Friday, August 31, 2007

Were camera systems hacked in the bomb threat hoaxes?

Photo courtesy of elegantmob at Flickr

The bomb hoaxes occurring nationwide are creating a lot of fear and speculation.

When reading a Slashdot entry, I came across one of the more interesting speculations about these bomb threats. The speculation is that hackers are taking control of the camera systems in the affected locations and have the ability to monitor the hysteria they are creating live via CCTV.

Here is the entry, I read on Slashdot, which is based on a news article and the comments of a certain Chief of Police:

The FBI is investigating fifteen store robberies in eleven states, committed via phone and Internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article,

"A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."

Since most camera systems of the digital variety transmit their data (images) via the Internet, I suppose it is (remotely) possible for hackers to get into a not very well protected system and take advantage of it.

The problem is that most of these camera systems, that might have been hacked, belong to major financial institutions or retailers. As far as I know -- most of these systems operate on an intranet, which is also normally protected by a firewall -- and therefore (in theory) would be pretty hard to get into.

A hacker would have to get past the intranet and firewall to access the CCTV systems.

If you are curious about the difference between Internet and intranet, Wikipedia has a good explanation, here.

With numerous companies and institutions being targeted, all of which in theory have different intranets and firewalls, it would take a lot of hacking to take control of all the camera systems involved (my personal speculation).

I suppose it's also possible that hidden cameras were placed in one of the stores and transmitted over the Internet. It could also be possible that a live person is watching and reporting what is going on via telephone.

The problem with these other speculations is that so far, no one is reporting finding any covert camera equipment. My guess is that these places are searched pretty extensively after the threat is made.

Additionally, human beings covertly reporting the "goings on" during one of these hoaxes doesn't seem very practical, once you think about it. This has occurred in eleven States and the amounts requested aren't in the millions of dollars. It wouldn't be very feasible to use human beings over this wide an area, considering the amount of money involved.

I've learned to "never say never," but I suspect a little fast talking, possible knowledge of the victim's layout (most of these places are set up the same) and the use of fear is how this bomb threat scam is being accomplished.

When I first read about this, I reflected that fear is being used in order to get money wired to criminals. Fear is just another method of social engineering (trickery), which seems to be one common denominator in most of the scams involving the wiring of money.

Despite the fact that many of these scams are spreading quickly with the assistance of technology, it still takes a human element to make the whole thing work.

Exploiting wire transfer systems to steal money is nothing new, either. Wire transfer transactions have become a preferred method of stealing money in a lot of Internet type scams. From romance to lottery scams, with a lot of other variations in-between, Internet criminals have been tricking people into wiring money to them for quite awhile now.

When money is wired, once it is picked up (often within minutes), it's very hard to trace. Please note that these other scams involving wire transfers are predicated on tricking human beings, also.

The good news is that the FBI, Secret Service and Western Union are actively going after the people behind this. Rumor has it they are close to making some arrests.

Since the exact details of the case are being kept confidential, which is important to give the good guys an edge in catching these crooks, all the rest of us can do is speculate.

Let's wish them success in their endeavors and look forward to announcement that the people behind this have been caught! After all, this hoax (scam) is NOT very amusing!

Of note, most experts will always strongly recommend to treat a bomb hoax seriously, despite the fact that most of them are hoaxes. It is recommended that all organizations have a plan on how to handle these scenarios. has an extensive page with some pretty good advice (my opinion), here.

Slashdot entry by Erris (531066) and posted by samzenpus, here.

The article, they are referring to comes from News 5 in Phoenix, Arizona.

Thursday, August 30, 2007

Fake e-mail from the BBB stating someone complained about you is a scam!

If you get an e-mail from the Better Business Bureau stating that a complaint has been made against you - it might be a good idea to just delete it.

Websense is reporting:

Websense® Security Labs™ has received reports of a new email spam variant similar to an attack launched early this year. The spoofed email purports to be from the Better Business Bureau (BBB). The message claims that a complaint has been filed against the recipient's company. Attached to the message is a Microsoft Word document (Document_for_Case.doc), supposedly containing additional details regarding the complaint. The Word document actually contains a Trojan Downloader that, when opened, attempts to download and install a keylogger. This keylogger uploads stolen data to an IP address in Malaysia.

Keyloggers record the keystokes on a computer and then send them back to the crooks, who installed them.

They are normally interested in your password information, especially if it gives them access to personal financial data. That way they can rob you blind.

In case, you just have to know, whether or not, you've received a complaint at the Better Business Bureau, it might be a good idea to contact them independently to inquire into it.

Their website is here.

The best way to avoid becoming compromised is to have updated security software protecting your system and even better yet -- avoid clicking, or even opening unsolicited e-mails no matter, who they claim to be from!

Websense alert (with screenshots), here.

Wednesday, August 29, 2007

ICE raids two more companies and discovers stolen identities being used by illegal immigrants

Two more food processing companies have been raided by ICE (Immmigration and Customs Enforcement) in the past week. At least some of the illegal immigrants detained were found to be using stolen identities.

In North Carolina, 25 of the illegal immigrants were using the identities of U.S. citizens.

From the ICE press release:

United States Attorney George E. B. Holding announced today that his office has obtained criminal complaints charging 25 individuals with identity theft and various immigration violations. These individuals were arrested on Aug. 22, 2007, U.S. Immigration and Customs Enforcement (ICE) agents as part of an investigation that focused on individuals who were working at the Smithfield Processing plant in Tar Heel, N.C., and who had, as part of the commission of other crimes, transferred, possessed or used the identification of someone else in violation of federal law. The United States Attorney will ask the federal grand jury to consider these cases in the near future.
Meanwhile, in Ohio raids were conducted on Koch Foods and 160 illegal immigrants were detained. While this was going on a search warrant was executed at their corporate office in Chicago.

From the ICE press release:

Special agents from U.S. Immigration and Customs Enforcement (ICE) today executed criminal search warrants at Koch Foods in Fairfield, Ohio. ICE identified more than 180 Koch employees working at the Fairfield plant requiring further questioning and administratively arrested more than 160 as of 4PM for immigration violations. ICE agents simultaneously executed criminal search warrants at Koch's corporate office in Chicago.

There is no disclosure as to whether any of these people were using other people's identities.

In both press releases, ICE outlined the reasons for the raids:

Unlawful employment is one of the key magnets drawing illegal aliens across our borders," said Julie L. Myers, Assistant Secretary of Homeland Security for ICE. "When illegal aliens use fraudulent documents or engage in identity theft, they not only exploit a vulnerability, they also cause real harm to U.S. citizens. We will pursue egregious violators by seeking criminal charges and continue to deploy tools such as the new social security no match guidelines to help businesses comply with the law."

Besides unlawful employment, there is a flourishing trade in counterfeit documents that enables a lot of illegal immigrants to obtain employment.

Suad Leija's Paper Weapons site is a place, where you can get an inside look at how bad this problem is. It also shows how other crimes, besides illegal immigration are tied into the trade.

Suad is currently writing a book, which will go into a lot of detail about the trade in paper weapons.

ICE press release on the North Carolina raid, here.

ICE press release on the Ohio and Illinois raids, here.

Previous posts on how illegal immigration ties into other crimes can be viewed, here.

IRS name used to phish for ID theft victims, again!

Government agencies and trusted brands are often spoofed (impersonated) in phishing attempts, which are social engineering ploys to steal personal and financial information, and or download cybernasties (malware, crimeware) on your system. Please note the cybernasties normally steal information from your computer, also.

The information culled from you, or your computer is then used to make YOU an identity theft statistic.

In the past couple of years, spoofing the IRS has become an old story, but they keep on doing it.

Here are the most recent updates on IRS phishing scams:

Updated Aug. 24, 2007 — The Internal Revenue Service today warned taxpayers of a new phishing scam, in which an e-mail purporting to come from the IRS advises taxpayers they can receive $80 by filling out an online customer satisfaction survey. The IRS urges taxpayers to ignore this solicitation and not provide any requested information. The IRS does not initiate contact with taxpayers through e-mail.

Updated June 19, 2007 — In another recent scam, consumers have received a "Tax Avoidance Investigation" e-mail claiming to come from the IRS' "Fraud Department" in which the recipient is asked to complete an "investigation form," for which there is a link contained in the e-mail, because of possible fraud that the recipient committed. It is believed that clicking on the link may activate a Trojan Horse.

Full IRS press release on this matter, here.

Phishing isn't limited to impersonating the IRS, the APWG (Anti-Phishing Working Group) tracks this ever growing problem and offers advice on how to avoid getting hooked, here.

Previous posts about phishing attempts impersonating the IRS can be seen, here.

Tuesday, August 28, 2007

China caught stealing government information again!

The Chinese, who were recently accused of poisoning pets and selling toxic toothpaste are now being accused of hacking into government computers in Germany.

Roger Boyes of the TIMESONLINE reports:

Der Spiegel, quoting senior officials from the German equivalent of Special Branch, said that the hacking operation was discovered in May. Computers in the Chancellery, the Foreign, Economics and Research ministries had been targeted. The Federal Office for the Protection of the Constitution (BfV) conducted a comprehensive search of government IT installations and prevented a further 160 giga-bytes of information being transferred to China. Commentators described it as “the biggest digital defence ever mounted by the German state”.

The information was being siphoned off almost daily by hackers in Lanzhou, northern China, in Canton province and in Beijing. The scale and the nature of the data being stolen suggest, the investigators say, that the operation must have been steered by the State and, in particular, the People’s Liberation Army.

Naturally, the Chinese are denying involvement, but this isn't the first time we've heard of them hacking into systems, or committing government/corporate espionage.

Here are a couple of posts, I wrote awhile ago where U.S. government computers were the target:

How Dangerous is China

The Hackers from China are at it AGAIN!

Last year, the FBI arrested two men stealing technology secrets and attempting to take them to China. Their press release on this matter can be seen, here.

USA Today (David J. Lynch) also did an excellent article quoting FBI sources about the problem, which can be seen, here.

We need to start considering the consequences of continuing to allow this to go on unchecked.

Roger Boyes story (worth reading), here.

Sunday, August 26, 2007

Apophis - a malware tool that is smart and can steal 30,000 people's personal details

If anyone thinks our personal information is safe, think again. Panda Labs, an International security software company, recently discovered a tool, which appears to be stealing personal and financial details on a global basis.

From Panda's press release:

A version of Apophis, a tool used by cyber-crooks to handle information stolen from users infected by several variants of the Nuklus family of Trojans, stores data belonging to over 30,000 users from more than twenty countries. PandaLabs has been able to access a file with some of the stolen data. This file kept encrypted confidential data belonging to almost 1,500 people from the USA, Canada and the UK.

Surprisingly enough, this data contained, in addition to information about bank and email accounts, information such as the users’ postal address, phone number or their credit card expiry date. With this information, cyber-crooks not only can get the users’ money, but also impersonate them and use their identity to make purchases, bank transfers, etc., in their name.
In more simple terms, this gives criminals the ability to clean out your financial resources, then use your information to get more credit, which you will be hounded for when the bills aren't paid.

Besides that, stolen identities are used by illegal immigrants, criminals and some claim, terrorists to blend into society.

Even worse, this tool is considered smart -- it actively searches out the information criminals desire.

According to Panda, this tool can store over 30,000 records. That is a lot of people that can be victimized by just one of these nasty devices.

More information, including some screen shots from the Panda blog, here.

The press release can be viewed, here.

Panda also offers a free scan to see if your computer might be infected, here.

Saturday, August 25, 2007 might be sending you a letter that your information was compromised

Photo courtesy of shane_allen at Flickr

If you posted your information for a job on, you might be getting a letter notifying you that your personal details have been compromised:

Joseph Menn, Los Angeles Times is reporting: said Thursday that 1.3 million users had personal information stolen by criminals who hacked into the job-placement website. The company said it would warn each of the victims by mail.

Monster parent Monster Worldwide Inc. said it identified the victims after analyzing the data found this week by computer security firm Symantec Corp., which had estimated that hundreds of thousands of people were at risk.

In this latest data breach, it is being reported that only names, addresses and e-mail addresses were stolen. This information will likely be used to lure potential job candidates into what are known as job scams.

In a job scam, a person is recruited into cashing bogus financial instruments, or laundering the proceeds of Internet crime. In most instances, these bogus employers will request a lot of personal and financial information (supposedly to vet the new employee)and this is probably where someone would put themselves at a real risk of becoming an identity theft victim.

The LA Times article also stated:

Also Thursday, some Monster users said they had received such e-mails as far back as February.

Since job scams are nothing new and Monster isn't the only site, where scammers gather information to lure people into doing their dirty work, it's very possible that the current data breach has nothing to do with the e-mails going as far back as February.

I've seen these types of e-mails going back a lot further that February.

Here is a previous post, I did with an emphasis on the social engineering aspects of job scams:

Internet criminals stealing information from job sites isn't anything new!

LA Times article, here.

7-Eleven Clerk accused of stealing winning lottery ticket from customer

This story shows why it might be important to be careful when checking your lottery ticket at your local 7-Eleven.

Art Campos at the Sacramento Bee is reporting:

A man who went to a 7-Eleven in Roseville to check on his lottery tickets had picked the right numbers, but state officials said it was the clerk who almost hit the jackpot.

The female clerk told the customer he won $4 on his Mega Millions picks for Aug. 14, and then pocketed his winning ticket worth $555,000, California Lottery officials said.

However, the clerk's alleged scheme fell apart after the unnamed victim became suspicious and called lottery officials.
It turns out that the California lottery officials were not very amused:

Donald Currier, the lottery's chief legal counsel, said it was the second time in two years that a retail clerk had been arrested for allegedly stealing a winning ticket.

"To any clerks out there who think they can steal a winning ticket, we'll get you," Currier said. "Clerks just don't get away with it."
Apparently, this also happened in 2006 in Southern California.

Lottery security officials recommend you always sign your tickets. This will make it a lot harder for a dishonest employee to try to take advantage of the situation.

Sacramento Bee article, here.

Friday, August 24, 2007

Internet criminals stealing information from job sites isn't anything new!

The recent reports about 1.3 million Monster users having their information stolen from the job site has become somewhat of a major news story. While this seems shocking, the truth is that job sites have been targeted for the information they contain, or to recruit people to commit crimes (sometimes unknowingly) for quite awhile now.

Jim Finkle at Retuers (courtesy of the Washington Post) recently covered this story: waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.

Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc said were stolen from its clients, in one of the biggest Internet security breaches in recent memory.

They launched the attack using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program known as Infostealer.Monstres, said Patrick Manzo, vice president of compliance and fraud prevention for Monster, in a phone interview.
Symantec -- who broke the story has published some of the examples of the fake job offers being sent to people -- posting their resumes on Monster, here.

People can protect themselves by being aware of the social engineering aspects of these scams. The job offers are always too good to be true and normally don't make very much sense.

Most of them are ploys to either cash bogus financial instruments, or launder the proceeds of Internet crime. Another red flag is that the employee is solicited to wire money, normally across a International border.

The employee (victim) then ends up financially liable, and in some instances, can even end up facing criminal charges. In most areas, cashing bogus financial instruments and money laundering is considered a crime.

The scammers, who offer these jobs intend to get someone else to take all the risk for them, while they reap most of the financial rewards.

Monster isn't the only place, where this happens. The risk is there on just about any of the Internet job sites, including Craigslist.

If you use these sites, it's a good idea to verify, who you are talking to before accepting a job offer.

The Privacy Rights Clearinghouse has an excellent page about job scams on their website, here.

Because these fake employers gather their victims's personal and financial information, they are likely to become an identity theft victim, also.

The page on the Privacy Right Clearinghouse site gives good advice on how to deal with this, also.

The good news is these scams are pretty easy to spot and a little awareness can prevent them from happening altogether.

Reuters story (courtesy of the Washington Post), here.

Tuesday, August 21, 2007

The sad state of affairs in the information (identity) theft crisis

It shouldn't surprise anyone that data breaches are becoming more prevalent than ever, or that identity theft is up fifty percent since 2003.

Robert L. Scheier (courtesy of InfoWorld) wrote an article about this that is getting a lot of play in the press:

Today's electronic world is a risky place for your personal data -- and it's not getting any safer. More than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005, according to The Privacy Rights Clearing House, a nonprofit consumer rights organization.

As fast as banks, merchants and consumers add new layers of security to their storage systems and network, say security analysts, new technologies -- or simply careless users -- create new security holes that aggressive and sophisticated identity thieves eagerly exploit. The result, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., is that "things will get worse before they get better."

Whether information is being stolen by phishing, pharming, hacking, insider theft, or common dumpster diving - the problem seems to be growing by leaps and bounds.

An interesting aspect, which I've covered in previous posts is that criminals seem to be using technology as a marketing tool - just like their counterparts in more legitimate businesses:

Criminals are also getting smarter. Larry Ponemon, chairman and founder of Ponemon Institute, which conducts research on privacy and security issues, calls it "inverted customer relationship management," in which criminals target the wealthiest individuals for their attacks.

Some are even buying marketing lists to piece together profiles of "who's got the Platinum [American Express card] and who's got the account with Merrill Lynch and who doesn't," says Litan.
I found this particularly interesting because a reasonable person would have to question, who is selling them these lists?

In the most recent high profile data breach to hit the news at Certegy, a dishonest insider sold the information to a broker. Interestingly enough, as far as I know, this information broker has yet to be identified. The next question might be - who did the information broker sell the information to?

Recently, another data broker (InfoUSA) was pegged for selling marketing lists to sweepstakes scammers.

Perhaps PogoWasRight, who states "We have met the enemy and he is us" hits the reason for the problem right on the nose.

A lot of people are making billions, if not trillions of dollars making it easy to use information. So much information has been plastered in so many places, we seem to have lost track of it all.

This gives the criminals behind this phenomenon a lot of places to steal, or even buy everything they need to commit identity theft.

Another sad statistic is that these criminals seem to rarely get caught. Pretty sure the last statistic I saw was less than 1 percent. This makes it a pretty lucrative criminal enterprise to be involved in.

Despite this, we still don't have a law that addresses data breaches?

With the elections coming up, perhaps we should be asking our elected leaders, why this is the case?

The only way to turn this trend around is to make everyone involved in it, more accountable.

Interesting article by Robert L. Scheier, here.

The article mentions statistics gathered by the Privacy Rights Clearinghouse, which I quote frequently. Other places that gather information on this are PogoWasRight and

And all of them will be the first to tell you - these are only the breaches we know about. The mysterious criminals stealing the information would rather not disclose, who they are stealing IT from. Of course, the people getting the information stolen from them would probably rather not make it public, either.

Sunday, August 19, 2007

A look into Arizona's identity theft and counterfeit document problem

Fake ID picture courtesy of caural at Flickr

I've done a couple of posts about how new employment verification laws are likely cause more illegal immigrants to use real identities. In the not too distant future, Social Security numbers are probably going to have to be able to be tied into a real identity to meet federal employment eligibility requirements.

Arizona -- which already ranks extremely high in incidents of identity theft, according to the various studies conducted on the subject -- might be on the front line of a new effort designed to stem the flow of illegal immigration.

Daniel González (Arizona Republic) did an interesting story on this issue in Arizona:

Arizona's new employer-sanctions law requires companies to verify worker eligibility through a federal database. Lawmakers in other states also are taking steps to make it more difficult for illegal immigrants to use fake documents to land jobs, hoping the crackdown will cut down on illegal immigration. And under new rules announced last week by the Bush administration, employers risk prosecution if they don't fire workers whose names and Social Security numbers don't match.

But nobody thinks the fraudulent-document industry in Arizona will dry up and disappear. If anything, it's going to get bigger and more sophisticated as criminals who make fake documents adapt to meet demand. The database can't flag documents made with stolen identities, where the names and numbers match. As a result, a proliferation of fraudulent IDs, combined with identity theft, could undercut the employer-sanctions law.

In July, Arizona signed a pretty tough law designed to go after employers, who hire illegal immigrants:

In July, Gov. Janet Napolitano signed a tough employer-sanctions law aimed at turning off the job magnet that draws illegal immigrants. The law, which takes effect Jan. 1, revokes business licenses of employers caught knowingly hiring illegal workers a second time. It also requires the more than 150,000 licensed Arizona employers to run Social Security numbers and other data for new employees through the federal Basic Pilot Program, an electronic verification system. Arizona businesses employ about 2.6 million workers.

Two other states, Colorado and Georgia, have passed similar laws.

David's interesting article goes on to give some scary (real world) examples of how easily counterfeit documents are obtained.

In the article, David cites an Arizona Task Force, which was able to get all kinds of counterfeit documents using names of known terrorists.

The crooks and gangsters behind data breaches -- which frequently make the news, and already provide a lot of information to criminals in too many places, including Internet chatrooms -- are probably gearing up to sell to a potentially large market segment (20 million people).

Of course, a lot of legitimate businesses are already marketing to this segment of society. How many times do we hear, "press 1 for English ..," when using the services of a lot of the businesses out there?

It's become easy to counterfeit documents and too much information has already been compromised. A lot of these documents are produced in apartments and garages, using portable technology, easily purchased from a variety of sources. It doesn't take a lot of expertise to accomplish what causes a lot of damage to the person, who has had their identity stolen.

The criminals selling the information and producing the counterfeit documents don't really care, who is buying them as long as they are getting paid.

There is no easy solution to this. There are a lot of reasons from the rights of the middle class (who foot the bill for all of this) to our health and well-being, which dictate that stronger action needs be taken.

I just hope, we aren't planning to take half-steps and end up with a bigger problem.

The key would be to look at the enabling factors, which make it pretty easy to use someone else's information. The government, financial, retail and IT sectors need to start working together instead of against each other. Recently, this problem seems to be turning into a blame game, where everyone seems to be blaming each other.

Hopefully, most of them are already taking measures to do this. Getting caught losing information doesn't exactly inspire consumer confidence, or the trust of the voting public.

Besides that, it's getting more and more expensive to clean up the mess that this problem causes. Maybe the cost (money involved) will be what finally gets a few people's attention!

Daniel González's very interesting article, here.

Saturday, August 18, 2007

Russian identity thieves target the rich and famous

Photo courtesy of CarbonNYC at Flickr

An interesting story hit the news this week about some Russian identity thieves targeting the rich and famous.

The ringleader was talked into meeting Federal Agents in the Dominican Republic, then entered the country (he believed illegally) and was arrested. Not very bright, especially given the clout of his intended victims.

Tom Fragala at the Truston Blog had some interesting and well thought out commentary about how the less rich and not so influential might be targeted in a caper like this.

In Tom's own words:

ID thieves going after the ultra-rich or celebrities is nothing new. That is not what makes this story interesting to me. It’s that the “ring” of thieves showed a bit of ingenuity in how it targeted the victims. The ring leader allegedly did public records searches such as home purchases. That’s right, if you purchase a home, then tremendous amounts of information about you is made available to anyone for a small fee. The law requires the information is made public via a UCC filing (uniform commercial code). Then using that information, such as the bank listed on the mortgage documents, and piecing together parts of your identity from other places, your financial accounts might be able to be compromised. In other words, if the thief knows your brokerage account is with Wells Fargo, the thief can then pose as you to authorize a withdrawal. Perhaps a wire transfer to Russia, Vanuatu or Nigeria.

And your bank is not necessarily going to come riding to the rescue and return your funds because, well, “they have to, right?” Not exactly. Can you name the US federal statute that provides consumer fraud protections for your brokerage or home equity account like FCRA does for your credit card? Don’t waste your time, it doesn’t exist. What about the Federal Trade Commission, don’t they help you? Nope, they have no jurisdiction. Banking oversight is handled by a hodge podge of agencies depending on where and how your bank/credit union is chartered.
According to the story, the information to do this was data mined online (probably from a County or State website).

Too much personal information being stored on government sites is a huge problem. Recently, I did a post about Betty Ostegren a.k.a. (also known as) the Virginia Watchdog. Betty actively goes after State and County governments, who leave information on their sites that could be used to commit identity theft, or worse. Although, a lot of sites have pulled some of the information off their sites, it's still a major problem.

When I was working on the post, Betty was able to show me how she has been able to view the personal information of a lot of prominent people from the comfort of her home.

In this instance, the crooks were caught, but the amount of money they almost got away with is scary.

Truston blog post, here.

Tom is the CEO of Truston, which is the only identity theft detection/recovery service (that I know of) that doesn't require you provide all your personal information to them. They are also unique in the fact that their detection (prevention) services are free.

A lot of identity theft services out there require you to surrender all your information and even give them your power of attorney.

As evidenced in the recent Certegy data breach, a dishonest employee, who has been given access to the information can compromise the best computer security. Besides internal compromises, external hackers seem to still be able to get into databases. TJX was recently compromised by hackers, who stole about 45 million personal and financial records.

A lot of their critics were quick to point out that they shouldn't have been storing some of this information in their proprietary databases.

Interestingly enough, one of main principles of PCI (Payment Card Industry) data security standards is to not store information in too many different places. These standards were set by the payment card industry to protect information, but as of this writing, not everyone has adopted them.

This is a Catch 22 (no-win) situation because (I suspect) many merchants store information to avoid chargebacks for fraudulent transactions.

I've often wondered how quickly this would all get fixed if compliance was mandatory to accept debit/credit card transactions?

Storing our personal and financial information in too many places is probably one of the root causes of the problem with data breaches.

Friday, August 17, 2007

Are fraudulent practices partially to blame in the current mortgage crisis?

We seem to be facing a looming financial crisis because of irresponsible lending practices that enabled a lot of people to buy property that was beyond their means.

Many will blame the people, who took out the mortgages, but are there other factors bear consideration when looking into the cause?

Although fraud hasn't been cited as a reason, government investigators might be pretty busy in a effort to discover why this problem occurred.

The Herald Tribune is reporting:

Within the next six months, it should be clear how regulators will proceed against those companies, said Michael Malloy, a former enforcement official of the U.S. Securities and Exchange Commission.

"Odds being what they are, somebody's going to get hooked," said Malloy, who now teaches at the McGeorge School of Law, part of the University of the Pacific. "From an investigative point of view, they'll be looking at how much of this was the result of stupidity and misfortune and how much is broader manipulation."

The broader manipulation could include failing to appropriately disclose the value or the risk of securities backed by subprime loans, which could constitute fraud, experts say.
Mortgage fraud is a bigger problem than most people think.

A good place to learn about all the various schemes and who is getting caught committing mortgage fraud is the Mortgage Fraud Blog, which can be viewed, here.

Herald Tribune story, here.

Class action law suit filed against Certegy for data breach

Data breaches are likely to become costly to organizations who fail to protect their information. The TJX data breach (45 million people and counting compromised) has inspired several legal actions in both the United States and Canada.

Now a similar action is being brought against Certegy, a check verification company, who had an insider sell information to a still (as far as I know) undisclosed data broker.

An August 15th press release announced:

The law firm of Girard Gibbs LLP ( has filed a class action complaint on behalf of approximately 8.5 million consumers nationwide whose financial and personal data was stolen by an employee of Certegy Check Services, Inc. and Fidelity National Information Services, Inc (NYSE: FIS) and released to unauthorized third parties. The complaint alleges that a senior database administrator misappropriated the confidential information of millions of consumers and then sold the data to direct marketing firms and data brokers who may have resold it to others.

Certegy and FIS had a duty to safeguard the confidential data of consumers from any breach, including that of their employees. Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner,” said Eric Gibbs, one of the attorneys for the plaintiff. “The failure by these companies to make the internal data breach immediately known exposed consumers to direct marketing campaigns and the risk of unauthorized use of their bank accounts and identity theft.”
This case is interesting because it involves customer information that was obtained at merchants, who used the service to verify whether a person's check, or sometimes payment card was good.

I wrote a couple of posts about Certegy, which received a lot of comments. One comment (in my opinion) by a "Risk Manager" opened up another can of worms:

I think there is a bigger issue here that Certegy does not "own" the data that was stolen but in fact it is records of Certegy customers like businesses that contract Certegy for check-cashing services. I would ask Certegy to confirm what they store on their systems, how long they store it and why bank account and credit card numbers are stored AND investigate if Certegy violated any Visa/PCI mandates.

This seems to be a reasonable question, especially in light of some of the more high profile data breaches, we've recently seen. However in this instance, since all it takes is one person (who has access) to compromise information, it probably wouldn't have made much difference.

The reality is that Certegy sells the fact that they store a lot of information on people to merchants. Without this information, they wouldn't have a service to sell.

Nonetheless, the statement does warrant consideration as to how well third party databases are protected, especially when they contain detailed personal and financial information?

I'm not sure why the data broker, who bought the information hasn't been identified? They are responsible for buying and selling information all the time. Information is worth money and is being sold (some believe haphazardly) all the time.

Recently, it was disclosed that a data broker sold lists targeting elderly gamblers to sweepstakes (lottery) scammers. New York Times article, here.

Current laws enable financial institutions to sell your information, unless you go through a pretty complicated process of opting-out. They are required by law to notify you of your rights, but these are often sent out via snail mail and called "privacy notices." I've often made the mistake of thinking they were junk mail and shredded them.

They don't make it easy for the average person to protect their information.

I wonder how much personal information is sold to people that shouldn't be getting it? Even if we manage to opt-out today, how much of our information is already stored on a database somewhere?

Since the people enabling information to be compromised are making billions of dollars by selling it -- perhaps more of these lawsuits are one way to hold them accountable and bring some sanity to what is becoming a situation -- which seems to get worse all the time?

Of course, more laws to protect consumers are needed, also!

As I stated earlier, this is going to be interesting. I don't know where it will go, but maybe this is a signal to the people data mining our information to wake up and smell the coffee?

If they don't, they might end up dealing with a lot of litigation, which is always very costly.

It also might put them out of business. Dark Reading did an article this week about another third party vendor Verus, who folded after it was disclosed that they lost a lot of people's information from several hospitals. The point of compromise in this situation was the failure of some IT people to leave a firewall up when transferring information between servers.

Here are my two previous posts on the Certegy breach:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Sunday, August 12, 2007

Identity theft, the crime that can follow a person for years!

I first started reading David Lazarus at the San Francisco Chronicle early in 2006, when he wrote about a huge data breach that was later tied to Office Max. Please note that Office Max never quite admitted to being the point of compromise.

That data breach was tied to payment card fraud that spread quickly across the entire country.

Since then it's become very apparent that hackers have been targeting merchants for the credit/debit (payment) card information they've been storing in not very safe places.

David has left his digs at the San Francisco Chronicle and now writes for the LA Times.

In what appears to be his first story for them, he wanted to let his readers know:
The honchos here at the paper say I should devote my first column to introducing myself. At the moment, there's only one thing I want anyone to know about me: I'm not Derrick Davis.

And I want this guy out of my life once and for all.
David understands the frustration a lot of people go through when someone takes over their financial life.

In David's case, the person who stole his identity wasn't even here legally. Apparently, he was also able to use a social security number that didn't match his name to run up lines of credit and open checking accounts. It's amazing that the credit was issued, when discrepancies like these existed.

Davis was eventually caught, but only because David worked the case himself and had a sympathetic soul (Postal Inspector), who took the information for action.

Even then since Davis was an illegal immigrant, the worst that happened to him was being deported to Jamaica.

Trust me, catching an identity thief is rare and hard to accomplish, unless you know the right people. The odds of not getting caught are 99 to 1, according to statistics.

All of this occurred in 2003 and David is still suffering from the episode.

When he moved to LA from San Francisco and tried to buy a new house, David discovered that the credit bureaus were still listing some of the bad debt Davis created. The mortgage company even suggested that David pay the debt Davis had incurred to allow their deal to go through on schedule.

Being well connected, David was able to get a couple of comments from Linda Foley at the Identity Theft Resource Center:
The question is not if you'll become a victim of identity theft. It's when. It's the crime that keeps on giving. It's the never-ending story.

You think you get everything solved, and then it's like a ghost that reappears.

I'll follow David's work to the LA Times. I've always found him to be an excellent read and very knowledgeable on this subject. He has educated a lot of people this growing problem, and even has helped enact laws that protect people from this crime.

When I first started reading his articles, I had just discovered my information had been stolen in the compromise that Office Max never admitted to.

I guess I'll have to keep wondering if that unfortunate episode will come back to haunt me sometime in the future.

David's introduction to his new readers at the LA Times, here.

Saturday, August 11, 2007

FTC shuts down prepaid debit card vendors with hidden fees

Photo courtesy of Big Dubya at Flickr

We keep getting warned that it's dangerous to give out too much personal information on the Internet. In this instance -- semi-legitimate financial companies, supported by annoying pop-up ads and Internet advertising -- have been caught deducting a $159.95 (hidden fee) out of people's checking accounts that were unfortunate enough to apply for their product.

Fortunately, the FTC has stepped in and shut down the prepaid debit card operations of these so-called legitimate financial services operators.

According to a complaint filed by the FTC, the defendants market bank-issued, Visa- and MasterCard-branded stored-value (prepaid) cards under a variety of names through Web sites and pop-up and e-mail advertisements that direct consumers to Web sites for the individual cards. These include Acclaim Visa, Impact Visa, Sterling Visa, VIP Advantage Visa, Vue Visa, Elite Plus MasterCard, Impact MasterCard, Secure Deposit MasterCard, VIP MasterCard, and Vue MasterCard. The defendants also market unrelated short-term loans on Web sites such as,, and

The complaint alleges that, through their prepaid card programs, the defendants debited, without authorization, a $159.95 “application and processing” fee from consumers’ bank accounts, including from consumers who either had no contact with the defendants or had applied for an unrelated short-term loan. Consumers who visited the defendants’ prepaid card Web sites were instructed to provide personally identifiable information, including their bank account information, to apply for a card. The defendants allegedly also made deceptive claims on their Web sites, such as “No Annual Fees” and “No Security Deposit,” without disclosing clearly and prominently that they would use the consumers’ personal information to debit the $159.95 fee. Consumers usually discovered the unauthorized debits when they reviewed their bank account statements or when banks notified them of penalty fees or overdraft charges due to insufficient funds.
Let's see a $159.95 upfront fee for a card that you finance yourself. Since it's obvious that the people bilked out of this fee had a bank account, I'm guessing they could get a lot better deal at the bank they do business with, or just about anywhere else!

While credit cards are technically a different animal, there has been a lot of public outcry for them to stop some of their practices in regards to hidden fees. You can learn more about this at the Consumers Union, here.

I did a post on their campaign to make some of these hidden fees more reasonable for both merchants and consumers:

Congress needs to take a hard look at credit practices

FTC release, here.

You can report deceptive practices, or outright fraud to the FTC, here.

Self service stamp machines targeted by credit card thieves

Photo courtesy of Leff at Flickr

New scams are invented daily. Here is one, where self-service stamp machines (the kind that accept payment cards) are being targeted at Post Offices.

David Bowermaster at the Seattle Times is reporting:

In mid-July, three men left their homes near Los Angeles and traveled to Seattle to buy postage stamps.
But these were no ordinary collectors. Armed with at least 27 stolen credit-card numbers, federal prosecutors say, Artem Danilov, Stephan Melkonyan and Karapet Kankanian fraudulently purchased more than 3,200 books of stamps worth nearly $24,000 from Seattle-area post offices in just more than a week. A federal grand jury Thursday charged the men with an assortment of crimes.

Following a pattern that Postal Service investigators have uncovered in at least five Western states, the men made mass purchases of stamps after normal working hours from automated postal machines, which are accessible 24 hours a day in the lobbies of many post offices around the country, prosecutors allege.
While these three were caught (two Russians and an Armenian), it appears this activity has been occurring throughout the Western United States.

The illegal stamp-buying scheme appears to be a novel breed of identity theft, one that blends high-tech thievery, online commerce and the retro currency of the U.S. mail.

James Vach, a spokesman for the U.S. Postal Inspection Service in Seattle, said investigators first encountered a wave of fraudulent stamp buys in the Los Angeles area late last year.

Since then, the Postal Service has uncovered illegal stamp-buying schemes in Washington, Oregon, Arizona and Colorado.

The Postal Inspectors suspect a larger ring is involved and some of the stolen credit card numbers used have been traced to a car wash in Southern California.

According to the article, here is how the suspects were using the stolen credit card numbers:

Danilov, Melkonyan and Kankanian allegedly used a credit-card reader to embed the stolen credit-card numbers onto the magnetic strips of gift cards from a variety of retailers, Brown said, a process that allows the gift cards to function like credit cards.

They then used the adulterated gift cards to repeatedly buy books of stamps from postage machines in one post office after another. Customers used to be able to buy dozens of books of stamps per transaction from the automated postage machines, but the Postal Service has since limited the number to try to fight such fraud.

Although the authorities don't know where all the stamps were being sold, according to a assistant U.S. Attorney, some of them are being fenced on eBay.

A lot of stolen merchandise is fenced on eBay and other auction sites. A lot of this stolen merchandise is purchased with fraudulent credit/debit card information.

Out of curiousity, I decided to see if new stamps (the kind used for postage) could be found on eBay. Amazingly enough, I found what I consider a large selection with offers of free shipping and discounted prices. What I found can be seen, here.

Of course, at a glance, it can be hard to tell what is legitimate and what is not on an auction site.

A lot of stolen gift cards (used in this instance to clone the cards used) are also fenced on auction sites. I wonder if the value on them had already been used, or if our suspects lifted them at a retailer before a dollar value was loaded on them at a point-of-sale (register)?

Seattle Times story, here.

If you spot this type of activity during a visit to the Post Office, you can report it to the Postal Inspectors, here.

Although two of the suspects apprehended were Russian, the U.S. resident was an Armenian from Southern California. Recently, Armenians (from Southern California) have been tied into similar type activity. The previous posts, I've done on these stories can be seen, here.

Are illegal immigrants from Islamic nations slipping across our Southern border?

Not all the illegal immigrants slipping across our Southern border were born in Mexico. For years, a substantial amount of them hail from Central America and now there is evidence that Islamic drug traffickers are using the route, also.

Although many of the people making this crossing are looking for jobs, which will enable them to make a better life for themselves, the entire process is controlled by organized criminals.

While many of us have sympathy (empathy) for people trying to make a better life for themselves, it is often hard to distinguish between innocent workers and hardened criminals, or worse.

Sara Carter of the Washington Times is reporting some of our leaders, who are alarmed by this are calling for an investigation to study how bad the problem could be.

In Sara's own words:

Rep. Ed Royce, ranking Republican on the House Foreign Affairs terrorism and nonproliferation subcommittee, said the Drug Enforcement Administration (DEA) document — first reported yesterday by The Washington Times — highlights how vulnerable the nation is when fighting the war on terrorism.

"I'll be asking the terrorism subcommittee to hold a hearing on the DEA report's disturbing findings," said Mr. Royce of California. "A flood of name changes from Arabic to Hispanic and the reported linking of drug cartels on the Texas border with Middle East terrorism needs to be thoroughly investigated."
According to the DEA report, the people of interest in the report are versatile in their linguistic abilities:

These "persons of interest" speak Arabic, Spanish and Hebrew fluently, according to the document.

The report includes photographs of known Middle Easterners who "appear to be Hispanic; they are in fact, all Spanish-speaking Arabic drug traffickers supporting Middle East terrorism from their base of operations" in the southwestern United States, according to the DEA.
Birds of a feather tend to flock together and it is no secret that a lot of terrorist activity has been funded by a booming poppy trade in Afghanistan for over twenty years now.

Another Congressional leader, Congressman John Culberson (R) supports taking a deeper look at this, also.

According to the Department of Justice's National Drug Threat Assessment (2006), heroin production has declined in most source countries, with the exception of Afghanistan.

The report stipulates that no large increase of heroin has been noted in the United States, but it did speculate:

Any significant substitution of Southwest Asian heroin for South American heroin most likely would take several years to occur because Colombian and Dominican criminal groups control most white heroin drug markets, and as such, there are relatively few established Southwest Asian heroin transportation and distribution networks in the United States. Moreover, Colombian and Dominican criminal groups quite likely would strive to maintain control over domestic heroin distribution by purchasing Southwest Asian heroin from sources in Asia or Europe and distributing it in eastern drug markets.
Perhaps, the new report cited in the Times means that this process is already occurring and the groups involved in this deadly trade are creating an unholy alliance.

Terrorists need money to fund their causes, and one of the ways they make it is through illegal means, including drug trafficking.

Sara Carter also has written about Suad Leija, who is helping the federal authorities deal what will probably prove to be a major blow to a major counterfeit document cartel operating throughout the United States. Suad is the stepdaughter of one of the major players in the organization.

I first became interested in Suad's story after reading Sara's article.

Suad has been featured by Lou Dobbs, Fox News, Paula Zahn and several other news organizations.

One of the reasons, Saud decided to assist the authorities in going after her family was a chilling remark her grandfather made when she asked him if the "family" would sell documents to terrorists. His reply was "terrorism is an American problem not Mexican."

Suad is now writing a book about her experiences and is offering a personally autographed copy to anyone, who drops her an e-mail before the release date and then purchases the book directly from her Paper Weapons site.

The e-mail address can be had by clicking on the contact link on the left side of the main page. The book will help support the sacrifices, she has made assisting the authorities in identifying a threat to the citizens of the United States.

Washington Times story, here.

Department of Justice's 2006 National Drug Threat Assessment, here.

If you would like to write Congressman Ed Royce to show support, or make a comment on his call for an investigation, his website is here.

Another person supporting this investigation, Congressman John Culberson's site can be reached by linking, here.

Monday, August 06, 2007

Bizzare site asks viewers for money to keep a bunny from being butchered!

I was reading the Sunbelt blog, written by Alex Eckelberry and came across a post he did on a bizzare and pretty sick website.

In Alex's own words:

save-me-please(dot)com is a site dedicated to saving a bunny.

We have no idea what this is odd thing is: A joke, a hoax. Or a scam.

The whole intent of the site is to get a person to pay to save the bunny.

You can view the Sunbelt blog's entire presentation, here.

Paying to save the bunny isn't recommended and as Alex aptly states, one of the videos depicting a rabbit being skinned is "enough to make you a vegetarian."

This blog, according to a study Jonathan Edwards at Yankee Group has "mojo."

I can see why it does, besides providing a lot of great information, it tends to keep the interest of the people, who read it!

The Sunbelt blog is also an excellent place to keep up on, or learn about computer (information) security issues.

Sunday, August 05, 2007

Will Social Security number verification slow down illegal immigration?

Employers will soon have to take action against employees, who have a Social Security number that doesn't exist, or doesn't match the name associated with it. In the past, they were able to ignore the fact that these types of discrepancies existed.

With statistics showing that employee fraud and abuse cost corporations billions of dollars, it's amazing that employers would ignore that the person they have working for them might not be, who they claim they are.

DHS (Department of Homeland Security) has already provided a SSN validator for employers to use, which shows, whether or not the number was ever issued. The problem is that it doesn't show who the number belongs to.

As I blogged in a earlier post, this has led to more and more cases of illegal immigrants stealing real people's numbers to maintain their employment. The posts also explains how employers could already be doing more to verify, who their employees really are.

Over the weekend, the issue hit the news again.

Suzanne Gamboa and Anabelle Garay of the AP report:

WASHINGTON (AP) -- Employers across the country may have to fire workers with questionable Social Security numbers to avoid getting snagged in a Bush administration crackdown on illegal immigrants.

The Department of Homeland Security is expected to make public soon new rules for employers notified when a worker's name or Social Security number is flagged by the Social Security Administration.

The rule as drafted requires employers to fire people who can't be verified as a legal worker and can't resolve within 60 days why the name or Social Security number on their W-2 doesn't match the government's database.

Employers who don't comply could face fines of $250 to $10,000 per illegal worker and incident.

AP story, here.

We've already seen an increase in stories -- where someone goes to file their taxes, or find another job only to discover their Social Security number has been being used -- sometimes by more than one person.

Recently, the story of a financial crimes detective, Adrian Flores, who had his identity stolen was covered in the LA Times. It appears that more than one person used Detective Flores' number. Before he cleared his name, he went through a lot of grief from various private and government agencies, including the IRS.

What scared me the most about Detective Flores' story was that he is obviously of Hispanic descent. Does that mean that citizens with Hispanic surnames are going to be victimized because their names will be more considered more desirable?

This is a whole new take on the sometimes sensitive issue of "profiling."

Bob Sullivan (MSNBC) blogged about this issue extensively at the Red Tape Chronicles, here.

During the aftermath of the controversy surrounding the immigration bill -- Lou Dobbs interviewed Suad Leija, the stepdaughter of one of the main players in a organized crime family producing counterfeit documents -- who is assisting federal authorities in identifying members of the cartel. Suad aptly pointed out to Lou that if the bill passed, the counterfeit cartel's business would have exploded because dates could be fixed to reflect whatever date qualified a person for amnesty.

Could the same groups be preparing to provide their own version of Real ID to the millions of people illegally living in this country?

According to Suad, the fake documents are as "good as anything you have in your pocket."

If you go to Suad's Paper Weapons

Suad's interview with Lou, here.

Exactly, how the rules will change remains to be seen. What worries me is the organized crime machine behind providing the documents and identities always seem to stay one step ahead of the authorities.

Getting stolen identities shouldn't present too much of a challenge to the groups counterfeiting documents. There already is an underground market selling this information, also.

This could translate into more people having their identities abused than ever before.

As long as the consequences for stealing identities are viewed as a not very serious crime, the problem will continue.

There are no easy answers to this problem -- but perhaps if there were harsher consequences for counterfeiting, the use of counterfeit documents and stealing identities -- the problem would be easier to deal with.

As long as employers are taking advantage of cheap labor, which is the reason most of these people are coming here, the solution isn't going to be an easy one.

We have to ask ourselves at what cost will this be allowed to continue?

Saturday, August 04, 2007

Celebrities, including Paris Hilton become identity theft victims

(Courtesy of Flickr) Only the photographer knows who is behind the mask.

No one's identity is safe these days. It's just been reported that a lot of celebrity types, including Paris Hilton have had their identities jacked (stolen).

Tampa Bay's reports:
Investigators busted a massive identity theft ring allegedly operating out of a row home in Northeast Philadelphia Friday.

Police said the list of targeted victims includes celebrity names like Donovan McNabb, his mother Wilma, Jennifer Lopez, Paris Hilton, Whitney Houston, Patti LaBelle, Michael Vick and Microsoft founder Paul Allen.
Allegedly, a couple of fraudsters used change of address forms and had mail diverted to a Philadelphia address. They then used the information from the stolen mail to order checks and credit cards.

The article also states that one of the fraudsters was a former IRS employee, and that some of the information might have been stolen from their computers.

Considering the names they were using, one might wonder why no one noticed at the banks, credit card companies, or the post office when this scheme was first hatched?

In case any of these famous people are wondering why it was so easy to use such recognizable names, it might be because issuing credit cards, checks and (I'm guessing) address changes are approved by computers.

To demonstrate this, they might want to read a previous post I wrote:

Ever Wonder How Well the Credit Card Companies Protect Your Personal Information?

I did another post, where a cat was issued a credit card, also:

Should cats be issued credit cards?

According to the article, this case is still being investigated and the list of people compromised is likely to grow.

It will be interesting to see, if it is ever disclosed, how long this went on and how much money was stolen as a result of this! article, here.

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

(Courtesy of Flickr)

A new report issued by the Treasury Department's inspector general reveals that too many IRS employees compromised their user ID and password to an unknown person, who was actually a government auditor posing as a help desk employee.

Sixty percent of the IRS employees fell for the social engineering trick, sometimes referred to as vishing. This isn't the first time a test like this has been conducted. In 2004, 35 percent of the employees tested compromised information and in 2001, the failure rate was 70 percent.

In the recent past, the agency has also been criticized for it's aging computer systems and their name has been spoofed (impersonated) in phishing attacks.

I guess the IRS makes a good story, but they certainly aren't the only government agency, or private entity being compromised by activity like this.

Whether it's vishing or phishing -- where social engineering (fraud, deception etc.) techniques are used to trick people into giving up access to information that should be protected -- human beings are probably the biggest threat to information (computer) security.

True, the results of this report are shocking, but maybe we should listen to what it is telling us? If social engineering didn't work, my guess is that a lot of the current explosion in phishing and vishing activity would go away.

Even when malware, often referred to as crimeware, which steals information using technology is used, a human being has to be lured into clicking on a link, or visiting certain websites for the software to be implanted.

Maybe one of the problems is that people, who fall for these ploys are reluctant to admit they were tricked so easily? I've seen a lot of people fall for social engineering ploys, and not all of them are poorly educated, or what most of us would consider, stupid.

In fact, many us would probably be amazed at exactly who falls for social engineering ploys. Most people would rather remain anonymous because it's embarrassing to admit they were conned into whatever scheme they fell for.

Of course, the people I'm referring to have asked me to respect their privacy, and I'm an advocate of protecting that, along with being kind to victims, also.

Whether it is a government agency, big business, or non profit being targeted, the only thing that is consistent is we see more and more of this activity all the time. Trust me, if it didn't work, the criminals behind it wouldn't be wasting their time doing it.

If the activity is increasing, and social engineering it tied into most of it, the best thing we can do to defeat it, are more tests like these, combined with an effort to make people more aware of the problem.

While the results of this report aren't good, at least they are making the information public and not hiding it. My guess is that IRS employees aren't the only ones, who would fall for something like this.

Education and awareness are key in stopping this problem, which keeps growing by leaps and bounds!

Inspector General (Treasury Department) report, here.