Wednesday, January 31, 2007

Paper weapons (counterfeit documents) enable more serious crimes than illegal immigration and identity theft

Suad Leija

Counterfeit (forged) documents are used by illegal immigrants, financial crime artists (fraudsters) and even terrorists. 9/11 proved this a few years back - when it was discovered that several of the hijackers (terrorists) used forged documents to obtain legitimate state-issued driver's licenses.

And this can't be the only time terrorists have used counterfeit documents - jihadist training materials teach their disciples to use these documents to blend into our society, as well as to pay for their expenses. Al Qaeda's training manual (courtesy of Frontline) illustrates this, here.

Several months ago, I saw one of the first stories about Suad Leija and wrote about her. Since then I've mentioned her in a couple of posts. This led to her husband making contact with me, and eventually speaking to Suad, herself.

Suad Leija is trying to educate the public that counterfeit documents pose a serious problem to our safety and national security. And who would know better than Suad, who was raised around one of the biggest organized crime groups providing counterfeit documents to anyone willing to pay for them.

Suad is the step-daughter of Manuel Leija Sanchez, described as the "boss" of the Chicago cell of the Castorena Leija-Sanchez crime family. The ICE press release about his recent arrest can be seen, here.

Mr. Leija-Sanchez has been arrested in the past for selling counterfeit documents (several times), narcotics and assault. He is currently serving a one-year sentence in Illinois for this latest arrest. More details about how he ended up only getting one-year sentence are on Suad's YouTube videos, which can be seen on her Paper Weapons site (highly recommended and linked to further down in this post).

I asked Suad about her bodyguards - mentioned in other articles about her - reported as being Polish. She told me that they were represented to her as Polish, but didn't really know. Interestingly enough, they taught Suad to speak a little Russian.

This made me reflect on speculation that Eastern European organized crime is involved in all the major data-breaches involving the theft of personal and financial data. They would need resources to turn their information into counterfeit devices.

Eastern European organized crime is (also) known to be involved in human smuggling and there are illegal immigrants of Eastern European origin all over the world. Sometimes, we need to remember that illegal immigrants aren't only from Mexico.

Law enforcement officials from Canada and Great Britain have voiced their concerns in public about connections between organized crime and terrorism in the recent past.

Of course, the FBI has been saying the same thing for awhile (since 2002), here.

I asked Suad how many people she thought used counterfeit identification to obtain legitimate documents and she told me that was why items, such as utility bills are popular. Suad describes these items as "feeder documents," which are then used to obtain more legitimate identification.

As long as feeder documents are acceptable to prove legal status, putting security features on legitimate documents will do little to stop the problem. This is especially true, when some of the documents used as feeder documents might come from anywhere in the world.

Hazardous material licenses are even forged - allowing hazardous materials to be illegally transported. Besides the possibility of a freak accident occurring (if used in an intentional manner) a lot of innocent people could be hurt, or killed because of a forged hazmat license.

Counterfeit documents can be used to cross borders, board airplanes and it seems (more recently) obtain access to sensitive government facilities.

ICE recently arrested quite a few illegal aliens working at some of these secure government facilities.

Suad is currently in hiding (under the protection of her husband) - there are reports that her step-father has threatened her life after he is released. Manuel Leija-Sanchez and Pedro Castorena are both in custody - but there is no telling for how long - and their organizations still appear to in business.

ICE press release on Pedro Castorena's arrest, here.

According to Suad's website Paper Weapons:

The Castorena Leija-Sanchez crime organization is the major supplier of counterfeit documents/paper weapons in the United States. They are based in Mexico and have been operating in the United States for 17 years. They are in every major US city and earn approximately 300 million dollars per year.

Paper Weapons site, here.

The site has a chilling flash presentation showing pictures of 9-11 terrorists and members of the Castorena Leija-Sanchez family on fake counterfeit identification.

Suad's story has been covered by the mainstream media (Lou Dobbs, Paula Zahn, CBS, Univision), here.

Her personal story (in her own words) can also be seen in a series of YouTube presentations, along with the stories from the mainstream media.

Some other items were pointed out to me as a result of this conversation. There are 15 million illegal immigrants in the country today, and the reason they are here is to make money. If the jobs weren't readily available (and they seem to be), the problem wouldn't be anywhere as big as it is now.

The motivation of most of these people is to escape poverty - and believe it or not - people on public assistance in the United States live like "kings" in comparison to how they live in their own countries.

Then there is the matter of how any program could be administered. Embassies across the world are already overwhelmed with visa requests and how would these people be effectively screened?

It was also pointed out to me that if a guest worker program were implemented, it probably wouldn't be long before the required identification to be a guest worker was being counterfeited, also.

Documents being counterfeited is nothing new (counterfeiting has been around for centuries). But with recent advances in technology, it's becoming pretty easy to do. The quality of the documents is getting better and security features are being compromised quicker than ever before.

The problem of counterfeit documents goes far beyond poor people doing menial labor (jobs that no one seems to really want). In fact, they are enabling much more serious activity, and this is where we need to direct our focus.

Sunday, January 28, 2007

How people's credit can be ruined by a mortgage fraudster

The terms mortgage fraud and identity theft keeping popping up in the same stories. Hard to believe that someone could buy real estate with another person's identity, but it seems to be happening more and more often.

Another good argument that people should review their credit report on a regular basis.

Before getting involved in a real estate deal that might be "too good to be true," it might be a good idea to educate yourself and make sure you've done all your homework.

USA Today interviewed a convicted fraudster - who openly talks about how he defrauded a lot of people, including senior citizens (he considers them lucrative targets).

From straw buying -- where people are conned into letting their names and credit be used to buy properties to people having their homes stolen from them -- the convicted real estate fraudster (Brent Barber) gives some interesting insight into the "seedy" world of mortgage fraud.

USA Today story, here.

And in another story, a former nun had her identity stolen and used to buy properties (she almost lost her own house).

This telling story was written by Michelle McPhee, who is a Police Bureau Chief and reporter for the Boston Herald.

Interesting read, here.

Mortgage fraud is a crime that by recent estimates costs over $1 billion a year in the United States. Rachel Dollar, an attorney and broker, who is an expert in mortgage fraud does an interesting blog for anyone, who wants to become more educated in the subject, here.

Saturday, January 27, 2007

Congress needs to take a hard look at credit practices

Right before Christmas, the Consumers Union spearheaded a campaign calling for credit card reforms. It now appears as if some of the issues they surfaced are being looked into by the Senate Committee on Banking, Housing and Urban Affairs.

And Consumers Union isn't alone - a lot of other consumer groups are pretty much calling for the same kind of corrective action for the industry, here.

But it's not only consumer groups that are up in arms. Merchants seem to be, also.

The Merchants Payment Coalition is also applauding this development and is calling for a "deeper look" into interchange fees, which they say cost consumers $30 billion a year. Notably, they state that this amount represents twice the amount the industry charges for late fees, which have also been under attack by the consumer groups mentioned above.

The describe these fees as:
Americans pay a hidden fee on virtually every transaction they make, whether they use a credit card or not, costing consumers tens of billions of dollars a year. This fee, called interchange, is a percentage of each transaction that Visa and MasterCard banks collect from merchants every time a consumer uses a credit or debit card to pay for a purchase. The fee varies with type of card, size of merchant and other factors, but averages close to 2 percent for credit card and signature debit transactions. These hidden fees drive up the cost of goods and services for all consumers whether they pay with plastic, cash or check.
Merchants Payment Coalition page about this, here.

The National Retail Federation is also very "passionate" about interchange fees.

In July, they issued a press release, stating:
The National Retail Federation welcomed a hearing on soaring credit card interchanges rates scheduled to be held today by the Senate Judiciary Committee. The hearing is expected to focus on the $26.3 billion in credit card interchange fees collected each year, the impact of the fees on American retailers and consumers and whether the price-fixing practices involved in setting interchange fees violate federal antitrust laws.
National Retail Federation press release, here.

Since this release was issued in July stating that interchange fees brought in 26.3 billion, I guess the current estimates of $30 billion means that these fees were more profitable than anticipated for the credit card issuers?

We seem to be living in a world, where the amount of debt carried by consumers is at an all time high and fraud is running rampant. Critics claim that credit is issued too easily and not very responsibly.

Please note, this doesn't only apply to the credit card industry, we are (also) beginning to see the impact in the mortgage industry - where defaults are at a record high. Probably the result of too many people "flipping properties," and what appears to have been a record amount of "mortgage fraud."

We are also seeing a growing amount - especially with all the data breaches - of payment card (credit/debit) card fraud.

It makes one wonder how much longer it will be before we hit "bottom," and an economic disaster is the result. If this happens - who will pay the cost?

Our leaders need to examine this problem carefully - and take appropriate action to fix it. Passing the costs of it between businesses (and ultimately consumers) will only work for so long.

Thursday, January 25, 2007

TJX's stolen data is being used - 200,000 accounts identified, so far

My guess is that the recent TJX data breach will prove to be the largest on record. Several sources are already reporting data from this breach is being used to commit fraud.

The Boston Globe is reporting:

The Massachusetts Bankers Association said yesterday that several banks reported fraud linked to debit and credit card numbers pilfered from TJX's computer system for unauthorized purchases made in Florida, Georgia, and Louisiana in the United States, and Hong Kong and Sweden overseas.

Middlesex Savings Bank is reissuing at least 20,000 Visa debit cards and had about a dozen suspected cases of fraudulent activity as far away as California and Japan, bank officials said. The bank said it costs at least $5 to replace a card, and many of the fraudulent charges were occurring at gas stations, discounters, grocery stores, and Internet merchants.

Boston Globe story, here.

This is likely the "tip of the iceberg" because a majority of the affected institutions haven't reported in yet.

Meanwhile up North, thousands of Canadian citizens have been affected. CTV is reporting:

Fraudulent activity has been confirmed on the accounts of thousands of Canadian credit-card holders who had their information stolen during a security breach at the U.S. parent company of Winners and HomeSense.

CTV story, here.

My advice is that if you have shopped at a TJX company recently - watch your statements, carefully.

Especially, if you have a debit-card. Debit cards aren't protected as well as credit cards. Tom Fragala (Truston Identity Theft Services) has a great post on his blog about this, here.

Tom developed this service from a victim's standpoint and has helped many victims, both personally and with his well-known commentary on the subject.

If you are a victim - I can personally recommend his services - which don't expose your personal information (again), also.

Here is my previous post on the TJX data breach:

TJX named as point-of-compromise in International …

Symantec warns of newsletters and "legitimate" advertising being hijacked!

Viagra with your Fantasy Football?

Spam is getting worse than ever, and a lot of spam filters don't seem to be stopping it. Even worse, legitimate mail is being designated as "spam" and placed in "bulk folders."

I find myself having to review my "bulk folder," daily.

Symantec is reporting a new "sneaky" spam tactic being seen out there. Legitimate newsletters and advertising from well known organizations, such as Walmart and ESPN are having ads for Viagra (example) inserted into their publications and sent out as if they are affiliated with the product.

In essence, the spammers are "hijacking" legitimate publications.

As reported in the Symantec Security Response blog by Kelly Conley:

We've noticed a tricky new spam tactic occurring recently and thought we'd share it with you. It’s always exciting when a new spamming technique comes along and it’s even more exciting when our filtering capabilities are successful against it. Most users running our product will not have seen this. Spam filtering can still protect you from this “new spam technique,” but, even if you have seen it or even opened it, you probably gave it a one-two glance and wondered “Eh? This isn't what I thought it was.”

The headers are legit – coming from a newsletter or ad that you have signed up for. You should be receiving this mail, right? Nope, it's a spam email. Look closer. There at the top of the page. It's an ad for something entirely different than what you thought was going to be in that email.

Kelly's full post, here.

Symantec's researchers have noted these "faux" (fake) images inserted on legitimate pages, or when the page is accessed - a "pop in" spam message appears moments later. They've also noted that the spammers seem to be able to control how many messages are sent out. No more than one a day is sent to any particular e-mail address -- and a different legitimate newsletter, or retailer is used each time.

According to the researchers, the motivation behind this is to (probably) make the reader more likely to read the message (believe it's credible). This method is possibly also used to in an attempt to trick a lot of the spam filters out there.

The good news is that - according to Kelly - Symantec's filters appear to be catching almost all of this.

A lot of us laugh at spammers and their "seemingly ridiculous" advertising, but the sad truth is, they wouldn't be sending it out if unless some people were falling for it. And that person might be one of your grandparents, or "younger relatives."

Even worse, the products they are "hawking" are questionable and in some instances, dangerous. In addition to this, spam is also used as a means to hook "victims" into all the various Internet scams that I frequently write about.

Symantec covers this issue "online fraud" (and others) on their blog, here.

Screenshot (below) of Kohl's ad being hijacked to sell drugs

Wednesday, January 24, 2007

Small Businesses are often the victims of financial misdeeds

Large businesses often employ dedicated experts to protect their assets. Unfortunately, smaller business can't afford these resources, and therefore are more vulnerable to fraud losses.

And it's easier for these larger businesses to write-off their fraud losses. The sad truth is that - if not managed properly - fraud losses can put a smaller business "out of business."

The Association of Certified Fraud Examiners noted in the 2006 report to the nation that small businesses seem to suffer "disproportionate fraud losses," when compared to larger organizations.

I did a previous post, which links to the report, here.

I read an interesting article by Lena West (CEO of xynoMedia Technology) that offers some practical advice to small businesses.

Ms. West writes:

It is officially open-season on small businesses. Hackers, phishers, spammers and fraudsters often use small businesses as target practice before going after the big guys, though it's news that often doesn't make it in the headlines. No one really knows the true impact of online security breaches, as only 20 percent of businesses reported computer intrusions to legal authorities, according to the FBI and Computer Security Institute. And every online merchant knows the threat of bogus credit card purchases is one that never goes away.
Full story from, here.

The story points on how to deal with and protect yourself from everything from data-breaches to credit/debit card chargebacks.

Since in my opinion (awareness is the best and most effective fraud tool) - this article is great information for anyone, who owns a smaller business.

Tuesday, January 23, 2007

People are getting tired of having their personal and financial information stolen

Are people beginning to get sick and tired of discovering that their personal and financial information has been exposed?

Employees at Xerox are picketing their office in Oregon because it took four months for anyone to be notified that a Human Resource's Manager lost a laptop with their personal information on it.

Many of the employees (rightfully feel) that an offer of "free credit monitoring services" is coming four months too late, and are wondering why their information was stored on a laptop?

KOIN 6 News story, here.

With the news that TJX has potentially exposed millions in several countries by having their systems hacked, we are likely to see more and more people speak out!

Of course, we could ask Martha Coakley, who was just sworn in as the Attorney General in state of Massachusetts. Ms. Coakley recently discovered someone was trying to use her credit card to buy a Dell. Her comment was that the chances of catching the crook "are slim to none, since even if they could link it to a person, jurisdictional issues would likely hamper an effort to prosecute."

Boston Herald story, here.

Maybe the problem is that there aren't sufficient laws to protect people's (personal and financial) information, or go after the people - who steal it?

Monday, January 22, 2007

McAfee reports on worldwide identity theft trends

Although, identity theft has become a global issue, there are very few studies that put the trends together from a global perspective.

Since identity theft can travel thousands of miles with the click of a mouse (or with the use of automated software), we could learn a lot by studying the problem as a whole.

McAfee has just released a white paper, which does this.

From the McAfee site:

According to the report, the number of keyloggers - malicious software code that tracks typing activity to capture passwords and other private information - has increased by 250 percent between January 2004 and May 2006. Additional findings show that the number of phishing alerts tracked by the Anti-Phishing Working Group has multiplied 100-fold over the same period of time. The report also provides practical guidelines that minimize the risk of identity theft to help readers protect themselves and prevent this increasingly common crime.

The study shows that identity theft exacts a high toll on national economies around the world. According to the Federal Trade Commission, the annual cost for consumers and businesses in the United States alone reaches $50 billion annually(1). In the United Kingdom, the Home Office has calculated the cost of identity theft to the British economy at $3.2 billion during the last three years(2) and some estimates from the Australian Centre for Policing Research place the cost of identity theft at $3 billion each year(3).

The conclusion of their report is:

We must first admit that every one of us—individuals and businesses—are threatened and potentially vulnerable to identity theft; this is not something that happens only to others. Despite the seriousness of current incidents and the
increasing threat, some basic principles allow us to significantly reduce the risk. Awareness is the best defense. Through awareness, we develop our senses to spot identity theft and to protect personal and corporate information, while maintaining the benefits of information technology.

Not only covered in the report are technological means in which identities are stolen and used, but it also covers known cases, such as "dumpster diving, mail theft and employee theft."

It also shows how victims are denied credit, identification and even labeled as "terrorists" because their identity had been assumed, and used for "illicit" purposes.

The paper is substantiated by referencing a lot of (worldwide) government and private studies.

The paper also has a lot of relevant tips for both individuals and organizations on how to avoid becoming a victim.

All in all - a very "interesting" read.

McAfee White Paper, here.

Sunday, January 21, 2007

Does eBay now see fraud protection as an important part of their continued profitability?

There has been a lot written about fraud on auction sites, particularly eBay. Perhaps, with all the competition going after their "extremely profitable business model," they are reconsidering the importance of preventing fraud on their site?

Mark Raby of the TG Daily writes:

During a webcasted conference with some of the online auction site's top sellers, eBay's North America president Bill Cobb expressed concern over the rise of people who don't ship out items or list counterfeit merchandise as real, along with people who have found more clever ways of manipulating the system.

Cobb said that one key target that could more easily be monitored is the selling of fraudulent and pirated merchandise, which is not always easily caught or reported by the buyers, or the wording in the auction is deceptive so that the victim has no means of restitution.

Top-end products, like cars and jewelry, will also be on Ebay's watch list as it puts new measures into place to ensure that both the buyers and sellers are legitimate. With around two billion new items put up for sale every year, it has historically been difficult and financially unmanageable to have a comprehensive anti-fraud program for the site.
TG Daily story, here.

Although - as always - "money talks," it's great to see some forward motion on this issue, which has left too many people "holding the bag."

Here is a previous post, I wrote about competition forcing more "fraud protection" in the auction world:

Will competition make it harder to write off fraud costs on auction sites?

Has a lot of money been lost because of fraud, waste and abuse in Iraq?

There is no doubt that the war in Iraq has cost the taxpayer's a lot of money. Many brave young and women have even paid a greater price.

Jim Fry (Voice of America) is reporting:

"Government auditors told Congress Thursday that waste and fraud in the reconstruction of Iraq have been rampant. They predict they will uncover losses in the billions of dollars. Key Democrats on the House Armed Services Committee demanded an accounting within two months."

Voice of America story, here.

There are going to be some, who claim that this is political posturing for for the "upcoming" presidential elections, but there is no doubt - we need to take a hard look at what's been going on.

If fraud has been a problem in Iraq - and hard evidence is brought forward - the guilty should punished, severely. After all, many of our nation's finest (the brave men and women I referred to above) have paid with their "blood" for justice in Iraq.

They deserve some (justice), also!

Should this turn out to be "political posturing," the voters (who by now should be getting tired of special interest/pork barrel politics) should make their voices be heard on election day.

I will be one of the people, who vote every election, watching the results of this, carefully!

Saturday, January 20, 2007

TJX named as point-of-compromise in International data breach - millions of people at risk!

Data breaches are happening at an alarming rate. Until some meaningful action is taken to address them, such as following already established principles (data and PCI security compliance), we're probably going to see them continue.

Reuters is reporting (courtesy of the Washington Post):

TJX said the breach involves the computer network that handles credit card, debit card, check and return transactions at its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico; and its Winners and HomeSense stores in Canada.

It said the intrusion could also affect customers at stores in the United Kingdom and Ireland, and its Bob's Stores in the United States.
Reuters story, here.

This time not only credit and debit-card information was compromised, but check and all the personal information gathered when someone makes a refund might have been exposed, also.

The breach - reported to have been discovered in December - was kept quiet at the request of law enforcement.

The company has set up hot-lines, which are 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the U.K. and Ireland. I called one of them and they didn't seem to be able to answer much, but told me if I wanted more information to go their website, here.

The problem in these large data breaches at merchants (TJX isn't the only one) is that too much personal and financial information is being maintained in databases, which aren't protected properly.

The Privacy Right's Clearinghouse maintains ample evidence of this, here.

The Payment Card Industry has already established data security standards, which aren't being followed in a lot of cases. Visa did a press release announcing that they are offering financial aid to Level 1 and Level 2 merchants. There is also mention that fines will be increased for merchants who fail to comply.

Unfortunately, even Visa states that compliance for Level 1 merchants is at 36 percent and 15 percent for Level 2 merchants.

Although, I commend the action by Visa, I fear fining non-compliant entities might not be enough.

Tech Web's "Dark Reading," has an excellent essay on the need to become more proactive, here.

In their essay, they state:
One recommendation is that Congress pass a law that compels organizations to protect sensitive information rather than one that simply determines when and how customers will be notified after the fact. There's been a consensus in Congress that standards are needed to safeguard personal information, but there's been a lack of unanimity in the details of how this should be done, says, Liz Gasster, acting executive director and general counsel for the Cyber Security Industry Alliance. "It was a real letdown for the citizens of this country that legislators weren't able to overcome their differences last year and pass a law," she says, adding that one big sticking point was Congress not wanting IT security improvements to create additional costs for industries operating in their constituencies.
Maybe with a new Congress, we'll see some "forward thinking" on this issue? After all, it's their responsibility to represent the people, who are having their personal and financial information compromised.

It would also be nice to see more funding to go after the criminals behind this growing problem. After all - the companies being breached aren't the source of this issue.

And besides enacting legislating and prosecuting the criminals doing this, we have the matter of "trust" and "consumer confidence" to consider. These are two "key" business principles that fuel economies. Failure to do something now; might lead to some unfortunate consequences, later.

If you would like to learn more about payment card compliance and data security, here's a site I recommend:

PCI and Data Security Compliance

Here's a previous post, I wrote on this subject:

With all the data breaches - something needs to be done!

Will a hot-line being staffed 24 hours solve the fraud problem in Los Angeles?

A story recently hit the press about Los Angeles County (potentially) losing $2 billion a year to fraud. That's a lot of taxpayer money!

This dollar figure was "estimated" (using Association of Certified Fraud Examiner statistics), which say that 5 percent of all revenues (generic) are lost to "employee fraud, waste and abuse." Nonetheless, there have been a lot of recent allegations of "too much fraud" occurring in Los Angeles County.

The problem with any fraud statistic is that the intention of the people - who commit financial misdeeds (fraud) - normally like to keep it rather anonymous. I keep seeing different figures (the $2 billion was from an article a couple of weeks ago), but the truth is - all anyone knows - is that it appears to be a substantial problem.

Now the County officials are announcing a fraud hot-line to report instances of government fraud and abuse will be manned 24/7.

The LA Times is reporting:
Ratcheting up efforts to crack down on bureaucratic waste, fraud and abuse, Los Angeles officials unveiled a 24-hour whistle-blower hot line Thursday to take tips from workers and the public.

The latest move to clean up City Hall comes two years after the City Controller's Office created a special task force to investigate fraud.

LA Times story written by Rick Orlov, here.

If you are a resident of Los Angeles County and have something to report, the number is (866) 428-1514.

In the recent article, I read quoting the $2 billion loss figure, there were also allegations that very few people are ever prosecuted, or even lose their jobs when caught committing fraud in the County.

In fact, a recent story stated:

Despite the large number of prosecutions, critics said only a small proportion of county employees found to have engaged in fraud and misconduct are disciplined or charged criminally.

While investigators substantiated 120 fraud hot-line cases last year, only 38 employees, or 32 percent, were fired, suspended, transferred or allowed to resign.

Does this mean that the County is losing $2 billion a year to fraud, the hot line only netted 120 "substantiated cases," and of the personnel implicated - 68 percent of them are still employed?

I'm just an "average person," but to me, increasing the fraud hot-line hours isn't going to make this problem go away.

And not going after the problem "aggressively enough" isn't fair to the honest citizens of Los Angeles, who are "footing the bill" for all of this.

I wonder how many private companies would put 2 out of 3 people bilking their bottom lines back to work?

I feel sorry for the investigators trying to put a dent in this problem!

Here is another post, I did on fraud in Los Angeles:

Los Angeles Grand Jury Calls Child Care Program an ATM for Thieves

Friday, January 19, 2007

A new work-at-home business that scams everyone!

With the recent raids on Swift by ICE - a lot of people have wondered how much phony identification is out there. The most recent story about this is out of the Toronto area, where a large counterfeiting ring was discovered in a residential neighborhood.

The home based business was producing counterfeit identification, credit cards, government benefit cards and passports. In other words, they were making anything a criminal, illegal alien, or terrorist would desire - right out of a private home.

The City News (Toronto) is reporting:

The hunt began last May when Red Rocket officials put out a notice about phony Metropasses that were being distributed in the city. From there, they began to follow a long and winding road of deception that eventually led cops to a residence in Mississauga.

Armed with a search warrant, they entered the home last December 20th, and discovered illegal equipment - like computers, hot stamp pressers, special inks and more - that allowed suspects to turn out the illegal phonies by the thousands. They also found seemingly endless supplies of the finished products.

They were stunned to see scores of blank cards, OHIP cards, altered driver's licenses, even passport photos arrayed inside the home.

City News story with interesting video, here.

It's no wonder that both Canada and the United States (as well as many others) are having a huge problem with illegal immigration, border security and financial crimes.

Here are some similar stories about the same activity in the United States:

Is Bashing DHS for the Swift Raids Fair?

Mexican Organized Crime Ring is Mass Producing Fake Documents - and Considers Terrorism an American Problem

And the UK seems to have discovered the same problem:

International Identity Theft Ring tied to Bank

Of course, the people doing this don't honor borders, or jurisdictions - which means the proceeds from this problem can "easily travel" and victimize a lot of people.

Wednesday, January 17, 2007

OCC is warning the public about counterfeit cashier's checks

I've written a lot about counterfeit cashier's checks, which have spread via the Internet in a number of different scams. Known scams include winning the lottery, secret shopping, overpayment for an item sold on an auction site, or assisting a romantic interest found in a chat-room.

The people who do this are creative and you never know what new "scam mutation" will be discovered tomorrow.

The OCC is warning:

However, cashier’s checks lately have become an attractive vehicle for fraud when used for payments to consumers. Although the amount of a cashier’s check quickly becomes “available” for withdrawal by the consumer after the consumer deposits the check, these funds do not belong to the consumer if the check proves to be fraudulent. It may take weeks to discover that a cashier’s check is fraudulent. In the meantime, the consumer may have irrevocably wired the funds to a scam artist or otherwise used the funds – only to find out later, when the fraud is detected – that the consumer owes the bank the full amount of the cashier’s check that had been deposited.

The OCC offers a lot of insight about the growing problem of counterfeit cashier's checks, here.

Also contained is a FDIC Bank locator, which is an excellent tool because in a lot of scams - the crooks set up phony telephone numbers and even addresses to make themselves appear legitimate.

In the case of cashier's checks, the issuing bank (not yours) is the best place to validate whether an item is legitimate, or not.

FDIC tool, here.

If you would like to see if a particular bank has been targeted with counterfeit cashier's checks - the FDIC issues alerts, here.

Another item to key on is the "scam behavior," which normally will always involve sending money to someone in anticipation of something that is too good to be true!

Sunday, January 14, 2007

Does anyone know - whether or not - check fraud is on the rise?

I sometimes wonder - whether or not - anyone really knows how much check fraud is out there?

Law enforcement jurisdictions often have dollar amounts (some fairly high), which must be met before a case is actively investigated - causing it to be recorded as a statistic. And in the private sector - a lot of NOT very "clear reasons" are used to return checks, which might or (might not) mean fraud.

My two favorites reasons the banks use to return checks are "refer to maker" and "stop payment." This might mean someone was unhappy with a service that was performed, or it could mean the item is counterfeit and the owner of the account placed "stop payments" on the checks. It's even possible that items returned as NSF (non-sufficient funds) are forgeries, or counterfeits because the owner of the account has yet to discover their account has been compromised.

The same holds true with "fraud accounts" that banks open for crooks (new account fraud). New account fraud occurs when fraudster(s) open an account (often with fake information), write a series of checks for a lot more than what is in the account, and disappear (literally).

Often they do this over a weekend, and withdraw the amount they initially deposited, also.

New account fraud items normally return as (NSF) non-sufficient items until the bank closes the account. Once this occurs, they are classified as "account closed." Non-sufficient fund and account closed items are normally not considered a fraud classification.

The only thing that is certain is that the loser is going to be the party, who accepted the check, and not the banks. In fact -- some believe the banks are the winners in this process -- because they make a lot of money from "bounced check" fees.

In a lot of the recent Internet scams, customers have even gone to a bank employee to ask if an item is good. After trusting the employee's expertise, the check was deposited and the funds were made "available." A few days later, the item was returned as fraud and the customer's account was "garnished."

And in all the cases, I've heard where this happened, the bank didn't accept any liability. Here's a post, I wrote about this:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

The other day, I came upon an article by SmartPros, indicating that a "possibility exists" that check fraud will rise in the coming year.

According to SmartPros:
Identity theft trends in the next year may include an increase in check fraud, check synthesizing and check counterfeiting, according to The Identity Theft Resource Center, a nonprofit victim assistance center.
SmartPros story, here.

In case no one has been watching - check fraud appears to have been growing rapidly over the past several years. It's true that all the bogus "financial paper" circulating aren't only checks, we are seeing a lot of counterfeit money orders, also.

Counterfeit cashier's checks and other bogus paper financial instruments (money orders, travelers and gift cheques) have been showing up in secret shopper, romance, lottery, work-at-home and auction scams at ever increasing rates. The situation seems to be getting worse - as more and more people - become Internet users.

In fact, eBay recently announced they will no longer offer any protection for paper financial instruments on their site.

And so far as the amount of them out there, there is evidence that bogus paper financial instruments are being produced on an industrial level:

Are Counterfeit Documents being Mass-Produced in Nigeria?

The Federal Deposit Insurance Corporation sends out alerts on all the counterfeit cashier's checks, which are pretty hard to keep up with. If you want to see what I mean, link here.

We read a lot about "DIY" (do-it-yourself) kits being sold to commit phishing and eBay fraud in shady Internet crime forums -- but in the case of checks -- DIY kits are openly sold in stores, and available on e-commerce sites.

In fact, there are a lot of "legitimate companies" selling all sorts of software, printers and even magnetic ink, which are capable of turning out some pretty convincing counterfeits. Throw in a computer, and it's not very difficult to start making checks.

To show all the "DIY check technology" for sale on the Internet, I ran a Google search, here. Of course, a lot of this (including the paper) can be bought at your local office supply store, also.

As with a lot of fraud, technology seems to be enabling the problem.

Although check fraud might continue to grow, there is little doubt that it's already a huge problem. BankersOnline did an article in 2002 stating:

About five years ago, U S NEWS and WORLD REPORT did the most in-depth study on this that we've had, and I've used their figures ever since. They probably are low by now. They said the financial institutions in the United States lose about $12 Billion a year in check fraud, and the retail industry loses a like amount. The total loss being $24 Billion as a result of check fraud. I think identity theft is getting a lot of publicity now - but it's been around for a long time. We just never gave it the designation of identity theft.

Since this report is now 5 years old and it is using figures that were 5 years old -- no one probably knows how much check fraud is really going on.

I guess until everyone comes up with some uniform standards, it's going to be impossible to determine how much check fraud is really out there.

BankersOnline article by Barbara Hurst, here.

A great resource on check fraud is the National Check Fraud Center. Their site provides a lot of expert information on check fraud and how to protect yourself from it.

Is check fraud on the rise? Despite the lack of statistics - my best guess is that it is!

Thursday, January 11, 2007

New phishing rod being marketed on Internet crime forums

A new and more dangerous "phishing rod" is being marketed and sold in Internet crime forums. This assures that this "phishing rod" will be readily available to all sorts of "i-jackers" (identity theives).

DigitalTransactionNews is reporting:

RSA Security Inc. on Wednesday announced its analysts had discovered a powerful new phishing tool fraudsters are selling via online forums and using to hoodwink consumers. The tool, which RSA calls a “universal man-in-the-middle phishing kit,” allows phishers to set up a URL that can interact in real time with the actual content of the Web site of a targeted brand, such as a bank or e-commerce site. In this way, the fraudsters can intercept any data consumers may enter at the log-in or checkout pages of these sites. They then send out phishing e-mails embedded with links that send recipients to the fake URL, where the user can see an organization’s legitimate Web site but where any information he enters will be hijacked by the fraudsters as he types it.

The new tool is especially insidious, says RSA, because of its all-purpose nature. Fraudsters can use it to target any Web site without having to customize or create a tool for each brand. Also, the tool collects all data users enter, including all information the user types in after logging in. Typically, phishing attacks gather only data they request, usually passwords, PINs, or credit and debit card account numbers.

DigitalTransactionNews article, here.

I first read about the man in the middle phishing attack when it was discovered at CastleCops by PIRT (Phishing Incident Reporting and Termination Squad) and reported by Internet crime writer Brian Krebs of the Washington Post, here.

PIRT is a great place to report suspected phish. They have a lot of dedicated personnel that fight phishing!

It's a shame that these Internet crime forums are allowed to continue operating. It's even been reported that one of them is being "hosted" in the Islamic Republic of Iran.

And Internet crime isn't the only problem that Iran is hosting. I'm sure some of our brave troops in Iraq and Afghanistan could attest to that.

Until we go after the sources of this problem, I have a "bad feeling" that Internet crime will continue to grow.

The FTC was recently given greater powers to follow Internet criminal activity across borders. Maybe laws like these will enable the "good guys" to start having a more "lasting" effect on the people behind the problem.

Will competition make it harder to write off fraud costs on auction sites?

Perhaps market forces will be what it takes to better protect buyers and sellers from fraud on auction sites? Competition dictates that the auction providers will have to offer a "better deal" to attract and maintain their customer base.

Internet auctions have become a "very" popular way to buy and sell goods, but they've also attracted a lot of fraud. And fraud seems to be motivating some changes at the most popular auction site, eBay.

eBay is limiting what types of transactions they protect and is banning Google's Checkout on it's site. In addition to this, they are increasing the dollar amount protected with PayPal.

Ina Steiner of AuctionBytes wrote:

eBay will double PayPal Buyer Protection on its site, offering up to $2,000 of coverage for qualified transactions on, but is eliminating buyer-protection for non-PayPal transactions. The move is a dramatic effort by eBay to push buyers to use its PayPal online-payment service at a time when it faces increasing competition from Google Checkout, a method it prohibits sellers from accepting on its site.
AuctionBytes story, here.

The story also mentions that eBay no longer protects transactions with financial instruments, such as wire transfers, money orders and checks. Scams using these now "unprotected" financial instruments have been well documented in the auction world.

The message is that if you don't use PayPal, or a credit-card - you aren't protected on eBay.

Not sure if eBay is trying to limit it's own fraud exposure, or if they are marketing fraud protection?

Even though buyers might be getting "slightly" more protection - sellers seem to be more at risk of losing money from fraud than they were before. They are either going to have to limit their "accepted payment methods," or take the chance of losing more money.

And so far as credit cards - "sellers" still are and "always have been" at risk of receiving chargebacks from the financial institution involved.

It will be interesting to see how this progresses and how auction users react.

The auction business is getting more "competitive," and writing off the cost of fraud is going to become "increasingly more difficult."

Here are some previous posts, I've written on auction fraud:

Romanian Second-Chance eBay Scammers Busted

California Issues Alert on Emerging eBay Fraud Trend

How to Spot a Counterfeit on eBay

Bid Reaper, "TELLING IT LIKE IT IS" on eBay

Auction Fraud and the Romanian Connection

How to Protect Yourself on eBay

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Sunday, January 07, 2007

With all the data breaches - something needs to be done!

There have been a lot of large data breaches in the past year, where anonymous sources pointed to a retailer (merchant) as the point-of-compromise. Of course - as in most data breaches -rumors are often "downplayed" and in some instances, denied.

Card processors have been accused of maintaining information they shouldn't have, also.

The Privacy Rights Clearinghouse maintains a chronology of these incidents data breaches since 2005, which can be viewed, here.

And a business would have good reason not to disclose everything. It could create a lot of negative publicity, which would have a negative impact on their bottom line.

This is probably one of the better arguments for legislation requiring full disclosure, when people's personal information is compromised.

Could it be that a lot of these data breaches are being enabled by storing too much information in point of sale systems, which is poorly protected, and therefore - easily compromised (hacked) by criminals?

Last month, Visa International issued a press release offering $20 million in incentives to what they term Level 1 and Level 2 merchants to assist them in becoming compliant with the existing standard. It also mentions sanctions (fines) that will be imposed on merchants, who decide they aren't going to conform.

The press release states:

Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

According to the press release, "current PCI compliance among Level 1 merchants is at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance."

The bottom line is that it appears the card issuers (themselves) are getting pretty sick and tired of all the data breaches. My guess is that the banks -- who deal with the customer fall-out -- are getting pretty tired of it, also.

After one of the many posts, I've written about data breaches, I came into contact with a company called Security Metrics. Security Metrics provides a service to assist merchants in protecting their information.

Wen Free (Director of Business Development) told me that he believes breaches at the merchant level are becoming an "all too common" problem. Wen also told me that I would be shocked at how many merchants aren't in compliance, and are storing information - which isn't protected properly.

Wen pointed me to a tool developed by SecurityMetrics and MasterCard, where a business can run a Free-Scan ( of their systems, to determine how compliant they actually are.

If these deductions are correct, it makes these merchants lucrative targets for hackers in search of people's financial information.

The fact that only 36 percent of the level 1 merchants and 15 percent of the level two merchants at Visa are "compliant" supports his contentions. And we have to remember that Visa isn't the only major issuer in the game and that most merchants offer multiple ways to pay for their goods and services.

With all the recent large-scale attacks on payment systems, it's going to be harder and harder for businesses to absorb losses from data breaches. Recent stories of carder forums - where this information is bought and sold on the Internet - point to the fact that there seems to be an abundance of (already breached) information available.

How the losses are allocated is normally kept pretty quiet, but my guess is that if the banks can charge back a merchant, they are doing so. But if the truth were to be told, these losses are eventually being charged back to all of us in the form of higher prices.

There are also customers stating that their fraud claims have been denied, and they are stuck with the loss. This can be especially true with debit-cards, if the loss isn't reported promptly.

Should everyone involved fail to solve this problem by themselves, my guess is that legislation will be the next step. After all, one of the most important asset in any business is the "trust and confidence" of their customers.

Here is a previous post, I wrote on this subject:

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

Saturday, January 06, 2007

Is Bashing DHS for the Swift Raids Fair?

Suad Leija (courtesy of YouTube)

Recently, there were a lot of people bashing DHS because of the raids at the Swift meat packing plants. There were allegations that only 65 of those "detained" were charged with crimes, and that everyone else was "hard working and innocent." Of note, the associated press just reported that this number is up to 220, and DHS is still investigating. Just being here "illegally" is considered an "administrative matter," and not a "crime."

AP update, here.

Could this mean that some of the "fake identification" is of such "high quality" that it's taking time to establish criminal activity? It also might point out that the rights of those being charged are being considered, carefully.

After all, we live in a country, where people have rights.

DHS has maintained that the raids were part of a much larger investigation into organized crime and the mass production of fake identification.

I've always taken the stance that I have nothing against hard working people trying to make a better life for themselves, but that we can no longer afford to let criminals control our borders.

And besides hard-working citizens having their identities stolen, and used for illegal purposes, we have to consider the threat to national security. In 9-11 - several of the terrorists involved - used forged documents to enter the country and obtain legitimate identification.

In July, I did a post about how organized the mass production of fake identification is. According to the stepdaughter of one of the ringleaders of the organized crime ring behind it - they consider terrorism an "American problem."

The stepdaughter (Suad Leija) is now making the "YouTube" arena, and you can hear what she has to say, here.

CNN also did an interesting story (available on YouTube), which shows how easy it is for "anyone" to get fraudulent identification, here.

Also included is a lot of evidence that some of this fake identification is so good, it easily passes muster at a border crossing, or airports. Of note - the video shows card reading technology used a liquor store - which catches a lot of these fakes and points out that it isn't in use at our airports, or borders?

Maybe this is something DHS could look into, further?

I also did a post - where a writer from Colorado - who is an identity theft victim wondered aloud - if she was one of the people arrested at Swift?

I wonder if any of the critics of the Swift raids has had their identity stolen, and if this became the case, they would be so quick to judge the actions of DHS?

Thursday, January 04, 2007

Should cats be issued credit cards?

In order to protect her privacy, my daughter used to use the dog's name to register on websites fond of data mining personal information (smart kid). Shortly thereafter, our dog (Oliver) started receiving a lot of junk mail. Included were pre-approved offers for credit-cards.

All of this correspondence went directly into a shredder and we had a good laugh about it. I had to "coach" my daughter not to use our "actual address" and the problem stopped.

Now Reuters is reporting that a woman in Australia used her cat's name to apply for a secondary credit-card, and was able to get a new account for the feline. The stated reason she did this was to prove that it's too easy to commit credit-card fraud.

Reuters quoted the woman (Katherine) as saying:
You don't need to hack into the internet when you can just steal someone's credit card number and create a card for yourself."

In fact, had Messiah been a fraudster - and not a feline - Katherine wouldn't even have known the card existed.

I wasn't notified that a second card had been issued. Messiah could have put a different address and the card would have been sent there and I wouldn't have known. If it's that easy for a cat to get credit, imagine what a dog could get.
Reuters story (courtesy of IBN), here.

There was another story, I blogged about, where journalists tested how much security there is when a credit card is issued:

Ever Wonder How Well the Credit Card Companies Protect Your Personal Information?

But my favorite story about credit being issued "too easily" (along with pictures) comes from Rob at, which can be seen - here.

Credit card fraud is a serious problem, which causes a lot of "pain and suffering" to anyone unfortunate enough to be impersonated.

Wednesday, January 03, 2007

Medical Identity Theft Could Kill

Recently, I've seen a lot written about Medical Identity Theft. There seems to be a lot of people getting bills for medical procedures they never received and subsequently going through a lot of "pain and suffering" to clear their good names.

And (it seems) organized criminal are getting involved in the activity, probably because it's a "profitable" enterprise with little danger of getting caught.

BusinessWeek online did an interesting article about this, where they said:
Yet the thief isn't always an individual desperately needing medical care. In some instances, the perpetrator can be a doctor hoping to pad his or her income by filing fraudulent claims. Even worse, law enforcement authorities say that more and more frauds are being perpetrated by organized crime rings who steal dozens, and sometimes thousands, of medical records, as well as the billing codes for doctors. The rings then set up fake medical clinics—offering free health screenings as a ruse to draw in patients—that submit bogus bills to insurers, collect payments for a few months, and then disappear before the insurers realize they've been had. (Dixon notes that health records now fetch $50 to $60 each on the black market, vs. a mere 7 cents for stolen résumés.)

BusinessWeek online article, here.

The BusinessWeek article quotes Pam Dixon, executive director of the World Privacy Forum, and rightfully so. The World Privacy Forum (to the best of my knowledge) was the first to call out this growing problem and has done quite a bit of work to determine the extent of it.

They have an entire page devoted to it on their site, here. I highly recommend it for anyone, who is, or might become a victim of this growing trend.

Based on their research, they have presented some key recommendations:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Victims of medical identity theft should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy.

The World Privacy Forum has also presented their finding to several government agencies, including the FTC.

This problem goes beyond the financial implications of identity fraud because it could cause great harm to victims, who have had erroneous medical information put in their medical histories. People could be improperly diagnosed, which might (in an extreme case) lead to their demise.

I did a previous post:

Tell it to the Identity Theft Task Force

Since the Federal Identity Theft Task Force is soliciting information from the public - this would be an appropriate place for someone to voice their thoughts (recommendations) about medical identity theft.