Wednesday, November 27, 2019

Two Russian Czech geeks hacked visa system for the Vietnamese

...kept it for 5 years and earned over $30 million...

About 1% of Czechia's 10.5 million people – 100,000 – are Vietnamese. For some random reasons that I explained in my somewhat well-known Quora answer (LM), Vietnamese are the main exotic minority in Czechia while Czechia is the world's third country in the percentage of the Vietnamese, after Vietnam and Cambodia.

So given the number 100,000 whose change in time is at stake, you could think that basic questions such as "who decides about the new long-term migrants from Vietnam to Czechia" have a well-known answer that is compatible with the Czech laws. You would be completely wrong! ;-)

My one-year younger classmate from Prague's "MathPhys" – the Faculty of Mathematics and Physics of the Charles University (let me use the acronym MFF UK) – Marián Kechlibar has brought my attention to an incredible story explaining why you would be wrong and why governments of smaller countries are generally impotent vis-a-vis hackers.

Kechlibar's main lesson is "I beg you, don't introduce electronic elections" and I totally agree with this conclusion, as I will discuss later.

At any rate, the two main criminals were caught last year but only two days ago, investigative journalists at have unmasked some cool details about that scandal. See also e.g.

What happened? Well, the migration to Czechia has become a well-known recipe among the Vietnamese to improve their lives. I think it's OK for us in Czechia, too. At least, the Vietnamese aren't religious fanatics and 1/3 of them end up working in their small "Evening Grocery Stores", Večerka's for short. See my Quora text.

OK, Czechia was still accepting new Vietnamese folks after 2000 or so. Up to 2009, the applicants had to wait in a very long queue in Vietnam, in front of the Czech embassy. Queues are a problem, people waste lots of time there, and a local mafia was obviously operating there and selling places in the queue etc. Why don't we improve it, Czech bureaucrats asked? And indeed, they made an "improvement" in 2009, the so-called Visapoint – which was also used for the immigrants from Ukraine and Mongolia, two other important enough sources of the recent immigration to Czechia. Yes, we are very different.

Visapoint was mainly one web page where the Vietnamese applicant answered a CAPTCHA test to prove he or she wasn't a robot and filled in some data. On top of that, the Vietnamese person had to be lucky and pick the right moment when you open the web page. So I think that the system was designed in such a way that the Vietnamese people sitting in front of the keyboard and quickly responding had a higher chance to get the visa. Even before hackers arrive to the stage, I think that this fact is already a sign of a very bad design.

Someone else could click on behalf of them, right? So here are the heroes, Alexander and Andrei Voronin, Russian brothers who are about 35 and studied the same MFF UK in Prague as your humble correspondent and Marián Kechlibar. BTW I have some feeling that Marián also has some non-Czech Slavic roots and his name was Kechlibarov but it's not important here. ;-) Fine, so the Voronin brothers acquired a software that defeated the particular CAPTCHA. Their robot was capable of coming to the server and self-confidently declare: "I. AM. NO. FUDGING. ROBOT."

Good for them. So by introducing a robot that competed against the Vietnamese humans and that gained a monopoly over the slots, they had the "right to send the visa application" which they were selling through some Vietnamese Czech intermediaries to the Vietnamese applicants. The Vietnamese Czech collaborators (the whole group had 8 members, at least 8 members were caught) were collecting the names of the serious Vietnamese applicants (currently in Vietnam) who were ready to pay the almost $20,000 ransom – CZK 380,000 – to the Voronin brothers. The Vietnamese Czech members of the gang organized all the plans for the comfortable transfer of the Vietnamese folks to Czechia and brought the money that were sent remotely to the Voronin brothers. The Russians always had different clothes to make the search harder: the Czech intelligence officers are so smart that they can even distinguish a shirt from a sweater. ;-)

From the meeting with their Vietnamese Czech collaborators, the Russian Czech bosses took CZK 380,000 (almost $20,000) per applicant, along with the names and other data that they filled into the web page that they had hacked. In 2011 and 2012, no long-term visas were granted because of some policy decisions but the system was restarted in 2013 and between 2013 and 2018, about 300+ applications were granted every year. In those 6 years, they granted some 2,000 applications and earned CZK 760+ million crowns – over $30 million – if not much more so. The Visapoint was only shut down in late 2017.

Now, a bright reader like you has surely asked: if the system was shut down in 2017, how could they sell the 308 visa applications in 2018? Well, it's simple. The web page was replaced by another system with a telephone number, 84 232 321 378 (in Vietnam) if you want to give it a try. And they hacked the telephone number as well! They created a private switchboard that was constantly dialing that telephone number so that everyone else who tried to contact it got an "unavailable" response. Cool, up to technical differences, it worked just like in the case of the web page. The Voronins simply privatized it.

We, the alumni of MFF UK, are generally bright, aren't we? But as Marián says, there exist different levels of brightness and the Voronins didn't have to be "too" bright. Their system is simple and maybe even alumni of less prestigious schools could have built it LOL. They simply had a program that defeated a particular, primitive enough CAPTCHA system, and inserted their "copy" of the visa application process as a new link into the real one. Aside from the CAPTCHA-beating program, you don't need anything else. And the second, telephone-based hacking was even simpler, especially for the guys who were already dollar millionaires at that moment.

I think that the lessons are the following ones:

1) As Marián says, the government is a terribly incompetent entity when it has to deal with some clever hackers or similar criminals. For these systems to be safe, the government really has to hire good security/IT experts. But how "good" is "good enough"? In most cases, they only pick a "good enough" security expert that can go through some superficial tests and please other bureaucrats (or some voters?) who aren't terribly competent, either. Some random people who are friends with the minister or the officials get the nicely paid task to create the software at the ministry (of foreign affairs, in this case). But the "market" can always produce better experts than the nepotist government bureaucracy – in this case, the "market" has produced the Voronin brothers. So it is rather likely that the system may be hacked simply because the hackers represent "capitalism" and "free competition" – which are better expert than those coming from the "socialist" and nepotist government bureaucracy.

2) There are lots of systems where the e-government could look helpful but they might be abused by similar criminals. Elections, taxation, doing this and that. While the e-government looks like a very progressive idea, there simply are great risks that the mindless "progressives" – even "progressives" of this technical sort – deliberately overlook. One should be careful. The mean value of the "costs and damages" may easily surpass the mean value of the "benefits".

3) Aside from the computer incompetence, what's amazing is that there wasn't even any "rough human supervision" because the system could work in a completely corrupt, privatized way for six damn years. No one has noticed that every single new Vietnamese immigrant in six long years has paid a mysterious $20,000 fee.

4) A "positive" twist: When the Voronin brothers "privatized" the system, wasn't it actually working better than before? It is really a "market" solution that replaced the previous one. Maybe when the demand is high, there should be a higher price. They made it clear that the Vietnamese are willing to pay almost $20,000 for the application. Doesn't it mean that the government should actually collect this fee? Shouldn't the government always try to look for fees that are comparable to what the "market solutions run by criminals" would suggest? Shouldn't the government ultimately try to earn as much money as possible as well? And shouldn't the activity similar to the Voronin brothers' and their Vietnamese Czech collaborators be legalized? Shouldn't this visa granting process be given to some folks who can do it most efficiently? Is there anything wrong about selling the visas to the richest Vietnamese?

Such questions and potentially original – or radically conservative – solutions aren't being discussed in the election campaign. They're probably too complex for the voters. But the real problem is that they're too complex for their elected representatives, too. Many similar bad things may happen.

The Voronin brothers should get up to an 8-year prison term. Let's hope they won't be freed. It's a long time but if they stored their $30+ million somewhere and safely, isn't it ultimately a good deal for them? If the people were offered to live in a prison – I guess not a terribly inhuman prison – for 8 years and then to get $30 million for that "work", wouldn't you find lots of people who would accept the deal? Many regular people live lives that don't differ from a prison too much and they get just $100,000 for the very hard work in those 8 years. Why wouldn't $30 million for 8 years of "not so hard work" be considered better?

There are many questions here and the system is so much shaped by the incompetent and corrupt people – who aren't subject to any real supervision – that we may get lots of very problematic answers. Well, aside from the $30 million that the Voronins didn't quite deserve, nothing terribly serious has happened here. Czechia has gotten some 2,000 new "higher society" Vietnamese in those 6 years – which may be a good thing. The immigration from the truly problematic – especially Islamic – world is clearly larger and more harmful – even if the people who "owned" that migration procedures are less good IT experts than the Voronins.

No comments:

Post a Comment