Saturday, December 30, 2006

The Road Home for Katrina Victims is Frustrating

With all the allegations of "poorly spent money" in the hurricane disasters, it's become apparent that a lot of money hasn't reached the people who need it.

For instance, take the "Road Home Program", which has paid a company called ICF International over $60 million to issue $4 million in checks. The program is intended to assist victims in getting back into "livable housing," and will manage the distribution of $7.5 billion in federal relief money.

ICF International is a "consulting firm" based in Fairfax, Virginia. According to Wikipedia, its services have been used by the U.S. Environmental Protection Agency, the Department of Homeland Security, the Department of Energy, the United States Postal Service, and Housing and Urban Development.

The program has its own website, which states:

The Road Home program was created by Governor Blanco, the Louisiana Recovery Authority, and the Office of Community Development. The program is funded by the U.S. Department of Housing and Urban Development.

There has been a lot of criticism that ICF has been slow to fill positions for the project. Interestingly enough, there are a lot of positions (still not filled) advertised on their website.

The Times Picayune did an excellent assessment of the lack of program staffing, here.

The "Road Home" website also states that it dispels a lot of myths about the program, but it appears not everyone is "buying their version" of what is going on.

Because of the allegations of "mismanagement," the Louisiana House and Senate have passed two resolutions to terminate ICF's $756 million contract. They are also calling for an investigation into "possible conflicts of interest."

The Times Picayune reported:

The House and Senate, in separate unanimous votes, also passed House Concurrent Resolution 34 by Rep. Cedric Richmond, D-New Orleans, ordering a special legislative panel of New Orleans lawmakers and the Louisiana Recovery Authority -- the state agency overseeing recovery operation in the state -- to investigate ICF's handling of the contract. It was amended by Rep. Jim Tucker, R-Algiers, to also urge the federal Securities and Exchange Commission to probe ICF's public stock offering, shortly after winning the state contract, for possible conflicts of interest.

The Times Picayune article, here.

Sue Sturgis, who writes for Facing South, has also written some interesting commentary on the program.

Ms. Sturgis points out that ICF initially was involved in a contract to help the state decide how to spend federal grant money, which conceptualized the "Road Home Program." During this time frame, ICF decided to seek the "lucrative program administration project."

When the Louisiana Board of Ethics raised concerns that this contract might be perceived as giving ICF an unfair advantage in getting the larger contract, ICF ended the initial one. The payout for the first contract was $900,000, while the Road Home Program could pay ICF up to $756 million.

She also brings out other concerns the Board had with some of the banking relationships that were being proposed by ICF to administer the funds.

Facing South article, here.

Whether conflicts of interest exist remains to be seen. What can be clearly seen is that taxpayer money intended to help Katrina victims isn't getting to those who need it very quickly.

Red tape and excuses aren't going to be acceptable when there are a lot of people still living in "not very nice" conditions.

And until this matter is rectified, there are going to be "voices" calling for some "accountability."

Some of these voices are getting pretty loud.

This month, federal investigators plan to release audit results on contracts given to "so called" politically connected firms in the Katrina crisis. Speculation has it that these audits are going to reveal additional concerns about how money was squandered in the Katrina aftermath.

Friday, December 29, 2006

Ask Eric if there is "Zero Liability" in Identity Theft

Sometimes, to understand what an identity theft victim is faced with, you need to hear about it from a person who has actually experienced it.

We live in a world where our information is gathered, sold and not protected very well. Meanwhile, there seems to be an army of fraudsters compromising credit issuers, who issue credit without checking very carefully.

Then there is the advertising, which claims that their financial products have a "zero fraud liability."

The Boston Globe did an interesting story that shows the liability innocent people face when they become identity theft victims.

Beth Healey writes:

Eric W. Carroll's credit report says he has a home in Florida, a wife named Katrina, and a pile of unpaid bills.

He first learned this when a debt collector called him in 2002, dialing his apartment in Bridgewater, yet asking for an Eric W. Carroll from Avon Park, Fla. Carroll insisted there was some mistake: He was not married, and he had never lived in Florida.

Nearly five years later, collectors are still hounding the wrong Eric Carroll.

Boston Globe story, here.

And even though Eric seems to have done all the right things, he seems to still be suffering.

There is no zero liability for identity fraud and we need to stop "sugar coating" the true impact it has on individual people.

Here are two places I've recently "blogged" about where people can voice their opinion to people that can make a difference:

Tell it to the Identity Theft Task Force

Consumers Union Calls for Congress to Protect People's Personal Information

Government uses "phishing" techniques to test information security

Internet abuse in the workplace has been a concern for a long time.

Now the federal government is going to phish its own employees to determine if they will "click" on malicious links.

Wade-Hahn Chan of FCW.com reports:

Phishing is a technique of tricking or coercing users into giving up personal information, revealing log-in names and passwords or visiting malware or virus-infected Web sites. The government-sanctioned attacks will be designed to test how well federal workers adhere to organization's e-mail security policies.


FCW.com article, here.

Most stories about phishing concentrate on attacks for personal information, which is later used in financial crimes. While this type of phishing is bad enough, spear phishing targets an organization's information.

With the number of data breaches - both in the private and public sector - the concern that employees might be compromising large amounts of information is very real. If anyone wants to see a long list of these breaches (courtesy of the Privacy Rights Clearinghouse) compiled in the past couple of years, you can do so by clicking here.

No matter how much security you use to protect a system, most of it proves worthless, if a person with access compromises it.

And although most stories about phishing emphasize the impact this has on identity theft and financial crimes, espionage is a valid concern, also.

This might be a very effective tool to raise "employee awareness" on "information security."

Thursday, December 28, 2006

Federal Trade Commission will fight Internet Crime across Borders

Internet crime is often "elusive" because it crosses borders with "a click of a mouse." To fight this, a new law has just been signed by President Bush, which gives the Federal Trade Commission a license to go after the problem at its source.

In their recommendations to Congress, the FTC wrote:

Using Internet and long-distance telephone technology, unscrupulous businesses can strike quickly on a global scale, victimize thousands of consumers, and disappear nearly without a trace, along with their ill-gotten gains. For example, deceptive spammers can easily hide their identities, forge the electronic path of their email messages, and send messages from anywhere in the world to anyone in the world. Fraudulent overseas telemarketers can also victimize American consumers and hide their ill-gotten gains in offshore bank accounts.

The US Safe Web Act contains the following provisions:

Broadening Reciprocal Information Sharing and International Investigative Cooperation.

The FTC can now share confidential information in consumer protection cases with foreign law enforcers. The Act further allows the FTC and foreign law enforcement agencies to obtain investigative assistance from one another, while exempting information from foreign agencies from public disclosure laws. This provision addresses the concern expressed by some foreign government agencies that materials they share with the FTC might be publicly disclosed in response to an inquiry under the Freedom of Information Act (FOIA). This concern is reflected in certain foreign laws where the foreign consumer protection agency is not permitted to share information with the FTC unless the information is kept confidential. For example, Canada's Competition Act and the European Union's enforcement cooperation regulation contain such confidentiality requirements.

Enhancing Confidentiality of FTC Investigations.

Prevents notifying subjects of investigations if they may be likely to destroy evidence or move assets offshore.

Protecting Certain Entities Reporting Suspected Fraud and Deception Violations.

The Act protects a limited category of entities from liability for voluntary disclosures to the FTC relating to suspected fraud and deception. This provision is similar to longstanding protections for financial institutions making disclosures to the FTC and is necessary to encourage reporting of suspected violations to federal agencies.

Allowing Information Sharing with Federal Financial and Market Regulators.

This provision assists the FTC in tracking proceeds of fraud and deception sent through U.S. banks to foreign jurisdictions so they can be returned to victims.

Enhancing Cooperation between FTC and DOJ in Foreign Litigation.

Permits the FTC to work with DOJ to increase the resources relating to FTC-related foreign litigation, such as freezing foreign assets and enforcing U.S. court judgments abroad.

Clarifying FTC Authority to Make Criminal Referrals.

Authorizes the FTC to share information with criminal authorities, which will improve information sharing with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue.

Report to Congress.

The Act requires the FTC to report to Congress within three years from the date of enactment, describing the use of the FTC's expanded authority and activities under the Act.

US Safe Web Act FTC document, here.

Although this law has just been enacted, it takes away a lot of the barriers to effectively going after individuals and organizations (businesses) that enable the growing problem of cybercrime.

Recently, I've written that technology will never solve Internet crime. It might stop it, or slow it down - but in the end "technology defeats technology."

Holding individuals and organizations accountable is likely to be a lot more effective. This new law breaks down a lot of the barriers that have prevented law enforcement agencies from doing so.

This (in my opinion) is a start in the right direction.

Interestingly enough, Microsoft has taken a similar approach - taking legal action worldwide. Here is a previous post I wrote about this approach:

Does Microsoft's Approach to Addressing Counterfeiting Make More Sense?

Wednesday, December 27, 2006

Tell it to the Identity Theft Task Force

Fighting Back Against Identity Theft - Federal Trade Commission

On May 10, 2006, the Federal Identity Theft Task Force was formed and has been working on what some believe is a national crisis. And it very well could be: identities are a very personal matter and should be considered "sacred."

Now they are soliciting advice from the public on how they can improve upon the recommendations they've already come up with.

I got this from the press release on the Federal Trade Commission's website:

The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft. The public comments on these issues will supplement the research and analysis being conducted, provide further information about the proposals being considered, and identify areas where additional recommendations may be warranted.

You can visit the Federal Identity Theft Task Force's site, here.

For all of us who have been "ranting" about this problem, here is our chance to voice our opinions and make a "difference" in what has become a significant problem.

The site has a lot of resources for victims and those who might become one.

They also have two "interesting" ten-minute videos about identity theft:

English, here.

Espanol, here.

Tuesday, December 26, 2006

More Allegations of Money Wasted in Katrina

Recently, I blogged about whether or not we would ever discover how much money was wasted in the Katrina disaster. Unfortunately, this statement is turning out to be more accurate than I would have liked it to have been.

Hope Yen of the AP is reporting:

Federal investigators have already determined the Bush administration squandered $1 billion on fraudulent disaster aid to individuals after the 2005 storm. Now they are shifting their attention to the multimillion dollar contracts to politically connected firms that critics have long said are a prime area for abuse.

In January, investigators will release the first of several audits examining more than $12 billion in Katrina contracts. The charges range from political favoritism to limited opportunities for small and minority-owned firms, which initially got only 1.5 percent of the total work.

Government officials (past and present) are now alleging that the dollar amount wasted could exceed $2 billion.

AP story (courtesy of the Washington Post), here.

It will be interesting to see how this plays out and what evidence is brought to light as a result of this.

The sad truth is that there are still a lot of people suffering as a result of this disaster. And it doesn't make sense that they should be when this kind of money was available.

Here is a post I wrote about the results of a recent GAO (Government Accountability Office) audit:

Will We Ever Discover the True Losses in the Katrina Disaster?

Saturday, December 23, 2006

It's illegal to ask someone to send in "fees" for a loan!

Fake websites offering loans, or credit cards at "too good to be true" terms are taking advantage of the post-Christmas blues. If an unwary person responds to them, they will ask for "up-front" fees before issuing the loan, or credit card.

Bottom line is that it is ILLEGAL to ask for up-front fees in order to secure a credit-card, or a loan. If someone asks you to do this, it's a scam!

The person sending these fees never receives the loan, or credit card and becomes an advance fee loan fraud victim.

Annys Shin of the Washington Post writes:

The scam has been around for decades. Many consumers are not aware that it is illegal to charge lending fees in advance. People with poor or no credit are enticed by ads, direct mail solicitations or telemarketing calls promising fast money at favorable terms.

The Internet has made it easier for scam artists to find victims. Consumers are drawn in by legitimate-looking Web sites, complete with privacy policies, customer service numbers and online loan applications. Soon after filling out applications, the victims typically receive phone calls saying their loans were approved, but because of their credit ratings, they must first wire deposits or collateral.

Washington Post article, here.

Fake websites are nothing new - they are used in a lot of Internet criminal activities. The Artists Against 419 go after some of these websites, which may be viewed, here.

I just did a post the other day citing a FTC action against a payment processor, who was aiding some of these advance fee criminals, here.

And if you spot one of these scams, or have been a victim of one - I highly recommend you report it to the FTC, here.

2006 was the Year of Internet Crime - 2007 is predicted to be even worse

Have you noticed spam getting past your e-mail filters lately? You're not alone. Experts are saying 2006 was the worst year ever in Internet crime, and it appears security fixes are being defeated.

Brian Krebs (Washington Post) is warning:

Few Internet security watchers believe 2007 will be any brighter for the millions of fraud-weary consumers already struggling to stay abreast of new computer security threats and avoiding clever scams when banking, shopping or just surfing online.

Washington Post story, here.

Brian cites that in October 90 percent of all e-mail received was spam. And most spam is a come-on for one fraud scheme, or another.

Since "security fixes" are being defeated pretty quickly by organized criminals - who allegedly hire their own computer security experts - the only viable recourse is to go after the source(s) with the intent to put the people behind it out of business.

Investigations of financial crimes are (normally) not funded very well and the people investigating them are "overwhelmed." Maybe we should take some of the money being spent on developing "fixes" and use it to solve the real problem, which is a social one. Prevention seems to only work temporarily.

Security fixes are needed, but if we don't aggressively go after the sources, the criminals develop countermeasures and we have to start all over again.

After all, it seems that organized criminals and, some say, terrorists are flocking to this activity because it's financially lucrative and a lot less dangerous than other criminal activities. Until we make it more dangerous for them, the problem is likely to keep growing.

John Bambenek (Assistant Politics Editor for Blogcritics and academic professional for University of Illinois) recently wrote a compelling essay about this subject, here.

Here is a previous post I wrote about why we are approaching this problem the wrong way:

Are We Addressing Cyber Crime from the Wrong End

Fraudulent Gift Cheque Update from American Express

Since September, I've been writing about counterfeit American Express Gift Cheques showing up in a variety of Internet fraud schemes.

Readers have reported receiving these items primarily as a result of work-at-home scams, but they can show up in a variety of Internet fraud come-ons. They might also show up in secret shopper, romance, lottery and auction scams.

The fraudsters want you to cash these counterfeit gift cheques and send (normally wire) the money back to them. When they are discovered to be fraudulent - you end up taking the "rap" and they disappear in an "electronic mist."

Several readers reported being asked to wire the money to Nigeria and the United Kingdom. I recently wrote a post based on large amounts of counterfeit financial instruments being found at airports in the United Kingdom (allegedly from Nigeria), here.

Most of the counterfeit gift cheques, seen thus far, have been in the $500.00, or $1000.00 denominations. Note American Express doesn't issue gift cheques for more than $100.00.

American Express states in their bulletin that gift cheques are safe when verified prior to negotiating them. Anyone can call them and verify an item at 1-800-525-7641.

Unfortunately, a lot of people don't verify these items. Many people have also deposited them, initially received credit, and then had their accounts garnished when the items were returned.

I've also had a couple of people write me and say they were arrested for trying to cash them. Presenting counterfeit financial instruments is considered a crime in most places. It will be up to the person arrested to prove they were a victim of a scam and not involved, intentionally.

American Express gift cheque bulletin, here.

Listed below are the posts I've written since September, along with some scary comments from readers:

Counterfeit American Express Gift Cheques

Counterfeit American Express Gift Cheques (Update)

American Express Gift Cheques Being Circulated in Internet Scams

American Express gift cheques aren't the only items that have been counterfeited and passed via Internet scams. In the past we've seen a lot of Postal Money Orders and Travelers Express (MoneyGram) money orders being counterfeited, also.

Tuesday, December 19, 2006

Is Spending $550 Billion on RFID Going to Protect Us?

RFID is making the news again and some prominent politicians are saying we need to take a hard look at it before we spend $550 billion ($11 billion for each State) implementing it.

RFID is being implemented, or being recommended for implementation (worldwide), to verify a person's identity electronically when identification is presented. And there are people claiming it can already be compromised, or that it is just a matter of time before it will be.

EWeek wrote an interesting article about why two of our leaders don't feel RFID is safe, or a wise investment of taxpayer resources:

Sen. Daniel Akaka, D-Hawaii, and Sen. John Sununu, R-N.H., said they take issue with the technological implications of the act.

Sen. Akaka said that if the proposed national database were to be breached it would "provide one-stop access to virtually all information necessary to commit identity theft," and pointed to a study by the National Governors Association estimating that states would have to come up with a total of about $11 billion each to implement the necessary infrastructure to verify information electronically. Akaka will chair the Senate Homeland Security and Governmental Affairs subcommittee, the group that has jurisdiction over the relationship between the federal and state governments, in 2007.

The Emerging Applications and Technology Subcommittee, part of the Data Privacy and Integrity Committee that advises DHS, toned down its harsh criticisms of RFID technology used to identify individuals, referring to the e-passport and PASScard ID card, in a report released Dec. 13.

EWeek story, here.

And in another story a few thousand miles away from Washington, an Aussie hacker is claiming he can already hack Australian and British passports.

Sydney Morning Herald story, here.

Technology, including RFID, is making people billions of dollars. Unfortunately, there is growing evidence that RFID isn't 100 percent secure. If RFID is easily hacked, there will be other people (or maybe the same people) making a lot of money selling "security" to protect people from it.

Tracking inventory in Walmart's supply chain is one thing, but tracking humans is something that needs to be thought out carefully. And $550 billion is a huge expenditure of the taxpayer's hard-earned money! We need to ensure this is a wise investment and that individual privacy doesn't suffer because of it.

You can read Senator Akaka's press release on this subject, here.

And to go to Senator Sununu's page (couldn't find a release about RFID yet), click here.

For my previous posts on this subject, click here.

Monday, December 18, 2006

Colorado Identity Theft Victim Shares Her Personal Feelings on the Immigration Raids

When I saw the recent immigration raids in Colorado and all the "media spin" on them, I had a lot of mixed feelings about the issue.

Then I came upon an interesting editorial from an actual identity theft victim.

The Northern Colorado Tribune published a story by Teresa Myer, identity theft victim and free-lance writer, which said:

As I learned of the immigration raids taking place throughout the country Tuesday, I wondered if one of those arrested was me.

Since 2001, someone has been using my name and Social Security number to gain employment as a seasonal worker.

In June 2004, I received a letter from the Internal Revenue Service, stating I owed more than $1,200 in taxes for "unreported income." The businesses that reported that I had been working for them included a pecan sorting facility in Deming, N.M., and several ConAgra facilities in Texas, Colorado and New Mexico.

Teresa's story goes on to express the long-term problems identity theft victims face, here.

The reason I had mixed feelings about the immigration raids was because I have nothing against people trying to realize the American dream, but on the other hand, illegal immigration is becoming a big problem.

The problem is that an organized criminal element seems to be controlling their access to our dream and there are "greedy businesses," who benefit financially by not paying a "fair wage." There is also a substantial "social cost," when government services are being used to provide benefits at everyone's expense. And the cost has gotten so "high," some government programs are literally going "bankrupt."

Perhaps, if the "greedy businesses," were forced to pay for these benefits, hiring illegal aliens wouldn't be so profitable?

If you would like to read more about organized criminals providing other people's identities to fuel this problem, I wrote this post a few months ago:

Mexican Organized Crime Ring is Mass Producing Fake Documents ...

Sunday, December 17, 2006

Consumers Union Calls for Congress to Protect People's Personal Information

The Consumers Union is calling for voters to let their elected officials know they are concerned about identity theft.

Here is what the Consumers Union considers to be the key issues:

In every state, you should be able to place a "security freeze" on your credit file so thieves can't open new accounts in your good name. Companies and agencies should be required to notify you when the security of your private information has been breached. If lawmakers are serious about making us more secure, this should be the first thing they do when they return to Washington. Help us send this clear message now to your Congressional Representative and Senators.

If you are concerned about this issue, you can add your thoughts by sending a message to Congress, here.

The last time this issue came up before the election - a bill was being pushed through. Here is more information on it and what I wrote about it:

Don't Allow HR 3997 to Take Away Rights from Identity Theft Victims

This bill is still pending - and if passed in its current version - it threatens to mute State laws already enacted to protect people from identity theft.

Click here to Guard your Identity

Saturday, December 16, 2006

Boeing Holds Employee Accountable in Laptop Theft

Laptops are stolen all the time - and far too often - they contain personal and financial information that can be used for identity theft purposes.

The Boeing Company announced Thursday that it fired the employee whose laptop was stolen, compromising 400,000 people's personal information. This wasn't the first Boeing employee to lose a laptop containing sensitive information.

Boeing is saying that the computer was "password protected," and they believe the intent of the thief was to steal the laptop rather than breach the information on it. They are also saying that there is no evidence of identity theft, but are "assuming the worst case scenario."

I sometimes wonder if the same public relations firm prepares all these statements. They all say about the same thing - that there is no evidence the information has been used to commit "identity theft."

Of course, with all the attention brought upon this, even if the original motive was to steal a laptop, the thief probably is now aware the laptop contains a lot of information that can be sold for a price.

It's become pretty easy to find a place to sell stolen information, with carder forums designed for that purpose operating on the Internet. Previous post, here.

The employee was terminated (fired) for not having the information "encrypted" per Boeing policy, which was implemented because of the earlier "laptop thefts."

Even if the information were encrypted - in theory at least - encrypted data can still be hacked by someone with the knowledge to do so. Another problem is that if information can be downloaded, it can be compromised by a dishonest insider, or with a "compromised password."

Just last week, the media was awash with stories of IT students being "courted" to work for organized criminal groups - which more and more - seem to be getting involved in technology based crimes, including "identity theft."

I did a post with my thoughts on this matter, here.

In all fairness, Boeing isn't the only organization losing laptops with personal information on them. The Privacy Rights Clearinghouse, which maintains a chronology of "known data-breaches," hit the 100 million mark this week (number of people compromised in the U.S., alone). Just this week, they documented eight "known" breaches.

Note, they can only document the "known breaches" and breaches that previously were "unknown" seem to be appearing, all too often.

Encryption and computer security measures are only one part of the solution. It's the information that the bad guys are after and we need to stop keeping it in places where it's too easily stolen.

Firing one employee is unlikely to have any impact on the overall problem.

James Wallace, Seattle PI has an extensive article about the Boeing story, here.

Discarded Computers might still have a lot of Sensitive Information on them

One of the ways identities are compromised is when computers are discarded without properly "washing" the hard-drive with specialized software, or destroying the hard-drive, itself.

I did a post about this, here.

Bill Lambrecht of the St. Louis Post - Dispatch wrote an interesting article describing how they purchased several old computers in Nigeria and were able to get a lot of information from them.

Interestingly enough, he quotes a prominent Nigerian, Oladele Osibanjo, who is a regional coordinator for the Basel Convention - a global treaty intended to protect people from the mishandling of hazardous materials - as saying:

"The e-waste you are exporting is coming back to you in the form of cyber-crime. Maybe when Americans realize what is happening, they will be a little more careful."

While Mr. Osibanjo is trying to warn us about identity theft, I'm certain his true concerns lie more with hazardous materials that are damaging people's health in other countries. When I went to their site, the fact that this occurs alarmed me.

St. Louis Post - Dispatch article, here.

Although the article is extremely informative - and there is ample proof of fraud coming from Nigeria - I continue to be amazed at the amount of press they receive about it.

With the recent ABC 20/20 story brought about by a certain former politician, who is behind bars and might be Chelsea Clinton's father-in-law someday, Nigerian fraud is again making headlines.

Stealing and using information is a worldwide problem and there are criminals involved in the "trade" in a lot of places.

So far as Chelsea, it must be hard to be Bill and Hillary's daughter, and she certainly doesn't seem to get in as much trouble as some twins, who were in South America recently.

Saying that, the story calls attention to what I consider the potential of a huge problem. Companies and organizations are constantly upgrading their computers and a lot of them get discarded.

Besides identity theft, there is a huge potential that "sensitive information" could be sifted from these hard-drives that would compromise trade secrets, or even government information.

Friday, December 15, 2006

Romanian Second-Chance eBay Scammers Busted

The federal authorities are charging twenty-one Romanian fraudsters, who scammed a lot of people in second chance auction scams. According to the federal authorities, the scam was active for about three years and a lot of the victims lived in the Chicago area.

From the article, it was one of the (now) notorious second-chance scams, where a person is given a second chance to win an auction and asked to wire money to a distant locale (in this instance Romania).

Of course, once the money is wired, the person who sent it never receives "fair value" for their hard-earned money. Please note that wiring money is a "common ploy" in all sorts of Internet scams. I would take a deep breath when asked to wire money on a transaction (normally overseas) that seems a little "too good to be true."

In this instance, the federal authorities are asking people who think they might have been victims to come forward:

Anyone who believes they may have been a victim may e-mail inquiries to usailn.victim.witness@usdoj.gov. Include your name, address, phone number, 10-digit Western Union Money Transfer Control Number, amount transmitted, date funds were provided and the name of the individual to whom the funds were sent. Victims may also call a toll-free hotline number for updates about the case – (866) 364-2621.

Second chance scams have been active on auction sites - you can read all about them on Google, here.

Western Union has a page warning people about wiring money to people they don't really know, here.

I read about this on CBS2chicago.com, which has more details on this story, here.

Tuesday, December 12, 2006

Another Record Set for Phishing and it appears Anti-Phishing Measures are being Defeated

Brian Krebs of the Washington Post did an interesting post on his blog about how phishing is increasing (again) and how anti-phishing measures (some recently marketed to users) are failing already.

Brian writes:

The Anti-Phishing Working Group reports that 52 percent more phishing sites were recorded on the Internet than a month earlier and nine times as many as were spotted in October 2005. The steep increase coincides with a massive spike in the volume of spam circulating on the Internet. According to e-mail security firm Postini, 90 percent of all e-mail these days is spam.

Brian's post, here.

Also mentioned is "Rockphishing," which takes advantage of zombie computers formed into botnets. The result is that it is making phishing extremely hard to trace.

Brian did an excellent job in his post - and I highly recommend reading it.

I wrote recently about how technology isn't winning the war against cybercrime. It seems like a lot of expensive anti-phishing software is proving this all over again.

Maybe a better approach would be to follow the money instead? After all - I'm pretty sure that is what the cybercriminals are really after.

Will We Ever Discover the True Losses in the Katrina Disaster?

The Government Accountability Office (GAO) has issued another report stating that the fraud losses in Katrina and Rita are a lot higher than previously disclosed to the public.

The report states:
  • Almost $20 million in double payments was paid to people claiming damage to the same property in both hurricanes (Katrina and Rita).
  • Almost $17 million in improper or fraudulent "rental assistance" payments given to people already receiving free housing.
  • 500 foreign students received $3 million in aid.
  • $156,000 was given to foreign workers on temporary visas.

Sadly enough, the report indicates that FEMA disabled a system (edit check in NEMIS) that would have caught people using duplicate information (social security numbers) to make claims in both hurricanes. In five of the six cases examined, the claimants didn't even have to provide proof that they had conducted repairs after receiving money for the first claim.

I have no personal experience with "edit check in NEMIS," but computers run pretty fast in today's world, and it doesn't make sense to me that an entire system designed to detect fraud was disabled.

Didn't we have enough personnel to do a manual check when duplicate social security numbers were noted? And even if this were so - why didn't FEMA take action (themselves) to identify the issues before the GAO investigated?

The use of other people's social security numbers is nothing new and probably could have been anticipated fairly easily.

There is also a lot of missing equipment. The report shows that 34 percent of the property purchased to aid efforts has either been lost or stolen. In the case of 20 flat bottom boats purchased, only two remain missing; however, twice the retail price was paid to a vendor, who also failed to pay for 11 of the boats he sold to the government.

Even scarier, the report indicates that FEMA overstated the amount of found property reported in July hearings to Congress. This was based on an e-mail sent by DHS (Department of Homeland Security) on the eve of the hearings.

FEMA's estimate of the monetary impact of fraud in Katrina was $290 million; however, if one is to believe the GAO report, the real losses surpass $1 billion.

With the stories that surfaced about prison inmates making claims and stolen information (social security numbers) being used in claims for addresses that were vacant lots - it's entirely possible that there is additional fraud that hasn't been, or never will be, discovered.

There were also a lot of stories of charities being defrauded and even fake charities being set up. The GAO report only addresses the fraud losses incurred by the government.

GAO report, here.

Report Fraud, Waste and Abuse to the GAO, here.

FraudNET (Report Fraud, Waste and Abuse)

One might come to the conclusion that we wasted a lot of money on Katrina, but this is far from being true. In fact, a lot of people are still suffering as a result of these disasters, and the truth is that the money could have been used for better purposes.

I plan to explore this more in detail in future posts, but for now, I'll pass on a site that is devoted to the real victims in these disasters:

Beyond Katrina: The Voice of Hurricane & Disaster Recovery

Monday, December 11, 2006

Hotmail Accounts being held for Ransom

Websense sent out an alert showing how Hotmail accounts are being held for ransom. Here's the warning (courtesy of Websense):

Websense® Security Labs™ has received reports of a new form of cyber-extortion. Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.

In this case, the end-users had recently visited an Internet cafe where their credentials may have been compromised.

The email, which was poorly written in Spanish, roughly translates in English to:

"If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"

Websense alert, here.

Computers at Internet cafes and libraries have been known to contain all kinds of malware and/or crimeware.

It's probably best to be extremely careful when entering any sort of personal information on them.

Organized Crime in North America

Despite stories of organized criminal "types" becoming more and more involved in Internet crime, organized crime (itself) is a phenomenon that's been around for a long time.

The Internet is merely another "avenue" for "organized criminals" to commit their misdeeds.

I happened to read an interesting article by Joan Delaney of the Epoch Times in Canada about the Triads (Chinese Mafia), which have been operating in North America since we imported a lot of Chinese nationals in the 1850s to work the gold fields and build the railroads.

The article states:

A 2004 Criminal Intelligence Service Canada (CISC) report stated that Asian organized crime presents a major threat in Canada because of its many widespread and well-run criminal operations. CISC said Asian-based street gang violence is on the rise in several cities, and that the street gangs have connections with more sophisticated Asian organized crime groups—in other words, the Triads.

At a local level, Asian gangs are involved in a long list of criminal activities: credit card fraud, luxury car theft, prostitution, home invasions, staged vehicle accidents, contract killings, assaults, welfare and employment insurance fraud, drug trafficking, software piracy, loan-sharking, and illegal gaming. While scattered from coast to coast, Asian gangs are most active in Vancouver, Calgary, Edmonton, and Toronto, the CISC report said.

Epoch story, here.

Interestingly enough, the article also cites the Triads as being tied to the Vietnamese gangs and even the Hells Angels.

Note that these "outfits" probably expanded their activities to Canada from the United States.

Going to the CISC report, which I found published on the Internet, I found a lot of interesting information about organized criminal activity in North America and even a pretty good "analysis" of potential ties to terrorist groups.

CISC report, here.

Note that the report references a lot more than Asian crime and is a pretty interesting "read" for anyone interested in the subject.

Sunday, December 10, 2006

Should We Trust Computers to be the Voice of the People?

If you were to ask Christine Jennings -- and a lot of voters in Sarasota County -- the answer is "no."

Does it make sense that 18,000 voters in Sarasota County, Florida - most of whom used a computer to vote - would go to the polls and fail to pick a candidate for the House of Representatives?

Hundreds of voters have signed affidavits attesting to the fact that when they checked to see if their votes tabulated properly - their vote for Ms. Jennings didn't record properly.

A reasonable person might deduce - the computers were flawed - and a lot of people failed to check the fifteen-page ballot. Voters shouldn't have to go through a fifteen-page ballot to look for programming flaws!

MIT professor, Charles Stewart, claims that the possibility of an undervote of this size occurring is 1 in 5 million.

Here is an opportunity to discover the truth behind all these allegations, which worry a lot of us. Forty percent of the voters were forced to vote on electronic machines in the last election - with no paper trail to back up the results.

With all the pre-election "buzz" in the media about the dangers of electronic voting, perhaps we all might benefit from an opportunity to discover the truth?

Some of us are getting tired of hearing that our votes didn't count and then seeing the whole matter "downplayed" (supposedly) in the best interests of the people.

Perhaps there is more at stake than one election in Florida? Maybe this is an opportunity to explore this issue (electronic voting with no paper audit trail) a little more deeply?

Maybe that's why Arnold Schwarzenegger - a Republican - mandated that California's electronic machines be backed up with a paper trail. For more information on this from verifiedvotingFoundation.org - link here.

And Senator Feinstein has introduced legislation requiring that electronic voting systems have a verifiable audit trail, here.

This isn't a matter that should be dictated by partisan politics. After all the voice of the people is what made this country great and that voice should be considered "sacred."

For an interview with Sandy Powers, a senior citizen with 25 years using a computer (courtesy of YouTube), link here. This was in response to allegations that this entire matter was the result of voters being computer illiterate.

Friday, December 08, 2006

IT Students Aren't the Only Human Resources that Internet Criminals Desire

In the past couple of days, I've seen a lot of articles about IT (Information Technology) students being taken to the dark-side (recruited) by organized crime.

Reuters is quoting a McAfee report released in the past couple of days.

Although hiring IT students seems to be the latest story going around, recruiting people to commit Internet crime is nothing new. As the article aptly states, organized crime has the money to recruit whatever experts they need.

And IT students aren't the only ones being recruited.

Starting with the fall of the (Soviet Union) "evil empire" and the rise of Eastern European organized crime, there have been a lot of "technical experts" being used for nefarious purposes. The Reuters article mentions that the tactics being used are the same ones used by the KGB to recruit spies.

In fact, many experts speculate that Eastern European crime has a lot of "highly placed" former KGB types in their ranks.

In 1997, FBI Director Louis Freeh stated before Congress:

The Russian syndicates conduct the most sophisticated criminal operations ever seen in the United States, based on their access to expertise in computer technology, encryption techniques and money-laundering facilities that process hundreds of millions of dollars.

According to Freeh, part of that expertise is said to be provided by "former KGB officers working directly with some of those organized crime groups, and that poses an additional level of threat and sophistication."

Story courtesy of Risk Assessment Services, here.

And Russian organized criminals aren't the only players out there.

Dr. Phil Williams, a visiting CERT (Computer Emergency Readiness Team) scientist, wrote about this a few years ago:

In recent years, there has been a significant increase in the sophistication of organized crime and drug trafficking groups. Colombian drug trafficking organizations, for example, have followed standard business practices for market and product diversification, exploiting new markets in Western Europe and the former Soviet Union. Criminal organizations and drug traffickers have increasingly hired financial specialists to conduct their money laundering transactions. This adds an extra layer of insulation while utilizing legal and financial experts knowledgeable about financial transactions and the availability of safe havens in offshore financial jurisdictions. Similarly, organized crime does not need to develop technical expertise about the Internet. It can hire those in the hacking community who do have the expertise, ensuring through a mixture of rewards and threats that they carry out their assigned tasks effectively and efficiently.
Dr. Williams' full essay, here.

Although I'm sure IT students are being recruited -- they probably aren't the first -- or the only type of experts being hired.

And there are a lot of disorganized criminals recruiting people, also.

Here are some previous posts I've done on so-called "disorganized criminals," who recruit other people to do their "dirty work."

Work at Home Scams

Cyber Gangs Luring Children to Launder Money

BBB Worker Takes Job Processing Fraudulent eBay Transactions

The Hurricane Disasters are a Sad Commentary on Society

During the Katrina and Rita disasters, I blogged frequently about what appeared to be massive amounts of fraud going on. Reuters is now reporting that the dollar loss has topped 1 billion dollars, here.

From government employees to fake charities, it appears a lot of people took advantage of those less fortunate than them in their "time of need."

And not very much of the money seems to have been recovered despite well publicized efforts.

Sadly enough, the public awareness of all the fraud is also likely to make it harder for victims in future disasters. The bottom line is that people - who take advantage of others in their time of need - should suffer severe consequences.

Perhaps a lack of consequences (common in fraud schemes) is the reason this occurred? To prevent this from happening in the future, we need to make sure there are severe consequences for those committing the fraud, as well as those who enable it by a lack of oversight.

After all, we were in a state of emergency when these disasters occurred.

I'm afraid the amount of fraud we've seen come out of these disasters - which affected a lot of innocent people - is a sad commentary on our society as a whole.

Let's hope we do a little better next time.

To read my previous posts on this matter, link here.

Thursday, December 07, 2006

Walmart Employee Scams Customers via Electronic Checks

Processing checks electronically is becoming a standard practice, brought about by the Check 21 law, or ACH (Automated Check House) processes.

Electronic checks save businesses a lot of money in processing costs.

Walmart is one business taking advantage of electronic checks - and when a check is written to Walmart - it's scanned in their point-of-sale system - then returned to the customer. From there, everything is handled "electronically."

I read a story put out by KTRK Houston about a Walmart employee who scammed a customer by keeping the check (supposed to be returned), then used it to purchase merchandise and gift cards numerous times.

KTRK Houston story with video presentation, here.

When the customer noticed the fraudulent transactions on her account, she reported it to Walmart and the employee was arrested.

The story also indicates that there are other victims out there that haven't been identified yet.

According to the story, the customer isn't being made whole by her bank because she didn't discover the transaction within thirty days and Walmart isn't refunding her money, either.

When check fraud occurs, victims are normally made whole by their bank, which goes after the business by charging them back for the transaction. If a business refunds the customer for their losses, the customer might be able to have the transactions charged back to them, also.

My guess is that Walmart isn't refunding the money because the bank still might charge-back the transactions to them?

Of note, it's probably not completely fair that Walmart is the only one being mentioned in the article. There is no mention of what bank is involved. I hope Walmart and the bank have since sorted this whole thing out and taken care of the people who were victimized as a result of this.

After all - it only makes sense to do so - processing checks electronically saves them a lot of money by not having to process paper and if more stories surface (like this one), it's likely to affect "consumer trust."

I read consumer tips all the time that we should use our credit cards versus debit cards because they offer better protection in the case of fraud.

Tom Fragala (CEO of Truston) wrote a great post about this, here.

Wednesday, December 06, 2006

Store Detective Discovers Traveling Credit Card Ring

I came across an interesting story about how a store detective at Target caught a group of traveling credit card fraudsters in Washington.

The store detective noted suspicious behavior - customers purchasing large amounts of gift cards - and did a little checking. When he did, he discovered that the cards being used were counterfeits.

When the merry trio was arrested at a bank down the street, police discovered maps to area retailers, a lot of counterfeit credit cards and - of course - gift cards.

After the fraudsters were identified, the authorities determined that they had traveled to Washington from California.

The fraudsters claim that they were using the gift cards to buy things for themselves. Let's see, they travel from California to Washington and use numerous counterfeit credit cards to obtain merchandise for themselves?

And the authorities aren't buying their story either -- they are being charged with "leading organized crime."

My guess is that they were going to find a way to convert the gift cards to cash. I recently wrote about the problems associated with gift card fraud and how they are being fenced on auctions all over the Internet:

Why Buying Gift Cards on Auction Sites isn't a Good Idea

Normally - I write from a broader perspective - but this story illustrates how we might be rubbing elbows with some fairly sophisticated "criminal types," while out doing our Christmas shopping.

Jeremy Palowski of the Olympian wrote the story, which attracted my attention to this, here.

Sunday, December 03, 2006

An Identity Theft Protection and Recovery Service Based on Trust

The new identity theft protection and recovery service by Truston is live. The service is unique because it doesn't require you to give up your personal information, which could be stored in a database, and used to commit identity theft if it falls into the wrong hands.

In case you've missed the weekly stories, databases are being compromised all the time and according to the Privacy Rights Clearinghouse (which is keeping tabs), 97,326,222 people in the United States have been compromised by data-breaches since February, 2005.

I probably need to make a disclaimer that this number might grow before I publish this post. Nonetheless, here are the ugly statistics as of this writing.

Tom Fragala, who is the CEO and a former identity theft victim himself, did a great post on his blog describing the service:

myTruston is a web-based service that protects you from identity theft. It is simple and safe.

How simple? One minute sign up. And myTruston works by providing you a recipe-like format, one task at a time, for dealing with identity theft. That goes for both prevention and recovering from fraud.

Why is it safe? Because our members never send us any confidential personal information. All we need is your email address to help you. Every other prevention and recovery service requires you to give them your name, address, SSN, and even power of attorney.

What does it cost? Our prevention services will always be free! And our recovery services are free until January 2007.

We’re getting some nice kudos from people. You can see an updated list here. One example:

"Very slick. You're a genius for coming up with something so simple yet effective & helpful. I'll definitely spread the word." - Jed Tucker, myTruston member

The bottom line is that finally we have a resource where someone can protect themselves and recover (if they are victimized) without putting themselves at additional risk.

And even I had no problem "navigating" it!

Here's the previous post I did about myTruston:

Truston - An Identity Theft Service I Trust

If you would like to check out myTruston, link here.

Saturday, December 02, 2006

Terrorism on the Internet?

SITE (The Search for International Terrorist Entities) has published an analysis of a new "how to beat Internet security" magazine sent out to password protected "jihadist forums."

SITE reports:

The first issue of what is indicated to be a periodic magazine, Technical Mujahid [Al-Mujahid al-Teqany], published by al-Fajr Information Center, was electronically distributed to password-protected jihadist forums today, Tuesday, November 28, 2006. This edition, 64-pages in length, contains articles that primarily deal with computer and Internet security, in addition to other pieces explaining Global Positioning System (GPS) satellites and video types, editing, and encoding into different formats. The editors of the publication state that it was written to heed the directives of the Emir of al-Qaeda in Iraq, Abu Hamza al-Muhajir, and his call for technical support. Material such as this, regarding anonymity on the Internet, concealing of personal files locally on a computer, and utilizing all schemes of encryption, is to serve as electronic jihad, and a virtual means of supporting the Mujahideen.

Full analysis, here.

In another story out there, CIO Today is reporting:

According to the U.S. Computer Emergency Readiness Team (US-CERT), a joint venture between the U.S. Department of Homeland Security and private industry, threats were found on an Islamist Web site calling for attacks against U.S. financial Web sites through December, until the "infidel new year."

CIO Today story, here.

According to the story, there has been no evidence of any attacks and the alert is only to caution the industry.

Nonetheless, similar activity has been seen in the recent past:

Israeli Sites Under Attack by Islamic Hackers

I wonder how many attacks never happen because of some dedicated individuals at US-CERT and SITE?

International Identity Theft Gang Tied to Bank

The Serious and Organised Crime unit, the UK's financial crimes warriors, have delivered a significant punch to an organized identity theft gang, believed to have been in operation for ten years.

The gang, which seems Eastern European in origin, operated behind the cover of a "Moscow Bank" in Great Britain and Spain. Victims have been traced throughout Europe and the United States.

Fake identities and cloned credit cards were used to purchase "electrical goods," which were later fenced on eBay. The illicit proceeds of these transactions were "laundered" via PayPal and WorldPay accounts.

The TimesOnline reported:

Police discovered bogus passports, council tax documents, electoral registration applications, and bank statements as well as employment references from both an unsuspecting firm of solicitors and a fake one that were used to create false identities.

Cloned credit cards were used to buy cameras, computers, iPods, computer games, Royal Mint coin collection sets and other goods such as Liverpool FC strips from a variety of website traders. These items were then auctioned on eBay.

Link to TimesOnline story, here.

Unfortunately, a lot of the evidence was destroyed when one of the alleged gang members (while handcuffed) hit a power switch that wiped out the information.

Because of this - the true monetary implication of this activity will probably never be determined.

Of course, even if the information was recovered, it's entirely possible that there are other databases that have yet to be discovered, or never will be.