Sunday, October 30, 2005

RFID, Abuse in the Private Sector?

"How would you like it if, for instance, one day you realized your underwear was reporting on your whereabouts?" California State Senator Debra Bowen.

RFID (Radio Frequency ID) has hit the news with the technology being introduced into U.S. passports. Because of this, I decided to research the controversy and did so in a previous post: RFID, A Necessary Evil; or an Invasion of Privacy?

This second post is meant to focus on the privacy issues (controversies) that surround this technology. While it has real security and supply-chain potential, the potential for abuse is also great.

I suppose the use of these tags is inevitable; however, we need to be proactive in developing legislation designed to prevent their abuse. Legislation rarely keeps up with technology, and historically there has been substantial abuse of other technologies, such as adware/spyware and keyloggers, which have been used both illegally and, because of a lack of legislation, legally to invade personal privacy.

Simson L. Garfinkel wrote an article about this in "The Nation." Here are some excerpts:

So why did the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations ask for a voluntary moratorium on RFID technology in consumer goods? Because this use of RFID could enable an omnipresent police surveillance state, it could erode further what's left of consumer privacy and it could make identity theft even easier than it has already become.

RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.

Mr. Garfinkel's conclusion, which seems very sound, was:

Companies that are pushing RFID tags into our lives should adopt rules of conduct: There should be an absolute ban on hidden tags and covert readers. Tags should be "killed" when products are sold to consumers. And this technology should never be used to secretly unmask the identity of people who wish to remain anonymous.



For the complete article by Mr. Garfinkel, go to: The Nation: The Trouble with RFID.

Again, I used my friends at "Wikipedia" to find some examples of potential abuse that have already occurred:

The potential for privacy violations with RFID was demonstrated by its use in a pilot program by the Gillette Company, which conducted a "smart shelf" test at a Tesco in Cambridge. They automatically photographed shoppers taking RFID-tagged safety razors off the shelf, to see if the technology could be used to deter shoplifting.

In another study, uncovered by the Chicago Sun-Times, shelves in a Wal-Mart in Broken Arrow, Oklahoma, were equipped with readers to track the Max Factor Lipfinity lipstick containers stacked on them. Webcam images of the shelves were viewed 750 miles (1200 km) away by Procter & Gamble researchers in Cincinnati, Ohio, who could tell when lipsticks were removed from the shelves and observe the shoppers in action.

In January 2004 a group of privacy advocates was invited to METRO Future Store in Germany, where an RFID pilot project was implemented. It was uncovered by accident that METRO "Payback" customer loyalty cards contained RFID tags with customer IDs, a fact that was disclosed neither to customers receiving the cards, nor to this group of privacy advocates. This happened despite assurances by METRO that no customer identification data was tracked and all RFID usage was clearly disclosed.

The controversy was furthered by the accidental exposure of a proposed Auto-ID consortium public relations campaign that was designed to "neutralize opposition" and get consumers to "resign themselves to the inevitability of it" whilst merely pretending to address their concerns.

The standard proposed by EPCglobal includes privacy related guidelines for the use of RFID-based EPC. These guidelines include the requirement to give consumers clear notice of the presence of EPC and to inform them of the choice that they have to discard, disable or remove EPC tags. These guidelines are non-binding, and only partly comply with the joint statement of 46 multinational consumer rights and privacy groups.

If readers are easily accessible, or not properly protected from theft, there is also the potential that identity thieves could scan personal information. Whether this is feasible is a matter of great debate, but as with all technology, even if it isn't feasible now, how long will it take for someone to find a way to do it?

Saturday, October 29, 2005

Advance Fee Loan Scams

I was reading "Ask the Private Investigator," a blog that is linked to mine, and saw a post on Advance Fee Scams taking another "twist," or mutation. From there, I did a "news search" on Yahoo and found an article by Stephanie Zimmerman of the Chicago Sun-Times dated October 24th on this very subject.

Ms. Zimmerman writes:

"The loan approvals seemed like the end to their troubles, but little did two suburban women know, they were about to get even deeper in debt.

Sadly, they were not alone: More than 4.5 million Americans were said to have lost money to advance-fee loan schemes last year in an old ripoff that's seen a resurgence in Chicago and nationally. So-called loan brokers -- often people based across the border in Canada -- tell consumers they have been approved for a loan, then ask them to pay a "security fee" to guarantee they will make their monthly payments.

Once the money is wired, the "loan" disappears.

"We are hearing on a daily basis from people who have lost money to advance fee loans," said Steve Bernas, vice president of the Better Business Bureau of Chicago and Northern Illinois."

Most of the solicitations (ads) target people who have bad credit and promise loans even to those in bankruptcy. The ads are being found in "classified sections" and on the internet. The recently reported scams come out of Canada, which, more and more, is becoming an origin point for advance fee activity.

The FTC also has some recommendations on what to look for:

Don’t pay for the promise of a loan. It’s illegal for companies doing business by phone in the U.S. to promise you a loan and ask you to pay for it before they deliver.

Requiring advance fees for loans also is illegal in Canada.

Ignore any ad — or hang up on any caller — that guarantees a loan in exchange for a fee in advance.

Remember that legitimate lenders never guarantee or say that you will receive a loan before you apply, or before they have checked out your credit status or contacted your references, especially if you have bad credit or no credit record.

Don’t give your credit card, bank account, or Social Security number on the telephone, by fax, or via the Internet unless you are familiar with the company and know why the information is necessary.

Don’t make a payment to an individual for a loan; no legitimate lending organization would make such a request.

Don’t wire money or send money orders for a loan through Western Union or similar companies. You have little recourse if there’s a problem with a wire transaction. Legitimate lenders don’t pressure you to wire funds.

If you are not absolutely sure who you are dealing with, get the company’s number in the phone book or from directory assistance, and call it to make sure you’re dealing with the company you think you are. Some scam artists have pretended to be the Better Business Bureau or another legitimate organization.

Check out questionable ads by calling Project Phonebusters in Canada toll-free at 1-888-495-8501. If you live in the U.S. and think you’ve been a victim of an advance-fee loan scam, report it to the FTC online at http://www.ftc.gov or by phone, toll-free, at 1-877-FTC-HELP (1-877-382-4357).

Advance Fee Scams seem to mutate continuously. With ever-growing numbers of people gaining access to the internet, there is a larger pool of victims to be harvested by cybercriminals. Unfortunately, as this pool grows, we are now seeing the less fortunate (people who already have financial problems) being taken advantage of.

You can read Stephanie Zimmerman's article at:

http://www.suntimes.com/output/news/cst-nws-loan24.html

For the FTC publication on this matter, click on the title of this post.

Friday, October 28, 2005

RFID, A Necessary Evil; or an Invasion of Privacy?

With the State Department's (United States) announcement of adding RFID (Radio Frequency ID) chips to passports, the controversies surrounding this technology are again making headlines. Please note that other countries, especially in the European Union are also implementing RFID technology for identification purposes.

The Pakistan Passport Authority is already using RFID tags in its passports. This might be an interesting place to study their effectiveness, because Pakistan continues to be a sanctuary for terrorists and is known to be an origin and transshipment point for a lot of drug smuggling.

In recent years, RFID has been the "buzz word" in the security industry; however, there are those who challenge its long-term effectiveness. There are also those who fear that it will be abused, violating our right to privacy, and even others from the religious community who fear RFID is the mark of the beast mentioned in the Book of Revelation (Revelation 13:16).

The definition of RFID in Wikipedia is "an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source."

The proverbial question is whether RFID is a necessary means of protecting ourselves, or whether in the end the technology will be abused to violate privacy, as spyware and adware already have.

This technology has been around for a while. Currently, Wal-Mart and the United States Department of Defense are using it to manage their supply chains, as well as to prevent pilferage and theft. With decreasing costs, we can expect to see a lot more of this technology deployed by both the private and public sectors in the near term.

Besides being used for identification, RFID tags are being used as quick pay devices for fuel and tolls, theft tracking devices, to track animals and there have even been some implanted in humans.

Some of the security concerns already raised are that if the ability to read tags is too universal, they could pose a risk to personal location privacy, especially in corporate/military environments. Another concern raised by privacy groups is RFID devices embedded in products (and not removed at purchase) that could be read and tracked wherever a compatible reader is installed. Because of this, they could be used for so-called "marketing" purposes that invade personal privacy.

There are also concerns that these "tags" could be cloned.

If these tags could be cloned, they could be used to produce false identification, which is alarming considering the technology is being used for high-security applications like "proximity cards used to access secure facilities, or vehicle immobilizer anti-theft systems which use an RFID tag embedded in the vehicle key. It is also a problem when RFID is used for payment systems, such as contactless credit cards (Blink, ExpressPay), the ExxonMobil Speedpass, and even in RFID enhanced casino chips."

"With wireless technology, RFID tags can be scanned from afar. Because of this, there is even more potential for abuse than the reencoding of magnetic stripe technology. There are defenses built into these tags, which fall into two categories: "RF-based" defenses and those that use cryptographic protocols. A typical example of the "RF-based" defense relies on the fact that passive RFID tags can only be activated by a reader in close proximity, due to the limited transmission range of the magnetic field used to power the tag. RFID manufacturers and customers occasionally cite this limitation as a security feature which (intentionally or otherwise) has the effect of limiting scanning range. However, while this approach may be successful against direct tag scanning, it does not necessarily prevent "eavesdropping" attacks, in which an attacker overhears a tag's response to a nearby, authorized reader. Under ideal conditions, these attacks have proven successful against some RFID tags at a range of more than sixty feet."

"A second class of defense uses cryptography to prevent tag cloning. Some tags use a form of "rolling code" scheme, wherein the tag identifier information changes after each scan, thus reducing the usefulness of observed responses. More sophisticated devices engage in challenge-response protocols where the tag interacts with the reader. In these protocols, secret tag information is never sent over the insecure communication channel between tag and reader. Rather, the reader issues a challenge to the tag, which responds with a result computed using a cryptographic circuit keyed with some secret value. Such protocols may be based on symmetric or public key cryptography. Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited. This cost/power limitation has led some manufacturers to implement cryptographic tags using substantially weakened, or proprietary encryption schemes, which do not necessarily resist sophisticated attack."
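The cloning concern and the two quoted defences come down to one question: is an overheard tag response reusable? The following Python simulation is an added example, not part of the Wikipedia text or of this post. It pits a static-ID tag, a rolling-code tag and a challenge-response tag against an eavesdropper who records one legitimate exchange and replays it. The shared key, the EPC-style identifier and the HMAC-SHA256 construction are assumptions chosen for the demonstration; real low-cost tags use far cheaper, often proprietary circuits, which is exactly the weakness the quoted text warns about.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed shared secret for the demo; real tags hold a per-tag key.
DEMO_KEY = b"demo-shared-secret-for-illustration"
# Constructed EPC-style 96-bit identifier; not a real product code.
DEMO_UID = bytes.fromhex("300833b2ddd9014000000001")

class StaticTag:
    """Fixed identifier (EPC / simple prox card): one recording is a clone."""
    def __init__(self, uid: bytes) -> None:
        self.uid = uid
    def respond(self, challenge: Optional[bytes] = None) -> bytes:
        return self.uid

class RollingCodeTag:
    """Identifier changes every scan: a counter plus a MAC over it."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0
    def respond(self, challenge: Optional[bytes] = None) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()

class ChallengeResponseTag:
    """The secret never crosses the air: the tag MACs a reader-chosen nonce."""
    def __init__(self, key: bytes) -> None:
        self.key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Reader:
    """Verifier side for all three tag types."""
    def __init__(self, key: bytes, known_uid: bytes) -> None:
        self.key = key
        self.known_uid = known_uid
        self.last_counter = 0  # highest rolling-code counter accepted so far
    def verify_static(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self.known_uid)
    def verify_rolling(self, response: bytes) -> bool:
        ctr_bytes, mac = response[:4], response[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()
        counter = int.from_bytes(ctr_bytes, "big")
        if not hmac.compare_digest(expected, mac) or counter <= self.last_counter:
            return False  # bad MAC, or a counter already used -> replay
        self.last_counter = counter
        return True
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh random nonce per read
    def verify_challenge(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def replay_attack() -> Dict[str, bool]:
    """Eavesdropper records one tag response and replays it later.
    Returns, per scenario, whether the reader ACCEPTED the replay
    (True means the recording worked as a clone)."""
    reader = Reader(DEMO_KEY, DEMO_UID)
    results: Dict[str, bool] = {}

    # Static tag: the overheard UID is the whole credential.
    static = StaticTag(DEMO_UID)
    overheard = static.respond()
    reader.verify_static(overheard)                      # legitimate read
    results["static"] = reader.verify_static(overheard)  # attacker replays

    # Rolling code A: reader saw the genuine exchange; the later replay
    # carries a counter the reader has already accepted -> rejected.
    rolling = RollingCodeTag(DEMO_KEY)
    overheard = rolling.respond()
    reader.verify_rolling(overheard)                     # legitimate read
    results["rolling_replayed"] = reader.verify_rolling(overheard)

    # Rolling code B: attacker jams the reader so the genuine response never
    # arrives, then replays it -> counter still fresh, accepted. This is why
    # the text says rolling codes only *reduce* the value of observed responses.
    jammed = rolling.respond()                           # reader never sees it
    results["rolling_intercepted"] = reader.verify_rolling(jammed)

    # Challenge-response: the recorded answer matches only the old nonce.
    cr = ChallengeResponseTag(DEMO_KEY)
    nonce = reader.challenge()
    overheard = cr.respond(nonce)
    reader.verify_challenge(nonce, overheard)            # legitimate read
    fresh_nonce = reader.challenge()
    results["challenge_response"] = reader.verify_challenge(fresh_nonce, overheard)
    return results

if __name__ == "__main__":
    for scenario, accepted in replay_attack().items():
        print(f"{scenario:22s} replay accepted: {accepted}")
```

Running it shows the static identifier accepted on replay, the rolling code rejected once the reader has seen that counter but accepted when the attacker kept the genuine response from reaching the reader, and the challenge-response recording useless against a fresh nonce. What the simulation does not model is equally important: the sixty-foot eavesdropping range, and a weak proprietary cipher that would let the key itself be recovered from the overheard transcripts, after which even challenge-response offers no protection.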

Last, but not least, there are "social" factors to be considered. Even with the best technology available, we have seen many technologies that are supposed to protect us get "hacked." In the past couple of years, we have also seen massive data intrusions, many of which were accomplished by simple theft and/or insider collusion.

In fact, a lot of the organized gangs committing fraud today have access to a lot of displaced "highly educated" computer scientists, who already assist them in hacking technology at every turn for criminal purposes. This is especially true of the area formerly known as the Soviet Union, where a lot of these gangs are based.

One of the reasons we are considering this technology is certainly the 9-11 attacks. We can implement the best technology available; however, unless it is worldwide, the "bad and the ugly" will be able to obtain identification based on other identification. In fact, several of the 9-11 attackers did just this in Virginia. In other words, it probably wouldn't have made any difference if RFID technology had been in place before the 9-11 disaster.

Technology is merely a tool. Even though it continues to amaze me how quickly it advances, it doesn't replace the human mind. While RFID technology is a tool we can use for our protection, we must continue to examine whether it has the potential for abuse.

TrustWatch Search Engine

There is a new free search engine designed to protect people from fraud, phishing and financial misdeeds on the internet.

"GeoTrust, Inc., a leader in identity verification solutions for e-business and a leading issuer of digital certificates for web security, today announced an expanded set of features for TrustWatch(TM) Search, the first free trusted search service aimed at helping consumers avoid becoming victims of web-based fraud, identity theft and phishing scams. In its initial release, the TrustWatch Search service verified sites that were secure for e-commerce and confidential transactions; now, the service verifies many content sites as well. Additionally, Certified Store rating data from CNET is displayed within TrustWatch to allow consumers to consider additional data when evaluating online merchant sites."

"Sites that can be verified receive a green "verified" rating; sites that do not have enough data to be verified, but are not known to be fraudulent, receive a yellow "not verified" rating; and known fraudulent sites display a red "warning" rating. If a site is deemed to be both verified and secure for the exchange of confidential data, it receives a lock icon next to the green verification rating."

If anyone would like to take a look at it go to: http://www.trustwatch.com/.

According to their press release: "TrustWatch Search also works with leading providers of blacklist data, such as Cyota and the Anti-Phishing Working Group, to alert consumers to fraudulent sites. TrustWatch Search uses Ask Jeeves search technology to provide search results."

Another good feature of this site is that the average person can report suspicious sites. The average fraudulent website is normally only up for a matter of days, and since TrustWatch shares and reports its information, this could become a valuable "intelligence" resource that aids awareness, investigation and prosecution. As always, I highly recommend and encourage people to report suspicious activity.

Unfortunately (for me), this site only has a "yellow" (not verified) rating thus far. Maybe one of these days, I will get a "green rating."

To read the entire press release, click on the title of this post.

Friday, October 21, 2005

419 From the Other Side of the Fence

There is an interesting article by Robyn Dixon of the LA Times, who interviewed an alleged former 419 (Advance fee fraud) scam artist named Samuel. He describes a murky world of cybercafes, where the Nigerian fraudsters congregate and send out the infamous e-mails. According to the article, "they even have an anthem, 'I Go Chop Your Dollars,' hugely popular in Lagos, which hit the airwaves a few months ago as a CD penned by an artist called Osofia":

"419 is just a game, you are the losers, we are the winners.

White people are greedy, I can say they are greedy White men, I will eat your dollars, will take your money and disappear.

419 is just a game, we are the masters, you are the losers."


For the video, click here.

Samuel goes on to describe the long lost riches and the dating scams, as well as the money some have made off these schemes. You can read the entire article by going to:

"I Will Eat Your Dollars"

The lyrics of this song might be offensive to some, but it is probably reality to many in Nigeria.

Quite simply, in Nigeria, 419 is a means to escape poverty. For years, foreign companies have made themselves and a "select" few Nigerians extremely rich (via vast oil reserves). Meanwhile the majority of the population lives in conditions that would make a "welfare recipient" in the West appear wealthy. In fact, the CIA estimates that 70 percent of the country lives in poverty, despite the fact that they are a member of OPEC and the eleventh largest producer of petroleum in the world.

To a Nigerian, their perception of these companies is probably just what the song states, or "greedy white men."

There is another headline that has been hitting the press about Microsoft and the Nigerian government working together to end scams. Neil Holloway (President, Microsoft Europe) said "It's the first-ever agreement Microsoft has signed with an African country to aid law enforcement efforts. Microsoft's aid will include providing information to law enforcement in addition to training. The company has already been working with Nigerian authorities over the last three to six months. We think we have a responsibility to make an impact in this particular area."

Hopefully, the Microsoft computer security types have received additional training in self-defense, or have been augmented by other security types, preferably former special forces personnel. Here is the latest travel warning: U.S. State Department's Travel Warning - Nigeria. My understanding is that the oil companies, which have billions invested in Nigeria, have a large budget for security there.

The Nigerian government has also made numerous headlines lately in its battle against 419. Numerous arrests have been made, and money has even been returned to victims. After years of bad press (a lot of it from 419), they do seem to be taking measures to improve their image in the world.

Still, the majority of the people live under conditions we couldn't even imagine in the West. I fear that if this problem (which is probably the root cause) is allowed to continue, there will always be a steady stream of willing recruits into this seedy business.

Unfortunately, these actions by the Nigerian government and Microsoft only address the suffering created in the West by 419.

If we really want to address the problem of 419 in Nigeria, we probably should take a look at putting pressure on the government over there to provide a better standard of living for its people. I would challenge all the foreign companies doing business in Nigeria (particularly in the petroleum industry) to take this to heart.

Microsoft is a newcomer in Nigeria, and there is no doubt they are doing a lot of charitable work around the world. I salute them in their efforts and hope their partnership with the Government of Nigeria reduces the amount of suffering created by 419. I would hope that Microsoft (and others) also take the time to address the reason that 419 is a means of escape for many young Nigerians, like Samuel.

It would be sad that if in the end, they "too" were perceived as "greedy white men."

If anyone is interested in a Nigerian view of corruption in Nigeria, click on the title of this post.

For some of the bad press on the internet regarding 419, here are some sites courtesy of the 419 Coalition (US) :

419eater.com
419 Fraud (US)
419 Legal (South Africa)
419letter.org
African Anti-Fraud Control Agency (AAFA) (Norway)
Africaservice.com (Norway)
American Association of Retired Persons (AARP) (US)
AnthonyParsons.com
Anti African Scam Commission
Artists Against 419 (US)
Australian Institute of Criminology
Avant Solutions Inc. (US)
BankersOnline.com (US)
Bart De Wolf's Site (El Salvador)
Brian Wizard Inc. - 419 Novel Available Now - (US)
BusinessInAfrica.com (US)
California Society of Certified Public Accountants (US)
Canadian Council of Better Business Bureaus
Classic Car Fair (New Zealand)
ConsumerAffairs.com (US)
Consumer Protection Association of America
Crimes of Persuasion (US)
Data Wales (Wales, UK)
Delaware Scam Victims (US)
eBay Scamkillers (US)
Economic and Financial Crimes Commission (EFCC) (Nigeria)
Edofolks.com (Nigeria)
Email Scams and Frauds (Dr. Robert J. O'Hara's site) (US)
Fighting back at Nigerian 419 Advance Fee Fraud Scammers (UK)
Financial Scandals Website (UK)
Forensic Services SA (South Africa)
FraudAid (US)
Freeman Institute (US)
G2 (US)
Globrocks Information Systems (US)
GreaterThings.com (US)
I Need a Trustworthy and Honest Business Partner (Denmark)
Idaho Department of Finance (US)
InterGOV (US)
International Investigation Services (IIS) (Iceland)
Internet Crime Prevention and Control Institute (US)
Internet Fraud Complaint Center (IFCC) (US)
Internet Scambusters E-Zine (US)
Involution.Org (US)
Lads Of Lagos (US)
London Metropolitan Police (UK)
Loss Prevention Concepts Ltd. (US)
Ministry of Fair Trading, Government of Western Australia
Money From Africa Letter Collection (Poland)
Monitor das Fraudes (Brazil-Portuguese Language)
Monks of Adoration (US)
Motherland Nigeria (US)
Mr. Ugo Watt's Scam Baiter Pages (UK)
National Association of Credit Management (NACM) (US)
National Criminal Intelligence Service (UK)
National Fraud Information Center - Internet Fraud Watch (US)
Nigeria 419 Scam (US)
Nigeria Master Web (Nigeria)
Nigeria Scam Alert (US)
Nigerian Business Proposal (.com) (US)
Nigerian Fraud Email Gallery (US)
NigerianGemScam.com (US)
Nigerian Letters (Australia)
Nigerian Nightmare (US)
Nigerian Scams (WONST) (US)
Nigerian Spam.com (India)
Offshore Finance Canada Magazine/Ezine (Canada)
PeaceProject (US)
Pennsylvania Attorney General (US)
Phonebusters (Canada)
Policia Judiciaria (Portugal-Portuguese language)
Poppage1 Site (Canada-India)
Popsubculture.com (US)
Quatloos! (US)
Quatrocantos.com (Brazil-Portuguese Language)
Regulatory Intelligence Agency (RIA) (Vanuatu)
Romance Scam 419 Yahoo Group (US)
RCMP/GRC Royal Canadian Mounted Police (English & French language)
Scam.com (US)
Scambuster419.co.uk (UK)
Scam o Rama (US)
Scams.net (US)
ScamWatch (US)
Scam Victims United (US)
Scott Bidstrup Site - Onsite Personal Viewpoint on Nigeria (US)
Sierra-Leone.org (Sierra Leone)
Silicon Valley Business Law (Law Offices of Thomas Gross) (US)
Snopes.com Urban Legends Reference Pages (US)
South African Police Service (South Africa)
Southwest Georgia Com (SOWEGA.COM) (US)
Spam, Scams and Hoaxes (US)
Stentorian.com (US)
Stop 419s (UK)
StorOslo Sikkerhetstjeneste AS (Norway)
Svensk 419/Nigeriabrev-site (Sweden-Swedish Language)
The Big Scam (Sweden)
The Internet Project (TIP) (Australia)
The Nigerian Scam Buster
The Nigerian Muse (Dr. Mobolaji Aluko) (US & Nigeria)
TheThin.net (US)
United Nigeria Association Tulsa (UNAT) (US)
United States Department of Commerce International Trade Administration
United States Department of State Bureau of Consular Affairs
United States Department of State Bureau of International Narcotics and Law Enforcement
United States Department of the Treasury FinCEN
United States Embassy Nigeria
United States Federal Bureau of Investigation
United States Federal Trade Commission
United States National Archives and Records Administration
United States Postal Service
United States Secret Service
United States Senator Russ Feingold
Venture Research Institute (US)
Virginia Attorney General
War On Spam (US)
Waruno Mahdi's Website (Germany)
Web Police (US)
Whatsthebloodypoint.com (US)
ZYRA.org (UK)

Wednesday, October 19, 2005

Protect Yourself from Spyware

Spyware/Adware programs are all over the place. They are used by big business for marketing, by criminals to steal personal and financial information, or by whoever wants to invade someone's privacy. Most of the programs are legal and easily purchased anywhere, including on the internet.

According to SpyCop, " commercial monitoring spyware is being developed with features that can rival the most advanced FBI wiretap tools. An article by Will Sturgeon of Silicon.com sums it up rather well: "Spyware is becoming increasingly pernicious and sophisticated, according to security experts who are warning that users are still failing to take basic steps to protect themselves against the threat." The mass media, along with Internet bloggers, fail to notice the mounting threat that these products now pose. With the rise in cybercrime, including identity theft, phishing and credit card fraud, it's quite surprising that computer users are still at a loss as to how to protect themselves."

SpyCop has an interesting e-book for those who want to learn how to protect themselves: http://www.nospyzone.com. It points out that, besides Spyware and Adware programs being easily accessible, a lot of so-called protection programs are no better than some of the free programs out there. One of the best free programs is Spybot, which can be downloaded at:

http://www.safer-networking.org/.

Both Spyware and Adware should be illegal, in my opinion. There are too many opportunities for it to be used to victimize people and too many examples of it doing so. Here is an interesting site, which shows legislation and litigation regarding this from the Center for Democracy and Technology:

http://www.cdt.org/privacy/spyware/.

Of course, I always recommend letting your elected officials know how you feel.

In the United States go to:

http://www.house.gov/writerep/.

In the United Kingdom go to:

http://www.locata.co.uk/commons/.

If anyone has information for other countries, please feel free to add it on a "comment" to this post.

Monday, October 17, 2005

Ask the Private Investigator

There are a lot of sites on fraud, and I've looked at quite a few of them. Here is one I consider noteworthy, by John Dierckx, Corporate Risks New Zealand. John is a Private Investigator who is not only well rounded in investigations, but also specializes in computer crime (cyber-investigations).

What I like about this site is that John, who is obviously a very busy and talented investigator, takes the time to share his knowledge with everyone in the interest of protecting people.

Recently, he even wrote a post of interest to bloggers on how not to get into trouble with your employer. His most recent post on Pyramid Schemes is extremely well researched and contains valuable information on how not to become a victim. What's interesting is that he clearly defines the difference between Pyramid Schemes and MLM (Multi-level Marketing). Please note, there are a lot of scams within Multi-level Marketing, also!

To read John's article, click on the title of this post!

Sunday, October 16, 2005

Better Teamwork is an Opportunity

There is an interesting story from the CanWest News Service by Chad Skelton about finding stolen goods on eBay. In the article, it states: "When someone calls this city's police to report they've had something stolen - either in a home break-in or a vehicle smash-and-grab - Sergeant Doug Fisher gives out the same piece of advice, again and again: "Look for your item on eBay."

The story goes on to describe a former high school principal arrested for selling 9,000 items on eBay and a "sophisticated" ring at Toronto's airport that stole millions of dollars worth of goods and sold them....on eBay.

The article notes that eBay "co-operates by pulling down suspect listings when notified, and turning over the names of shady sellers without requiring a warrant." But Fisher added that "it often takes the company 10 to 20 days before they respond to his requests."

In the rapidly changing world of internet fraud, 10-20 days is more than enough time for most criminals to assume another identity and be long gone. Furthermore, fencing stolen goods on eBay is only one part of the problem. Fraudulent financial transactions and the use of fake identities pose major problems, also, not only on eBay but on just about any auction site out there.

There has been an increasing problem of "account hijacking" on eBay, as well as other auction sites. This has been happening with both buyer and seller accounts. Quite simply, the accounts are taken over and fraudulent transactions are "laundered" through the legitimate accounts.

Much of this is accomplished by phishing and pharming the information necessary to take over accounts. The Anti-Phishing Working Group (APWG) in August reported thousands of sites involved in this activity. This gives the criminals involved the ability to switch accounts and identities every few days, if not daily. In fact, the APWG's latest report estimated the average life of one of these sites to be 5.5 days. If Sergeant Fisher has to wait 10-20 days for his request, the crooks are likely to be long gone.

One would think that it would take a fair level of technical expertise to accomplish this level of sophistication, but it doesn't. There are reports that the information needed to perform these crimes is routinely sold in chatrooms and even on websites. Even if the criminal doesn't want to buy the information directly, the technology to do this is being sold (often very cheaply), and from there social engineering takes over.

To add to the confusion of it all, victims are often harvested from all over the internet (chatrooms, dating sites, job sites etc.) to receive the stolen goods and ship them elsewhere. They are also being conned into negotiating bogus financial instruments and wiring the money to a distant locale.

Please note that some of these people might be posing as victims in order to avoid the long arm of the law.

I don't mean to single eBay and the auction sites out in this. The same activity occurs with financial institutions, retailers and even "Google." The specifics might vary, but the activity is basically the same and just as intertwined.

We can't win this battle unless the activity can be detected quickly and then dealt with when it's fresh. The criminals simply change identities and then do the same thing (over and over) again. All too often, there are barriers to rapid communication, jurisdictions that aren't clearly defined and red tape.

Ironically, the concern with protecting information sometimes creates a barrier to the rapid exchange of information between the good guys. Let's face it, the fear of "identity theft" has created heightened awareness and laws that make getting information more difficult. Unfortunately, the bad guys aren't hampered by the same rules.

The laws are necessary to protect the innocent. What is needed is better teamwork, along with safe ways for information to be shared between the people charged with fighting fraud. In addition, as the people charged with fighting fraud are normally understaffed and underfunded, allocating more resources would probably help, also.

My personal theory is that law enforcement, IT and corporate security types need to communicate more effectively and develop resources to facilitate the rapid exchange of information. There are many resources out there to gather information and many of them do communicate with each other. Herein lies the answer and the more they consolidate their efforts, the more effective they will become.

There has been evidence that a lot of the organized gangs involved in fraud are consolidating their efforts and are working in collusion with each other. In fact, when you note all the cooperation on their end, from technology to socializing to logistics, it becomes very apparent. Perhaps the answer is for the good guys to develop a similar strategy, or fight fire with fire!

You can read the story from CanWest, by clicking on the title of this post.

Saturday, October 15, 2005

Criminal Activity on Dating Sites

I was reading an article by Christopher T. Heun (InternetWeek) on the amount of fraud on dating sites. He quotes an industry analyst that approximately 10 percent of the profiles on any given site are fake.

Recently, I've seen victims duped into cashing fraudulent money orders and/or cashier's checks by someone they met in a chatroom or on a dating site. Dating sites are another place where fraudsters go to harvest victims.

In the article, Dan Larkin (Internet Crime Complaint Center) states "People are already going to [dating Web sites] in a somewhat vulnerable position and the bad guys play on that. The reality is, people either don't know they're a victim or don't want to report it."

Dating sites are often used to recruit people into cashing fraudulent instruments and reshipping scams. These involve fraudulent financial instruments, or merchandise purchased with them. They are then asked to ship the merchandise, or negotiate the instrument into cash and wire the money to the fraudster.

In both scenarios, once the transactions are determined to be fraudulent, the victim is often left responsible for the financial loss. Even worse, they might face criminal charges.

Of course, there are also the mail order bride scams that can be found on these sites. Sometimes these scams are also set up on sites created by the fraudsters themselves. Here is an excellent link with information on how to spot these scams:

http://www.dangersofinternetdating.com/mailorderb.htm

A lot of sexual and violent crimes are also initiated on the internet. The "Home Page" of the link above is a really good site for anyone who wants to protect themselves, or someone they know, from the dangers of dating on the internet.

http://dangersofinternetdating.com/

In the busy world of today, there are a lot of people using the internet to find companionship. Whenever something becomes popular, it seems to attract the criminal element. In the end, being aware and informed is probably the best defense against becoming a victim.

Tuesday, October 11, 2005

How to Impact Fraud, Phishing and Financial Misdeeds

In the past couple of years, we have seen massive data intrusions. Here is one of many posts I've done on this: Identity Theft at Large Corporations. Recently, I was reading an article in Wired, which makes a lot of sense. It was written by Bruce Schneier, a well-known security expert.

He makes a valid point, which is that laws that only address criminal activity are only part of the solution. The war against identity theft will never be won until businesses that are entrusted with people's personal information are held accountable for substandard security practices and (in some cases) for selling people's personal information to criminals.

Let's face it, we are in the information age and personal information is routinely sold for a lot of money. Besides marketing, there is a booming spy (be your own detective) market that is largely unregulated. Just about anyone can sift personal information using these programs and even buy "keylogger" software. Keyloggers, which are marketed as a means to spy on your employees, boss, errant child or wife also can be used by identity thieves to steal personal and financial information.

Here is an excerpt from his article:

"Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses. If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work."

Many of these data intrusions were accomplished by simple theft involving deception, or by unprotected data. As a result, many a person has been victimized due to a lack of diligence by entities that were profiting monetarily. As long as these entities continue to get off "cheap" and the criminals have little to fear, this activity is going to flourish.

I think Bruce's observations are right on the money!

To read the article in "Wired" click on the title of this post.

Monday, October 10, 2005

Safe Charity Resources for South Asia Earthquake

The devastation and death toll continues to rise in South Asia. Many of the areas affected (in this mountainous region) are not accessible by roads. In keeping with the theme of my blog, I am providing resources (directly from Yahoo news and the Network for Good), where one can donate safely and ensure that the money gets to the people who need it the most.

As in previous disasters (Katrina, Tsunami etc.), fraudulent charities will probably be set up by people without morals. For my previous post about this go to: Is Fraud Around the Corner in the South Asia Earthquake?

Here is a list of charities, most of which are deploying to the area to assist:

Doctors without Borders
Mobilizing to provide medical assistance, blankets, water, sleeping mats and tents.

International Federation of Red Cross and Red Crescent Societies
Dispatching teams to assess damages and the needs of victims.

International Rescue Committee
Assessing immediate needs on the ground and preparing emergency response.

Mercy Corps
On the ground providing emergency relief, including water and tents.

Oxfam
On the ground assessing the response effort and responding to victims.

UNICEF
Sending emergency staff to distribute aid and make further assessments of the damage.

To go to the "Network for Good" website, click on the title of this post.

Sunday, October 09, 2005

Is Fraud Around the Corner in the South Asia Earthquake?

The death toll in Katrina just recently went over 1,000. Already, the death toll in yesterday's earthquake in Kashmir has reached 20,000. This will cause untold suffering for the people in the Kashmir area, who have lived under the threat of war and terrorist activity since 1947, when Great Britain gave Pakistan and India their independence.

There are reports of rescue teams and ordinary citizens using their bare hands trying to dig survivors out of the rubble.

"President Pervez Musharraf (Pakistan) said there were difficulties reaching remote areas. He thanked foreign countries for expressions of sympathy, but said what Pakistan needed most were blankets and tents, transport helicopters and medicines."

These people deserve our help, and hopefully the world is going to be generous. What I fear is that, as in every disaster we have seen recently, the cyberscum (fraudster) element is already gearing up to siphon off as much of the charity money as they can get their hands on. As I write this, I'm guessing that fraudulent charity websites are probably being designed and domain names (relevant to the earthquake) are being bought up to be later sold to the highest bidder.

Although it hasn't hit the internet yet (to my knowledge), we are probably going to see advance fee fraud (419) letters circulating regarding this. Someone will probably claim to have inherited millions of dollars from a Saudi terrorist killed in the earthquake and will solicit assistance (via e-mail) getting this "fortune" out of the area.

The FTC (Federal Trade Commission) addressed charity fraud in the wake of Katrina and published some helpful tips, which will probably be relevant to this disaster, also. Here they are:
"Donate to recognized charities you have given to before. Watch out for charities that have sprung up overnight. They may be well-meaning, but lack the infrastructure to provide assistance. And be wary of charities with names that sound like familiar, or nationally known organizations. Some phony charities use names that sound or look like those of respected, legitimate organizations.

Give directly to the charity, not the solicitors for the charity. Solicitors take a portion of the proceeds to cover their costs, which leaves less for victim assistance. Do not provide personal or financial information, including your Social Security number or credit card and bank account numbers to anyone who solicits from you. Scam artists use this information to commit fraud against you.

Check out any charities before you donate. Contact the Better Business Bureau's Wise Giving Alliance at http://www.give.org/. Do not give or send cash. For security and tax record purposes, contribute by check or credit card.

Write the official name of the charity on your check. You can contribute safely online through international charities like www.redcross.org/donate."

Ask for identification if you are approached in person. Often, paid fundraisers are required to identify themselves as such and to name the charity for which they are soliciting.

Should you suspect fraud, report it to the authorities. In the United States, you can file a report directly with the FTC at http://www.ftc.gov/.

Please give to the people of South Asia wisely by being AWARE of the "cybercriminals", who would try to profit from the suffering of human beings!

Saturday, October 08, 2005

Fraud Against Elder Citizens

Unfortunately, all too frequently, senior citizens are targeted to become victims of fraud. There are many reasons for this, including that many senior citizens are looking to boost their "nest eggs." This makes them particularly vulnerable to telemarketing fraud, auction fraud and advance fee scams. Another reason they are targeted is that they have well-established credit histories (desirable to identity thieves) and have more liquid assets (access to cash) than other members of society.

The people who prey on our grandparents are, in my opinion, the worst of the worst and deserve to be sought out (aggressively) and punished by the harshest means possible.

There are a lot of resources for our elder citizens and I thought I would take some time and put them together in the spirit of providing resources that inspire awareness. The National Center on Elder Abuse (NCEA) is a very informative site and has a lot of resources to protect senior citizens.

On this site is a great link to report suspected abuse:

"If you suspect elder abuse, or are concerned about the well-being or safety of an older person, report it. Don't hesitate, don't make excuses. Call your state abuse hotline immediately. Click here for State Elder Abuse Hotlines."

Protecting those who have worked hard all their lives to build what we have today is a noble cause and in my opinion, our duty.

The AARP (also) seems to be very active in the fraud prevention (awareness) field and has an excellent page, which can be viewed by clicking on the title of this post.

Friday, October 07, 2005

State of Pennsylvania Unveils Website on Fraud

In the past week, I have been focusing on efforts by politicians to take a bite out of the fraud crisis. The State of Pennsylvania recently put up a website to protect its citizens from becoming statistics.

Below is a press release, directly from the Governor's office:

Governor Edward G. Rendell today announced a new effort to protect consumers and keep them alerted to fraud. The Governor said that the state Department of Banking has created a new, easy-to-use Web site that will provide consumers with instant notification when the Department of Banking takes action against a financial service provider.

"One way to protect consumers is to provide them with up-to-the-minute information on financial service providers," Governor Rendell said. "With this new Web site by the Department of Banking, consumers can sign up for free electronic updates to be kept apprised of any attempt to rip them off."

The new Web site, which went live early this morning, is at www.banking.state.pa.us.

"Unfortunately, there are individuals and companies who want to prey on people," Governor Rendell said. "The information that will be provided through this Web site will empower consumers to make informed decisions about where they do business."

Making people AWARE is a key item in the fight against fraud!

Monday, October 03, 2005

The Social Solution to Internet Fraud

My last post was about trend-setting legislation addressing identity theft being passed in California. To read the previous post go to Terminating Identity Theft in California.

Today, I read an article by James B. Kelleher from Reuters, which demonstrates the need for more of this legislation (worldwide). These laws can go a long way towards prosecuting the cyberscum that create 9 million victims a year in the United States alone.

Kelleher quoted two security experts from Visa USA and Mastercard International:

Speaking at the Bank Card Conference here, John Shaughnessy, senior vice president for fraud prevention at Visa USA, and Suzanne Lynch, vice president for security and risk services at MasterCard International, said that organized crime rings — with the help, in many cases, of former Soviet KGB cryptographers — were successfully using the Internet and "crimeware" software programs to circumvent the defenses credit card issuers erected against them.

Another root cause of the problem is corporations that put profitability ahead of their customers:

"While the criminals are increasingly savvy, Shaughnessy and Lynch said that in many cases they were inadvertently helped by sloppy security policies within the payment chain and by slip-ups by merchants, third-party processors or the credit card companies."

Both experts agree that the end is nowhere near in sight.

It's going to be difficult to build technical defenses, especially when some of these gangs (notably those from the former Soviet Union) are known to employ highly educated technical experts. There have also been reports that the gangs are working in collusion with each other, or networking.

For every measure created to address their activity, they seem to have the experts to come up with a countermeasure.

To attack the problem, we need to figure out why this activity is so lucrative. One answer is that the laws are lax and the chances of getting caught are minimal.

Creating laws with strict penalties is a step in the right direction!

For the story from Reuters, click on the title of this post.

Sunday, October 02, 2005

Terminating Identity Theft in California

Senator Diane Feinstein was responsible for a law in California requiring victims to be notified by businesses and the government when their identities have been compromised. This law has had a far reaching effect on policy setting and is credited with starting a trend, both in the United States and beyond.

In January, she introduced more legislation to address the crime of identity theft.

"The Privacy Act – A comprehensive bill that would set a national standard for protecting personal information such as Social Security numbers, driver's licenses, and medical and financial data, including information collected both online and offline. Modeled on California's financial privacy law, it requires companies to let consumers "opt in" before their most sensitive information is shared."

"The Social Security Number Misuse Prevention Act – This bill would regulate the use of Social Security numbers by government agencies and private companies by prohibiting the sale or display of Social Security numbers to the general public, and by requiring Social Security numbers to be taken off of public records published on the Internet."

"The Notification of Risk to Personal Data Act – Modeled on California's database security law, this bill would define as personal data an individual's Social Security number, driver's license number, state identification number, bank account number or credit card number; require a business or government entity to notify an individual when it appears that a hacker has obtained unencrypted personal data; levy fines by the FTC of $5,000 per violation or up to $25,000 per day while the violation persists; and allow California's privacy law to remain in effect, but preempt conflicting state laws."

Following the trend set by Senator Feinstein, Governor Arnold Schwarzenegger (with the help of a lot of California politicians) is also working hard to protect the rights of people who become victims of a crime that can ruin lives. He has recently signed the following laws into effect:

"SB 13 by Senator Debra Bowen (D-Marina del Rey) - Personal information.
SB 13 requires that the Committee for the Protection of Human Subjects at the Health and Human Services Agency approve scientific research proposals before state agencies are permitted to disclose personal information to be used while conducting scientific research."

"SB 97 by Senator Kevin Murray (D-Los Angeles) - Commercial electronic mail: penalties.
SB 97 provides that a person who violates California's anti-spam law by sending unsolicited commercial electronic mail ("spam") has committed a misdemeanor punishable by a fine of not more than $1,000, imprisonment in a county jail for not more than six months, or by both the fine and imprisonment."

"SB 158 by Senator Michael J. Machado (D-Linden) - Powers of attorney: social security numbers.
SB 158 eliminates the requirement that one provide his or her Social Security Number on a power of attorney form and authorizes any party accepting the form to seek identification of the agent."

"SB 460 by Senator Bob Margett (R-Arcadia) - Offender access to personal information.
SB 460 expands existing law to prohibit any offender confined in a county facility or any inmate confined in the California Department of Corrections and Rehabilitation (DCR), from employment that provides access to the personal information of private individuals, by making the provisions of law applicable regardless of the commitment offense of the inmate."

"AB 361 by Assemblymember Sharon Runner (R-Lancaster) - Notaries public.
AB 361 provides that it is a misdemeanor for notaries public to willfully fail to perform the required duties of a notary and requires the court to revoke a notary's commission if the notary is convicted of a felony or for willfully failing to perform his or her duties. This bill also clarifies that the crime of forgery includes falsifying an acknowledgement of a notary."

"AB 1069 by Assemblymember Cindy Montanez (D-San Fernando) - Deceptive identification documents.
AB 1069 makes it a crime to possess deceptive identification document-making devices with the intent that the device(s) will be used to manufacture, alter, or authenticate a deceptive identification document, as defined."

"AB 1517 by Assemblymember Sharon Runner (R-Lancaster) - Department of Managed Health Care: employee information.
AB 1517 would permit the Department of Managed Health Care (DMHC) to run criminal background checks on any prospective employee whose duties would include access to medical information. This bill also requires the DMHC to conduct criminal background checks on any contractor, its employees, agents or subcontractors that, as a part of their contracts with the DMHC, will have access to medical records."

It's refreshing to see politicians ignore party lines to protect people from what is becoming the fastest growing crime of the century. I would like to commend Governor Schwarzenegger, Senator Feinstein and the host of State Senators for their noteworthy efforts. These efforts will protect those they serve.

California is continuing the trend of enacting laws, which will (in my opinion) "terminate" the easy access cybercriminals have to all of our personal information.

You can support legislation (present and future) by letting your politicians know how you feel. Here are two sites to find out where to write:

In the United States go to: http://www.house.gov/writerep/.

In the United Kingdom go to: http://www.locata.co.uk/commons/.

To read the information on Governor Schwarzenegger's site, click on the title of this post.

Saturday, October 01, 2005

Jury Duty Telephone Scam

On Wednesday, the FBI issued a warning about a new identity theft scheme. Fraudsters identifying themselves as employees of a court call people, tell them they have been selected for jury duty and ask them to verify their names, dates of birth and Social Security numbers. In another version of this scam, they call and claim you didn't show up for jury duty. Again, they try to get your personal information and sometimes credit card numbers, also. They are alleged to be very convincing and even threaten their intended victim(s) with fines and legal action for not complying.

I did a search of the news and noted local stories in Arizona and Virginia about this scam, also.

According to the FBI, "The judicial system does not contact people telephonically and ask for personal information such as your Social Security number, date of birth or credit card numbers. If you receive one of these phone calls, do not provide any personal or confidential information to these individuals."

"This is an attempt to steal or to use your identity by obtaining your name, Social Security number and potentially to apply for credit or credit cards or other loans in your name. It is an attempt to defraud you."

If you are approached with this sort of activity, please report it to your local FBI field office, which can be found at www.fbi.gov.

Identity theft is a crime costing the U.S. (alone) 53 billion dollars a year and claims roughly 9 million victims. Here are some tips from the FBI on how to avoid identity theft:

  1. Never throw away ATM receipts, credit statements, credit cards, or bank statements in a usable form.
  2. Never give your credit card number over the telephone unless you make the call.
  3. Reconcile your bank account monthly and notify your bank of discrepancies immediately.
  4. Keep a list of telephone numbers to call to report the loss or theft of your wallet, credit cards, etc.
  5. Report unauthorized financial transactions to your bank, credit card company, and the police as soon as you detect them.
  6. Review a copy of your credit report at least once each year. Notify the credit bureau in writing of any questionable entries and follow through until they are explained or removed.
  7. If your identity has been assumed, ask the credit bureau to print a statement to that effect in your credit report.
  8. If you know of anyone who receives mail from credit card companies or banks in the names of others, report it to local or federal law enforcement authorities.