A real-life version of The Matrix is taking place amongst us each and every day.

Like many ordinary students, RD, a finely featured 22 year-old, rides a bicycle to school and on errands around town. Upon returning home, however, he takes on the guise of a seriously gifted computer hacker to tamper with the personal Internet banking electronic transfer information of private individuals.

It's 1 a.m. and Kaohsiung denizen Peter cautiously logs onto his personal Internet bank account as he prepares to transfer a NT$10,000 installment payment to the account of an Internet vendor. After repeatedly verifying his inputs of the three key digital entries – the bank's routing number, the account number and the amount of the transfer – he hits send, and the web page displays a "transaction completed" message. His mind now at ease, Peter hits the sack, completely unaware that his funds have now been transferred into a dummy account RD has set up.

The following day, the exasperated vendor contacts Peter complaining that they have not received his payment, and the two sides proceed to argue endlessly over the telephone.

Far off in Taipei, RD has slipped a Trojan horse program into Peter's computer, and even though Peter's monitor declares that the electronic transfer information is correct, RD has already stealthily swapped it for his dummy account, so the bank won't ever be the wiser that the data has been tampered with.

It's late July at the biggest annual hacker's convention in Las Vegas, U.S.A. and a shaven-headed hacker dressed in black calling himself "Jack" is on stage incessantly tapping away on a keyboard as an automatic teller machine (ATM) off to the side spits out a continuous stream of bank notes in rhythm with Jack's keystrokes. The assembled crowd of hackers cheers wildly as banking information security officers in the crowd break out in a cold sweat.

Two years ago Jack bought two ATMs and figured out how to breach the ATM technology using a flash drive disk and remote terminal software, allowing him to bypass the ATM's tight security and get the machine to spit out cash at will.

In early July at Taiwan's biggest annual hacker's convention, a certain university professor led a team in demonstrating the use of just a netbook and a wireless antenna transmitter/receiver assembly to tamper with the new stored value technology used in "Easy Cards," allowing him to remotely and covertly alter the amounts of other people's Easy Cards within a radius of 10 meters.

In the eyes of gifted hackers, what the ordinary person perceives as the impenetrable defenses of Internet banking transactions are full of holes. Yet in any event, hackers are loathe to launch attacks on the highly secure mainframes of banks, preferring to go after the virtually undefended end terminals of individual users. Just when we are enjoying the convenience the Internet offers, hackers are finding it ever more convenient to ensnare all of our computers.

Even if you don't use Internet banking and never buy anything online, your personal data can be compromised through other channels, among them, hospital registration systems.

Mrs. Chang, a 60-something from Taipei suffering from cardiovascular disease, completed online registration procedures for an appointment at a major hospital the next morning. Later in the afternoon following her appointment, she received a phone call from someone identifying themselves as a staff doctor at the hospital who proceeded to cordially inquire whether the prescriptions she'd had filled earlier in the day were proving beneficial and further informing her that the hospital had another particularly effective medication that she could directly purchase through electronic ATM transfer.

Mrs. Chang was very nearly the victim of a successful scam.

"Of course I believed this'doctor,' because he knew everything about the medication I was taking," she says.

Virtually any one of us can fall prey to a hack. In Taiwan an average of two people every hour are the victims of an electronic scam due to personal information being compromised.

Even though major companies with massive amounts of customer date on file install layer upon layer of firewalls to block the leaking of personal information, it's "only outside hackers that are easy to dodge, while internal thievery is hard to prevent." As one information security consultant reveals, among the cases of corporate leaks of personal information he has handled, more than 60 percent have been "inside jobs" involving company employees. In June 2009, for example, the personal information of more than 8,000 customers of online retailer ETMall was leaked in a case that ultimately resulted in the apprehension of a company employee. By then, however, more than 100 of those customers had been fleeced.

Firms Taking Personal Info Security Lightly

Two year ago the National Police Administration's Criminal Investigation Bureau broke the nation's biggest-ever case of personal data hacking, involving the worldwide leak of more than 50 million pieces of personal data on Taiwanese residents, providing international hackers and electronic scamming groups with names, addresses, telephone numbers and other personal information.

With leaks of personal information resulting in a proliferation of electronic scams, this may just be the most rampant criminal activity in Taiwan. Yet it is extremely rare that cases result in arrest. Police investigation units are even urging victimized businesses and individuals not to even bother reporting such incidents, because the perpetrators cannot be caught, and even if they are caught, there's no way to shut them down. Why?

In many cases of illegal accessing of personal information, the data has been stored on overseas website servers, so even if the government tracks it down, there is no way to retrieve it.

"Once personal information has been leaked it will be continually duplicated; there's just no way to put a stop to it," says Digital United Information Security Service vice president for research and development Chang Yu-min.

For example, anyone can now go online to track down the information on the ETMall customers whose personal information was leaked. Each MS Excel file contains 4,000 sets of customer data, with details including names, ID numbers, birthdays, addresses, home phone numbers, mobile phone numbers, credit card numbers and their corresponding issuing banks and expiration dates as well as purchase histories.

"All you need to do is get hold of the information and you can start making online purchases," says Irving H.C. Tai, general director of the Science & Technology Law Center of the Institute for Information Industry (III).

Yahoo! Auction/Shopping, Ruten Auction, PayEasy, books.com, ETMall, the National Health Service... all have suffered compromised client data resulting in cases of fraud.

"Just name an online business, they've all experienced intrusions by hackers," Chang Yu-min says.

Even more troubling, the broadband network of which Taiwan is so proud has come to be seen as a fatted calf in the eye of international hackers, with large-scale dissemination of Trojan horse and Botnet viruses. It has also become a beachhead for mainland Chinese hacker attacks on international websites.

Readers are perhaps unaware that Taipei has become the world capital for Botnets (see box). According to a survey by anti-virus software vendor Symantec, within a year's time Taipei has gone from Botnet capital of East Asia to Botnet capital of the world, with remote hackers taking control of more than 340,000 computers to conduct criminal activities, while all the while their users remain completely unaware.

Data security website zone-h.org each day updates its log of hacker intrusions into websites in various countries. On August 16th alone, 19,106 websites around Taiwan were hacked.

Slippery Hackers Take to the Clouds

Hacker groups are now moving toward a global division of labor and so-called "cloud computing," making it even tougher for police to track them.

Over the past two years a wave of cloud computing has swept through the global information industry, but hackers were hiding among those "clouds" as early as five years ago.

The targets of hacker attacks has gradually shifted from major large-scale websites to powerful high-performance personal computers with high-capacity hard drives and relatively little security against hacker intrusion. Tens of millions of compromised personal computers, referred to as "zombie computers," have been compromised and fallen under the control of hackers cloud by cloud.

More than 30 percent of the world's personal computers have at one time or another been infected with a Botnet virus. Zombie computers are like soldier ants in the control of hackers, attacking en masse a given major website, paralyzing Internet services with denial-of-service attacks. Zombie computers also propagate themselves like dividing cells, endlessly searching for the next zombie to add to their "downline."

"There's simply no way to scrub all the PCs that have become zombie computers," says hacker Mr. K. "It would be impossible to dispatch a million engineers to eliminate Botnet viruses one by one." The only way would be to disconnect your computer's Internet cable and never go online again, he says.

Challenging Human Weak Spots

While the Internet provides a platform for a high degree of interaction with others, it also draws hackers closer to us. Our passwords, no matter how complex, can eventually be cracked.

Young people enjoy posting photos of their travels and social gatherings on the Internet to share with friends, but at the same time, however, they are potentially "sharing" themselves with hackers.

"Anytime you put information out there on the Internet, there's a risk of it being misused," say Wu Ming-wei, chief product supervisor for Armorize Technologies Inc.

To protect their privacy, people commonly provide incomplete information about themselves on various websites, believing this will keep hackers at bay. But hacker rings can gradually compile partial information scattered across dozens of websites to "construct a more complete profile of an individual through analyzing names, birth dates, gender, means of contact, income and names of family members and then take that information to engage in electronic scams," Wu says.

"Once you connect to the Internet, your hard drive belongs to others," and it's difficult for users to tell whether or not their machines have been accessed, insists Lee Hsang-Chen, director of the National Police Agency's Information System Department.

Mobile Phones: The Next Battleground

And it's not only computers that are vulnerable. Now, even 3G smart phones and public terminals at convenience stores can be implanted with Trojan horses to steal personal data.

With the soaring popularity of these 3G smart phones over the past two years, iPhone and Android users have been downloading massive numbers of software "apps," some of which are sourced free of charge from murky developers and can constitute a backdoor for stealing personal information.

Some of these downloadable smart phone apps cause virus infections, transmitting in real time such secret personal information as data transfer logs, daily planners, call records and photos across 3G or wireless networks to software company servers in China.

"If you see a simplified Chinese smart phone app from a software developer in China, by all means avoid downloading it," advises hacker RD, who specializes in mobile phone data security.

While you enjoy the ease of the Internet and wireless communications, don't neglect data security for the sake of convenience. Always be on guard – the hackers are watching you.

Translated from the Chinese by Brian Kennedy

---

Botnet Viruses

Botnet viruses infect computers through email, instant messaging software and security leaks in computer systems. 

Like worms, Botnet viruses hide in computers and gradually spread through other machines in the same network, actively seeking holes in other computers' security systems to exploit. Ultimately, they form massive networks of zombie computers that can number in the millions and are remotely controlled by criminal rings, sending massive numbers of spam emails and carrying out attacks on websites.