CD Universe evidence compromised

June 7, 2000, 5:00 PM PT

By Mike Brunker and Bob Sullivan,4586,2584330,00.html

Six months after "Maxim" broke into the computers of Internet retailer CD Universe and stole 300,000 credit cards, U.S. authorities have been unable to find the thief. And even if they do, they are unlikely to be able to successfully prosecute the case because electronic evidence collected from the company's computers was not adequately protected, has learned.

Though the FBI indicates the theft and subsequent extortion attempt remain under investigation, a source familiar with the case said the failure to preserve the electronic evidence had virtually eliminated the possibility of a prosecution.

"The chain of custody was not established properly," said the source, who spoke on condition of anonymity.

A second source, also speaking on condition of anonymity, confirmed the account.

"This is a case that is not going to get solved," said the second source. "It's like the O.J. Simpson case, the evidence is tainted. Even if you find whomever, how do you prosecute it?"

"Chain of custody" refers to the process by which computer forensics specialists preserve the crime scene - i.e., the computer logs on hard drive of the network server - so that an intruder's actions can be traced. Each step in the process must be carefully documented so that, if the case gets to court, prosecutors can show that the electronic records were not altered as the investigation progressed.

'This is a case that is not going to get solved. It's like the O.J. Simpson case, the evidence is tainted. Even if you find whomever, how do you prosecute it?'|anonymous source Initial reports suggested Maxim orchestrated the crime from Eastern Europe, but that has never been confirmed. If true, it would mean the odds against his arrest and prosecution already were extremely long.

But the inability to use electronic evidence in court virtually guarantees that the thief, who claimed to be a 19-year-old Russian male in e-mail conversations with reporters after news of the theft became public in January, will never be brought to justice.

It is not clear exactly how the CD Universe evidence was compromised, but it apparently occurred in the initial frenzy in the company's Wallingford, Conn., headquarters as FBI agents and employees from three computer security firms worked feverishly to determine how the thief got into the company's network and to shore up network defenses, the sources said.

Representatives of the three companies - Network Associates, Kroll O'Gara and - did not return calls seeking comment.

A spokesman for Network Associates contacted days after the break-in saying the company was conducting a review of security at CD Universe. Sources said experts from Kroll O'Gara and arrived on the scene later.

Brad Greenspan, president of eUniverse, parent company of CD Universe, said he had no knowledge that the data culled from the music retailer's computers could not be used in court.

"We've complied with the federal authorities and stepped back and let the FBI do their investigation," he said.

Lisa Bull, a spokeswoman for the FBI's field office in New Haven, Conn., declined to comment on the investigation other than to confirm that it remains open. Other FBI officials also declined to conform or deny that the electronic evidence had been improperly catalogued.

Preserving computer data for use in court requires the use of stringent checklists and procedures to prevent files from being overwritten and thereby making it impossible to prove that they were not altered after the fact, explained Joan Feldman, president of Computer Forensics Inc. in Seattle.

"On a PC running Windows or NT, for example, if you go into Explorer and click on a file, you've automatically changed the last-access date," she said, using the familiar home computer to draw parallels to working in a server environment. "If I'm working on the only copy and I've just changed the last-access date, that's an important piece of data if I'm trying to authenticate evidence."

Without knowing the circumstances under which the CD Universe data was allegedly compromised, Feldman said a breakdown in communication would be the most likely cause of such a loss of documentation.

"Mistakes happen," she said. "Somebody doesn't tell somebody that it's the only copy. That's the kind of area where it would break down."

She also speculated that CD Universe employees and personnel from the security consulting firms may have been more concerned about figuring out how Maxim gained entry to the network rather than preserving the evidence.

'You could make it more secure, the problem is that nobody ever tells you you need to.'|source Questions about the evidence in the CD Universe case may well turn out to be moot, as there has been no indication that investigators are making headway in their attempts to track down Maxim.

In fact, it remains a mystery how the computer criminal was able to penetrate CD Universe's network and seize what he claimed was data on 300,000 credit cards. He later posted information on roughly 25,000 cards on a Web site after failing to extort at least $100,000 from the music retailer.

Maxim, in e-mail conversations with and other news organizations after his exploits became known, stated that a security flaw in IC Verify credit-card processing software allowed him to gain access to the data.

But Cybercash, the company that makes IC Verify, denied the charge and neither public nor private investigators have come forward to clarify the situation - a move that would allow other retailers to plug the hole.

A source familiar with the product told, however, that IC Verify does create clear text - or unencrypted - logs of credit card data and stores the information in two files on the server.

The merchant can change the location of this vulnerable store of data, but many small business owners who purchase the product aren't tech-savvy enough realize the danger, said the source, an information-systems consultant with nearly 30 years' experience.

"You could make it more secure, the problem is that nobody ever tells you you need to," said the source, who spoke on condition of anonymity.

And despite the six months of investigation, it also remains unclear how much fraud was perpetrated with the stolen cards. has anecdotal evidence that some cardholders' accounts were fraudulently used, but Visa and MasterCard said that they do not have any overall breakdown of fraud statistics that would allow them to determine a figure for losses attributable to the theft.

"But certainly we've seen no uptick as a result of this case or fraud in general," said Sean Healy, a spokesman for Visa USA, noting that fraud rates remain at historic lows even though the level for Internet transactions is 9 cents per $100 as compared to 6 cents per $100 for brick-and-mortar transactions.

He also cited the credit-card company's zero-liability policy for customers whose credit cards are used for financial fraud.

But Karen Jones of Sebastapol, Calif., said that while she has suffered no monetary loss since her Visa card was posted on the Web by Maxim, the theft has caused her a considerable amount of grief. She figures she has spent roughly 10 hours a week since Dec. 30 corresponding with credit card companies and dozens of merchants and vendors to get more than $4,000 in fraudulent charges removed from her account.

And even after she canceled her credit card and opened a new one, charges from the old card continued to find their way onto her new account.

She finally was able to put a stop to the credit cross-pollination by contacting the Visa International office in Tokyo. A Visa International spokeswoman said the forwarding of charges to the new account was "not a normal operating practice," and indicated that it would be the responsibility of the bank that issued the card to correct the problem.

Jones said that while her experience was extremely educational, it also was frustrating. "There's nobody out there - there's no agency - that is willing to take on the individual cardholders," she said. "... It's you and the bank that issues you the card.

And after spending countless hours trying to get the fraudulent charges erased, she has a piece of advice for anyone who finds themselves in a similar position.

"I would say don't waste your time like I did," she said. "Let the Visa issuer worry about it."

main page ATTRITION feedback