Wednesday, February 28, 2007

Could the arrests in the Stop and Shop data breach indicate a tie to Armenian Mobsters?

( Photo courtesy of Stop & Shop and the Rhode Island Police)

Stop & Shop has recently been in the news because of a data breach, involving compromised debit and credit card information. The data breach was traced to PIN pads that had been mysteriously replaced.

To read my original post on the Stop & Shop data-breach, link here.

Monday night, Stop & Shop employees spotted four individuals attempting to remove PIN pads at one of their stores. Police were notified, store video was shared with them, and four arrests were eventually made.

After the disclosure, Stop & Shop bolted down the PIN pads at all their stores. Some believe this helped slow the crooks down long enough to be noticed.

Despite this, some alert employees certainly deserve some recognition.

The Rhode Island police published some of the video stills of the suspects in action, here.

Ray Henry of the AP is reporting:

The men were arrested Monday night while attempting to switch keypads at a store in Coventry, police said. A store security officer called police after employees noticed one suspect trying to remove a keypad while two others were seeking to distract workers.

Arutyun Shatarevyan, 20, Mikael Stepanian, 28, Gevork Baltadjian, 20, and Arman Ter-Esayan, 22, were arrested and charged with conspiracy, computer theft and fraud. They were scheduled to be arraigned Tuesday afternoon in Kent County District Court.
Data breaches have become a huge issue, with new reports surfacing (it seems) every week. Over 100 million Americans have had their information compromised since 2005, according to the Privacy Rights Clearinghouse, which has maintained a chronology of these occurrences.

AP story, here.

Interestingly enough, the arrested individuals are from California. Judging by their surnames, they are of Armenian descent. This brings to mind a previous breach, where two fraudsters were charged after a data breach at Dollar Tree - they were also from California and have Armenian surnames.

Parkev Krmoian was arrested in the Dollar Tree episode and (at the time), a picture of his friend was being circulated (who was still at large), here.

Armenian organized crime is a big problem in Glendale (where Krimoian was from), and they are known to be involved in "lucrative white collar crimes," such as credit-card fraud. Glendale and Hollywood in Southern California has the largest Armenian population outside of Armenia.

If you are interested in learning more about Armenian organized crime, ARMENIANDIASPORA.com has a nice little write-up, here.

Placing skimming devices in public places is a growing phenomenon, Tom Fragala (MyTruston) did a great post on this (with video), here.

The video is pretty amazing!

Sunday, February 25, 2007

MyTruston, a privacy friendly identity theft prevention/recovery service based on trust


Tom Fragala, CEO of MyTruston (Identity Theft Prevention and Recovery Services) has created a service for identity theft victims, where they don't have to put all their personal information (which was used to steal money) on another database.

This makes a lot of sense, when databases seem to be compromised, weekly. The Privacy Rights Clearinghouse has ample evidence supporting this in their chronology of data breaches, here.

The concept behind MyTruston is that preventing identity theft should be free. People only have to pay (if and when) they become a victim, and only do so, while in the recovery process.

In a recent conversation with Tom, I asked him what would happen if someone suspended the service, and changed their mind, later. He told me that the system would retain all their information, and they could start all over (as if they never left). Since identity theft can (raise it's ugly head over and over again) when new fraudulent accounts are opened, this is a pretty customer friendly feature.

Most of the current identity theft services count on a person paying for them over a long period of time, whether they use it, or not. In fact, these services are probably betting on making a lot of money from people, who never use them.

Additionally, with most of these services, you aren't covered unless you've paid the up-front premiums.

With MyTruston, the prevention part is free, and if you need to recover; you'll spend a lot less money and do it the right way (the first time). For $19.99 a month, that's a pretty fair deal.

There must be a lot of people not buying some of the current services on the market. Out of 205 million active credit customers, less than 5 percent subscribe to a service. This tells me that a lot of people aren't buying some of the services out there, but still might benefit from one.

Studies indicate that 1 in 5 of us has been a victim of identity theft in the past five years. People need to be able to go somewhere, they can both trust and takes care of the problem at a reasonable price.

MyTruston delivers this, and the service was designed by someone (Tom Fragala), who had a personal experience with identity theft. Many of the key principles behind the service, were based on his experience (as well as) more than a 1000 hours helping other victims.

The service is easy to use (I tested it myself) and it walked me through each recovery step. A person can stop in the process anywhere, and it automatically reminds you where you left off.

Tom is currently working on developing protection for more sophisticated forms of identity theft, and plans to roll them out in the near future. These forms of identity theft, which sometimes aren't very apparent, have been the subject of a lot of speculation, recently.

Identity theft is a problem that isn't going to disappear very soon.

Given current trends, Thomas Harkin (former director of Mastercards fraud division) recently predicted the problem could grow as much as 20 times in a USA Today article. One of the reasons for this is only an estimated 6 out of a 100 criminals stealing people's identities ever get convicted.

You can take a look at MyTruston, here.

Tom is also a fellow blogger, and covers this subject (identity theft) on his blog. I read and link to what he says, frequently.

Saturday, February 24, 2007

FBI issues vishing alert

Vishing is a term used when people are tricked into giving up their personal details to criminals over the telephone.

Many believe it is being enabled by VoIP technology, which has made calling long distance cheap.

The FBI is reporting:

It’s one of the latest breakthroughs in telecommunications—Voice Over Internet Protocol, or VoIP, which enables telephone calls over the web.

And guess who’s hopping on the VoIP bandwagon along with millions of legitimate customers? Criminals, that’s who. They’re using the technology to hijack identities and steal money. It already has a name: “vishing.”

FBI vishing warning, here.

The term vishing comes from phishing, which is still a growing problem. The Anti-Phishing Working Group tracks phishing statistics, which go up (it seems) every time they issue a report.

I've yet to see any statistical analysis on vishing, but it seems to be a growing problem, also.

Legitimate companies don't contact people (unsolicited) and start asking for all their personal and financial details.

Vishing can be reported to the FBI, here.

Monster lure used to install malicious code

Spoofed (spam) e-mails, claiming to be from Monster (the popular job site) are being used as a lure to install malware on computers.

The good people at Websense are reporting:
Websense® Security Labs™ has discovered emails that attempt to lure users to click on a link in order to upgrade their system security. The emails, which are spoofed from Monster, are written in HTML and claim that Monster systems have been upgraded and that users need to download a certified utility to be able to use Monster. The domain name that the emails point to are using five different IP addresses. Upon connecting to one of the IP addresses, the code is run, several files are downloaded and installed on the user's machine, and another file is downloaded and installed from a server in Denmark. The files appear to be designed to steal end-user information.
Websense alert, here.

Stealing end user information means that anyone unfortunate to have this code installed on their machine could become an identity theft victim.

Clicking on a link from an unsolicited e-mail can be dangerous. Of course, it also pays to have your computer protection up-to-date.

These types of lures to defraud people are known as social engineering. Wikipedia has an excellent article about social engineering, here.

Unfortunately, this isn't the first time a job site has been used as a vehicle to commit fraud.

Criminals often steal personal information posted on job sites, or trick people into giving it up by pretending to offer them a job. Another well known scam involving job sites is where people are recruited to negotiate fraudulent financial instruments (launder stolen money) and wire the money back to their (questionable employers).

Sometimes these financial instruments are outright counferfeits, also.

The Privacy Rights Clearinghouse has information on how to avoid fraud on job sites, here.

Thursday, February 22, 2007

Tax Refund Loans attract fraudsters

There are a lot of people trying to scam tax preparers and the government.

Part of the problem is that W-2 forms are easily purchased at just about any Office Supply store and forged.

KGO, San Francisco (Alan Wong) reports:

The latest trend in tax fraud has made its way to the Bay Area and it could be costing the federal government millions.

People are being enticed to cheat Uncle Sam and then split the take.
The goal is to get these tax preparers to give them a loan (refund anticipation type) and walk out with about $6,000 - $8,000 in cash.

Fraudsters recruit low income/unemployed people to go in with the forged W-2s and get these loans.

KGO story, here.

Of course, those who get recruited will end up holding the bag if the IRS discovers this happening and takes the matter for prosecution. My guess is the people recruited will bear the brunt of any punishment because their information is being used, and the fraudsters (recruiters) will disappear in the mist.

These recruiters can be reported to the IRS, here. Of note, they mention that anyone reporting criminal activity might be entitled to a reward.

Here is a previous post, which covers all the scams the IRS looks for this time of year:

Don't be lured with promises of something too good to be true when filing your taxes

Identity theft is also becoming an issue when people try to file their taxes. A lot more than W-2s are being counterfeited these days.

News 25 (Peoria) is reporting how people are going to file their taxes and discovering someone else has already filed using their social security number.

News 25 story, here.

I wonder who will be liable for all the problems a taxpayers faces if their identity is stolen, and someone issues one of these handy dandy refund anticipation loans to a fraudster?

Unfortunately, my guess is that the identity theft victim will suffer the most.

Clearing up problems with the IRS can be a painful experience.

Tuesday, February 20, 2007

Counterfeit Check (Cheque) Scams are all over the Internet

The amount of counterfeit checks (cheques) being circulated via various Internet scams, and even the classifieds (paper media) is on the rise.

A new trend is also being seen, where people are getting these counterfeits items in the mail (unsolicited). Some of us, who watch this closely, suspect they are data mining information off job sites, like Monster.com and Craigs List.

Last April, I did a post about a Better Business Bureau (BBB) employee, who got a lot of negative attention after she accepted a job to cash bogus intruments and send the money overseas.

Common scams in which these checks are sent for someone to cash and wire the money back to fraudsters are the check cashing (job), lottery, auction, secret shopper, romance and Nigerian letter varieties.

According to the National Consumers League, counterfeit checks schemes rank near the top of the scams reported to them by victims.

High quality counterfeit money orders and travelers/gift cheques are making the Internet fraud scene, also. In the recent past, these have included Postal Money Orders, Travelers Express (MoneyGram) Money Orders and most recently, American Express Gift Cheques.

The NCL has an interesting page on their site about the most prevalent scams reported to them in 2007, here.

And don't expect the bank to tell you (whether or not) a check is good. Since they have no liability in the matter, they will often say the item is good, give you provisional (temporary) credit, then take the money away from you when it is determined to be a fraud.

Here is a previous post about how this occurs:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

Some of these scams direct you to places like Walmart to cash the item, and wire the money back to them, also. I've had readers leave comments and send me e-mails about getting arrested after attempting to pass one of these items at Walmart.

Before we smear Walmart, consider that with the amount of these items in circulation, its getting harder and harder to determine, who is and who is not, really a victim.

Check fraudsters are now posing as victims, and are scamming the scammers by cashing the items. If they are caught, they claim to be innocent victims.

I've personally spoken to a few of these alleged victims, and for some reason; they never seem to have wired (or sent) any of the money back?

Interestingly enough, the scammers love to direct people to Walmart (probably because they cash checks and wire money), but they could care less if you get arrested.

The bottom line is that even if the check is initially considered good, it can easily return, and the person passing it is held responsible.

Deb Radcliff (cybercrime author) did an interesting blog post about how law enforcement, and the companies having their brands used on these checks aren't going after the cuplrits, here.

Unfortunately, they normally don't have much to go on, and the crime is normally initiated from a foreign country.

Another sad statistic, the Stop and Shop data breach

Last weekend, Stop and Shop (Quincy, MA) reported a data-breach at two of their stores in Rhode Island. After an initial investigation, they tracked the theft to two pin-pads.

Consumer Affairs has the most informative story (my opinion) on this current breach. They are reporting that with the assistance of the Secret Service, four more compromised pin-pads have been identified (all in the Rhode Island area).

Martin H. Bosworth makes an interesting point in his article that the United States hasn't been as proactive as our European friends in instituting new technology to stop debit/credit card fraud, such as chip and PIN.

Of course, implementing PCI data protection standards are not exactly 100 percent, either.

PCI data protection standards were implemented by the payment card industry, and even when they are violated, the only consequence seems to be that the merchant will be fined. The standards are designed to stop merchants from storing information they aren't supposed to.

Consumer Affairs story, here.

Of interest (in this case) is that (it appears) PIN pads were tampered with inside the stores, which makes me wonder if there is some sort of inside connection?

Tom Fragala (CEO, Truston Identity Theft Services) did a recent post on his blog, where he linked to a video on how easily a remote ATM machine can be compromised in a store, here.

Of note, Truston is the only service for victims (that I know of), where someone doesn't have to submit all their personal information to a database, which could be compromised, also.

This is a good video, but note the ATM was in a pretty concealed area, and I'm guessing that these pin-pads were in the check out lanes in stores?

Attrition.org and PogowasRight provide information on data breaches (frequently updated), here.

Someone should start a chronology of how many of the people stealing this information get caught. Unfortunately, the list wouldn't be very long.

*(Update): I must have missed that Attrition.org is recording arrests, but the results are not encouraging.

The most recent news about legislation to protect the people being victimized by this growing problem isn't good.

A recent article by Scott Bradner (Network World) about how special interests are preventing the passage of any meaningful legislation argues this point, eloquently:

The Leahey privacy bill: coddling the criminals?

Sunday, February 18, 2007

Buying drugs on the Internet could be hazardous to your health

I normally write about Internet fraud, which is enabled (a lot) by spam e-mails attacking our in-boxes on a daily basis.

A lot of these spam e-mails are trying to sell drugs.

The FDA is now warning all of us that buying these drugs from questionable sources could be hazardous to your health.

This makes this issue more serious than losing a little money!

From their press release on the matter:
The Food and Drug Administration (FDA) has become aware that a number of Americans who placed orders for specific drug products over the Internet (Ambien, Xanax, Lexapro, and Ativan), instead received a product that, according to preliminary analysis, contains haloperidol, a powerful anti-psychotic drug.

Reports show several consumers in the United States have sought emergency medical treatment for symptoms such as difficulty in breathing, muscle spasms and muscle stiffness after ingesting the suspect product. Haloperidol can cause muscle stiffness and spasms, agitation, and sedation.

Therefore, the agency is reissuing its warning to consumers about the possible dangers of buying prescription drugs online. FDA urges consumers to review the FDA Web site for information before buying medication over the Internet.

FDA press release, here.

My advice is to anyone, who cares to listen, is get your prescriptions from your own doctor and fill them at your local pharmacy.

The FDA has a lot more material on how to avoid problems, such as this one, on their main website, here.

Just how many computer records have been compromised?

Just yesterday, I ranted about statistics and how (for the right amount of money) some of them are manipulated to lead people to a particular conclusion.

To counter some recent statistical analysis, I used the Privacy Rights Clearinghouse's, "chronology of data-breaches." Please note, they have a disclaimer on this page clearly saying that their figures are merely an estimate.

This morning, I was reading the "Chronicles of Dissent," which is a new site (off-shoot of PogowasRight.org) and I saw (what I consider) a very interesting post.

100 million records exposed? Nope, make that 1.76 billion and counting.

Apparently, this will be an upcoming topic at the Stanford Law School. I'm going to refrain from my usual "rolling commentary" because I truly feel people should read this post.

PogowasRight is now listed on the data-theft chronology put out by the Privacy Rights Clearinghouse as a resource.

For anyone interested in privacy, both these sites are an excellent place to educate yourself.

Saturday, February 17, 2007

Why don't all the identity theft statistics say the same thing?

Consumer Affairs wrote an interesting article about all the recently released identity theft surveys.

Martin H. Bosworth reports:

The financial services industry, hoping to befuddle the new Congress, has been busily laying down a smokescreen claiming that identity theft is on the wane.

But the Federal Trade Commission's latest compilation of consumer complaints and a survey by the National Crime Prevention Council should do much to clear the air.

Martin's article, here.

Who should we believe, the government, or the financial services industry?

The civil servants behind the government surveys have no financial interest in all of this. On the other hand, the financial services industry have a huge financial interest. At least as long as they can still profit by writing all the losses off.

It's going to cost them some of their (hefty) profit margins to properly protect all the information they've been data-mining on all of us for decades. It also might force them to be more responsible when selling their products.

Interestingly enough, privacy and consumer advocates all seem to agree with the government.

Of course in any statistical analysis, there are a lot of unknowns. The Privacy Rights Clearinghouse regularly updates their statistics about how many people's personal information has been compromised in February, 2005.

They admit that their analysis might not be 100 percent accurate when they state:

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals. In reality, the number given below is much larger. For many of the breaches listed, the number of records is unknown.
It's also come to light recently that there is a flourishing market on the Internet, selling personal and financial information (wholesale), in underground chat-rooms.

This might support some of the data the Privacy Rights Clearinghouse has been compiling.

Of course, the people involved in this activity are unlikely to comment, or provide statistics of their own. I don't think it would be in their best interest to do so.

Doing so, might hurt their money flow, or cause them to lose their freedom.

The problem is that too many people have financial interests in what some of these surveys are selling to the public.

I think the Latin phrase, caveat lector (reader beware) certainly applies in this instance. I have a hard time believing what I read in some of this statistical analysis.

Thursday, February 15, 2007

Is Julie Amero (in reality) another victim of Internet crime?

Internet crime is a growing problem. Every week, we seem to read of large scale data breaches, and spam is filling up our inboxes, despite the spam filters designed to stop it.

The spam getting past these filters is often riddled with deceptive lures (links) to all sorts of porn sites. In turn, these sites often infect machines that aren't properly protected with adware, spyware, malware and even crimeware.

So far as properly protecting our machines, this can be a chore, also. It requires frequent updates, and new exploits are discovered all the time.

Sometimes even legitimate sites are hacked and people get infected just by surfing, or visiting (what they think) is a trusted site.

Criminals of all sorts, including those of an organized nature are getting involved in Internet crime. In fact, many believe the problem is growing because very few get caught, and even if they do, very little happens to them.

I was amazed when I got an e-mail from Alex Eckelberry (CEO Sunbelt Software) that a substitute teacher (Julie Amero) had been convicted for some porn that had shown up on a classroom computer.

A jury has already found her guilty and she could face up to 40 years in prison. Even worse, it appears the stress of the trial may have caused her to have a miscarriage.

Is her conviction a miscarriage of justice? Many computer experts (including Alex) seem to think so.

Alex writes a very convincing argument, where he states:
When I first read of the case, my reaction was how illogical it all sounded: A middle-aged, substitute female teacher accessing porn on a classroom computer, in front of her students on one particular day? It made no sense.
He's right, it doesn't make sense.

An article from the Norwich Bulletin stated that:

Computer expert W. Herbert Horner, testifying in Amero's defense, said he found spyware on the computer and an innocent hair styling Web site "that led to this pornographic loop that was out of control."
"If you try to get out of it, you're trapped, according to Horner."

Anyone, who has surfed the Internet knows there are a lot of malicious sites designed to lure people to click on them, using seemingly innocent lures.

She was also convicted on testimony that she must have had to physically click on the sites in question. According to Alex and other computer security experts, the pop-ups from these sites leave the same imprint as if they had been physically clicked on.

Alex wrote in the Norwich Bulletin:

The computer was also found to be riddled with spyware -- programs that generate popups and degrade system stability.

Spyware may or may not have played a direct part in this incident, but the fact it was on the system creates additional damning evidence of the state of this computer system. What is extraordinary is the prosecution admitted there was no search made for spyware -- an incredible blunder akin to not checking for fingerprints at a crime scene.

Alex also states that this was an old system, without adequate protection, despite the fact that federal law mandates that it should have been in place.

Julie, herself claims the website in question was accessed by students when she went to the restroom. When she noticed it, no matter what she did, more pop-ups would surface.

More on Herb Horner's analysis (courtesy of the Sunbelt blog), here.

In a criminal case, the standard is that a person should be found innocent if there is reasonable doubt. After reading about this case, it makes sense to me, that we have a lot of reasonable doubt that Julie is guilty.

At best, the investigation used to convict her seems to have been poorly researched, and therefore, flawed.

Porn is a big component of Internet crime, which according to a WebMD survey reaches a lot of children. This research was conducted by interviewing children, themselves.

Some of the children interviewed were the same age as the ones in Julie's class that day.

Survey, here.

So far as a connection to real (organized) crime, porn was allegedly one of the Gambino crime families biggest earners ($350 million).

Besides being unjust, going after Julie Amero, is a big waste of resources (taxpayer dollars) that could be put to better use.

Wednesday, February 14, 2007

Valentine's Day Virus moving quickly across the Internet

Sophos is reporting a nasty virus, which if downloaded, sends more e-mail to everyone in your address book.

They suspect that the worm opens a gateway, which will allow your computer to be turned into a zombie and be used to send more spam e-mails.

Here is a portion of the alert from Sophos:
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread worm posing as a St Valentine's Day greeting which is spreading fast across the internet

The W32/Dref-AB worm has been deliberately spread via email in readiness for office workers and home computer users to find the malicious Valentine email in their inbox first thing in the morning. Since midnight GMT the Dref-AB worm has accounted for 76.4% of all malware sighted at Sophos's global network of virus monitoring stations.

Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".
Sophos alert, here.

Spam is getting out of control and seems to be defeating spam filters (too often). Here is more evidence of this problem:

2006 was the Year of Internet Crime - 2007 is predicted to be even worse

Spoofed (counterfeit) BBB e-mails contains virus

If you get an e-mail from the Better Business Bureau stating you have received complaints don't click on the link to view them.

Annys Shinn (Washington Post) is reporting:

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

Washington Post article, here.

Wandering to the BBB site to see what they had to say, I found a little more information. Apparently, if you click on the link, it downloads an executable file, believed to contain a virus.

The BBB and others are calling this a phishing attempt, but in phishing the intent is normally to get the user to provide personal, and or financial information to the sender. Since this doesn't seem to be the case, and no one is saying exactly what the executable file (virus) is, this doesn't appear to be phishing.

It will be interesting to see exactly what this executable file does, but some computer viruses (crimeware and malware) download keyloggers, which log a person's keystrokes and are used to steal personal and financial information.

Other computer viruses might turn a computer into a zombie, which allows someone else to use it for their own purposes (sending spam or denial of service attacks). Zombie computers are formed into what is known as botnets (groups of zombie computers), which are used for illicit purposes by their "controller."

You can download a lot of nasty things by clicking on something from someone you don't know. And the people behind it like to spoof well known entities, such as the BBB. Organizations from eBay to the FBI have been spoofed in the past.

Example of spoofed e-mail from the BBB site:

From: operations@bbb.org [mailto:operations@bbb.org]
Sent: Tuesday, February 13, 2007 6:06 AM To: XXXX
Subject: BBB Case #263621205 - Complaint for XXXX

Dear Mr./Mrs. XXXX

You have received a complaint in regards to your business services. The complaint was filled by Mr. XXXX on 02/05/2007/

Use the link below to view the complaint details:

DOCUMENTS FOR CASE #263621205

Complaint Case Number: 263621205
Complaint Made by Consumer Mr. XXXX Complaint
Registered Against: Company XXXX
Date: 02/05/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

DOCUMENTS FOR CASE #263621205

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

Tuesday, February 13, 2007

Don't be lured with promises of something too good to be true when filing your taxes

Tax season brings with it all kinds of fraud. A lot of immoral sorts try to get someone to fall for something that's too good to be true. They get away with it because people are afraid of what they might owe, or they take advantage of what I call the "greed factor."

One thing is certain, if you fall for their promises, you're going to be left holding the bag. This means financial hardship (at a minimum) and could mean incarceration (jail).

I firmly believe that education is the best weapon against fraud. And the best places to educate yourself about tax fraud is none other than the IRS website, itself.

They keep a close eye on trends involving tax fraud and publish the information for free.

On February 7th, they published the 2007 "Dirty Dozen Tax Scams."

Here are the 12 most prevalent scams, according to the IRS:

1. Zero Wages. In this scam, new to the Dirty Dozen, a taxpayer attaches to his or her return either a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 that shows zero or little wages or other income. The taxpayer may include a statement indicating the taxpayer is rebutting information submitted to the IRS by the payer. An explanation on the Form 4852 may cite "statutory language behind IRC 3401 and 3121" or may include some reference to the paying company refusing to issue a corrected Form W-2 for fear of IRS retaliation. The Form 4852 or 1099 is usually attached to a “Zero Return.” (See number four below.)

2. Form 843 Tax Abatement. This scam, also new to the Dirty Dozen, rests on faulty interpretation of the Internal Revenue Code. It involves the filer requesting abatement of previously assessed tax using Form 843. Many using this scam have not previously filed tax returns and the tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses the Form 843 to list reasons for the request. Often, one of the reasons is: "Failed to properly compute and/or calculate IRC Sec 83––Property Transferred in Connection with Performance of Service."

3. Phishing. Phishing is a technique used by identity thieves to acquire personal financial data in order to gain access to the financial accounts of unsuspecting consumers, run up charges on their credit cards or apply for new loans in their names. These Internet-based criminals pose as representatives of a financial institution and send out fictitious e-mail correspondence in an attempt to trick consumers into disclosing private information. Sometimes scammers pose as the IRS itself. In recent months, some taxpayers have received e-mails that appear to come from the IRS. A typical e-mail notifies a taxpayer of an outstanding refund and urges the taxpayer to click on a hyperlink and visit an official-looking Web site. The Web site then solicits a social security and credit card number. In a variation of this scheme, criminals have used e-mail to announce to unsuspecting taxpayers they are “under audit” and could make things right by divulging selected private financial information. Taxpayers should take note: The IRS does not use e-mail to initiate contact with taxpayers about issues related to their accounts. If a taxpayer has any doubt whether a contact from the IRS is authentic, the taxpayer should call 1-800-829-1040 to confirm it.

4. Zero Return. Promoters instruct taxpayers to enter all zeros on their federal income tax filings. In a twist on this scheme, filers enter zero income, report their withholding and then write “nunc pro tunc”–– Latin for “now for then”––on the return. They often also do this with amended returns in the hope the IRS will disregard the original return in which they reported wages and other income.

5. Trust Misuse. For years unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits, and the IRS is actively examining these arrangements. There are currently more than 200 active investigations underway and three dozen injunctions have been obtained against promoters since 2001. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

6. Frivolous Arguments. Promoters have been known to make the following outlandish claims: the Sixteenth Amendment concerning congressional power to lay and collect income taxes was never ratified; wages are not income; filing a return and paying taxes are merely voluntary; and being required to file Form 1040 violates the Fifth Amendment right against self-incrimination or the Fourth Amendment right to privacy. Don’t believe these or other similar claims. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.

7. Return Preparer Fraud. Dishonest return preparers can cause many headaches for taxpayers who fall victim to their schemes. Such preparers derive financial gain by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Taxpayers should choose carefully when hiring a tax preparer. As the old saying goes, “If it sounds too good to be true, it probably is.” And remember, no matter who prepares the return, the taxpayer is ultimately responsible for its accuracy. Since 2002, the courts have issued injunctions ordering dozens of individuals to cease preparing returns, and the Department of Justice has filed complaints against dozens of others. During fiscal year 2005, more than 110 tax return preparers were convicted of tax crimes.

8. Credit Counseling Agencies. Taxpayers should be careful with credit counseling organizations that claim they can fix credit ratings, push debt payment plans or impose high set-up fees or monthly service charges that may add to existing debt. The IRS Tax Exempt and Government Entities Division is in the process of revoking the tax-exempt status of numerous credit counseling organizations that operated under the guise of educating financially distressed consumers with debt problems while charging debtors large fees and providing little or no counseling.

9. Abuse of Charitable Organizations and Deductions. The IRS has observed increased use of tax-exempt organizations to improperly shield income or assets from taxation. This can occur, for example, when a taxpayer moves assets or income to a tax-exempt supporting organization or donor-advised fund but maintains control over the assets or income, thereby obtaining a tax deduction without transferring a commensurate benefit to charity. A “contribution” of a historic facade easement to a tax-exempt conservation organization is another example. In many cases, local historic preservation laws already prohibit alteration of the home’s facade, making the contributed easement superfluous. Even if the facade could be altered, the deduction claimed for the easement contribution may far exceed the easement’s impact on the value of the property.

10. Offshore Transactions. Despite a crackdown by the IRS and state tax agencies, individuals continue to try to avoid U.S. taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance to do so. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions. During fiscal 2005, 68 individuals were convicted on charges of promotion and use of abusive tax schemes designed to evade taxes.

11. Employment Tax Evasion. The IRS has seen a number of illegal schemes that instruct employers not to withhold federal income tax or other employment taxes from wages paid to their employees. Such advice is based on an incorrect interpretation of Section 861 and other parts of the tax law and has been refuted in court. Lately, the IRS has seen an increase in activity in the area of “double-dip” parking and medical reimbursement issues. In recent years, the courts have issued injunctions against more than a dozen persons ordering them to stop promoting the scheme. During fiscal 2005, more than 50 individuals were sentenced to an average of 30 months in prison for employment tax evasion. Employer participants can also be held responsible for back payments of employment taxes, plus penalties and interest. It is worth noting that employees who have nothing withheld from their wages are still responsible for payment of their personal taxes.

12. “No Gain” Deduction. Filers attempt to eliminate their entire adjusted gross income (AGI) by deducting it on Schedule A. The filer lists his or her AGI under the Schedule A section labeled “Other Miscellaneous Deductions” and attaches a statement to the return that refers to court documents and includes the words “No Gain Realized.”

Two items fell off the list this year:
Two noteworthy scams have dropped off the “Dirty Dozen” this year: “claim of right” and “corporation sole.” IRS personnel have noticed less activity in these scams over the past year following court cases against a number of
promoters.

Dirty Dozen press release, here.

If you are a victim of one of these scams, you can report it, here.

Notably, they mention that reporting a scam might qualify you for a reward, but reporting one of these scams might (also) prevent someone else from becoming victimized.

There is also a lot of other free information and tools to do your taxes on the main IRS website, here.

Monday, February 12, 2007

Trooper discovers a lot of counterfeit instruments used to commit identity theft/financial fraud

I recently did two posts:

Is tracking fraudulent refund information effective and could it be putting people at risk of becoming an identity theft victim?

Paper weapons (counterfeit documents) enable more serious crimes than illegal immigration and identity theft

I wrote both of these to show how easy criminals seem to be getting around existing systems designed to stop them.

Here is a rather obscure story that illustrates how widespread counterfeit identification and the use of other people's identities to commit crime might be.

Santiago Esparza of the Detroit News reports:

Troopers with the Michigan State Police Richmond Post stopped a man and a woman on eastbound Interstate 94 near Joy Road and discovered much more than two people not wearing seat belts.

The troopers found dozens of driver's licenses, social security cards, credit cards, debit cards and check cards. The troopers also found checks, check registers and other items that could be used to purchase items with fake identification, according to a Michigan State Police press release issued today.

Santiago's story, here.

I doubt if the two people were using their own identities to purchase, or return merchandise. IT also doesn't look like they had a problem getting a lot of other people's information to use for illicit purposes.

Sunday, February 11, 2007

Information Week exposes the Internet Underworld

With the TJX data breach fresh in the news, Larry Greenemeier and J. Nicholas Hoover (Information Week) have written one of the most informative articles to date on the hacker underworld.

They are warning us that:

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.

The article covers the mysterious carder forums - where other people's financial information is bought and sold and how the information is paid for (wire transfer, PayPal, e-gold). It also shows how they avoid detection by anti-money laundering laws by what is know as "layering" (splitting up large sums into smaller ones).

There is also interesting information about the shady world where malware (crimeware) is being produced to steal the data.

Information Week article, here.

In case you were interested, here is how much (roughly) this information is being sold for:

The Black Market

$980-$4,900
Trojan program to steal online account information

$490
Credit card number with PIN

$78-$294
Billing data, including account number, address, Social Security number, home address, and birth date

$147
Driver's license

$147
Birth certificate

$98
Social Security card

$6-$24
Credit card number with security code and expiration date

$6PayPal
account logon and password

Data: Trend Micro

The conclusion of the article isn't new, which is that the business world needs to protect it's data better and law enforcement faces obstacles in going after borderless crimes. Until laws are enacted, which allow the problem to be solved, it will likely flourish and grow.

Blaming FEMA for the fraud in Katrina isn't going to solve the problem

There is no doubt about it - the Katrina and Rita debacle - was NOT a shining moment in our nation's history. Fifteen months later as New Orleans prepares to celebrate "Fat Tuesday" (Mardi Gras), more allegations of fraud and mismanagement are coming to light.

Two reporters (Michelle Roberts and Frank Bass) of the AP wrote an interesting article about how FEMA now wants $300 million back in claims paid for households that didn't exist, according to official pre-hurricane census figures.

Even more interesting is that they did their own analysis using the federal Freedom of Information Act, which deducts that a lot more than $300 million might come out in the wash before all is said and done.

Here is what they said in their article:
But an Associated Press analysis of government data obtained under the federal Freedom of Information Act suggests the government might not have been careful enough with its checkbook as it gave out nearly $5.3 billion in aid to storm victims. The analysis found the government regularly gave money to more homes in some neighborhoods than the number of homes that actually existed.

The pattern was repeated in nearly 100 neighborhoods damaged by the hurricanes. At least 162,750 homes that didn't exist before the storms may have received a total of more than $1 billion in improper or illegal payments, the AP found.

Full story (ABC news version), here.

While there is no doubt a big problem exists, we need to put the overall issues in perspective and I'm not sure FEMA is entirely to blame.

David Garratt, FEMA's deputy director is saying that officials were in a "no win" situation. And while, I'm not here to defend FEMA, he probably has a valid point.

When the federal government got involved, fraud artists from all over the world were setting their sights on what they saw as a "lucrative opportunity."

A lot of the fraud that occurred didn't necessarily come from the areas affected by the hurricane.

Couple this, with a lot of pressure to right all the initial blunders in the disaster, which most of us were watching "live," and mistakes were made.

Sadly enough, fraud prevention systems in place, were deemed to cumbersome and disabled. Again, there was a lot of pressure (rightfully so) to take swift action to help a lot of people, who were in harm's way.

We can blame FEMA all we want, but the fact is that fraud is growing at a rapid rate, and the federal government isn't the only one with inadequate fraud prevention systems.

For example, in Southern California (pretty far from Louisiana), there was another interesting article about the taxpayers footing a $1.5 billion a year bill for fraud, here.

And while there seems to be a lot of government fraud, fraud in the private sector is growing by leaps and bounds, also. There is no doubt that identity theft (another growing problem) helped fuel the fraud in the hurricane disasters.

There is a lot of evidence to suggest that much of this fraud is enabled by information that has been data-mined on all of us, which isn't protected very well. Some suggest that technology and the information sector, which make a lot of money selling their wares are the root cause of all of this.

Unfortunately, those committing fraud are too keenly aware of this.

Blaming FEMA is unlikely to correct the overall problem. And if their fraud prevention systems were inadequate, perhaps we should be looking at who sold them the faulty systems?

Perhaps, when history is written, the Katrina disaster is a warning of the looming disaster we all face if we don't stop viewing fraud as a "victimless crime."

Fifteen months later (as Mari Gras approaches), there are still a lot of people suffering from the hurricane disasters.

If you would like to learn more about this, Margaret Saizan's site (Beyond Katrina) is a great resource.

I wonder how much good the money would have done for the true victims if it hadn't been stolen from underneath them?

Wednesday, February 07, 2007

Is tracking fraudulent refund information effective and could it be putting people at risk of becoming an identity theft victim?

The retail industry loses billions of dollars a year to fraudulent refunds.

Fraudulent refunds occur when retail crooks (shoplifters, bad check writers and credit card fraudsters) bring in stolen merchandise to convert into cash. To protect themselves, merchants have developed refund policies, which require that personal information be maintained in a database to identify retail crooks.

I believe the merchants, who came up with this idea, did so with honorable intentions. But is it possible that these systems are easily defeated and themselves might be attacked (hacked) for information they are storing?

The retail security industry has a new buzz word (organized retail crime). If these crooks are organized, my guess is that they are already using fake identification and other people's identities to return merchandise.

Refund data-bases might be full of information from some of the other data-breaches. Other people's information is used to commit a lot of credit/debit card and check fraud. In the case of fraudulent transactions at retailers - the criminals often refund the merchandise they purchase (with bogus financial instruments) to get what they really want, or cash.

And it wouldn't be very hard for them to get bogus information - personal and financial information is for sale in carder forums and fake identification is getting better and easier to obtain all the time.

Another thing to consider is that besides organized retail criminals, another huge loss factor for retailers happens when insiders (dishonest employees) steal from them. Like the external element, a lot of dishonest employees seek to steal cash, and one of the easiest means to do so is to do fraudulent refunds, themselves.

Given the new refund systems, they will have to come up with an identity to accomplish this. The easiest way to do this is to use a customer already in one of their data-bases, or even make up a name.

TJX (a merchant operating under many different names) recently enabled what a lot of experts believe will be the largest data breach to date. One of the databases compromised was their information on all the people, who had refunded merchandise at their stores.

Unfortunately for TJX and the retail industry - it now appears they were storing financial information that they shouldn't have been.

According to reports, TJX was storing payment card (credit/debit card) information they weren't supposed to be in violation of already established PCI data-protection standards. These standards are established by the payment card industry, themselves.

It seems odd to me that in light of all the data breaches, the industry is being allowed to police themselves. I wonder if an unbiased third-party (with no financial incentive) should be taking a look at the problem?

And even if the merchants bring their data protection standards up-to-par for payment cards - will the data being mined in the refund systems receive similar protection?

Guard My Credit File.org recently published a story about Federated requiring SSNs for refunds (courtesy of a blog post and later conversation with George at Fat Pitch Financials).

Apparently George's wife bought some merchandise off one of their websites with a gift card. She decided to return the jeans (for credit back to her gift-card) and when she went into a Federated store (Macys), she was asked for her driver's license and SSN to complete the transaction.

Please note, she had her gift-card and the receipt for her purchase. George eventually complained loudly enough that a manager relented and allowed the return without a SSN.

My guess is that criminals are furnishing fake SSNs (which are hard to verify) and only the honest customers are providing real ones.

Story, here.

As I stated earlier, tracking refund data was probably a good idea when it was first conceived, but I wonder how effective it is today? The data itself could be posing risks to anyone honest enough to give their real information, and criminals are likely using other people's information.

Sadly enough, recent data- breaches indicate that this (personal information) probably isn't very well protected. It's also sad that after spending millions of dollars to protect themselves with refund databases, the retailers have a product that might not be very effective and could become a customer trust issue.

There needs to be a better way to protect merchants and their customers from theft. Customers and retailers are both being victimized by what seems to be a growing problem.

Here is another post, I wrote on this same issue:

Are Retail Refunds Violating Customer Privacy