Q&A: Fraudster Frank Abagnale offers IT security advice
- 19 October, 2007 11:22
At Computerworld's Storage Networking World conference in the US, Frank Abagnale gave a keynote presentation on his life as an imposter and fraudster, a story that was told in the book and subsequent Steven Spielberg movie, Catch Me If You Can. Prior to his presentation, Abagnale spoke with Computerworld about ethics, computer crime and security risks faced by IT professionals.
Excerpts from that interview follow:
Suppose you'd been born in 1980. How much of what you got away with 40 years ago do you think you'd be able to get away with as a 17-year-old today?
It would be 4,000 times easier to do today, what I did 40 years ago, and I probably wouldn't go to prison for it. Technology breeds crime -- it always has, it always will. When I forged checks 40 years ago, it required a $1 million printing press that required three journeymen printers to operate. I had to build scaffolding on the side of it so I could operate it by myself. There were color separations, negatives, plates, typesetting chemicals.
Today, I sit down at a laptop, pick any company I want, go to their Web site, capture their logo, like American Airlines. I put it up on a check with a 747 in the background taking off. Fifteen minutes later, I have the most beautiful American Airlines check you've ever seen -- probably 10 times better than the check American Airlines uses.
Forty years ago, I wouldn't know who signs American's checks; I wouldn't know where American Airlines keeps its accounts payable account. Today, I would just call their accounts receivable, ask them for their wiring instructions. They'd tell me where they bank, on what street in what city, what their account number is. I call back and ask for a copy of their annual report, and on page three will be the signature of their chairman of the board, the CEO, the CFO, the treasurer. I scan it onto glossy white paper, with camera-ready art -- and I have the check. A world of too much information and the technology make it very easy to do today what I did 40 years ago.
Do you think there's much similarity between what drove you and whatever it is that drives a 17-year-old hacker today?
No, mine was strictly a matter of survival. I was a kid who ran away from home at 16 and ended up in New York. A lot of people back then got into Haight-Ashbury, the hippie scene, the drug scene. No one was going to hire a 16-year-old, so I started out by lying about my age in order to secure a job. One thing led to another and it became more of a case of people were after me, so I had to stay a step ahead of them. I don't think I was out to set any goals or to make X amount of money. I was very creative, so it became more of a game as time went on.
Is there anything we can do to make illicit computer-related activity a less attractive pursuit for young people?
There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect.
Page BreakI've spent 32 years at the FBI, and I've witnessed crime only got a lot easier to do. Obviously, there's a lot less threat of being caught. When I was caught, I was just a teenager, and they sent me to prison for five years. Today, I'd probably get probation and community service; I might get 18 months and serve six months in jail. So there really is no threat of going to prison to keep somebody in line.
I really think the more technology there is in the world, the more you have to instill character and ethics. You can build all the security systems in the world; you can build the most sophisticated technology, and all it takes is one weak link -- someone who operates that technology -- to bring it all down. People don't like to talk about that issue, because they think it's over-simplified. But the fact is, in all my experience, that's where the problem lies. Until that changes, crime is always going to be with us.
Any thoughts on how we can bring that change about?
I think you need to bring character and ethics back into schools, and you certainly need to bring it back into colleges and universities as part of a curriculum. Only about half of Fortune 500 companies even have a code of ethics or code of conduct. The ones that do have one publish it every five years on an inside page of their annual report to appease their shareholders. So, obviously, there's no big effort out there to bring about that change. Rutgers just finished a five-year study that found that 56% of MBA students cheated.
There are really no con men anymore like there were in my day, because you really don't have to associate with anyone. You don't have to be well dressed and well groomed and well spoken. Everything's done on a computer; there are no witnesses. So even if you know who's doing it, you probably don't have the ability to go capture them. Chances are you have no idea what they look like; they can sit in their pajamas and commit all these crimes.
As someone who has had a lot of experience with the law-enforcement authorities in other countries, how would you rate the effectiveness of international cooperation in the fight against computer crime?
It's getting a little better, but you're dealing with a lot of countries like China, Nigeria, Libya, Russia, where we really don't have that cooperation. Unless it's a huge dollar amount or some international incident, it's very difficult to get the authorities to do anything about it. The American authorities or Interpol talking to Beijing about doing something about a hacker somewhere in China is unlikely to bring about any law enforcement activity.
How are we doing domestically?
We have a lot of stupid laws. There's Check 21 [the Check Clearing for the 21st Century Act, which requires banks to accept paper documents with check images in place of original paper checks] -- the whole concept is ridiculous. Basically, what happens today is you give me a check for $2,500. I take the check and alter it to $25,000; I go to my bank and deposit it. My bank takes an image of it, which is a 600 dpi black-and-white copier image. It transmits that to your bank; they pay it, then they physically destroy the check. A month later, you reconcile and your auditor goes, "You wrote Abagnale a check for $2,500, obviously Abagnale has altered the check." So you sign an affidavit to your bank saying this is a forgery, the physical check has been altered. Under Check 21, they have to go back to the first bank of deposit, which is my bank. They tell my bank, "You have to give us some money back, this is a forged check, we have an affidavit from our client." Then, of course, the bank calls me and they say, "Computerworld said they gave you a check for $2,500 and you altered it to $25,000." I say, "They did? Do you have the check? No? Talk to you later." There is no evidence -- it's just absurd. There are a lot of stupid laws passed every day. I always say, criminals must have lobbyists in Washington.
Page BreakWhat's the single biggest oversight companies make with respect to computer security?
First of all, there is no foolproof system. If you believe you have a foolproof system, then you have failed to take into consideration the creativity of fools. My experience is if there's a man or woman who designed it, there's a man or woman who can defeat it. So I think most companies fail to take into consideration that they've developed this great system, but then they've failed to look at the person who's operating the system, the person who has information about the system -- his background and how much that person can be trusted. Companies hire people today with very little background checking; they're put into positions or they earn their way up to positions where they can do something to harm or cheat that company. So we have to pay a lot more attention to that weak link -- the human part of the system.
Would you say the greater security threat to a company is internal or external?
I think it's internal. What you have today is a lot of influence from the outside. For example, if I'm trying to get inside a company, I'm going to find out who works in that weak-link position. I may find him in a bar or a restaurant, I'm going to get to know him and eventually I'm going to say, "I don't know what they pay you, but I will triple or quintuple what they pay you if would simply get this information for me." I'm not saying to steal something physical, to go rob some money. I'm saying to somebody, "Pull this up on the screen, write it down on a Post-it note, give me the Post-it note, and I'll give you $50,000. Nobody's going to know you did it, you'll never see me or hear from me again." It's very appealing to someone who has very little character and ethics in their background.
What's the biggest misconception people have about you and your background?
All people know about me is the movie and what I did; I don't think they know that I've spent 32 years with the FBI and that I've dedicated my life to doing these kinds of [law-enforcement] things. People just know me as the character from the film. I do like the fact that most people don't recognize me, because they only know my name, so that's helped me a great deal since the film came out. But I don't really worry about those things -- I've tried to dedicate my life to eradicating some of these crimes. I've found that the No. 1 key way for me to do that is to educate people, so not only do I teach agents at the FBI Academy how to think out of the box, but I like to go out and tell the general public in banks and corporations, "Here are the problems and this is what you can do about it."
I don't want to go out and say, "Buy this software, it costs $1 million." I like very simple solutions to very serious problems. So I find that if I let people know, "Here is your risk, here is how people do this to you and this is how you prevent this happening to you," people are smart enough to go take the necessary steps to protect themselves. The problem is that most people are basically honest, so they don't sit back and think about how someone would do this. They're very naive when it comes to doing business, especially on a computer, and they have no concept of their risk.
What's the single most important thing that readers will read in your new book, Stealing Your Life, that's not available to them from any other source?
This is the fifth book I've written on crime. I just try again to bring people up to date -- this book is all about identity theft. I first wrote about identity theft in the 1980s in a book called Crimes of the Next Generation, and I talked about it before it was ever given a name -- that it would come to pass that we would have people stealing identities. You have to make people aware of the risk and show them all the ways people do it so that it opens their eyes to how simple it is to do it, and then on the other hand, show them simple ways to protect themselves as well, without going out and spending a fortune doing that.
Page BreakYou dedicated the book to Joseph Shea, the FBI agent whose mission it was to arrest you. Why?
He and I were friends for 30 years; he died at the age of 88 just about a year ago. He was a great help up until his death. I watched his two daughters grow up and get married; I attended their weddings. He watched my children grow up. He was obviously a big part of my life in getting me out of prison and getting me to work with the government. He was someone who saw that I had something to offer and he was very big on helping me do that. I think when he started out, he thought I was some master criminal and he was going to catch me, but when he came to the realization that I was just a kid and I was a runaway, being a father, he had a lot more compassion.
Obviously, I wish I hadn't lived the life I started out living, and I wish I could live that over. But I can't do that.
On the other hand, one could argue that if you hadn't done that, you wouldn't have been able to accomplish what you have in the past 32 years. That's true. It's a life I wouldn't want to have to live over again, even though I know where it's brought me today. But I believe there's a purpose and a reason things happen, and I'm just very fortunate that I grew up in a great country where you get a second chance to start your life over again and do something with it.