Posts Tagged ‘Credit Cards’

CIA Agent Pleads Guilty to Defrauding Covert Credit Cards

By Kevin Poulsen | February 06, 2009 | 4:41:53 PM | Categories: Spooks Gone Wild


A 16-year veteran of the CIA pleaded guilty Thursday to a federal fraud charge after using undercover agency credit cards to run up $75,000 in personal expenses, including costly hotel stays and a $700 watch.

Steven J. Levan, 48, worked as a case agent at the CIA until his recent termination over the fraud.  According to an affidavit (.pdf) by a U.S. postal inspector who investigated the case, Levan made unauthorized personal use of four special credit cards that, while not officially billed to the government, are “customarily paid by the agency.”

“The agency had to pay the defendant’s fraudulent charges on those credit cards, in order to maintain the means by which the agency protects the identity of certain of its employees,” reads the affidavit.

Despite the relatively mild charges, Levan’s been held without bail since his arrest on January 12, based on the government’s assertion that the former spy could begin peddling national security secrets to foreign powers to raise more money.  Levan’s attorney slammed the espionage rhetoric as “rank speculation” in a motion for bail (.pdf) last month.

Veteran CIA spy Steven J. Levan used a covert government credit card to buy himself a $700 Raymond Weil watch — garrote not included.

“Nothing about the underlying allegations relate to espionage or the deprivation of honest services,” wrote Federal Public Defender Michael Nachmanoff. The lawyer acknowledged that Levan has suffered from financial difficulties.

Government filings in the case don’t name the CIA as Levan’s former employer, but Nachmanoff’s bail motion does. Levan apparently joined the agency after graduating from the Virginia Military Institute in 1982, then receiving a Master’s degree in national security studies from the Naval War College and spending four years in the Army.

Judging from his salary tier, Levan occupied a fairly senior position in the CIA: as a GS-15, he earned between $115,000 and $149,000 a year, the top level for government civil service. He’s lived in Virginia — where the CIA is headquartered — and the Washington DC area since 1987, “with the exception of several tours overseas,” wrote Nachmanoff.

In a plea deal with prosecutors this week, Levan agreed to abandon his bid for release on bail, and he pleaded guilty to a single count of access device fraud for running up $7,446 on one of the CIA credit cards at the Staybridge Suites hotel in McLean, Virginia.

Levan also admitted (.pdf) using the identity information on the CIA cards to obtain two more credit cards he had sent to his home. Additionally, he stole another covert credit card from a different, unnamed, government agency, and lifted a coworker’s personal credit card to ring up another $15,000.  In all, the losses topped $100,000.

The government has agreed to recommend a term of no more than a year in prison, and full restitution, when Levan is sentenced on May 1.

Levan is the second CIA official to be outed by allegations of criminal conduct in recent weeks. In late January, ABC News published the name of the former station chief of the CIA’s outpost in Algeria, who’s come under suspicion in the alleged date-rape of several women there.

According to court records, Levan is separated from his wife, who lives in his house with the couple’s children. He committed much of the fraud while living at a Residence Inn in Tyson’s Corner, Virginia. Under an assumed identity, naturally.

Global ATM Caper Nets Hackers $9 Million in One Day | Threat Level

By Kevin Poulsen | February 03, 2009 | 2:43:39 PM | Categories: Crime

A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay, New York’s Fox 5 reports.

RBS WorldPay announced on December 23 that they’d been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach.

At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans. But it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8.

A class action lawsuit has been filed against RBS WorldPay on behalf of consumers.

A nearly identical cybercrime feeding frenzy targeted payment card company iWire in late 2007. From September 30 to October 1 of that year — just two days — four iWire payroll cards were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in losses of $5 million.

A similar MO was employed against Citibank account holders last year, after a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was breached. In that case, cashers converged on New York and withdrew at least $2 million from Citibank accounts, sending 70 percent of the take back to a mysterious hacker kingpin in Russia.

Could all three breaches be the work of a single wealthy cybercrook sitting on piles of cash somewhere in Moscow? Some of the cashers in the iWire and Citibank capers are cooperating with the FBI, so we may eventually find out.

What’s clear is that this is a great time to be a hacker. In just over one year we’ve seen these kinds of breaches go from virtually unheard of to a multimillion-dollar industry.

In September, Canadian police announced the arrest of Israeli hacker Ehud Tenenbaum for allegedly penetrating the Calgary-based financial services company Direct Cash Management and increasing the cash limits on prepaid debit cards he and his co-conspirators legitimately purchased. The caper allegedly netted the crooks the equivalent of $1.7 million U.S.

Despite much-ballyhooed payment card security standards, the industry responsible for protecting our money appears to be as leaky as a sieve. But, as always, consumers aren’t responsible for fraudulent withdrawals that they find and promptly report to their card issuer.
