Cyber Canon Book Review: “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity" (2008), by Byron Acohido and Jon Swartz
Book Reviewed by: Jon Oltsik, Enterprise Strategy Group Senior Principal Analyst and Fellow
Bottom Line: I don’t recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
When I started focusing on cybersecurity back in the early 2000s, we faced a series of routine attacks like the Melissa virus, Love Bug and Anna Kournikova. Viruses and worms were often propagated through email, botnets or exploited Windows vulnerabilities, then quickly spread through contact lists or common Windows protocols.
Viruses and worms of the early 2000s caused their share of havoc by weaponizing Windows PCs, saturating corporate networks and disrupting operations, which led to massive and costly cleanup efforts. For example, SQL Slammer in 2003 exploited a SQL Server vulnerability and quickly spread to hundreds of thousands of Internet-connected systems, impacting business operations at Bank of America, Continental Airlines, the City of Seattle and many other organizations. Researchers estimate SQL Slammer cleanup costs exceeded $1 billion.
Who was behind this string of attacks? Most often, it was lone wolf hackers showing off to their peers or making a declaration about the state of software security. The MS Blaster worm, which in 2003 affected 120,000 PCs within 24 hours, was written by 18-year old Jeffrey Lee Parson from Hopkins, Minnesota. The worm contained a direct message for Microsoft founder and then CEO, Bill Gates, that read, “Billy Gates, why do you make this possible? Stop making money and fix your software!”
This era of cybersecurity hijinks ended abruptly in about 2005 when data broker ChoicePoint was conned into selling 145,000 personal records to bogus African businessmen. This event made it abundantly clear that the bad guys had figured out ways to scam the system, steal personal information, conduct identity theft, and execute billions of dollars of fraud and cybercrime activities. The Internet hasn’t been the same since.
“Zero Day Threat” by Byron Acohido and Jon Swartz documents this metamorphosis, describing how the Internet transformed into a high-crime neighborhood in the early 2000s. This transition was the result of a “perfect storm” of three simultaneous trends:
- An exponential increase in consumer credit, driven by Internet technology proliferation: The book outlines the creation and evolution of credit card purchasing. In 1963, the entire credit card industry totaled $111 million. By 2006, Visa accounted for $2.4 billion on its own. In the early 2000s, banks and credit card companies made it extremely easy for consumers to acquire new credit cards, qualify for “creative” mortgages and accrue billions of dollars of household debt. Fraud was viewed as a cost of doing business as the industry insulated itself with high-dollar lobbying, friendly regulations, and insular and adversarial practices.
- A resulting boom in consumer data creation, analysis and sales: Along with ChoicePoint, data brokers, credit agencies, investigative services and banks themselves collected and analyzed massive amounts of consumer data. Although fraught with inaccuracies, this data was available for sale to Internet users as well as scam artists and cybercriminals, leading to a growing wave of identity theft throughout the decade.
- A rise in the sophistication and cooperation of cybercriminals: An army of drug dealers, petty thieves and professional criminals realized that there was easy money to be made by exploiting this electronic pot of gold. As a result, cybercriminals developed their craft, organized online and remained steps ahead of technologists and law enforcement.
“Zero Day Threat” does a great job of documenting this cat-and-mouse game, dividing each chapter into the behavior of three different types of actors: 1) Exploiters: The scammers, identity thieves and cybercriminals. 2) Enablers: Banks, credit card companies, data brokers, etc. 3) Expediters: The technologists who write code and/or defend against cybercrime.
Through these three personas, the reader is taken through a series of independent and related episodes. For example, the book tracks a gang of cybercriminals residing in Edmonton, Alberta, Canada. The group evolves from hapless dumpster divers in the first chapter to a globally connected cabal capable of stealing $10,000 per day through a combination of website hacking, identity trading and the exploitation of numerous holes in the Canadian banking system. It also follows several innocent individuals through the trauma of identity theft and the lengthy legal recovery process.
The Enablers sections of the book take the reader through the evolution of online banking and credit initiatives, technologies and regulations. This journey begins with the creation of the Diners Club card in 1952 and culminates by describing a credit card clearing infrastructure capable of 6,803 transactions per second. The system of cheap and fast credit also created a peripheral industry, including credit bureaus and data brokers, all eager to make money through the sale of consumer data. The authors explain that these firms place profitability above all other activities, including keeping the data accurate and providing customer service to individuals who’ve experienced some form of identity theft.
The Expediters section will be most familiar to cybersecurity professionals with 10 or more years of experience. It highlights some of the viruses and worms of the early 2000s and explains how malware became a tool for global organized crime. It also looks at technology companies like Microsoft, whose code was (and still is) the target of so many attacks. For example, the book looks at Microsoft’s adoption of its Trustworthy Computing initiative and software development lifecycle (SDL), then relates how these security enhancements changed cybercriminals’ tactics, techniques and procedures (TTPs).
“Zero Day Threat” was written 10 years ago, so it is a bit dated. Nevertheless, it provides the reader with a detailed summary of the causes and effects of cybercrime and identity theft. Thus, the book represents a cybercrime example of philosopher George Santayana’s famous quote, “Those who cannot remember the past are condemned to repeat it.” In other words, cybersecurity professionals will find that “Zero Day Threat” can provide a synopsis of how cybercrime and identity theft became so prevalent from 2000 through 2018.
On a final note, it is worth stating that Acohido and Swartz are journalists, and their professional experience is abundantly clear to the reader. The book is well researched and extremely vivid, describing individuals, historical events and technical events with precise and colorful detail. This makes “Zero Day Threat” an easy yet informative read. Cybersecurity professionals interested in financial services, cybercrime or identity theft should add this fine book to their reading list.
We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!