Could illegal actions committed only at WiFi hotspots be tracked to an individual user?

Skald_the_Rhymer · November 22, 2009, 10:22pm

Let’s say that I suspect someone is illicitly using my credit card to buy things online. Let’s further say that the person I suspect has a laptop but no home internet connection. Whenever this person uses the internet he or she goes to a hotspot. Sometimes it’s the public library, where no login is required; sometimes it’s Starbucks, where the person must purchase a 2-hour connection from AT&T. Regardless, each time the person is finished with being nefarious , he or she logs off and deletes all the browsing history (or perhaps he or she opens a private browsing session each time). Lastly, let’s say everything the person buys is virtual–downloaded porn clips, say–rather than anything physical that comes to a physical address.

Would there be any way to connect this person to the misuse of the credit card?

Derleth · November 22, 2009, 10:31pm

It would most likely be too difficult to track to justify the expense if it’s only a theft. If it was tied in to a murder or a kidnapping (especially kidnapping, which is a Federal offense) it would be more worthwhile to do things like staking out likely hotspots in a given region and looking for people or laptops matching a description. Note that this really has nothing to do with the computer activity, which is likely more-or-less untraceable if the criminal isn’t a complete moron.

Skald_the_Rhymer · November 22, 2009, 10:39pm

What completely moronic actions could said user commit that would render him or her tracable? Mightn’t paying for the ATT connection at 'Bucks with the jacked card leave a trail?

Rumor_Watkins · November 22, 2009, 10:44pm

all I can think of is spoofing your MAC and the obvious crap like not using your credit card or using a clean computer without any personal data on it. what other things are there?

xash · November 22, 2009, 11:45pm

Anonymizer services which can’t trace back to the originator.

Derleth · November 22, 2009, 11:52pm

Of course using the stolen credit card is going to leave a trail. That isn’t what I’m talking about: It would leave just as big of a trail even if you hadn’t stolen a computer. That stolen computer is irrelevant to the credit card company’s tracking procedures.

I’m focusing on your usage of the computer getting you caught. In that spirit, I’ll continue.

One really stupid thing would be posting to a message board under a username that could be traced to you. If the police match the username to you, they can subpoena the board’s records of IP addresses and use those to track you to the hotspot you posted from. Not a slam-dunk unless you’re still sipping a latte in that specific cafe, but it would certainly narrow the search.

Other stupid things would be using the computer in a way that draws attention to yourself, like looking at really noisy and disgusting porn in a library. If someone notices you, they might well figure out you’re the one the police are after and turn you in. This, of course, only really works if it’s a high-profile case, or if the police later canvass the area you made a jackass of yourself in and someone remembers you.

Finally, I don’t see any reason to spoof a MAC address. I’m not aware of any programs being in place to track MAC addresses, which don’t leave the hotspot itself (that is, MAC addresses are not transmitted beyond the hotspot’s WiFi LAN) and are generally not known to the average computer owner. In summary, the police wouldn’t be able to find a MAC address, and they wouldn’t know which one to look for if they could.

Derleth · November 22, 2009, 11:54pm

Precisely. Tor is a good example of such a proxy.

xash · November 23, 2009, 12:23am

Technically, this is correct. But, forensically, if the illegal activity is tracked back to a set of WiFi hotspots, and there is a MAC address common to at least some of these WiFi hotspots, the suspect list can potentially be narrowed down.

drachillix · November 23, 2009, 1:21am

Granted, I am a computer guy, but this would still be hard unless you went to the same 2-3 spots. I could easily see where someone dealing in some form of illegal traffic (like kiddie porn) could easily camoflage alot of their dealings and have a shitload of traffic during appointed times, or via a very elusive and exclusive invitation systems.

combined with wardriving

You have little chance of being caught.

Markxxx · November 23, 2009, 1:36am

Even spoofs can be traced, nothing on the Internet is truly anonymous. The problem lies with the amount of effort. You can send an email message and route this message though literally tens of thousands of servers before it gets to its destination.

This makes the message effectively untraceable. No one is going to go through the effort of tracing messages from one sever to another over ten thousand times and getting the documentation to do it. You’d have to have each ISP co-operate or subpoena each of them.

As another poster pointed out it’s not worth the time to do this for low level theft. If you’re investigating a murder or a theft of millions of dollars it is worth it.

If someone buys something off the Internet it’s a lot more effective to investigate the point of delivery. Though some places don’t require signatures which renders that moot.

People simply pick an abandoned or unrented house and wait outside for the package and take it from the mailman.

si_blakely · November 23, 2009, 9:17am

You want to tell me how you propose to do this? Back in the day when the internet was unreliable, email would be routed via a number of servers, and each smtp server had a list of reliable neighbours. That would get you a few hops. Now, smtp servers generally connect direct to destination, so most email transfers are single hop (excluding internal transfers). So unless you have email addresses on those tens of thousands of servers and forwarders set up on all those email accounts, it is not actually easy to do.

Tor provides a level of isolation, but a compromised Tor endpoint still leaks information. And all your traffic has to start by travelling to an entry point.

As for the OP, MAC address tracing would be the start. Pay Services will log Mac addresses (to identify paid users), and many public access systems will log them too. Transparent proxy logs (yeah, most access points and ISPs use proxies to reduce bandwidth costs, and create logs) would be the next step, if you can co-ordinate MAC/IP/NAT/Proxy data. But it would be pretty hard if the thief used SSL (https: connections).

Si

Skald_the_Rhymer · November 23, 2009, 3:20pm

Thanks to all the respondents. The overall theme I’m getting here, though, is that for the thefts in question, which have amounted to less than $100, I’m pretty much shit outta luck when it comes to ever proving anything, yes?

Kenyth · November 23, 2009, 4:02pm

Yes, the cost and effort involved in tracing it far exceed the value of catching them. Most places won’t even report a petty theft for that much.

HorseloverFat · November 23, 2009, 4:14pm

>Sometimes it’s the public library, where no login is required; sometimes it’s Starbucks, where the person must purchase a 2-hour connection from AT&T.

There are data retention policies for places like this. Granted, at most you’ll be able to get mac addresses and timestamps, perhaps with a log of all tcp connections or something similar. This might be able to help law enforcement figure out who this is, but generally it would be difficult to find out as we dont keep a national registry of mac address ownership (not that it would make a difference).

>which have amounted to less than $100, I’m pretty much shit outta luck when it comes to ever proving anything, yes?

Not really. Your credit company would give you the money back and do a chargeback on the vendor who took the stolen card info. Merchants have almost zero rights when it comes to things like this, especially if they are not performing due diligence. Merchants should also always be asking for the CCV value on the back of the card, which they are not allowed to store. So if the thief gets a database of names, cc numbers, and expiry dates, a well run merchant store will not allow him to make a purchase without the CCV value. Ive noticed places that sell “virtual goods” always ask for it.

If someone is running around with your cc card and its ccv, he could potentially do a lot of damage, but you could still contest it. At that point this isnt an internet problem but a credit security issue. The attacker could waltz into lots of stores which never check ID or anything. Same thing here. Even with video camera footage of the guy , he’s unlikely to get caught.

drachillix · November 24, 2009, 12:31am

Or break in purely to answer the door.

Chronos · November 24, 2009, 2:00am

Quoth Derleth:

It sounds like you’re interpreting the OP as the thief, where it actually looks more likely from the context that he’s the victim.

Skald_the_Rhymer · November 24, 2009, 2:05am

Which is the case. I’m fairly certain I know who misused my card, and why, but I was wondering if it were worthwhile to try to prove it.

Kenyth · November 24, 2009, 1:43pm

Not to state the obvious but, costly accidents happen all the time. Even to people who sneak others credit card numbers.

That is, if you feel karma must be helped along here.