In March 2010, four defendants (Kenneth Lowson, 40, Kristofer Kirsch, 37, and Faisal Nahdi, 36, all of Los Angeles, and Joel Stevenson, 37, of Alameda) and their company, Wiseguy Tickets, Inc. (“Wiseguys”), were charged with conspiracy to commit wire fraud and to gain unauthorized access and exceed authorized access to computer systems.
The men are alleged to have hacked into Ticketmaster.com, MLB.com, Ticket.com as well as other on-line ticket vendors in an elaborate scheme that netted them over twenty-five million dollars. Through fraud and by defeating computer security measures, they were able to obtain prime tickets to sports and entertainment venues, which they then sold at a markup to other vendors and individuals.
The “Wiseguys” utilized a number of techniques to defeat the measures that were put in place to ensure equitable ticket distribution to the public by the online vendors. One measure that they defeated was CAPTCHA challenges.
CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a challenge and response test that can ascertain if responses are being made by a human or a computer, specifically “bots” which are software programs that can rapidly run automated tasks, such as maliciously filling in forms.
Below is an example of a CAPTCHA:
Other CAPTCHAs are auditory, for those who are visually impaired. It should also be pointed out that some CAPTCHAs require mathematical computation, as in 3 x 3 = ?
There are a number of methods to defeat CAPTCHAs. One is using Optical Character Recognition (OCR); related to this is clearing up the clutter in the CAPTCHA, which can help in defeating it. There are also third-party apps that will defeat CAPTCHAs. Some CAPTCHAs allow a correct CAPTCHA entry to be reused for additional entries, and some CAPTCHAs allow multiple attempts at guessing them without penalty.
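The last two weaknesses above (a solved CAPTCHA accepted again, and unlimited guesses) are server-side verification flaws. The sketch below is an added example, not code from any vendor named in this article; the `ChallengeStore` class, the policy constants and the sample answers are all assumptions constructed for illustration.

```python
import hmac, secrets, time

MAX_ATTEMPTS = 3      # assumed policy: guesses allowed per challenge
TTL_SECONDS = 120     # assumed policy: challenge lifetime

class ChallengeStore:
    """Server-side CAPTCHA state (hypothetical class, in-memory for the demo)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._live = {}   # challenge_id -> [expected_answer, expires_at, attempts_left]

    def issue(self, answer):
        """Register a new challenge and return its unguessable id."""
        cid = secrets.token_urlsafe(16)
        self._live[cid] = [answer, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return cid

    def verify(self, cid, response):
        """Return 'ok', 'wrong', 'locked' or 'invalid' (unknown, used or expired)."""
        entry = self._live.get(cid)
        if entry is None:
            return "invalid"
        answer, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._live[cid]
            return "invalid"
        if hmac.compare_digest(response.strip().lower().encode(), answer.lower().encode()):
            del self._live[cid]          # single use: a solved challenge cannot be replayed
            return "ok"
        entry[2] -= 1                    # every wrong guess costs an attempt
        if entry[2] == 0:
            del self._live[cid]          # out of guesses: client must fetch a new challenge
            return "locked"
        return "wrong"

def demo():
    """Constructed scenario: replay after success, then guessing past the limit."""
    store = ChallengeStore()
    a = store.issue("k7mq2")
    first, replay = store.verify(a, "K7MQ2"), store.verify(a, "k7mq2")
    b = store.issue("3x9pd")
    guesses = [store.verify(b, g) for g in ("aaaaa", "bbbbb", "ccccc", "3x9pd")]
    return first, replay, guesses

if __name__ == "__main__":
    print(demo())
```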
Other CAPTCHA-defeating operations have been known to employ inexpensive human labor to enter CAPTCHAs. In the case of the “Wiseguys”, the defendants employed computer programmers in Bulgaria to simulate visits to ticket vendor websites. The ring used CAPTCHA bots and was able to inundate ticket sites with purchases in the critical moments when tickets first went on sale.
Additionally, the defendants created hundreds of bogus domains, shell corporations, as well as thousands of e-mail addresses to receive their tickets.
As the defendants operated throughout both the United States and Bulgaria, there are international and federal ramifications to their crimes. Bulgaria is a signatory to the European Council Cyber-Crime Convention of 2001, as is the United States, though prosecution provisions are somewhat limited under the legislation.
In the United States, however, the defendants face wire fraud charges under 18 U.S.C. § 1343, as well as prosecution under the Computer Fraud and Abuse Act of 1986, codified as 18 U.S.C. § 1030, which has been amended by the Identity Theft Enforcement and Restitution Act in 2001.
Amongst the amendments are:
Eliminating the requirement in 18 U.S.C. § 1030(a) that the defendant’s action must result in a loss exceeding $5,000;
Adding a provision to 18 U.S.C. § 1030(c) that makes it a felony to cause damage to ten or more computers;
Expanding jurisdiction for cases involving theft of information from computers by eliminating the requirement that information must have been stolen through an interstate or foreign communication;
Amending 18 U.S.C. § 3663(b) to make clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense;
Creating a criminal offense for conspiring to commit a computer hacking offense under 18 U.S.C. § 1030;
Providing a mechanism for forfeiture of property used in or derived from violations of 18 U.S.C. § 1030.
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.
If convicted, the defendants faced a maximum statutory penalty of 5 years in prison on the conspiracy charge and a maximum statutory penalty of 20 years in prison on each wire fraud charge. In addition, defendants Lowson, Kirsch, and Stevenson faced statutory maximum penalties of 5 years’ imprisonment and a $250,000 fine on each of 19 counts charging gaining unauthorized access and exceeding authorized access to computers, and 10 years’ imprisonment for each of six counts charging damage to computers in interstate commerce. In addition, each defendant faced a fine of $250,000 per count of conviction.
In her decision, Judge Katharine S. Hayden of the United States District Court sentenced Mr. Lowson and Mr. Kirsch, the company’s owners, to two years of probation and 300 hours of community service. Mr. Lowson was ordered to forfeit $1.2 million. Of the additional defendants, Mr. Stevenson was sentenced to one year of probation, and Faisal Nahdi remains at large.