Los Angeles Times: Monday, August 26, 1996 Credit Sting Involves Hacker And Citibank Cardholders By JIM NEWTON, TIMES STAFF WRITER When U.S. Secret Service agents set a trap for a young computer operator who had expressed an interest in stealing credit information, they baited it well: with real credit card numbers from real customers. The young man, Ari Burton of Las Vegas, went for it, was arrested and was charged with possession of stolen credit information--charges to which he ultimately pleaded guilty. That ended the case against Burton, but the cardholders' information did not stay secret with the Secret Service. Detailed credit histories of 35 Citibank cardholders, none of whom gave their permission for their files to be accessed, ended up with the defendant, his lawyers and anyone else who got a copy of the case file. Included in it: names, addresses, home phone numbers, Social Security numbers, credit card numbers, available credit lines and outstanding balances--more than enough for anyone to run up huge tabs on unsuspecting customers. The cardholders were never warned that their information had been used in a sting, or that it had subsequently been shared with the defendant and others. In fact, a few of the cardholders only learned of the disclosure when the defendant's father wrote asking whether they had authorized the release of the information. Others found out just last week, three years after the information was first released, when contacted by The Times. Told of their unwitting involvement in a federal sting, many were furious. "I'm upset, I'm real upset," said Joe Becker of Costa Mesa. "I want to know how this happened." "I never authorized anything like that," said Sarah DiBoise, who lives in Atherton. "I am certainly bothered by it." And Sam Zadeh, who lives in New York, deplored what he called the "bank and law enforcement agency invading our privacy." The same revelations that left cardholders smoldering also raised troubling questions about the conduct of the government and of the bank that released private information to the Secret Service. Some of those questions ripple into delicate areas of criminal law--topics such as the right of defendants to evaluate evidence against them and the right of uninvolved citizens to maintain their privacy while federal agents try to corral bad guys. Why, lawyers, cardholders and others asked, would the Secret Service use real cardholder information for sting operations? And even if, for legal reasons, it feels compelled to use actual credit histories, why not seek permission from cardholders first? Finally there is this question: How many cardholders nationally are exposed to disclosure of their credit information through government operations? Authorities in some other parts of the country say they do not use real credit information, and Citibank stresses that the Burton case was an aberration. But investigators and prosecutors in Las Vegas said the techniques used to nab Ari Burton are employed in other instances. In fact, Secret Service agents in Las Vegas say the use of real credit information is forced upon them by federal law requiring authorities to demonstrate that a suspect actually possessed something illegal in order to win in court. "In something of this nature, the crime is the illegal obtaining of what is called the access device," said Jerry Wyatt, assistant special agent in charge of the Secret Service office in Las Vegas. "Unless the access device is a real number, it's just a number." Following that theory, some authorities argued that if the Secret Service had supplied Burton with fake credit card information, Burton could not have been found guilty of attempting to steal real credit card histories. But that reading of the law is hotly contested by experienced lawyers. Although it is a violation of federal law to have unauthorized possession of an access device--another name for a credit card number--it also is against the law to attempt to possess such a device, even if that attempt turns out not to be successful. Legal experts said agents could make up fictitious customers and generate false credit histories, then use that information in sting operations. Even without a handoff of real credit information, prosecutors still could charge the objects of the stings with attempting to steal credit card numbers, an approach that might slightly complicate criminal cases but that would protect cardholders. Wyatt said he was not familiar enough with the facts of the Burton case to know why that approach was not adopted. Nor could he say how many cases each year involve the knowing transfer of actual credit information from the government to criminal suspects--only that such cases are not unusual. At the U.S. attorney's office in Las Vegas, the chief of that office's criminal division agreed that other tactics might have minimized the risk to cardholders in the Burton case, but he said the Las Vegas office typically uses real credit card numbers of actual cardholders in luring suspects such as Burton. "We're sensitive to disclosing too much personal information," said John Ham of the U.S. attorney's office. "But whenever we charge credit card cases, we include names and numbers." As for its role, Citibank acknowledged releasing the files to the government but defended its actions by saying it meant no harm and by stressing that its customers' privacy is its highest priority. "We would never do anything to jeopardize our customers," said Maria Mendler, a spokeswoman for the bank, which has a reputation for vigorous protection of its cardholders' privacy. She acknowledged that real information was supplied in the Burton case, but she said the bank did not intend for that information ever to surface in a court file or otherwise become available to the defendant and others. In 1993, the bank also defended its actions in a letter to a lawyer by noting that while information had been released, it had not been done to hurt anyone. "We submit that the actions as alleged do not include the requisite element of an intention to do harm to those customers whose information was disclosed," an associate general counsel for Citibank wrote at the time. Those explanations hold little sway with Citibank customers, however, many of whom complained that if their personal credit histories were going to be used in a sting operation, they at least deserved to be notified so that they could apply for new card numbers once the operation was over. Instead, sensitive information about them and their credit has been kicking around a court file for more than three years--available to, among others, Burton, a man who has admitted that he tried to steal credit information. There is no evidence that Burton or anyone else used the card information gathered in that case to ring up bills, but that, too, is little comfort to the cardholders. "Financial information is private, and I have a right to privacy," said Becker, one of those whose credit information was used by the Secret Service. "I'm worried about how this information might be used now that it's out there." Experienced defense and civil rights lawyers, who are used to analyzing government conduct and subjecting it to harsh scrutiny, said they were taken aback by the actions of the Secret Service and Citibank in the Burton case. "I would think these people could sue for invasion of privacy," Century City defense lawyer Harland W. Braun said of the cardholders. Paul Hoffman, a Los Angeles civil rights lawyer, said he too was surprised by the use of private information in a sting. "It does seem amazing to me," he said. "These people have rights, too." Legal experts with both defense and prosecution backgrounds acknowledged that problems might have confronted the Secret Service had it tried to avoid offending customers by fabricating card numbers or inventing fake credit histories. But they said those problems probably could have been overcome, and added that in any event, they did not pose enough of an obstacle to justify accessing credit information without permission. "The answer to that is you get real people who are willing to have their credit cards used that way," said Hoffman. "If you're doing a sting in a house, it doesn't mean you go into a neighborhood and take a house. Why should this be different?" Complicating the issue still further is a decision by the prosecutor in the case. Once the Secret Service and Citibank had used real credit histories to bait the trap for the sting, the U.S. attorney in Las Vegas was presented with a case in which the evidence against the defendant involved personal information whose disclosure might harm innocent citizens. That type of situation can pose a difficult dilemma for a prosecutor: Federal rules require that prosecutors share evidence with their defense counterparts so that defendants know what they might face at trial, and failing to do so can allow suspects to go free. On the other hand, disclosing the information might put other people at risk. In general, careful prosecutors tend to err on the side of providing information to the defense even if it may create hazards for others. In the Burton case, however, some experts argue that the privacy rights of the cardholders should have outweighed the defendant's right to confront the specific identifying information; an edited list of cardholder information should have sufficed in a case such as this one, they said. The solution, according to those experts, would have been for prosecutors to ask the judge to impose a protective order that would have shielded the personal, private information from either the defense lawyer or from the defendant himself. But others maintain that Burton's lawyers were entitled to the information because it was evidence against Burton, and therefore evidence that his lawyers had a right to assess and consider in deciding their legal strategy. Ham, the chief of the Las Vegas office's criminal division, echoed that view, saying his office had no choice. "We have to provide documents that support the charges," he said. If prosecutors had not done so, he added, a judge undoubtedly would have forced them to. Ham said no protective order was sought to keep the information from being shared with people other than the defense lawyer. The prosecutor, said noted Los Angeles defense lawyer Donald Re, "probably had the obligation to provide the material in discovery." Re added, however, that a protective order might have been tailored to allow Burton's lawyers to review the material on the condition that they not share it with anyone else, including their client. Because there was no such order, Burton effectively received the same information in discovery that he had sought illegally. Within a month of being arrested, the same government that was charging him with a crime provided him with the list of cardholders and their personal information. "They handed it right back to me," Burton said in an interview. At the same time, Re and others stressed that the prosecutor's decision was a close call and difficult to second-guess. Far more troubling, they said, were the actions that led to it: the bank's disclosure of the material and the Secret Service's decision to hand it over to a suspect. And given the statements by investigators and prosecutors that the techniques used in the Burton case are widely practiced in other investigations, many experts warned that ill-advised government practices may be putting cardholders across the country at risk. "There are a lot of situations where they create a scenario like this where you want to show actual possession, not just an attempt," said Re. "But in those situations, you get consent from somebody. You have a security officer who sets up an account, and you use that account number in the sting. Then there's no harm, no foul. "But you don't give out real information," Re added. "That's just crazy." USA Today: Wednesday, August 28, 1996 Citibank Tightens Rules on Disclosure to Law Enforcement By Jeff Mangum Stung by a sting that nabbed a Las Vegas man for possession of stolen credit information, Citibank says it has changed how it works with law enforcement agencies. Citibank agreed in 1993 to give the U.S. Secret Service credit card information on 35 customers, without their knowledge, to help catch a man who eventually pleaded guilty. Customers' names, addresses, home phone numbers, Social Security numbers, credit card numbers, available credit lines and outstanding balances ``ended up with the defendant, his lawyers and anyone else who got a copy of the case file,'' the Los Angeles Times reported Monday. ``Citibank trusted that the criminal justice system would keep this information safe and confidential,'' the bank said Tuesday. ``As it turned out, that was a mistake.'' Citibank says a relative of the defendant subsequently contacted the affected customers, asking them to join a class-action lawsuit against the bank. That, spokesman Mark Rodgers says, prompted Citibank to contact the customers and change its policy in 1993. ``Were we to consent to a similar operation (now), for example, we would only do so with the express consent of that customer,'' Citibank said Tuesday. Federal law generally prohibits disclosure of financial records. But there are exceptions. ``The general rule of thumb is there has to be a subpoena or a person's consent,'' says Mitch Montagna, a spokesman for AT&T;Universal Card. The American Bankers Association says ``99.9% of the time, customer information is safe and secure.'' Denver Post: Tuesday, September 10, 1996 Editorial U.S. Invades Privacy in Nevada Credit-Card Sting Americans who say they worry about invasions of their privacy have a new reason to fret: In a recent case, the federal government and a major bank willingly gave a suspected crook the credit card numbers and personal histories of citizens -- without their permission or knowledge. The breach of privacy in this Las Vegas, Nev., case was egregious and outrageous. The Clinton administration should reprimand the agents involved, and Congress should amend the laws so that such an affront to citizens' rights never reoccurs. In the case, U.S. Secret Service agents wanted to snare a computer operator who had expressed interest in illegally obtaining credit-card information. They asked Citibank for the names, addresses, Social Security numbers and other credit information on some of the bank's card holders. Citibank complied with the request - but never got the card holders' permission to divulge such personal information, according to a story in the Los Angeles Times. In other words, law enforcement agents handed a suspected credit swindler the very information he would need to carry out a crime. The suspect ultimately pleaded guilty to some of the charges. Many of the card holders heard that their personal records were used to bait a credit-card sting only when the defendant's father contacted them. Others learned about the episode through a newspaper reporter who was covering the case. In theory, there are laws to protect consumers from people prying into their credit histories without their permission. Obviously, these statutes aren't nearly strong enough. American Banker: Monday, September 16, 1996 FUTUREBANKING Mondex, Moving Fast, Sees Long Trek To a Worldwide Cash Alternative By JEFFREY KUTLER Exactly a year passed between the start of the Mondex trial in the southwest England town of Swindon and the creation of Mondex International, the banking consortium that hopes to use the smart card system as the basis for a global alternative to cash. That was fast according to the calendar. It was also an eternity. During those 12 months, National Westminster Bank, the new payment technology's inventor and champion, rode a roller coaster between self- congratulation and a skeptical press, between the celebration of an unprecedented accomplishment and a storm of criticism from within its own industry. Even with the formation July 18 of Mondex International, enthusiastic backing from banking powers as diverse as Wells Fargo Bank and Hongkong & Shanghai Banking Corp., and the current cloning of Swindon in the Canadian city of Guelph -- it relates locationally to Toronto as Swindon does to London - the Mondex eternity continues. The emotional pendulum still swings at Natwest Group headquarters in London. And emanating from Natwest and from within the Mondex project is a mix of messages that underscores how truly groundbreaking is their attempt. Win or lose, whether or not they are understood or praised by their peers, the founders of the Mondex project have risen above the almost weekly cycles of technological change and quarterly pressures on earnings with a longer-term perspective antithetical to the traditional ways of bankers and the banking industry. "Natwest recognizes that Man does not live by short-term profits alone," group chief financial officer Richard K. Goeltz said in a recent interview with American Banker. "There are things we have to bequeath to our successors." Mr. Goeltz -- who moved to New York this month as chief financial officer of American Express Co. -- and others close to Mondex want the world to recognize how far they have come in a year. But the Mondex promoters are quick to point out that it is actually Year 6 since Natwest began to fund them. Today they look at a 10- or 15-year horizon. (Natwest will recover most if not all its development cost by issuing about $150 million of stock in Mondex International. The bank expects to collect further royalties as the system rolls out. Partner bankers do not begrudge Natwest its return for risk taking.) One gets the sense that Natwest's leaders were so well primed for the long haul that it would take more than a few technical glitches and negative newspaper stories to get their goat. Mr. Goeltz dismissed the sniping from more tradition-bound competitors as "slings and arrows" that never hit their mark. Mr. Goeltz and other insiders knew, long before the Mondex International membership roster became public, that the concept was attracting interest. "Broad-scale cooperation" was a prerequisite, written into Natwest's business plan, and 16 other "global founders" who came forward July 18 found the case compelling enough to want to join in the marathon. "This is a process of change management - it's not like flicking a switch," said Roy S. Pratt, deputy chief general manager of Mondex UK Ltd., the British franchise co-owned by Natwest and Midland Bank Ltd. "Our job is not to say, 'This is how it will be.' It is about trends and responsiveness. To say anything is cast in stone at this point would be presumptuous." Mr. Pratt, 49, spent 31 years at Midland Bank before being "seconded" to Mondex UK in 1994. His banking jobs were in treasury, asset/liability, and portfolio management. He said his nontechnological background enabled him to see the complexity of the phenomenon, to confront necessary questions about the known and unknown quantities of a reinvented payment system. "People always want to ask about take-up (acceptance) rates, how fast this will happen, but I am reluctant to make blanket statements," Mr. Pratt said. "Mondex will mean different things to different people. It will not be the same at Exeter University (where it is being introduced this fall) as it is in Swindon. "There is not one proposition or growth rate. What is a critical mass for one segment will be different in another. A carpark will not be the same as a bus. You might call each a micro-Mondex economy. "This is a change process that will be based on value exchange on a just-in-time basis," Mr. Pratt continued. "It is not a product like a loan or deposit package, or even a payment mechanism. It is not mono-dimensional. "And it's not just an issue for bankers. We respect the integrity of the payments process, but we also have a responsibility to society." Such words are hardly bankerly. To be sure, Mondex has rigorous underpinnings. The bankers' thought processes are logical. The strategic plans passed muster with "some of the most sophisticated, hard-nosed bankers in the world," Mr. Goeltz said. "Mondex does have tremendous social implications, not least in terms of what it can do for welfare payments and pensions," Mr. Goeltz said before his recent departure for American Express. By automating cash "it reduces friction in the economy. "But the implications for society were not the motivation for Mondex. It was to serve customers better and generate a return for shareholders. "What's interesting about Mondex was not the technology," Mr. Goeltz went on. "The technology was a facilitator. This is one of the few products I've seen in which all three participants in the value chain -- banks, retailers, and customers -- benefit." The enthusiasm carries over to outsiders - even some who have been lumped among the critics - to a point. "The richness, the robustness of the technology, is fantastic," said H. Eugene Lockhart, president and chief executive officer of MasterCard International. (MasterCard held negotiations with Natwest to buy into or participate in Mondex, but at the same time its European affiliate, Europay International, was developing the competitive Clip electronic purse system.) For more than two years, Mr. Lockhart has insisted on seeing smart cards' "business case," and even as MasterCard launches experiments around the world he is still not completely satisfied. "Let's assume there is a business case," he said. "The opportunity is that we have this new technology platform that can do a lot of things, stored value being only the first manifestation. "But there is a big problem: How on earth do you grow that system in millions of other cases just like Swindon?" Swindon, for now, is "the case." Mondex UK's overly optimistic projection of 40,000 cardholders in the city of 190,000 people set off the bad press. In reality, the 10,000 that signed up within 12 months weren't bad news at all. That's almost 25% of the combined Natwest-Midland customer base in the area. Mondex said its surveys showed 66% of the cardholders said they preferred Mondex to cash. Average card loads were the equivalent of $35 to $45, and the majority of transactions were under $7.50. Perhaps more to the point, it is hard to find a storefront, public phone, or any type of payment device in the commercial center of Swindon that does not accept Mondex. The banks signed 600 merchants, double the number accepting MasterCard and Visa, which stands to reason for a cash replacement. "You can actually go cashless," said Mark Gordon, Mondex International's head of marketing. "It's not a big deal when you present Mondex at the tills." While Mondex has been selective in its data disclosures -- no one denies that its transactions are a small percentage of the Swindon total -- Mr. Gordon and his team have been more than hospitable in letting the world come view Mondex. Banker delegations are commonplace, often gathering at the "Mondex Store" in the town center before setting out to observe and test merchant acceptance. Hardly a day goes by without the visit of a television crew. Many come from Asia, where Mr. Gordon believes "Mondex will really fly." (A Hong Kong pilot is set for late this year, and smart cards of various kinds are already prevalent in Singapore, Taiwan, and elsewhere in the region.) "They see this as a city of the future," he said, "like something out of 'Blade Runner.'" The Mondex staff tries to keep the visits unobtrusive, but some of the merchants were willing to pay the price of unanticipated stardom. "Our town center store is small," said Bob Upshall, manager of the Sainsbury supermarket, part of one of Britain's biggest chains. "Having Mondex raised our profile and provided a morale boost." At the corporate level, Sainsbury was eager to participate in Mondex because "it didn't want to be left behind." So the smaller, convenience-oriented Swindon outlet, which otherwise might have relied for years on older computers and point of sale equipment, got an upgrade on a par with many "superstores," and Mr. Upshall said, "My staff loved it. A positive staff is a plus for customer take-up." Sainsbury, a Midland Bank customer, invested 45 minutes per cashier in Mondex training and found the system was so easy to grasp that it didn't have to deploy, as anticipated, demonstrators in the checkout lanes. Mondex volumes were running at less than 0.5% of sales at the three Swindon stores -- slightly lower in the town center location than at the larger branches on the outskirts of town. Mr. Upshall said an incentive offer in May and June of a five-pound voucher (about $7.50) for every 50- pound ($75) shopping trip brought in transactions well above the average ticket of five pounds in-town and 30 pounds ($45) elsewhere. "Whether smart cards will be in Mondex or other forms, they are here to stay," Mr. Upshall said. He gauged customer reaction as "very positive," though mainly among early adopters. He himself likes Mondex as a consumer -- "I use it in the canteen all the time" -- and as a merchant, because it streamlines the cash-handling tasks that require two to three full-time positions in the supermarket's back office. Nearby in McElroy's, a local department store, Vince Ayris accepts and encourages Mondex payments at his shoe repair and key-making stand. Mr. Ayris has been in the business 17 years, is a well-known man about town, and so strongly believes in Mondex that he essentially sold it to the local rugby club, where "we use it quite a lot. I find I'm more careful about spending money (with Mondex) than with cash, and it's easier than small change." Mr. Ayris admitted to being "a bit skeptical at first," but he has become so strong a booster that Mr. Gordon felt he had to deny that Mr. Ayris is in Mondex's employ. "I don't give money away to a bank like I do with a MasterCard or Visa discount," the merchant said. "There is no problem with fraud or counterfeit. "I have more over-ring errors on the till than on Mondex terminals. Every transaction is documented so disputes are more easily resolved" than with cash. And because the Mondex terminal is smaller than a cash register, "I have more room for selling product." Mondex is also proving itself at a multiplex movie complex, part of the MGM chain that Virgin Enterprises recently acquired. John Keil, the manager, said he "needed no convincing" to accept Mondex at every point of sale. "We saw the benefit immediately. Any way at all to take cash out of the system, the better. "The bigger the business, the more problem cash is," Mr. Keil went on. "Any major company sees the benefits in the technology." Like the supermarket, the MGM outlet easily won staff support. "Most of them are into gadgetry," Mr. Keil said. It also encouraged sales by cutting Mondex users' ticket price to about $4.90 from $6.80. The transactions are still a small portion of the 30% of in-person box-office sales done on plastic cards. (Another 30% are advance sales by phone; Mondex has not yet been accepted that way.) Mr. Keil said he is looking forward to having "one box" that can accept all cards. Even so, he said Mondex was "very flexible, requiring no change whatsoever to our system. It was slotted right in ... They made their system fit ours." "I think the system will take off eventually," Mr. Keil said. His only regret is that because he doesn't live in Swindon, he can't use Mondex more than he does. It is as if Mondex has succeeded at recruiting its merchants as change agents. Time will tell if they are still on board when Mondex begins costing them something. "The chip brings a fundamental change," said Mr. Pratt of Mondex UK. "You feel as if you are shaping the future. "When the market begins using it to create its own needs and to solve its own problems, that's when the real thrill will come -- and a surge in usage." --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps