Tuesday, July 31, 2007

Customer stops debit card skimming scheme at AM/PM

Another tale of a skimming device being found at a gas station has surfaced in the local Northern California news. In this instance, a savvy customer figured out what was going on and notified the Police.

Koula Gianulias CBS 13, Sacramento reports:

Skimming at the pump. Hundreds of dollars have been stolen from unsuspecting drivers. Recently, a local driver figured out he was being taken.

When Joe Schroder tried to pay for gas at the ARCO in Newcastle, he had some trouble sliding his ATM card into the slot.

“Got up under it, pry up on this. It popped off in my hand and I knew I had something there,” says Joe Schroeder.
In June, a similar problem occurred at AM/PM stations in Huntington Beach in Southern California. One of the reasons, authorities speculate card skimmers like AM/PM is because they only accept debit cards.

As far as I've heard, the suspects in this case are still at large, also.

Huntington Beach Independent article, here.

Koula got the official statement from the parent company, which is:

”The number one priority of BP, ARCO, AM/PM is the safety and security of our customers' every transaction, every day, at all of our sites. It is unacceptable that our customers and company have been targeted by these thieves. We are continually updating our systems to further protect our customers.”

Of course, in this case, it also helps to have aware customers frequenting your premises!

CBS13 story, here.

There is an excellent video on CBS13 link, showing how one of these devices can be installed at a gas station in 20 seconds, or less!

I've also done a few posts on skimming, which might help educate people, here.

If you scroll all the way to the bottom, there are a lot of pictures and links to more pictures to take a look at.

This activity doesn't only occur in the United States. It's happening all over the world.

Similar device discovered at a gas station in Great Britain. (Courtesy of Flickr)

Story about activity in Finland, here.

Will the Stevens raid cause voters to trust politicians even less?

I'm predicting the upcoming elections will be pretty interesting. Confidence in our political leaders seems to be at an all time low.

One particularly bothersome phenomenon are stories of elected officials being investigated for lining their own pockets. They seem to be surfacing with alarming frequency.

It's no wonder that both the executive branch and house seem to have one thing in common - ever decreasing public support.

The most recent event in this seemingly never-ending chain of disappointing stories is the raid on Senator Ted Stevens' Alaska retreat.

Dan Joling of the AP is reporting:

Federal agents with cameras searched the home of U.S. Sen. Ted Stevens amid questions about an oil company official's involvement in a 2000 renovation project that doubled the home's size, law enforcement officials said.

Stevens, 83, is under a federal investigation for his connections to Bill Allen, founder of VECO Corp., an Alaska-based oil field services and engineering company that has reaped tens of millions of dollars in federal contracts.

Allen was convicted earlier this year of bribing state lawmakers. He also oversaw the renovation of Stevens' home in the ski resort community of Girdwood, contractors involved in the work say.

This seems to be part of a larger investigation:

The Justice Department's probe into Allen's relationships has led to charges against state lawmakers and contractors. Last year, FBI raids on the offices of several Alaska lawmakers included Stevens' son, former Alaska Senate President Ben Stevens.

Neither the U.S. senator nor his son has been charged.
The AP Story also states that Alaska's only U.S. representative, Don Young, is also under investigation. This cannot be confirmed because the source was anonymous.

The AFP version of the story (courtesy of Yahoo News)cited unnamed sources as saying:

The investigations have prompted calls for ethics reform in Congress and damaged President George W. Bush's Republican party. Some party members blamed the corruption cases for helping hand their Democratic rivals control of Congress in legislative elections last year.
I found this an interesting statement because Republicans don't seem to be the only ones getting accused of lining their own pockets by using their political influence.

Let's not forget Rep. William Jefferson, D-La. has been indicted on federal charges of racketeering, money-laundering and soliciting. The investigation against Jefferson suggested ties to a foreign political figure, Abubakar Atiku (former Vice President of Nigeria).

Atiku was still in office, when the scandal made headlines. Interestingly enough, the connection between him and Jefferson seemed to be ignored by the Western press, however it was covered extensively in Nigeria and elsewhere in Africa.

Wikipedia has an interesting article tracking charges of corruption involving political figures. If you look at their document and note the amount of incidents since 1990, the problem seems to be growing.

Wikipedia article, here.

Of course, there was political corruption around before 1990, also. Maybe, the trend started earlier with the Abscam investigation in 1980?

Here is a FBI video of Jack Murtha dealing with a undercover FBI agent in the infamous Abscam investigation.

It's a sad commentary that so many of our leaders seem to be getting caught, or accused of being corrupt. Maybe this is one of the reasons that politicians seem to be losing the popular support of the people, they are supposed to be serving.

Whether this is all dirty politics, outright corruption, or a mixture of both -- it does little to bolster public confidence in our leaders.

After all, these are people, we (and our children) are supposed to look up to.

AP Story, here.

Correctional Officers steal credit cards from prisoners

Ran into a pretty sad story, where it was reported that two Baltimore correctional officers were caught stealing credit cards from inmates they were processing into jail.

John-John Williams IV of the Baltimore Sun reports:

Two corrections officers from the Central Booking and Intake Center were arrested yesterday and charged with stealing credit cards of people under arrest.

Lontona Maria Webb, 38, of the 3600 block of Clarinth Road and Latoya Renee James, 24, of the 1300 block of Dalton Road each face multiple counts of credit card fraud, identity theft and misconduct in office, according to charging documents.
The authorities investigating the case aren't commenting because the investigation is still underway.

It also appears that the Baltimore Sun and an attorney, who was arrested (charges later dropped) are responsible for alerting the authorities that their jail needs a little cleaning up:

Nicholas Panteleakis, 34, a city public defender, said that his credit card was used to make nearly $1,000 in fraudulent purchases at McDonald's, Target and a gas station.

Panteleakis said that his credit card company took care of all of the fraudulent charges.

The Sun detailed Panteleakis' claims of fraud at Central Booking in February. At that time, Panteleakis said he discovered that someone had used his credit card within six hours of his release from Central Booking. He said he believes the card was stolen after his wallet was checked as property at the facility when he was arrested on one count of loitering, a charged later dropped. He immediately canceled his credit card.

"If it wasn't for my access to the media and other avenues, I don't think anything would have become of it," he said. "People would still be having their stuff stolen from them."

As a result of this, officials at the jail have had video surveillance cameras installed to watch the area, where personal property is inventoried.

It's sad when we discover those, who have taken a sacred oath to uphold the law, violate it. They damage the reputation of their profession, and all the fine people, who take this oath seriously!

Unfortunately, this isn't the first time, I've done a post, where a correctional officer (and some Jet Blue employees) were stealing credit cards:

Airline employees and correctional officer arrested for credit card fraud

Baltimore Sun story, here.

Sunday, July 29, 2007

The Coalition Against Domain Name Abuse seeks to disable Cybersquatting

Cybersquatting is where people, who may have less than honorable intentions, set up a website with a domain name that appears to be a trusted brand, or organization.

Often, these domains are then used to commit financial crimes on the Internet.

In most of the recent disasters, most notably the Katrina hurricane, some of these look alike domain names were sold for a lot of money.

Sadly, these look-alike domain names, which victimize people and businesses, are being sold legally.

These look alike domain names are used in phishing scams, also. If you ever want to see a lot of fake websites, that appear to be real, visit Artists Against 419 and go to their Lad Vampire page.

Dibya Sarkar of the Washington Post is reporting about a coalition lobbying Congress to stop making this activity (like most crime on the Internet) too easy to accomplish:

Well-known companies such as Dell Inc., Yahoo Inc. and Marriott International Inc. are lobbying Congress for tougher laws targeting online scammers who profit from their brand names.

United as the Coalition Against Domain Name Abuse, 10 companies have hired the law firm Alston and Bird LLP to persuade federal lawmakers of the need to crack down against those who claim Web addresses, or domain names, that include _ or even resemble _ a legitimate company's trademark.

Washington Post story, here.

The coalition has set up a website, that anyone can join:

The Coalition Against Domain Name Abuse

The Post article failed to mention all the businesses backing the coalition. The entire list is located, here.

Orange County processing traffic citations in Mexico outrages citizens

If you get pulled over in Orange County in Southern California, the information for their traffic court system is likely to be processed in Mexico.

Gordon Dillow of the OC Register did an interesting editorial about this phenomenon and the subsequent fear and outrage this has caused among Orange Country residents:

The furor over Orange County Superior Court's "outsourcing" of traffic ticket processing to Mexico is understandable. After all, it brings together two issues of great concern to many people in this county: The outflow of jobs beyond our borders, and a deep distrust of our largely poor and widely corrupt neighbor to the south.

And it kind of makes you wonder what the boys down at the courthouse were thinking.

Sadly enough, Gordon points out that although the concerns over this are valid, getting people's personal DMV information isn't very hard to accomplish North of the border, either.

Interesting perspective by Gordon, here.

Until we address the issues that enable the mass abuse of people's identities, the problem will probably continue to grow. The problem always seems to be someone's bottom line and how far they are willing to go (at the expense of people) to make it fatter.

Lifelock CEO's identity theft case dropped - authorities cite coercion as the reason

No one can dispute that Lifelock -- the identity theft protection company offering a million dollar guarantee -- is pretty aggressive in their marketing tactics. They pay everyone from bloggers to the likes of Howard Stern, Rush Limbaugh and Fred Thompson to promote their products.

It now appears that marketing isn't the only thing they are aggressive at.

Recently, as a result of a New Times article, their founder Robert Maynard stepped down from his position after it was suggested that his stories of being an identity theft victim weren't exactly one-hundred percent accurate. Even more damaging was an allegation that Maynard used his father's identity to secure a American Express card that went bad.

The identity theft story had been often heralded as one of the reasons behind the Lifelock business concept.

Even though Maynard stepped down, it appears he is still making money from Lifelock and hawking it's products. At the time of this announcement a rumor came out that Todd Davis, Lifelock's CEO -- who plasters his social security number all over the Internet to show his confidence in Lifelock -- was himself a victim of identity theft.

It has now come to light that Mr. Davis wasn't happy with the Texas authorities sense of urgency on his personal matter and took it upon himself to send a film crew and Lifelock representative (private-eye) to his evil twin's house to get him to sign a prewritten confession.

Apparently, the suspect was told to either sign the prewritten confession and agree to community service, or the Police would be out to arrest him. None of the articles, I read indicated, whether or not, the suspect had any part in preparing the prewritten confession.

In defense of the authorities concerned, there is a lot of identity theft to investigate. It turns out they were waiting for additional evidence to tie the suspect into the use of Davis' identity. The evidence they were waiting for was records from ATT to verify the suspect's Internet Protocol address, which they had already subpoenaed.

Although, not specifically stated, this leads me to believe that the theft using Mr. Davis' identity was originated, where a lot of this type of theft starts, or on the Internet.

It also appears that the authorities had advised Davis to let them do their job, and he decided to do otherwise.

The person involved doesn't appear to be a very sophisticated identity thief. He is described by the Fort Worth authorities as "mentally disabled."

All I have to say is that it doesn't help Davis' marketing efforts when a mentally disabled person is able to commit identity theft using the social security number, he put up all over the Internet. Of course, the suspect in this case can't be considered very bright, either. Apparently, he got the social security number right off Lifelock's website, where Davis is basically daring someone to steal it.

I have to wonder if he wanted to get caught?

It doesn't seem reasonable when a film crew and private investigator use "pretty questionable tactics" (my opinion) to resolve the crime. Of course, this isn't only my opinion because the authorities in question have now dropped the case because of the sloppy investigative tactics referred to as "coercion."

To put this in perspective, this suspect, who is described as mentally disabled, stole $500.00 using Davis' identity, which is plastered on the Internet for all to see. According to the original New Age article, Maynard, who was or maybe still is his business partner, allegedly ran up a $170,000 tab using his father's identity.

We don't see Lifelock dispatching private eyes and a film crew to track down Maynard.

There was speculation when the original post came out on Lifelock someone was orchestrating a hit job on them. I don't know, if this is true, but Lifelock seems to leave themselves wide open for attack.

When reading about this post, I came upon a rather amusing summary of the Lifelock saga, written by Robert Cringley at InfoWorld entitled:

Dumb, dumber, and Davis

On a closing note, I am an advocate of pursuing identity thieves to the fullest extent of the law. However, we must always realize that in our zeal to do so, people have rights, which need to be protected, also.

There has been recent evidence of innocent people being charged with crimes because their identity was stolen. This makes it even more important to ensure that the person being charged is actually the guilty party.

Here is a post, I did about the wrong people being charged with a crime because their identities were stolen.

Saturday, July 28, 2007

iPhone hacked under laboratory conditions

There is no doubt that the iPhone, Apples new entry in the smart phone market, has received a lot of attention. I just had the opportunity to use one and they are truly an amazing toy, especially when compared to what else is out there.

Whenever something is popular, Internet outlaws normally try to figure out an angle on how to exploit it for their personal (probably financial) gain. In the interest of getting one step ahead of the bad guys - some of the good guys are trying to discover some of the potential issues with the iPhone before they occur.

Read a post written by Mike Gikas on the Consumer Reports Electronic Blog, which stated:

This week Independent Security Evaluators (ISE), a U.S. independent testing lab, dramatized the looming danger by piercing the defenses of the much-vaunted iPhone. (ISE is the lab whose help Consumer Reports seeks for our evaluations of security software. See our report on how we test antivirus software and look for our 2007 State of the Net report, which posts to ConsumerReports.org in early August.)

Apparently, ISE was able to hack New York Times reporter's iPhone by having it visit a website, which downloaded malware (malicious software) on the phone and gave the testers access to files and iPhone functions.

A visual presentation of this evaluation has been posted on YouTube:

Please note this was done under lab conditions and we've yet to see any hacking of the iPhone done in the wild (at least to my knowledge).

Nonetheless, hacking smart phones might become a new trend that people need to be made aware of. Just about any device can be hacked if hackers are motivated enough to do so.

My personal theory is that as smart phones become more common, we will see them exploited more often.

Perhaps, common sense when using any device that connects to the Internet is the best defense out there. Here are the tips offered from the electronic's blog:
1. Only visit Web sites you know.
2. Only use Wi-Fi networks you trust.
3. Don’t open Web links from e-mails.

And of course, don't fall for anything that is too good to be true, or doesn't make sense. Social engineering techniques (confidence tricks, fraud) normally are what lures anyone into a technology exploit.

Here is a previous post on some controversial software being sold that can invade someone's privacy (my opinion) by loading it on their smart phone. Thus far, they are not advertising software that is compatible with the iPhone.

FlexiSpy - software that spies on people via their smart phone

Full post from Mike Gikas on the Electronics Blog (Consumer Reports), here.

Certegy reveals their data breach is a lot larger than originally reported

Earlier this month, I blogged about the Certegy data breach, where a not very HONEST employee got caught selling information to an unidentified data-broker. Certegy was quick to assure the public that none of this information would be used to commit fraud because it was being used by "legitimate marketing firms."

Now the number of records (people compromised) has risen significantly after Certegy filed a report with the Securities and Exchange Commission.

The Tampa Bay Business Journal Reports:

An ongoing investigation has determined that about 8.5 million consumer records were stolen, according to a July 25 Securities and Exchange Commission filing by Fidelity National Information Services Inc. (NYSE: FIS), the Jacksonville-based parent company of St. Petersburg-based Certegy.
According to Fidelity, Certegy's parent company the investigation is continuing and this number could grow.

Florida Attorney General Bill McCollom listed some useful information for victims in a press release, which said:

For more information, consumers may call Certegy at 866-498-9916 or may visit their website at http://www.certegy.com. Affected consumers are encouraged to take the precautionary steps outlined in the Certegy letter, including obtaining a free fraud alert from one of the credit reporting agencies. Furthermore, if consumers believe at any time they are victims of identity theft, they should report this to the police and request that the national credit bureaus place a fraud alert on their credit reports. Consumers should also notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

If you received a letter from Certegy and you continue to receive marketing calls that you suspect result from this data breach, please report this activity to the Attorney General’s Citizens Services Hotline at 1-866-9-No SCAM (1-866-966-7226). Additional information about protecting yourself from identity theft is available online at http://www.myfloridalegal.com/identitytheft.

I've received a lot of comments on my original post, including some (anonymous) claiming their information was used for fraud. Unfortunately, I cannot verify this information, but someone with the e-mail address LPLong@Yahoo.com claims to be collecting victims to file a class action law suit.

My original post with comments, here.

Press release from Florida Attorney General (Bill McCollom), here.

Note this is probably the right place to verify information, if you receive a letter. If you believe you are fraud victim based on the Certegy breach, I would let them know about it, also.

Tampa Bay Business Journal article, here.

Thursday, July 26, 2007

Congress is considering a law to stop Social Security Numbers from being posted in unsafe places

I’ve written a lot about how the buying and selling of personal information enables a lot of identity theft to occur. This multi-billion dollar industry assures our most personal information is available to ANYONE, who wants to buy it, and stored in a lot of places that might, or might not be very secure.

With all the data breaches that occur, my guess is that it is stored in a lot of not very secure places.

The Consumers Union’s FinancialPrivacyNow.org is running a campaign, where you can write your elected representative and let them know how you feel about this subject:

No more Social Security Numbers on Medicare cards, checks, or on the Internet! The House Ways and Means committee has unanimously passed legislation that would accomplish just this. H.R. 3046 would stop the widespread and unnecessary sale, purchase and displaying of Social Security Numbers by government and businesses that has made consumers more vulnerable to identity theft. Twenty-five House members have already expressed support. Urge your House member to support H.R. 3046 and make sure that industry doesn’t create holes in the bill’s protections.

Link to where you can write your elected representative, here.

Because employers are checking applicants more carefully, many are saying that illegal immigrants will be forced to use real social security numbers to obtain employment. Here is a post, I wrote about that:

Will stricter enforcement cause more illegal immigrants to assume real people's social security numbers?

This might make a growing problem worse. Personal and financial information is already being stolen and sold in a lot of places, including chat rooms on the Internet.

Stopping one of the reasons information is too easy to steal could have a positive impact on what has become a very negative situtation!

Sunday, July 22, 2007

Disney learns (the hard way) that insiders can be the biggest threat to information security

In the world of data breaches, nothing is sacred, not even Disney. It has come to light that a subcontractor (Alta Resources, Inc.) had an employee, who sold credit card information to federal agents.

Jaikumar Vijayan, Computerworld reports:

A subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents.

The May 2007 incident has prompted Disney to send out letters to an unspecified number of customers informing them about the breach.
Jaikumar tried to get Disney to comment, but in standing with data breach protocol, they declined to do so. He was able to get one of the letters sent out to the customers, who were breached.

The letter reassured the "compromised" by stating:

Law enforcement officials have informed us that there is no indication that your information was used to make improper purchases or sold to anyone other than federal law enforcement agents," Flynn said in his letter. "Nevertheless, in an abundance of caution, we have informed representatives of Visa, MasterCard, American Express and Discover of these events."

Given the wholesomeness of Disney, their customers could be considered lucrative targets for identity theft. Most of them probably have good credit.

Either, the person involved was caught right from the beginning, or he isn't talking.

They are also saying that CVV/CVC codes were not compromised. CVV/CVC codes are three-digit codes added to a payment card as an extra layer of security.

I went to the site and didn't see CVV/CVC codes being asked for after pretending to buy some merchandise from them? Granted, I didn't click "buy," which would have sent my credit card information to them, but I completed the rest of the steps.

Not all merchants ask for this code, when someone makes a purchase, or payment over the Internet.

It amazes me how optimistically data breaches are presented.

In an Orlando Sentinel article about the breach, officials at Disney were quick to point out they had been "independently certified by under the Payment Card Industry Data Security Standard."

PCI data security protection standards are being pushed on merchants right now -- but as long as one dishonest person is given access, or is tricked into doing so -- no amount of security is going to protect information.

PCI data security protection standards are a step in the right direction, but need to be combined with other sound practices to protect businesses from being compromised.

PC World article, here.

Update: NetworkWorld's Buzzblog is quoting a Orlando Sentinel story that David Haltinner of Wisconsin has been charged in the case. They also have a link showing a copy of the official letter, here and a letter from a customer, claiming their card, which was on file with Disney had fraudulent purchases ($8,000.00 worth) put on it.

The writer of the letter did try to report this, but was told that it probably didn't tie into this breach. Finding the point of compromise in a credit card fraud case is difficult to say the least. Perhaps, this is why the recent GAO report on data breaches claims very little fraud is being tied into the compromises they studied?

With all the entities being compromised only revealing as little as they have to, there is a lot of plausible deniability.

The Buzzblog got the customer notification letter from someone at Attrition.org, who tracks data breaches on their site, here.

LA Gangs take a vacation in Hawaii using funny (counterfeit) money

I've read a lot about street gangs, who used to finance themselves by selling drugs, moving into the financial crimes arena. Some say financial crimes are a lot more profitable, and the punishment for getting caught isn't nearly as harsh.

Looks like some of them have gone West (Hawaii) to enjoy a little vacation financed with "funny money."

The HawaiiChannel.com is reporting:

Thousands of dollars worth of counterfeit $100 bills are flowing into Hawaii, most likely from Los Angeles-based gangs, according to Secret Service officials.

For the last week or so, $2,000 to $2,500 a day in counterfeit $100 bills have been passed at retail stores in Waikiki and across the islands, the Secret Service said.

Some high-end Hawaii retailers are taking a hit.

Apparently, the members of the Bloods and Crips involved in this (didn't know they were hanging out together) sometimes buy merchandise and then refund it a short while later. Refund fraud is a common way criminals launder money, or turn it into disposable income.

According to the article, counterfeit (funny) money is also being passed by members of the military coming back from the Middle East.

HawaiiNewsChannel.com article, here. There is a pretty good video on how to detect counterfeit money to the left of the article.

The article confirms what I've seen a lot of in the past couple of years, which is that a lot of the counterfeit money in circulation are five dollar bills washed into hundred bills. Because of this, the counterfeit detection pens, which most merchants use don't work.

The best way to detect them is to hold them up to the light and if the hologram is Abraham Lincoln instead of Benjamin Franklin, it is a counterfeit. The embedded strips will also state that they are five dollar bills, if they are counterfeit.

If you are in the money business, I recommend teaching your employees how to visually inspect money. Counterfeit detection devices are not 100 percent reliable.

The Money Factory (government site) has a lot of good information on how to detect counterfeit money, here.

The United States Secret Service also has a page on their site with a lot of information, here.

Saturday, July 21, 2007

Task Force puts child predator away for 10 years

There is nothing that disgusts me more than crimes against children, or crimes against the elderly. The anonymous nature of the Internet has made it easier for criminals to distribute child pornography, as well as, for child predators to have access to our young.

I happened to see a Department of Justice (DOJ) press release about one of these predators getting 10 years in prison for being involved in child pornograpy.

On Jan. 3, 2007, Thomas Lane pleaded guilty in U.S. District Court for the Southern District of Indiana in Indianapolis to one count of possession of child pornography. The government's evidence showed that the defendant possessed images and binders with photos of children engaged in sexually explicit conduct. The majority of the images, printed out and organized in the binders, also contained links to Internet Web site addresses. Lane had been previously convicted in 1998 for receipt of child pornography.

DOJ press release, here.

This was accomplished (investigated and prosecuted)by the Internet Crimes Against Children Task Force (ICAC).

Apparently, it was brought about as a result of Project Safe Childhood, which was put in place by Attorney General Alberto R. Gonzales in 2006.

Besides investigating this type of crime, they have a pretty good (my opinion) educational resource to educate all of us on this problem.

The DOJ website can be viewed, here.

Child pornography has been tied into organized crime, identity theft and payment card (credit/debit) card fraud. Here is a previous post, I did about how this occurs:

British citizens accused of child porn found to be fraud victims

In case you haven't seen it, the To Catch a Predator series (Dateline) made a lot of people aware of how serious a problem child predators are. Chris Hansen, who hosts the show, has a blog about the series, here.

If you suspect a crime against a child, it can be reported, here.

Wednesday, July 18, 2007

The battle over who is going to pay for data breaches heats up

The TJX data breach (45 million records and counting) is rapidly turning out to be the straw that broke the camel's back. Everyone seems to be worried about, who is going to bear the financial burden that data breaches are causing.

Cleve Doty at PrivacySpot.com writes:

Retailers will be forced to pay for data compromises when they violate industry standards of data protection under a new Minnesota law, detailed here. California and Texas are considering similar legislation, as noted here and here. The Minnesota law adopts Payment Card Industry Association (PCIA) data protection standards, which require that companies not retain data from a card, including security codes, PINs, and magnetic strip data, for more than 48 hours after a transaction is approved. If a data breach occurs and the retailer failed to comply with the card security protocol, then they will have to pay costs including: refunds for unauthorized purchases, reissuing cards, notifying cardholders, and closing and reopening accounts.
The article also stipulates that retailers could be charged for excessive fraud transactions that occur on their premises.

This interested me, especially given the recent criticism Target -- who has it's headquarters in Minnesota -- recently received for not verifying credit card transactions. Will this make them change their policy of ONLY relying on electronic data (magnetic stripe info) when accepting payment cards? Currently, they do not train their employees to check cards, or ask for identification.

The other strange thing at Target is that, although they've tightened up their return policy, they will gladly look up your payment card number (credit/debit) card to assist you in completing a refund. One of the basics of protecting a lot of this information is that it isn't stored for a long time?

One of the more common and most publicized losses by retailers are when thieves commit fraudulent refunds. I wonder how much merchandise is being stolen using fraudulent payment devices, then refunded?

Today, I'm picking on retailers, but the fact is that data breaches are occurring at a lot of places. For instance, institutions of higher learning, seem to be breached all the time. Furthermore, if you follow what tracking is available on data breaches (Privacy Rights Clearinghouse, Attrition.org, PogoWasRight), the financial services sector has had their share of breaches, also.

It amazes me that since the TJX breach, there has been a lot of focus on merchants. Sadly enough, this legislation will probably hurt smaller merchants more than it will larger ones.

Merchants feel strongly that the credit card companies have been unfairly charging them for a lot of things, including fraud. Recently, I did a post about a Merchant Bill of Rights, where merchants are banding together to fight for a better deal when dealing with the credit card industry.

Meanwhile, the deadline is looming for federal agencies to come up with a plan to address data breaches. Government agencies seem to be having their share of breaches, also.

We'll probably see a lot of infighting between all the different sectors being breached. Everyone seems to be worried about, who gets to pay for all of it, and how it might detract from all the money they've been making off people's personal information.

Maybe it would be better if everyone involved started working as a team and going after the real problem, which is that information is too easy to access and criminals are making too much money by stealing it.

Full story from PrivacySpot.com, here.

Tuesday, July 17, 2007

A look into labor abuses in the aftermath of Hurricane Katrina

Photo courtesy of Ruffit at Flickr

It never ceases to amaze me that we keep seeing additional allegations of abuse, fraud and waste come to light as a result of the Katrina hurricane, and it's aftermath.

Brian Beutler of the Media Consortium (courtesy of AlterNet) wrote a pretty telling article of the abuses dealt to laborers, who went to New Orleans to assist in the reconstruction/clean-up effort.

Brian reports:

In the two years since the disaster, there have been thousands of testimonials -- issued to both government officials and private advocates -- about a wide taxonomy of abuses.The most frequent complaint workers cite is withheld wages, but almost as numerous are accusations of employee intimidation, toxic and hazardous working conditions, immigrant abuse, trafficking, exploitation and monetary extortion.

Many workers, who went to New Orleans were paid a small percentage of what they were promised:

On December 30, 2005, Wilson received $865 in pay for the 94 hours of work he did from November 20, through Dec 7. For a similar stretch between January 5 and January 18, he was paid only $206.10. In each case, he should have been paid about $1,500.

According to the article, the Bush Administration suspended affirmative action and documentation requirements for immigrant workers. They also removed the requirement to pay "prevailing wages."

The end result of this was that visiting American citizens and local residents were underbid by foreign workers, who probably weren't legal. Of course, no one can say this for sure because it wasn't checked out (very well) at the time. However if this wasn't the case why did Senator Mary Landrieu (Democrat LA)request that ICE agents be dispatched to look into the problem?

This resulted in even more people doing a dirty job not getting paid:

The result was astounding. On payday, subcontractors, faced with undocumented workers seeking cash, often called ICE to report their own operations, causing frightened workers to either scatter or face deportation to their home countries without pay.

Likewise, employee recruiters, dispatched by subcontractors to foreign countries, would offer often-destitute men and women the promise of good work and fair wages at any number of reconstruction jobs in New Orleans.
Congressman Dennis Kucinich held hearings into this to determine, whether or not the Department of Labor (DOL), did their job in controlling some of this abuse.

Many believe, they did not.

For those, who like me continue to be fascinated by the social issues in the Katrina disaster, Brian's full article can be read, here.

My personal opinion is that they need to be studied, carefully. A lot of citizens (and apparently non citizens) suffered, not because of a lack of resources, but because of what appears to be a "few greedy people."

I've written quite a bit about Katrina (in my own personal study of what went wrong). My previous posts can be read, here.

Another great place to learn more about the social issues surrounding Katrina is Margaret Saizan's Beyond Katrina.

Sunday, July 15, 2007

Are passwords and codes, available in too many places, enabling crime?

Wired News (Kevin Poulsen) reported another instance, where an ATM was easily reprogrammed to think it was dispensing $1 bill instead of 20's.

The same thing happened in Virginia Beach last September.

Wired News reports:

Police in Derry, Pennsylvania are baffled by a June ATM robbery in which an unidentified man wearing flip flops and shorts strolled into Mastrorocco's Market and reprogrammed the cash machine to think it was dispensing dollar bills when it was actually spewing twenties.

In this instance, the factory code not removed from the ATM was "123456" and programming manuals are available on-line.

Wired story, here.

Of course, the ATM company in the article accepts no liability. Somewhere in their technical manual, they warned the buyer to remove the code.

Unfortunately, this doesn't only apply to ATM machines, and it's not the first time I've seen a factory code as simple as "123456."

Hackers love to target people, who forget to change default codes. The reason for this is because it is easy, and a surprising number of businesses fail to change them.

In the technology driven society of today, default codes are put into cell phones, point-of-sale equipment, alarm systems, and even safes. The list of devices using codes, or passwords could go on and on.

I even found instructions on how to hack a soda machine, using their default code on Google. As a matter of fact, besides technical manuals posting their default codes online, hackers seem more than happy to share this kind of information and post it (online), also.

In many of the data breaches, we read about too frequently, default codes, or not very strong passwords might have enabled hackers to breach a system containing financial information. Visa listed this as one of the top three vulnerabilities in point-of-sale systems in a November CISP bulletin.

If you are interested you can read Visa's CISP bulletin regarding this, here.

The bulletin is focused on merchant systems, and not banking ones? Does that mean there are no vulnerabilities in banking systems?

Of course, most of the information from banks is stolen via phishing -- where a person is tricked into giving up their information (passwords highly desirable) by social engineering methods, or more and more frequently -- (at least according to the last APWG report) by downloading malware (crimeware). When malware is downloaded, no more human interface is needed, and the information is stolen (normally with keylogging software).

Maybe, we are making it too easy to hack systems? Whether we call it a code, or a password, both of these are used to open something. Essentially, they are a key, which opens up the lock of whatever you are trying to keep locked (secure). Is the problem that we've created too many different keys?

At least with keys, you have to go to a little more trouble to duplicate them. It's hard to post them online, and a little more difficult to write them down, or even memorize them.

My best advice to the less technical people out there -- dealing with layers of passwords, or default codes -- is to read the technical manuals, carefully. It might also be a good idea to consult with the salesperson selling you the device on how to make it 100 percent secure, also.

Of course, it also might be a good idea, to see what is being posted online and not to hand out your keys to the wrong person.

I recently did a post on Dariusz Grabowski, a Polish immigrant, who describes himself as the "eBay king of stolen cars." As part of his plea bargain agreement, he disclosed information on how he was stealing a lot of cars and made the statement:

You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people.
Maybe if some of the people selling the devices, protected the keys a little better, the information wouldn't be so easily picked up?

R. Lee Ermey, who played Senior Drill Instructor Gunnery Sergeant Hartman in Full Metal Jacket might have have said it best in a scene from the now classic movie.

Courtesy of YouTube and Warner Home Video

Saturday, July 14, 2007

More arrests made by ICE as a result of the Swift raids

Here is an example, where some of the people enabling illegal immigration are being held accountable for their actions.

Last December, ICE (U.S. Immigration and Customs Enforcement) made a series of raids at Swift plants. At the time, they maintained the raids were part of a larger investigation.

The investigation continued and more arrests have been made. Most of the current arrests consist of people, who are not illegal immigrants.

From the ICE press release:
U.S. Immigration and Customs Enforcement (ICE) agents Tuesday arrested 20 employees of Swift & Company (Swift), one of the nation's largest processors of pork and beef, after executing federal and state warrants in six states. The arrests included a human resources employee, a union official, and current or former Swift employees identified by the Federal Trade Commission (FTC) as suspected identity thieves.

"The criminal arrests tied to the Swift case demonstrate how entering the country illegally can serve as a gateway to other crimes including identity theft and document fraud," said Homeland Security Secretary Michael Chertoff. "We take these crimes seriously and will continue to seek out and arrest those who break the law." ICE agents made the arrests in Marshalltown, Iowa; Grand Island, Neb.; Worthington, Minn.; Greeley, Colo.; Hyrum, Utah; and Cactus, Texas.

Of those apprehended, 18 were arrested for charges relating to identity theft and administrative immigration violations. Chris Lamb, a human resources employee, and Braulio Pereyra, a union official who represents Swift employees, were arrested in Marshalltown and are charged with harboring illegal aliens. Lamb, a 17-year Swift employee, is also charged with misprision of a felony. The charge for harboring illegal aliens carries a five-year maximum prison sentence. The misprision offense is punishable by up to three years in prison.
ICE press release with more information, here.

Apparently, the powers that be at Swift must have been pretty cooperative in the investigation:

Swift is to be commended not only for its cooperation during yesterday's enforcement action, but for its continuing efforts to improve its hiring practices in order to ensure a legal workforce," said ICE Assistant Secretary Julie L. Myers. "The vast majority of companies want to do the right thing. When they do, ICE can focus our resources on the worst of the worst - those who've used stolen identities or aided illegal aliens in using stolen identities and victimized the unsuspecting public."

It will be interesting to see how this plays out and what message it sends to other people involved in this activity.

Founded in 2003, ICE is in charge of investigating issues a lot of issues besides illegal immigrants. A full description of what they do is on their site, which can be seen, here.

Suspicious activity can be reported to them at 1-866-347-2423.

For more posts from this blog about the Swift raids, or referencing it, click here.

Friday, July 13, 2007

Will stricter enforcement cause more illegal immigrants to assume real people's social security numbers?

Will a crackdown on illegal immigration mean that 13 - 20 million people will need to use legitimate social security numbers to work? In response to increasing concerns about illegal immigration, the Department of Homeland Security provides what is known as the Basic Pilot Program (web based), which verifies the validity of a social security number.

The problem is that it only verifies, whether or not the number is good (matches). It doesn't show if the number is stolen, or even if the name matches the number.

Please note that this program is a great tool, but it isn't the only tool that should be used when verifying a person's identity. Even DHS is quick to point this out in the article I cite further down in this post.

You would think it would be in an employer's best interests to do a thorough background check. Employee fraud and abuse can cost them a lot of their hard-earned profits!

If certain employers use this tool and this tool alone will 13-20 million immigrants use 13-20 million legal citizens' social security numbers to obtain employment?

The LA Times did a story about a LA County financial crimes detective, who had his own identity stolen by illegal immigrant(s). The investigation of financial crimes normally involves investigating a lot of identity theft.

The victim in this case, Detective Flores eventually confirmed that at least one of the people using his identity had been picked up in the Swift raids, which occurred late last year.

Anna Gorman (LA Times) wrote:

Under pressure from federal authorities to verify their workers' legal status, more employers are checking the validity of Social Security numbers, and that has caused many illegal immigrants to use stolen rather than made-up numbers to get jobs, immigration officials said.

"It used to be that we would only see people come in with purely bogus documents," said Julie L. Myers, assistant secretary for U.S. Immigration and Customs Enforcement. "More and more we are seeing real people, real victims."

Although the agency does not break out identity theft statistics, Myers said, "we are definitely seeing a trend."

To better protect their businesses, more employers are using the Department of Homeland Security's Basic Pilot program, which enables them to check the validity of Social Security numbers online. But Basic Pilot doesn't detect identity theft. As long as the name and Social Security number are legitimate, the online system will indicate the person using them is authorized to work.

Word of this weakness in the system has spread quickly among illegal immigrants and the document theft rings that cater to them. Thieves will dig through trash cans or scan the Internet looking for Social Security numbers. Sometimes, criminals or homeless people are willing to sell their identity documents, Myers said.

There also have been cases in which employers provide their workers with stolen numbers, Homeland Security authorities said.

Detective Flores didn't lose any money, but was threatened by collection agencies and the IRS. Like the many other victims of identity theft, he probably went through a lot of pain and suffering and spent countless hours clearing his name.

Trying to do the right thing, Detective Flores tried to have his social security number changed, but his request was refused.

If employers aren't checking very carefully and only using the Department of Homeland Security's Basic Pilot System, the background checks aren't likely to be very effective.

The trick would be to run Social Security Numbers verifying some minor details, which might include:

  • Multiple names coming back to the same SSN (common).
  • Geographical areas that don't match the stated history on the employment application.
  • Discrepancies in ages, or where the social security number was issued.

This can be accomplished pretty easily by any employer. Even if an employer doesn't run a credit check, where discrepancies would normally surface, social security number traces are available from any of the major credit bureaus.

A social trace shows the name and address information, without the financial track record of the person.

There are privacy laws to protect this information -- but just about any legitimate employer can access this information, if they really want to -- and do so, legally. In most cases, a release form signed by the applicant is all that is needed. It isn't very hard to get someone to sign a release form, if they want a job.

Data brokers sell services to businesses, where social security numbers are easily run, also. If someone knows how to read these reports (they aren't difficult), it normally isn't very hard to find the real person (identity theft victim), when questionable activity is present. They are normally listed right on the report.

Besides performing background checks, social security traces are used to find people by law enforcement, collectors and private investigators. Financial crimes investigators (like Detective Flores) use them to find the people being impersonated by identity thieves, frequently.

A simple Google search on social security traces reveals how many vendors offer this service, here.

If illegal immigrants were using totally bogus social security numbers before, it isn't going to be hard for them to get real ones. This information is sold all over the place, including the Internet.

Organized criminal groups market both the information and documents on an economy of scale, which assures that their services are available to just about anyone for a nominal charge.

The bottom line is that it isn't hard for an employer to do an effective background, especially given the tools provided in the information age. In fact, a lot (most) of them already do this. As I stated earlier, employee fraud and abuse can be pretty detrimental to a company's bottom line.

As long as the jobs are available, illegal immigration will continue to be a big problem. If labor is needed and people want to realize the American dream, the people seeking the dream and those providing the jobs, need to accomplish their goals in a legal manner.

It isn't fair for them to accomplish their needs and goals at the expense (pain and suffering) of other people, who are following the law.

LA Times article, here.

Lou Dobbs discusses a holistic (common sense) approach to this problem on his television show and website. He also provides links to where all of us can let our politicians know how we feel about this problem.

Recently, the voice of the nation let them know exactly how we feel about this matter.

In the end, illegal immigrants might be the least of our worries. Activity like this shows how easily terrorists and criminals can operate inside our borders, also. This is probably the best argument (I know of) for why we can no longer afford to let criminals control our borders.

If Social Security calls requesting personal information, it might be smart to verify who you are talking to!

(Nice Photo courtesy of Long N at Flickr)

If you get an unsolicited call from an "alleged" Social Security employee, it might be wise to verify (independently), who is calling you. Of course -- you should do this by using a number obtained from a legitimate source, and not one pointed to by the person calling -- who might be trying to steal by using your good name.

The Office of the Inspector General, Social Security Administration recently reported:

Over the past several months, the Office of the Inspector General has received a number of reports relating circumstances where individuals have been contacted by someone pretending to be an SSA employee. The caller identifies himself/herself as an SSA employee and may even provide a toll-free number as a point of contact. The caller generally asks for personal identifying information such as:

  • Social Security Number

  • Date of Birth

  • Mother's maiden name

  • Bank account information

  • Other financial account information
The impersonator may state that "the SSA computers are down" or may refer to enrollment in the Medicare prescription drug program. The intent of the impersonator is to steal your identity and/or funds from your bank accounts.

It is possible that an SSA employee may contact you to follow-up on a previous application for benefits, application for a subsidy for the Medicare Part D program, or to follow-up on business you have initiated with SSA. If you are unsure as to the authenticity of someone who claims to be an SSA employee, please call SSA's
toll-free number: 1-800-772-1213 to verify the reason for the contact and the person's identity.

More information on this particular scam can be viewed on the link provided to the original press release below.

I always recommend reporting fraud attempts. At a minimum, it helps get the word out and you never know when it will lead to someone getting caught.

Information about the OIG's fraud hotline can be obtained from the Reporting Fraud section of the OIG's website.

Link to SSA press release, here.

Scams using the telephone are nothing new, but with VoIP (Voice over Internet Protocol) technology, the frequency with which they are being seen is increasing. The reason for this is that VoIP has made calling long distance cheap.

Telephone scams using VoIP are often referred to as "vishing." If you are interested in more information on this type of scam, I've written some other posts, which can be seen, here.

Impersonating official agencies is nothing new, either. In the recent past, the IRS, FBI, DOJ, FTC and even Interpol have all been spoofed (impersonated) as part of a fraud scheme involving vishing, or it's sister scam, phishing.

Thursday, July 12, 2007

Stealing money from ATMs is taken to a more dangerous level

I've written a lot about ATM skimming -- where electronic devices are used to record payment card information, clone the information on a new card -- and steal money.

A new and much more dangerous (potentially deadly) means of stealing money from ATMs is occurring. Although most of this is happening in South Africa, it has happened recently in the United States, also.

Monica Laganparsad of the Times is reporting:

ATM blasts in KwaZulu-Natal have dramatically increased in the past two months.

During the first five months of this year seven ATM bombings were reported in the province, but in the past two months the figure has jumped to 14.

The organised crime unit of the province’s police claims to be hot on the heels of those behind the blasts.

According to the article, there have been 194 ATM bombings in South Africa this year. One man had his arms blown off, while trying to use an ATM!

I would like to have found out that ATM bombings were purely a South African phenomenon, but they are not. On July 2nd, Fox News reported a similar series of attempts in Kansas City, here.

Stealing, or attempting to break into ATMs is nothing new.

Fox News has another video, where a "Bobcat earth mover" was used to steal a ATM machine in Kansas, here.

Times (South Africa) story, here.

ATM machine after being bombed courtesy of Pat Hawks at Flickr

Saturday, July 07, 2007

Why the GAO report on Identity Theft might show that disclosure works!

I came across a thoughtful post about the recent GAO report on identity theft and data breaches written by Dissent, who blogs at the Chronicles of Dissent. This is a well-written analysis, and after reading it, I was inspired to think a few things through.

In Dissents own words:

The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737 (pdf)] was released today.

Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft ResourceCenter, and reports obtained from NY and NC under FOIA by Chris Walsh.

Although it is encouraging that that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.

Of note, Dissent is affiliated with PogoWasRight.org, which is affiliated with Attrition.org, one of the sources tracking the never-ending saga of data breaches.

I'm going to link to the full article, which I think is a valuable read for anyone interested in this subject. Then I will give my personal opinion.

Chronicles of Dissent post, here.

Identity theft seems to a growing problem, at least whenever anyone takes the time to track the statistics. If this is true, then why would known data breaches result in very few cases of identity theft?

The answer is simple, when a data breach is exposed, it isn't as easy to use!

When a data breach occurs, the human element (compromised) normally takes a lot of measures to protect their information. In fact, an entire industry (identity theft protection services) has come about, which is automating the process. This makes it harder, and probably, a lot more dangerous to use the information.

Everyone involved in studying this admits there are a lot of compromises no one knows about. These unknown compromises are probably, where most of the information being used to steal identities is coming from. After all, they don't want to waste their time on information that won't work, or even worse, put them at risk of getting caught.

One of the reasons the problem is growing is that not many of them are getting caught (my opinion).

At best, once a breach is known, someone is going to have to hold on to the information for later use (after people and organizations let their guard down).

Perhaps, these highly publicized data breaches have stopped the information from being used? If this is the case, it's certainly a good argument for mandatory notification.

In closing, our personal information has been put in too many places, that don't seem to be protected very well. The reason for this is pretty simple, also. There is a tremendous amount of money being made from selling it to market products.

As long as our information is being used for a profit and isn't being protected properly, it's only fair that those profiting should be held liable for all the notifications and clean-up.

Of course, I'm also in favor of going after the people compromising the information with a little more gusto. Since this costs money, I have no doubt, who should be helping to pay for that, also.

*Update to article 7/10/07 - Dissent owns PogoWasRight and is no longer affiliated with Attrition.org. He was kind enough to add a comment to this post, which can be viewed at the bottom of this post, here.

No one can ever be certain of anything until things become more transparent. This is why I often add that some of my thoughts are purely opinion, based on my observations of this phenomenon. I am always open to considering all points of view, and in fact, learn a lot by doing so.

(Courtesy of Flickr)

Friday, July 06, 2007

If your car gets stolen, eBay might be a good place to look for it!

If your car was recently stolen, it might be a good idea to check out the listings on eBay, according to Dariusz Grabowski, a.k.a (also known as) as the "eBay king of stolen cars."

Rick Hepp at the Star-Ledger reports:

Grabowski and his crew would buy junked or damaged vehicles at auctions and look for similar newer cars to steal. Once they found a car they wanted, they would get its vehicle identification number, usually found in sales ads or right on the car's windshield.

Today's newer car keys can only be duplicated if their computer chips are programmed according to the vehicle identification numbers. Car owners who lose their keys and want duplicates generally go to locksmiths who program the new keys by getting "key codes" from database companies hired by auto manufacturers.

Posing as a locksmith, Grabowski got these codes from the database companies and then made brand new keys. His crew took the keys and simply drove off with the cars.

Before selling the cars, they made them look legitimate by switching the vehicle identification numbers with the ID numbers of the junked cars they had bought.

Grabowski learned how to do all of this by surfing websites that provide technical assistance to locksmiths, and interestingly enough, buying any hardware he needed, on eBay:

You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people.
From there, Grabowski got a business license, which he made on a computer "real quick" and lavished special attention on a female owner of a company licensed to provide locksmiths with the necessary code to clone keys.

Grabowski and crew have all been convicted, but their victims are still paying the price for their misdeeds. New Jersey State Investigator, Jeffrey Lorman was quoted in the article as saying:

The buyers were happy with the cars, they got a great deal. Then we found out about Dariusz and the stolen cars were recovered. Some of these people are still paying for cars they no longer have.
The article mentioned that Grabowski was affiliated with a lot of other Polish nationals, involved in the business of stealing cars, also.

Our friend Dariusz, might or might not be the eBay king of stolen cars. If he is, he isn't alone, at least according to Google. A simple Google search reveals a large amount of information related to scams involving automobiles on eBay, here.

Fraud, Phishing and Financial Misdeeds a.k.a. (sometimes) FraudWar has a lot of information on auction fraud (if anyone is interested), here.

My advice is to be extremely cautious when buying a car on an auction site! If you choose to be cautious a good place to perform due diligence is CarBuyingTips.com, which can be seen, here.

The word is caveat emptor, latin for "buyer beware."

Star-Ledger article, here.

Wednesday, July 04, 2007

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Large data breaches are becoming a VERY frequent news event! This time only 2.3 million records were stolen, a mere fraction of the amount (45 million plus) TJX lost. In this instance, we are told we have nothing to fear because the information was sold to a data broker.

Ron Word of the AP (courtesy of the Washington Post) reports:

Fidelity National Information Services, a financial processing company, said yesterday that a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information.

This occurred at one of their subsidiaries, Certegy Check Services.

According to the article:

About 2.2 million records stolen from Certegy contained bank account information and 99,000 contained credit card information, company officials said.

Since Certegy verifies check transactions, this probably means a lot of checking account information in addition to some credit and personal information. From a financial crimes perspective, this information could be used to commit a lot of identity theft, check and credit card fraud.

The company claims the information was sold to data brokers, who sold it to direct marketers. Their president, Renz Nichols, "believes" this is the extent of the damage.

Not sure, if I can "believe" that no one is at risk. The last time I checked, identity thieves normally shy away from revealing exactly, who they intend to compromise next. It's bad for business. Besides that, is this based on the word of someone, who stole the information and sold it in the first place?

Interestingly enough, the data broker is unnamed at this point. The AP article does say they are claiming they didn't know the information was stolen. I wonder how this data broker verifies the information they get, and who they are getting it from?

Data brokers and credit bureaus sell information all the time. Recently, a data broker (InfoUSA) was caught selling direct marketing information to spammers, who commit lottery fraud schemes.

The sad thing is that once the information starts getting sold, it becomes available to more and more insiders, who might sell it to the wrong person, assuming it hasn't been already.

And there is so much information to be sold, no one is ever sure exactly where it came from. Criminals are even selling it via the Internet to other criminals.

AP Story (courtesy of the Washington Post), here.

Attrition.org is tracking data breaches, here. The amount of them that happen is pretty scary!

I've written a lot of about how data brokers make billions buying and selling our information, which can later used against us, here.

They don't believe they are enabling a worldwide problem, either.

At least that's what I keep hearing, whenever a new data breach is announced.

FlexiSpy - software that spies on people via their smart phone

There is already a lot of "buzz" that mobile phones, especially those of the smarter variety, will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone, who uses a smart phone.

Here is FlexiSPY's marketing pitch (from their site):

Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms etc.
If FlexiSPY is installed on a smart phone, it downloads data to their server 4 times a day, which can be accessed via the Internet by anyone paying for their service 24 hours a day, 7 days a week.

The FlexiSPY site blasts F-Secure, a security vendor, for calling their software a trojan, and claims FlexiSPY will not answer their e-mails. This is probably because F-Secure was the first one to question this software and it's potential abuse factor. The site claims F-Secure's true intent is to sell their own software, which can remove FlexiSPY.

This is partially true, billions are made in the spy versus spy (white-hat versus black-hat) world of computer security. Although, in all fairness, F-Secure isn't the only on record that is worried about the use of FlexiSPY's spyware.

According to FlexiSPY, their software IS NOT a trojan because it has to be loaded on a telephone by a human being, and the software doesn't replicate itself.

I wonder how long it will be before a hacker figures out how to drop the software remotely? Of course, it also makes sense that FlexiSPY wouldn't want someone to be able to replicate their software. Replicated software doesn't make them any money.

I'll leave it to the reader's imagination how a product like this could be used by criminals, spies, or stalkers.

It never ceases to amaze me how some of these products are sold right over the Internet to ANYONE! It gives credence to the old saying, "there ought to be a law."

FlexiSPY even lists several electronic publications on their site as "talking about them." I decided to see what a few of them (besides F-Secure) had to say.

Gizmodo states:
The software allows a sickening amount of privacy invading features.

Endgaget states:

While FlexiSPY is designed to install itself invisibly, it's now been officially categorized as a trojan (which, face it, it really is) and has been added to F-Secure's virus database.

And the Register states:

A piece of software which allows a user to track another person's mobile phone use would be almost impossible to use in the UK without breaking the law, according to a surveillance law expert.

If fact, using this software could be illegal and subject to penalties in most of the civilized world. Most of these countries would require some sort of court order, even if this technology were to be used by law enforcement.

Gizmodo story, here.

Engadget story, here.

Register story, here.

FlexiSPY acknowledges the same concern that the surveillance law expert brings up in the Register article about them:
It is the responsibility of the user of FlexiSPY to ascertain, and obey, all applicable laws in their country in regard to the use of FlexiSPY for "sneaky purposes". If you are in doubt, consult your local attorney before using FlexiSPY. By downloading and installing FlexiSPY, you represent that FlexiSPY will be used in only a lawful manner. Logging other people's SMS messages & other phone activity or installing FlexiSPY on another person's phone without their knowledge can be considered as an illegal activity in your country. Vervata assumes no liability and is not responsible for any misuse or damage caused by our FlexiSPY. It's final user's responsibility to obey all laws in their country. By purchasing & downloading FlexiSPY, you hereby agree to the above.

I guess the old latin saying "caveat emptor" (buyer beware) applies in this instance!

Sunday, July 01, 2007

Phishermen impersonate DOJ in spam e-mail

DOJ logo. The press release mentions that the e-mail contains their official logo. Copying graphics is extremely easy to do. Internet criminals do this to make their spam e-mails look more official, or even to create totally spoofed (impersonated) websites.

Recently, Internet Phishermen have spoofed the IRS, FTC and the FBI to trick people into giving out personal/financial information. Of course, they spoof a lot of other organizations, also.

Apparently, the e-mail even contains the DOJ logo on it. This isn't very hard to do because copying graphics takes very little technical skill. To demonstrate, I will copy the DOJ logo and place it at the top of this post.

Because this is so easy to do, a lot of fake websites (mostly financial institutions) are all over the Internet.

From the DOJ press release dated June 27th:

The Department of Justice has recently become aware of fraudulent spam e-mail messages claiming to be from DOJ. Based upon complaints from the public, it is believed that the fraudulent messages are addressed "Dear Citizen." The messages are believed to assert that the recipients or their businesses have been the subject of complaints filed with DOJ and also forwarded to the Internal Revenue Service. In addition, such email messages may provide a case number, and state that the complaint was "filled [sic] by Mr. Henry Stewart." A DOJ logo may appear at the top of the email message or in an attached file. Finally, the message may include an attachment that supposedly contains a copy of the complaint and contact information for Mr. Stewart.

Although most phishing attempts are designed to trick people into giving up their personal/financial information, malware (crimeware) automates the process. Here is what the DOJ has to say about that:

Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by "double-clicking" on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.
Press release with links of where to report these phishy e-mails, here. There are also some links to government sites designed to educate the public on Internet crime on the news release, also.

If you would like to see how easy it is to copy graphics and make a fraud website look like a legitimate one, Artists Against 419 has a lot of actual examples on their site (see Lad Vampire link), here.

The Anti Phishing Working Group compiles statistics on spam and phishing. Every time they issue a new report (monthly), a new record seems to be set. APWG site, here.

Graphic illustration of what might happen to your computer after "double clicking" on an e-mail attachment from the Phishermen (courtesy of the FBI)!

It appears even the FBI has a sense of humor! Great picture (my opinion).

The problem of unsafe products from China are just a symptom of the bigger problem!

Interesting picture about consumer protection, courtesy of Flickr.

In the past couple of months, we've seen some alarming stories about dangerous products coming from China.

Dirk Lammers of the Associated Press wrote:

Poisoned pet food. Seafood laced with potentially dangerous antibiotics. Toothpaste tainted with an ingredient in antifreeze. Tires missing a key safety component. U.S. shoppers may be forgiven if they are becoming leery of Chinese-made goods and are trying to fill their shopping carts with products free of ingredients from that country. The trouble is, that may be almost impossible.

The Lammers family shopped far and wide, and came to the conclusion that merchants sell all kinds of products from China. Even more alarming, even if the label didn't say "made in China," it likely has a component (ingredient) that was.

The reason for this is simple, companies make billions off the cheap labor found in China and other less developed countries lacking the same level of consumer protection, we think (my opinion) we have.

The U.S. Bureau of Labor Statistics, which keeps tally of labor costs abroad, doesn't seem to have any data on China, or India for that matter. I mention India because, we seem to be in the market for a lot of their labor, recently.

The closest I could find was Sri Lanka, which in 2005 (most recent year available) has a labor compensation rate of 52 cents an hour.

I noticed a lot of countries left out. For instance, the region to the South of the United States, only has data for Mexico and Brazil. Mexico, which has a better economy than most of the area, has a labor cost of $1.57 an hour.

Maybe this is one of the major reasons our border to the South isn't very secure. Minimum wage, or even welfare benefits must seem like a king's ransom to some of these people.

Going back to China, I was able to find an estimate of labor costs in China by using Google. Judith Banner wrote in the Monthly Labor News Review:

Employees in China’s city manufacturing enterprises received a total compensation of $0.95 per hour, while their non-city counterparts, about whom such estimates had not previously been generally available, averaged less than half that: $0.41 per hour. Altogether, with a large majority of manufacturing employees working outside the cities, the average hourly manufacturing compensation estimated for China in 2002 was $0.57, about 3 percent of the average hourly compensation of manufacturing production workers in the United States and of many developed countries of the world.

A little higher than the government figure for Sri Lanka, but not much. Of course, I can think of a lot of countries, we outsource the cost of labor to, not included on the government list.

It makes sense -- that since a lot of these countries have a much lower standard of living, as well as, not very many consumer protection laws -- unsafe products have the capability to spread, worldwide.

In fact, with counterfeiting (another worldwide problem) thrown in, who knows what might show up in the supply chain? For example, it was recently disclosed that counterfeit drugs from China were likely being dispensed from pharmacies in the United States.

Chris Hansen, Dateline, did a pretty revealing story about this, here. The FDA did announce new rules, shortly after this, but I'm not sure this makes us very safe. All sorts of illegal drugs, make it past customs, daily.

I'm not sure if blaming China is the solution. After all, we aren't only outsourcing labor costs over there. Many of the other countries we outsource labor to, don't protect their people very well, and could care less about, consumer protection, also.

In fact, in many of these countries, people have a hard enough time keeping food on table!

Perhaps, we should take a closer look at ourselves? There are corporations here in the West, making a lot of money by stocking these products on our shelves. And at less than 60 cents an hour in labor costs, it must be extremely profitable for them.

The worker in China, or Sri Lanka isn't living very well off less than 60 cents an hour.

Perhaps, if certain companies had to start paying the true costs of padding their bottom lines with cheap labor, it wouldn't be as profitable.

I was amazed that despite all the special interests, obviously behind the recent immigration bill, that it was promptly defeated by the voice of the public. Many of us believe this bill, was at least in part, a ploy to drive down the cost of labor.

I'm not saying that all the politicians had ulterior motives, or that all corporations lack ethics, but it did reveal that the voter (individual person) has a choice, and more importantly, a voice!

It might be wise for politicians and corporations to get more on board with their voters, and customers.

If you are interested in learning more about this, I recommend Lou Dobbs, who has become extremely outspoken about a "war against the middle class." His site can be viewed, here.

Here are some references used for this post.

Article by Judith Bannister (Monthly Labor News Review), here.

Article by Dirk Lammers (AP), courtesy of the Washington Post, here.

Counterfeiting merchandise is enabled by outsourcing labor (my opinion). I've written a lot about this, here.

Previous posts about China and other dangerous activities coming from there, including espionage and hacking, can be viewed, here.