Three years ago, Muneeb Akhter and his twin brother Sohaib, then 19 years old, were featured in the Washington Post in a story headlined “George Mason’s youngest grads.”
They had graduated from George Mason University, in Washington, DC, with degrees in electrical engineering – “arguably the school’s toughest program”, the Post noted – after three years.
They reportedly liked to invent robots.
“I think we’ll be hearing more about these guys”, the Post’s Tom Jackman wrote.
Yes, indeed, starting now.
Muneeb Akhter is under investigation after admitting that he inflated the value of gift cards for companies including K-Mart, Shell Gas, Whole Foods, Starbucks and Dunkin Donuts, all without spending any money to do it.
He admitted, in a sworn, signed statement referenced by the Department of Homeland Security in an affidavit, that he had illegally accessed the companies’ e-commerce sites to pump up the cards.
From the affidavit, via NBC Washington:
Subject admitted to creating computer codes on his personal notebook computer to gain unlawful access to multiple e-commerce sites, including Shell Gas, Whole Foods, [K-Mart], Starbucks and Dunkin Donuts. Akhter has used his codes to trick the e-commerce systems into adding funds to gifts cards he has possession of without actually expending any money to do so. He admitted to using his program to add funds to other individuals' gift cards without the need to actually expend funds.
Akhter said he loaded a Sears card with at least $500, a K-Mart card with $495, a Whole Foods card with $300 and a Starbucks card with $100.
Akhter reportedly landed a cyber security job last month and began work in late June.
At his new job, he couldn’t resist boasting to a colleague about the code he’d cooked up that enabled him to take an ordinary $25 pre-paid gift card and add value to it.
NBC quotes him:
I told my co-worker I used to own my own company and we were doing attacks against smart cards, gift cards and those things. I had a few gift cards with me and I showed him the gift cards and said 'I know how to reload them for free.'
Well, helloooooo, Homeland Security agents!
Akhter’s co-worker went straight to his manager to tell him about the new hire’s skills – credentials that he apparently had neglected to put on his resume.
A Homeland Security agent questioned him. His badge and parking pass were quickly revoked, but the agent initially told him he was being considered for a higher position.
He said the agent told him:
We're interested in your skill set. We need you for this high level position but I need to know exactly what you did.
Homeland Security and Secret Service agents paid a visit to Akhter at his home, again asking about his code.
He was, in fact, oblivious to the fact that he was under investigation until 24 July, when a team of 11 agents ransacked his house, seizing computers, phones and other electronics.
So much for being a whiz kid. Bragging about your crimes to your colleagues is about as smart as posting publicly on social media stuff like how you OMG just hate yr boss so much you could, like, KILL him.
But beyond sheer naivete, Akhter’s story is one in which somebody who’s presented himself as worthy of a career in cyber security has shown a lack of morals that’s completely antithetical to the profession.
Akhter said he never actually used the monetary value he added to the card and that his gift-card “experiment” amounted merely to “research”:
I'm a researcher. ... I've been researching the field for a long time and a lot of my work shows it. ... I'm not a malicious guy.
He might call it research, but his work reflects an itch to profit from whatever vulnerabilities he’s discovered: He told NBC that he had planned to use his own company to approach retailers with a proposed fix.
He hasn’t yet been charged with a crime, and he’s not sweating the prospect of being prosecuted:
I've heard stories of a lot of other hackers who have had similar experiences so I don't think it's a big deal. ... They should be more worried about what the tool can do if a malicious actor took it.
I wouldn’t be all that relaxed if I were him.
In May, a 22-year-old cybercrook was handed a 20-year prison sentence, in part for involvement in a web forum that hooks up cybercriminal buyers and sellers for trading of things including dodgy credit and gift cards.
Just because you discover a vulnerability doesn’t make you a good guy. It doesn’t make you a “white hat” hacker.
In many countries, it is, and should be, a criminal offence to access a computer system without authorisation.
Penetration testing can wreak unforeseen damage to a system.
Conducting it on systems without their owners’ permission or knowledge is not only illegal; it’s also irresponsible and unethical.
Does it matter if he or his friends actually used the inflated gift cards to make illicit purchases, or whether they merely flipped them out of their wallets to boast about Akhter’s coding prowess?
I’m not sure how the courts would answer that question, but we could well find out soon enough if charges are filed.