Schneier on Security
A blog covering security and security technology.
« Lockpicking and the Internet |
| EFF on Locational Privacy »
August 13, 2009
Man-in-the-Middle Trucking Attack
For over three years the pair hacked into a Department of Transportation website called Safersys.org, which maintains a list of licensed interstate-trucking companies and brokers, according to an affidavit (.pdf) filed by a DOT investigator. There, they would temporarily change the contact information for a legitimate trucking company to an address and phone number under their control.
The men then took to the web-based "load boards" where brokers advertise cargo in need of transportation. They'd negotiate a deal, for example, to transport cargo from American Canyon, California, to Jessup, Maryland, for $3,500.
But instead of transporting the load, Lakes and Berkovich would outsource the job to another trucking company, the feds say, posing as the legitimate company whose identity they'd hijacked. Once the cargo was delivered, the men invoiced their customer and pocketed the funds. But when the company that actually drove the truck tried to get paid, they'd eventually discover that the firm who'd supposedly hired them didn't know anything about it.
Actually, not so clever. I'm amazed it went on for three years. You'd think that more than a few of the subcontracters would pick up the phone and call the original customers -- and they'd figure out what happened. Maybe there are just so many trucking companies, and so many people who need cargo shipped places, that they were able to hide for three years.
But this scheme was bound to unravel sooner or later. If the criminal middlemen had legitimately subcontracted the work and just pocketed the difference, they might have remained undiscovered forever. But that's much less profit per contract.
Posted on August 13, 2009 at 5:09 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
check this out: people in jail for not revealing their passwords in GB (see 4.11)
This reminds me: a decade or so ago I remember seeing a demonstration in front of Congress (outside) where some reformed car thieves dismantled (ie stripped) a 5-year old Cadillac in about 5 minutes while the onlookers watched. The total value of the parts recovered (they took everything but the chassis/unibody) was supposedly ~$50,000. They had paid about $15,000 for the car.
So my question was: why don't they just buy the cars instead of stealing them? It would give them a smaller profit margin, true; until you add in the costs of hiding, sneaking, stealing, arrest, court/jail time, fights with other car thieves, etc. Plus you could still get additional value from the big pieces that werent strippable (crush/recycle the chassis).
It's a well known fact that the majority of criminal activity is uneconomic by any measure. Freakonomics had a good section on this IIRC. You could build an economically useful arbitrage business out of the above scenario, but no, they had to shoot the goose that laid the golden egg. Dumb.
It's always struck me that the fundamental flaw in most criminals is that, given the choice, they take the bigger short term (non-sustainable) profit rather than smaller long term (sustainable) profit; they also never know when to stop.
This case supports both observations.
"Actually, not so clever. I'm amazed it went on for three years. You'd think that more than a few of the subcontracters would pick up the phone and call the original customers -- and they'd figure out what happened. Maybe there are just so many trucking companies, and so many people who need cargo shipped places, that they were able to hide for three years."
Have you considered that being "riped off" is an industry norm?
Or the state of the economy is making this to be just noise in the general "non payment".
I have worked in some business areas where "10% of turnover" fraud levels where considered part and parcel of doing business and the cost of reclaiming to high so it just got added into customer fees.
"...It's a well known fact that the majority of criminal activity is uneconomic by any measure...."
True. The ultimate motive is not rational, but emotional. This applies to nearly all legal business activity as well.
Criminals generally commit crimes out of laziness - it is easier to make an immediate profit by disregarding risk than to assess that risk and act for longer-term profits. Acting as an unlawful middle-man and only keeping residual profits "looks like work", which is a primary reason why criminals don't do it.
Seems like they'd last a lot longer if they paid the sub-contractor and pocketed the earnings. Much less lucrative, but over a longer time might net a lot more money.
$50k is probably the retail price of the parts, NEW from the dealer. The cost of the parts, used, would be significantly less. It's possible that, yes, all the parts sold separately would be worth more than the cost of the car... IF you can sell all the parts. Problem is there is a high demand for certain parts; side windows, side mirrors, door and quarter panels. But how many people need to replace interior seats? Doesn't make it worth while to buy a car for $15k if you're only getting $10k from selling the high value parts and having to junk the rest.
The car thing is also a good example of the economists' $20 Bill Theorem (there are no $20 bills on the sidewalk, because if there were someone would have picked them up already). If car theft miraculously stopped, and all the replacement parts had to come from dealer stock, junkers or cars purchased used, the price of the used cars would rise until the profit from chopping them up was in line with the profits from other legitimate sources of parts.
"Acting as an unlawful middle-man and only keeping residual profits "looks like work", which is a primary reason why criminals don't do it."
You missed the biggest reason criminals refuse to do it.
If they DID do it legitimately, then they would be regular workers at a regular job and NOT criminals ... and therefore there would not be a story about them doing it.
"It's always struck me that the fundamental flaw in most criminals is that, given the choice, they take the bigger short term (non-sustainable) profit rather than smaller long term (sustainable) profit; they also never know when to stop.
This case supports both observations."
You just never hear about the ones who choose the smaller, long term, sustainable profit.
My guess is that many of the subcontractors were 'unlicensed' drivers. There is a large market of drivers who for whatever reason aren't currently licensed or insured but have worked out an economy of doing jobs on the side etc. They may own their own rig, or borrow one from somewhere to get a job done (that rig itself may only be licensed or insured for local travel and not interstate work).
By using these third parties to do the work, you are pretty sure that few of them are going to mention it because well they could be doing hard time themselves if they ask too many questions. Of course you have to then worry about angry drivers with crowbars finding you.
The other case that comes up is that the sub-contracted company may call and be told that that is a contract dispute between you and company they were fooled by. In most cases the goods have been delivered so the first company has no interest in calling the Feds etc about it.
I guess the scam works because they were quoting prices below the cost of doing the job: arbitrage wouldn't work in that case, they'd lose money on every deal. But, as they never pay for the work...
Actually, considering the scam started 3 years back, considering the rare cases in which the subcontractor might call the original customer, how significant will the cargo transport company be in the conversation given that the cargo is satisfactorily delivered to serve its purpose? Even when the first such glitches in protocol might 've surfaced, the feds must've needed the time for sufficient incidents to occur, to frame a credible court case :)
Besides laziness and short time horizons, another significant reason for crime is that criminals are inveterate optimists, that bad stuff is never going to happen to them, once it does it ain't going to happen again. http://williambswift.blogspot.com/2009/03/...
Not that I'm condoning this in the least, clever as though it may be, but I sure am glad this was about making a few bucks, as opposed to say, running off with large shipments of dangerous materials...
Hopefully shipments of anything that might pose a threat are dealt with a little more carefully.
"If the criminal middlemen had legitimately subcontracted the work and just pocketed the difference, they might have remained undiscovered forever."
Are they even criminals anymore in this case? other than "hijacking" the name/reputation of an existing company, what's illegal about subcontracting the work and keeping the difference. Sounds like a legitimate business model to me...
Well, if they started their own website and got famous so everyone went to their site to look for works, then it's perfectly legal. Although people may starting to know how to avoid their "tax" by contacting the companies directly.
"You'd think that more than a few of the subcontracters would pick up the phone and call the original customers -- and they'd figure out what happened."
Remember: Many truck drivers are independant owners/operators. Not all truck drivers are associated with a trucking company.
@justthinkin: "Are they even criminals anymore in this case? other than "hijacking" the name/reputation of an existing company, what's illegal about subcontracting the work and keeping the difference. Sounds like a legitimate business model to me..."
I would say it falls under the theft through deception category. People think they are directly paying the trucking company $10,000 when they are just paying someone else $2,000 to pay the company $8,000. Without the deception, they would just go straight to the trucking company for the $8,000. More than the reputation/name is hijacked.
>It's always struck me that the
>fundamental flaw in most criminals is
>that, given the choice, they take the
>bigger short term (non-sustainable)
>profit rather than smaller long term
Not necessarily. We usually find the patient ones in city halls, capitol buildings, and Wall Street.
> they also never know when to stop.
That remains, however, true.
There was an interesting phrase I heard last week, that does seem to ring true:
"Chicago's politicians are corrupt, but competent at governance."
It's an interesting thing to think about, and pretty true. There's no doubt places like Chicago, Providence, Boston have high levels of corruption. But they're also pretty well run cities.
Compare that to Detroit or New Orleans where corruption is combined with complete lack of competency.
Does that mean being competent in what you do is more important then being ethical?
Sorry to intervene, but there might be something to say in favour of the choice of those becoming criminal. That's the initial funding needed. There is a large number of humans in almost everey country that cannot afford (or borrow) the initial 15k$ necessary to buy the car in the first place.
I think at least some of those ripping parts off of cars are quite happy if they somehow aquired the tools to do so. (Which is another investment to be made beforehand.)
The posted reasons for becoming a criminal might be true as well, but at least one should allow for the slight opportunity that there are more "positive" reasons for why people stride from the path of legal business.
@HJohn: No, it's not theft, it's just arbitrage. It's a natural consequence of any market that isn't perfectly liquid and informed.
As usual, many of the earlier posters are right on.
@ Clive Robinson "..being ripped off is the industry norm."
@Hjohn, @Vipool.. @Stephen.. also very good insights.
In one of my many careers, I worked in trucking operations, both Import / full load & LTL loads.. for several now-defunct companies.
We always looked for ways - and were taught or encouraged at all levels of management- to save money by skirting the laws. Whether we could move loads through subs/arbitrage.. (rather than union drivers or drivers who were over legal hours).. teach drivers 'creative bookkeeping' so they could squeeze one more run into their 'legal hours of service' or so they could balance the mileage/fuel tax sheets better.. or how to buy a midnight load of home heating oil (untaxed) to fill our diesel rigs.. or knowingly disguise/hide damaged freight just to get the customer's signature and avoid a damage claim..
It was all crooked, and all done fairly openly. Even when cheating, we still ran at best a 2-3% margin, usually a 3-4% loss.
This crime takes advantage of the good reputations of some carriers (id theft), and the greed of many others. Unfortunately, the guy working the hardest -the driver delivering the freight- is the one who can least afford getting ripped off.
I hope the people who learn about this will all confirm future contracts out-of-band or some other way.
Nice critique of deregulated markets.
I actually found the story most interesting because it resulted in a mental-illness debate. The accused drifted into an opportunity, and then acquired the means. Their motive was simply income and the article ends with a plea from the convicted to drive trucks and paint houses...if only that opportunity had presented itself earlier as a more feasible one than crime.
Davi Ottenheimer, I have a hard time sqauring the idea of "skirting the laws" with the idea of a "deregulated market".
I could describe it as "poorly-regulated", "unenforced regulation", or possibly even "unenforcable regulation", but not "deregulated".
Maybe this would work at a Sonic.
You pull into the Sonic, and someone comes up saying the speaker is broken and takes your order. They go in, bring your food back and tell you it is $15. Later you find out, they weren't an employee and the meal was really $12. Most people would think it was theft... you thought you were dealing directly with the source, and they presented themselves that way. It certainly could not be called a legitimate business model. If someone offered to pay them $3 to get them $12 worth of food, perhaps, but not in the deceit. (I know, I know, check receipts... not the point, just an illustration.)
Similar to the man in the middle. They injected themselves into the process through deceit resulting in scamming money out of someone who was mislead as to who they were.
I saw a Nightline a few years back about a (bank robber?) who just couldn't understand why he was so "unlucky". It took going to prison and learning chess to teach him that most of his life was determined by his actions. Now he works with kids, using chess to try to pass on the same lessons.
What these guys did was essentially, front-run the market.
For them it required a significant amouint of work and risk, however, they were doing almost exactly what goldman sachs has just been shown to be doing to the US stock exchange.
Goldman, however, have a privileged position, legitimated access to the servers and let the computers do the work.
I'm sure, somewhere in there, is the distinction between legal and illegal. The effect on the global economy however, is orders of magnitude different.
@HJohn: That's straightforward fraud. These guys were offering services on an open exchange for contracts, which allows price discovery. A more accurate analogy would be driving up to your Sonic (I take it that's a burger chain?) and there's a line of a dozen guys: they all offer you a price and you pick the best one.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.