Friday, March 30, 2007

Did we waste too much time last week blaming TJX for the dark side of the Information Age?

With the (estimated) 45.7 million records being compromised in the TJX breach, everyone seems focused on placing blame on the retail industry.

We seem to quickly forget that others, including institutions of higher learning, the financial services sector and even the government, have been compromised pretty frequently, also. And even though massive data breaches facilitated by hackers make good press, the truth is that information is stolen on a less newsworthy basis, daily.

Brad Dorfman (Reuters) might have put it all in perspective when he wrote:
Consumers who want to be sure about protecting their personal data and preventing identity theft might need to pay solely with cash, shun retailer loyalty programs and only make returns when they have a receipt.

They might also need to stop paying taxes, serving their country and getting an education (my emphasis).

Brad's story about why retailers are one (my emphasis) of the targets, here.

Meanwhile the retail and financial services industries seem on the verge of fighting a battle of who should be (financially) responsible for all of this. Of course in the bigger picture, I can think of a few other industries to push the blame towards, also.

We spend a lot of effort and resources trying to spread out the financial burden of information theft. While this might be enabling some of those concerned (industries starting to point fingers) to keep writing the costs of information theft off, it isn't stopping very many of the facilitators.

I sometimes wonder how much better off we might be if we went after the facilitators more aggressively. Resources to do this are minimal, and if you don't believe me, ask any victim who tried to get something done with their individual case. Even better, ask someone who has the unfortunate job of trying to help some of these victims.

Until we make stealing information harder to do and start punishing the facilitators, problems associated with the dark side of the information age are probably going to continue to have an ever-growing financial burden.

In the criminal world, the 45.7 million compromised records were yesterday's opportunity. What opportunity are they exploiting right now?

Saturday, March 24, 2007

FBI is going after Internet crime in Russia and Romania

A lot of experts believe that carder forums (selling stolen personal and financial details) are run overseas by Romanian and Russian organized crime.

Nate Anderson (ars technica) wrote an interesting article about this, where he said:

One American in Virginia, who goes by the Internet nick "John Dillinger," agreed to cooperate with "vendors" from Eastern Europe. These groups "acquired" credit card numbers, then sent them by e-mail and instant message to Dillinger, who then encoded them onto credit cards. He then took these credit cards to ATMs and made cash withdrawals; a percentage of the money was then sent back to the "vendor" and Dillinger kept the rest. Dillinger was eventually busted by the feds, though, and was sentenced in February 2007 to 94 months in jail.

This is a good example of how the Internet is enabling a global identity theft crisis.

Apparently, the problem is big enough for the FBI to send assets to Romania and Russia to go after the problem.

Of course, since most of the stolen information comes from the West, I guess that it means the Russians and Romanians are sending assets abroad or recruiting them there, also.

Nate's article, here.

In the past few days, 6 arrests in Florida are being tied into the TJX data breach (which might be the largest known compromise to date).

Although no one seems to be saying for sure, I doubt the six arrested are the main players in the TJX breach. They probably purchased the information elsewhere.

The total damage being reported in the Florida case is $8 million. The case was identified when the perps made some (extremely) large gift card purchases.

Maybe that's why they got caught, or they got (slightly) greedy?

It also probably isn't entirely fair to keep publicizing the TJX breach. Personal and financial details have been stolen from a LOT of places. The known places can be viewed here.

This is a global problem and it's going to take a global effort to put a stop to it!

Thursday, March 22, 2007

SIRAS – Smart technology that protects profit and privacy

Organized retail crime, according to RILA (Retail Industry Leaders Association), is a $34 billion a year problem. A study at the University of Florida conducted by Dr. Richard Hollinger suggests that 9 percent of all refund activity or $16 billion is fraudulent.

At most merchants today, refunds are tracked with personal information. While this was effective 10 years ago, the information in the current databases might not be as accurate as it once was.

Personal and financial information is stolen and sold in a lot of places, most notably over the Internet. A perfect example is the recent compromise of consumer data at TJX stores. This information is turned into fraudulent identification and financial instruments and sold to criminals.

It is likely that criminals can assume multiple identities, using other people’s information to refund merchandise. In fact, payment (credit/debit) card and bad check fraudsters already demonstrate this ability on a daily basis.

With the negative publicity surrounding data breaches and identity theft, honest customers are nervous when asked to surrender their personal details. Recently, privacy groups and Senator Chuck Schumer have been openly critical of current systems, which gather personal information.

A company named SIRAS provides a means to protect an organization’s bottom line and its customer information, also. The way they do it is so simple, it’s brilliant. Instead of tracking personal information, SIRAS tracks the merchandise itself.

The SIRAS system captures the UPC and serial number of a product at the point-of-sale and creates an electronic receipt. This enables a merchant to determine exactly when and where it was sold AND how it was paid for.

SIRAS can tell when the merchandise was never purchased (stolen), or if it was purchased at another retailer. It also can identify counterfeit merchandise, price switching and altered/counterfeit receipts. Because it ties into a sales transaction, the system could also identify fraudulent forms of payment used to purchase the merchandise, or if the item has been a chargeback issue.

SIRAS makes it pretty hard to do a fraudulent refund. Getting a series of numbers to match can be extremely difficult, if not almost impossible.
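The item-level lookup described above, as an added sketch that is not SIRAS's code or API. Every class, field and retailer name is hypothetical, the sale records are constructed sample data, and the UPC-A check digit test is an extra sanity check the post does not mention.

```python
"""Return validation keyed on UPC + serial number instead of customer identity."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Verdict(Enum):
    APPROVE = "refund recorded price to original tender"
    MALFORMED_UPC = "UPC fails its check digit"
    NEVER_SOLD = "no sale on record (possibly stolen or counterfeit)"
    SOLD_ELSEWHERE = "sold by a different retailer"
    ALREADY_RETURNED = "this serial was already refunded"
    PAYMENT_DISPUTED = "original payment was fraudulent or charged back"
    PRICE_MISMATCH = "claimed price differs from the recorded sale"


@dataclass
class SaleRecord:
    """Electronic receipt created at the point of sale (hypothetical schema)."""
    upc: str
    serial: str
    retailer: str
    store: str
    sold_on: date
    price_cents: int
    tender: str                     # how it was paid for: "cash", "card", ...
    payment_disputed: bool = False  # set later if the tender turns out bad
    returned: bool = False


def upc_a_valid(upc: str) -> bool:
    """Check the standard UPC-A check digit (12 ASCII digits)."""
    if len(upc) != 12 or not (upc.isascii() and upc.isdigit()):
        return False
    digits = [int(c) for c in upc]
    # Odd positions (1st, 3rd, ... 11th) are weighted 3, even positions 1.
    total = 3 * sum(digits[0:11:2]) + sum(digits[1:11:2])
    return (10 - total % 10) % 10 == digits[11]


class ItemRegistry:
    """In-memory stand-in for the shared sale database."""

    def __init__(self):
        self._sales = {}

    def record_sale(self, sale: SaleRecord) -> None:
        key = (sale.upc, sale.serial)
        prior = self._sales.get(key)
        # The same serial sold twice without a return in between is a red flag.
        if prior is not None and not prior.returned:
            raise ValueError(f"{key} already sold and not returned")
        self._sales[key] = sale

    def check_return(self, retailer, upc, serial, claimed_price_cents):
        """Return (Verdict, SaleRecord or None) without changing any state."""
        if not upc_a_valid(upc):
            return Verdict.MALFORMED_UPC, None
        sale = self._sales.get((upc, serial))
        if sale is None:
            return Verdict.NEVER_SOLD, None
        if sale.retailer != retailer:
            return Verdict.SOLD_ELSEWHERE, sale
        if sale.returned:
            return Verdict.ALREADY_RETURNED, sale
        if sale.payment_disputed:
            return Verdict.PAYMENT_DISPUTED, sale
        if claimed_price_cents != sale.price_cents:
            # Altered receipt or switched price tag: the record wins.
            return Verdict.PRICE_MISMATCH, sale
        return Verdict.APPROVE, sale

    def complete_return(self, retailer, upc, serial, claimed_price_cents):
        """Run the checks and, only on APPROVE, mark the item as returned."""
        verdict, sale = self.check_return(retailer, upc, serial, claimed_price_cents)
        if verdict is Verdict.APPROVE:
            sale.returned = True
        return verdict


SAMPLE_UPC = "036000291452"  # constructed sample; passes the UPC-A check digit


def build_sample_registry() -> ItemRegistry:
    """Three constructed sales: a clean one, one at a rival, one with bad tender."""
    reg = ItemRegistry()
    reg.record_sale(SaleRecord(SAMPLE_UPC, "SN1001", "RetailerA", "store-12",
                               date(2007, 3, 1), 19999, "card"))
    reg.record_sale(SaleRecord(SAMPLE_UPC, "SN1002", "RetailerB", "store-03",
                               date(2007, 3, 2), 18999, "cash"))
    reg.record_sale(SaleRecord(SAMPLE_UPC, "SN1003", "RetailerA", "store-12",
                               date(2007, 3, 3), 19999, "card",
                               payment_disputed=True))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for serial, price in [("SN1001", 24999), ("SN1001", 19999), ("SN1001", 19999),
                          ("SN1002", 18999), ("SN1003", 19999), ("SN9999", 19999)]:
        verdict = reg.complete_return("RetailerA", SAMPLE_UPC, serial, price)
        print(f"{serial} claimed {price}: {verdict.name} ({verdict.value})")
```

No customer name, ID or card number is needed for any of these decisions; the refund desk only has to scan the item.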

The data is compiled into customized reporting tools, which can be leveraged to determine risk factors when merchandising products. These tools also have extremely useful applications from an intelligence (analysis) and investigation perspective.

Besides organized retail crime, the largest losses suffered by merchants are caused by internal theft. Fraudulent refunds, “sweetheart returns,” enable dishonest employees to steal cash, or issue credit to payment cards. Like their external counterpart, internal criminals now have to use personal information to prompt a point-of-sale system to issue a refund. Again, this information (which might not be accurate) corrupts a lot of the current databases.

Dishonest employees are going to have a hard time being able to match UPC/serial number to a legitimate sale. This will prevent employees from attempting to commit refund fraud, and should they decide to do so, the custom reporting tools (when used properly) would identify the culprits, with ease.

SIRAS can track and identify retail theft a long way past the refund counter. With its unique ability to track merchandise to a sale, SIRAS can be used to identify merchandise sold in fencing operations (and more likely) via Internet auctions.

In fact, SIRAS has been used to help prove criminal cases, or to obtain search warrants by law enforcement.

The system can also be used to identify counterfeit goods, wherever they might appear for sale.

Other benefits include being able to better manage warranty programs and, in the case of call centers (crucial in e-commerce), it provides their employees with direct access to the original purchase information.

An effective merchandising application I noted was the ability (via analysis) to identify products that have a high defect rate, or that aren’t as easy to use as advertised.

SIRAS has applications that go far beyond fraud at the refund counter.

The system is easily incorporated with patented technology into current point of sale systems and employee training is minimal. Being that it replaces many labor intensive tasks, payroll can be better spent in other areas.

SIRAS applications are beneficial not only to manufacturers and traditional retailers, but the system is equally effective in e-commerce applications.

This technology is already being used by several major retailers and manufacturers. You can view a list of them on their website (listed below).

With privacy becoming a bigger issue all the time, SIRAS provides a smart way to protect assets and not expose customer information. SIRAS makes it harder to commit fraud in a retail environment, while making it easier (customer friendly) to return an item without a paper receipt.

More information about SIRAS and who uses their services can be viewed at:
CNET's story about the TJX data breach can be viewed, here.

Wednesday, March 21, 2007

(Update: TJX data confirmed as used in Florida Case) Is the information being sold in carder forums being used in organized retail crime?

Underground carder forums (selling personal and financial information) are making it too easy to commit financial crimes. Symantec released a report showing that a credit-card number (with verification number) is sold for as little as $1 to $6. Complete information to take over an identity (government ID, social security number, bank account number, date of birth, etc.) costs about $14 to $18.

Here is an example of how this stolen information might be used by criminals. I happened to run across a good example of this in the News-Press (Southwest Florida):
Six people suspected of using stolen credit cards to purchase an estimated $8 million in WAL-MART and Sam’s Club gift cards were arrested in by Gainesville Police in a four-month ongoing investigation, according to a report released Monday by the Florida Department of Law Enforcement.
The bogus credit-cards were being used to purchase high-end electronic merchandise and gift cards.

News-Press story, here.

*Update (3/23/07): An article from InfoWorld is stating that the data used in this scheme is part of the TJX data breach. InfoWorld story, here. It still isn't clear how the culprits obtained the information, or how they had the information made into counterfeit instruments.

Symantec's report covers all the different methods by which information is being stolen. One of the more common methods is referred to as phishing. This normally happens when a person clicks on a link from a spam e-mail sending them to a fake site (requesting personal information).

Note that sometimes the fake sites only ask for your personal and financial details (referred to as social-engineering), but more and more, computers are infected with malware when someone is tricked into clicking on a link they shouldn't have.

Malware records people's personal details (automatically) and sends them back to the scammers.

Symantec's press release on their report, here.

If you are wondering why the retail crooks were buying gift cards, here is a previous post I did on that subject:

Why Buying Gift Cards on Auction Sites isn't a Good Idea

Sunday, March 18, 2007

PIN pads replaced at Wendy's to steal payment card details

More payment cards have been skimmed (financial details hijacked) as a result of PIN pads being replaced. This time the breach occurred at a Wendy's in a busy part of Edmonton, Canada.

A "Bluetooth" device was used in the phony PIN pads to transmit all the card details, using a wireless connection.

The fraud was discovered when a large number of Edmonton cards started showing up with unusual activity in Montreal.

According to the Edmonton Police, about 400 cards have been identified as having been compromised and used (cloned), but there could be more. They also stated that they don't believe there was employee involvement in the scheme.

One person was arrested in Montreal, but the authorities are saying they don't believe this person was a "major player."

This activity is probably being accomplished with a device known as a point-of-sale (POS) data logger. The stated legitimate purpose of this device (found on a webpage called is to back up data in case of a power failure. It even advertises that it will capture PIN numbers when they are entered on a keypad.

The advertising jargon for this particular device states:
Once the data is logged, the device can be EASILY AND QUICKLY removed (takes about 2 seconds for installation or removal) from the store POS machine and plugged into another computer where you can download and save the data.
Hackers Homepage (who claims they are the only ones selling these devices) offers them for $395 each. If you buy 100 of them, they will sell them to you for $9,999 (a savings of $30,000 off retail).

I'm amazed that these devices are for sale right over the Internet. Maybe someone in law enforcement will read this and do a little checking on this e-commerce enterprise.

Recently in Rhode Island (United States), a similar scheme was uncovered at Stop and Shop stores. Four males from California were eventually arrested after being spotted by employees tampering with a PIN pad.

Edmonton Police press release, here.

Here is my previous post on the Rhode Island scheme:

Could the arrests in the Stop and Shop data breach indicate a tie to Armenian Mobsters?

Saturday, March 17, 2007

Copy machines could store information useful to identity thieves

With copies of tax documents being made in massive numbers as the deadline grows nearer, we have something new to worry about.

My daughter (a.k.a. Quembel) passed this one on to me from the AP (courtesy of CNN):

Consumers are bombarded with warnings about identity theft. Publicized threats range from mailbox thieves and lost laptops to the higher-tech methods of e-mail scams and corporate data invasions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives -- the same kind of data-storage mechanism found in computers -- to reproduce documents.

AP story, here.

I'll quote my friend "Dissent" at PogowasRight on this one - "We have met the enemy and he is us."

Auction Fraud Tops FBI's 2006 Internet Crime Report

The FBI's Internet Crime Report for 2006 has been released. It shows that 45 percent of the complaints are for auction fraud and that "old standards" like the Nigerian letter still hook victims.

In fact, according to the report, the Nigerian Letter accounted for the highest median loss ($5,100).

Other Internet crimes covered in the report are identity theft, investment fraud, cyberstalking, phishing, spoofing and spamming.

The report indicates more crimes were reported to the FBI in 2006 than in any other previous year.

While we might like to believe that Internet crime comes from afar, the report shows 61 percent of Internet fraudsters come from the United States. Other countries of origin listed were the U.K., Nigeria, Canada, Romania, and Italy.

74 percent of the victims were contacted via e-mail.

Full report, here.

The report has tips on how to avoid becoming a victim.

More tips can be viewed on the IC3 site, here.

Friday, March 16, 2007

A good argument for a federal law requiring disclosure of data breaches

An assistant professor at the University of Washington co-authored a study on data breaches (compromised personal and financial information), which reveals that the amount of compromised information out there could be a lot worse than anyone thought.


If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.
While the news media is full of stories about hackers, his survey revealed 60 percent of the breaches were due to "organizational mismanagement." The report is referring to lost (stolen) hardware, internal theft, administrative error, or accidentally exposing the information online.

According to the authors, gathering the information for this study wouldn't have been possible before state laws were passed requiring disclosure of data breaches.

Laws requiring this are only on the books in less than half of the states, nationwide. story, here.

Unfortunately, despite a lot of effort, no federal law has been passed, and the most current version before Congress threatens to make it easier not to report data breaches.

Here is a previous post about that subject:

Consumers Union Calls for Congress to Protect People's Personal Information

Tuesday, March 13, 2007

Civil Servants under scrutiny for credit card abuses

Senator Grassley (Iowa) is introducing legislation to counter what he calls massive abuse with government credit cards.

He is quoted on his site as saying:
Every time we open these GAO reports we find more outrageous spending. Internet gambling and a Yankees baseball game don’t seem to be appropriate uses of tax payer money. The federal agencies don’t seem to be stepping up, so our legislation helps put some common sense controls on these credit cards.

The press release covers this in more detail:

Grassley said the legislation would also stipulate that cases of fraud be referred to the U.S. Attorney for prosecution and employees that egregiously misuse or commit fraud with a government charge card be fired. The bill would also increase oversight by providing that each agency Inspector General periodically conduct risk assessments and audits to identify fraud and improper use of credit cards.

Following the devastation of Hurricane Katrina, Grassley was concerned that provision raising the limit for emergency "micro-purchases" on government credit cards from $15,000 to $250,000 was ripe for waste, fraud and abuse and successfully fought to bring the limit back down. At the time, Grassley said that wasting taxpayer money does not help the victims of Hurricane Katrina.
Does this mean that government employees can commit fraud and waste taxpayer money without being fired, or prosecuted? If this happened in the private sector, the culprits would likely be fired and (possibly) prosecuted.

The sad thing is that Senator Grassley has attempted to introduce this legislation in the last two Congresses and it was never acted upon.

So far as wasted taxpayer money not helping the Katrina victims, the GAO confirmed Senator Grassley's prediction. Here is a previous post on that matter:

More Allegations of Money Wasted in Katrina

Senator Grassley's press release on this matter, here.

Of note, Senators Norm Coleman of Minn., Joe Lieberman of Connecticut, and Susan Collins of Maine are supporting Senator Grassley in this legislation. Congressman Joe Wilson has filed similar legislation in the House of Representatives on government credit card abuse.

Civil servants should be held to at least the same standard as the people they are serving!

Sunday, March 11, 2007

If you own a small business it pays to be aware of scams and exercise due diligence

Individuals and eBay warriors aren't the only people being targeted by advance fee and overpayment scams. Businesses, especially smaller ones, are now suffering losses with ever increasing frequency.

The Association of Certified Fraud Examiners noted in their last report to the nation that small businesses suffer "disproportionate fraud losses," when they become a fraud victim.

Part of the reason for this is large businesses employ people to deal with fraud. The other part of the reason is they can't afford the exposure as well as larger businesses can.

Report, here.

Rich Mintzer ( did a pretty detailed article in January about how small business is targeted by fraudsters. He has some smart tips for business owners:
Smart Tip: Don’t ship any products to a buyer on a pre-paid basis unless you’ve done business with the company previously or can verify the legitimacy of its payment method.

Smart Tip: It’s better to be safe than sorry. Never send products or refunds to a first-time buyer until their check has cleared the bank.

Smart Tip: The bottom line is, if you haven’t seen a directory before and can’t verify that it’s actually distributed, you’d be wise to steer clear of any such offers.

Smart Tip: If it’s the vending machine business you’re interested in, do your own homework and contact companies you’ve done your research on. And be leery of local ads for new vendors that offer a toll-free number and a chance to make "big bucks."
Rich's tips (with more detail), here.

Michael Webster, an attorney practicing in Toronto, has an excellent site, which educates all of us on business scams:

Misleading Advertising Law (Due Diligence for Income Earning Opportunities).

A little awareness (and due diligence) can stop most fraud dead in its tracks!

Saturday, March 10, 2007

Mike Rothman's book on being an effective CSO

Mike Rothman (CSO type and blogger) is now a published author in his own write.

What I like about his blog (Security Incite) is that it takes a balanced approach to computer security (protecting information). His blog considers the technological as well as the social aspects of protecting information.

In my opinion, he takes a balanced (holistic) approach to increasingly important issues surrounding protecting information.
In Mike's own words (from Security Incite):

It is with great pleasure that I announce the availability of The Pragmatic CSO: 12 Steps to Being a Security Master. It's been an interesting process and I learned a lot. I'm sure you will be pleased with the outcome.

With protecting information becoming a huge issue, the fact that Mike approaches the problem via a learning process says a lot. Issues with protecting information change (sometimes daily).

This book is well worth a look, not just by CSO types; it might be a valuable tool for anyone who considers information a valuable asset.

Link to information on Mike's new book, here.

Friday, March 09, 2007

What a sanctuary city (Los Angeles) thinks of BofA and their no SSN credit-card product

Just read an interesting article from the Los Angeles Business, which indicates that 74 percent of the respondents in an informal poll are against Bank of America's "no SSN needed" credit-card product.

Pretty interesting since in Los Angeles, even the LAPD (Los Angeles Police Department) can't ask if someone is there legally, or not.

A lot of people seem to be upset that this financial product will help enable illegal immigration and make it (easier) to commit identity theft and credit card fraud.

Criminals and a lot of illegal aliens are already using other people's social security numbers. Obtaining a fake SSN is no problem in Los Angeles, or just about any other area in the United States.

A lot of illegal aliens pay for the credit they get with other people's identities. After they assume and probably (pay for) a good identity, it isn't prudent to invite negative attention.

So far as illegal immigration, Bank of America isn't the only company enabling illegal immigration. In fact, they are merely going after a market segment that has no problem finding employment.

Even if fraud does go up, I doubt Bank of America is planning to lose any money off this product. High interest rates and a hefty fee structure can cover a lot of fraud write-off.

With that thought in mind, is Bank of America taking advantage of the very people they claim to be helping?

Just this week, Congressional hearings were held about credit card companies taking unfair advantage of the public with the interest rates and fees they already have in place.

USA Today has an interesting editorial about the hearings entitled "When interest rates hit 32%, there ought to be a law."

So far as the fraud aspect, there are many who think part of the problem is that the industry has been issuing credit, somewhat irresponsibly. This makes it pretty easy to commit credit-card fraud.

Another big story this week is the Visa summit, where the payment card industry is meeting to discuss fraud issues. Perhaps, high interest rates and hidden fees aren't covering fraud losses as well as they used to?

Recently, merchants and credit issuers have been arguing about who should be responsible for eating the costs in data-breaches. All is not well within the industry, itself.

I'm not sure how much all these events tie in together, but maybe someone should start listening to the honest customers?

After all, when all is said and done, honest customers end up paying for all the fraud, as well as the salaries of those selling these financial products.

Maybe what we really need to do is figure out why credit card fraud and identity theft are so easy to commit. Hopefully, the Visa summit will be a forum that will inspire some good ideas (and commitments) that can be put into practical use.

Interesting comments from readers (potential customers) courtesy of the Los Angeles Business, here.

Thursday, March 08, 2007

Nigerian (419) fraud is a worldwide problem

Nigerian (419) fraud is showing an alarming increase in India (900 percent) in one year. Pramit Pal Chaudhuri of the Hindustan Times is reporting:

The world's most widespread financial fraud, the Nigerian 419 scam, is finding new pastures in Asia. India is the third fastest growing market with the defrauders' earnings from Indians increasing nine-fold in one year, says a report by the Dutch firm Ultrascan Advanced Global Investigations.

Almost every cellphone and email user has been solicited by a 419 con man. The best-known ploy is a message claiming there are unclaimed fortunes in banks that can be accessed if someone puts up a little money upfront.

Pramit quoted some interesting figures in his article suggesting the worldwide bill for this type of fraud is $3.88 billion.

Pramit's (interesting) story, here.

Pramit cites intelligence from the Dutch firm Ultrascan Advanced Global Investigations. They have a lot of interesting facts about Nigerian fraud, here.

In October (2005), I did a post exploring how some rationalize this activity in Nigeria:

419 From the Other Side of the Fence

The post references a Nigerian pop singer (Osofia) and a song he did about the infamous scam:

"I go chop your dollar"

Perhaps, Osofia should update his song to include all the other currencies being chopped?

FBI alerts the public about a growing trend in mortgage fraud

According to the FBI, mortgage fraud is a growing issue. To back this up, they are saying:

Mortgage Fraud Suspicious Activity Reports (SARs) referred to law enforcement by financial institutions increased from 17,127 SARs in Fiscal Year 2004 to 35,617 SARs in Fiscal Year 2006, reflecting estimated losses of $946 million. FBI Mortgage Fraud investigations have focused on large-scale frauds perpetrated by organized crime and industry insiders, including attorneys, brokers, appraisers, and realtors. Since September 2002, the number and types of investigations have increased from 436 to 1,036. Of these current cases, 51% involve expected losses in excess of $1 million, and 57% involve our federally insured financial institutions as victims.

Full alert (courtesy of the FBI), here.

Here is a file, with a poster about mortgage fraud (also courtesy of the FBI), here.

If you know about any mortgage fraud, or other crime that the FBI investigates - report it online, here.

Mortgage fraud doesn't only hurt financial institutions; the words identity theft and mortgage fraud are frequently showing up in the same cases.

Here is a post I wrote in January about this growing phenomenon.

Tuesday, March 06, 2007

Ruby Tuesday serves a blow to credit card skimmers

Ruby Tuesday is doing something about credit card fraud. They announced yesterday that they will be introducing an ultra-secure (encrypted) credit card system to protect their customers from fraud.

The AP is reporting:

The system, which is expected to be in all the restaurant chain's 900 locations by April, leaves no credit card information at the restaurant and is instead sent to the bank in encrypted form. The system is said to help prevent identity theft.
Criminals (some say of the organized type) have been targeting a lot of unprotected information, recently. Some of this information is bartered in underground chat rooms set up for this purpose.

Of note, Visa International commented that the new system is fully compliant with PCI data protection standards.

AP story, here.

If you would like to see the sheer volume of recent data breaches, has a chronology, here.

If you would like to see how easy it is for your payment card information to get skimmed at a restaurant - you can view an interesting video, here.

Sunday, March 04, 2007

It pays to be observant when paying with your credit card

Dishonest employees at your local restaurant or store might be making a little spending money selling your card information. Leaving your card unattended (even for a couple of seconds) can make you a victim.

An interesting video on YouTube (posted by kamranakhtar) shows why.

YouTube video, here.

This video was first shown on the TechEBlog, as far as I can tell.

Organized retail criminals sell their ill-gotten proceeds in many places

Organized retail crime is becoming a "buzz word" within the retail security industry. Because of this fact, many large retailers employ dedicated specialists to deal with the issue.

Some estimates (RILA) reflect that this could be a $34 billion a year problem.

I've seen a lot of recent stories about merchandise being fenced on auction sites. Although this is a big problem, stolen goods are fenced in other places, also.

WKYC news (Ohio) is reporting that 19 homes and businesses were recently raided, illustrating how organized some of this activity can be.

Very interesting video, here.

The Washington Post did an interesting article about organized retail crime in 2005, here.

It noted that federal law enforcement is getting involved in the prosecution of these cases, because of their impact, and (probably) the fact that they cross state lines, frequently.

RILA (The Retail Industry Leaders Association) proposed changes to Congress to deal with the problem, here.

Of note, they quote the FBI as saying that organized retail crime is funding terrorist organizations.

Another problem (the FBI calls out) is when outdated medicine and items such as baby formula are repackaged and sold as new.

This could pose significant health risks to those who purchase these stolen items.

Besides the fact that we all pay for this with our hard earned money (higher prices), our safety is being compromised by these criminals, also.

Should recent prosecutions for fraud in Katrina remind us of something?

Bruce Alpert of the Times-Picayune did an excellent article about a lot of recent prosecutions for fraud in the aftermath of the hurricane disasters.

One woman, LaWanda Williams, collected $267,377.15 in an identity theft scheme using several other people's information.

I wonder if any of the people (who had their information stolen) were denied benefits, as a result of LaWanda's activities?

And LaWanda is just one example of people's greed. FEMA and Army Corps of Engineers officials, Red Cross employees and many others took advantage of the situation.

In fact, fraud was being committed as far away as California, where 71 cases have been documented.

Bruce Alpert's article, here.

Bruce's article points out that this isn't the first time fraud occurred after a disaster. Similar fraudulent claims occurred after 9-11 and the Tsunami disaster.

The money lost to fraud is a symptom of the larger problem, which was a disaster preparedness system that failed. The resulting confusion enabled a lot of fraud to occur, and probably made it too easy to commit.

I doubt any of the people now being prosecuted thought they were going to be caught.

As the old saying goes - "an ounce of prevention is worth a pound of cure." Our focus needs to be on preventing this from happening again.

If you would like to learn more about the hurricane disaster - and how people are still being "cured" two years after the fact - Beyond Katrina has a lot of information on the subject.

Friday, March 02, 2007

Bank's Telephone ID Spoofed in Vishing Scam

People in Jefferson City, Missouri are receiving fraudulent telephone calls soliciting their personal and banking information. Even worse, their caller ID reflects that the call is coming from a bank.

A new term (vishing) is being used to describe this kind of fraudulent activity. Scams over the telephone are nothing new, but many experts believe that VoIP technology is making the problem worse.

Michelle Brooks, of the News Tribune, is reporting:

More than 1,000 people in the Jefferson City area received a prerecorded phone message Wednesday that sought customer information and claimed to be from “Central Trust Bank”- a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems.

News Tribune story, here.

Besides being used to steal from people, this technology can be used by stalkers and criminals who are potentially violent, as a Washington Post story shows.

This technology is a favorite of collection and telemarketing types to get people to answer their telephones. Some of the people marketing this technology claim their intent is to protect privacy.

Of course, some of us believe that this technology is violating a lot of people's privacy.

One of the most scary examples of this is They sell a calling card that not only spoofs the number being called from, but gives their customers the ability to change their voice. The calls are also recorded (accessible by calling an 800 number).

Besides this company, there are many others that are hawking Caller-ID spoofing. Collection agencies and telemarketing types use the technology to trick people into answering their telephones.

The FTC (Federal Trade Commission) seems to be taking a look at this problem; a list of their press releases on this matter can be viewed, here.

The FCC (Federal Communications Commission) also has a lot of information about the problem on their site, here.

If you are mad about someone doing this to you, the FCC has a complaint form, here.

Isn't it a shame that we constantly see so-called legitimate businesses profiting from technology that victimizes the general population?

Congress needs to work with the FCC and the FTC to pass a law against this abuse!

Thursday, March 01, 2007

Internet Spammers fail to keep CastleCops down

CastleCops, the all-volunteer site dedicated to fighting phishing, fraud and dastardly deeds on the Internet, is back in action. The site had been under a massive DDoS attack for the past couple of weeks.

Paul Laudanski (CastleCops founder) announced the site's return to action via an e-mail to the community tonight.

Brian Krebs (Washington Post) did an interesting post about the attack on his blog, where he quoted Robin Laudanski (Paul's better half and co-founder) as saying:

"I take [the attacks] as a compliment because if we weren't putting a dent in the bad guys' pocketbooks, we wouldn't be getting attacked," Laudanski said. "It means we're being a pain, and that we're doing something right."

It appears the criminals behind this attack can't keep the good folks at CastleCops down!

Robin also said that the attack has prompted a lot of the security community to rally in support of the site.

CastleCops is a great place to learn about and report Internet scams.

They also run the PIRT (Phishing Incident Reporting and Termination) Squad, where anyone can report phishy e-mails. Last I heard, they are looking for handlers, also.

If you are looking for a good place to help take back the Internet from criminals, CastleCops is a great place to give your support to.

You can see all the information about the attack, here.