Saturday, September 30, 2006

buySAFE on the State of e-Confidence

Jeff Grass and Steve Swoda (buySAFE) have written some excellent posts regarding the current issues facing eBay and the e-commerce world in general.

With my (sometimes) narrow focus on fraud, I found all three of these articles a great read.

What is a "Market for Lemons"?

What's Wrong With eBay? It's Simple Economics

Everyone's a critic? Not so fast

The bottom line is that in any business, the customer is king. If the customer loses confidence - the business loses, also!

Of course - going back to my narrow focus - getting ripped off can put quite a dent in a customer's confidence.

If you would like to learn more about Jeff and Steve's business - link here.

Prying1 - Digging Up the Dirt on Zango and Who Advertises for Them

Paul Young - author of "Digging a Little Deeper" did a great post about Zango and slammed (rightfully) the Guardian Unlimited U.K. for what some of us would consider deceptive advertising.

In Paul's own words:

But as I was surfing for more information I came across a Guardian Unlimited (UK) webpage that had a short Macromedia Flash shot. "YOU WON'T BELIEVE YOUR EYES" it says. Then it shows a kid running in front of a bus and laying down in front of it. Looks like his plan is to be lying between the bus wheels as it passes over him. "SEE WHAT HAPPENS NEXT! NOT FOR THE SQUEAMISH." In the middle of the advert is a forward arrow (>) for you to see what happens next.

Not being squeamish I clicked on it and a new window opened for ZANGO.com whose slogan is, "With Zango – You’re Good to Go(TM)" - They also give this blurb - Zango offers a vast network of free ad-supported games, videos and downloads powered by proprietary and revolutionary time-shifted advertising technology. Zango allows users, publishers, content providers and advertisers to connect within one unique online community. - Also on the page was a lot of screenshots of various videos you can watch.

Link to prying1, here.

In case anyone is unaware of Zango, using them normally causes a lot of "unwanted" spy/adware to be loaded on your system.

That way - Zango's sponsors can track your every move - and the spy/adware will probably slow your system down to a snail's pace.

And if you want to clean up the mess it will make - it's going to cost some money.

HP Investigators Used the Same Tools as Phishermen and Fraudsters

Technology has taken away a lot of personal privacy. We often "cringe" when fraudsters and phishermen try to steal our personal information, but the sad truth is that there are many "so called" legitimate people out there doing the same thing.

Jon Schwartz of USA Today reported:

In snooping on a reporter to pinpoint internal news leaks, Hewlett-Packard used high-tech tools common to spammers, phishers, retailers, suspicious employers and investigators.

Those tools, including phishing-style e-mail and tracing software, underscore the growing use of electronic surveillance to monitor consumers' every digital move, computer-security experts say.

Misleading e-mails from HP investigators to CNet reporter Dawn Kawamoto "smacked of phishing tactics" to trick her into divulging information, says Dave Jevans, chairman of the Anti-Phishing Working Group.

USA Today story, here.

What the computer security experts might be referring to are "keyloggers."

If you would like to see how (anyone) can use this technology, link here.

Unfortunately, it doesn't take a private investigator, or computer security expert to electronically invade someone's privacy.

My question is - with the abuses of this technology - why is it legal?

Fraudsters Use Religion to Cover their Misdeeds

I believe that the majority of people - who profess a belief in god are good people. Unfortunately, there are some out there, who use religion as a cover for their "misdeeds."

And when they do so - they steal from the "good" to line their own pockets.

The LA Times is reporting that two former executives with the Baptist Church of Arizona were sentenced for defrauding their flock of approximately $600 million.

Sadly enough - they've only been ordered to repay about half that amount and are getting six years in prison. With good behavior (I have no doubt both of them will be extremely religious), I wonder how much time they will actually serve?

Oh - and most of the people they defrauded were elderly! Some might term this "elder abuse."

LA Times article, here.

Another story broke yesterday about two priests - who are being accused of skimming $8.4 million from collection plates to pay for lavish vacations, luxury apartments, girlfriends and even an Irish Pub.

Full story from thisislondon.co.uk, here.

Interestingly enough, the Alabama Securities Commission issued a warning about how religion is being used as a tool to defraud unwary people, here.

I guess the moral of the story is to be careful when investing, or giving to anyone. If it doesn't make sense, or seems too good to be true, it probably isn't.

Friday, September 29, 2006

Kentucky Compromises the Identities of their Own

It appears that the State of Kentucky has "bungled" and exposed a lot of their own workers.

Roger Alford of the AP is reporting:

FRANKFORT, Ky. - Letters sent to 146,000 government employees in Kentucky inadvertently displayed each of their Social Security numbers on the front, prompting Attorney General Greg Stumbo to issue a warning about possible identity theft.

"The Social Security number is the key that unlocks many doors for identity thieves," Stumbo said in a statement. "With that information, an identity thief has access to a host of information about consumers."

AP story, here.

Unfortunately, data breaches seem to occur (often) and one of the leading causes is "inept behavior" by those charged with protecting the information.

If you are interested in seeing a "chronology" over the past few years (courtesy of the Privacy Rights Clearinghouse) - link here.

I found this story on "Pogo Was Right," which is a great resource on privacy issues.

Civil Actions are unlikely to stop fraudulent activity on eBay

I've written a thing, or two about fraud on eBay and auction sites in general.

Now we are seeing the retail industry go on the offensive over the large quantities of "knock-off" (counterfeit) goods available on the site. Tiffany's, Louis Vuitton and Dior Couture have all filed lawsuits.

Microsoft took a different approach and is going directly after the sellers.

And counterfeit goods aren't the only fraud category on auction sites.

eBay has the distinction of being one of the most "phished" brands. And besides counterfeit goods, fencing operations are common on eBay. In fact, I was recently told that Target dedicated a full-time investigator to watch for their stolen goods on eBay.

Will this lead to additional civil actions?

Brian White (Blogging Stocks) hits the problem right on the head in a recent article:

Although eBay likes to let its buyers and sellers meddle with each other without oversight, this stance alone, combined with the unusually high numbers of Internet visitors eBay sites get, has made it a huge hotbed of forgery, fakes and fraud in every imaginable category. This should have been widely expected -- the formula for fraud contains a few things that the Internet promulgates -- larger visitorship, buyers ready with "cash" in hand and a low level of policing by the administration. Hmm, 2+2 definitely equals 4 here, yes?

Link, here.

From the criminal point of view, eBay has a business model that makes it easy to commit fraud. The Internet has made it much easier to commit crime and disappear in an "electronic mist." Coupled with an ever-growing identity theft crisis - it's very easy for the criminal element to use a legitimate person's identity and, once it's compromised, move on to another person's.

Another thing to consider is eBay - although considered the guru of the industry - isn't the only player in it. You can find "fraud, phishing and financial misdeeds" on any of the auction sites out there.

In the end -- although action is being taken -- it's unlikely that any of these lawsuits are going to do much good for the consumer, or hurt the criminal element operating on auction sites.

The sad truth is litigation costs a lot of money and expenses (including fraud) normally end up getting passed on to the consumer.

Perhaps the money being spent on litigation would be better spent on going after the people causing the problem?

Of course -- in order to do this -- all the corporate giants involved would have to work together and go after the core problem instead of attacking each other.

And there is a financial incentive for them to do so - consumer confidence is a key economic factor. If the rapid increase in fraud (driven by technology) continues, they are likely to lose the reason for their lucrative margins, or to put it (quite simply), their customers.

Wednesday, September 27, 2006

QChex Shut Down by California Federal Court

Bob Sullivan of MSNBC is reporting that Qchex has been temporarily shut down by a California Federal Court after (it seems) - Qchex check scam artists targeted government agencies - including the FTC (Federal Trade Commission).

This is good news because Qchex - who e-mails checks without verifying them properly - has victimized a lot of people in their (not very ethical) quest to make money.

According to the article - the FTC is taking civil action against Qchex, also.

MSNBC story, here.

If you would like to learn more about Qchex and how check fraudsters use their service, here is my most recent post on them:

If You Receive a Qchex (Check), Extreme Caution is Recommended

Sunday, September 24, 2006

The Shopping Group Inc. is a Secret Shopper Scam Outfit

The Shopping Group Inc. of Kitchener, Ontario (Canada) is sending out counterfeit checks recruiting people to become secret shoppers. The mission - should they choose to accept it - is to cash a fraudulent check and wire the money back to their superiors.

Of course - if caught, or when they are - The Shopping Group Inc. - only cares that the proceeds are wired back to them, preferably by MoneyGram, or Western Union.

It seems (as usual) - they are asking their employees (victims) to shop Walmart - probably because Walmart offers both "check cashing" and "wire transfer" services.

Although - I am taking a light hearted approach to this - anyone who falls for this ploy is likely to be out of a lot of money and (maybe) will lose their freedom.

If you receive one of these checks (being sent unsolicited) - take a deep breath - and put it in your "shredder."

To read the story from CDAPress.com about this - link here.

Here is the most recent post, I've done on Secret Shopper scams:

According to Google - The Secret Shopper Scam is Acting Up Again

In most of these scams, counterfeit cashier's checks are used, here is a post I did on that subject:

Counterfeit Cashier's Checks Fuel Internet Crime

Richard Clarke's Views on Identity Theft

Richard Clarke - former National Security Advisor and Special Advisor to the President on Cyber Security - has opinions on the current identity theft crisis. And although (to some) his opinions are considered controversial - he is no doubt a person with a great deal of experience.

Four leaders of the "free world" have listened to his opinions.

After leaving government service -- he now heads a private firm (Good Harbor Consulting LLC) -- which consults on security matters, to include identity theft issues.

Jack Kelly of the Pittsburgh Post-Gazette covered Mr. Clarke's speech at Carnegie Mellon University in 2005 and quoted him as saying:

"Identity theft -- which is being conducted more and more by international criminal gangs based in countries where law enforcement is lax -- is primarily a crime problem, but is also a national security problem."

In this speech - - he also covered the fact that obtaining (high-quality) fake identification is easy and that despite all the security at airports -- there is no attempt to verify, whether or not an ID is legitimate.

Link to full article (speech), here.

Clarke also supports "immediate disclosure" when data-breaches occur and spoke of this in an article, where he was interviewed by Dan Briody (published in CIO Insight). In this article, he also aptly points out the problem of data-mining companies.

Link, here.

Not everyone is going to agree with Richard Clarke, but he does seem to have a lot of valid insights into what has become an international problem.

It would be interesting to see what his opinion is on President Bush's Identity Theft Task Force and the direction they are going.

Sometimes people are "controversial" to raise the "awareness" level on an issue. Come to think of it -- from a historical perspective -- there are a lot of famous people, who were considered "controversial," that were later proven correct.

Saturday, September 23, 2006

California Could be the First to Address RFID Safety

California might be the first to address the issue of RFID and privacy. The Identity Information Protection Act of 2006 is expected to be on Gov. Arnold Schwarzenegger's desk by month's end.

To read a fact sheet by the Electronic Frontier Foundation - link here.

And our privacy might not be the only thing at stake. There is a scary video (from YouTube) about how RFID could identify what country a person is from, and be used by terrorists to detonate a bomb, here.

RFID is becoming a highly controversial technology. Here is a previous post, I did:

RFID, A Necessary Evil; or an Invasion of Privacy

Identity Theft Task Force Issues Progress Report

Here are the interim recommendations by the President's Identity Theft Task Force on how to fight the national identity theft crisis in the United States (courtesy of the FTC website):

The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

Link to recommendations, here.

Perhaps - identity theft - which isn't just a financial problem - is finally getting the focus it deserves.

eBay gets Sued (Again) for "Counterfeit" Sales on Site

Pocket-lint is reporting that eBay is being sued by Louis Vuitton and Dior Couture. The actions allege that eBay doesn't do enough to stop the sale of counterfeit merchandise on their site.

Louis Vuitton is asking for $26 million and Dior Couture wants $22 million in damages. The actions were filed in Euros - so the dollar figures are approximate.

Link, here.

Louis Vuitton isn't the first organization to sue eBay for selling counterfeit goods bearing their name. Tiffany filed an action in 2004 after commissioning a study which claimed that 73 percent of their items sold on eBay were counterfeit.

The Tiffany action is still pending.

Microsoft has taken a slightly different tack and has filed actions against the sellers (directly).

The buySAFE blog and Jeff Grass led me to this story via a del.icio.us article he "saved." When I found this story - I found another story Jeff saved - where eBay is suing start up auction sites for "trademark infringement."

Note that all these legal actions have one thing in common - they allege the wrongful use of a "name."

To read this article by MarketWatch - link here.

Lawsuits keep a lot of lawyers employed.

In all fairness - - counterfeiting is a worldwide problem -- and counterfeits aren't only sold on eBay. Here is a post, I wrote awhile back, which covers this:

Counterfeit Goods, A Borderless Problem

Jiffy Lube - A Sad Story About How Their Customers are Treated

Sometimes fraud is hidden right behind a "neon sign." NBC 4 News did a story about how this is happening at Jiffy Lube when people go in for an oil change:

"That's what NBC 4 found last May, when an undercover producer, took test cars to nine LA area Jiffy Lubes. One location charged the NBC4 undercover producer for a new fuel filter, but after the visit NBC4 found the old filter was still in the car."

"Four more Jiffy Lubes charged NBC4 for transmission flushes, supposedly using a high tech machine. But the machines just sat there, and the flushes were never done."

NBC4 also got this quote from a Jiffy Lube Manager:

"This stuff happens all over," a current Jiffy Lube manager in the Chicago area tells NBC4. He asked NBC4 to protect his identity. He says some Jiffy Lubes in Chicago routinely charge for work that's not done. "The customer is never going to know," he tells NBC4. He also claims employees sometimes even damage customers' cars: "Blowing up engines, transmissions, stripping bolts."

Link to NBC4 story, here.

After doing a little research, I was able to find a site (CarInfo.com) that is a good place to visit if you need to have your car repaired - or it seems - have your oil changed.

Of course - if you spot this type of fraud - the best thing to do is to report it. The right place is normally the "Consumer Affairs" department in your local area.

Wednesday, September 20, 2006

Auction Bytes Survey on eBay/PayPal Phishing Attempts

Auction Bytes did a survey - which reports that 98 percent of the respondents have seen "phishy" e-mails from eBay/PayPal. Even worse, 14 percent of the people surveyed answered these e-mails.

Phishing is a ploy to get an unsuspecting person to give up personal and/or financial information, which is later used (normally) to commit financial crimes.

Sloppy password protection was another problem cited in the survey - which could cause an account to be compromised, also.

In the auction world - this leads to legitimate accounts being hijacked and used for illegitimate purposes (auction fraud).

Link to Auction Bytes survey, here.

Using a "trusted" seller's account, fraudsters sell items that are never received and even hire dupes to launder the stolen proceeds for them.

Depending on how sophisticated the "account hijackers" are -- they can also gather personal and financial information -- which is later used in identity theft schemes.

PIRT (Phishing Incident Reporting and Termination Squad) - tracks phishing attempts and recently reported that eBay/PayPal are the two most "phished brands."

It pays to be AWARE on auction sites to avoid unpleasant and (costly) shopping experiences. Here is a post, I did on how to avoid being a victim:

How to Protect Yourself on eBay

I also did a post on a company that bonds eBay sellers - which guarantees their transactions:

buySAFE Protects it's Customers from Fraud on eBay

Canadian Bankers Call for Tougher Laws on Identity Theft

In Canada - an Identity Thief must be caught using stolen personal information before they can be charged with an offense. The Canadian Bankers Association is pushing to make it a crime to possess stolen personal information.

Reuters is reporting:

Police should be able to arrest people for possessing the materials used in identity fraud, such as blank credit cards, just as they can now charge someone with possessing burglary tools such as lock picks, the group said.

Association president Raymond Protti said police now have to wait until stolen personal information is actually used to commit a fraud, such as buying something on a fake credit card, before arrests can be made.

Link, here.

Sounds logical to me.

Making the laws tougher in Canada would protect people in the United States, also. A lot of the lottery and secret shopper scams (I've seen) originate from Canada.

Monday, September 18, 2006

Experts Speculate that Corporate Identity Theft is a Growing Problem

Identity theft has become a problem that continues to grow. While most of the victims are individuals -- it now seems corporations are being targeted, also.

According to the Guardian (UK):

It happens when fraudsters steal the identity of a legitimate company and then trade under its credit and name. It can affect companies through assets being stolen and bank accounts being emptied by fraudsters trading on a company's credit worthiness.

Link, here.

This seems to be a new trend. Not much has been written about it yet, but I did find another story about corporate identity theft by Bob Sullivan of MSNBC, here.

Sunday, September 17, 2006

Was the VA Data Breach a Threat, or Not?

First a laptop containing 26.5 million veterans' information was compromised - then we were told it had been recovered from teenagers - and finally, the FBI thinks the data wasn't compromised?

Is the government positive the data wasn't breached?

Guard My Credit File.Org published an interesting analysis of this:

In May, the Veterans Administration was forced to announce that a computer containing the names, Social Security Numbers, and other personal information of 26.5 million veterans was missing. The laptop computer had been stolen from the home of a VA data analyst. As bad as the breach was, the VA was able to announce that the computer was recovered last month. Even more important was word that came from the FBI that there was no evidence that the file containing veterans’ information had been accessed. But not so fast. The VA now apparently wants to turn over a copy of the stolen database to a private company, without the permission of impacted veterans. Based upon this, the only logical conclusion is that the FBI is not sure if the computer’s data was actually breached.

Very interesting analysis, here.

Unfortunately - with the record number of breaches being reported (recorded by the Privacy Rights Clearinghouse) - many people probably have had their information taken more than once. When they become a victim of identity theft - will anyone be able to determine - which breach the information came from?

The truth is that billions are made from selling personal information - and the people making all the money off of it - want to keep doing so!

Saturday, September 16, 2006

Canadian Government Loses Personal Information of Thousands

We read (too frequently) of personal information "going missing" in the United States. Here is a story by Chad Skelton of the CanWest News Service of a potential Canadian breach:

Computer tapes containing the private health and welfare records of "hundreds of thousands" of British Columbians were discovered missing from the government's main data centre in Victoria last year and have never been found, according to a confidential government investigation obtained by the Vancouver Sun.

Poor record-keeping at the facility, which is run by Telus, means it's impossible to confirm exactly what happened to the 31 tapes, although the report speculates they were most likely destroyed in error or borrowed by a government staffer who forgot to return them. However, the report warns that their disappearance is serious and "may have resulted in the inadvertent disclosure of the data contents."

CanWest story, here.

The story references a report, which says the tapes might have been borrowed by a government staffer. I hope they weren't borrowed in the same manner as VA computers were in the U.S. - or stolen.

Apparently the government knew about this last August, but didn't disclose it because the threat was considered minimal. Sound familiar?

New ATM Scam

There has been a lot in the news recently about debit card breaches and ATM skimming, but here is something new. In Virginia Beach - an unknown person - reprogrammed an ATM by punching in a series of numbers - which made the machine issue four times as much money as it should.

The Police are having a hard time investigating it because it took nine days before someone reported getting more money than they should.

I wonder if all the people - who didn't report it - will have to pay the money back?

Story from AP (Associated Press), here.

Here is a previous story, I did on ATM skimming:

ATM Machines That Clone Your Card

9-22-06 (Update): Tom Fragala (Truston) did a post on how easy this was to do - AND the "how to" info can be downloaded on the Internet - here.

My comment is, "ouch!"

Friday, September 15, 2006

Contract Worker Arrested for Theft of Computer with Veterans' Personal Information

The computer stolen from Unisys containing the personal information of thousands of veterans has been recovered, and a suspect has been arrested.

Jonathan D. Silver, of the Pittsburgh Post-Gazette is reporting:

A Washington, D.C., man has been charged with stealing a computer containing personal data about thousands of Pittsburgh-area veterans from a private contractor for the U.S. Department of Veterans Affairs.

Khalil Abdullah-Raheem, 21, was charged Wednesday in federal court with theft of government property, the VA's Office of Inspector General announced yesterday.

Link to Pittsburgh Post-Gazette story, here.

This development highlights the fact that when a security compromise occurs - it frequently comes from within an organization. When this occurs - it often doesn't matter how tight security procedures are - because the person had access to whatever was compromised.

For a previous post, I wrote about how the Secret Service is studying this problem, link here.

Counterfeit American Express Gift Cheques

Counterfeit American Express Gift Cheques might be the latest form of fraudulent financial instrument circulating via the Internet. The items seen thus far are for $500.00 - note the largest denomination issued legitimately is $100.00.

If you receive one of these items - it is recommended you verify it before negotiating it. For the information to do so - link here.

Counterfeit financial instruments being used in Internet scams are nothing new. Here are some previous posts, I've done on this sort of activity:

Counterfeit Cashier's Checks Fuel Internet Crime

Counterfeit Postal Money Orders Showing Up in IScams Again

Postal Money Order Romance Scam

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up ...

In most Internet scams involving counterfeited financial instruments - a person is duped into negotiating the item and wiring the money back to the sender (scammer). If someone asks you to cash an item and wire them money - take a deep breath - and just say "no thanks."

Thursday, September 14, 2006

Ten Fake ID Rings Shut Down in Arizona

Here is a good example of how identity theft, illegal immigration and (maybe) terrorism could be tied in together. KVOA Tucson is reporting:

Ten fraudulent document rings were shut down today after 16 people were booked on allegations that they made and sold fake I-Ds in metropolitan Phoenix. Officials said the rings produced hundreds of driver's licenses, Social Security cards and "green cards."

The operations were run out of more than a dozen locations, most in Phoenix but one in Glendale and another in Scottsdale.

Leesa Berens Morrison, leader of a task force of police focusing on fraudulent identification, says undercover officers bought fraudulent documents using the names of two known terrorists.

Link to KVOA story, here.

Recently, I did a post about Saud Leija - who is a family member of one of the fake ID cartels - working with the authorities. She quoted her grandfather as saying "Terrorism is an American problem, not a Mexican problem."

The fact that the authorities were able to get identification using the names of two known terrorists supports Saud Leija's statements.

Interestingly enough, MSN Money (and others) have named Arizona as having the highest rate of identity theft.

MSN story, here.

Financial crimes aren't the only issue we need to consider when we look at the identity theft problem.

Wednesday, September 13, 2006

Angelides Campaign Manager Denies Arnold was Hacked

To update the post, I wrote yesterday - the Angelides campaign is now admitting they leaked information to the press - but claims they found it on the Schwarzenegger website.

Here is the story from the AP, courtesy of Yahoo:

The campaign of Gov. Arnold Schwarzenegger's Democratic rival acknowledged Tuesday that it downloaded — and leaked to the media — a recording of a private meeting in which the governor described a Hispanic legislator as having a "very hot" personality.

But Cathy Calfo, campaign manager for Democrat Phil Angelides, said the campaign had done nothing wrong because the file was available publicly on the governor's Web site.

Link, here.

Schwarzenegger's office is maintaining someone would have to snoop to have found the file.

Of note, I went to Governor Schwarzenegger's site and couldn't find his taped conversations?

Link, here.

According to Wikipedia, the definition of a "hacker" is:

Hacker in a security context refers to a type of computer hacker who is involved in computer security/insecurity and is able to exploit systems or gain unauthorized access through skills, tactics and detailed knowledge.

If a normal person couldn't have found this information - and it was found via an "exploit," the term "hacking" applies - at least to me?

Sadly enough, there are important issues to consider in the upcoming campaign and wasting resources on "trashing people" doesn't exactly serve the best interests of the people.

Monday, September 11, 2006

Was Arnold Hacked?

Did someone hack a State of California computer to obtain the comments Governor Schwarzenegger recently apologized for?

Reuters is reporting:

California police are probing if computer hackers illegally downloaded a private taped conversation of Gov. Arnold Schwarzenegger from state computers, a spokesman said Monday.

In the remarks, California's celebrity governor spoke of African Americans and Latinos, including a Hispanic state lawmaker, as having "hot" blood, or being passionate.

The comments were published last week by the Los Angeles Times.

Democrats rebuked Schwarzenegger, a Republican who is seeking re-election in November. State Treasurer Phil Angelides, the Democratic candidate for governor, called the comments offensive and embarrassing for the increasingly Hispanic state.

Computer hacking, not a leak within Schwarzenegger's office, is suspected. "We can confirm that we are looking into the security of the governor's office computer system," said Fran Clader, a spokeswoman with the California Highway Patrol, the agency in charge of the investigation.

Link, here.

With the recent news that HP executives were spied on via "pretexting," we are seeing a lot of information gathered using "questionable" means. Sadly enough - a lot of it seems to be coming from private investigative firms - who are supposed to operate within the law.

There is an ugly trend in the political world where "trashing" an opponent seems to be the preferred way of winning an election. With all the legitimate issues that face us today -- this is a sad commentary on the state of our political system.

Saturday, September 09, 2006

Jose R. Nunez - An Innocent Victim of the 9-11 Murderers


It happened almost five years ago and most of us will never forget exactly where we were at, or what we were doing on 9-11. It was a day that changed the world.

I'm here to remember the father of three daughters, Jose R. Nunez, who at age 42 was murdered by a bunch of cowards seeking their own sick "glory."

Jose was a hard working man, devoted to his family, who died because he was at the wrong place at the wrong time.

Mirelys, Marelnys and Melissa (Jose's daughters) have been forced to grow up without the father they knew and loved.

The murderers behind 9-11 and their cronies have made killing innocent people "a strategy" in their efforts to spread their malicious beliefs. Even as we hunt them down - they seem to violate the norms of war by not wearing uniforms and hiding behind innocent civilians.

We need to recognize them for what they really are - dangerous criminals.

Jose was a real person and loved by real people. For them, nothing is going to replace Jose as the father, husband and friend he actually was.

God bless our brother, Jose. May we never forget his sacrifice, or the real suffering imposed on his loved ones.

In the blogosphere, 2996 of us are remembering the people who gave their lives on 9-11. If you would like to read more, link here.

Friday, September 08, 2006

Chase Throws Away Credit Information on 2.6 Million Circuit City Customers

With all the recent concern about data breaches, here is a scary press release:

Chase Card Services today announced that it is notifying 2.6 million current and former Circuit City credit card account holders that computer tapes containing their personal information were mistakenly identified as trash and thrown out. Working closely with federal and local law enforcement, Chase conducted a thorough investigation and believes that the tapes, contained within a locked box, were compacted, destroyed and are buried in a landfill where the trash was taken.

Chase has been monitoring all of the affected accounts and has not identified any misuse of personal information connected to this occurrence. No other Chase accounts are involved in this incident.

Press release, here.

Chase isn't releasing the details of the "thorough investigation" that points to the tapes being "mistakenly" thrown away in a landfill. If you read closely, they "believe" the tapes were thrown away.

The press release also states that Chase is monitoring activity on the accounts and nothing has happened, but doesn't say exactly what personal information was compromised. If it was the standard information credit card companies keep, it could be used in a lot of other places besides Circuit City.

In a lot of cases, identity theft victims have their information used to open numerous lines of credit.

To me, after reading this closely, this means that they aren't positive what happened to the tapes and we have 2.6 million potential identity theft victims running around.

The Federal Trade Commission (FTC) has information on what to do if you are at risk, or have already become a victim, here.

Thursday, September 07, 2006

TSA Bungles and Exposes Employee Information

Data breaches are being reported too frequently - and all too often - they involve government agencies:

Thomas Frank of USA TODAY is reporting:

The Transportation Security Administration is warning 1,195 of its former employees that a contractor may have mailed their Social Security numbers and birth dates to the wrong addresses and left them open to identity fraud.

The error, acknowledged in letters the TSA mailed in late August to each of the former employees, is the latest in a series of data breaches that may have exposed workers in both private and government jobs to identity thieves.

"Making a mistake like this is abominable," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocate for consumer privacy. "You've got an agency whose mission is security."

The TSA is part of the Homeland Security Department. Its 55,000 employees primarily run airport security.

Full story, here.

The Privacy Rights Clearinghouse maintains a record of data breaches, here.

They also have an interesting newsletter on current federal legislation concerning this subject - which many don't think is the best solution - here.

Counterfeit Cashier's Checks Fuel Internet Crime

Tom Fragala - Truston Identity Theft Blog - and I were talking about how counterfeit cashier's checks have become a long-term problem in the world of Internet crime.

It's often difficult to verify that a check is counterfeit. They often use valid account numbers, which verify (easily) in the computerized telephone systems that most banks use today. Quite simply, unless the bank or the account owner is aware that their account is being counterfeited - the item will appear to be legitimate.

Furthermore -- a lot of banks have taken the stance in recent years -- that they will not verify whether a check is good, or not. It's getting harder all the time to verify checks with banks.

The lottery, auction, work-at-home (check cashing), romance, advance fee (419) and secret shopper scams all have a common theme -- they often use counterfeit cashier's checks to lure victims into negotiating the item and wiring the money off to some far-away location.

The fraudsters often request that you use Western Union, or MoneyGram to wire money to them. They are also known to use wire transfer services offered by banks. Once the money is picked up (normally very quickly in scams), the sender has very little, or no recourse.

The golden rule is to never wire money to people you don't know, or only know from the Internet.

To understand why Internet fraudsters prefer counterfeiting these instruments, one can refer to the legal definition of a cashier's check (courtesy of Wikipedia):

Under Article 3 of the Uniform Commercial Code, a cashier's check is effective as a note of the bank. Also, according to Regulation CC (Reg CC) of the Federal Reserve, cashier's checks are recognized as "guaranteed funds" and amounts under $5000 are not subject to deposit holds, except under certain circumstances.

To the person receiving the item, they appear as if they are guaranteed by the bank and if the check is under $5,000.00 - there is no hold on the funds. The fraudsters know this and it will normally be 7-10 days before their victim discovers that anything is wrong.

There was a recent story circulating in the press about a "seemingly cautious gentleman," who decided to have his bank examine the item before he went forward with an auction deal. The bank told him the item was good (twice) and he deposited it. Several days later, while reviewing his online statement, he discovered that this wasn't the case and the bank had withdrawn the funds.

In the article, the bank blamed "Reg CC," because they are unable to hold the funds. Not completely true, an exception can be made if they have reason to believe the item can't be collected. The item may also be sent in as a collection versus depositing it in the account.

Nonetheless, in this instance, the bank had little to no liability because the item was counterfeit.

To illustrate the amount of this activity, the FDIC sends out alerts on counterfeit cashier's checks. If you would like to see how many alerts they've issued recently (scary), link here.

Here are some things a person can do to see if a cashier's check is fraudulent:

If someone is asking you to wire money back to them - it's more than likely a scam.

Review the security features of a cashier's check. Despite the "booming" make your own check industry, some of the items out there are pretty amateur. Wikipedia has a good reference on the security features, here.

Review recent FDIC alerts - in a lot of cases, a warning has already been issued.

Verify the check with the issuing institution. Although this isn't 100 percent effective in the case of a counterfeit, they can normally verify certain items; like the ABA/account number, payee, check number, date of issuance, authorized signer and amount.

When you call the bank, never use the number printed on the check. Quite often - phony numbers with phony employees are set up to verify these items. Get the bank's number from a website, or telephone directory. Using 411 (information) might not be the best way to verify a number. Recently, there have been phony numbers set up that verify through - and reverse - through 411.

Since there are also a lot of phony bank sites out there, if you use the Internet, TrustWatch is a good option for a search engine. TrustWatch will show you via a "coded coloring system," whether the site is verified to be legitimate, or not.

In some instances, good cashier's checks are copied, which defeats verifying the item by telephone. Once the counterfeit item is cashed, the fraudster negotiates the good item and the counterfeit is returned. This is also seen (occasionally) with counterfeit money orders.

If you are still uncomfortable after talking to the bank - ask to speak to a supervisor, or even better - someone in the fraud department. Ask if you can fax them a copy of the item for them to look at. A good way to do this - is to tell them you have a reason to suspect fraud.

Scams that involve counterfeit cashier's checks always represent something that is too good to be true. If this is the case, it probably is.

Wednesday, September 06, 2006

Do It Yourself Crime Kits Victimize the Masses

It appears that phishing attempts have hit an all time record thanks to the availability of "do it yourself kits" available on the Internet.

Phishing is a leading cause of identity theft, which impacts millions of people a year.

Dinah Greek, Computeract!ve reports:

This was the warning from the Anti Phishing Working Group (APWG), which said the kits allow non-technical criminals to start up their own online criminal empires.

All the information they need to set up phishing emails or websites infected with malware, such as Trojans, viruses and worms, is contained in the kits bought and sold online.

Full story, here.

Do it yourself (crimeware) kits aren't entirely new and have been reported before, here.

We keep hearing about the record number of phishing attempts being recorded. Unless some of these people start getting caught - we are likely to see the number continue to grow!

And the criminal "do it yourself industry" doesn't limit itself to phishing. Kits on how to scam on auction sites are also being sold (previous post), here.

Monday, September 04, 2006

The Hidden Dangers of Identity Theft

When most of us think about identity theft, we think about someone assuming debts in another person's name. While this is a huge problem, it isn't the only way identities are being used.

Illegal immigrants, criminals and even terrorists might be using stolen identities to commit a number of crimes. From obtaining a job and credit in someone else's name to ordering supplies to manufacture methamphetamine - identities are being stolen to facilitate a lot of illegal activities.

Although a little dated (2002), here is an extensive report from the GAO detailing the problem:

Identity Fraud - Prevalence and Links to Alien Illegal Activities

Even more scary - is the very real possibility that innocent people will be held accountable for other people's illegal activities.

With the record amounts of data breaches and identities being sold (routinely) over the Internet, the problem is continuing to get worse.

Here is a post I did about why we are approaching the problem the wrong way:

Are We Addressing Cyber Crime from the Wrong End

Identity theft threatens our financial stability, privacy and national security and we can no longer afford to ignore that fact.

Sunday, September 03, 2006

The FBI Will Pay for Information on Katrina Fraud

There is no doubt that there was a lot of fraud in the hurricane disasters a year ago. The Clarion Ledger (Mississippi) is reporting that the FBI will pay for information on Katrina related fraud:

Mississippi public corruption cases are on the rise in the wake of Hurricane Katrina, and the FBI will have 10 full-time agents investigating Katrina-related fraud by December.

Authorities are encouraging the public to come forward with tips and are offering cash rewards.

"If you see something, you hear something or learn something, even if you believe it's insignificant, if that little light goes on in the back of your head, that 'boy, this just doesn't look right,' don't be afraid to call," said John Raucci, the FBI's special agent in charge in Mississippi.

He said sometimes seemingly insignificant details can crack a federal case.

Cases of fraud are increasing in south Mississippi as billions of dollars in federal funds are authorized for the recovery effort. Raucci said publicizing the reward system is one way to help combat fraud.

"I myself can authorize up to $25,000 for any information," Raucci said. "That's just me out of my budget. I can go back to headquarters with one phone call and get $100,000. There are also other types of cases where you can actually get a percentage."

Full story, here.

I'm not sure if they are running a similar program in Louisiana. There are probably a few people who deserve to be caught there, also.

Of course - there are also people - who report crime because it is the right thing to do. If everybody reported it for that reason - it would go a long way towards making our world a better place to live.

Saturday, September 02, 2006

CastleCops PIRT Reports New Version of eBay Phishing

Castle Cops, PIRT-Phishing Incident Reporting and Termination Squad is reporting a new type of phishing attempt with an eBay lure:

CastleCops PIRT has received a new email which tries to get people's full personal information including name, age, location, telephone numbers, gender and marital status on the offer of getting paid to work from home online for a company called "eBay Small Business Limited". Its business is in "manufacturing and selling textiles and fabrics". The email tries to goad you into giving up your personal information with the promise of making easily $300 to $1,000 per week simply by collecting payments on behalf of the Company (all for 3-7 hours per week).

Link, here.

Besides a new type of phishing attempt - this could turn into what is termed a "check cashing scam." In a "check cashing, or job scam," a person is recruited to handle "accounts receivables," which are in reality tied into fraudulent transactions.

The new employee's job is to negotiate transactions sent to them, and wire the money to a far-away locale. The fraudsters (in most instances) instruct the "new employee" to use Western Union, or MoneyGram, which aren't protected by the FDIC.

The transactions are normally "account takeovers" on eBay - also caused by phishing. In an "account takeover" a legitimate eBay user gives up their information as a result of a "phishy e-mail." The Phishermen then take over their account and sell items, which are paid for, but (normally) never received.

Towards the end of the fraud cycle, the fraudsters might also get their employee to negotiate (cash) totally bogus financial instruments. Of course, when the bottom falls out of this, the fraudsters can then steal the identity of the employee involved - having gathered all the information to do so via the employment process.

For the person - who falls for this - although they get the generous commission at first - they are likely going to be hounded for a long time by collection agencies and in some cases, law enforcement.

Believe it, or not - a Better Business Bureau employee fell for this scam. Here is the post I did on that:

BBB Worker Takes Job Processing Fraudulent eBay Transactions

By the way, PIRT is a great place to "take a bite out of phishing." You can report suspected "phishy e-mails" to them by forwarding them to PIRT@CastleCops.com. After verifying the "phish," they make sure it gets to all the right people!

Friday, September 01, 2006

Accounting Firm Causes 5th Data Breach for Wells Fargo in Three Years

Here we go again - an "auditing firm" has caused Wells Fargo their fifth data breach in three years.

Here is a bit from the article just released from Computer World:

This time the letters are going to an undisclosed number of employees whose personal information was contained in a computer and a hard disk stolen from the trunk of a locked vehicle belonging to an employee of an auditing firm retained by Wells Fargo.

Julia Tunis, a bank spokeswoman, did not say when the equipment was stolen. But she said the bank had started sending out letters to all the affected employees yesterday.

Link to Computer World article, here.

We seem to have a lot of these data breaches occur - courtesy of auditing firms. Here is a previous post I did about a well known auditing firm exposing a lot of personal information:

Stealing Data Shouldn't be so Darned Easy

With all the auditing (compliance) going on that causes data breaches - it makes me wonder if someone doesn't need to audit the auditors!

If You Sell Your Cell Phone - Your Personal Information is at Stake

Recently, I did a post about identity crooks obtaining "personal information" from discarded computers. Here is a press release from Trust Digital about how the same thing can occur with some of the new "handy-dandy" cell phones out there:

Trust Digital engineers recovered nearly 27,000 pages of personal, corporate, and device data from nine of 10 mobile devices purchased through eBay for the project, including a smartphone sold by an employee of a major corporation. The salvaged data included personal banking and tax information, corporate sales activity notes, corporate client records, product roadmaps, contact address books, phone and Web logs, calendar records, personal and business correspondence, computer passwords, user medication information, and other private, competitive or potentially damaging material.

The information was retained in the flash memory of the devices because of users’ failure to perform the advanced hard reset required to delete the data. The nine devices with retrievable data included those belonging to a former employee of a publicly traded security software company, an employee of a web services firm, and a corporate counsel of a multi-billion dollar technology company serving the legal market. The tenth device in the test was never used.

The analysis highlighted the vulnerability of individuals and organizations that fail to secure the data on their smartphones and PDAs. Loss or theft of the devices could lead to embarrassment, major breaches of corporate security, or even blackmail.

Full press release, here.

Although eBay was cited as being used in the test - we should consider that cell phones can be purchased, discarded, or even stolen in a lot of places.

Trust Digital recommends enabling the "password function" on your phone and "hard wiping" Treos and RIM devices.

Of course, they recommend their services, also.

I recommend being extremely aware of what you keep on easily "transportable" devices and if you must have sensitive information on them - be very careful.

How to Deal with Phishing - A Major Cause of Identity Theft

There has been a lot of publicity about the IRS being phished. Phishing is a ploy to steal people's personal information, which is then used to commit identity theft.

Phishing attempts disguise themselves as government agencies, financial institutions, charitable organizations AND (too frequently), eBay or PayPal.

Here is an obvious phish I got just this morning:

Date: Thu, 31 Aug 2006 20:01:26 -0500
To: tedrichardson9925@sbcglobal.net
Subject: Tax Information - tedrichardson9925@sbcglobal.net - (Code 7624-6263)
From: "IRS.gov" service@IRS.gov






Account : tedrichardson9925@sbcglobal.net Number : 7624

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $191,40. Please submit the tax refund request and allow us 5-7 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please (link removed).

Regards,

Internal Revenue Service

Note that this appears to be sent from "IRS.gov" service@IRS.gov, which is obviously a "spoofed" e-mail address.

Here is the web address - which I removed above:

http://rds.yahoo.com/_https://sa1.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp?6263/**http://www.abandonship.com/g2data/irs/.

An easy way to get the web address is to "hover" your mouse over the "click here" and read what comes up on the bottom of the screen. You can also copy it (if you want) by "left clicking" on your mouse and clicking on the "copy shortcut" bar.

Here is the web address of the real IRS site:

http://www.irs.gov/

Not a good match and obviously a phish.
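The comparison above, as an added example that is not part of the original post: this Python sketch pulls every host out of the link from the e-mail and checks where the link actually ends up against the real irs.gov domain. It assumes the redirector forwards to whatever follows the last `**`; the function names and the `irs.gov.example.net` lookalike are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Link from the e-mail above, joined onto one line (trailing period dropped).
PHISH_LINK = ("http://rds.yahoo.com/_https://sa1.www4.irs.gov/irfof/"
              "lang/en/irfofgetstatus.jsp?6263/**http://www.abandonship.com/g2data/irs/")

SCHEME = re.compile(r"https?://", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, without port or userinfo."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def embedded_urls(link):
    """Every absolute URL that starts inside the link, outermost first."""
    decoded = unquote(link)  # redirectors often percent-encode the target
    return [decoded[m.start():] for m in SCHEME.finditer(decoded)]


def final_destination(link):
    """Assumption: the redirector forwards to the text after the last '**'."""
    decoded = unquote(link)
    if "**" in decoded:
        return decoded.rsplit("**", 1)[1]
    return decoded


def assess(link, expected_domain):
    """Compare the hosts a link displays with the host it leads to."""
    hosts = [host_of(u) for u in embedded_urls(link)]
    dest = host_of(final_destination(link))
    return {
        "first_host": hosts[0] if hosts else "",
        # The trusted name appearing somewhere in the link proves nothing.
        "mentions_expected": any(belongs_to(h, expected_domain) for h in hosts),
        "destination_host": dest,
        "suspicious": not belongs_to(dest, expected_domain),
    }


if __name__ == "__main__":
    samples = (
        PHISH_LINK,
        "http://www.irs.gov/",                # the real site
        "http://irs.gov.example.net/refund",  # constructed lookalike host
    )
    for link in samples:
        print(assess(link, "irs.gov"))
```

The phishing link mentions an irs.gov host in the middle, yet the host that matters is the last one, which is why the check is made on the destination rather than on any name that merely appears in the link.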

*Please note that unless you and your "system" are "bulletproof" never click, or go to a phishing site. There is a possibility that by doing so you might "unknowingly" download malware, which can also lead to "identity theft."

Never fear, there are great places - with "bulletproof" protection - that will take care of it for you.

If you get a phishy e-mail - you can turn it into "fried phish" by sending it to the good folks at PIRT-Phishing Incident Reporting and Termination Squad. They have a module to report "suspected phishing activity," or you can forward the "suspected phish" to PIRT@Castlecops.com.

PIRT is a joint venture by CastleCops and Sunbelt Software - and they will report it to the right people, including law enforcement.

The IRS also has a dedicated e-mail address to report IRS phishing attempts, phishing@irs.gov.

Reporting the Phishermen is a kind thing - this foul activity causes people a lot of pain and suffering.