Friday, March 31, 2006

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up in Internet Scams

Got a comment on an old post today from a reader who was scammed by cashing counterfeit Travelers Express money orders. The reader was duped into thinking they were working as a Secret Shopper and has lost $7,000.00. Here is the previous post I am referring to:

Secret Shoppers Scammed

Did a little checking via some of my sources and found that counterfeit Travelers Express money orders are showing up in all sorts of internet scams in the past week.

Thus far, these money orders are showing up mostly in Advance fee fraud (419) scams.

The Advance Fee scam is where a ruse is used to get a victim to send the fraudsters money (nowadays normally by wire transfer) in anticipation of riches (or sometimes love) to come. The best known is the "Nigerian Letter," but the activity has mutated into romance, lottery, auction, check cashing, work at home and reshipping (as mentioned below) scams.

In a lot of the more recent Advance Fee activity, the victim is tricked into involving themselves in criminal activity, whether it be forwarding stolen merchandise, or negotiating bogus financial transactions and sending the funds elsewhere.

Please note that cashing counterfeit items is illegal and people have been arrested for passing them.

Here is information on how to verify Travelers Express Money Orders from their site:

"If you have retained your money order number, MoneyGram offers 24-hour automated money order status information by calling 1-800-542-3590. MoneyGram customer service representatives are also available from 7 a.m.-8 p.m. CST Monday-Friday and 8 a.m.-5 p.m. CST Saturdays."

There is more information on their site, which can be viewed by clicking on the title of this post.

Please note that automated systems aren't always accurate and that money orders are notoriously high-risk instruments. Most money order companies leave themselves with an "out" in case the instrument is later discovered to be bad.

The old saying is "Caveat emptor," or "let the buyer beware." If it seems too good to be true, it probably isn't.

Laptop Loss Exposes U.S. Marines

The Marine Corps can now join a growing list of organizations that have compromised personal data stored on a laptop.

The Stars and Stripes is reporting:

A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy.

In a message sent out to Marines, officials said the information was encoded and so far they’ve seen no evidence the information is being abused. But, because the data could be used for criminal purposes, they are asking all Marines to be on guard for signs of identity theft.

According to officials from the Manpower Information Technology Branch, the portable drive was part of a Naval Postgraduate School research project. The information was being used in research about the effectiveness of re-enlistment bonuses, but it was lost in a computer lab on campus in Monterey, Calif.

The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005.

School officials were notified that the data had been lost March 14. The servicewide message about the missing information was sent out 10 days later.

Data breaches are becoming weekly stories in the media. Recently, Ernst and Young, the accounting giant, lost several laptops AND the personal data from several companies was compromised.

Both the Marines and Ernst and Young have made statements that the information was protected.

The Register, which has been reporting the Ernst and Young story, had an interesting comment from a reader with a little technical expertise:

"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

If the Marines were completely confident that the information was protected they wouldn't be warning their troops.

Passwords can also be compromised via more social means, meaning they can be given up by the people who use them. In other words, the ability to hack into the systems might not be an issue in getting to the data. In any case such as this, insider involvement is a distinct possibility.

One has to wonder whether these laptops were targeted because of the information they contained. If so, the people behind this have probably taken into account how they would get past the protection installed on the systems.

Here are a series of articles from the Register on the Ernst and Young story:

Lost Ernst & Young laptop exposes IBM staff
Nokia staff jacked by Ernst & Young laptop loss
HK police complaints data leak puts city on edge
Fidelity lost HP's employee data to impress HP
40,000 BP workers exposed in Ernst & Young laptop loss
200,000 HP staff exposed as laptop loss party continues
Readers amazed by Ernst & Young's laptop giveaway
Ernst & Young loses four more laptops
Ernst & Young fails to disclose high-profile data loss

Here is a list of the major data breaches from the Privacy Rights Clearinghouse. They have been compiling this over the past couple of years and it's pretty amazing.

For any Marines who think their information is being used, the best place to go for help is the Federal Trade Commission (FTC).

Since I was one of you guys a long time ago, if I can be of assistance, please leave a comment here, or write me at

The full story from the Stars and Stripes can be viewed by clicking on the title of this post.

Monday, March 27, 2006

The Phishing Incident Reporting and Termination Squad is Looking for a Few Good Men and Women

Last week, I had the honor of corresponding with Alex Eckleberry (CEO, Sunbelt Security) and Paul Laudanski (Castlecops founder and Microsoft MVP) about the formation of the Phishing Incident Reporting and Termination (PIRT) Squad.

They are currently looking for a few good men and women to join their cause in the worldwide war against phishing.

No matter what authority is cited, phishing is on the rise and has become an internet epidemic. The "Phishermen" normally impersonate financial services and retailers, however they also sometimes impersonate law enforcement organizations and tax institutions. Currently, the IRS is having their woes with phishing and the news media is flooded with stories warning people not to respond to the e-mails requesting their personal information.

Of course, the end result of phishing is identity theft and financial crimes, which is another epidemic we are facing today.

The intent of PIRT is to put the "Phishermen" out of business and/or take actions that will lead to prosecuting a few of them.

PIRT is particularly interested in people with experience in the Asian ISP arena.

I've already tested the reporting software and it seems to work very well. I'm waiting to see if my application is accepted to become a member!

I could say more, but Alex is quite eloquent in his blog, which I might add is a great read for anyone interested in criminal activity on the internet:

CastleCops and Sunbelt Software are announcing a new anti-phishing community, the Phishing Incident Reporting and Termination (PIRT) Squad. This will be a community at CastleCops solely dedicated to taking down phishing sites. It’s the first public takedown community that I know of, and we are going to start nailing these sites. You can read the press release here. Zdnet article here.

The PIRT Squad works as a complement to existing organizations such as the Anti-Phishing Working Group (APWG). The primary difference between PIRT and other organizations is that PIRT is focused solely on aggressively terminating phishing sites. PIRT will work with other security organizations and, if necessary, law enforcement, to provide information for security and forensic analysis.

With this new service, you can report a phish via email or through a web tool. And we’re recruiting volunteers to help, too.

But here’s a little background: A while back, Paul Laudanski and I worked together to shut down a phishing site on a financial services company. What did we do? We called them aggressively by phone. We contacted their ISP. We contacted the brokerage firm they used to clear their orders. In just a few hours, the thing was shut down.

This got us talking about the problem of phishing. Very few people report these phishing sites immediately and get them shut down. There are a lot of experts involved in phish fighting, but they’re primarily dealing with the important security research and forensics angle of the business.

There are companies like Cyota, who contract with financial institutions to protect them from phishing, and they do takedown. Maybe their clients’ sites get taken down. But those who aren’t their clients? What happens?

This situation brings to mind those old TV shows, where a camera crew would have someone pretend to break into a car on a busy street, and no one around would call the cops. It’s not because no one cared, it’s because all the neighbors assumed someone else must be calling. So, no cops were called.

Well, it’s a relevant analogy for phishing. There’s an obvious solution to shutting down a phishing site that many people don’t realize they can do: Contact the site or the ISP or the compromised siteowner. In my experience, by aggressively going after phishing sites, you can shut down a significant portion of these sites — perhaps 40% or more — by simply taking action. This may not seem like a large number, but it’s pretty significant if you realize how many people you can help.

I’ve been testing this over the last couple of months: From time to time, I’ll contact someone related to the site to let them know that their site is being used for a phishing scam. In a fairly significant number of cases, I’ve been the first and possibly only one who ever contacted these people. It’s usually something that only takes me a few minutes, but it is effective in a large number of instances.

You see, most phishing operations run off of an innocent compromised site. Phishers, for obvious reasons, don’t want to let the world know who they are, so they find sites with poor security (almost always Apache-based sites that have poor configurations or old Apache versions), hack in, set up shop and do as much business as they can before they are shut down.

This even occurs with keylogging operations. Recently, we came upon an elderly lady running a site about flowers who had a full keylogging operation running off her site. Sending her emails was ineffective, so I simply looked up her name using, called her personally and told her what was going on. We helped her through the process of shutting down the compromised portion of her site, getting things back in place, and now a few less people will be affected by this keylogger. And just this past weekend, I worked on a takedown of a real-estate site with the zero day exploit. I was the first person to contact the realtor, and she took fast action to fix it. So one person can make a difference.

And that’s why Paul and Robin Laudanski and I decided to start PIRT. And we’re recruiting volunteers. Paul has even created a tool, Fried Phish(tm), which you can use to make phishing reports. Join here. An introductory Wiki (a work in progress) is here.

You can help fight phishers as well, with just a basic knowledge of how the Internet works. If only 10% of the people who read this blog reported one phishing site a day, it would actually make a dramatic impact.

So join Paul and me and become a Phishing Terminator.

Alex Eckelberry

Sunday, March 26, 2006

Cyber Terrorist Out of Commission

SITE (Search for International Terrorist Entities) is reporting that a cyber terrorist responsible for spreading terrorist propaganda and even instruction materials is no longer in business.

The Washington Post is reporting that Irhabi 007 (Terrorist 007) disappeared off the internet last fall after four youths were arrested under the Terrorism Act. British investigators have confirmed that one of the youths (Younis Tsouli) is the Al Qaeda hacker authorities have been seeking for two years.

Note that the article states that 007 used stolen credit cards to pay for his "hacking" activities.

Here is information from the SITE publication on this:

"For almost two years, intelligence services and government agencies around the globe have tried to uncover the identity of the notorious Internet expert Irhabi 007 (Terrorist 007), an infamous hacker whose teachings and contributions to the jihadi Internet community reigned unparalleled until the summer of 2005. It was then, on October 21, 2005, that British Authorities in Scotland Yard arrested four youths under the Terrorism Act instated after the attacks of September 11, 2001. Among these individuals was 22 year old West London resident Younis Tsouli, recently revealed to be the infamous Irhabi 007 himself."

"Celebrated in jihadi circles for his extensive computer abilities and his notorious hacking prowess, Irhabi changed the face of the jihadi Internet world through his ability to covertly and securely disseminate violent materials including manuals of weaponry, videos of jihadist feats, such as the beheadings perpetrated by Iraqi insurgents, and other inflammatory media files."

Full document here:

Irhaby 007 Unveiled: A Portrait of a Cyber-Terrorist

There is a lot of evidence that Al Qaeda has used technology, and in particular the internet, for years. Here is a document describing the extent of it by Lieutenant Colonel Timothy L. Thomas, USA Retired:

PARAMETERS, US Army War College Quarterly - Spring 2003

Normally, I write about financial crimes in relation (largely) to the internet. This illustrates that our failure to address the growing criminal, and it seems terrorist, use of this medium could have grave consequences.

Saturday, March 25, 2006

We Can No Longer Allow Criminals to Control Our Borders

In the post 9-11 environment, it was inevitable that illegal immigration could no longer be ignored. Not only does it create a security issue, but many States are going bankrupt funding the social programs that support it.

I've often thought it was unfair that businesses benefit from cheap labor and the taxpayer pays the tab.

This weekend, thousands are marching in protest of new laws intended to stem the flow of illegal immigration into the United States. Here is a current story by Reuters:

UPDATE 1-US immigration bill sparks protests, Bush plea

BUT there are security issues to consider. Illegal immigration is run by organized crime, no matter where the immigrants originate from. To work, most of these people need fake identification, which again are obtained from criminals.

In addition to this, many immigrants are forced to work in illegal activities to repay the criminals who brought them over the border. The facts are that many illegal immigrants are horribly exploited.

AND illegal immigration isn't a problem just in the United States.

The State Department also published the 2005 Trafficking in Persons Report, which covers activity in 150 countries.

A lot of illegal immigrants are forced into slave labor, sexual exploitation and many other criminal acts. The people who run this industry are not good people.

Sadly enough, it probably took 9-11 and the war on terrorism to bring this all to the forefront. Besides the obvious threat from fanatics, we need to stop people from being victimized by the trade in human flesh.

The bottom line is that we can no longer afford to let criminals control our borders. As we do this, we also need to find kinder ways to allow immigration and protect the immigrants from being exploited.

There has to be a better way.

eBay Fraud from a Personal Standpoint

Here is a personal story from Randy (computer store owner) about fraud on eBay. To put it mildly, it's scary!

“Read your article on auction fraud, you mentioned send info if we see one… I have been trying to buy a Garmin 396 GPS for over a month now on eBay, DAILY there are ads posted containing fraud, most are account takeovers… this is a high dollar item, retail is about $2400, ads commonly want you to email a different address, the reply will offer one at $500 if you sent the money Western Union… Today I actually found one that looked legit and I was set to bid, they even offered PayPal, I wrote the user asking if I could pick up the unit in Wisconsin this weekend if I won the auction, one hour before close they wrote that it wasn’t their ad and then the ad disappeared… currently there are 2 legit ads up for this item, most days they will run through 10 – 20 fake ones… I have to wonder how many people are getting scammed into sending money… I have written eBay numerous times but nothing happens, it’s like they don’t care… I almost think eBay should be shut down until they can figure out how to clean up false auctions, or at the very least be financially liable for any fraud perpetrated on their site… several years ago I was the victim of eBay fraud, I sent a money order for $650 for a digital camera which of course never arrived… after much investigation on my part I tracked the guy down… I contacted the Postmaster in New York and they set up a sting and actually caught the 17 year old kid cashing a money order at the post office… turns out he had duped over 30 people on the same ad and a year earlier had duped many more… long story short, I lost my money, the kid probably just got a slap on the wrist, the post office won’t give any details other than he was arrested and held for 1 hour before being released… very sad and very frustrating…”

10-20 fake ads for 2 real ones and it appears that account takeovers are as rampant as ever! As mentioned in his e-mail, Randy did actually help catch an eBay fraudster and he was held one hour before being released?

AND there are a lot of frustrated business people who are also taking a hit from eBay fraud. Here is a story about potential litigation being developed over all the counterfeit items for sale on the auction site (courtesy of the Globe and Mail):

The real deal: Lawyers wage war against fakes on Web

Another interesting story that came out about a week ago was an announcement from Microsoft that they were filing lawsuits against people selling counterfeit software on eBay.

Microsoft Files Lawsuits Against Online Sellers to Help Protect Consumers From Illegal Software

Time and time again, eBay has blamed anything and everyone else for the fraud problem on their site.

Randy put it quite eloquently in a reply to his original email:

"I was thinking this morning, I own a computer store. If my customers were being robbed daily while shopping on my premises, and I did nothing to protect them except tell them to be careful, or take any responsibility for the problem, how long would it take before the authorities shut me down because the place I was providing was too dangerous? I suspect it wouldn’t be very long."

I'll add another thought to this.

If Randy was selling counterfeit and stolen goods in his store, it probably wouldn't be long before he was arrested, or shut down by civil litigation.

When will eBay wake up and smell the coffee?

Here is a previous post on eBay denying the problem on their site:

eBay Claims Fraud Isn't a Major Problem

Is Cybercrime Overtaking Physical Crime?

Is cybercrime costing corporations more money than physical crime? IBM seems to think so and has published a survey:

Nearly 60 percent of American businesses believe that cybercrime is hurting them more than physical crime, according to a recent IBM survey. Companies surveyed in healthcare, finance, retailing and manufacturing say cybercrime has cost them revenue, current and prospective customers and employee productivity.

And businesses think it’s up to government, both federal and local, to rein in cyber criminals, which they see as increasingly sophisticated and organized. In contrast, another IBM survey found that more than half of consumers hold themselves most responsible for protecting themselves from cybercrime,

"U.S. IT executives are making it very clear how seriously they take cybercrime threat, both from internal and external sources," said Stuart McIrvine, director of IBM's security strategy. "Paralleling their growing awareness of the impact of cybercrime on their business is the view that this is not a battle they can fight wholly on their own. The nature of crime is changing, and businesses, technology providers and law enforcement must work together to ensure the right safeguards are being put in place to securely operate in today's environment."

Businesses see big bite from cybercrime

This comes on the heels of another well-read speculation that cybercrime is more profitable than the narcotics trade (courtesy of Fox):

No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Treasury on cybercrime.

"Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion," McNiven told Reuters. "Cybercrime is moving at such a high speed that law enforcement cannot catch up with it."

For example, Web sites used by fraudsters for "phishing " — the practice of tricking computer users into revealing their bank details and other personal data — only stayed on the Internet for a maximum of 48 hours, she said.

Asked if there was evidence of links between the funding of terrorism and cybercrime, McNiven said: "There is evidence of links between them. But what's more important is our refusal or failure to create secure systems, we can do it but it's an issue of costs." - Business News - Expert: Cyber-Crime More Profitable Than Drug Trafficking

Some will dispute these statements, but the evidence is growing that we have a serious problem with cybercrime that is unlikely to go away very soon.

Wednesday, March 22, 2006

IRS and Websense Update Phishing Alerts

Any significant time of year, or newsworthy event attracts internet fraudsters bent on stealing your identity. Recently, the news has been filled with stories of phishing scams related to tax time. In traditional phishing scams, the unwary person is tricked (normally via an e-mail) into giving out personal information on a spoofed (fake) site. While the traditional phishing attempts are still out there, a more dangerous version of this scam exists that doesn't require the victim to give up their personal information. When the intended victim visits the site, crimeware (sometimes known as malicious software, or malware) is injected into their system.

Normally, the malware (spyware) injected into systems to steal personal information is a keylogger. This malware records keystrokes on a system and transmits them back to the criminals, who normally use it to commit identity theft.

Interestingly enough, a lot of this technology is legal and routinely sold over the internet.

Here are two updated warnings from Websense and the IRS, itself:

Websense Security Labs has discovered tax attacks targeting the U.S. in several countries outside of the U.S. hosted on compromised web servers. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a website to verify their information. Users receive one of a variety of email messages with a link to a fraudulent website. Upon accessing the spoofed tax website, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information which can be used for withdrawing funds.

For the full press release by Websense:

Tax Attacks: Tech Thieves Target Online Tax Return Filers

Just a few days ago, the IRS itself updated their warning on this activity.

The following are examples of recent schemes reported on the IRS (updated) warning:

e-Mails claiming to come from, or other variations on the theme told the recipients that they were eligible to receive a tax refund for a given amount. It directed recipients to claim the refund by using a link contained in the e-mail which sent the recipient to a Web site. The site, a clone of the IRS Web site, displayed an interactive page similar to a genuine IRS one; however, it had been modified to ask for personal and financial information that the genuine IRS interactive page does not require.

The Treasury Inspector General for Tax Administration (TIGTA) has reported that it found 12 separate Web sites in 18 different countries hosting variations on this scheme.

A bogus IRS letter and Form W-8BEN (Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding) asked non-residents to provide personal information such as account numbers, PINs, mother's maiden name and passport number. The legitimate IRS Form W-8BEN, which is used by financial institutions to establish appropriate tax withholding for foreign individuals, does not ask for any of this information.

To protect against potential identity thieves, take the following steps:

Be skeptical of communications you receive from sources you are not expecting. Verify the authenticity of phone calls, standard mail, faxes or e-mails of questionable origin before responding.

Do not reveal secret passwords, PINs or other security-based data to third parties; genuine organizations or institutions do not need your secret data for ordinary business transactions.

Do not click on links contained in possibly questionable e-mails; instead, go directly to the site already known to be genuine. For example, the only address for the IRS Web site is, any other variations on this will not lead to the legitimate IRS Web site.

Do not open attachments to e-mails of possibly questionable origin, since they may contain viruses that will infect your computer.

Shred paper documents containing private financial information before discarding.

To report the fraudulent misuse of the IRS name, logo, forms or other IRS property, you may contact the TIGTA toll-free hotline at 1-800-366-4484 or visit the TIGTA Web site.

Those who think their identity has been stolen should visit the Federal Trade Commission's Web site for information about how to handle the aftermath of identity theft.

Here are some previous posts on tax fraud:

Tax Season Brings Out the Low Tech Fraudsters

The Dirty Dozen Tax Scams

Monday, March 20, 2006

Microsoft Takes the Fight Against Cyber Criminals Worldwide

Criminal activity on the internet keeps increasing. Borderless reaches, legal boundaries and advances in technology have made cyber fraud a growing problem. Microsoft is leading an effort to create partnerships that will break down the boundaries and take the prosecution effort across borders.

Here are some recent examples of this.

Courtesy of BBC News:

Microsoft is launching legal action against 100 phishing gangs based in Europe, the Middle East and Africa.

By the end of March, 53 cases will have begun said Microsoft, with all 100 filed by the end of June. Seven of the criminal groups behind fake websites that trick people into handing over confidential information are known to be in the UK.

The legal cases follow investigative work undertaken by Microsoft, national police forces and Interpol.

European phishing gangs targeted

AND just last week, Microsoft filed more actions against illegal software being sold on eBay. Here is the scoop from their press release:

"Cheap, pirated and counterfeit software abounds in the online marketplace. To help address the problem, Microsoft Corp. today announced it has filed eight lawsuits against sellers who Microsoft alleges sold counterfeit Microsoft software using eBay auctions. These eight cases reflect the company's ongoing efforts to protect its legitimate business partners and customers from dishonest business practices and the risks associated with pirated and counterfeit software."

"The eight defendants are located in Arizona, Connecticut, Florida, Hawaii, Massachusetts, Nebraska, New York and Washington."

"Microsoft identified seven of the defendants through customer submissions to the company's Windows Genuine Advantage (WGA) program. WGA is an online validation tool for customers to determine whether their software is genuine and gives them the option of submitting counterfeit reports on their suppliers if they did not receive genuine software. Complaints were also made about some of the defendants to the company's anti-piracy hotline, 1-800-RU-LEGIT (785-3448)."

Here is the full press release:

Microsoft Files Lawsuits Against Online Sellers to Help Protect Consumers From Illegal Software

For years, jurisdictional boundaries have hampered law enforcement efforts. Recently, in Cyber Criminals Love a Lack of Communication, I quoted Robert Mueller (FBI Director) as stating:

"Cyber space has been likened to the Wild West, an open and largely unprotected frontier with seemingly limitless opportunities. Like any new frontier, there will be those who seek to stake their claims, whether by legal or illegal means. And like the outlaws of the Wild West, the outlaws of this new world operate without boundaries and without barriers. They are moving as fast and as far as the technology will take them."

AND so it seems, Microsoft is right on their tail.

Here is more on Microsoft's (Bill's own) vision of the future of cyber security as he presented it to the RSA conference last month.

Gates Shares Microsoft's Vision for a More Secure Future

Websense Reports Organized Phishing Attack Targeting More than 100 Financial Institutions

Phishing attacks are becoming "smarter" and more organized. Here is a breaking alert from Websense:

Websense® Security Labs™ has received reports of a Trojan Horse which targets users of more than 100 financial institutions in the United States and Europe. Once installed on a user's machine, the malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (

If either of these applications is open, the behavior is different. In this case, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website.

The address returned from that DNS server is then populated into the hosts file along with a list of target brands. If the target machine visits one of the sites in the list, the machine is redirected to a fraudulent web site on the hosted machine in Russia. This allows the attacker to change the destination address through DNS if one of the servers is taken offline.

The web server uses the hostname received to serve up pages for that particular target. There are more than 100 different phishing brands hosted on this site, all with unique pages for the particular attack.

Full alert below with screen shots:

Crimeware, Trojan redirector targeting more than 100 banks
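As an added example (not part of the Websense alert or of this blog), the following Python script audits a hosts file for the two behaviours the alert describes: brand hostnames pinned to one shared remote address, and hostnames blackholed to loopback. The brand names, the antivirus hostname and the 192.0.2.10 address are constructed placeholders, not indicators from the alert.

```python
"""Audit a hosts file for the redirector pattern described in the alert.

Sample content and the brand watch list below are constructed for
illustration; the hostnames and the address are placeholders, not IoCs."""
import ipaddress
from collections import defaultdict

# Constructed watch list of brand hostnames the defender cares about.
WATCHED_BRANDS = {
    "onlinebanking.example-bank.com",
    "secure.example-creditunion.org",
    "login.example-broker.net",
}

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed hosts-file content. 192.0.2.10 is a documentation (TEST-NET)
# address standing in for an attacker-controlled redirector host.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Entries a redirector Trojan would add
192.0.2.10      onlinebanking.example-bank.com www.example-bank.com
192.0.2.10      secure.example-creditunion.org
192.0.2.10      login.example-broker.net
127.0.0.1       update.example-antivirus.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; ignore the line
        for host in parts[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def audit_hosts(text, watched=WATCHED_BRANDS, threshold=3):
    """Report three findings:
    pinned_brands      - watched brand names mapped statically anywhere
    shared_redirectors - a non-loopback address collecting >= threshold names
    blackholed         - non-standard names pointed at loopback"""
    pairs = parse_hosts(text)
    by_ip = defaultdict(set)
    for ip, host in pairs:
        by_ip[ip].add(host)

    findings = {"pinned_brands": [], "shared_redirectors": [], "blackholed": []}
    for ip, host in pairs:
        if host in watched:
            findings["pinned_brands"].append((host, ip))
        if ipaddress.ip_address(ip).is_loopback and host not in LOOPBACK_OK:
            findings["blackholed"].append((host, ip))
    for ip, hosts in by_ip.items():
        if ipaddress.ip_address(ip).is_loopback:
            continue
        if len(hosts) >= threshold:
            findings["shared_redirectors"].append((ip, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        for item in items:
            print(f"{kind}: {item}")
```

On a real machine, read the system hosts file (for example /etc/hosts, or %SystemRoot%\System32\drivers\etc\hosts on Windows) and pass its contents to audit_hosts with your own brand list.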

Sunday, March 19, 2006

Will Special Interests Place Business Interests over People in Breaches of Personal Data

Fraud and identity theft have become a worldwide epidemic in the internet age. Starting with laws in California, there has been a movement to better protect the victims of these crimes. The Consumers Union has a list of laws passed nationwide to protect people from becoming a statistic.

A new Federal bill, the Financial Data Protection Act of 2005 (H.R. 3997), which recently passed the House Financial Services Committee on a 48-17 vote, is drawing fire from consumer groups.

Reuters, who broke the story, is reporting:

"A U.S. House panel on Wednesday started debate on legislation to protect consumers' sensitive financial information, but agreed to set what some in the financial industry see as a low standard for triggering investigations and other steps required after a data breach."

For the full story from Reuters:

US House panel weighs consumer data security bill

Consumer advocates are warning that this proposed legislation will do nothing more than water down existing State laws. In fact, according to the Consumers Union, eleven States already have a higher standard. The proposed Federal law, which essentially lets the companies decide whether the victims of a breach should be notified, is a major step backwards.

All we have to do is look at the most recent case involving debit cards. It appears (I say that because no one is confirming anything) Visa and Mastercard knew of the problem at least a month before it was made public. The story broke with Bank of America and shortly thereafter, it was disclosed that Wells Fargo and Washington Mutual were involved, also. First, we were led to believe that the breach was in Northern California, but ever so slowly it seemed to move across the entire country. Then Boing Boing (a blog) broke the story that Citibank was involved and that PIN based transactions had also been compromised.

Of course, no one is admitting to the point of compromise, but then again, it seems to point to Office Max and Sam's Club.

Are special interest groups pushing this legislation to protect business interests over the people compromised? In fact, some might even speculate that the current rush to push this bill forward (after it sat in committee for a long time) is to prevent fall-out to the corporations involved.

U.S. Pirg (Public Interest Research Group) is already calling the bill a step backwards. In fact, Ed Mierzwinski (Consumer Program Director) said:

"Today, the Financial Services Committee voted for the worst data security bill ever. Rather than voting to protect consumers, the committee made things worse. All consumers should have the right to sleep at night without worrying about identity theft. This bill takes us in the wrong direction."

Here is a link to a blog entry that states how U.S. PIRG and the Consumers Union feel about this legislation.

Susanna Montezemolo, a policy analyst with Consumers Union, told Internet News:

"It is ironic that after a year in which over 55 million Americans' identities were put at risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft."

The financial industry needs to wake up and smell the coffee, and so do our elected representatives. Many of these breaches were caused by information not being protected properly and/or human error. Now the people who lose the information and expose millions get to decide when their victims will be notified?

The bill reeks of the "Fox watching the Hen House."

Another scary thought is the "point of compromise" premise. The latest debit card breach has proven that most of these companies aren't going to be forthcoming with any information that might implicate them. In most "identity theft" cases, the point of compromise is never discovered. This means that few disclosures will ever be "triggered" under the current form of legislation.

Failure to disclose the truth leaves the people who have been targeted vulnerable. In fact, it seems to make the crime easier to accomplish. CalPIRG did a study on the law enforcement perspective on identity theft. Some of the law enforcement opinions were to make credit issuers pay for the damage they cause and to require stricter controls on credit issuance.

It's interesting that those in law enforcement, who have to investigate these crimes, feel so strongly about it. They seem to display almost a disgust for how easy the "credit issuers" make it to commit these crimes.

Perhaps the solution is for everyone who thinks they have been breached to write to their elected representatives and call for a better version of this law.

Here is a site, where you can write to them and let them know how you feel.

Saturday, March 18, 2006

Information Breaches, the Human Factor

According to the Privacy Rights Clearinghouse, millions of identities have been compromised recently. In fact, it's impossible to quote an exact figure anymore because new reports of breaches are surfacing weekly. In their chronology, they list several occurrences as being caused by a dishonest insider, but in reality how much more of this could be happening?

One of the recent stories was about Ernst & Young having some laptops stolen. Several other breaches are listed as the result of stolen computers. The question is: how did the people who stole them determine which ones to steal and what information would be on them?

Many other breaches are listed as a result of "hacking." Hacking is a big word and brings visions of teenagers breaking into systems from afar. BUT is it possible, that some of the hacking occurring today might be the result of insider information obtained by the hackers?

A recent study by Taleo Research found that background screening at many companies is inadequate. The results of this study are pretty interesting:

27 percent of organizations experienced a major problem (workplace fraud, 10%; employee theft, 10%; or workplace violence) with an employee who was screened in but turned out to have a criminal record that the screening did not find.

57 percent of survey respondents believe that their organization should be doing a better job of screening employees prior to being hired.

Only 19 percent consider their current background check process very effective at weeding out candidates that do not meet the criteria for employment at their company.

Two-thirds of organizations do not conduct ongoing background checks on employees.

Only 29 percent have ever run an audit of their current screening provider to determine the quality of their screenings.

Of course, in the real world of data breaches, it seems that those, who have been breached, are extremely reluctant to reveal very many details.

AND there is another problem, which is the number of illegal immigrants out there in the work force. Depending on who you quote, they number in the millions and the trafficking is done by organized criminal gangs. Many of these immigrants owe lots of money to these gang members and already use fake, or stolen identities to work. How many of them might be repaying their debts by stealing information?

Here is a document from CERT, which shows the implications of organized cyber crime:

Organized Crime and Cyber-Crime: Implications for Business

There is no doubt this trend is growing and will continue to be a problem. Whether these organizations approach insiders for information, or plant them from within with fake identities, they can steal what has become a very profitable commodity in the world marketplace: information.

Another potential problem is outsourcing financial and computer services to other countries, where the security standards are not up to par. In fact, this might even make some of these firms more attractive targets for the criminal element. I wrote about this in a previous post:

What are the Security Implications of Outsourcing

Until some of the organizations, who have been breached are held more accountable, we will probably never know the true scope of "insider involvement."

Friday, March 17, 2006

Communication is a Key Factor in the Fight Against Financial Crimes

Technology seems to outpace laws and enforcement efforts in the world of financial crimes. Communication and awareness are two ways to keep up with technology.

In fact, Robert Mueller (FBI Director) recently called for the same thing. I wrote about this in a previous post: Cyber Criminals Love a Lack of Communication.

Monica Hatcher of the Miami Herald reports about another effort to better coordinate resources in the fight against financial crimes:

Until recently, law enforcement had few ways to keep track of consumer scams which seem to multiply daily, often duplicating investigative efforts and missing out on valuable information gathered by government counterparts.

The Center for the Study of Economic Crimes, a joint project of St. Thomas University School of Law and Florida State University College of Criminology, was established about a year ago to address the problem.

The center will host today its first national conference, drawing more than 300 government officials, law enforcement agents and corporate leaders to discuss emerging trends in white collar crime and consumer fraud.

The conference complements the center's main tasks of hosting and developing, a national clearing house for information on fraud-related topics, and producing scholarly reports on trends.

Here is the full story:

University hosts national conference on crime, fraud trends

Link to FraudUpdate for more information.

Law enforcement, security experts and the corporate world need to join hands to combat an alarming increase in financial crimes. Financial crimes, inspired primarily by the internet, are quickly becoming a major threat to the well being of the economy.

In my opinion, this is a step in the right direction.

Wednesday, March 15, 2006

Are the Arrests in the Debit Card Case the Beginning of More to Come

Greg Sandoval of CNet is reporting:

Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards.

The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

Some of the stolen credit card information came from the office-supply chain OfficeMax and other businesses, DeFazio told CNET on Monday. "We had cooperation from the security people from many victimized businesses," he said.

Credit-card issuers Visa and MasterCard have blamed a growing number of thefts from debit-card holder accounts--in areas ranging from San Francisco to Boston--on a security breach suffered by a merchant, but they've refused to identify the company.

Here is the full story from CNet:

Prosecutor: Debit card crime ring busted

This might be good news, but it's being announced by local authorities. This case has ties from coast to coast, and the cloned cards have been used worldwide. I would speculate that there is more to come, or that only one part of a group has been caught.

All through this case, it seems that many of the companies who were breached were slow to notify their customers. There is likely to be a political backlash. Reuters reported recently:

House panel to consider data security bill

The bottom line is that the common person needs to be taken into consideration when corporations lose their personal information.

Based on what I have been reading, there are a lot of frustrated people out there affected in this breach. From the beginning, the notifications to victims were slow in coming and even today, no one is admitting where the actual point of compromise was.

Boing Boing and the Consumerist have done an excellent job of getting out the view of the victim in many of their posts. For some personal views of how people are feeling out there, I highly recommend reading their material.

Here is a previous post, I did on Debit Card Breaches, A Growing Problem.

Some arrests have been made, but I doubt the issue has been resolved.

Saturday, March 11, 2006

Hard Drives for Nigeria

Nigeria is one of the main sources for all sorts of Advance fee fraud (419) scams. The Advance Fee scam is where a ruse is used to get a victim to send money (nowadays normally by wire transfer) in anticipation of riches (or sometimes love) to come. The best known is the "Nigerian Letter," but the activity has mutated into romance, lottery, auction, check cashing, work at home and reshipping (as mentioned below) scams.

In a lot of the more recent 419 activity, the victim is tricked into involving themselves in criminal activity, whether it be forwarding stolen merchandise, or negotiating bogus financial transactions and sending the funds elsewhere.

419 is the section of the Nigerian Criminal Code that covers this type of fraud, and the fraudsters call their victims "Mugus." According to Wikipedia, 'Mugu' is a Nigerian Pidgin term which means 'fool'.

In fact, in Nigerian popular music a musician called Osuofia has even recorded what is considered their anthem, "I Go Chop Your Dollar." Here are some of the lyrics:

"419 is just a game, you are the losers, we are the winners.

White people are greedy, I can say they are greedy White men, I will eat your dollars, will take your money and disappear.

419 is just a game, we are the masters, you are the losers."

For the video, click here.

419 (Advance Fee) fraud is now done primarily over the internet, via e-mail, instant messaging and chat rooms. The fraudsters reportedly operate out of internet cafes in Nigeria.

Here is an interesting report involving Nigerian Fraud activity and shipping hard drives to Nigeria.

Can't say for sure, but I could speculate that they would be used in the 419 industry over there.

Hilary Bothma of the Oakland Tribune reports:

"A team of Oakland police officers, Secret Service agents and investigators from Hewlett Packard have recovered approximately $12,000 in hard drives that were about to be shipped to Nigeria as part of a package-forwarding scam.

Oakland police said they were contacted last week by HP's global security department about hard drives bought from the company with a stolen credit card and shipped to three Oakland addresses.

Oakland officers who contacted one of the recipients of the hard drives said he was "stunned" to find that his Nigerian friend, whom he met in a Yahoo chat room, was really a scam artist.
Police said the man, who preferred not to be identified, turned over two boxes of hard drives immediately and called them Wednesday to report that he wanted to return 10 more boxes.

According to police, the man's "friend" had used a stolen American Express account to purchase 120 desktop hard drives, with a value of about $100 each. The Oaklander was persuaded to receive the goods, reportedly told by his friend that shipping electronics directly to Nigeria would be risky and expensive.

The Oakland man, who works in a local Christian bookstore, planned to relabel the boxes and ship them to Nigeria himself, unaware that the parts were bought with a stolen credit card and that he risked being held liable.

Police said they do not suspect any of the three people who received the hard drives of any deliberate wrongdoing."

Here is the full story from the Oakland Tribune:

Hard drive-mailing scam cracked

419 Advance Fee activity has inspired an internet community dedicated to fighting their efforts. Many of the sites can be viewed courtesy of the 419 Coalition (US) on their links page.

If you have been a victim, or merely want to report activity, the 419 Coalition main page (linked above) is a wealth of information on how to do it anywhere in the world.

Former Bush Advisor Arrested on Shoplifting Allegations

WBAL, Channel 11, Baltimore is reporting that:

"A former domestic policy adviser to President Bush has been charged with theft for allegedly receiving phony refunds at department stores."

"Claude Alexander Allen, 45, was arrested Thursday by Montgomery County police for allegedly claiming refunds for more than $5,000 worth of merchandise he did not buy, according to county and federal authorities."

"Allen was the No. 2 official in the Health and Human Services Department when Bush nominated him in April 2003 to the 4th U.S. Circuit Court of Appeals in Richmond, Va. Bush nominated him to the court again a year later, but Allen never received a Senate vote."

"During his confirmation hearing, Allen was questioned about his use of the word "queer" when he was a press aide to Sen. Jesse Helms, R-N.C., in 1984. Allen said he didn't intend it as a slur against gay people."

He recently resigned (abruptly), saying he wanted to spend more time with his family. I wonder if there was anything else involved?

Per the Washington Post, "White House spokesman Scott McClellan said last night that if the allegation is true, "no one would be more disappointed, shocked and outraged" than the president. McClellan said Allen had told White House Chief of Staff Andrew H. Card Jr. and White House counsel Harriet Miers that the matter was a misunderstanding."

Here is the full story by WBAL:

Former White House Adviser Arrested

Here is the full story (more detail) by the Washington Post:

Former Top Bush Aide Accused of Md. Theft

Refund fraud is a serious problem for retailers. According to a National Retail Security Survey authored by University of Florida criminology professor Richard C. Hollinger, the retail industry lost about $16 billion to theft activities in 2003.

It appears that this crime truly spans all age groups and backgrounds. Allen is by no means as famous as Winona Ryder, but they might both soon share something in common (the stigma of being a convicted shoplifter).

How Dangerous is China

David Perera of wrote an interesting piece arguing that Chinese hackers might be more interested in hacking our logistics systems than in the more classified systems the military uses.

David Perera writes:
For Americans today, war evokes images of roadside bombs and hidden snipers in the Middle East. But Defense Department planners who are paid to think about future wars worry about the People's Republic of China. Rising powers long have challenged dominant countries for primacy - it's an old story. And now, nobody is more powerful than the United States.

Logistics information literally is the bread and butter of the military. Track the supply lines of materiel and personnel and you'll know where troops are headed. Disrupt that supply line, and you will have created a barrier to getting there quickly. Amateurs study tactics, professionals study logistics, goes the Pentagon cliché. Yet great chunks of logistics information flow across the unclassified Defense Department system, the Nonsecure Internet Protocol Router Network, or NIPRNet. The Pentagon maintains a separate network for secret information, but the NIPRNet is its daily workhorse.

The world's largest network once was one built from flagstone-paved roads extending 53,000 miles in Roman antiquity. The roads were designed as a tool for policing an empire, and also for trade and communications. Unfortunately for the Romans, barbarians found them equally useful for their own purposes - attacking legionnaires - and eventually the Roman Empire was no more.
Full story, here.

Last November, I wrote about, US Military Hacked, Sober Worm Goes Worldwide, What Next?

"The Chinese (who seem to be behind the most recent attack on the military) have been suspected of selling technology (including nuclear) to governments, who might be dangerous to world peace. All one has to do is read the story of AQ Khan, who developed nuclear weapons for Pakistan and admitted selling secrets to North Korea, Libya and Iran. There is a lot of speculation that he obtained a lot of his knowledge from the Chinese, who were caught stealing nuclear secrets from us during the Clinton Administration, Online NewsHour: Spies Among Us -- June 9, 1999."

There is also a lot of other evidence that the Chinese are heavily involved in cyber-espionage activities. The FBI Computer Crime Survey stated that China was responsible for 23.9% of the cyber attacks in their survey.

Of course, the United States is still the number one source, but one has to consider that the internet is heavily censored in China. This would lead a logical person to come to the conclusion that certain activities are being tolerated by those, who censor it.

In fact, some have dubbed it the "Great Firewall of China."

Another factor to consider is organized criminal activity of Chinese origin:

Chinese Criminal Enterprises - US Department of State

One of the activities, they are actively involved in is "illegal immigration," which could provide a conduit for planting spies in the industrial and financial sectors.

Patrick Devenny of recently wrote a story, where he quoted Sun Tzu from the Art of War:

Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy.

In his article, he writes:

The list of additional recent Chinese espionage cases is long and disturbing. It includes, among others, the theft of Blackhawk helicopter engines and optical devices by a South Korean man arrested last year. A Chinese-American couple in Wisconsin was arrested in 2004 for sending over $500,000 worth of computer parts to the Chinese government that can be used to improve missile guidance systems.

Statements from officials such as Szady hint that cases like these are just a small sample of the overall secret Chinese war against America. Indeed, in the words of one unnamed senior FBI source, “the Chinese are stealing us blind, the 10 year technological advantage we had is vanishing.”

Daily, we read of the threat from Terrorism. While this isn't an issue to be ignored, we can't afford to ignore what seems to be an ongoing and calculated threat from China.

AND there could be more ominous implications. One of the biggest threats today is the possibility of Iran becoming a nuclear power.

Guess who has been providing them with technology that could have been stolen from us: China (courtesy of NTI).

Friday, March 10, 2006

Are Hackers Framing iBill

iBill is claiming that they are being framed. Wired News (Quinn Norton) is now reporting:

"I'm the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say 'we screwed up,' if that were the case," said iBill President Gary Spaniak Jr.

"Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two."

"Additionally, some entries in the stolen databases were identified as purchases on Diner's Club cards, which iBill says it has never accepted in its nine year history. Spaniak says iBill recently passed a security audit that found its databases well secured."

"Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, A Google search turns up scores of offers on for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list."

"Other offers on the site purport to sell data from competing internet billing firm CCBill, which says that it isn't aware of having been breached either."

What scared me the most was a statement issued by the FBI regarding this:

"An FBI spokeswoman says the bureau wouldn't investigate the breach unless the source of the leak comes forward to make a complaint."

Here is the full story by Quinn Norton:

Porn Biller Says It Was Framed

I did check the website and it does exist.

Pretty scary that this site is up and going AND selling people's personal information.

Perhaps, Paul Young of prying1 said it best when he wrote "Online Porn Addicts Be Aware of this."

With sites like and all the recent data breaches, we all need to Be Aware. Even if the information doesn't come from iBill, it appears people's information is being sold there.

I wonder if anyone at the FBI is investigating "" If they aren't, they should be!

Thursday, March 09, 2006

iBill (Adult Services Payment Processor) Latest Financial Services Company to be Breached

Quinn Norton of Wired News and Boing Boing are reporting that one of the major payment processors for "adult services" has had the personal information of millions of its customers compromised.

"Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say."

"The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included."

Porn Billing Leak Exposes Buyers

Sunbelt Software discovered the initial leak, covering about one million customers, about a month ago. Their CEO writes an excellent blog, which I recommend:

Alex Eckelberry's Sunbelt Blog

iBill (in keeping with tradition) isn't revealing very much about the breach.

This list of breaches (compiled by the Privacy Rights Clearinghouse) is already in need of an update.

A Chronology of Data Breaches Since the ChoicePoint Incident

Unfortunately, new (major) breaches are being uncovered all the time.

Meanwhile, a federal bill (S.1789) is still in the Judiciary Committee. Here's the bill summary. This might be the first step in forcing companies who have been breached to do a little "explaining" to their customers.

Wednesday, March 08, 2006

U.S. Citizenship and Immigration Services Probed for Fraud

A "whistleblower" has brought forward allegations of fraud at USCIS (U.S. Citizenship and Immigration Services). With all the recent concerns about the security of our borders, this could be a concern.

Erica Werner of the AP reported:

"The allegations range from employees skipping required fingerprint checks on applicants and issuing duplicate green cards, to more serious accusations of bribery and undue influence by foreign governments. Many of the complaints originated with a whistleblower who took them to Sen. Charles Grassley, R-Iowa."

The new USCIS Director Emilio Gonzalez is acknowledging there might be fraud and has asked that the matter be investigated.

If this turns out to be true, it illustrates that unless internal security is kept under control at organizations, both private and public, fraud will always be a possibility.

This will be an interesting story to follow.

For the full report by Erica Werner, click on the title of this post.

Sunday, March 05, 2006

Boing Boing Reports Citibank Under Fraud Attack

Boing Boing has scooped the press by reporting Citibank is under some sort of fraud attack.

AND in keeping with what seems to be a growing trend, it appears debit cards are being targeted.

Jake Appelbaum, who is currently in Toronto with a useless debit card, wrote:

"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud."

"Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed."

"She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."

Poor Jake, stuck in Toronto with no way to get cash, and he will have to cross the border to get his PIN reset. A testament to how fraud victims are treated, which from what I hear is a frustrating experience for all.

I did some checking, and Carla ID#CRU194 was right: this doesn't seem to have hit the mainstream media. I probably should let the people at Boing Boing know that the company (bank) that has been breached tends to be very tight-lipped about it.

Maybe if they had provided better customer service to Jake, it would still be a deep dark secret.

Interestingly enough, here is a post, I wrote a couple of days ago:

Debit Card Breaches, A Growing Problem

The Privacy Rights Clearinghouse tracks data breaches, the number and velocity of them are pretty scary:

A Chronology of Data Breaches Since the ChoicePoint Incident

Here is my rant on the lack of sophistication in some of these data breaches:

Stealing Data Shouldn't be so Darned Easy

For the full post by Jake and Boing Boing, click on the title of this post.

Saturday, March 04, 2006

Internet Privacy is Becoming a Growing Concern

Recently in the news, ISPs (Internet service providers) have been faulted for releasing private information to the NSA (National Security Agency). In fact, we can probably expect to see a lot of legal action over this in the near term.

Given the amount of potential terrorism the NSA is dealing with, I speculate they have little time to interfere in a normal citizen's privacy. To me, the real issue is the so-called "Information Industry," which has been gathering personal information (for resale) on all of us for years.

The result of this data harvesting has been a record number of data breaches, where massive amounts of people's personal information is compromised.

Tor, which is sponsored by the Electronic Frontier Foundation, is a free option for people who do not want their online activity tied back to them. Note what it does and does not do: it conceals where a connection comes from and who is talking to whom; it cannot protect information a person has already handed to a company, which is where the breaches discussed here happen.

According to Wikipedia:

"Tor is an implementation of second-generation onion routing - an anonymity system enabling its users to communicate anonymously on the Internet. Originally sponsored by the US Naval Research Laboratory, Tor became an Electronic Frontier Foundation (EFF) project in late 2004."

Tor (anonymity network) is a "toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features."

"Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."
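The "bounced around a distributed network of servers" in that description is layered encryption: the client wraps the message once per relay, and each relay peels off exactly one layer, learning only where the packet came from and where it goes next. The simulation below is an added example, not Tor's own code or protocol. It stands in an HMAC-SHA256 keystream for the per-hop cipher, assumes the client already shares a key with every relay (Tor negotiates these with a handshake that is omitted here), and uses constructed relay names, keys and a sample message.

```python
"""Toy onion routing: layered encryption so each relay learns only its neighbours.

Added example, not Tor's own code or protocol. The per-hop cipher is an
HMAC-SHA256 keystream XOR (a stand-in, not Tor's cipher), keys are assumed
to be pre-shared, and the route, keys and message are constructed for the demo.
"""
import hashlib
import hmac
import os

HOP_FIELD = 16  # fixed-width next-hop label so relays need no parsing
NONCE_LEN = 16

# Constructed circuit: three relays with deterministic demo keys.
ROUTE = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(f"demo-key-{name}".encode()).digest() for name in ROUTE}


def keystream(key, nonce, length):
    """Deterministic keystream: concatenated HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt one layer as: random nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_layer(key, blob):
    """Strip one layer; only the holder of `key` recovers the plaintext."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(route, keys, destination, message):
    """Wrap the message for the exit first, then for each earlier relay.

    The innermost layer carries the final destination and the message; every
    outer layer carries only the name of the relay that comes next.
    """
    blob = seal(keys[route[-1]], destination.ljust(HOP_FIELD).encode() + message)
    for prev, nxt in reversed(list(zip(route, route[1:]))):
        blob = seal(keys[prev], nxt.ljust(HOP_FIELD).encode() + blob)
    return blob


def relay_process(name, key, blob):
    """What one relay does: peel its layer and read only the next-hop label."""
    plain = open_layer(key, blob)
    next_hop = plain[:HOP_FIELD].decode(errors="replace").strip()
    return next_hop, plain[HOP_FIELD:]


def run_circuit(route, keys, destination, message):
    """Simulate the client and every relay; report what each relay could see."""
    blob = build_onion(route, keys, destination, message)
    observed = []
    for name in route:
        next_hop, blob = relay_process(name, keys[name], blob)
        observed.append({
            "relay": name,
            "next_hop": next_hop,
            # Is the cleartext message readable in what this relay forwards?
            "message_visible": message in blob,
        })
    # After the exit peels its layer, only the cleartext for the destination remains.
    return observed, blob


if __name__ == "__main__":
    seen, payload = run_circuit(ROUTE, KEYS, "example.org", b"GET / HTTP/1.0")
    for entry in seen:
        print(entry)
    print("delivered:", payload)
```

Running it shows the guard learning only "middle", the middle relay only "exit", and the exit relay the destination and the cleartext but not the originating client. What the toy leaves out is exactly what makes the real system hard: no integrity protection on the layers, no fixed-size cells to frustrate traffic analysis, and no authenticated key exchange, so a relay handed the wrong key simply recovers garbage rather than detecting tampering.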

While this technology has the potential for abuse, as long as businesses gather this information and criminals steal it, a person should have the right to defend themselves. The criminal element on the internet already has access to this technology and is known to use other methods, such as stolen identities, account takeovers and even botnets, to conceal their true identities. The solution is to identify the root causes of why they are able to do this.

We also need to accomplish this without making the common person vulnerable to abuse.

Debit Card Breaches, A Growing Problem

Last month, 200,000 debit card numbers were breached in the Western United States. News reports speculated that the breach was either at Sam's Club or Office Max.

Here is one of the posts I did on this scenario:

Office Max Denies Being Hacked in Debit Card Breach

Now activity seems to be moving to the middle of the country and even to the East Coast.

Indiana's NewsCenter16 reporter Kimberly Torres reported on 03/02/06:

"Banks and credit unions, including some here in Michiana, are sending out letters to warn their customers. Someone got into the database of a nationwide store chain, although Visa won't say what store. They stole Visa credit card/debit numbers, and soon after, ATM transactions popped up overseas."

Contact 16: Visa card numbers stolen, Michiana affected

The same day the Indiana story broke, the Boston News Channel reported:

"Officials said Leominster and Fitchburg area residents are being stung by debit card fraud in amounts from hundreds of dollars up to almost $2,000."

Towns Stung By Debit Card Fraud

Of course, there is no way to tell if this activity ties together, but the similarities are amazing. Retailers, debit cards and hacking appear to be involved in most of the scenarios.

This supports the February 23rd ZDNet story, Debit Card Fraud Causes FBI To Widen Its Probe, which stated:

"Federal investigations into a debit card fraud that has affected about 200,000 cardholders in the western US have been extended to other parts of the US in an effort to identify common factors. In the past week, Bank of America, Wells Fargo and Washington Mutual advised that the debit cards of certain customers would be replaced following an unconfirmed card security breach in which cardholders' names, debit card numbers and PINs were obtained. Fraudulent charges at Wal-Mart's Sam's Club division and at office retailer, OfficeMax, are receiving particular scrutiny in investigations."

No one is saying (directly) how the systems at retailers are being compromised. One thing that has been spotted with increasing frequency is the use of skimming devices (often wireless) on ATM machines. Here is a post I did a while back with some interesting pictures:

ATM Machines That Clone Your Card

It appears that debit card breaches are a growing problem for both the financial and retail industries. Everyone seems to be extremely tight-lipped on how the breaches are occurring, and it's hard to say whether this is because of the ongoing investigation or for other reasons.

Fox News recently reported:

"Consumer advocacy groups say the public isn't getting the full story on debit cards, which have become so popular that 127 million are in use today."

"Debit cards are the pot of gold at the end of the rainbow for banks," said Ed Mierzwinski of the U.S. Public Interest Research Group (U.S. PIRG), a consumer watchdog organization. "They're a big risk for consumers."

"Mierzwinski said the bank makes $2 on every $100 spent with a debit card, but banks don't tell consumers how difficult it is to reclaim their funds after a theft."

Here is a scary story from MSN Money, Banks hang fraud victims high and dry by Liz Pulliam Weston. In this story, she writes:

"The rules are somewhat different for bank accounts. When a fraudulent debit charge or automatic payment is reported, a section of federal law known as Regulation E requires banks to investigate within 10 days. But banks can extend that period to 45 days if they credit the disputed amount or $2,500, whichever is less, to the customer's account. (Paper checks offer even less protection, as I discussed in "Your paper check is a thief's best friend.")

"But a bank can decide there was no fraud, experts say, and take the money back as long as it provides a written explanation to the customer. That's what happened to the Hendersons and to Los Angeles Times columnist Steve Lopez, who recently wrote about his bank snatching back the $2,020.50 it had restored to his account after a theft."

Problems with debit cards aren't confined to the United States; breaches are regularly reported throughout the world.

Here is an interesting article from the Canadian Broadcasting Corporation, which illustrates that the problem is growing in Canada as well:

CBC News: Debit card fraud an 'epidemic'

Friday, March 03, 2006

How Effective is the Do Not Call Registry?

Kevin Poulsen of Wired News wrote an interesting article about Caller ID spoofing. In it, he writes:

"If you've ever used one of the half-dozen websites that allow you to control the phone number that appears on someone's Caller ID display when you phone them, the U.S. government would like to know who you are."

"Last week the FCC opened an investigation into the caller-ID spoofing sites -- services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists."

Here is the full article, with links to some of these dubious services:

FCC Probes Caller-ID Fakers

The Federal Trade Commission (FTC) has its National Do-Not-Call Registry, where you can register your telephone numbers, which makes it illegal for businesses to call you unsolicited.

Of course, it's still legal for businesses to call you if you have a relationship with them. This means that you are still vulnerable to their marketing campaigns, whether you want to be or not.

Lately, I've noticed that businesses that are allowed to call me also spoof their numbers with caller ID labels such as "800 services." Today, I got one that was a recorded ad for one of the clothing retailers I shop at occasionally.

Additionally, charities are exempt from this, and many charities hire third-party call centers to solicit donations for a commission. Often, if I answer, they will swear my wife made a pledge, and when I ask her, she knows nothing about it. In fact, charity fraud was quite the buzzword in the recent hurricane disasters.

Let's face it, spoofing caller IDs is becoming the norm, and if you don't know who called, it's going to be difficult to file a viable complaint. Making this activity legal also provides a valuable means for criminals AND unethical business people to invade people's privacy, and WORSE.

Here is another clear example of where laws need to catch up with technology.

The United States and Canada are Becoming Borderless in the Cyber Crime Wars

The Federal Trade Commission and Canadian consumer agencies are designating March as Fraud Prevention Month.

"Officials from the Federal Trade Commission and Canadian consumer protection agencies met in Ottawa today to kick off March as Fraud Prevention Month. The initiative is part of an international effort to raise public awareness worldwide of the dangers of fraud, while educating the public on how to recognize and report it. The representatives from the FTC, Canada’s Competition Bureau, the Royal Canadian Mounted Police, and the Ontario Provincial Police explained how cross-border partnerships are key in fighting the global scourge of fraud."

Fraud Prevention Month will be a theme on, which can also be viewed in Espanol (Spanish) at Alerta en

Both of these sites have a lot of "user friendly" information on how to avoid fraud on the internet.

You can also report fraud to the FTC by filing a "complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at"

Canada also has a similar service, PhoneBusters, which is accessible in English or Francais (French):

Welcome to PhoneBusters

There is no doubt that in recent years we have seen a lot of fraud go both ways across the border. Cyber criminals often do this to avoid prosecution, AND it's great to see TEAMWORK in fighting this activity.

For a Canadian perspective on this from Government of Canada news, read:

March Declared "Fraud Prevention Month" in Canada and Around the World

Thursday, March 02, 2006

Websense Security Trends Report for Second Half of 2005

Websense has published their report on internet criminal activity for the second half of 2005.

They are seeing the number of malicious websites containing crimeware on the rise. Phishing attacks are also changing (mutating) to account for greater awareness and stronger defenses against them. One of the mutations is spear phishing, where specific groups are targeted, often (allegedly) with the use of inside information, which was probably stolen. They are also seeing an increase in attacks against non-financial institutions, in addition to the financial institutions that were the traditional targets of this sort of activity.

The conclusion in the report is:

"The use of the web to launch attacks increased during the second half of the year, and the variety of methods used to launch attacks mirrored this increase. We saw criminals adapt to changing conditions by creating new exploits, capitalizing on inherent vulnerabilities, increasing the quality and stealth of their exploits, and cooperating among themselves."

"We saw browser and operating system exploits used more frequently and more effectively in H2 2005. These included zero-day exploits targeting browser and operating system vulnerabilities. Cyber criminals improved the timing of such exploits in H2 2005 by detecting vulnerabilities, designing attacks, and launching them before the vulnerabilities were widely known, and before patches could be provided for computer users."

"Infections resulting from visits to websites surpassed other infection methods during the second half of the year. We determined that this method of infection has begun to be used in combination with other methods."

"Hand-in-hand with the increased involvement of organized criminal groups, we saw a movement away from nuisance attacks toward exploits and malicious websites intended for criminal purposes. Successful exploitation of these vulnerabilities enabled attackers to execute code on the workstations of unsuspecting users without their knowledge or consent — even fully patched workstations. We also saw an increased use of affiliates to spread infections."

"New targets for exploitation appeared in the second half of the year, as cyber criminals compensated for increased sophistication and wariness among computer users who have become more aware of luring techniques. Spear phishing was introduced in an effort to deliver more convincing lures to targeted audiences."

"Attacks were increasingly launched against smaller domestic financial institutions in H2 2005, and more frequently against non-financial targets. We saw an increase in cyber extortion attacks in which money was requested to resolve problems introduced by those requesting money for the repairs."

Internet crime is on the rise. In fact, it seems to be becoming more organized and more devious in order to thwart recent awareness campaigns. Recently, when addressing the RSA conference, FBI Director Robert Mueller called for greater cooperation between the business sector and law enforcement to combat cyber crime throughout the world. If we fail to heed this wise advice, I fear the consequences could be serious.

On a personal level, I would like to commend the good folks at Websense, who are part of the business sector and seem to be contributing to the atmosphere Director Mueller speaks of.