It takes one to know one

Feds are vulnerable to cyber fraud because of inertia, says the con man who inspired Steven Spielberg's "Catch Me If You Can."

Wikimedia image: Frank Abagnale.

Frank Abagnale said that in today's Internet-connected world, fraud has become "4,000 times easier."

Despite the increasingly daunting array of cybersecurity technologies being deployed by federal agencies and industry, it takes only a single mistake by an employee or a lone technical deficiency to expose a weakness, according to one of the world's most notorious confidence men.

Frank Abagnale, the one-time con man who successfully impersonated an airline pilot, a legal assistant in the Louisiana attorney general's office and a doctor in the 1960s, said every computer hack, especially the huge ones that cause the most damage, begins with human error.

Abagnale inspired Steven Spielberg's movie "Catch Me If You Can," in which Leonardo DiCaprio portrayed Abagnale's exploits in identity theft and fraud at Pan American World Airways and other places. According to Pan Am's estimates, between the ages of 16 and 18, he flew more than 1 million miles and took more than 250 flights by deadheading as a Pan Am pilot. He said, however, that he never flew on Pan Am planes and relied instead on the courtesy arrangements that allowed personnel to fly for free on competing airlines.

After serving time in French, Swedish and U.S. prisons on fraud charges, Abagnale has done pro bono security consulting for the Internal Revenue Service, the Secret Service and the Federal Deposit Insurance Corp. He has also consulted for free for the FBI for the past 38 years, ever since getting out of federal prison, as part of personal penance for his past crimes. He makes his living through speaking engagements and his company Abagnale and Associates, which advises corporations on fraud issues.

In his work as a security consultant, he has found breaches of federal networks to be more problematic than those in the commercial arena because the federal government works so slowly and is increasingly hampered by budget and political concerns.

Speaking at a Raytheon cybersecurity technology event on Dec. 2, Abagnale said every big breach he's seen up close began with "someone doing something they shouldn't have."

For instance, a breach of South Carolina's tax agency in 2012 that resulted in the release of detailed tax information for hundreds of thousands of residents began with an employee taking an agency computer home and using it to access the Internet.

During his capers in the late 1960s, Abagnale wrote an untold number of bad checks and manufactured his own identity documents. In today's Internet-connected world, he said fraud has become "4,000 times easier." Where he once needed a $1 million, German-made printing press to create an authentic check, now corporate logos and even corporate officers' signatures are available online, ready to be printed electronically and incorporated into any number of official documents.

Identity badges that he falsified using airplane model decals could now be easily replicated from online sources to fold into any number of fake print or electronic documents.

Identity theft, hacks and electronic fraud steal billions from federal systems every year, but they continue because of government inaction, he said. Medicare lost $100 billion to fraud in 2013, and the IRS paid out more than $7 million in refunds to a Virginia woman who filed fake electronic returns.

With the sheer volume of fraud perpetrated against federal assets, investment in cybersecurity technology could pay for itself in a short time, he said. "If we could cut fraud only 25 percent, we'd save billions. But it goes on and on."

He said fraud boils down to personal ethics and awareness. It takes only one person inside an organization with ulterior motives or without a solid understanding of fraudsters' and hackers' "social engineering" techniques to cripple an organization.

In his current work as a consultant, Abagnale said he runs scenarios in his head about how he might be able to get something past airport security checkpoints. Although there might be 10 Transportation Security Administration agents at a given checkpoint, "all I need to get to is one. It's the same with cybersecurity software and hardware."