Monday, August 07, 2006

Another Computer with VA Data has Gone Missing

Two days after two teenagers were arrested for the stolen computer that contained the personal information of 26.5 million veterans - the VA is reporting that another computer has "gone missing." This time the impact is smaller - it only contained the information of 38,000 veterans.

Unisys, the VA contractor, who lost the computer claims it didn't have any financial information - but if you read into it a little deeper - they state:

"In the latest case, Unisys told the VA on Aug. 3 that the computer was missing from the company's offices in Reston, Va., the VA said. The VA and Unisys said the data may include names, addresses, Social Security numbers and dates of birth."

My analysis of this is that there were no credit card numbers, or bank accounts - but generally everything else an I.D. thief needs to go out and create a lot of "financial information."

Gotta love some of these "press releases."

For the Reuters story - courtesy of CNet, link here.

Here is post, I did reflecting my thoughts on the last VA computer that went missing:

The VA Data Breach is a Symptom of a Bigger Problem

I close this post with that thought.

Sunday, August 06, 2006

Botnets used to Scam eBay Users

With all the talk about the DefCon (Black Hat) conference in Vegas, this story seems to have gone to the wayside.

Botnets are used by organized criminals - who employ hackers (the malicious sort) - to commit crime on the Internet. Now they are being used on eBay to create phony customer feedback scores and commit auction fraud.

Botnets consist of computer systems that have been taken over after malware is downloaded. The systems are then turned into "zombies" and can be controlled remotely. The "zombie computers" are then used by their owners to commit all kinds of mischief (the illegal type).

Gregg Keizer, TechWeb Technology News reports:

Scammers are using bots to create bogus eBay accounts that boast trustworthy profiles in a new scheme to rip off buyers, a security company said Monday."

The scam, said Sunnyvale, Calif.-based Fortinet, is a new twist on an old con where criminals set up bogus auctions, rake in the proceeds, and then scram, never intending to ship anything to buyers."

Long-time eBay users, however, have gotten wise to such double-crosses, and have learned to avoid auctions where the seller has little or no transaction record and/or little or no buyer feedback.

The new dodge, however, makes that defense useless.

According to Fortinet, the racket uses a bot to create a large number of fake accounts, then applies a spider to scavenge eBay for 1-cent "Buy Now" items, then purchase them.


Once they get a "good rating" going, the scam begins.

Link to the full story by TechWeb, here.

Of course, phishing takes a toll on eBay users, also. Normally, the intent here is to takeover a account with a good rating and then disappear.

Interestingly enough, PIRT run by CastleCops and Sunbelt Software just released the Top Phished Brands - which confirms that eBay and it's sister organization PayPal are phished more than any other brands.

Technology continues to be leveraged by criminals to commit crime on auction sites. In this instance, the recommendation is to read the feedback of the seller "carefully" and beware of anyone with too many 1-cent auctions.

It also pays to ensure the protection for your system is up-to-date and avoid clicking on any links that you aren't certain of.

Here is a good post about how to avoid fraud on auction sites:

How to Protect Yourself on eBay

To avoid phishing scams - which often lead to malware downloads - the APWG (Anti Phishing Working Group) has a good link, here.

Expert Warns RFID Passports AREN'T Completely Safe

Looks like a lot of "information" is coming out from the "Hackers Convention" (DefCon) in Vegas. Here - AGAIN - an expert is warning that using RFID in passports might have security implications.

Here is an interesting article from Dan Goodin of the AP:

Electronic passports being introduced in the U.S. and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned.

A demonstration late Friday by German computer security expert Lukas Grunwald showed how personal information stored on the documents could be copied and transferred to another device.

It appeared to contradict assurances by officials in government and private industry that the electronic information stored in passports could not be duplicated.

Link to AP article, here.

Here is a recent post, I wrote about another warning concerning the use of RFID in passports:

RFID Hacked Again and Vendor Says it's as Safe as Anything in Your Wallet!

Are Retail Refunds Violating Customer Privacy?

There is no doubt that fraudulent refunds from shoplifting cost billions. It's a way for criminals who target the retail industry to get cash.

To protect themselves from refund fraud, many retailers maintain the personal information of refunders in databases. With the identity theft crisis in "full bloom," many customers aren't very happy at having to provide personal information when they return a defective product.

Chelsea Emery of Reuters recently wrote:

Receipt in hand, Peter Soltesz expected his trip to Home Depot Inc. to return a $25 faucet part would be quick and uneventful.

But the Rockville, Maryland, consultant went home with the part -- and without his cash -- when the clerk insisted on recording his driver's license data.

"A driver's license is one of those pieces of key, secure information that identifies me," said Soltesz, a computer and telecommunications specialist.

"I'm more than happy to give it to a bank, but a Home Depot, for goodness sake? They can't clean a store, much less protect my information."


Please note that information is compromised at banks, quite frequently, also.

Of course, within the retail industry -- it's known that shoplifters aren't the only culprits in the refund fraud world -- dishonest employees (also) use refunds as way to steal cash. When an employee does a fraudulent refund and takes the cash - the loss transfers to the physical inventory (goods on hand) - and their till will balance. By the time an inventory occurs (once or twice a year), the loss will reflect as missing product, and it's impossible to determine whether it was due to internal, or external theft.

Since the employees have access to these (refund) data bases, my guess is that they use existing customer information, or make it up. Previous surveys within the retail industry have cited employee theft as the number one cause of losses.

The 16 billion dollar loss figure was put together by Dr. Richard Hollinger of the University of Florida and the most recent study reflected an increase in "organized retail crime." With the "identity theft crisis" in full bloom, it's probable that many of the "more organized criminals," have access to multiple identities.

Bad check writers frequent retailers all the time and are known to refund merchandise to get cash. There are databases to prevent check fraud and the way criminals often defeat them is to assume a "good identity." Again, due to the identity theft problem, identities have become cheap and are being marketed in chat rooms and rogue websites on the Internet.

If many of the criminals committing the $16 billion in fraud are circumventing the system - a lot of this data currently maintained probably is flawed.

Sadly enough, consumers like Peter are probably reacting to recent news events.

Recently - although never admitted to - it was alleged that "Office Max" was the point of compromise in a debit-card breach. In the past week, it has also "come to light" that "Dollar Tree" (another retailer) was the point of compromise in another breach.

If financial systems can be "hacked" at retailers, it's conceivable that this data base could be compromised, also.

According to the Privacy Rights Clearinghouse - which has been following this - 91 million people have had their data exposed in the past couple of years. And the list keeps growing.

For their chronology, link here.

Technology makes crime become more sophisticated on a daily basis and the "bad guys" are constantly looking to defeat "security measures." Unless these measures evolve, they can become "not very effective" in a short amount of time.

I'm not sure what the answer is. Retailers have the right to protect their assets, but at what cost and how effective is the process? Another issue is with all the "identities" floating around and "employee abuse," is there a potential for honest people to be tagged as shoplifters?

Sadly enough - as evidenced in the Reuters story - I doubt Peter will be giving Home Depot any business soon. This is going to hurt retailers, also.

Saturday, August 05, 2006

419 Artists Arrested and Tie to Funding Terrorists Suspected

Nigerian fraud has become "Internet folklore" and there are many sites on the Internet about it.

In recent years - a unit of law enforcement professionals have been waging war against fraud in Nigeria - and as a result, it's not very safe to commit fraud in Nigeria anymore. Here is a story of a recent arrest, where it appears that 419 (advance fee fraud) might have been helping fund a terrorist group:

"The Economic and Financial Crimes Commission, EFCC, have arrested a terrorism suspect in a raid on a cybercafe, NetXpress, located on Road 51, Festac town, Lagos. The commission disclosed that 13 other suspects caught in the act of sending scam mails to Europe and America, were also arrested."

"The suspect who claimed to represent a faceless terror group, Terrorist International was caught demanding payoff from a multinational oil company to forestall the kidnap of its expatriate staff in the Niger Delta. The other suspects were caught sending scanned documents purportedly issued by Chief Executives of Nigerian government agencies such as the Central Bank of Nigeria, CBN and the Nigerian National Petroleum Corporation, NNPC."

Link from the EFCC site, here.

Of note, Nigeria recently passed a pretty strict law on advance fee (419) activity entitled the Advance Fee Fraud Act. This law allows for cyber-cafe owners and even the landlords to be arrested if 419 activity is occurring on their premises.

Advance fee activity is a worldwide problem and it's not only done by Nigerians. Catching this group undoubtedly saved a lot of people in other countries from being victimized.

There seems to be a lot of speculation from the law enforcement community that Internet fraud (a worldwide problem) is being used to fund terrorist groups. In this recent case, the EFCC has helped validate this.

Here is a previous post - with links to others - regarding concerns by law enforcement that Internet fraud might be a source of terrorist funding:

Great Britain Creates National Fraud Squad to Fight Organized Crime and Terrorists

Friday, August 04, 2006

Fraud Steals from the Truly Needy

My blogging friend, Mr. T. L. Stanley, author of the New Rosemead Times wrote a post (Poverty Caused by Corruption) that made me do a little thinking.

Mr. Stanley writes:

"Fighting poverty seems to be hot ticket for politicians every time world leaders get together and want to show everyone they are in a giving mood. For some reason, America wants to throw money at worldwide poverty. Unfortunately, the money that is aimed at poverty is usually stolen by corrupt leaders of poor countries. Zimbabwean President Robert Mugabe is just one example of corruption. This president has driven a highly productive country into bankruptcy in 20 years. Because, political corruption is common. And, this president made the mistake of assuming that productive outputs would continue in the face of economic and political oppression."

For the full post (highly recommended) link, here.

Not only are we throwing good money at "not-so-good" countries, but we can see a lot of the problem, right here at home. Unfortunately, the Katrina hurricane and other allegations about "fraud and abuse" in programs intended to help the poor (a noble cause) help support Mr. Stanley's thoughts.

There is a lot of evidence showing that a substantial amount of the money intended to help the "poor," lines the coffers of corrupt individuals. Since the money never reaches the people it was intended for - corruption truly does cause poverty. Fighting poverty is a "noble cause," but it's also important to ensure that the resources are reaching the people that need it.

What is needed is a "zero-tolerance" approach to the people taking advantage of the poor.

If we did this - perhaps our social programs wouldn't be "going broke."

Cybercrime Treaty Hailed as a Violation of Privacy by the EFF

The Electronic Frontier Foundation is concerned that a law (soon to be voted on in the Senate) would violate the privacy of Americans.

Specifically, the argument against it is that it would subject Americans to laws that aren't a crime in this country.

Hours ago - it was announced that this law was ratified by the Senate.

Here is what the EEF is saying:

The Convention on Cybercrime is a sweeping treaty that has been waiting in the wings of the Senate for nearly three years. Now the administration is putting pressure on the Senate to ratify it in the next two days. If it does, it would mean the U.S. would enforce not just our own, but the rest of the world's bad Net laws. Call your Senator now, and ask them to hold its ratification.

The treaty requires that the U.S. government help enforce other countries' "cybercrime" laws - even if the act being prosecuted is not illegal in the United States. That means that countries that have laws limiting free speech on the Net could oblige the F.B.I. to uncover the identities of anonymous U.S. critics, or monitor their communications on behalf of foreign governments. American ISPs would be obliged to obey other jurisdiction's requests to log their users’ behavior without due process, or compensation.

Link to EEF story, here.

Interestingly enough - this was a big story on Digg. Here it is - along with a lot of comments:

World's Worst Internet Law Sneaking Through the Senate

Just thought I would pass this on - I would hate to investigated because I wrote something about a "fraud problem" in a foreign land that doesn't recognize the right of "free speech."

If anyone would care to write their Senator and express their opinion (positive or negative), you can find their e-mail address, here.

Hopefully Alberto Gonzales is right when he said "the cybercrime pact strengthens international cooperation in "obtaining electronic evidence" while still honoring constitutional protections of free speech and privacy."

I'm all for going after cybercrimals, but if it violates our constitutional rights, we need to take a closer look at it.

After all, our constitution is what made this country great!

SEC Sends a Message to Insurer - It's Not Nice to Trick the Military

Taking advantage of our military in time of war is despicable. Here is some positive news that the SEC (Security and Exchange Commission) is protecting those who protect us.

From the SEC press release:

"Washington, D.C., Aug. 3, 2006 — The Securities and Exchange Commission today sued a Waco, Texas, insurance company and its affiliates for targeting American military personnel with a deceptive sales program that misleadingly suggested that investing in the company’s product would make one a millionaire. Since 2000, approximately 57,000 members of the United States military services purchased the product. The vast majority earned little or nothing on their investment."

The good news is that money from the law suit will go to the service members victimized by the misdeeds of this insurance company.

Press release, here.

There are a lot of "get rich quick schemes" popping up in "in-boxes." In many instances, this means someone getting "rich" at the expense of someone falling for their pitch.

Here are some great tips from the SEC on how to avoid securities fraud:

Be wary of promises of quick profits, offers to share "inside" information, and pressure to invest before you have an opportunity to investigate.

Be careful of promoters who use "aliases." Pseudonyms are common on-line, and some salespeople will to try to hide their true identity. Look for other promotions by the same person.

Words like "guarantee," "high return," "limited offer," or "as safe as a C.D." may be a red flag.

No financial investment is "risk free" and a high rate of return means greater risk.

Watch out for offshore scams and investment opportunities in other countries. When you send your money abroad, and something goes wrong, it's more difficult to find out what happened and to locate your money.

If a company is not registered or has not filed a "Form D" with the SEC, visit the website of the North American Securities Administrators Association to find your state securities regulator.

The SEC also has an excellent web page to help you investigate before you invest:

How to Avoid Investment Scams

Being an informed consumer is imperative in the Internet age. There is a lot of information on government sites that help the common person do this.

You can report suspected "suspicious activity" to the SEC, here.

All too often - when we spot a scam - we move on without thinking "someone might actually fall for this." If everyone reported what they suspect is a scam, we would see a lot less of it going on.

Of course, education is a powerful tool, also.

And if it seems to good to be true, is probably is NOT!

Wednesday, August 02, 2006

Dollar Tree Suspected as Point of Compromise in New Debit Card Breach

KCRA Sacramento is reporting that a large number of people have had their debit cards compromised in Northern California. They all have one thing in common, they used their card (legitimately) at Dollar Tree.

Dollar Tree is a nationwide chain with about 3100 locations that sells everything for a dollar, or less.

From the KCRA story:

Dozens of local victims have come forward in a massive debit card fraud investigation involving Dollar Tree stores.

Federal, state and local investigators are looking into hundreds of fraud complaints from people who suddenly found hundreds of dollars stolen from their bank accounts by a sophisticated ring of electronic bandits who recreated ATM debit cards and are believed to have stolen more than $600,000.

Although KCRA is local to Sacramento, they reported similar activity is suspected from another Dollar Tree location in Northern California (Modesto) and Oregon.

According to a previous article by KCRA, the Oregon breaches occurred in May and June. Of course, Dollar Tree isn't commenting, but is cooperating with law enforcement.

Current story, here.

Previous story, here.

There was another debit card breach recently, which started in Northern California and spread nationwide. At the time - although never admitted - speculation was that the point of compromise was Office Max.

Here is a post, I did on that:

Debit Card Breaches, A Growing Problem

In case you become a victim of debit card fraud, here is an excellent link from PIRG (Public Interest Research Group) on your rights.

Unfortunately - when it comes to our rights - debit cards don't seem to be as safe as credit cards.

Tuesday, August 01, 2006

Identity Theft Used to Lure Veterans into Telephone Scam

Fraudsters will go to no end in order to trick people out of their money. Now they are using the "fear" of identity theft to lure veterans into paying $9.99 a minute for "identity theft services."

KATU in Portland Oregon is reporting:

The U.S. Department of Veterans Affairs is warning all veterans of a telephone scam regarding the recent data loss by the U.S. Department of Veterans Affairs.

Kevin Doyle, a V.A. Police Operations Team Leader, says the scam works like this: The caller talks the veterans into believing that they have a resource to assist them with the lost veteran data.

The veteran is talked into calling a 1-800 number. Once the veteran calls the 1-800 number, the veteran is directed to call a 1-900 number. That is when the vet incurs a $9.99 per-minute charge.

Link to story, here.

900 numbers always cost, most telephone companies have 900 blocking - which is a good thing to have - especially if you have children.

I went to the VA website to see if there was any additional information, but couldn't find anything yet.

I did find another recent alert warning about a "telephone scam," where a company called "Paitent Care Group" is calling veterans and asking for a credit card number so they can have their prescriptions filled.

Link to VA alert, here.

To protect yourself from this - never give out any information when solicited by an unknown source. Before telling them anything of a personal nature - verify who you are communicating with a third party means - such as a telephone directory.