such a device,
even if that attempt turns out not to be successful.

Legal experts said agents could make up fictitious customers and
generate false credit histories, then use that information in sting
operations. Even without a handoff of real credit information,
prosecutors still could charge the objects of the stings with attempting
to steal credit card numbers, an approach that might slightly complicate
criminal cases but that would protect cardholders.

Wyatt said he was not familiar enough with the facts of the Burton case
to know why that approach was not adopted. Nor could he say how many
cases each year involve the knowing transfer of actual credit
information from the government to criminal suspects--only that such
cases are not unusual.

At the U.S. attorney's office in Las Vegas, the chief of that office's
criminal division agreed that other tactics might have minimized the
risk to cardholders in the Burton case, but he said the Las

Vegas office typically uses real credit card numbers of actual
cardholders in luring suspects such as Burton.

"We're sensitive to disclosing too much personal information," said John
Ham of the U.S. attorney's office. "But whenever we charge credit card
cases, we include names and numbers."

As for its role, Citibank acknowledged releasing the files to the
government but defended its actions by saying it meant no harm and by
stressing that its customers' privacy is its highest priority.

"We would never do anything to jeopardize our customers," said Maria
Mendler, a spokeswoman for the bank, which has a reputation for vigorous
protection of its cardholders' privacy. She acknowledged that real
information was supplied in the Burton case, but she said the bank did
not intend for that information ever to surface in a court file or
otherwise become available to the defendant and others.

In 1993, the bank also defended its actions in a letter to a lawyer by
noting that while information had been released, it had not been done to
hurt anyone. "We submit that the actions as alleged do not include the
requisite element of an intention to do harm to those customers whose
information was disclosed," an associate general counsel for Citibank
wrote at the time.

Those explanations hold little sway with Citibank customers, however,
many of whom complained that if their personal credit histories were
going to be used in a sting operation, they at least deserved to be
notified so that they could apply for new card numbers once the
operation was over.

Instead, sensitive information about them and their credit has been
kicking around a court file for more than three years--available to,
among others, Burton, a man who has admitted that he tried to steal
credit information. There is no evidence that Burton or anyone else used
the card information gathered in that case to ring up bills, but that,
too, is little comfort to the cardholders.

"Financial information is private, and I have a right to privacy," said
Becker, one of those whose credit information was used by the Secret
Service. "I'm worried about how this information might be used now that
it's out there."

Experienced defense and civil rights lawyers, who are used to analyzing
government conduct and subjecting it to harsh scrutiny, said they were
taken aback by the actions of the Secret Service and Citibank in the
Burton case.

"I would think these people could sue for invasion of privacy," Century
City defense lawyer Harland W. Braun said of the cardholders.

Paul Hoffman, a Los Angeles civil rights lawyer, said he too was
surprised by the use of private information in a sting.

"It does seem amazing to me," he said. "These people have rights, too."

Legal experts with both defense and prosecution backgrounds acknowledged
that problems might have confronted the Secret Service had it tried to
avoid offending customers by fabricating card numbers or inventing fake
credit histories. But they said those problems probably could have been
overcome, and added that in any event, they did not pose enough of an
obstacle to justify accessing credit information without permission.

"The answer to that is you get real people who are willing to have their
credit cards used that way," said Hoffman. "If you're doing a sting in a
house, it doesn't mean you go into a neighborhood and take a house. Why
should this be different?"

Complicating the issue still further is a decision by the prosecutor in
the case. Once the Secret Service and Citibank had used real credit
histories to bait the trap for the sting, the U.S. attorney in Las Vegas
was presented with a case in which the evidence against the defendant
involved personal information whose disclosure might harm innocent
citizens.

That type of situation can pose a difficult dilemma for a prosecutor:
Federal rules require that prosecutors share evidence with their defense
counterparts so that defendants know what they might face at trial, and
failing to do so can allow suspects to go free. On the other hand,
disclosing the information might put other people at risk.

In general, careful prosecutors tend to err on the side of providing
information to the defense even if it may create hazards for others.

In the Burton case, however, some experts argue that the privacy rights
of the cardholders should have outweighed the defendant's right to
confront the specific identifying information; an edited list of
cardholder information should have sufficed in a case such as this one,
they said.

The solution, according to those experts, would have been for
prosecutors to ask the judge to impose a protective order that would
have shielded the personal, private information from either the defense
lawyer or from the defendant himself.

But others maintain that Burton's lawyers were entitled to the
information because it was evidence against Burton, and therefore
evidence that his lawyers had a right to assess and consider in deciding
their legal strategy.

Ham, the chief of the Las Vegas office's criminal division, echoed that
view, saying his office had no choice.

"We have to provide documents that support the charges," he said. If
prosecutors had not done so, he added, a judge undoubtedly would have
forced them to. Ham said no protective order was sought to keep the
information from being shared with people other than the defense lawyer.

The prosecutor, said noted Los Angeles defense lawyer Donald Re,
"probably had the obligation to provide the material in discovery." Re
added, however, that a protective order might have been tailored to
allow Burton's lawyers to review the material on the condition that they
not share it with anyone else, including their client.

Because there was no such order, Burton effectively received the same
information in discovery that he had sought illegally. Within a month of
being arrested, the same government that was charging him with a crime
provided him with the list of cardholders and their personal
information.

"They handed it right back to me," Burton said in an interview.

At the same time, Re and others stressed that the prosecutor's decision
was a close call and difficult to second-guess. Far more troubling, they
said, were the actions that led to it: the bank's disclosure of the
material and the Secret Service's decision to hand it over to a suspect.

And given the statements by investigators and prosecutors that the
techniques used in the Burton case are widely practiced in other
investigations, many experts warned that ill-advised government
practices may be putting cardholders across the country at risk.

"There are a lot of situations where they create a scenario like this
where you want to show actual possession, not just an attempt," said Re.
"But in those situations, you get consent from somebody. You have a
security officer who sets up an account, and you use that account number
in the sting. Then there's no harm, no foul.

"But you don't give out real information," Re added. "That's just
crazy."


USA Today: Wednesday, August 28, 1996

Citibank Tightens Rules on Disclosure to Law Enforcement

By Jeff Mangum

Stung by a sting that nabbed a Las Vegas man for possession of stolen
credit information, Citibank says it has changed how it works with law
enforcement agencies.

Citibank agreed in 1993 to give the U.S. Secret Service credit card
information on 35 customers, without their knowledge, to help catch a
man who eventually pleaded guilty. Customers' names, addresses, home
phone numbers, Social Security numbers, credit card numbers, available
credit lines and outstanding balances ``ended up with the defendant, his
lawyers and anyone else who got a copy of the case file,'' the Los
Angeles Times reported Monday.

``Citibank trusted that the criminal justice system would keep this
information safe and confidential,'' the bank said Tuesday. ``As it
turned out, that was a mistake.''

Citibank says a relative of the defendant subsequently contacted the
affected customers, asking them to join a class-action lawsuit against
the bank. That, spokesman Mark Rodgers says, prompted Citibank to
contact the customers and change its policy in 1993. ``Were we to
consent to a similar operation (now), for example, we would only do so
with the express consent of that customer,'' Citibank said Tuesday.

Federal law generally prohibits disclosure of financial records. But
there are exceptions. ``The general rule of thumb is there has to be a
subpoena or a person's consent,'' says Mitch Montagna, a spokesman for
AT&T;Universal Card. The American Bankers Association says ``99.9% of
the time, customer information is safe and secure.''


Denver Post: Tuesday, September 10, 1996

Editorial

U.S. Invades Privacy in Nevada Credit-Card Sting

Americans who say they worry about invasions of their privacy have a new
reason to fret: In a recent case, the federal government and a major
bank willingly gave a suspected crook the credit card numbers and
personal histories of citizens -- without their permission or knowledge.

The breach of privacy in this Las Vegas, Nev., case was egregious and
outrageous. The Clinton administration should reprimand the agents
involved, and Congress should amend the laws so that such an affront to
citizens' rights never reoccurs.

In the case, U.S. Secret Service agents wanted to snare a computer
operator who had expressed interest in illegally obtaining credit-card
information. They asked Citibank for the names, addresses, Social
Security numbers and other credit information on some of the bank's card
holders. Citibank complied with the request - but never got the card
holders' permission to divulge such personal information, according to a
story in the Los Angeles Times. In other words, law enforcement agents
handed a suspected credit swindler the very information he would need to
carry out a crime.

The suspect ultimately pleaded guilty to some of the charges.

Many of the card holders heard that their personal records were used to
bait a credit-card sting only when the defendant's father contacted
them. Others learned about the episode through a newspaper reporter who
was covering the case.

In theory, there are laws to protect consumers from people prying into
their credit histories without their permission. Obviously, these
statutes aren't nearly strong enough.


American Banker: Monday, September 16, 1996

FUTUREBANKING

Mondex, Moving Fast, Sees Long Trek To a Worldwide Cash Alternative

By JEFFREY KUTLER

Exactly a year passed between the start of the Mondex trial in the
southwest England town of Swindon and the creation of Mondex
International, the banking consortium that hopes to use the smart card
system as the basis for a global alternative to cash.

That was fast according to the calendar. It was also an eternity.

During those 12 months, National Westminster Bank, the new payment
technology's inventor and champion, rode a roller coaster between self-
congratulation and a skeptical press, between the celebration of an
unprecedented accomplishment and a storm of criticism from within its
own industry.

Even with the formation July 18 of Mondex International, enthusiastic
backing from banking powers as diverse as Wells Fargo Bank and Hongkong
& Shanghai Banking Corp., and the current cloning of Swindon in the
Canadian city of Guelph -- it relates locationally to Toronto as Swindon
does to London - the Mondex eternity continues.

The emotional pendulum still swings at Natwest Group headquarters in
London. And emanating from Natwest and from within the Mondex project is
a mix of messages that underscores how truly groundbreaking is their
attempt.

Win or lose, whether or not they are understood or praised by their
peers, the founders of the Mondex project have risen above the almost
weekly cycles of technological change and quarterly pressures on
earnings with a longer-term perspective antithetical to the traditional
ways of bankers and the banking industry.

"Natwest recognizes that Man does not live by short-term profits alone,"
group chief financial officer Richard K. Goeltz said in a recent
interview with American Banker. "There are things we have to bequeath to
our successors."

Mr. Goeltz -- who moved to New York this month as chief financial
officer of American Express Co. -- and others close to Mondex want the
world to recognize how far they have come in a year.

But the Mondex promoters are quick to point out that it is actually Year
6 since Natwest began to fund them. Today they look at a 10- or 15-year
horizon.

(Natwest will recover most if not all its development cost by issuing
about $150 million of stock in Mondex International. The bank expects to
collect further royalties as the system rolls out. Partner bankers do
not begrudge Natwest its return for risk taking.)

One gets the sense that Natwest's leaders were so well primed for the
long haul that it would take more than a few technical glitches and
negative newspaper stories to get their goat. Mr. Goeltz dismissed the
sniping from more tradition-bound competitors as "slings and arrows"
that never hit their mark.

Mr. Goeltz and other insiders knew, long before the Mondex International
membership roster became public, that the concept was attracting
interest. "Broad-scale cooperation" was a prerequisite, written into
Natwest's business plan, and 16 other "global founders" who came forward
July 18 found the case compelling enough to want to join in the
marathon.

"This is a process of change management - it's not like flicking a
switch," said Roy S. Pratt, deputy chief general manager of Mondex UK
Ltd., the British franchise co-owned by Natwest and Midland Bank Ltd.

"Our job is not to say, 'This is how it will be.' It is about trends and
responsiveness. To say anything is cast in stone at this point would be
presumptuous."

Mr. Pratt, 49, spent 31 years at Midland Bank before being "seconded" to

Mondex UK in 1994. His banking jobs were in treasury, asset/liability,
and portfolio management. He said his nontechnological background
enabled him to see the complexity of the phenomenon, to confront
necessary questions about the known and unknown quantities of a
reinvented payment system.

"People always want to ask about take-up (acceptance) rates, how fast
this will happen, but I am reluctant to make blanket statements," Mr.
Pratt said. "Mondex will mean different things to different people. It
will not be the same at Exeter University (where it is being introduced
this fall) as it is in Swindon.

"There is not one proposition or growth rate. What is a critical mass
for one segment will be different in another. A carpark will not be the
same as a bus. You might call each a micro-Mondex economy.

"This is a change process that will be based on value exchange on a
just-in-time basis," Mr. Pratt continued. "It is not a product like a
loan or deposit package, or even a payment mechanism. It is not
mono-dimensional.

"And it's not just an issue for bankers. We respect the integrity of the
payments process, but we also have a responsibility to society."

Such words are hardly bankerly.

To be sure, Mondex has rigorous underpinnings. The bankers' thought
processes are logical. The strategic plans passed muster with "some of
the most sophisticated, hard-nosed bankers in the world," Mr. Goeltz
said.

"Mondex does have tremendous social implications, not least in terms of
what it can do for welfare payments and pensions," Mr. Goeltz said
before his recent departure for American Express. By automating cash "it
reduces friction in the economy.

"But the implications for society were not the motivation for Mondex. It
was to serve customers better and generate a return for shareholders.

"What's interesting about Mondex was not the technology," Mr. Goeltz
went on. "The technology was a facilitator. This is one of the few
products I've seen in which all three participants in the value chain --
banks, retailers, and customers -- benefit."

The enthusiasm carries over to outsiders - even some who have been
lumped among the critics - to a point.

"The richness, the robustness of the technology, is fantastic," said H.
Eugene Lockhart, president and chief executive officer of MasterCard
International. (MasterCard held negotiations with Natwest to buy into or
participate in Mondex, but at the same time its European affiliate,
Europay International, was developing the competitive Clip electronic
purse system.)

For more than two years, Mr. Lockhart has insisted on seeing smart
cards' "business case," and even as MasterCard launches experiments
around the world he is still not completely satisfied.

"Let's assume there is a business case," he said. "The opportunity is
that we have this new technology platform that can do a lot of things,
stored value being only the first manifestation. "But there is a big
problem: How on earth do you grow that system in millions of other cases
just like Swindon?"

Swindon, for now, is "the case."

Mondex UK's overly optimistic projection of 40,000 cardholders in the
city of 190,000 people set off the bad press. In reality, the 10,000
that signed up within 12 months weren't bad news at all. That's almost
25% of the combined Natwest-Midland customer base in the area.

Mondex said its surveys showed 66% of the cardholders said they
preferred Mondex to cash. Average card loads were the equivalent of $35
to $45, and the majority of transactions were under $7.50.

Perhaps more to the point, it is hard to find a storefront, public
phone, or any type of payment device in the commercial center of Swindon
that does not accept Mondex. The banks signed 600 merchants, double the
number accepting MasterCard and Visa, which stands to reason for a cash
replacement.

"You can actually go cashless," said Mark Gordon, Mondex International's
head of marketing. "It's not a big deal when you present Mondex at the
tills."

While Mondex has been selective in its data disclosures -- no one denies
that its transactions are a small percentage of the Swindon total -- Mr.
Gordon and his team have been more than hospitable in letting the world
come view Mondex. Banker delegations are commonplace, often gathering at
the "Mondex Store" in the town center before setting out to observe and
test merchant acceptance.

Hardly a day goes by without the visit of a television crew. Many come
from Asia, where Mr. Gordon believes "Mondex will really fly." (A Hong
Kong pilot is set for late this year, and smart cards of various kinds
are already prevalent in Singapore, Taiwan, and elsewhere in the
region.) "They see this as a city of the future," he said, "like
something out of 'Blade Runner.'"

The Mondex staff tries to keep the visits unobtrusive, but some of the
merchants were willing to pay the price of unanticipated stardom.

"Our town center store is small," said Bob Upshall, manager of the
Sainsbury supermarket, part of one of Britain's biggest chains. "Having
Mondex raised our profile and provided a morale boost."

At the corporate level, Sainsbury was eager to participate in Mondex
because "it didn't want to be left behind." So the smaller,
convenience-oriented Swindon outlet, which otherwise might have relied
for years on older computers and point of sale equipment, got an upgrade
on a par with many "superstores," and Mr. Upshall said, "My staff loved
it. A positive staff is a plus for customer take-up."

Sainsbury, a Midland Bank customer, invested 45 minutes per cashier in
Mondex training and found the system was so easy to grasp that it didn't
have to deploy, as anticipated, demonstrators in the checkout lanes.

Mondex volumes were running at less than 0.5% of sales at the three
Swindon stores -- slightly lower in the town center location than at the
larger branches on the outskirts of town. Mr. Upshall said an incentive
offer in May and June of a five-pound voucher (about $7.50) for every
50- pound ($75) shopping trip brought in transactions well above the
average ticket of five pounds in-town and 30 pounds ($45) elsewhere.

"Whether smart cards will be in Mondex or other forms, they are here to
stay," Mr. Upshall said. He gauged customer reaction as "very positive,"
though mainly among early adopters. He himself likes Mondex as a
consumer -- "I use it in the canteen all the time" -- and as a merchant,
because it streamlines the cash-handling tasks that require two to three
full-time positions in the supermarket's back office.

Nearby in McElroy's, a local department store, Vince Ayris accepts and
encourages Mondex payments at his shoe repair and key-making stand. Mr.
Ayris has been in the business 17 years, is a well-known man about town,
and so strongly believes in Mondex that he essentially sold it to the
local rugby club, where "we use it quite a lot. I find I'm more careful
about spending money (with Mondex) than with cash, and it's easier than
small change."

Mr. Ayris admitted to being "a bit skeptical at first," but he has
become so strong a booster that Mr. Gordon felt he had to deny that Mr.
Ayris is in Mondex's employ.

"I don't give money away to a bank like I do with a MasterCard or Visa
discount," the merchant said. "There is no problem with fraud or
counterfeit.

"I have more over-ring errors on the till than on Mondex terminals.
Every transaction is documented so disputes are more easily resolved"
than with cash.

And because the Mondex terminal is smaller than a cash register, "I have
more room for selling product."

Mondex is also proving itself at a multiplex movie complex, part of the
MGM chain that Virgin Enterprises recently acquired. John Keil, the
manager, said he "needed no convincing" to accept Mondex at every point
of sale. "We saw the benefit immediately. Any way at all to take cash
out of the system, the better.

"The bigger the business, the more problem cash is," Mr. Keil went on.
"Any major company sees the benefits in the technology."

Like the supermarket, the MGM outlet easily won staff support. "Most of
them are into gadgetry," Mr. Keil said.

It also encouraged sales by cutting Mondex users' ticket price to about
$4.90 from $6.80. The transactions are still a small portion of the 30%
of in-person box-office sales done on plastic cards. (Another 30% are
advance sales by phone; Mondex has not yet been accepted that way.) Mr.
Keil said he is looking forward to having "one box" that can accept all
cards. Even so, he said Mondex was "very flexible, requiring no change
whatsoever to our system. It was slotted right in ... They made their
system fit ours."

"I think the system will take off eventually," Mr. Keil said. His only
regret is that because he doesn't live in Swindon, he can't use Mondex
more than he does.

It is as if Mondex has succeeded at recruiting its merchants as change
agents. Time will tell if they are still on board when Mondex begins
costing them something.

"The chip brings a fundamental change," said Mr. Pratt of Mondex UK.
"You feel as if you are shaping the future.

"When the market begins using it to create its own needs and to solve
its own problems, that's when the real thrill will come -- and a surge
in usage."

---

Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps