Three years ago, Muneeb Akhter and his twin brother Sohaib, then 19 years old, were featured in the Washington Post in a story headlined “George Mason’s youngest grads.”
They had graduated from George Mason University, in Washington, DC, with degrees in electrical engineering – “arguably the school’s toughest program”, the Post noted – after three years.
They reportedly liked to invent robots.
“I think we’ll be hearing more about these guys”, the Post’s Tom Jackman wrote.
Yes, indeed, starting now.
Muneeb Akhter is under investigation after admitting that he inflated the value of gift cards for companies including K-Mart, Shell Gas, Whole Foods, Starbucks and Dunkin Donuts, all without spending any money to do it.
He admitted, in a sworn, signed statement referenced by the Department of Homeland Security in an affidavit, that he had illegally accessed the companies’ e-commerce sites to pump up the cards.
From the affidavit, via NBC Washington:
“Subject admitted to creating computer codes on his personal notebook computer to gain unlawful access to multiple e-commerce sites, including Shell Gas, Whole Foods, [K-Mart], Starbucks and Dunkin Donuts. Akhter has used his codes to trick the e-commerce systems into adding funds to gifts cards he has possession of without actually expending any money to do so. He admitted to using his program to add funds to other individuals' gift cards without the need to actually expend funds.”
Akhter said he loaded a Sears card with at least $500, a K-Mart card with $495, a Whole Foods card with $300 and a Starbucks card with $100.
Akhter reportedly landed a cyber security job last month and began work in late June.
At his new job, he couldn’t resist boasting to a colleague about the code he’d cooked up that enabled him to take an ordinary $25 pre-paid gift card and add value to it.
NBC quotes him:
“I told my co-worker I used to own my own company and we were doing attacks against smart cards, gift cards and those things. I had a few gift cards with me and I showed him the gift cards and said 'I know how to reload them for free.'”
Well, helloooooo, Homeland Security agents!
Akhter’s co-worker went straight to his manager to tell him about the new hire’s skills – credentials that he apparently had neglected to put on his resume.
A Homeland Security agent questioned him. His badge and parking pass were quickly revoked, but the agent initially told him he was being considered for a higher position.
He said the agent told him:
“We're interested in your skill set. We need you for this high level position but I need to know exactly what you did.”
Homeland Security and Secret Service agents paid a visit to Akhter at his home, again asking about his code.
He was, in fact, oblivious to the fact that he was under investigation until 24 July, when a team of 11 agents ransacked his house, seizing computers, phones and other electronics.
So much for being a whiz kid. Bragging about your crimes to your colleagues is about as smart as posting publicly on social media stuff like how you OMG just hate yr boss so much you could, like, KILL him.
But beyond sheer naivete, Akhter’s story is one in which somebody who’s presented himself as worthy of a career in cyber security has shown a lack of morals that’s completely antithetical to the profession.
Akhter said he never actually used the monetary value he added to the card and that his gift-card “experiment” amounted merely to “research”:
“I'm a researcher. ... I've been researching the field for a long time and a lot of my work shows it. ... I'm not a malicious guy.”
He might call it research, but his work reflects an itch to profit from whatever vulnerabilities he’s discovered: He told NBC that he had planned to use his own company to approach retailers with a proposed fix.
He hasn’t yet been charged with a crime, and he’s not sweating the prospect of being prosecuted:
“I've heard stories of a lot of other hackers who have had similar experiences so I don't think it's a big deal. ... They should be more worried about what the tool can do if a malicious actor took it.”
I wouldn’t be all that relaxed if I were him.
In May, a 22-year-old cybercrook was handed a 20-year prison sentence, in part for involvement in a web forum that hooks up cybercriminal buyers and sellers for trading of things including dodgy credit and gift cards.
Just because you discover a vulnerability doesn’t make you a good guy. It doesn’t make you a “white hat” hacker.
In many countries, it is, and should be, a criminal offence to access a computer system without authorisation.
Penetration testing can wreak unforeseen damage to a system.
Conducting it on systems without their owners’ permission or knowledge is not only illegal; it’s also irresponsible and unethical.
Does it matter if he or his friends actually used the inflated gift cards to make illicit purchases, or whether they merely flipped them out of their wallets to boast about Akhter’s coding prowess?
I’m not sure how the courts would answer that question, but we could well find out soon enough if charges are filed.
Hmmm … so he graduated from the school’s toughest program. Sounds like he either didn’t take the ethics course or found a way to boost his course mark. In either case – FAIL.
Indeed unauthorized access is an ethical breach for a “white hat” hacker, but then again those companies will not give authority. They know (I’d wager for a fact) that their systems are NOT hardened, NOT secure, and cannot hold up even to average hackers given access.
We have long seen it proven that this kind of research has been a tremendous benefit for the public at large; without it we are all left completely insecure.
It does matter that he did not spend ANY of the money; that is proof of intent. Who else would avoid a quick cup at Dunkin Donuts, how much could that hurt a company? An ethical hacker, that's who; those cards represent real work, not leisure.
There is no doubt that “legally” what he did was wrong, but let's not forget the law of greater good. The key is: are his statements true? Easy enough to tell, the databases will reveal if any of the cards were used to make purchases. I would say one “small” test purchase for testing only should be overlooked.
The big story here has been grossly overlooked. What on earth is Homeland Security doing in a petty hack investigation? Isn't that using a bazooka to kill a gnat? Indeed it is, and as is par for the course with these new post 9/11 agencies and laws, this all teeters on the brink of running afoul of our constitutional protections.
Fear and ignorance is, by far, the largest enemy to the public safety and security, not terrorists or hackers. Second on that threat list is the lazy bureaucracy and greed of businesses that insist on using online conveniences without adequate protection or due diligence, relying instead on security by obscurity. It is that fear and ignorance that cause us to stand by while our freedoms and protections are continually eroded before our eyes. The very same freedoms, by the way, that many tens of thousand of good men and women gave their lives to defend and protect, including our own sons and fathers.
Let us not forget the wise words of Mr Franklin, “He who sacrifices freedom for security deserves neither”, and in fact we can see history prove this out for us daily.
He added an awful lot of value to a surprising number of cards by way of research that was only to prove a point for the greater good of all, wouldn’t you say?
I’d have thought that once he’d put $5 on one card and repeated it on a different one to show it wasn’t a fluke, he’d have his result right there.
I’m not convinced that “many tens of thousand of good men and women gave their lives to defend and protect” this bloke’s right to reload gift cards for free (his own choice of words when boasting about his activities).
What did he have in mind for his next experiment, do you think? Perhaps he could have made some ATM skimming devices and tried those out, for our collective protection?
Without question Muneeb has certainly shown a lack of self discipline as well as a lack of common sense, immature by almost any standard. Certainly at least a reprimand is in order. However, intent is a bit of a dodgy thing to prove.
All I’m saying is if we take the intent of our laws and our founding fathers seriously then he is innocent until proven guilty and I know of no one, possessed of criminal intent, that would sit on gift or cash cards with significant amounts of money on them without using them right away.
That's where all this breaks down; foolishness aside, the evidence (as stated in the article) indicates that his story is truthful and he is just a bit of an idiot. How many nerds do you know that take a little bit of a good thing way too far in their enthusiasm? He is certainly no pro pen tester, he didn’t claim he was. He made some mistakes, so right out of the chute we let Homeland Security have a go at him.
So, ah….. Who’s protecting our borders and going after the real terrorists, New York’s finest? A measured response that fits the offence is what is called for, digital breaking and entering, because K-Mart can't protect their own systems.
I may have given a misleading set of statements on another page. This is my current stance, in case I did. In the paragraphs below, “you” refers to an aspiring ethical hacker.
You don’t do penetration testing without permission. You don’t transfer money without permission. You don’t perform any action that could IN ANY WAY break a network without permission. You don’t break anything as a side effect of your intrusions. “Break” in the previous 2 sentences is intended to be VERY broad. It also includes customers and clients of the entity you are attacking as well as that entity.
There are a handful of “hacking” actions someone could perform without breaking anything, and without running afoul of the law. But, read and understand Hacking Exposed (etc.) yourself to find out what they are; I’m not going to list them here.
One note: If you prefer not spending time incarcerated, you would do well to get the above-mentioned permissions in writing.
2nd* toughest program. Computer engineering is actually more difficult at GMU.
Why the Dept of Homeland Security? If it’s a criminal offence why didn’t the police (state or federal) investigate?
It shows that even the smartest people can lack the intelligence to make good decisions.
This story shows smart people are just as vulnerable as anyone else when it comes to committing crimes. Everybody is looking for an easy ride OR easy way to get money even if it’s unethical and illegal.
Whiz kid with a big mouth. What did he think would happen? Just because you don’t spend the money you steal, doesn’t mean that you didn’t steal anything. Young and stupid.