A U.S. House committee recently passed legislation that aims to help law enforcement bring to justice criminals from other nations who buy and sell payment card data stolen from U.S. citizens. But would it really help the global fight against cybercrime?
The Cybercrime Anti-Resale Deterrent and Extraterritoriality Revision Act, better known as the CARDER Act, passed the House Judiciary Committee on Dec. 2.
In a nutshell, the CARDER Act is designed to help make it easier for U.S. law enforcement authorities to arrest and prosecute cybercriminals in overseas markets who trade, buy and sell U.S. cards in underground forums. In particular, the proposed legislation would help support the prosecution of middlemen known as "carders," who link hackers with the fraudsters who buy stolen payment card information to make fraudulent purchases.
By taking the carders out of the equation, law enforcement could more successfully shutter the underground forums where stolen card data is sold - at least that's what a backer of the legislation claims. "Taking down carder forums can make it significantly more difficult to sell credit card data and simultaneously increase the chances of identifying and arresting the hackers responsible for the initial theft," according to Rep. James Langevin, D-R.I., the bill's sponsor.
The bill would give the U.S. the right to arrest and prosecute criminals from overseas who violate U.S. fraud laws related to payment cards and payment instruments. Current federal criminal code only applies to crimes that occur within the U.S.
Little Impact on Global Cybercrime?
Even if this proposed legislation makes its way through the House and Senate and is signed by the president, some observers contend it won't have much impact on bringing international cybercriminals to justice.
"It is not easy to understand how passing this legislation will make law enforcement's job easier," says Shirley Inscoe, an analyst at the consultancy Aite. "If criminal activity originates outside the U.S., it is difficult for law enforcement to gain access to the individuals involved. Passing a law won't really change that unless the countries involved have a bilateral agreement in place to cooperate on such crimes."
We've seen recent improvements in cross-border collaboration to bring cybercriminals to justice - but only in certain parts of the world.
In countries such as Russia and China, which lack extradition agreements with the U.S., criminals can easily find safe haven. And this proposed bill would not change that (see Fighting U.S. Card Data Fraud Overseas).
"Reading between the lines, it appears the primary benefit may be that the proposed legislation will allow lesser evidentiary requirements, i.e., stolen card data doesn't have to reside within the U.S.," Inscoe says. "If this is the intended benefit of the legislation, it seems a positive development, and very well could lead to higher prosecution rates. I wouldn't hold my breath on catching more of the kingpins behind this organized crime, though. Lower-level criminals rarely have ties to or even know the criminals at the top of the empire."
Another financial fraud expert, Walter Mix, a former commissioner of the California Department of Financial Institutions, tells me that winning the support of other nations in prosecuting those who violate U.S. fraud laws will, indeed, prove challenging.
"It's going to take a lot of resources, and think about how much more difficult it is going to be to implement on a global basis. ... It's clearly a multiyear effort," says Mix, who now serves as managing director and head of the financial services practice at the consultancy Berkeley Research Group.
Mix contends, however, that the proposed legislation is an indicator that Congress is at least attempting to move in the right direction.
A Broader Approach Needed?
Cybercrime consultant Mike Urban suggests, however, that if Congress really wants to enhance law enforcement's ability to bring international cybercriminals to justice, it should pass legislation that's not limited to international prosecutions for payments fraud.
"The main issue I have with the CARDER Act is that it only covers [payment] card numbers," Urban says. "If we are going to get serious fraud legislation enacted, we need it to [deal with] any fraud related to the compromise of any American's PII [personally identifiable information] and/or PHI [protected health information]. We have already seen that medical records are worth several times more than credit card information."
As Urban points out, the risks of ID theft are linked not to the theft of card data but, rather, to the theft of PII and, in many cases, healthcare information.
Ben Knieff, another analyst at Aite, suggests that the United Nations, rather than Congress, may be the best forum for instigating change for cross-border cybercrime prosecutions. "The Internet is global; cybercrime is global; national boundaries mean very little to the criminals; and it's far too much for law enforcement," he says.
But Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner Research, is hopeful that Congress will enact the legislation as a first step toward battling international fraud.
"This is a no-brainer law - I can't imagine why Congress wouldn't act on it and pass it, other than lawmakers are too obsessed with their own political agendas and this is not the type of legislation that will gain them any votes," she says.