Wednesday, August 30, 2006

ATT Hacked and Loses 19,000 Customer Records

There is a report that hackers got into ATT's DSL Store over the weekend and made off with 19,000 customer records.

Tom Young from VNUET.com wrote:

Hackers have obtained the credit card details of almost 19,000 online shoppers from telecoms giant AT&T.

The US company says it has notified shoppers at its online store of the security breach, which affected people buying high-speed DSL internet items.

Full story, here.

Another story from (Scott M. Fulton, III) TG Daily reports:

The company admits that records for customers purchasing DSL service and equipment online through AT&T were swiped sometime over the weekend, though a company spokesperson told the San Jose Mercury-News today that no incidents of unauthorized credit card use had yet been reported by customers.

Story, here.

In a lot of data breaches, the companies affected have been slow to admit anything. In this instance, it appears that ATT is doing so and making an effort to notify it's customers.

Covering up data breaches to avoid "bad publicity" erodes consumer confidence in the company breached. Maybe some companies are finally realizing this?

Sometimes the best way to solve a problem is to attack it, head-on!

Sunday, August 27, 2006

Spam E-Mail from Anti Child Porn Agency (Impersonator) Harbors a Trojan

Last week, the mainstream media was reporting how porn users were being targeted by phishy e-mails. Here is another (recent) example of where the threat of being labeled as a "child porn user" is being used as a "hook" to trick people into downloading a malicious Trojan on their system:

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a Trojan horse that has been spammed out in an email claiming to come from an organization fighting child pornography on the web.

The emails claim that the recipient's email address has been found in a child porn database discovered by the Association of Sites Advocating Child Protection (ASACP), but really contain a Trojan horse.

The Troj/Agent-CPK Trojan horse has been spammed out in the email messages, with the subject line "CP investigation was started."

Link to Sophos alert, here.

For a previous alert from Sophos in March about "child porn" being used as a lure, link here.

If you want to learn about how to fight child porn, the "International Centre for Missing & Exploited Children" is a great place to learn how to protect our young from this vicious crime.

Ted Becomes Ed

When I started this blog, I decided to use a "ghost name". Of course, I explained to this to anyone I made personal contact with.

After some reflection and talking to a lot of friends - both personal and the many I've made by writing this blog - I've decided to start using my real name.

Therefore, from today, Ted goes back to being "plain old Ed."

Saturday, August 26, 2006

Secret Service is Studying the Problem from Within

The USSS (Secret Service) is studying how dishonest "insiders" can pose a large problem to organizations.

Here's what they say about it in their press release:


The report released today focuses on the people who have had access to and have perpetrated harm using information systems in the banking and finance sector, which includes credit unions and financial institutions. The findings underscore the importance of organizations’ technology, policies and procedures in securing their networks against insider threats, as most of the cases showcased in the report were perpetrated by insiders with minimal technical skills. Various proactive practices are among the suggestions offered by the report.

“With the potential for cyber crime and network intrusion expanding rapidly around the globe, the importance of cooperation with our partners in the private sector is greater than ever,” said Secret Service Director W. Ralph Basham. “The Insider Threat Study is a solid example of the role the Secret Service and its partners can play in understanding threats and helping to prevent serious crimes such as network intrusions, identity theft and financial fraud.”
Link to press release, here.

Link to full study, here.

I have no doubt that individuals and even people planted as "insiders" pose a serious threat to the safety/security of any organization. Information is worth a lot of money and getting an asset on the inside makes stealing it, pretty easy.

There is a report by the Privacy Rights Clearinghouse, I quote often, which shows that the reason for a lot of data breaches is never discovered, here.

I wonder if any of them were inside jobs?

Sponsors

ING Direct
Office Max
Yellow Pages

Friday, August 25, 2006

Phishermen Reel in Porn Users

Users of "adult services" on the Internet are the latest target of Phishermen. Being phished normally guarantees that you will become a victim of identity theft. Here's a warning from Sophos:

Experts at SophosLabs™ have warned internet users that criminals are not just targeting online bankers in their phishing campaigns as an attack is launched against users of an adult webcam site.

Spam experts based in Sydney, one of the global network of virus, spyware and spam analysis centers operated by Sophos, have identified an active phishing campaign focused on users of iFriends, which claims to be the world's largest online videochat community with more than two million registered users. Many of the video chatrooms hosted by iFriends are of an adult nature.

Link, here.

Many adult sites harbor all kinds of adware, spyware and malware. Websense did a survey, about this, here.

My guess would be that it's smart to stay away from these sites, unless your system is "bulletproof."

Not all porn is legal. I did a earlier post on how financial information might be used for another purpose:

Child Pornographers to be Tracked Financially

Wednesday, August 23, 2006

Debix Study Finds Fault with the Fraud Alert System

Debix (one of the many companies entering the identity theft business) did a study indicating that the fraud alert system mandated by the Fair Credit and Reporting Act doesn't work as well as it was intended to.

Here is what the New York Times had to say about this:

The Debix study included privacy and consumer rights advocates, as well as data security executives from Citigroup, Charles Schwab, Expedia, Discover Financial and other companies.

Participants were registered for fraud alerts at one credit reporting agency — most at TransUnion, Ms. Fergerson said.

Of the 54 volunteers, 32 received confirmation letters within a week or so — the sign that things worked as they should. But in 22 cases, something went awry.

In 18 cases, the fraud alert was set at only two agencies. In four cases, it took hold at only one.

Full story, here.

Note that the credit bureaus are disputing this - stating that this conclusion is "absurd" and the sampling was too small to be effective.

Maybe the Federal Trade Commission (who is charged with enforcing this) should do their own "study?"

After all - the important factor in this equation are the millions of people - who are, or might become "victims of identity theft."

To learn more about "fraud alerts," courtesy of the FTC, link here.

Tuesday, August 22, 2006

Ernst & Young Fraud Survey in Emerging Markets Recommends Stronger Internal Controls

There is no doubt that the global economy has created new opportunities. Ernst & Young has issued a fraud survey about risk in emerging markets.

Here are some "bits" from their executive survey:

"Developed country respondents are more likely to have suffered significant fraud at home or in subsidiaries in developed countries, and yet management admits greater unease about fraud exposure in emerging markets."

"Some 60% of respondents in developed countries believe their operations are at greater risk to fraud in emerging markets

Of the respondents that recently suffered a significant fraud, 75% experienced a fraud in their developed country operations, while 32% experienced a fraud in an emerging market

One in five respondents elected not to invest in certain emerging markets as a result of fraud risk assessments

Over a quarter of respondents fail to consider anti-fraud measures explicitly when they invest in a new market."

Full survey, here.

So most of the fraud is happening in developed countries, but we are afraid of "emerging markets?" Maybe we should be more worried about fraud trends on the home front?

Here is an interesting statement, again, from the survey:

"Despite this belief, there is little evidence that clearly indicates fraud has reduced. In fact, one in five of the companies that we interviewed experienced significant fraudulent activity in the past two years."

Does this mean that the controls, we have been implementing over the past few years don't work?

Controls are necessary for businesses and organizations in general, however their is a growing number of people that believe that we are doing a lot of processes that aren't very effective and are very "costly."

I'm not against compliance and controls, but unless they are effective (catch people committing fraud) - they are quickly defeated by the criminals. If fraud isn't going down after controls have been implemented, it's time to take a look at the controls.

The fraudster of today looks for ways to exploit controls, and they have been pretty successful in doing so.

Maybe this is why organized crime groups are becoming more and more involved in the activity. Some experts claim that fraud has become their number-one source of income.

Perhaps spending more of our resources on apprehension and prosecution would be money better spent!

So far as the survey - it doesn't surprise me that the dollar loss to fraud is much higher in developed countries. After all, fraudsters want money and there is more of it to be "stolen" in the "developed countries."

Monday, August 21, 2006

DollarRevenue uses "Osama has been Captured Lure" to Download Malware

Over the weekend Chris Gunn (owner of BIZynet) and the newsgroup Biz.Stolen sent me an interesting e-mail with the title "Osam (SP) Bin Laden Captured." Here is a copy of the e-mail:

From: david.jones@gmail.com
Subject: Osam Bin Laden Captured
Date: Sun, 20 Aug 2006 09:07:48 -0500
To: biz-stolen@moderators.isc.org

Hey, Just got this from CNN, Osama Bin Laden has been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can.

*Link removed because it was still active when checked earlier today. The "stuff" on here will ruin a good home PC.

Thinking this was too good to be true, I went to the CNN site and found a lot about Bin Laden -- who is being featured as part of a special this week -- but nothing about him being captured.

Not sure of what was going on, I sent a quick e-mail to Alex Eckelberry (CEO, Sunbelt Software) and Paul Laudanski (CastleCops, PIRT) to see if they would help me get to the bottom of this. Paul and Alex are both very active in helping protect the public against "Internet Sleazebags."

Alex was kind enough to have Patrick Jordan (Sunbelt) take a look at it and they told me it was from DollarRevenue. According to a post, I read on another blog - Patrick's own site was under DDOS attack in June.

DollarRevenue sounds like they aren't very nice people.

Here is what Patrick discovered (I shortened the report to only show results versus no virus found):

Antivirus Version Update Result

AntiVir 6.35.1.3 08.21.2006 TR/Dldr.DollarRev.A
Avast 4.7.844.0 08.21.2006 Win32:Adloader-CG
AVG 386 08.21.2006 Downloader.Generic2.LEV
BitDefender 7.2 08.21.2006 Trojan.Downloader.DollarRevenue.Z
DrWeb 4.33 08.21.2006 Adware.DollarRevenue
Ewido 4.0 08.21.2006 Downloader.Adload.ee
Kaspersky 4.0.2.24 08.21.2006 Trojan-Downloader.Win32.Adload.ds
McAfee 4833 08.21.2006 DollarRevenue
NOD32v2 1.1717 08.21.2006 Win32/TrojanDownloader.Adload.NAY
Sophos 4.08.0 08.21.2006 Troj/Adload-IK

Spyware Warrior did an interesting post about DollarRevenue in May. Here was their conclusion about DollarRevenue and another outfit called Gimmycash:

Are the GimmyCash affiliates cheating by bundling the gimmy files with DollarRevenue and others? Are they getting paid that 40 cents for each download of a gimmygames.exe and gimmysmileys.exe file even though the application are never actually installed? If any other spyware researchers have any observations or thoughts on this, I'm most interested.

At any rate, some affiliates are apparently making a lot of 40 cents and 30 cents based on all the complaints, HijackThis logs and reports seen on the web. It's no wonder affiliates of these kinds of programs bundle as many pay-per-install adware applications into one infestation and push them through exploits. It's all about the money folks, the cash, the moola, the dollar revenue and gimmy cash, nothing else.

Link, here.

Hopefully some legal action is being considered against DollarRevenue. Downloading programs like this have ruined many home systems. And telling us Bin Laden has been caught (something that would make me jump for joy) as a lure is pretty sick.

Sunbelt and CastleCops run a group called PIRT, Phishing Incident Reporting and Termination Squad, which goes after Internet phishermen by reporting them to the "right people." They are looking for people to pass on their "phishy" e-mails to them, or even become a "handler."

Alex also does the Sunbelt blog, which I have found to be a great resource on computer security.

Chris Gunn provides and designs websites. He also does a few free websites and moderates newsgroups to serve what he considers "public interests." Chris and I are considering doing a new website on fraud and will be working on promoting the Biz.Stolen newsgroup.

Very much in the "planning stages," but we'll see what happens.

Sunday, August 20, 2006

ACFE Issues Study on Fraud in the Workplace

The Association of Certified Fraud Examiners has released their 2006 Report to the Nation on occupational fraud and abuse.

The report takes into account actual cases conducted by members of their organization over the past two years. In about 25 percent of the cases studies - the loss was $1,000,000.00, or greater.

Another finding from the report is that small businesses seem to suffer "disproportionate fraud losses," when compared to larger organizations.

An interesting aspect to this report is that government and non-profit organizations were studied, also. There certainly has been a lot in the news about fraud in these sectors.

The report came to the conclusion that most businesses lose 5% of their revenue to fraud and cites that if this were translated to the U.S. gross domestic product it could mean we lose $652 billion to fraud every year.

Also cited in the report were controls by industry and their effectiveness. The controls measures were external audit, internal audit, fraud training, surprise audits and the use of fraud hotlines.

The report admits it's hard to put a dollar amount on fraud, because if it's not detected, it's normally not "advertised." Nonetheless, the report seems to be extremely factual and I've never seen anyone, who was able to put an exact dollar amount on fraud losses, or their causes.

Even when investigated thoroughly - there are "unknowns" and the best anyone can do is try to make an honest deduction.

If you would like to view the full report, it can be found on their website, here.

Friday, August 18, 2006

Rogue Governments, Terrorists and Organized Criminals Raise the Stakes for Control of the Cyberworld

Hackers pose a very real threat to systems worldwide - here is evidence that this is no game being played by children.

I read this story from Government Computer News by Paitence Wait:

The Pentagon's primary Internet backbone, the Global Information Grid, comes under siege some 3 million times a day by outsiders looking for a way to penetrate military networks. And the outsiders come from all over the world, whether American script kiddies trying to prove their skills or Eastern European hackers looking for information they can sell.

Then there are the military cyberthreats from potential enemies.

Maj. Gen. William Lord, director of information, services and integration in the Secretary of the Air Force Office of Warfighting Integration and Chief Information Officer, today told an audience of civilian Air Force personnel attending the Air Force IT Conference that "China has downloaded 10 to 20 terabytes of data from the NIPRNet. They're looking for your identity, so they can get into the network as you."

Lord said that this is in accordance with the Chinese doctrine about the use of cyberspace in conflict.

Full story, here.

I recently wrote a post, Great Britain Creates National Fraud Squad to Fight Organized Crime and Terrorists. Add some rogue countries to the problem - and it's easy to see why a lot of the experts are becoming concerned.

Technology has also made communicating one's thoughts and beliefs rather easy.

The Internet (Cyberworld) -- with it's worldwide reach -- is also used by a lot of "entities" to spread propaganda. To illustrate this, we have a new blogger (Iran's President Mahmoud Ahmadinejad) who has created a "blog" to get his version of the word out. To see it, link here.

Of course, a lot of subversive organizations have been doing this for years. Al Qaeda (in particular) has used the Internet to further their despicable deeds. Timothy Thomas did an interesting essay on this, here.

With President Ahmadinejad and his proxy Hezbollah in the news recently, we need to reflect on history for a moment before reading his "jihad of the pen."

These are the people responsible for taking American hostages in Iran and later Lebanon. They were also responsible for the Marine barracks being bombed at the Beruit airport in 1983 - and more recently have been a conduit for terrorist activity in Iraq.

And he (Mahmoud Ahmadinejad) says he wants nuclear technology for peaceful purposes? If anyone believes that I can refer them to someone who needs help getting millions of dollars out of Africa.

How to Spot a Counterfeit on eBay

Steve Swoda (founder of buySAFE) offers the following tips on how to avoid buying counterfeit merchandise (knockoffs) on eBay.

These tips were published in the Miami Herald a couple of weeks ago:

  • Don't buy based on price alone. We all know that if the price is too good to be true, it probably is. Not all knockoffs are cheap, however. High prices can add a sense of legitimacy, and many knockoff sellers know this. Just because the price is high doesn't mean it's authentic.
  • Pictures aren't always worth a thousand words. If a seller has only a few pictures and won't share more, you know you're dealing with someone illegitimate. Anyone selling high-value goods -- used or new -- understands the importance of authenticity. If the merchant is selling something genuine, he'll have nothing to hide.
  • Read the fine print. Some ''e-tailers'' or auction sellers will lure you in with words that you're likely to use, such as ''Chanel'' or ''Gucci.'' Many sites also resort to overkill with words such as 'authentic,'' or 'genuine'' to describe items. It's only by reading carefully through the descriptions that you will see comments such as ''inspired by . . .'' to let you know that the merchandise isn't an exact copy. This sort of wording affords the seller immunity from trademark infringement.
  • Return or get burned. Make sure the seller offers a return policy, or ensure that he uses a buyer-protection program.
  • The extras. Designers love to provide value-added extras, such as boxes, identity cards and storage bags. The counterfeiters are always one step ahead, so don't let down your guard. Recent reports indicate that counterfeiters are even buying fake receipts to prove authenticity.
  • At the end of the day, it's caveat emptor. If you suspect that the merchandise isn't genuine, don't buy it.
Link, here.

Of course, fake receipts are nothing new - shoplifters have used them for years to refund stolen merchandise. A Google search will show you that this "activity" is alive and well on the Internet, here.

Someone should go after the companies selling the means to do this!

Steve also does a blog, "Steve Woda's Blog: buySAFE, eCommerce, Trust & Safety" and was recently appointed to the "Commonwealth of Virginia's Joint Commission on Technology & Science Cybercrimes Advisory Committee."

Here is a previous post, I did on how to safely navigate auction sites:

25 Ways to Avoid Auction Fraud From a Seller's Perspective

I did a post on counterfeit goods (knockoffs), it mentions a book by Tim Phillips on the subject (Knockoff), which is a great reference on this subject:

Counterfeit Goods, A Borderless Problem

Thursday, August 17, 2006

Another Laptop Lost by Accounting Firm - Chevron Employees at Risk of Identity Theft

Saw this on PogoWasRight.org - which is an excellent read on privacy issues:

"Chevron may have pocketed record profits of $4.35 billion in the most recent quarter, but that wasn't enough to protect the names and Social Security numbers of potentially tens of thousands of employees. The San Ramon oil giant sent an e-mail to U.S. workers Monday warning that a laptop computer "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

Link to PogoWasRight post, here.

PogoWasRight was quoting a story in SFGate by David Lazarus. In his story, he quotes Larry Ponemon of the Ponemon Institute:

"It's a big problem," said Larry Ponemon, founder of the Ponemon Institute, a Michigan think tank that focuses on privacy issues.

"It's always the human factor," he said. "There are always going to be people who download something incredibly confidential onto their laptop and then it ends up stolen or on the Internet. It's not because of evil intent. It's usually because of incompetence or complacency."

When are we going to wake up that storing "sensitive data" on laptops is a bad idea? And there is evil intent - at least on the part of whomever is stealing this information.

According to the SF Gate article, the Ponemon Institute released a pretty telling survey:

"On Tuesday, the Ponemon Institute issued a study revealing that 81 percent of companies surveyed have experienced the loss of one or more laptops containing sensitive data over the past 12 months."

"The study also says 64 percent of almost 500 data-security pros surveyed admit that their companies have never performed an inventory to determine the location of customer or employee info."

Link to SFGate article, here.

There is another thing to consider - and it's the internal factor. Most of this information is worth money and it makes me wonder in how many of the breaches (of which there have been many) a dishonest employee was somehow involved?

For an article about that by Will Sturgeon from Silicon.com, link here.

Of course, in this case - as most of the others - Chevron is revealing few details.

Credit Bureau Fined for Marketing Credit Monitoring by FTC

Tom Fragala - who writes Truston's Identity Theft blog - wrote an interesting post on one of the big three credit bureaus (Experian) getting fined by the FTC for selling "credit monitoring," when people requested free copies of their credit report.

Tom wrote:

"In 2005, Experian (doing business as consumerinfo.com) was fined $1 million by the Federal Trade Commission for deceptive and fraudulent marketing of credit reports (see the FTC report here). Basically they marketed “FREE” credit reports and then charged people for the services. In clear violation of Federal law."

Tom also made an astute observation about the required disclosure of this on their site, here.

If you would like to learn more about the Federal law in question, CalPirg has an excellent guide on their site:

The New Fair Credit Reporting Act: What Consumers Need to Know

You can also "opt out" from letting your information be sold, here.

There are many out there that believe the current "identity theft crisis" has it's roots - at least in part - due to personal information being maintained and sold in databases, which aren't protected very well.

Guess who has been maintaining and selling most of the information in question?

Wednesday, August 16, 2006

buySAFE Protecting 3,000,000 eBay Listings

I recently did a post on buySAFE and how they bond sellers on eBay. Today (on the buySAFE blog), they announced 3,000,000 listings are being protected by their service.

If the seller has the buySAFE seal - the transaction is guaranteed.

For the announcement on buySAFE's blog, link here.

Recently - with proposed fee increases - there are a lot of eBay users speaking out. For an interesting article about this by AOL (Sheldon Liber), link here.

One of the frustrations mentioned in the article is the amount of fraud on auction sites.

I read another article (one of many in the past few years) that says auction fraud is on the increase in Japan:

Web auction fraud leads surge in Japan cyber crime

This same trend has been noted (pretty much), worldwide.

It seems that there is a need for services, such as buySAFE, to bolster consumer confidence and protect the "little guy."

Here is the original post, I did on buySAFE:

buySAFE Protects it's Customers from Fraud on eBay

Fraudsters Stealing Personal Details from Discarded Computers

There are several reports about personal details being harvested from discarded computers, or from hard drives that aren't properly disposed of by the repair facility.

The problem is caused because most people only delete their files before getting rid of a system. If the wrong person gets their hands on the hardware - the files are easily extracted and identity theft can occur.

One story from the Daily Telegraph about this can be read here.

The article from the Daily Telegraph references this activity occurring in Lagos (Nigeria), but according to other sources - Nigeria isn't the only point of compromise.

Bob Sullivan of MSNBC did a story in June about this same type of activity. His story references it happening in the United States, link here. In the MSNBC story - the hard drive in question was discarded (replaced) at Best Buy.

Computer security experts say the only way you can make sure your information has been erased is to destroy the hard drive, or use special software to erase everything.

Also - if you have your hard drive replaced - insist on getting the part back and destroy it yourself!

Tuesday, August 15, 2006

Phishermen are Impersonating the FDIC

Cybercriminals often pose as reputable government agencies. Recently, they set up a totally "fake Interpol site" and we've seen them use the names of the IRS and the FBI to lure victims into their web of deceit.

Now they are using the good name of the FDIC.

Here is the FDIC alert:

The FDIC is aware of a phishing e-mail that has the appearance of being sent from the FDIC. The name "Federal Deposit Insurance Corporation" appears on the "From" line and the subject is, "IMPORTANT: Notification of Federal Deposit Insurance Corporation."

This e-mail claims that the FDIC has received an application from the receipt's bank to insure their checking or savings account against fraud, phishing and identity theft. The e-mail further instructs the recipient to enroll in "the FDIC protection system" by clicking on a link to a spoofed FDIC Web page. The spoofed Web page requests the following information:

First Name, Last Name, Phone Number, Social Security Number, Mother's Maiden Name, Driver License/Issued State, Date of Birth, E-mail Address, Street Address, City, State, Zip/Postal Code, Name on Credit Card, Credit/Debit/ATM Card Number, Card Expiration Date, Card Verification Number, Personal Identification Number, FDIC-Insured Institution (Bank Name), Bank Routing Number, and Bank Account Number.

This e-mail was not sent by the FDIC and is a fraudulent attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this media.

The FDIC is attempting to identify the source of the e-mails and the location of the Web site in order to disrupt the transmission. Until this is achieved, consumers are asked to report any similar attempts to obtain this information to the FDIC by sending information to alert@fdic.gov.

For a link to the alert, link here.

When I stumbled upon this news - I had just finished doing a post about a great presentation on cybercrime the FDIC just released to educate the public:

FDIC Releases Multimedia Presentation to Educate Public on Cybercrime

Maybe the presentation is so good - the criminals don't like it?

If you spot one of the "phishy e-mails, report it to the FDIC as described in the alert.

It's easy to do and it might protect someone you know!

FDIC Releases Multimedia Presentation to Educate Public on Cybercrime

The Federal Deposit Insurance Corporation (FDIC) just released an excellent video - geared towards the average user - on how to avoid cybercrime.

Here is what the FDIC has to say about it:

"Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. The Federal Deposit Insurance Corporation (FDIC) has produced a multimedia presentation to help consumers protect themselves from identity theft. The presentation provides information on steps consumers should take to secure their computer and protect themselves from identity theft, as well as actions consumers should take if they become a victim of identity theft. Financial institutions are encouraged to make the link available to their customers from their websites. This presentation is hosted by Vodium."

To view the presentation, or order up to 25 of the CD-ROMs, link here.

I watched it from start to finish and was extremely impressed with it. Even my Mom will get the point (she says she doesn't understand what I write about) after watching it.

This is a great tool to share with "anyone and everyone" - who navigates the "sometimes" murky waters of the Internet!

Saturday, August 12, 2006

Trust and Risk in the Workplace

Dr. Monica Whitty (pictured on the left) of Queens University in Northern Ireland (Belfast) is conducting a formal study on "Trust and Risk in the Workplace."

In Dr. Whitty's own words, here is why she is conducting this study:

"A number of surveys have been run on internet usage, yet researchers still know little about how individuals use their work computers. The purpose of this study is to ascertain how individuals in different countries use their work computers and/or laptop computers. It also asks how they protect their work computers and/or laptops from security risks."

There have been a lot of "compromises" that have occurred because of "not very safe" computer practices in the workplace, therefore this survey might reveal some interesting insights.

Furthermore, a lot of people/organizations have been "victimized" because they didn't have the necessary computer protection (which might change daily), or they simply didn't follow some of the "safety rules," that are now a "necessity" when navigating the murky waters of the Internet.

The survey is open to the citizens of the United Kingdom, United States, Australia, the Netherlands and Singapore who use a laptop, or desktop at work.

If you are interested in taking the survey, link here.

Dr. Whitty's personal page and biography can be found, here.

Friday, August 11, 2006

If You Receive a Qchex (Check), Extreme Caution is Recommended

Qchex is a company that makes checks for their customers and returns them via e-mail. They even offer a free check printer (with a $100.00 purchase) on their site guaranteed to be "100 percent Bank-compliant."

Also - in their efforts - to make the checks "look good," they provide magnetic ink and the latest in check paper.

I wrote a couple of posts about how this was being leveraged by Internet fraudsters in all their favorite scams and the FDIC issued a nationwide alert on the Qchex issue.

Fraud Qchex (checks) seemed to disappear for awhile, but readers and knowledgeable sources are saying they are seeing them reappear in all the favorite Internet scams.

If you read the security disclaimer at Qchex - after sifting through all the protections most Internet fraudsters easily defeat - they state (in bold letters), "Qchex does not endorse or guarantee transactions undertaken by its members."

Kind of scary that Qchex doesn't even trust the people using their services. To me, this means that a prudent soul shouldn't give them their complete trust either.

Anyone who negotiates a fraudulent Qchex item (no matter how innocently) will be held responsible (victimized). A lot of people have already learned this, the "hard way."

There are two places Qchex fraud should be reported to:

The first is the Federal Deposit Insurance Corporation (FDIC), alert@fdic.gov.

And the second is the Federal Trade Commission (FTC), link here.

I did a previous post - which has a lot of the same information - but (if you're interested) there are some pretty telling comments by some of the victims. Link, here.

The Privacy Rights Clearinghouse wrote a "telling" article about Qchex, here.

Department of Transportation Joins the Lost Laptop "Hall of Shame"

Here we go again - it's amazing that with about 91 million Americans compromised - we still have laptops containing people's personal information available for the taking.

There were several stories of this, but I found the one from the "Department of Homeland Stupidity," the most appropriate:

A U.S. Department of Transportation laptop containing names, birthdates, addresses and Social Security numbers of about 133,000 Florida driver license, commercial driver license and pilot’s license holders was stolen from an employee’s car, the department said Wednesday.

The theft occurred on July 27, but Acting Inspector General Todd Zinser said he was not aware that it had contained personal information until last weekend.

The password-protected laptop contains personal information for approximately 42,792 Florida pilots, approximately 80,667 Miami-Dade County CDL holders, and approximately 9,005 individuals who obtained their personal driver’s licenses and approximately 491 drivers who obtained their CDLs from the Largo licensing examining facility near Tampa.

Link, here.

Here is a previous post, I did on the most recent desktop taken from a VA contractor that contained personal information:

Another Computer with VA Data has Gone Missing

This was announced shortly after the arrest of two teenagers - who stole a laptop containing 26.5 million veterans private information.

Advertise for a Roommate and Get Scammed

I was reading about this "overpayment scam," which is targeting roommate ads. I've had readers send me questions about similar "scam attempts" about an apartment they were renting.

The scam works this way, someone answers the ad you placed for a roommate, or apartment. They will normally be visiting from a foreign country and offer terms that are extremely attractive a.k.a., "too good to be true."

They then send you a large amount of money -- normally in the form of a counterfeit cashiers check -- which will be more than the amount of the lucrative offer and ask you to wire the money back to them. Please note, they might use all sorts of bogus financial instruments, such as counterfeit money orders.

If someone falls for it -- they wire the money back via Western Union or MoneyGram -- and shortly thereafter, your bank comes after you for depositing a counterfeit financial instrument.

Because current laws dictate how long a check can be held, banks often issue the funds -- and have even been known to tell their customer the check is good -- then give their customer the bad news later.

Here is a recent post, I wrote about that:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

For the article, from the Tucson Citizen that inspired me to write this post, link here.

Thursday, August 10, 2006

Keeping kids safe on the Internet

Young people are frequently Internet victims. Here is an extremely good article by Ryan Holeywell, Gannett News Service about how "young people" can protect themselves.

From the article:

The Federal Trade Commission reports that in 2005 Americans ages 18 to 24 made more than 69,000 identity theft complaints — more than any other age group. Here are 10 ways students can prevent identity theft and the headaches that come with it.

1. Watch what you blog. Millions of young people keep online diaries that are usually available to anyone surfing the Web. Safe blogging means not posting any personally identifiable information other than your first name, says Linda Foley, co-executive director of the Identity Theft Resource Center in San Diego. "There's nothing wrong with blogging," Foley says. "Blogging can be fun — as long as you do it safely."

2. Don't get caught in a phishing net. Phishers try to steal your personal information by misdirecting you to a counterfeit Web page that looks identical to one you might use to pay a credit card bill or check your cellphone minutes. On this page, they ask you to type in personal information, such as your Social Security number and harvest this information. Doug Jacobson, an associate professor of computer and electrical engineering at Iowa State University, says an easy way to spot phishing is by hovering the cursor over a hyperlink while looking at the bottom of the browser. If the URL displayed seems very long, it's probably a fraud. "Think of the computer as your phone," Jacobson said. "If someone called you out of the blue on the phone and asked for your Social Security number, you wouldn't do it."

For the full article and additional tips, link here.

Of note, vishing attacks (using the telephone to steal information) are on the rise. I'm not sure I completely agree with Mr. Jacobson on this one.

Young people (too often) are the targets of more serious crimes involving their personal safety.

Here is ANOTHER resource that teaches the young (and us older folks) how to be safe in the cyberworld:

SafeKids.Com

Tuesday, August 08, 2006

The Art of Defeating a PayPal Scammer - Part II

Saw this one on Digg:

"Among the files actually hosted by the scammer is this image. It is only 3k, but imagine the impact it could have if we all worked together? If you have Flash installed you automatically attempt to download that image once per second. The more users idle on this page, the greater the likelihood the that this scammer's tool will be brought offline."

Note you have to scroll down to see all the screen shots.

The Art of Defeating a Paypal Scammer

There are a lot of scam baiting sites out there. Just visiting these sites can lead to crimeware being installed on a system. It can be even more dangerous if personal contact is made with one of the scammers. In fact, many of the "scam baiting sites" specifically warn newcomers about this.

A Google search reveals how popular this "scam baiting" has become. Link, here.

While scam baiting might seem fun, it has little impact on the scammers. Most of the fake sites simply move on to another location. Moving (frequently) is part of their standard method of operation to confuse investigative efforts.

What will have a more (lasting) impact is getting the information to places that have the resources to put a few of them in "jail." There are a lot of places you can do this.

Here is where you can report phishing (as described in the Digg article).

PIRT Phishing Incident Reporting and Termination Squad

They make sure it gets to all the appropriate people.

Here is another collection of places to report Internet scams:

Report Fraud to the FTC
Internet Crime Complaint Center (FBI)
Internet Fraud (U.S. Department of Justice)
Report Internet Securities Fraud (SEC)
Interpol
Serious Fraud Office-UK
Phonebusters-Canada

The 419 Coalition Website has a lot of information on where to report Internet scams, worldwide.

Too many people ignore the scams they see on the Internet. And innocent people do fall for them. If everyone took the time to report scams, we would see a lot less fraud on the Internet.

Monday, August 07, 2006

Another Computer with VA Data has Gone Missing

Two days after two teenagers were arrested for the stolen computer that contained the personal information of 26.5 million veterans - the VA is reporting that another computer has "gone missing." This time the impact is smaller - it only contained the information of 38,000 veterans.

Unisys, the VA contractor, who lost the computer claims it didn't have any financial information - but if you read into it a little deeper - they state:

"In the latest case, Unisys told the VA on Aug. 3 that the computer was missing from the company's offices in Reston, Va., the VA said. The VA and Unisys said the data may include names, addresses, Social Security numbers and dates of birth."

My analysis of this is that there were no credit card numbers, or bank accounts - but generally everything else an I.D. thief needs to go out and create a lot of "financial information."

Gotta love some of these "press releases."

For the Reuters story - courtesy of CNet, link here.

Here is post, I did reflecting my thoughts on the last VA computer that went missing:

The VA Data Breach is a Symptom of a Bigger Problem

I close this post with that thought.

Sunday, August 06, 2006

Botnets used to Scam eBay Users

With all the talk about the DefCon (Black Hat) conference in Vegas, this story seems to have gone to the wayside.

Botnets are used by organized criminals - who employ hackers (the malicious sort) - to commit crime on the Internet. Now they are being used on eBay to create phony customer feedback scores and commit auction fraud.

Botnets consist of computer systems that have been taken over after malware is downloaded. The systems are then turned into "zombies" and can be controlled remotely. The "zombie computers" are then used by their owners to commit all kinds of mischief (the illegal type).

Gregg Keizer, TechWeb Technology News reports:

Scammers are using bots to create bogus eBay accounts that boast trustworthy profiles in a new scheme to rip off buyers, a security company said Monday."

The scam, said Sunnyvale, Calif.-based Fortinet, is a new twist on an old con where criminals set up bogus auctions, rake in the proceeds, and then scram, never intending to ship anything to buyers."

Long-time eBay users, however, have gotten wise to such double-crosses, and have learned to avoid auctions where the seller has little or no transaction record and/or little or no buyer feedback.

The new dodge, however, makes that defense useless.

According to Fortinet, the racket uses a bot to create a large number of fake accounts, then applies a spider to scavenge eBay for 1-cent "Buy Now" items, then purchase them.


Once they get a "good rating" going, the scam begins.

Link to the full story by TechWeb, here.

Of course, phishing takes a toll on eBay users, also. Normally, the intent here is to takeover a account with a good rating and then disappear.

Interestingly enough, PIRT run by CastleCops and Sunbelt Software just released the Top Phished Brands - which confirms that eBay and it's sister organization PayPal are phished more than any other brands.

Technology continues to be leveraged by criminals to commit crime on auction sites. In this instance, the recommendation is to read the feedback of the seller "carefully" and beware of anyone with too many 1-cent auctions.

It also pays to ensure the protection for your system is up-to-date and avoid clicking on any links that you aren't certain of.

Here is a good post about how to avoid fraud on auction sites:

How to Protect Yourself on eBay

To avoid phishing scams - which often lead to malware downloads - the APWG (Anti Phishing Working Group) has a good link, here.

Expert Warns RFID Passports AREN'T Completely Safe

Looks like a lot of "information" is coming out from the "Hackers Convention" (DefCon) in Vegas. Here - AGAIN - an expert is warning that using RFID in passports might have security implications.

Here is an interesting article from Dan Goodin of the AP:

Electronic passports being introduced in the U.S. and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned.

A demonstration late Friday by German computer security expert Lukas Grunwald showed how personal information stored on the documents could be copied and transferred to another device.

It appeared to contradict assurances by officials in government and private industry that the electronic information stored in passports could not be duplicated.

Link to AP article, here.

Here is a recent post, I wrote about another warning concerning the use of RFID in passports:

RFID Hacked Again and Vendor Says it's as Safe as Anything in Your Wallet!

Are Retail Refunds Violating Customer Privacy?

There is no doubt that fraudulent refunds from shoplifting cost billions. It's a way for criminals who target the retail industry to get cash.

To protect themselves from refund fraud, many retailers maintain the personal information of refunders in databases. With the identity theft crisis in "full bloom," many customers aren't very happy at having to provide personal information when they return a defective product.

Chelsea Emery of Reuters recently wrote:

Receipt in hand, Peter Soltesz expected his trip to Home Depot Inc. to return a $25 faucet part would be quick and uneventful.

But the Rockville, Maryland, consultant went home with the part -- and without his cash -- when the clerk insisted on recording his driver's license data.

"A driver's license is one of those pieces of key, secure information that identifies me," said Soltesz, a computer and telecommunications specialist.

"I'm more than happy to give it to a bank, but a Home Depot, for goodness sake? They can't clean a store, much less protect my information."


Please note that information is compromised at banks, quite frequently, also.

Of course, within the retail industry -- it's known that shoplifters aren't the only culprits in the refund fraud world -- dishonest employees (also) use refunds as way to steal cash. When an employee does a fraudulent refund and takes the cash - the loss transfers to the physical inventory (goods on hand) - and their till will balance. By the time an inventory occurs (once or twice a year), the loss will reflect as missing product, and it's impossible to determine whether it was due to internal, or external theft.

Since the employees have access to these (refund) data bases, my guess is that they use existing customer information, or make it up. Previous surveys within the retail industry have cited employee theft as the number one cause of losses.

The 16 billion dollar loss figure was put together by Dr. Richard Hollinger of the University of Florida and the most recent study reflected an increase in "organized retail crime." With the "identity theft crisis" in full bloom, it's probable that many of the "more organized criminals," have access to multiple identities.

Bad check writers frequent retailers all the time and are known to refund merchandise to get cash. There are databases to prevent check fraud and the way criminals often defeat them is to assume a "good identity." Again, due to the identity theft problem, identities have become cheap and are being marketed in chat rooms and rogue websites on the Internet.

If many of the criminals committing the $16 billion in fraud are circumventing the system - a lot of this data currently maintained probably is flawed.

Sadly enough, consumers like Peter are probably reacting to recent news events.

Recently - although never admitted to - it was alleged that "Office Max" was the point of compromise in a debit-card breach. In the past week, it has also "come to light" that "Dollar Tree" (another retailer) was the point of compromise in another breach.

If financial systems can be "hacked" at retailers, it's conceivable that this data base could be compromised, also.

According to the Privacy Rights Clearinghouse - which has been following this - 91 million people have had their data exposed in the past couple of years. And the list keeps growing.

For their chronology, link here.

Technology makes crime become more sophisticated on a daily basis and the "bad guys" are constantly looking to defeat "security measures." Unless these measures evolve, they can become "not very effective" in a short amount of time.

I'm not sure what the answer is. Retailers have the right to protect their assets, but at what cost and how effective is the process? Another issue is with all the "identities" floating around and "employee abuse," is there a potential for honest people to be tagged as shoplifters?

Sadly enough - as evidenced in the Reuters story - I doubt Peter will be giving Home Depot any business soon. This is going to hurt retailers, also.

Saturday, August 05, 2006

419 Artists Arrested and Tie to Funding Terrorists Suspected

Nigerian fraud has become "Internet folklore" and there are many sites on the Internet about it.

In recent years - a unit of law enforcement professionals have been waging war against fraud in Nigeria - and as a result, it's not very safe to commit fraud in Nigeria anymore. Here is a story of a recent arrest, where it appears that 419 (advance fee fraud) might have been helping fund a terrorist group:

"The Economic and Financial Crimes Commission, EFCC, have arrested a terrorism suspect in a raid on a cybercafe, NetXpress, located on Road 51, Festac town, Lagos. The commission disclosed that 13 other suspects caught in the act of sending scam mails to Europe and America, were also arrested."

"The suspect who claimed to represent a faceless terror group, Terrorist International was caught demanding payoff from a multinational oil company to forestall the kidnap of its expatriate staff in the Niger Delta. The other suspects were caught sending scanned documents purportedly issued by Chief Executives of Nigerian government agencies such as the Central Bank of Nigeria, CBN and the Nigerian National Petroleum Corporation, NNPC."

Link from the EFCC site, here.

Of note, Nigeria recently passed a pretty strict law on advance fee (419) activity entitled the Advance Fee Fraud Act. This law allows for cyber-cafe owners and even the landlords to be arrested if 419 activity is occurring on their premises.

Advance fee activity is a worldwide problem and it's not only done by Nigerians. Catching this group undoubtedly saved a lot of people in other countries from being victimized.

There seems to be a lot of speculation from the law enforcement community that Internet fraud (a worldwide problem) is being used to fund terrorist groups. In this recent case, the EFCC has helped validate this.

Here is a previous post - with links to others - regarding concerns by law enforcement that Internet fraud might be a source of terrorist funding:

Great Britain Creates National Fraud Squad to Fight Organized Crime and Terrorists

Friday, August 04, 2006

Fraud Steals from the Truly Needy

My blogging friend, Mr. T. L. Stanley, author of the New Rosemead Times wrote a post (Poverty Caused by Corruption) that made me do a little thinking.

Mr. Stanley writes:

"Fighting poverty seems to be hot ticket for politicians every time world leaders get together and want to show everyone they are in a giving mood. For some reason, America wants to throw money at worldwide poverty. Unfortunately, the money that is aimed at poverty is usually stolen by corrupt leaders of poor countries. Zimbabwean President Robert Mugabe is just one example of corruption. This president has driven a highly productive country into bankruptcy in 20 years. Because, political corruption is common. And, this president made the mistake of assuming that productive outputs would continue in the face of economic and political oppression."

For the full post (highly recommended) link, here.

Not only are we throwing good money at "not-so-good" countries, but we can see a lot of the problem, right here at home. Unfortunately, the Katrina hurricane and other allegations about "fraud and abuse" in programs intended to help the poor (a noble cause) help support Mr. Stanley's thoughts.

There is a lot of evidence showing that a substantial amount of the money intended to help the "poor," lines the coffers of corrupt individuals. Since the money never reaches the people it was intended for - corruption truly does cause poverty. Fighting poverty is a "noble cause," but it's also important to ensure that the resources are reaching the people that need it.

What is needed is a "zero-tolerance" approach to the people taking advantage of the poor.

If we did this - perhaps our social programs wouldn't be "going broke."

Cybercrime Treaty Hailed as a Violation of Privacy by the EFF

The Electronic Frontier Foundation is concerned that a law (soon to be voted on in the Senate) would violate the privacy of Americans.

Specifically, the argument against it is that it would subject Americans to laws that aren't a crime in this country.

Hours ago - it was announced that this law was ratified by the Senate.

Here is what the EEF is saying:

The Convention on Cybercrime is a sweeping treaty that has been waiting in the wings of the Senate for nearly three years. Now the administration is putting pressure on the Senate to ratify it in the next two days. If it does, it would mean the U.S. would enforce not just our own, but the rest of the world's bad Net laws. Call your Senator now, and ask them to hold its ratification.

The treaty requires that the U.S. government help enforce other countries' "cybercrime" laws - even if the act being prosecuted is not illegal in the United States. That means that countries that have laws limiting free speech on the Net could oblige the F.B.I. to uncover the identities of anonymous U.S. critics, or monitor their communications on behalf of foreign governments. American ISPs would be obliged to obey other jurisdiction's requests to log their users’ behavior without due process, or compensation.

Link to EEF story, here.

Interestingly enough - this was a big story on Digg. Here it is - along with a lot of comments:

World's Worst Internet Law Sneaking Through the Senate

Just thought I would pass this on - I would hate to investigated because I wrote something about a "fraud problem" in a foreign land that doesn't recognize the right of "free speech."

If anyone would care to write their Senator and express their opinion (positive or negative), you can find their e-mail address, here.

Hopefully Alberto Gonzales is right when he said "the cybercrime pact strengthens international cooperation in "obtaining electronic evidence" while still honoring constitutional protections of free speech and privacy."

I'm all for going after cybercrimals, but if it violates our constitutional rights, we need to take a closer look at it.

After all, our constitution is what made this country great!

SEC Sends a Message to Insurer - It's Not Nice to Trick the Military

Taking advantage of our military in time of war is despicable. Here is some positive news that the SEC (Security and Exchange Commission) is protecting those who protect us.

From the SEC press release:

"Washington, D.C., Aug. 3, 2006 — The Securities and Exchange Commission today sued a Waco, Texas, insurance company and its affiliates for targeting American military personnel with a deceptive sales program that misleadingly suggested that investing in the company’s product would make one a millionaire. Since 2000, approximately 57,000 members of the United States military services purchased the product. The vast majority earned little or nothing on their investment."

The good news is that money from the law suit will go to the service members victimized by the misdeeds of this insurance company.

Press release, here.

There are a lot of "get rich quick schemes" popping up in "in-boxes." In many instances, this means someone getting "rich" at the expense of someone falling for their pitch.

Here are some great tips from the SEC on how to avoid securities fraud:

Be wary of promises of quick profits, offers to share "inside" information, and pressure to invest before you have an opportunity to investigate.

Be careful of promoters who use "aliases." Pseudonyms are common on-line, and some salespeople will to try to hide their true identity. Look for other promotions by the same person.

Words like "guarantee," "high return," "limited offer," or "as safe as a C.D." may be a red flag.

No financial investment is "risk free" and a high rate of return means greater risk.

Watch out for offshore scams and investment opportunities in other countries. When you send your money abroad, and something goes wrong, it's more difficult to find out what happened and to locate your money.

If a company is not registered or has not filed a "Form D" with the SEC, visit the website of the North American Securities Administrators Association to find your state securities regulator.

The SEC also has an excellent web page to help you investigate before you invest:

How to Avoid Investment Scams

Being an informed consumer is imperative in the Internet age. There is a lot of information on government sites that help the common person do this.

You can report suspected "suspicious activity" to the SEC, here.

All too often - when we spot a scam - we move on without thinking "someone might actually fall for this." If everyone reported what they suspect is a scam, we would see a lot less of it going on.

Of course, education is a powerful tool, also.

And if it seems to good to be true, is probably is NOT!

Wednesday, August 02, 2006

Dollar Tree Suspected as Point of Compromise in New Debit Card Breach

KCRA Sacramento is reporting that a large number of people have had their debit cards compromised in Northern California. They all have one thing in common, they used their card (legitimately) at Dollar Tree.

Dollar Tree is a nationwide chain with about 3100 locations that sells everything for a dollar, or less.

From the KCRA story:

Dozens of local victims have come forward in a massive debit card fraud investigation involving Dollar Tree stores.

Federal, state and local investigators are looking into hundreds of fraud complaints from people who suddenly found hundreds of dollars stolen from their bank accounts by a sophisticated ring of electronic bandits who recreated ATM debit cards and are believed to have stolen more than $600,000.

Although KCRA is local to Sacramento, they reported similar activity is suspected from another Dollar Tree location in Northern California (Modesto) and Oregon.

According to a previous article by KCRA, the Oregon breaches occurred in May and June. Of course, Dollar Tree isn't commenting, but is cooperating with law enforcement.

Current story, here.

Previous story, here.

There was another debit card breach recently, which started in Northern California and spread nationwide. At the time - although never admitted - speculation was that the point of compromise was Office Max.

Here is a post, I did on that:

Debit Card Breaches, A Growing Problem

In case you become a victim of debit card fraud, here is an excellent link from PIRG (Public Interest Research Group) on your rights.

Unfortunately - when it comes to our rights - debit cards don't seem to be as safe as credit cards.

Tuesday, August 01, 2006

Identity Theft Used to Lure Veterans into Telephone Scam

Fraudsters will go to no end in order to trick people out of their money. Now they are using the "fear" of identity theft to lure veterans into paying $9.99 a minute for "identity theft services."

KATU in Portland Oregon is reporting:

The U.S. Department of Veterans Affairs is warning all veterans of a telephone scam regarding the recent data loss by the U.S. Department of Veterans Affairs.

Kevin Doyle, a V.A. Police Operations Team Leader, says the scam works like this: The caller talks the veterans into believing that they have a resource to assist them with the lost veteran data.

The veteran is talked into calling a 1-800 number. Once the veteran calls the 1-800 number, the veteran is directed to call a 1-900 number. That is when the vet incurs a $9.99 per-minute charge.

Link to story, here.

900 numbers always cost, most telephone companies have 900 blocking - which is a good thing to have - especially if you have children.

I went to the VA website to see if there was any additional information, but couldn't find anything yet.

I did find another recent alert warning about a "telephone scam," where a company called "Paitent Care Group" is calling veterans and asking for a credit card number so they can have their prescriptions filled.

Link to VA alert, here.

To protect yourself from this - never give out any information when solicited by an unknown source. Before telling them anything of a personal nature - verify who you are communicating with a third party means - such as a telephone directory.