Sunday, December 22, 2013

From 1963 to 2013: Two Robberies and How The Thieves Got Away

Last week brought news of two robberies that happened five decades apart:  the Great Train Robbery of 1963 and the Great Target Data Breach of 2013.  A comparison of the two tells us something about how the business of thievery has changed over the years, and how likely it is that criminals who execute large-scale thefts like these today will be punished for their misdeeds.

But first, the tale of Ronald Biggs.  On his 34th birthday, August 8, 1963, he assisted a dozen or so partners in crime in an elaborate scheme to divert a British mail train carrying some $7 million in banknotes (equivalent to about $50 million today).  Back then, the Bank of England had the bad habit of shipping large amounts of physical currency from one bank to another, and the thieves caught wind of a shipment and successfully heisted it all.  Biggs' fingerprints were found and he was captured quickly and sentenced to a long jail term.  But less than two years later, he staged a daring escape and made his way first to Australia, then to Brazil, living a life of debauched indolence and occasionally taunting the British authorities by consenting to interviews with visiting newspeople.  However, as he became aged and sick, home looked better than ever, and he returned to England in 2001, expecting a pardon.  What he got instead was a jail sentence, which he served until 2009 when he was released on account of poor health.  He died Dec. 18, a hero to rebels everywhere but a convicted criminal nonetheless.

Only three days earlier, the giant U. S. retailer Target announced that from Nov. 27 to Dec. 15, an elaborately planned hack of their point-of-sale terminals acccomplished the theft of as many as 40 million credit and debit card numbers, names, and one of the two types of card security codes (the one embedded in the magnetic stripe, not the one printed on back of the card).  The potential value of this data on the black market is comparable to the $50 million or so that Biggs and his cohorts nabbed.  This particular piece of information came uncomfortably close to home when I discovered that my wife had used our debit card at Target for Christmas shopping recently.  Fortunately, she used it after Target said they had stopped the breach, but some 40 million people weren't so fortunate.

Catching Ronald Biggs was a matter of examining physical evidence such as fingerprints.  The digital fingerprints left by the Target thieves are much harder to trace.  Late word is that security experts have localized the source of the hack to Southeast Asia, but they may well encounter a brick (or bamboo) wall in their investigation at that point.  The global village metaphor is overused, but from a digital point of view, we really do live practically in each others' laps, with millisecond access to any of millions of computers around the world possible from my lowly laptop here on my desk in Texas.  But the uniformity of jurisdiction that allowed English detectives to move freely and quickly to investigate the Great Train Robbery does not exist across international boundaries, and it's hard to imagine how this situation would change.

There is some precedent in the way that international technical standards are worked out by so-called "working groups" that gather voluntarily to decide on a given technical problem.  But such groups have an automatic unity of purpose that the law-enforcement agencies of different countries do not share.  In some parts of the world, the criminal element is almost indistinguishable from the legitimate government.  Somalia comes to mind, and North Korea, where counterfeiting is regarded as a legitimate act of war.  The only way you could catch cyber-criminals who are harbored by such governments is to go to war with the government, and that measure is a little extreme even for the most dedicated law-and-order types. 

Fortunately for the millions of Target shoppers who were caught with their numbers down, so to speak, the big losers in such thefts are not the individual credit-card holders (whose liability is usually limited to $50) but the retailer whose system was breached, and the credit-card companies and banks themselves.  There will be lawsuits, surely, but the chances of recovering either the data or the money stolen by means of the data are small, if the history of similar breaches is any guide. 

In many European countries, a more complex type of credit card is used, one which has a microchip embedded in it that generates a different security code every time it is used.  It's much harder to hack the microchip type of card than it is to hack the old-fashioned magnetic-stripe variety that dominates the U. S. market.  But because the microchip card will require massive retooling at retailer point-of-sale systems and in the systems of credit-card issuers, the industry has resisted it so far.  According to the president of the Connecticut Bankers Association, MasterCard and Visa have promised to roll out the microchip cards by 2015, but this assumes that retailers won't block it by protesting it will cost them too much.  However, if the banks tell the retailers that they will be liable for fraudulent charges unless they switch to the new system, that may persuade reluctant retailers to get with the program.

As long as there is money and other valuables, there will be people who want to steal.  And the Target data breach is just the latest in a long series of cops-and-robbers escapades that goes all the way back to cavemen filching another tribe's giant-mastodon meat, no doubt.  But let's hope that the credit companies, banks, and retailers get their act together sufficiently to give us a well-tried microchip technology soon, one that at least makes it harder for thieves to break in and steal your credit-card number. 

Sources:  I referred to articles on Ronald Biggs in the Washington Post at and the New York Times at  I used information on the Target data breach from NBC News at, from Forbes at, and from an AP report carried by the Boston Globe at as well as a Fox News report at  The Connecticut banker was quoted by the Connecticut Post at, and I referred to the Wikipedia article on card security codes. 

No comments:

Post a Comment