Wednesday, October 31, 2007

One of the oldest social engineering techniques (sex) still seems to work!

Some would argue that sex is one of the oldest social engineering ploys to deceive someone into doing something they normally wouldn't do. As far as I know, it's been being used since biblical times.

Roderick OrdoƱez at the Trend Labs Malware Blog (Trend Micro) is reporting that malware is being downloaded on systems using a mysterious woman named Melissa, who strips off her clothing (in increments) when a user puts in the right CAPTCHA code.

CAPTCHA codes are those annoying letters and numbers, we have to enter in a box to prove we are human.

From the Trend Labs Malware post:

A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go,” and “Melissa” reveals more of herself.
It appears that no one is completely sure what the malicious intent is with Melissa, but Roderick speculates that:

The CAPTCHAs in the example above were taken from the Yahoo! Web site, possible proof that someone may be building a huge base of Yahoo! accounts. For spam-related reasons perhaps? Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user.

The dangers of downloading all kinds of what I refer to as cybernasties are well documented on porn sites. A lot of these sites are owned by organized criminals, and unsuspecting users have had their identities stolen by going on them.

Here is a post, I did where British citizens were charged with a crime after having their identities stolen in this manner:

British citizens accused of child porn found to be fraud victims

The investigation that started this originated in the United States.

Recently, I did a post on hackers almost shutting down the State of California's systems, by misdirecting them to porn sites. In the post, I wrote:

As I've written before -- exercise extreme caution when clicking on porn sites, they often make your computer come down with a virus (or worse)-- especially if "safe surfing practices" aren't being used.

Interesting post from the Trend Labs Malware Blog with some rather revealing graphics, here.

Tuesday, October 30, 2007

The FTC Fraud Department didn't really send you that phishmail

Phishing attempts spoofing (impersonating) government agencies aren't anything new. Here again, the FTC (Federal Trade Commission) is being used as a badge of authority to trick people into downloading something that is likely to steal their personal and financial details.

From the FTC press release about this most recent occurrence:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.

The virus contains a keylogger, which logs information keyed into a computer and sends it back (electronically) to the phishermen (bad guys). This is a common method of stealing people's financial and personal information, which then is used to steal money.

The technical terminology used in the press release refers to a virus. Two other terms used to describe how a keylogger is planted on a system are malware and crimeware.

Keylogging software seems to be legally purchased, often touted as a way to spy on your family, or employees. Law enforcement and people committing more sophisticated forms of espionage have been known to use them, also.

If you are interested in seeing how many people are marketing keyloggers, click here.

Phishing might sound technical, but it almost always uses a psychological technique known as social engineering (trickery) to accomplish it's purpose. In this case, the trick (lure) to click on the attachment is fear, but in a lot of cases, it's something that's too good to be true.

The FTC refers people, who want to learn more about phishing to http://www.onguardonline.gov/.

Another place that has a lot of information about phishing is the Anti-Phishing Working Group.

Traditionally, the Phishermen relied on tricking people to give up the information they were seeking. More and more, keyloggers are being used that steal the information automatically.

Other posts, where I've written about keyloggers can be seen, here.

I've been getting a lot of queries on this site about another government agency (the IRS), who has also been spoofed frequently by the Phishermen. The last update on this was on September 19th, but my guess is that these are still circulating out there, also.

Full FTC press release on this matter, here.

Here is an interesting CNet blog post about FTC Chairman, Deborah Platt Majoras, stating publically that phishing is driving her insane. This was taken from a comment she made about a month ago to the first National Cybersecurity Awareness Summit.


(Deborah Platt Majoras courtesy of the FTC site)

13 percent of the U.S. population were fraud victims, according to the FTC

More than one out of ten people fell victim to a fraud scheme last year, according to the Federal Trade Commission. Of even greater interest was the fact that weight-loss scams came out number one, over lottery and buyers-club scams.

From the FTC press release on this:

The Federal Trade Commission today released a statistical survey of fraud in the United States that shows that 30.2 million adults – 13.5 percent of the adult population – were victims of fraud during the year studied. More people – an estimated 4.8 million U.S. consumers – were victims of fraudulent weight-loss products than any of the other frauds covered by the survey.

Fraudulent foreign lottery offers and buyers club memberships tied for second place in the survey. Lottery scams occur when consumers are told they have won a foreign lottery that they had not entered. Victims supplied either personal information such as their bank account numbers or paid money to receive their “winnings.” In the case of buyers clubs, victims are billed for a “membership” they had not agreed to buy. An estimated 3.2 million people were victims of these frauds during the period studied.
Here is another set of statistics worth evaluating:

Print advertising – direct mail, including catalogs, newspaper and magazine advertising, and posters and flyers – was used to pitch fraudulent offers in 27 percent of reported incidents. The Internet, including Web sites, auction sites, and e-mail, was used to make 22 percent of the fraudulent pitches. Television or radio accounted for 21 percent of the pitches, and telemarketing accounted for nine percent.

Interestingly enough, at least according to this survey, the Internet is only one venue used to pitch fraudulent schemes. Almost half (48 percent) were pitched by more traditional marketing venues, such as direct mail, newspaper and magazine advertising, television advertising and telemarketing.

Schemes pitched via the Internet only accounted for 21 percent of the reported incidents.

The full release by the FTC, along with consumer tips can be read, here.

The FTC has another page worth reading (I like the fact that it points out certain behaviors that most fraudsters exhibit), here.

Both of these links contain information on where to report fraud, which is highly recommended. The sad truth is that a lot of fraud victims never report being taken advantage of. Admitting that you were taken in by one of these schemes is embarrassing to a lot of people.

Trust me, there are a lot of people out there that fall for something that's too good to be true. Not reporting a scam probably means another person is probably going to end up being victimized by it.

With all the publications, television and radio shows, and direct mail come-ons out there, the FTC needs help identifying all the fraud that is out there.

I wonder what would happen if laws were passed that required advertising (marketing) mediums to exercise a little due diligence (act with a certain standard of care) before accepting money to plaster some of these fraudulent schemes all over the place?

One thing is for certain, most fraudsters aren't going to be able to get their customers to promote their goods, or services without paying them to do so!

Friday, October 26, 2007

Counterfeit Document Gang Jefe(s) "Chiefs" charged with murder, racketeering and conspiracy


Recent picture of Suad Leija taken at an undisclosed location. Although not mentioned in many of the articles about this arrest, Suad is responsible for providing a lot of the information used in this latest indictment. Her story has been covered in the mainstream media by Lou Dobbs, Paula Zahn, Fox, CNN, La Opinion and Univision.

Operation Paper Tiger, the federal investigation into the organized trade in counterfeit documents has resulted in the arrest of three of the Jefes (Chiefs) of the largest organized gang (the Castorena Leija-Sanchez organization) involved in the trade.

Also arrested was one of the hit-men associated with the gang. The latest charges include murder, racketeering and conspiracy. These charges have been added to previous charges (already) filed regarding the organized counterfeiting of identification documents by the organization.

All 23 defendants arrested thus far are from the Castorena Leija-Sanchez counterfeit document organization. Three of the people arrested include Manuel Leija-Sanchez, Pedro Leija-Sanchez and Julio Leija Sanchez -- three brothers who allegedly are in control of the organization throughout the United States and Mexico.

There is a lot of evidence that this organized gang, which the government describes as International in nature, is responsible for providing counterfeit documents to ANYONE with the money to buy them. This would include not only millions of illegal immigrants, but a LOT of criminals and potentially, even terrorists.

On Wednesday, the Department of Justice announced the indictment of the three leaders of this cartel in a press release:

Federal racketeering conspiracy and murder-related charges were added against three brothers – now all in custody and charged together for the first time – and their alleged “hitman” in Mexico to a pending indictment resulting from the dismantling in April of an international counterfeit identification document business that allegedly generated profits between $2.5 million and $3 million a year in Chicago’s Little Village Community. Manuel Leija-Sanchez, 40, who was arrested in Mexico last Friday, and his brother, Pedro Leija-Sanchez, 35, who was arrested in Mexico in August, are facing extradition to the United States. Together with a third brother, Julio Leija-Sanchez, 31, who was arrested in Chicago in April, the three are among a total of 23 defendants facing charges in Chicago as part of Operation Paper Tiger, an investigation led by U.S. Immigration and Customs Enforcement (ICE). Also facing extradition from Mexico is the alleged hit-man, Gerardo Salazar-Rodriguez, 34, who was charged previously and was arrested in Augustin Mexico, federal law enforcement officials announced today.

Not mentioned in the press release, or most of the news articles, I saw appear on this story is the fact that most of this was made possible by a young woman by the name of Suad Leija.

Suad Leija is the step-daughter of Manuel Leija-Sanchez -- who has been providing information to the authorities about the gang's inner-operations and identifying members -- previously unknown to law enforcement.

The Chicago Tribune (Antonio Olivo) was the one mainstream source, I'm aware of, who refers to Suad's involvement in the case. I've also been told by Suad's husband that she has completed two recent interviews with Univision and was featured on the Minutemen Project the other day.

Suad started providing information on the organization after discovering her husband was trying to gather intelligence on potential terrorists, who the organization had provided with counterfeit documents. This led to her having to make a hard choice, which was whether to side with her family, or her husband. Suad chose her husband after being educated on the dangers this trade poses to the United States.

I would have to speculate that a lot of evidence used to arrest Manuel, Pedro and Julio was obtained as a result of information Suad has provided to the authorities.

If one refers to the Paper Weapons site, it also shows that the earnings of this cartel are a lot higher than $2.5 - 3.0 million allegedly earned by the Chicago cell of the organization. The figure quoted on the site is actually closer to $300 million. This figure includes the earnings of the numerous cells of the organization, which are located in cities throughout the country and operated as franchises.

Suad's story has been well-documented by mainstream media types, such as Lou Dobbs, Paula Zahn, Fox, CNN, Univision and La Raza. She has also produced a series of YouTube videos, which reveal why she decided to educate the public on how counterfeit documents are actually "paper weapons."

Interestingly enough, her story has been covered extensively in the Spanish media. One reason for this might be that pending legislation will force employers to respond to no-match social security numbers. Because of this, legal Hispanic identities will likely be targeted for identity theft purposes. In the past, making up a name was sufficient to pass muster for employment purposes.

Suad and her husband have written a novel describing the full detail of their involvement in Operation Paper Tiger, which is currently only available from the Paper Weapons site. This book reveals what might be at stake if we continue to allow criminals to control our borders.

Included in the book are transcripts from actual wire-taps, many of which, tie into this most recent indictment.

They are currently writing another novel, which will detail Suad's personal story.

Here is my original post, I did on Operation Paper Tiger, which introduces the book:

Operation Paper Tiger - the true story, which reveals why our borders aren't very secure!

I highly recommend it to anyone, who is concerned about our Nation's security.

DOJ press release on the arrest of the Leija-Sanchez brothers, here.

Indictment from Eastern Court of Illinois, here.

ICE (Immigration and Customs Enforcement) has a slightly different version of this latest development in the story, here.



(Passport photo -- which are frequently used to make counterfeit documents -- of Pedro Castorena-Ibarra)


(Pedro Leija-Sanchez doing time for another crime under an assumed name)


(Julio Leija-Sanchez)

Is Myexcusedabsence.com a counterfeiting mill for dishonest employees?

Just about when you think you've seen everything on the Internet, someone comes up with something so outlandish that a reasonable person has to question it's legality.

Jessica K. Brown (AP) is reporting on a website that allows anyone to counterfeit (my term) excuses to provide to an employer.

From the AP article (courtesy of the Washington Post):

For about $25, students and employees can buy excuse notes that appear to come from doctors or hospitals. Other options include a fake jury summons or an authentic-looking funeral service program complete with comforting poems and a list of pallbearers.

Apparently, they are getting away with it because they have a disclaimer on the site stating that the templates are for "entertainment purposes only."

Oddly enough, the AP article directly quotes one of the owners as saying:

"Millions of Americans work dead-end jobs, and sometimes they just need a day off," said John Liddell, co-founder of the Internet-based company Vision Matters, which sells the notes as part of its Excused Absence Network. "People are going to lie anyway. How many people go visit their doctors every day when they're not sick because they just need a note?"
To me, this is a direct admission that they know fully well that their templates are being used to defraud employers.

And please remember that it wouldn't be too far fetched to guess that some of these excuses could be used by people committing workmen's comp fraud.

Will the owners of this enterprise be held liable when someone loses their job after providing one of these counterfeit excuses to their employer?

According to the article at least one person has been already been arrested after using one of these counterfeit excuses. A New Jersey woman was arrested after using one of these notes to try to get out of appearing in court. I guess this means people can and will use these counterfeit documents for other purposes besides getting a day off.

Since, a lot of these people are collecting pay using these documents, there is a financial loss being incurred by employers from this activity, also.

There are a lot of reasons for employee absenteeism and many consider it a factor in how productive (profitable) any organization is.

In 2003, a study was published by Braun Consulting News that attempts to quantify the reasons it occurs and what can be done about it. Interestingly enough, the study showed that employee absenteeism was decreasing. The study recommends proactive ways of increasing employee morale, which was found to be big factor in what causes employees to call in sick.

The study is worth a read and it certainly points how organizations need to take a proactive approach in an ever-changing world to address employee absenteeism.

Saying this, most employers are going to take a dim view of forged documents and any employee, who uses them and gets caught, is going to be extremely lucky if they are not terminated for their actions. Most employee handbooks I've ever seen have a clause in them warning against falsifying documents, and most of them call for immediate termination for doing so.

This is a pretty hefty price to pay to get a day off!

Most reasonable bosses are more than happy to take care of a hard working and productive employee if they have a need. My guess is that these documents will be used by employees -- who aren't very hard working, and have already abused the system so much -- they need a written excuse.

The amount of payroll a company spends it directly attributable to how much money they are making. The more of it that gets stolen, the less a company will have to spend on wages and benefits. Given this, the people at myexcusedabsence.com are costing the honest worker wages and benefits should their materials be used for anything other than entertainment purposes.

The Internet offers a lot of questionable services, and too many of them operate under the "entertainment purposes" guise.

Maybe if enough people complained to the Federal Trade Commission (FTC) about them and they were investigated throughly a few of them might be held accountable.

After all, in this instance, one of the site owners seems to have openly admitted to the associated press that he is fully aware of what people are using them for!

AP article (courtesy of the Washington Post), here.

As Southern California burns, watch out for charity scams!

A sad commentary on how some people react to a disaster are the amount of scams that surface as a result of them.

The Postal Inspectors are warning us that we are likely to see a lot of these scams appear as a result of the Southern California fires.

If you are one of the good people out there, who intends to lend some financial support, it is a wise thing to make sure your hard-earned money is going where it is supposed to.

From the USPIS release:

Our charitable nature leaves us vulnerable to charity fraud schemes. Most charities are legitimate organizations that support good causes. Some, however, are run by swindlers. With more than 700,000 federally recognized charities soliciting for charitable contributions, the U.S. Postal Inspection Service reminds everyone it pays to be cautious when making a donation.

Disasters bring out the best in people who truly desire to help those impacted by these situations. Unfortunately, disasters also bring out the worst; scammers take advantage of the circumstances by stealing the charitable donations intended to help victims of the disaster. Postal Inspectors saw numerous charity scams emerge in the days following the devastation of Hurricane Katrina, the 2004 Southeast Asia earthquake and tsunami, and the September 11th terrorist attacks.

The recent California firestorm offers a new opportunity for fraudsters to perpetrate charity scams. If you're considering a contribution to help with relief efforts, it's important to know where your donation dollars will go. California Charities can be researched on the Attorney Generalwebsite, http://ag.ca.gov/charities or at the Better Business Bureau's Wise Giving Alliance, http://www.give.org/.

The Postal Inspectors are also offering some general tips on how to avoid these scams:

-- Give donations to known charities, or research new or unfamiliar charities first.

-- Refuse high-pressure appeals. Legitimate fundraisers won't push you to give on the spot. -- Be suspicious of solicitors who say they can only accept a cash donation.

-- Always make checks out to the name of the charity, never to an individual.

-- Be wary of "sound-alike" charities, many scammers use names that sound similar to names of legitimate charities.

-- Be skeptical if someone thanks you for a pledge you don't remember making. This is a tactic scammers use to lull victims into sending "additional" funds.

-- Ask for ID. For-profit fundraisers must disclose the name of the charity requesting the donation --- it's the law. Many states require paid fundraisers to identify themselves as such and to name the charity for which they're soliciting. If the solicitor refuses to tell you, hang up and report it to law enforcement officials. Also ask how much of your donation goes to those in need and how much goes to the fund raiser.

Last, but not least -- if you spot one of these scammers, you can help terminate their activities by reporting them to the Postal Inspectors.

You can find your local Postal Inspector by calling 877-876-2455. If you are of a more technical nature and prefer to report illegal activity online, you may do so, by clicking here.

USPIS release, here.

Although, Arnold isn't taking calls from bloggers this morning, I'm sure he supports terminating this type of activity, also.


The people in Southern California will need a lot of money to help them recover. Wasting monetary resources on scams will not help the situation.

PS: I'm dedicating this post to Paul Young, a noted Southern California blogger and friend, who writes Prying1.

I've enjoyed reading his investigative insights on issues, which are obtained, by digging a little deeper than the mainstream media.

Saturday, October 20, 2007

Payment card fraud victims being denied compensation

Apparently, fraudsters are now able to clone some payment cards, assign a new PIN -- and it appears that the customer's old PIN was used when the bank reviews the transactions.

Card Guide (UK) is reporting:

The Chip and Pin technology that has been in use in the UK over recent years is supposed to be practically fraud proof, but this is not the case, as thieves can clone cards and put a new PIN number onto the card – this is known as a YES card.

However, it appears to the bank that the original card and PIN have been used, and therefore banks claim that either the customer carried out the transaction themselves or they gave their PIN number to someone or were careless with the security of their PIN.

Card Guide story, here.

There have been many instances, where payment card thieves were able to get card details, along with the PIN numbers. It can happen to just about anyone, even when they are being careful.

If you have had a fraud claim denied because the bank claims you were careless, you might want to read about instances (substantiated), where PIN details were stolen using pretty sophisticated methods, here.

Of course, there are and always have been people, who try to claim fraud for their own financial advantage. Because of this, it seems some innocent people are getting their claims denied (my opinion).

Figuring out, who is guilty of this is getting harder all the time.

My guess is that with all the fraud involving payment cards, it's no longer an expense the banks can continue to write-off as a cost of doing business.

Banks denying claims because they say a customer compromised their own information is nothing new.

One example of how this happens can be seen on BankofAmericaSucks.com, here.

I guess all the zero liability ads we see all the time aren't exactly one-hundred accurate?

If you have wrongfully had a claim denied, I've seen individuals made whole by escalating the matter with the financial institution. In some instances, using a consumer advocate was necessary.

On a final note, in most businesses, the cost of fraud is passed off to everyone, when we pay more for goods and services. The truth is we are all held liable for the cost of fraud!

Scammers trick grocery chain into sending them $10 million


(Photo courtesy of rcbatey at Flickr)

Normally, when e-mail scams are brought up, we think of unfortunate individuals falling for something that's too good to be true. A surprising discovery, found in federal court filings, proves that this isn't always the case.

Yesterday, Rebecca Boone of the Associated Press (courtesy of the StarTribune.com) reported:
Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.
Apparently, Internet e-mail scam artists accomplished this by sending spoofed e-mails impersonating Frito-Lay and American Greetings:

The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.
At first, it appears that no one at SuperValu questioned the account changes and approximately $10 million was wired into them.

According to the article, the scam was discovered quickly and the FBI intervened. SuperValu will not comment on how much money they actually lost.

Either this is a fluke, or it shows a growing trend, where businesses are being specifically targeted in e-mail scams.

This isn't the only type of e-mail scam that has been targeting businesses and organizations.

Stories about what is known as spear phishing have been circulating recently. Spear phishing differs from regular phishing because indivduals are targeted by name, and as reported in some of these stories, sometimes by both name and title.

Previous posts, I've written about spear phishing can be seen, here.

Please note that stealing money isn't the only goal in spear phishing. Sometimes the goal is to steal information (which is worth money), also.

Phishing has become more sophisticated in recent history. Besides using social-engineering (trickery) to obtain information -- malware (sometimes known as crimeware) is downloaded into a system by opening a e-mail attachment -- which steals the information automatically and on an ongoing basis.

Another growing trend is the sale of DIY (do-it-yourself) phishing kits in underground (normally Internet) forums. These kits are enabling less technically inclined criminals to get into the game.

This goes to show that educating employees (especially those with access to financial assets, or valuable information) how to avoid being scammed might be something worth taking a look at.

On a final note, we need to remember that the same type of scam could be accomplished via snail mail with convincing letterhead, or even via a fax. The best way to avoid scams is to be able to recognize the behavior behind them.

AP Story, here.

USPIS Presents: Work@Home Scams: They Just Don't Pay!


The United States Postal Inspectors have produced a pretty telling video showing how Internet criminals lure people into taking jobs that will cause them financial and legal trouble.

The film entitled, Work@Home Scams: They Just Don't Pay shows what happens to people, who accept work-at-home jobs that aren't what they appear to be.

It also speaks to how this problem has grown from ads in the classified section of newspapers and magazines to being plastered all over the Internet.

A lot of us probably see spam e-mails offering these too good to be true jobs that don't make sense on a daily basis. You might also run into one of these scams on a job-site, such as Monster.com.

Another fact is that applying for one of these jobs can lead to giving up your personal information, which will later be used to steal your identity.

Please remember these scams still show up in the classified ads of newspapers and magazines, also.

Here is (what I consider) an interesting story about someone falling for one of these scams that should have known better (my opinion):

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Friday, October 19, 2007

How much money is lost by businesses due to coupon fraud?

Here is an interesting blurb about an Arby's employee, who stole $14,524 by using coupons to conceal the fact he was dipping into the till.

NBC10.com (Philadelphia) is reporting:

A fast-food restaurant employee was charged with theft after police said he was skimming the cash register by using coupons.

Curtis Smith, 32, of Coatesville, was an employee at the Arby's store located on Concord Pike for several years, police said.

Police said Smith used $1 off coupons at the register and would then take that money from the register. He obtained between $50 and $150 at a time, police said.

The investigation started because of declining revenues at the restaurant.

Coupon fraud can be a huge problem for companies, who use them as marketing tools. A few years ago, Subway discontinued a promotion because too many coupons were being reproduced and sold on auction sites.

CouponInfo.com has some pretty good descriptions of the types of coupon fraud going on out there. According to the site, there is even an underground market in counterfeit coupons.

They state that coupon fraud costs companies millions of dollars a year.

After reading this, I decided to go on eBay and see if I could find coupons for sale. After going to the site, I was able to find quite a selection. If you want to take a look, click here.

Because everyone always picks on eBay, I decided to see what Google had to say. After doing this, I was amazed at the market out there in selling coupons.

No wonder CouponInfo.com couldn't put an exact figure to the losses caused by coupon fraud. It would be pretty hard to figure out!

Going back to the story about the Arby employee, the article doesn't state where he got the $14,523 in coupons. Of course, it's hard to say, but it wouldn't be hard to find them by doing a little surfing on the Internet.

Maybe this is something that businesses, who issue and redeem coupons should watch a little more carefully?

NBC.com story, here.

Thursday, October 18, 2007

P2P under Congressional scrutiny - FTC to investigate

Although there are legitimate uses for P2P (peer to peer) software, there is no doubt that there are a lot of dangers to using it, also.

Officially, the concerns are how this exposes people to identity theft -- but this costs the entertainment industry (who probably have a few lobbyists dedicated to this matter) a lot of money when they don't get their royalties (money) on music and videos -- which people download for free using P2P.

Now Congress is asking the Federal Trade Commission to take a deeper look into the matter.

Still worried that peer-to-peer filesharing networks like Lime Wire are causing users to "inadvertently" expose sensitive documents, posing potential security risks, members of Congress are now asking for a formal investigation into the phenomenon.

The latest concern from the House of Representatives Committee on Oversight and Government Reform, judging by a 7-page letter (click for PDF) dated Wednesday to Federal Trade Commission chairwoman Deborah Majoras, appears to be this: Peer-to-peer networks may make unsuspecting consumers vulnerable to identity theft.

The same group of politicians, led by Reps. Henry Waxman (D-Calif.) and Tom Davis (R-Va.), suggested earlier this summer that peer-to-peer networks can pose a "national security" threat by allowing users to expose sensitive information unwittingly. (Some politicians, particularly those with entertainment industries in their districts, also took the opportunity once again to condemn unlawful transfer of copyrighted content via the networks.)

I've written a little about why it isn't a good idea to use some of the P2P networks out there:

Japanese cop exposes confidential information on 6,000 people using P2P (file-sharing) software

How P2P Software like Limewire Compromises Personal and Financial Information

Besides being a potential national security threat and an identity theft venue, most of this software is liable to do a lot of damage to your system. And unless you are pretty technically inclined, you will probably have to spend a little of your hard-earned money to fix the damage it will cause!

CNet news blog story, here.

Krackin software will crack your computer's security!


(Screen shot courtesy of Websense)

Krackin is one place you don't want to try to download music, or videos. The result will be your computer becoming what is known as a zombie, which will be used to spew out spam e-mails, which facilitate Internet fraud.

If you have clicked on this, I highly recommend reading the link in Websense's alert, which I have provided below.

Websense is reporting:

Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see (http://www.websense.com/securitylabs/blog/blog.php?BlogID=141).

This site poses as a new piece of software called "Krackin v1.2" and advertises:

* Easy to install
* Auto-Virus scanning* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking

Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe" This file contains the Storm payload code.

Websense alert, here.

On a final note, if you are a parent, this would be a good topic to cover with younger family members. From the appearance of the screenshot above, it would likely attract younger users.

Monday, October 15, 2007

Student narrowly escapes expulsion for revealing data breach

It might be a good idea to be careful (or extremely anonymous), when reporting a data breach.

Jaikumar Vijayan at Computer World is reporting an interesting case -- where reporting a data breach brought about some personal grief for both the person, who reported it -- and the person they reported it to.

This person, who was a student, was almost expelled for bringing the matter to light. And the person, who it was reported to is no longer employed.

I guess whistle-blower laws don't apply at institutions of higher-learning?

For more information on whistle-blower laws, whistleblower.com is a decent reference.

Jaikumar writes:

A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.

But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.

Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 to 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.
Institutions of higher learning are frequently the targets of hackers stealing information. This has been well documented by the Privacy Rights Clearinghouse, Attrition.org and PogoWasRight.

Given all this evidence, it amazes me that the highly educated people running these institutions still insist on using social security numbers as the primary method of identifying their students.

Social security numbers are worth money to the people, who like to steal them. Perhaps, if these institutions of higher learning, understood this a little better, they wouldn't be targeted nearly so often.

A little common-sense goes a long way.

Computer World story, here.

If you get a chance, read the comments on Jaikumar's story. Some of them are pretty good!

Schwarzenegger vetoes data breach bill

It appears the data breach bill, which went to Governor Schwarzenegger's desk for signature has been vetoed.

Cheryl Walker at the OC Register is reporting:

An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger.

In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards.

He also contended the bill lacked clarity and could increase the cost of compliance for small businesses.
There seems to be little press coverage on this and I couldn't find any comment from Arnold about it on his site.

There has been a lot of coverage about a NRF (National Retail Federation) letter calling out that businesses, who accept credit cards are forced to maintain credit card information for 18 months to protect themselves from fraud (chargebacks).

Here is a post, I did on that subject:

Retailers call for a level playing field on data security

Maybe this bill was too unfair towards businesses, who accept plastic, and favored the financial services industry a little too much? The bill would have pushed more of the financial responsibility towards businesses versus the card issuers, themselves.

The sad thing is that with all the bickering between these two large sectors, it's probably the little person, who will lose out in the long run.

Although, with a lot of litigation being raised, data breaches are becoming extremely costly. Maybe both sides of the equation need to get together and come up with something that will work for everyone?

After all, they do share one thing in common, which is their customers!

OC Register story, here.

Sunday, October 14, 2007

Why Mahmoud Ahmadinejad might not want transparency in Iran's financial dealings

Over the weekend, the press has been awash with a story that Iran is refusing to adhere with International money laundering standards.

It appears Mahmoud Ahmadinejad and his motley crew of religious extremists don't want anyone looking at their money flow "too closely." My guess is that it might reveal that some of the money is coming from questionable sources.

From the AFP:

The United States Friday welcomed action by an international anti-money laundering watchdog urging Iran to close loopholes in its financial system and take steps to limit terrorist financing.

US Treasury Secretary Henry Paulson said he was pleased with the statement earlier Friday by The Financial Action Task Force, which groups 34 countries, calling on the Islamic Republic to take action.

The Financial Action Task Force has taken a dramatic step in highlighting the significant threat Iran poses to the international financial system," Paulson said in a statement.

"As the premier standard-setting body for countering terrorist financing and money laundering, the FATF's expression of concern toward Iran speaks volumes."
Of course, it's probably not a coincidence that Iran is next door to Afghanistan, where opium production has reached an all-time high. Please note that most of the opium production is backed by the Taliban, who aren't exactly friendly towards the West, either.

In case, you are interested in a non-Western source -- which might support this contention read the Daily Times of Pakistan -- where they recently reported a large heroin/hashish bust on the border of Iran and Afghanistan, here.

What's interesting is that penalties in Iran for drugs are pretty harsh, despite the fact that they seem to have a drug problem within their country. If you continue to the bottom of this post, a video is referenced showing the drug problem in Iran.

The use of drugs is forbidden in the Islamic religion.

Nonetheless, it seems that if the money from drugs is for what they (Mahmoud and motley crew) and the Taliban perceive as a good cause, they seem to look the other way. Otherwise, it is logical that they would embrace financial transparency within their borders.

To sum this up, it's no secret that Iran supports and funds a lot of terrorist activity. The fall-out from this terrorist activity causes a lot of pain and suffering to a lot of people, worldwide.

Since drugs are forbidden by the Islamic religion, this clearly shows how Mahmoud Ahmadinejad and his motley crew of religious extremists are no more than a bunch of hypocrites.

A wise person once told me if you want to get to the bottom of a problem -- follow the money. It always tells the truth.

AFP story, here.

At the bottom of this post is a YouTube video, which shows a woman smoking heroin. It also shows that she has to prostitute herself to survive.

Women have been treated pretty harshly in Iran since religious extremists took over. This is part of an interesting series, which was aired on the CBC (Canadian Broadcasting Corporation).

Casual sex is highly frowned upon in Iran, also. If you take a look at the video, the woman stops at a pharmacy to purchase condoms. This would lead me to believe there is more casual sex in Iran than we are led to believe.

Mahmoud also claims there are no, or at least very few gay people in Iran. I'll bet the CBC, or another reputable news organization (given the proper resources) might prove him wrong about this, just like they did in this telling series.

I would guess that gay people have a vested interest in staying in the closet under his regime.

Saturday, October 13, 2007

ICE nails foreign gang members in 19 States


(Map of arrest locations courtesy of the ICE website)

Recently, I wrote about how counterfeit documents enable all kinds of undesirable people to blend into our communities. The point of the article was that these documents are used by more than hard working illegal immigrants seeking a better life for themselves and their families.

ICE issued a press release, which shows how widespread the problem of undesirable people blending into our communities has become.

From the press release:

A comprehensive national law enforcement operation led by federal agents and officers of the Department of Homeland Security's U.S. Immigration and Customs Enforcement (ICE) resulted in the arrest of 1,313 violent street gang members, associates and illegal aliens in 23 cities across 19 states.
Many of these undesirable individuals are involved in narcotics, human smuggling, financial crimes and of course, crimes of a more violent nature.

MS13, which has been written about a lot was one of the targets. Other gangs were targets, also:
In addition to MS-13, targeted gangs included Surenos-13, 18th Street Gang, Latin Kings, Bloods, Crips, and Vatos Locos to name a few.
While this reflect the most recent statistics from ICE, Operation Community Shield in an ongoing operation and when you take a look at the big picture, the statistics are even larger:
During the last 27 months, Operation Community Shield has resulted in the arrest of more than 7,655 members and associates of approximately 700 different gangs and the seizure of 287 firearms. Of those arrested, 107 were gang leaders. Many of those arrested under Operation Community Shield are prosecuted criminally and eventually removed from the United States. To date, 2,444 have been charged criminally, while 5,211 have been charged with immigration violations and processed for removal.
And it seems (finally), ICE is gathering support from local law enforcement, who have been forced to stay away from this activity, mostly because of political mandates. Here is a quote from a Sheriff in Florida:
Collier County, Fla., Sheriff Don Hunter notes that, "Criminal illegal immigrants are committing crimes and victimizing our residents and it is our responsibility to investigate their immigration status thoroughly while investigating their other crimes. We have the resources and tools to do that now. It is part of our mission."
ICE press release, here.

A few days earlier, an extensive ICE operation in California netted a lot more of these undesirable foreign types, including a large number of them eating up tax dollars in local jails. What is amazing -- if you take the time to read this press release, are specific references to arrests of individuals (not only in the jails) --who had previously been convicted of serious crimes.

In other words, when they were picked up, they were running around in our neighborhoods.

Previous press release, here.

Here is the post, I mentioned in the first paragraph, which describes how a lot of these people blend (sneak) into our society:

Operation Paper Tiger - the true story, which reveals why our borders aren't very secure!

America is a land of immigrants, and should continue to be considered that. After all, a lot of us believe that this diversity is what has made this the greatest nation in the world.

Please note that there are a lot of legal immigrants, who earn the right to become citizens, also. We shouldn't be handing over the fruits of our society to anyone, who can sneak over the border. It simply isn't fair to the people, who follow the law and prove they have what it takes to uphold the best interests of our society.

Some of them value the right to be called an American so much that they are serving our country in Iraq and Afghanistan as I write this. By the way, this is nothing new, many citizens of our country have earned their right to be called an American by serving it.

The problem is all the illegal activity, which goes hand-in-hand with illegal immigration, enables a lot of undesirable people to blend into our society. These people are not making our society a better, or a safer place to live.

If we allow this to continue, we risk losing our status as the greatest nation in the world.

We need to remember that "We the People" are what made this nation great.

In closing, I've seen the folks at ICE bashed quite a bit this year for trying to make an impact on a serious problem. There are some of us -- who appreciate the fact that they are doing their jobs, and by doing so -- trying to make this country a safer place to live.

In my opinion, these fine citizens deserve to be commended instead of being picked apart by certain factions in the media.

Friday, October 12, 2007

Resources to avoid those dangerous Chinese products

There has been a lot in the news lately about dangerous Chinese products. At this point, there seems to be too many of them for the average person to keep up on.

I happened to be taking a look at Lou Dobbs' site and found some great resources that the average person can use to determine, whether or not, they are making a safe buying decision.

Since there doesn't seem to be enough oversight by our government to ensure our safety, I highly recommend taking matters into your own hands. Especially with the holiday season rapidly approaching.

On the site, I found a link to a U.S. PIRG page on recalled toys, here.

Additionally, the page had a safety blog set up by ConsumerReports.org, here.

Also, on the page, is a message from Mattel about products they have voluntarily recalled, here.

Of course, the Chinese haven't only been in the news lately for exporting dangerous products.

Here are some posts about other things they are doing that might be considered dangerous to the rest of the world:

China caught stealing government information again!

The Hackers from China are at it AGAIN!

How Dangerous is China

Here are another posts, I've done (with lots of references) about unsafe products from China.

The new red menace, global commerce from China

Of course, we can't only blame the Chinese. There are other forces in this equation, who are making a lot of money doing business with China:

The problem of unsafe products from China are just a symptom of the bigger problem!

Maybe if we started making more educated shopping choices, some of these problems would go away?

After all, the almighty dollar has a lot of power!

Wednesday, October 10, 2007

Operation Paper Tiger - the true story, which reveals why our borders aren't very secure!


(Mohammed Atta of 9/11 infamy used counterfeit documents to get this legitimate Florida Driver's License. Counterfeit documents used to get legitimate ones are known as "feeder documents.")

Border security has become a major concern for all us ever since 9/11 revealed how vulnerable we really are.

Counterfeit documents paved the way for the terrorists in 9/11 to get into our country and cause the terrible event, which has forever changed the way we live.

In 2006, Suad Leija, who was raised as the stepdaughter of the founder of the largest counterfeit documents cartel in the United States began assisting the federal authorities in discovering how widespread this problem has become.

Suad has been able to identity members of the organization, who were previously unknown to law enforcement and provide historical data on the organization dating back to the late eighties.

The story begins with Suad meeting and marrying an American businessman, who runs businesses in Mexico and Central America.

Although, this part of the story still isn't completely clear, her husband turned out to be a little more than a person operating businesses in foreign lands.

Saud discovered her husband was trying to gather intelligence on suspected terrorists the cartel had supplied with counterfeit documents. The information he was interested in was contained in an extensive database of the cartel's business dealings.

Upon this discovery, Suad had to make a hard choice. The choice was between her family, or her husband and the United States.

After her husband described the terrorist threat -- comparing it to the violent drug gangs operating in Mexico, she chose to support him -- and ultimately the United States of America.

There is an excellent description of how this occurred in a La Raza article, which has been translated into English on the Paper Weapons site, here.

I found it interesting that La Raza was covering this story, given their political agenda. La Raza isn't the only Spanish media outlet covering the story, Saud has been featured on La Opinion and Univision, also. This would indicate to me that a lot of Hispanic Americans are worried about the criminal and possible terrorist implications that counterfeit documents pose to all of us.

Eventually, Suad and her husband fled to the United States and this is where Operation Paper Tiger begins.

Operation Paper Tiger documents the federal investigation into the widespread use of counterfeit documents in the United States, which are available to anyone, who can come up with the money to pay for them. It also reveals how these documents, which are produced in large numbers, aren't very expensive, either.

The book introduces a term (Paper Weapons), which might unfamiliar to the general public:

Counterfeit documents are Paper Weapons. The first weapon a terrorist needs to "FIT IN" in the United States is a document. Once he has this weapon and cover he can then go about his business of causing great harm to the United States and its citizens.
Here is a description of the cartel and their scope of operations:

The Castorena Leija-Sanchez crime organization is the major supplier of counterfeit documents/paper weapons in the United States. They are Mexico based and have been operating in the United States for 17 years. They are in every major American city and earn approx.300 million dollars per year. They also deal in narcotics and human smuggling. They are the new silent terrorist. Just about every illegal immigrant has purchased documents or knows some one who has from this organization. This book will go into the history, organization in Mexico and the United States, money laundering, illegal document manufacturing, human smuggling and murder.
Counterfeit documents are easily purchased in most major U.S. cities. Most of us have been led to believe that they are used by illegal immigrants, who are trying to make a better life for themselves.

While this is partially true, these documents are also used by criminals to commit a lot of different crimes and have been used by terrorists to blend into our society. The book is able to substantiate this with factual information from government sources, as well as, information revealed during Operation Paper Tiger.

If you were to consider the criminal activity alone, it would include narcotics, white slavery, and a host of financial crimes. More violent crimes result out of these so-called lesser crimes, also.

In fact, Suad once asked her grandfather if the family would sell documents to terrorists. His reply was chilling, “terrorism is an American problem, not a Mexican one.”

The novel includes actual transcripts of wiretaps, revealing a lot of criminal activity, including a pretty gruesome description of a murder within the cartel.

Also revealed are some amusing blunders made by members of the cartel and how the business of counterfeiting documents is set up much like any other successful organization.

It even shows how inmates in prison are serving their sentences under assumed identities.

Operation Paper Tiger shows how these documents are enabling benefits fraud and points out that most of the people, who immigrate here are poor and need assistance. In other words, it shows how the American taxpayer is picking up the cost for all this.

Benefits fraud is another growing problem. In 2006, Los Angeles was losing an estimated $1.5 billion dollars to benefits fraud.

Also revealed is how the recently defeated amnesty legislation wouldn't have done much to stop the flow of illegal immigrants across our Southern border. Quoting the book, itself:

Border Patrol agents have found fraudulent utility bills -- dating back more than five years, and thus proving residency under the Senate's bill --in the possession of those illegally crossing the border into the United States. Many of the immigrants with the documents had never visited or lived in the country, said one Border Patrol agent who requested anonymity.

This fact is substantiated in the wiretaps, which are available in the book.
Quite simply had this legislation passed, counterfeit documents would have made it easy for just about anyone to qualify as having been here for five, or more years.

Given this, it's possible the bill would have caused a rush to our borders by people seeking to get in on the amnesty provision.

If you are interested in knowing the truth about all the criminal activity, which is hidden in illegal immigration, Operation Paper Tiger is a must read.

Suad has paid a price for revealing this information. Her life has been threatened by the cartel and she is forced to remain in hiding. Since she is hiding with the borders of the United States, one has to assume this cartel has a pretty far reach.

Operation Paper Tiger can be bought directly on the Paper Weapons site, here.

Suad has been interviewed extensively by the mainstream media, including Lou Dobbs, Paula Zahn, Fox, CNN, Univision and La Opinion. Many of these stories are linked to the Paper Weapons site.

She has also produced her own set of YouTube videos, which can also be seen on the site.

I highly recommend reading this novel, which reveals Suad's and the government's efforts to keep us out of harm's way!


Pedro Leija-Sanchez serving time in prison under an assumed name.

Previous posts, where Suad is mentioned can be seen, here.

Monday, October 08, 2007

The continuing saga of Vladuz and Phishing on eBay

Here is an update to the ongoing saga of Vladuz versus eBay. Apparently, Vladuz, or someone claiming to be him, accessed eBay's servers and suspended some eBay accounts.

Ina Steiner reports on the AuctionBytes blog:

eBay confirmed that a known fraudster had limited access to a very small number of eBay accounts on the eBay.com site and the company appeared to have reacted quickly to block him on Friday. eBay spokesperson Nichola Sharpe said, "At no point did the fraudster get any access to financial information or other sensitive information." In a strange twist, some users reporting the incident said they had been openly critical of a hacker calling himself Vladuz and had been suspended briefly during the incident.
It is strange that some of the people suspended were openly critical of Vladuz?

Notably, this is the first time eBay has admitted Vladuz accessed their servers.

In another development, eBay, PayPal and Yahoo are joining forces to combat phishing. Phishing is a phenomenon that has caused a lot of eBay and PayPal account holders a lot of grief. Experts maintain that eBay and PayPal are the two most phished brands out there.

Phishing is where an account holder is duped into giving up their access information via social engineering (trickery).

The intent of the phishermen, who target eBay/PayPal accounts is normally to take the account over and commit even more fraud.

This activity gets more sophisticated all the time with crimeware (malware) being used (which steals the information automatically), and DIY (do-it-yourself) phishing and hacking kits being marketed in underground Internet forums.

Reuters, courtesy of the Washington Post is reporting:
EBay and PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys invented by Yahoo that authenticates e-mail senders are who they say they are, allowing Yahoo to block fake e-mails.

The technology upgrade will be made available to Yahoo Mail users worldwide over the next several weeks, the company said.
If you are interested in how bad the phishing phenomenon is getting, the National Consumers League has a very well written and informative paper on the subject, here.

They also have an interesting document, which although is a little dated, shows the increase in auction fraud and calls out that eBay severed their ties with them.

It should be noted that auction fraud doesn't only occur on eBay. It can and does happen on all the auction sites. The reason we hear more about it on eBay is because they are the used by more people than the other sites.

For the scammers that means there are more potential victims to harvest there.

NCL article on auction fraud, here.

AuctionBytes blog post on this, here.

Reuters story on eBay/PayPal's efforts to combat phishing, here.

Here is my most recent post about Vladuz allegedly raising his head again:

Did Vladuz hack eBay, or is stockpiled stolen information being used to make it look like he did?

Sunday, October 07, 2007

The somewhat slow response to the hacking of California.gov

With all the technology that California is famous for, you would think their government websites were state of the art, when it comes to security.

Apparently, this is NOT the case. The result has been a lot of misdirection to sites of a pornographic nature.

Alex Eckelberry, CEO of Sunbelt Software, has been blogging on this subject:

Yesterday, we reported on a federal shutdown of “ca.gov” sites to fix a hack.

Well, we have a little more information on this. It was the Marin County government website that started all of this — something we reported back in September 12th.
Does anyone besides me wonder if there wasn't much of a sense of urgency on this issue?

Bezhou Feng at Neowin.net reported that:


The shutdown, initiated by the General Services Administration (GSA), a US agency in charge of all top-level ".gov" domains, began at roughly 4:00PM (PST), quickly turning into such a problem that Gov. Arnold Schwarzenegger even considered calling the President himself.

While the porn aspect is either amusing, or disgusting (depending on your viewpoint) -- this clearly shows that .gov sites should wake up and listen when experts are trying to tell them something is wrong.

After all, this type of activity could have been something far more serious than something that is disgusting, or amusing!

Of note, as of this writing, I ran a search on Google and the Marin site (TAM) is still misdirecting users to a number of pretty nasty porn sites.

As I've written before -- exercise extreme caution when clicking on porn sites, they often make your computer come down with a virus (or worse)-- especially if "safe surfing practices" aren't being used.

Sunbelt blog post, here.

Neowin.net story, here.

Update 10/09/07: Alex Eckelberry (Sunbelt), who has covered this problem for over a month did (what I consider) an amusing post to follow-up on this one, here.

Alex and his team at Sunbelt are my favorite place to learn about computer security issues. They routinely help a lot of people free-of-charge and are experts in what they do.

Saturday, October 06, 2007

MyTruston -- where you can see if someone is stealing your identity for free!



You won't get a million dollar guarantee and Tom Fragala's social security number if you decide to use myTruston identity theft prevention/recovery services. You also aren't going to get the paid endorsements for his product by Fred Thompson, Rush Limbaugh, Sean Hannity, or Howard Stern.

Tom, who is the CEO/Founder of MyTruston doesn't believe in buying endorsements, paying bloggers, or doing massive advertising campaigns to promote his service.

He trusts that once a prudent consumer looks at his product and the value it provides, the service sells itself.

Tom was an identity theft victim himself and has spent thousands of hours advocating for other victims. Many of the basic principles behind myTruston were based on both of these personal experiences.

What you get with myTruston is a "piece of mind" that if you have to protect yourself from identity theft -- your information isn't being exposed in another place -- where it might be compromised.

Preventing identity theft using myTruston is and always has been free, you only pay for the recovery services, if and when you need them.

Most identity theft services require that you provide them with all of your personal information, and in some instances, even your power of attorney.

With myTruston you can protect your identity, and if need be, recover from identity theft without giving up your information to a third-party.

With call centers being outsourced -- the possibility of insider theft, and hacking techniques that seem to routinely defeat current security technology -- this might be something to think about when protecting your identity and financial well-being.

All identity theft services bundle free services that theoretically could be done for free. It's a low overhead and immensely profitable business. The trick to it is making sure you do everything properly, and this is where a third-party service can add value.

The unique twist with Truston is that it's free to prevent identity theft and you only pay to recover from it. In other words, you don't pay for something that might never happen to you, which seems to be a common denominator with a lot of the services out there.

Many of the services out there charge $10.00 and up a month to protect you, which is free at myTruston. Many of them (also) do not cover you if you were compromised before you paid for their services (read the fine-print).

What Truston provides is an easy do-it-yourself (DIY) platform that makes it easy for the average person to ensure they are not being compromised, and take effective action if they have been.

Truston recently announced they were upgrading their service and lowering the cost of their paid (recovery) service. The paid portion of the service only needs to be used as long as the customer feels it is necessary.

Here is a portion of the announcement from their blog:
This week we released a new version of our award-winning myTruston service. The new features are FREE to current members for a 45–day free trial period. These four new prevention and privacy services are:

1. Credit bureau fraud alerts
2. Chexsystems fraud alerts
3. Stop pre-approved credit offers
4. Stop telemarketing calls

We updated our product names: we now have myTruston Free and myTruston Plus. myTruston Free has the same features since we first launched (inspecting your credit reports year round). myTruston Plus includes what you get with Free, the four new prevention/privacy features, and our ID theft recovery tools. Also, the price for the Plus service is reduced 50% to just $10 a month!
What I like about these new features is they begin to address the growing problem of synthetic identity theft. Synthetic identity theft occurs when different parts of people's identity are crafted to form another one. This is getting to be a big problem, which is expected to get worse.

In the near future, employers will have to take action when they have employees, who have social security numbers that don't match their names. In the past, this was never enforced, and social security numbers could be made up (literally).

With this new development, up to 20 million illegal immigrants are going to have to use social security numbers that match an identity. This could lead to an explosion in the already staggering amount of identity theft that is occurring.

Watching your identity carefully, is probably a better idea than ever before.

The Chexsystems alerts are a part of this new effort. Fraudulent checks that tie into identity assumptions do not always show up on credit reports.

In case you missed the Certegy data breach, where 8.5 million people's checking account information was compromised, this might be something that will help a few people out there. Please note this compromise was accomplished by a not very honest insider, therefore no amount of computer security could have stopped it.

Two other enhancements are the ability to put yourself on the no-call lists and stop all those pre-approved credit offers. Most privacy experts recommend we do this to avoid having our information sent all over the place.

Tom, whom I speak to on a semi-regular basis, has indicated that he and his team are working on even more enhancements to provide more value to his service in the future.

They are also working with industry partners to bundle their services and provide them as an option to a wider audience, who might want to a take a more private approach to preventing, or recovering from, identity theft.

I would highly recommend getting in touch with Truston if you are providing these services to your employees, or perhaps considering providing them to your customers.

Victims of identity theft are sometimes cautious about giving up their information after they've been victimized. MyTruston provides a viable solution for these customers, as well as, customers who are careful about protecting their privacy.

For the full announcement, which includes a free trial period for current customers on the paid services (you don't have to provide a credit card number, then remember to cancel)link, here.

I've noticed this is another neat marketing trick (requiring a credit card) employed by a lot of entities offering services for free lately. I suspect they count on busy and forgetful people like me, who forget to cancel the service.

PS: I got to know Tom from his blog and work as an advocate for identity theft victims. If you are interested in identity theft or privacy issues, I highly recommend you consider it as another free resource, he provides.

Friday, October 05, 2007

Retailers call for a level playing field on data security

The data breach at TJX, which compromised approximately 45 million people has spawned a looming battle between retailers and the financial industry. At stake is who will bear the future costs of data breaches, which are becoming more expensive than ever before.

Thus far, we've seen legislation introduced to hold retailers responsible and calls for PCI data security standards. Legislation has been passed in Minnesota and is awaiting Governor Schwarzenegger's signature in California.

In any disagreement, there are two sides to a story -- and now the National Retail Federation (NRF) is bringing up what I consider is a valid point -- which is if they weren't required to store all this information, it would be harder to steal.

Under current rules, they are required to maintain too much information for 18 months, or face what are known as chargebacks.

Chargebacks are when a customer requests a refund from their card issuer, normally because of fraud. Please note that some dishonest customers claim fraud, when it never occurred. Additionally, the payment card industry sets the due diligence standards when accepting their cards and actively promotes their use.

The bottom line is -- merchants can accept payments, follow all the rules, and if they can't provide the required information -- they get charged for it, anyway.

With all the fraud that results from payment cards, this could get pretty expensive for a retailer, if they fail to control it.

Saying all this, we need to consider the bigger picture, which is the best way to protect data is to limit how many places it is being stored. This principle should be considered in a lot of other places besides retailers, also.

Mark Jewell of the AP is reporting:
The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers' card numbers for up to 18 months.

The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it.

"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the retail federation's chief information officer, said in a strongly worded letter.
In the article, Mr. Hogan brings up the very reason that retailers have been holding on to what some consider, too much information:

Hogan said in an interview that retailers routinely hold onto information because credit card companies ask them to produce data from transactions as old as 18 months to verify product returns and protect against fraud. If retailers can't produce data showing the product was legitimately purchased, they can end up reimbursing banks and card companies, Hogan said.
Only 44 percent of large retailers are now PCI compliant. This month, the larger retailer's banks will start facing fines for failing to become compliant. Banks that service medium size retailers will start facing fines in January.

This doesn't even take into account smaller merchants, who often are victimized the most by fraud, and chargebacks.

In case you don't understand how chargebacks can be a burden to a merchant, I've included a YouTube video at the bottom of this post, where a small merchant rants about chargebacks from PayPal.

The frustration expressed in this video is the same one felt by a lot of merchants (retailers).

The basic issue in all this is who will end up paying for it. Since no business remains solvent if they are losing money, the costs are going to end up being passed on to the consumer.

So far as the NRF's point, I think it is entirely valid. If retailers didn't have to store all this data, it would be one less place, where criminals could access it.

After all, while data breaches at retailers have gotten a lot of attention recently, they are not the only place they are occurring.

If you are interested in seeing what I mean by this the Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all try to keep track of as many of them as they can.

All of them will tell you that their efforts only document the known breaches. There are probably many more that no one knows about -- and the last I heard -- the criminals behind them keep this a closely guarded secret.

After all, disclosure of a data breach impacts their bottom lines, also.

My personal solution is for everyone to get together and go after the real people behind this problem, or the criminals. Everyone would benefit from this!

My guess is they (the criminals) could care less, who ends up paying for all the damage they are causing.

AP story, here.

National Retail Federation (NRF) press release, here.

Here is the YouTube video (mentioned above), which reflects a small merchant's frustrations with the chargeback process. Please note that smaller merchants are bound to have a stake in what becomes of this controversy, also.

(YouTube video courtesy of Terry)

Thursday, October 04, 2007

How was Mayor Bloomberg's BofA account jacked?

Here is a clear case, which shows that just about anyone can have their financial identity compromised. In this case, the victim is none other than the mayor of New York City, Michael R. Bloomberg.

This story is getting a lot of coverage, but no one is saying (if they know) how Mayor Bloomberg's financial information was compromised.

The New York Times (Sewell Chan) reported:

One man, Odalis Bostic, was indicted for trying to steal $420,000 from the mayor. According to prosecutors, Mr. Bostic created the Laderman Development Company in Elizabeth, N.J., and set up accounts in the company’s name at two banks, PNC and Sovereign Bank.

In early June, Mr. Bostic deposited a $190,000 forged check into the Sovereign account and a $230,000 forged check into PNC account, according to prosecutors. Both of the forged checks were drawn on Mr. Bloomberg’s personal account at the Bank of America and were issued in the name of the mayor’s financial manager, Geller & Company.

Mr Bostic was probably hoping the bank would release the funds, at which time, he would have drained the accounts.

During the course of the investigation another fraud was discovered, where Mayor Bloomberg was the victim:

A second man, Charles Nelson, has been charged with stealing $10,000 from one of the mayor’s financial accounts on May 11. In an online transaction, Mr. Nelson transferred $10,000 from the mayor’s Bank of America account to an E*Trade account the defendant had set up, prosecutors said. They said he later used a debit card for cash advances and to make purchases from the E*Trade account.

The next question is how did Charles Nelson get Mayor Bloomberg's log on credentials to his Bank of America account? Getting a copy of a check and counterfeiting it is one thing, but online transactions normally require a log on ID and password.

I checked the press release from the Manhattan DA and it doesn't disclose how this happened, either.

None of the stories indicate that Bostic and Nelson knew each other. In fact, Robert Morgenthau, the DA was quoted as saying they were unrelated in the NY Times story. The DA's press release doesn't stipulate whether they knew each other, or not.

Mr. Nelson was arrested in New Jersey and is being charged with grand larceny and identity theft.

There are a lot of ways an account can be compromised (jacked). Phishing, where account owners are tricked into giving up their details and data breaches happen at an alarming rate these days. The sad thing is that there is so much of this going on, it's pretty hard to determine the original point-of-compromise.

Another sad thing is that, according to most statistics, over 99 percent of the criminals doing this are never brought to justice. In fact, most of the time, a victim can do little more than file a report, which never gets investigated.

This story is a testament to making sure you review your accounts on a regular basis. As long as unauthorized withdrawals are reported in a timely fashion, the owner of the account normally can't be held liable.

New York Times story, here.

Manhattan DA press release on this, here.

Tuesday, October 02, 2007

International task force led by U.S. Postal Inspectors stops $2.1 billion in counterfeit checks bound for the United States


(Picture courtesy of FakeChecks.org)

On September 7th, I did a post based off a story that circulated out of Nigeria about an International investigation that might lead to arrests, worldwide.

Apparently, it did and the U.S. Postal Inspection Service is now giving more details, including some arrest statistics.

Please note that a lot of other agencies were involved in this, including the Nigerian Economic and Financial Crimes Commission, and the United Kingdom Serious Organized Crimes Agency.

From the press release:

Investigators led by the U.S. Postal Inspection Service have arrested 77 people as part of a global fraud crackdown which has since January intercepted more than $2.1 billion in counterfeit checks bound for the United States.

The eight-month investigation involved schemes in Nigeria, the Netherlands, England and Canada, and has stopped more than half a million fake checks from being mailed to American victims.

At a press conference at the National Press Club, Postmaster General John Potter announced a consumer-awareness campaign to educate the American public. International scammers have found U.S. consumers easy prey and are increasingly targeting them, Potter said.

“All fake check scams have the same common pattern: Scammers contact victims online or through the mail and send them checks or money orders. They then ask that some portion of the money be wired back to them,” said Potter.

“The best thing our citizens can do to protect themselves is learn how to avoid these scams. The old adage still holds true: If someone offers you a deal that sounds too good to be true, it probably is.”

The press release is launching a new awareness campaign, which includes a website run by the National Consumers League (NCL) to protect people from this billion dollar problem.

Consumers can learn more and report fraudulent activity at the Alliance website, FakeChecks.org.

If consumers believe they have been defrauded by a scam, the Postal Inspection Service wants to hear from them. These crimes can be reported by calling 1-800-372-8347.


I've spent a little time taking a look at the site. The information on it is easy to understand, highly visual and is a definite asset in protecting the average person from becoming the victim of an Internet scam.


In fact, I liked it so much, I've put it on my links list.

The entire press release, which contains a lot of helpful information, can be viewed, here.

I recently did a pretty detailed post on how to verify if these items coming in the mail are fake, here.