Thursday, September 07, 2006

TSA Bungles and Exposes Employee Information

Data breaches are being reported all too frequently, and all too often they involve government agencies:

Thomas Frank of USA TODAY is reporting:

The Transportation Security Administration is warning 1,195 of its former employees that a contractor may have mailed their Social Security numbers and birth dates to the wrong addresses and left them open to identity fraud.

The error, acknowledged in letters the TSA mailed in late August to each of the former employees, is the latest in a series of data breaches that may have exposed workers in both private and government jobs to identity thieves.

"Making a mistake like this is abominable," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocate for consumer privacy. "You've got an agency whose mission is security."

The TSA is part of the Homeland Security Department. Its 55,000 employees primarily run airport security.

Full story, here.

The Privacy Rights Clearinghouse maintains a record of data breaches, here.

They also have an interesting newsletter on current federal legislation concerning this subject - which many don't think is the best solution - here.

Counterfeit Cashier's Checks Fuel Internet Crime

Tom Fragala - Truston Identity Theft Blog - and I were talking about how counterfeit cashier's checks have become a long-term problem in the world of Internet crime.

It's often difficult to verify that a check is counterfeit. They often use valid account numbers, which verify (easily) in the computerized telephone systems that most banks use today. Quite simply, unless the bank or the account owner is aware that the account is being counterfeited, the item will appear to be legitimate.

Furthermore, a lot of banks have taken the stance in recent years that they will not verify whether a check is good or not. It's getting harder all the time to verify checks with banks.

The lottery, auction, work-at-home (check cashing), romance, advance fee (419) and secret shopper scams all have a common theme: they often use counterfeit cashier's checks to lure victims into negotiating the item and wiring the money off to some far-away location.

The fraudsters often request that you use Western Union or MoneyGram to wire money to them. They are also known to use wire transfer services offered by banks. Once the money is picked up (normally very quickly in scams), the sender has very little or no recourse.

The golden rule is to never wire money to people you don't know, or only know from the Internet.

To understand why Internet fraudsters prefer counterfeiting these instruments, one can refer to the legal definition of a cashier's check (courtesy of Wikipedia):

Under Article 3 of the Uniform Commercial Code, a cashier's check is effective as a note of the bank. Also, according to Regulation CC (Reg CC) of the Federal Reserve, cashier's checks are recognized as "guaranteed funds" and amounts under $5000 are not subject to deposit holds, except under certain circumstances.

To the person receiving the item, they appear as if they are guaranteed by the bank and if the check is under $5,000.00 - there is no hold on the funds. The fraudsters know this and it will normally be 7-10 days before their victim discovers that anything is wrong.

There was a recent story circulating in the press about a "seemingly cautious gentleman," who decided to have his bank examine the item before he went forward with an auction deal. The bank told him the item was good (twice) and he deposited it. Several days later, while reviewing his online statement, he discovered that this wasn't the case and the bank had withdrawn the funds.

In the article, the bank blamed "Reg CC," because they are unable to hold the funds. That's not completely true: an exception can be made if they have reason to believe the item can't be collected. The item may also be sent in as a collection instead of being deposited in the account.

Nonetheless, in this instance, the bank had little to no liability because the item was counterfeit.

To illustrate the amount of this activity: the FDIC sends out alerts on counterfeit cashier's checks. If you would like to see how many alerts they've issued recently (scary), link here.

Here are some things a person can do to see if a cashier's check is fraudulent:

If someone is asking you to wire money back to them - it's more than likely a scam.

Review the security features of a cashier's check. Despite the "booming" make-your-own-check industry, some of the items out there are pretty amateur. Wikipedia has a good reference on the security features, here.

Review recent FDIC alerts - in a lot of cases, a warning has already been issued.

Verify the check with the issuing institution. Although this isn't 100 percent effective in the case of a counterfeit, they can normally verify certain items: the ABA/account number, payee, check number, date of issuance, authorized signer and amount.

When you call the bank, never use the number printed on the check. Quite often, phony numbers with phony employees are set up to verify these items. Get the bank's number from a website or telephone directory. Using 411 (information) might not be the best way to verify a number. Recently, phony numbers have been set up that check out through 411, including on a reverse lookup.

Since there are also a lot of phony bank sites out there, if you look the bank up on the Internet, TrustWatch is a good option for a search engine. TrustWatch will show you, via a "coded coloring system," whether the site is verified to be legitimate or not.

In some instances, good cashier's checks are copied, which defeats verifying the item by telephone. Once the counterfeit item is cashed, the fraudster negotiates the good item and the counterfeit is returned. This is also seen (occasionally) with counterfeit money orders.

If you are still uncomfortable after talking to the bank - ask to speak to a supervisor, or even better - someone in the fraud department. Ask if you can fax them a copy of the item for them to look at. A good way to do this - is to tell them you have a reason to suspect fraud.

Scams that involve counterfeit cashier's checks always represent something that is too good to be true. If it seems that way, it probably is.
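One item on the verification list above, the ABA routing number, can be screened before anyone picks up the phone. The following is an added example, not code from the original post, and it goes beyond what the post says: it applies the published 3-7-1 check-digit rule and the Federal Reserve's assigned prefix ranges to decide whether a routing number could be real at all. That catches the "pretty amateur" items mentioned above and nothing more; a number that passes still has to be confirmed with the issuing bank, using a telephone number you looked up yourself.

```python
"""Structural sanity check of the ABA routing number printed on a check.

Added example, not from the original post. It only screens for numbers
that cannot be real (bad length, bad check digit, unassigned prefix).
"""

# Assigned first-two-digit ranges for routing numbers: 00-12 Federal
# Reserve districts (00 = US Government), 21-32 thrift institutions,
# 61-72 electronic transaction identifiers, 80 traveler's checks.
_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))

# Check-digit weights applied to the nine digits, left to right.
_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_checksum_ok(routing: str) -> bool:
    """True when the weighted digit sum is a multiple of 10.

    The ninth digit is chosen by the issuer so that this holds; a random
    or mistyped number fails roughly nine times out of ten.
    """
    if len(routing) != 9 or not routing.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(routing, _WEIGHTS))
    return total % 10 == 0


def routing_number_plausible(routing: str) -> tuple:
    """Return (ok, reason). ok=True means 'could be real', never 'is real'."""
    # Accept the number as printed, with spaces or dashes between groups.
    digits = "".join(ch for ch in routing if ch.isdigit())
    if len(digits) != 9:
        return False, "routing number must be exactly 9 digits"
    if not aba_checksum_ok(digits):
        return False, "check digit does not match (weights 3-7-1)"
    prefix = int(digits[:2])
    if not any(lo <= prefix <= hi for lo, hi in _PREFIX_RANGES):
        return False, "prefix %s is not an assigned routing range" % digits[:2]
    return True, "well-formed; still confirm with the issuing bank"


if __name__ == "__main__":
    # Constructed sample inputs: two real, published Federal Reserve /
    # large-bank routing numbers and two numbers that cannot exist.
    for sample in ("021000021", "011-000-015", "123456789", "990000000"):
        ok, reason = routing_number_plausible(sample)
        print("%-12s %-5s %s" % (sample, ok, reason))
```

Use this as a first filter only. The post's warning still applies to anything that passes: call the bank at a number you found independently, never the one printed on the check.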

Wednesday, September 06, 2006

Do It Yourself Crime Kits Victimize the Masses

It appears that phishing attempts have hit an all-time record thanks to the "do it yourself kits" available on the Internet.

Phishing is a leading cause of identity theft, which impacts millions of people a year.

Dinah Greek of Computeract!ve reports:

This was the warning from the Anti Phishing Working Group (APWG), which said the kits allow non-technical criminals to start up their own online criminal empires.

All the information they need to set up phishing emails or websites infected with malware, such as Trojans, viruses and worms, is contained in the kits bought and sold online.

Full story, here.

Do it yourself (crimeware) kits aren't entirely new and have been reported before, here.

We keep hearing about the record number of phishing attempts being recorded. Unless some of these people start getting caught - we are likely to see the number continue to grow!

And the criminal "do it yourself industry" doesn't limit itself to phishing. Kits on how to scam on auction sites are also being sold (previous post), here.

Monday, September 04, 2006

The Hidden Dangers of Identity Theft

When most of us think about identity theft, we think about someone assuming debts in another person's name. While this is a huge problem, it isn't the only way identities are being used.

Illegal immigrants, criminals and even terrorists might be using stolen identities to commit a number of crimes. From obtaining a job and credit in someone else's name to ordering supplies to manufacture methamphetamine - identities are being stolen to facilitate a lot of illegal activities.

Although a little dated (2002), here is an extensive report from the GAO detailing the problem:

Identity Fraud - Prevalence and Links to Alien Illegal Activities

Even scarier is the very real possibility that innocent people will be held accountable for other people's illegal activities.

With the record amounts of data breaches and identities being sold (routinely) over the Internet, the problem is continuing to get worse.

Here is a post I did about why we are approaching the problem the wrong way:

Are We Addressing Cyber Crime from the Wrong End

Identity theft threatens our financial stability, privacy and national security and we can no longer afford to ignore that fact.

Sunday, September 03, 2006

The FBI Will Pay for Information on Katrina Fraud

There is no doubt that there was a lot of fraud in the hurricane disasters a year ago. The Clarion Ledger (Mississippi) is reporting that the FBI will pay for information on Katrina related fraud:

Mississippi public corruption cases are on the rise in the wake of Hurricane Katrina, and the FBI will have 10 full-time agents investigating Katrina-related fraud by December.

Authorities are encouraging the public to come forward with tips and are offering cash rewards.

"If you see something, you hear something or learn something, even if you believe it's insignificant, if that little light goes on in the back of your head, that 'boy, this just doesn't look right,' don't be afraid to call," said John Raucci, the FBI's special agent in charge in Mississippi.

He said sometimes seemingly insignificant details can crack a federal case.

Cases of fraud are increasing in south Mississippi as billions of dollars in federal funds are authorized for the recovery effort. Raucci said publicizing the reward system is one way to help combat fraud.

"I myself can authorize up to $25,000 for any information," Raucci said. "That's just me out of my budget. I can go back to headquarters with one phone call and get $100,000. There are also other types of cases where you can actually get a percentage."

Full story, here.

I'm not sure if they are running a similar program in Louisiana. There are probably a few people who deserve to be caught there, also.

Of course, there are also people who report crime because it is the right thing to do. If everybody reported it for that reason, it would go a long way towards making our world a better place to live.

Saturday, September 02, 2006

CastleCops PIRT Reports New Version of eBay Phishing

CastleCops' PIRT (Phishing Incident Reporting and Termination Squad) is reporting a new type of phishing attempt with an eBay lure:

CastleCops PIRT has received a new email which tries to get people's full personal information including name, age, location, telephone numbers, gender and marital status on the offer of getting paid to work from home online for a company called "eBay Small Business Limited". Its business is in "manufacturing and selling textiles and fabrics". The email tries to goad you into giving up your personal information with the promise of making easily $300 to $1,000 per week simply by collecting payments on behalf of the Company (all for 3-7 hours per week).

Link, here.

Besides being a new type of phishing attempt, this could turn into what is termed a "check cashing scam." In a "check cashing" or "job" scam, a person is recruited to handle "accounts receivable," which are in reality tied to fraudulent transactions.

The new employee's job is to negotiate transactions sent to them, and wire the money to a far-away locale. The fraudsters (in most instances) instruct the "new employee" to use Western Union, or MoneyGram, which aren't protected by the FDIC.

The transactions are normally "account takeovers" on eBay - also caused by phishing. In an "account takeover" a legitimate eBay user gives up their information as a result of a "phishy e-mail." The Phishermen then take over their account and sell items, which are paid for, but (normally) never received.

Towards the end of the fraud cycle, the fraudsters might also get their employee to negotiate (cash) totally bogus financial instruments. Of course, when the bottom falls out of this, the fraudsters can then steal the identity of the employee involved - having gathered all the information to do so via the employment process.

For the person who falls for this, although they get the generous commission at first, they are likely to be hounded for a long time by collection agencies and, in some cases, law enforcement.

Believe it or not, a Better Business Bureau employee fell for this scam. Here is the post I did on that:

BBB Worker Takes Job Processing Fraudulent eBay Transactions

By the way, PIRT is a great place to "take a bite out of phishing." You can report suspected "phishy e-mails" to them by forwarding them to PIRT@CastleCops.com. After verifying the "phish," they make sure it gets to all the right people!

Friday, September 01, 2006

Accounting Firm Causes 5th Data Breach for Wells Fargo in Three Years

Here we go again - an "auditing firm" has caused Wells Fargo their fifth data breach in three years.

Here is a bit from the article just released from Computer World:

This time the letters are going to an undisclosed number of employees whose personal information was contained in a computer and a hard disk stolen from the trunk of a locked vehicle belonging to an employee of an auditing firm retained by Wells Fargo.

Julia Tunis, a bank spokeswoman, did not say when the equipment was stolen. But she said the bank had started sending out letters to all the affected employees yesterday.

Link to Computer World article, here.

We seem to have a lot of these data breaches occur courtesy of auditing firms. Here is a previous post I did about a well known auditing firm exposing a lot of personal information:

Stealing Data Shouldn't be so Darned Easy

With all the auditing (compliance) going on that causes data breaches - it makes me wonder if someone doesn't need to audit the auditors!

If You Sell Your Cell Phone - Your Personal Information is at Stake

Recently, I did a post about identity crooks obtaining "personal information" from discarded computers. Here is a press release from Trust Digital about how the same thing can occur with some of the new "handy-dandy" cell phones out there:

Trust Digital engineers recovered nearly 27,000 pages of personal, corporate, and device data from nine of 10 mobile devices purchased through eBay for the project, including a smartphone sold by an employee of a major corporation. The salvaged data included personal banking and tax information, corporate sales activity notes, corporate client records, product roadmaps, contact address books, phone and Web logs, calendar records, personal and business correspondence, computer passwords, user medication information, and other private, competitive or potentially damaging material.

The information was retained in the flash memory of the devices because of users’ failure to perform the advanced hard reset required to delete the data. The nine devices with retrievable data included those belonging to a former employee of a publicly traded security software company, an employee of a web services firm, and a corporate counsel of a multi-billion dollar technology company serving the legal market. The tenth device in the test was never used.

The analysis highlighted the vulnerability of individuals and organizations that fail to secure the data on their smartphones and PDAs. Loss or theft of the devices could lead to embarrassment, major breaches of corporate security, or even blackmail.

Full press release, here.

Although eBay was cited as being used in the test - we should consider that cell phones can be purchased, discarded, or even stolen in a lot of places.

Trust Digital recommends enabling the "password function" on your phone and "hard wiping" Treos and RIM devices.

Of course, they recommend their services, also.

I recommend being extremely aware of what you keep on easily "transportable" devices and if you must have sensitive information on them - be very careful.

How to Deal with Phishing - A Major Cause of Identity Theft

There has been a lot of publicity about the IRS being phished. Phishing is a ploy to steal people's personal information, which is then used to commit identity theft.

Phishing attempts disguise themselves as government agencies, financial institutions, charitable organizations AND (too frequently), eBay or PayPal.

Here is an obvious phish I got just this morning:

Date: Thu, 31 Aug 2006 20:01:26 -0500
To: tedrichardson9925@sbcglobal.net
Subject: Tax Information - tedrichardson9925@sbcglobal.net - (Code 7624-6263)
From: "IRS.gov" service@IRS.gov

Account : tedrichardson9925@sbcglobal.net Number : 7624

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $191,40. Please submit the tax refund request and allow us 5-7 days in orders to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records of applying after the deadline.

To access the form for your tax refund, please (link removed).

Regards,

Internal Revenue Service

Note that this appears to be sent from "IRS.gov" service@IRS.gov, which is obviously a "spoofed" e-mail address.

Here is the web address - which I removed above:

http://rds.yahoo.com/_https://sa1.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp?6263/**http://www.abandonship.com/g2data/irs/

An easy way to get the web address is to "hover" your mouse over the "click here" and read what comes up on the bottom of the screen. You can also copy it (if you want) by "left clicking" on your mouse and clicking on the "copy shortcut" bar.

Here is the web address of the real IRS site:

http://www.irs.gov/

Not a good match and obviously a phish.
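The comparison above can be done mechanically, without visiting anything. The following is an added example, not code from the original post: it pulls every "scheme://host" out of a link, takes the first as the host a browser would actually connect to, treats any irs.gov name that appears only inside the path or query as decoration, and reports the last host as the redirect's real destination. The trusted-domain list and the sample message (the lure text and the redirect URL quoted in the post, with a placeholder recipient) are constructed for this demo.

```python
"""Link triage for a suspected phishing e-mail.

Added example, not code from the original post. TRUSTED_DOMAINS and
SAMPLE_MESSAGE are assumptions constructed for the demo; the redirect URL
in the sample is the one quoted in the post. Nothing here fetches a URL.
"""
import re

# Domains the recipient would legitimately expect a tax-refund notice from
# (assumption for this example).
TRUSTED_DOMAINS = {"irs.gov"}

# Every "scheme://authority" occurrence, including ones buried inside the
# path or query of an outer URL. That is how the post's link parks an
# irs.gov name in front of its real destination.
_HOST_RE = re.compile(r"https?://([^/?#*\s]+)", re.IGNORECASE)
# Whole URLs as they appear in message text (run to the next whitespace).
_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Address in a From: header; group 1 is the domain part.
_FROM_RE = re.compile(r"^From:.*?[\w.+-]+@([\w.-]+)", re.IGNORECASE | re.MULTILINE)


def _normalize_host(authority: str) -> str:
    """Strip userinfo and port so only the DNS name is compared."""
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower().strip(".")


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when host is a trusted domain or a subdomain of one.

    Suffix matching means 'www.irs.gov.example.net' does NOT qualify.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one URL by the host a browser would actually connect to."""
    hosts = [_normalize_host(h) for h in _HOST_RE.findall(url)]
    if not hosts:
        raise ValueError("no http(s) URL found in %r" % url)
    outer, embedded = hosts[0], hosts[1:]
    # A trusted name that appears only in the path or query is decoration:
    # the browser connects to `outer`, and the redirect ends at hosts[-1].
    decoys = [h for h in embedded if is_trusted(h, trusted)]
    if decoys:
        verdict = "lookalike_redirect"
    elif embedded:
        verdict = "redirect"
    elif is_trusted(outer, trusted):
        verdict = "trusted"
    else:
        verdict = "untrusted"
    return {"outer_host": outer, "embedded_hosts": embedded,
            "final_host": hosts[-1], "trusted_name_in_path": decoys,
            "verdict": verdict}


def triage_message(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Analyze every link in a message and compare with the From: domain.

    A From: header is trivially forged, so a trusted sender domain proves
    nothing by itself; a trusted sender whose links go elsewhere is the tell.
    """
    links = [dict(analyze_link(u, trusted), url=u) for u in _URL_RE.findall(raw)]
    match = _FROM_RE.search(raw)
    sender = match.group(1).lower() if match else None
    mismatch = bool(sender and is_trusted(sender, trusted)
                    and any(link["verdict"] != "trusted" for link in links))
    return {"sender_domain": sender, "links": links,
            "sender_link_mismatch": mismatch}


# Constructed sample: the refund lure quoted in the post with the removed
# link put back, and a placeholder recipient.
SAMPLE_MESSAGE = """\
From: "IRS.gov" service@IRS.gov
To: recipient@example.net
Subject: Tax Information - (Code 7624-6263)

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $191,40.
To access the form for your tax refund, please click
http://rds.yahoo.com/_https://sa1.www4.irs.gov/irfof/lang/en/irfofgetstatus.jsp?6263/**http://www.abandonship.com/g2data/irs/
"""

if __name__ == "__main__":
    report = triage_message(SAMPLE_MESSAGE)
    print("sender domain:", report["sender_domain"])
    for link in report["links"]:
        print(link["verdict"], "->", link["final_host"],
              "(decoy names:", link["trusted_name_in_path"], ")")
    print("sender/link mismatch:", report["sender_link_mismatch"])
```

Run against the sample, the verdict is "lookalike_redirect": the outer host is rds.yahoo.com, the irs.gov name sits only in the path, and the final host is www.abandonship.com, which is exactly what the hover-and-read check above shows by hand.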

*Please note: unless you and your "system" are "bulletproof," never click on, or go to, a phishing site. There is a possibility that by doing so you might "unknowingly" download malware, which can also lead to "identity theft."

Never fear, there are great places - with "bulletproof" protection - that will take care of it for you.

If you get a phishy e-mail - you can turn it into "fried phish" by sending it to the good folks at PIRT-Phishing Incident Reporting and Termination Squad. They have a module to report "suspected phishing activity," or you can forward the "suspected phish" to PIRT@Castlecops.com.

PIRT is a joint venture by CastleCops and Sunbelt Software - and they will report it to the right people, including law enforcement.

The IRS also has a dedicated e-mail address to report IRS phishing attempts, phishing@irs.gov.

Reporting the Phishermen is a kind thing - this foul activity causes people a lot of pain and suffering.