In my new book, Virus Bomb, Jerry Barkley doesn’t trust the FBI because his past experiences with the FBI have been less than satisfactory. Some people have suggested that what Jerry Barkley experienced in fiction with the FBI would never happen in real life.
My history with the FBI goes back to an embezzlement case in the 1990s. I was an independent consultant and a large company needed some specialty work done for which I was ideally suited. I met with the IT Director and another guy, and they asked me if I was okay billing through this other guy’s company.
Subcontracting deals happen all the time, usually because big company purchasing departments and governments only maintain relationships with a select few prime contractors. That puts those prime contractors in a power position with everyone else and it leads to all kinds of shady deals. It’s part of the nasty underbelly of the IT industry.
Given the choice between billing through a preferred prime contractor or not working at all, I said yes. I delivered my work, and then had to make noise to get paid. As I recall, it took around sixty days.
A few months later, a family friend who worked for the same company told me the police hauled the IT Director away in handcuffs from the company cafeteria. It seems he was in cahoots with that other guy and they inflated subcontractor hours and split the extra money.
The local police interviewed me and that was the last I heard of it. Until five, count ’em, five years later, in 2002 when a couple FBI agents asked me to meet them in their downtown Minneapolis office for an interview and agreed to pay for my parking. It seems my invoices were the only records anyone had about the real number of hours billed. Why did they take so long to interview me? They said the FBI had been busy since 9/11 – even though the embezzlement happened in the 90s, years before 9/11. They also made me pay for my own parking. They said I could tax-deduct it. Thanks, guys, I wouldn’t have been able to figure that out on my own.
To this day, I don’t know what happened to that IT Director or his partner in crime.
I ran into the FBI another time in November, 2000, and this was the incident that made me interested in cybersecurity. I wrote about it in a magazine column, and wrote a blog post about it here.
Somebody had penetrated my homebrewed DNS server and used it in an apparent DDOS attack against the government of Brazil. I called the FBI, but nobody took me seriously, and when I called back, nobody had any record that I had called earlier. I eventually had to explain what the internet was. Three months later, in early 2001, shortly after my magazine column was published, the manager of the Minneapolis FBI office called and wanted to troubleshoot.
This was a long time ago and I’m sure by now everyone at the FBI knows what the internet does.
A couple weeks later, somebody else from the FBI called and wanted me to join an organization named Infragard. The idea was a partnership between the FBI and the private sector to help secure the critical infrastructure of the United States. Giddy stuff for a bald guy from Minnesota, and so I said yes. I went to lots of meetings where people in nice suits handed out business cards to other people in nice suits and the organizers talked about their chapter governance structure.
One time, the Infragard higher-ups wanted to set up a booth at a tradeshow and needed volunteers to help staff it. I volunteered. Or, at least I tried to volunteer. Nobody returned any phone calls or emails and I have no idea if Infragard ever had a booth at that tradeshow.
Another benefit of Infragard was threat intelligence. Because I was a member, I saw FOUO (For Official Use Only) documents about the latest cyberattacks. The emails usually hit my inbox a day or two after articles appeared in the Minneapolis Star/Tribune, which we all know is a leader in technology news. (Insert tongue in cheek here.)
I kept at Infragard for almost fifteen years, hoping it would someday amount to something useful. My last meeting was in 2015 when I wanted somebody from the FBI to read my first book, Bullseye Breach. Membership dues were due that day, and I laid down $25 in cash and gave a copy of my book to the FBI agent in charge. Nobody from the FBI returned another phone call or email after that.
And there’s more.
In 2011, I needed to buy equipment for a customer, but US Bank denied my credit card. I talked to Kim in the Fraud Department and we spent more than an hour tracking down details on every single fraudulent transaction. We even talked to some of the store clerks in Florida who waited on the attempted thieves and remembered the incidents. I packaged all that information and emailed one my Infragard contacts. He returned the email, the FBI in Minneapolis sent it to the FBI in Florida, and I’m still waiting for a call back.
People don’t believe me when I tell this story. But I still have the email chain and I’m pasting it in at the bottom of this blog post, with names of people, phone numbers, and addresses changed. You make the call.
I know sharp people work for the FBI. I watched the announcement, along with everyone else in the United States, that the FBI had pieced together Hilary Clinton’s email server after she tried to wipe it. I saw the news about how the FBI tried to alert the Democrats about their data breach in 2016. I still question how the FBI knew enough about traffic in and out of that system to analyze it. Does the FBI have sensors at every internet service provider? And I know the FBI is involved in forensics for many of today’s sensational data breaches.
But multi-billion dollar international corporations and major political parties are only the tip of a big cybersecurity iceberg. Despite what politicians who don’t know what they’re talking about say, most of us are on our own.
From: Yyyyy, Xxxx A. <Xxxx.Yyyyy@ic.fbi.gov> Sent: Thursday, December 01, 2011 11:13 AM To: Greg Scott <GregScott@Infrasupport.com> Subject: RE: Chance to nail a credit card fraud clown Greg - You should speak with SSA Zzzzzz with respect to these concerns. He would be in the best position to answer your questions. Thank you, Xxxx Yyyyy From: Greg Scott [GregScott@Infrasupport.com] Sent: Thursday, December 01, 2011 12:09 PM To: Yyyyy, Xxxx A. Subject: RE: Chance to nail a credit card fraud clown OK. The only connection with Tampa is that name from Bayho – tenuous at best. Will the folks in Tampa actively go after this one? - Greg From: Yyyyy, Xxxx A. [mailto:Kyle.Loven@ic.fbi.gov] Sent: Thursday, December 01, 2011 11:02 AM To: Greg Scott Subject: RE: Chance to nail a credit card fraud clown Greg - Our Supervisory Special Agent (SSA) for Financial Crimes, Rrrrrrr Zzzzz, has decided to package your information and send it to the Tampa Division for action. If you need to speak with SSA Zzzzzz, he can be reached at (612) xxx xxxx. Thanks, Xxxx From: Greg Scott [GregScott@Infrasupport.com] Sent: Wednesday, November 30, 2011 4:57 PM To: Yyyyy, Xxxx A. Cc: [my wife] Subject: RE: Chance to nail a credit card fraud clown So is the FBI interested in going after this one? If so, I’ll call Kim, Han, and Alex back with a heads-up that the FBI may be calling so they don’t get freaked out. I was also exploring with Kim at US Bank the possibility of using that CC number as a honeypot but we weren’t able to come up with anything that didn’t put any merchants at risk. Now that it’s been declined and cancelled, our badguy is probably onto other credit cards anyway. And then I was trying to figure out how that card number was compromised. Off the top of my head, it’s on file with Amazon, eBay, Paypal, NewEgg, Tech Data, and maybe some others. If the FBI wants to go after this, I’ll dig deeper and find out all the places that have my CC number on file. LOL – nobody’s contacted me about any breach. Imagine that. Bayho is an online vitamin company. Why would somebody try to steal $thousands in vitamins over the Internet? Another mystery. - Greg From: Greg Scott Sent: Wednesday, November 30, 2011 3:17 PM To: 'Xxxx.Yyyy@ic.fbi.gov' Subject: Chance to nail a credit card fraud clown Hi Xxxx – thanks for taking my call a few minutes ago. Here is the info you asked me to send over: I have a US Bank Flex Perks card – now cancelled because it’s been compromised. I’ll give the number to you over the phone if you want. I spoke with a very helpful lady named Kim with US Bank a few minutes ago. Kim’s phone number is 866-821-8411 X kkkkkkk. This is also Kim’s employee number. Apparently, somebody stole my CC number and tried to use it for several transactions. Here are the dates and details: Big Fish on 11/24/2011 at 2:20 PM Central time for $1. This charge was declined because the expiration date was wrong. US Bank reference number 132968223717. I spoke with Alex from Big Fish, phone number 866-921-6960 and alerted Alex we may try to track down the IP Address that started the offending transaction. Alex did not have any info of value immediate available to him, but Big Fish can produce logs with a subpoena. Next is from a company named Bayho, phone number 800-611-8247. 11/28/2011 10:47 AM Central time $3112.10 charged and reversed 11/28/2011 10:50 AM Central time $6732.06 charged and reversed 11/28/2011 10:52 AM Central time $4929.76 charged and declined by US Bank Somebody tried to use my credit card to steal a lot of merchandise from Bayho. Fortunately for all of us, the fraud systems at US Bank worked. I spoke with Han at Bayho and Han spoke with his manager. Apparently, our badguy also tried several other credit cards. Han gave me a name, address, phone number, and email for the person associated with the above charges: [Name removed for this blog post] [Address removed for this blog post] Tampa, FL. 33614 Phone xxx-xxx-xxxx Email: firstname.lastname@example.org My opinion – the above name is probably either fake or another victim. Regardless, let’s nail the clown who tried to mess with my credit card and apparently some others. At least we have a starting point. Thanks - Greg Scott - Cell phone xxx-xxx-xxxx - Home phone xxx-xxx-xxxx