Tuesday, May 29, 2007

Medicare Fraud arrests might expose ties to medical identity theft and organized crime

Ever wonder why our social services are going bankrupt? Here is a story, from a FBI press release, showing how $101 million was paid out in fraudulent health care claims.

Reading the release also made me wonder, where all the names to claim services, came from?

From the FBI release:

On May 22, 2007, a Miami federal grand jury returned a 46-count indictment against eight defendants in United States v. Mabel Diaz, et al., No. 07-20398-Cr-Ungaro. The indictment charges Mabel and Banner Diaz, wife and husband, with operating All-Med Billing Corp. (All-Med), a Miami medical billing company, and executing a scheme to submit tens of millions of dollars in fraudulent claims to Medicare from 1998 to 2004 for reimbursement for durable medical equipment (DME) and related services. The indictment alleges that All-Med submitted approximately $80 million in false claims on behalf of 29 DME companies. The claims were allegedly fraudulent in that the equipment had not been ordered by a physician and/or had never been delivered to a Medicare patient. As a result of the submission of the fraudulent claims, Medicare paid the DME companies approximately $56 million. The indictment also seeks forfeiture of the fraud proceeds and here substitute assets, including real estate of the Diazes. The Diazes were additionally charged with conspiracy to launder the proceeds of the alleged All-Med billing fraud scheme. Also charged in the All-Med billing fraud scheme was All-Med employee Suleidy Cano.

If you read down further on the release, the names of all the people being charged are Hispanic.

While I suppose, not all criminals with Hispanic names, cater to illegal aliens, a large number of them seem to. Despite this, there seems to be no information, whether or not; this activity had any ties to illegal immigrant activity, or if people’s identities were stolen to facilitate these crimes.

There is also very little information as to exactly how these crimes were committed. It would make sense that they would have to use names and other personal information to claim the “services,” paid for with taxpayer money.

Digging a little deeper, I found another press release dated the day before from the FBI describing a similar health care fraud scheme – where the employees involved were described as illegal aliens.

This case occurred on the other side of the country (Southern California). Please note that all the names listed on this press release were of Hispanic origin, also.

In the Los Angeles case, the taxpayers were only ripped off for a little more than $9 million. Small potatoes compared the amount in the Miami case. Of course, I wonder how much more of this is going on, where no one has been caught?

Some of these illegal aliens were posing as nurses, which could be pretty scary, if they were dispensing any real medical services. Even scarier, is the very real harm bogus information in a medical record can cause. If you think about it, bogus information in a medical history could be life-threatening.

The World Privacy Forum has studied this subject (in detail) and stated in a 56 page report:

This report discusses the issue of medical identity theft and outlines how it can cause great harm to its victims. The report finds that one of the significant harms a victim may experience is a false entry made to his or her medical history due to the activities of an imposter. Erroneous information in health files can lead and has led to a number of negative consequences for victims. Victims do not have the same recourse and help for recovery from medical identity theft as do victims of financial identity theft. This report analyzes statistics in health care and identity theft, and estimates that approximately a quarter million to a half million individuals have been victims of this crime.

The report also states:

Medical identity theft is deeply entrenched in the health cares system. Identity theft may be done by criminals, doctors, nurses, hospital employees, and increasingly, by highly sophisticated crime rings.

If the FBI is issuing two press releases about this activity, one could deduct that they might have been investigating some of these “highly sophisticated crime rings.”

Not sure if the impending immigration bill is the reason some of the surrounding issues aren't being talked about, but a lot of criminal activity is tied to the trade in human flesh.

On a personal note, I want to see honest immigrants find a better life, and continue the American tradition of adding value to the most diverse society in the world. The problem is that a lot of organized criminal groups have profited in the illegal immigrant trade for years, and no one has come up with a way to weed out this hidden activity, very effectively (my opinion).

Of note, the honest and hard working illegal immigrants are often victimized in this process, which is largely controlled by organized crime.

With millions of identities compromised, it isn’t going to be easy. Assuming someone else's identity has become too easy, especially for those with criminal connections.

FBI press release on Florida arrests, here.

FBI press release on Southern California arrests, here.

World Privacy Forum report on medical identity theft, here.

QuackWatch has a good site, which covers this type of fraud in great detail, here.

In case you wanted to learn more, the U.S. District Court of Southern Florida is happy to sell you the information, here.

The Virginia WatchDog goes after government sites that post too much personal information. A lot of great information about this subject, and examples of effective action taken by the Watchdog herself, BJ Ostergren can be found, here.

BJ and I had about an hour long conversation recently, where she demonstrated how easy personal information can be data-mined from these sites. I found BJ to be a fascinating person, but more of that, later.

This site and their important work will be the subject of some future posts.

My previous rants about organized crime controlling the traffic in human flesh can be read, here.

Organized groups with Hispanic names aren't the only immigrant groups ripping off the taxpayers. Here is a recent post, I did about another immigrant group that seems to focus on stealing public funds:

Eurasian organized crime loots public coffers

Friday, May 25, 2007

Google launches security awareness effort using the blogosphere

There is another effort to curb fraud, phishing and financial misdeeds in the blogosphere. This week, Google launched a blog called the "Google Online Security Blog," which is designed to protect their users from the sometimes dangerous (murky) waters on the Internet.

In their own words (from their first post):

Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.

In this post they discuss "drive by downloads," which install what I call "cybernasties" on systems, often designed to steal personal, or financial details. They point out that Google already warns users of malicious sites in their search results and that users can prevent these sites from loading using Google Desktop Search.

They have also included a link to a paper, which studies this issue.

Since Google (as far as I know) isn't selling security software, the paper is well worth a read. This isn't to say that a lot of the papers published by security companies aren't relevant, it just means that Google's effort isn't designed to sell security software.

They also point out that most of the sites they investigated that download malware a.k.a. crimeware belong to webmasters, who don't know they've been hacked and are being used to compromise systems.

This post was written by Panayiotis Mavrommatis and Niels Provos of Google's Anti Malware team and includes a link to StopBadware.org. StopBadware.org has a lot of great tips on how to protect and avoid the growing phenomenon of malware (crimeware).

Google's Online Security Blog can be seen, here.

I look forward to seeing what else they come out with!

Sunday, May 20, 2007

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

Not so long ago, I did a post about how the federal government was phishing their own employees.

It didn’t surprise me that many of the phish took the bait, pretty easily. It would just mean that the federal employees, who were phished are no different from the general population on the Internet.

After all, there wouldn’t be so much phishing, if it didn’t work.

Apparently, the practice is catching on and Amy Joyce of the Washington Post did an interesting article about why the idea might be a good one.

In the article, James MacDougall (South Carolina’s computer security guru) as saying:

You can spend all the money on the technology you want, MacDougall said. But if the end users are doing dangerous behavior, there is almost no cure for that.

Mr. MacDougall has hit an important point right on the head and phishing tends to set new records, every time the Anti Phishing Working Group issues their monthly report. Their most recent report (April) indicates that not only did the number of phishing sites set a new record, but their numbers more than doubled over the previous month (March).

Spam filters designed to stop phishy e-mails seem to be under major attack, and haven't been very effective in the recent past, either.

Maybe, we are spending too much money on technology to solve the problem rather than using some good old fashioned common sense?

One of the reasons, technology tends to be defeated, or used by criminals – is that it is too easily compromised by human beings. Most financial scams rely on the greed factor, or getting people to fall for something that's too good to be true.

It doesn’t take a genius to buy DIY (do it yourself) crime kits, which are readily available over the Internet, and commit what some might consider, sophisticated criminal activity.

Relying on technology to protect us without human oversight is a big mistake, and this holds true, for more than financial crimes.

Government and private systems are attacked all the time for their information.

Technology is a wonderful tool and makes things easier, but it has limitations. Instead of throwing all of our resources into technology, which seems to have a limited life span, maybe we need to focus more on the human factors that put us at risk, daily.

Thought provoking story by Amy Joyce, here.

Advance Fee credit schemes steal from people who are already in financial trouble

A Florida scam artist has been caught after ripping off thousands of people in what is known as an advance fee credit scheme. The scam -- which targets a market segment known as the under banked -- offers credit to people, who wouldn't qualify for it, otherwise.

Although variations of advance fee schemes have been around for centuries, the global and anonymous nature of the Internet has enabled them to spread like a virus with the click of a mouse.

In advance fee credit schemes, after paying a large fee in advance, the people don’t get the credit and are out the fee.

According to the AP, the Florida man, defrauded low income people out of about $12 million in this recent arrest.

Although in this instance, credit cards were being offered, other forms of credit are offered in advance fee credit scams, also.

These scams are spread via spam e-mails all the time, but they also appear in more traditional advertising like newspapers and magazines. People are also often solicited by telephone.

Recently, the Truston blog commented about a New York Times story revealing that InfoUSA, a databroker, was selling lists of senior citizens interested in lotteries and sweepstakes. Lottery and sweepstake scams are rampant on the Internet.

I wonder how many other telephone lists are sold by data brokers, which help fraudsters market their scams?

The Federal Trade Commission (FTC) has a nice page explaining this problem, here.

Suspected activity can also be reported to the FTC:

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit http://www.ftc.gov/ or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Most scams do not make sense and are too good to be true. Paying a third-party to get credit is unlikely to change, whether or not, an individual qualifies for a particular financial product.

On a final note, it's also not wise to give out your information to someone you don't really know. Doing so, might lead to becoming an identity theft statistic.

AP story, here.

Truston blog post on New York Times article about data brokers selling telephone lists to criminals so they can "market" their scams, here.

Saturday, May 19, 2007

Secret shopping jobs are liable to cost you a lot of money!

The Secret (Mystery) Shopper scam is running full steam and victimizing people, daily. The last time, I addressed this problem was in a post, where I noticed I was getting a lot of hits from Google on this subject. Recently, a lot of people have been reading my previous posts about this scam.

Here is a basic description of the scam from my last post:

In the Secret Shopper scam, people are solicited to become "Secret Shoppers" sometimes known as "Mystery Shoppers," and go into (normally) Walmart to negotiate a bogus check. Walmart recently got into the business of cashing checks. They are then asked to wire the money using WalMart’s Money Gram services to Canada and report on the "customer service" aspects of their visits.

Once the money is wired and picked up (sometimes within minutes), there is very little that can be done to get your money back.

The letters soliciting victims (mystery shoppers) often are set up with fake telephone numbers that have fraudsters answering them.

The cardinal rule in Internet dealings is to independently verify any numbers provided, no matter how real they seem.

Please note that 800 type numbers are used, also. Sometimes the numbers are set up in the United States, but the shopper is normally instructed to wire the money to somewhere outside the country.

In several of the newer letters, which all contained high dollar counterfeit checks, the shopper is being instructed to cash the item, go and buy a nominal (low dollar) amount of merchandise, then (of course) wire most of the money back to the so-called service.

So far as what bank’s checks are being counterfeited, this seems to change daily.

Sometimes going to your own bank to verify an item isn't a good idea, either. Banks often give a customer credit for these items, and then hold their customer responsible when the item returns. Also, it's not unknown for people to get arrested when attempting to cash these items.

Numerous businesses are listed as places to shop on the recent letters I saw, but they all have one thing in common, which is they offer Money Gram or Western Union wire transfer services.

The most recent versions of the letter state to keep the nominal amount of merchandise they instruct you to purchase.

If you get one of these letters and checks, never cash it, or wire the money before making 100 percent sure the item is good. Of course, I’ve never seen one that did turn out to be good. Who would send a legitimate check worth thousands of dollars to someone they don’t know? Scams never make sense and prey on people looking to make a quick buck.

A good place to search for counterfeit cashier’s or official checks is the FDIC alerts on them, here.

If there is no alert, independently find the banking institution’s number and ask to speak with someone in their security department. Counterfeit checks often use legitimate account numbers and customer service people sometimes verify fraudulent items as legitimate.

This type of scam can be reported the Federal Trade Commission (U.S.) and to Phonebusters in Canada, although it is rare that any action will be taken to investigate an individual case.

I’m not saying not to report them, but the truth is that there is so much of this going on, no one has the resources to go after individual cases. The value in reporting them lies in providing intelligence to law enforcement, which does sometimes build cases, and goes after the culprits.

The best protection for the individual is to recognize these offers for what they are, or too good to be true.

All my previous posts mentioning this scam can be seen, here.

Thursday, May 17, 2007

Equifax hires ID Thief

These days, identity theft is being used for more than to commit financial crimes. A woman in Georgia (Tonia Leach) discovered her identity was stolen after an inquiry showed up on her credit report from a temp agency and Equifax. The still not identified impostor used the woman’s identity to obtain employment at Equifax.

When I say the impostor used the identity for more than committing financial crimes, I didn’t mean the victim wasn’t left with a lot of financial liability, as a result of this occurence.

WSBTV.com (Georgia) reports:

The woman also opened credit cards in Leach’s name. Leach even got a bill from the IRS. Leach said her life has been turned upside-down.

When the creditors call, they call me at 6, 7, 8, 9, every hour of every day. They will call you because they want their money. It was horrible, said Leach.

Equifax, one of the big three credit reporting agencies made the following statement:

We can confirm that an individual posing as Ms. Leach was employed with Equifax for less than a year, beginning in early 2006. There were no indications with the identification information that she provided or through the work history or the credit report that this was a stolen identification.

Equifax also claims, the impostor didn’t have access to sensitive information, but the article doesn’t say exactly what she did, or if there was any sensitive information accessible where she worked?

After all, this person seems very adept at stealing information and it’s possible, she could have found ways to steal it, using other people’s access. Access codes and passwords are frequently compromised by dishonest employees, who intend to steal, or commit other misdeeds.

If you are interested in how easy it is to get all the documents necessary to pose as someone else, I did a post about Suad Leija, who has shared a lot of information on this subject:

Paper weapons (counterfeit documents) enable more serious crimes than illegal immigration and identity theft

With the amount of stolen identities, backed up by easily available counterfeit documents, we can expect to see more people obtaining employment using someone else's information.

Most identity theft experts recommend you check your credit report at least once a year. It's a good idea to pay attention to what inquiries have been made and be wary if you don't recognize, who has been making inquiries into your credit.

Tom Fragala at MyTruston, who is a fellow blogger, provides an easy to use method to check to see if you are a victim of identity theft. Checking to see if you are a victim is always free and you only pay if you choose to use his recovery services. The recovery services are cheaper than anything I've seen out there, thus far.

MyTruston is also "privacy friendly," which means you don't have to give up your personal information to be stored in someone else's database. Identities are stolen from databases, pretty frequently.

You can link to MyTruston, here.

WSBTV.com story, here.

Wednesday, May 16, 2007

Fake e-commerce sites steal personal and financial details

Not all the financial information being stolen comes from data breaches at large corporations. Quite often, it is inadvertantly given away by the victim, when they are tricked into doing so.

If you see a website selling goods for prices that are too good to be true, it might be a ploy to steal your payment card details, or they are probably selling counterfeit merchandise.

Dinah Greek, of Computeract!ve did a great piece of investigative journalisim, exposing one of these sites.

Police are investigating what could turn out to be a massive scam, which has drained thousands of pounds from people's bank and credit card accounts.

Computeractive and fraud specialist Early Warning have discovered that debit and credit cards used to pay for goods such as iPods and Nintendo Wii consoles from www.instant-av.co.uk have been used fraudulently elsewhere.

Once an unwary person had given up their payment (credit/debit) card details, they often received another call stating that the original card didn’t work and were asked for another card.

This, of course, resulted in both cards being compromised.

The authorities in the United Kingdom are investigating (based on Dinah’s information), but when a fake site is posted on the Internet, the victims might be anywhere in the world!

This site didn’t have a secure sockets layer (SSL) certificate, which encrypts the transaction; however just because a site has a SSL icon doesn’t mean it’s secure.

Internet criminals sometimes fake these certificates, as discussed on Bruce Schneier’s blog, here.

Another way to spot questionable sites is to use TrustWatch, which tells you if a site has been verified as legitimate, using a color coding system. Of course, nothing is certain on the Internet and legitimate sites are sometimes hacked and taken over. Nonetheless, it's a pretty good tool that I use myself.

Dinah Greek's story, here.

Tuesday, May 15, 2007

Eurasian organized crime loots public coffers

Well placed government sources claim that the government loses $300 billion a year in healthcare fraud - with about half of this figure being stolen from immigrant gangs - many of whom hail from the former Soviet Union.

Troy Anderson of the LA Daily News reports on one small part of the overall problem:

Lana Michael and her husband collected welfare benefits in 2003, claiming they earned less than $24,000.

But authorities say Michael, the former office manager of a job-training center for immigrant welfare recipients, also owned a liquor store and recycling business.

And, authorities say, she drove a $76,000 luxury car, shopped at Neiman Marcus and Saks Fifth Avenue and had $147,980 stashed in her bedroom dresser.

Lana Michael is also known as Svetlana Djangarian was part of an elaborate scheme, where welfare to work checks were issued from the inside and cashed using fake ID. Fraudulent tax returns were also filed.

Daily news story, here.

No wonder programs designed to help the less fortunate are in trouble!

Friday, May 11, 2007

British citizens accused of child porn found to be fraud victims

Information (identity) theft sometimes leads to innocent people being charged with a crime. Recently, I've been reading about how British citizens were accused of viewing child pornography, when they were actually victims of credit card fraud.

The Guardian did an excellent article about this, explaining how the porn industry supplements it's income with payment (debit/credit) card fraud. This explains how innocent people, who are victims of credit card fraud, get accused of crimes they didn't commit:

One method used from 1999 by criminals, including the Gambino mafia family in the US, was to offer free tours, or access for a credit card payment as small as $1.95, to adult sex sites. Customers had to provide name, address, card details, and email address and password. The criminals then reused the data or traded them online with other fraudsters.

Operating out of Indonesia, Russia or Brazil, many of the webmasters linked via Landslide appear to have obtained and swapped lists of stolen cards and charged them up through different portals, usually for amounts of less than $50 - small enough that unwary people might not spot them on a credit card statement.

The current arrests stem from a larger investigation, where a U.S. based child porn website (Landslide Inc.) was investigated, revealing 250,000 credit card numbers (used on the site), belonging to card holders, worldwide.

Copies of the hard drives were provided to British law enforcement. Subsequently, thousands of British citizens were investigated, as a result of having their credit card number show up as having paid for Landslide's seedy services.

The investigation began in 1999 and was conducted by the United States Postal Inspection Service and Dallas Police Department. It exposed how the Internet is used to commit this disgusting crime (child pornography), globally, with the click of a mouse.

The investigation tracked activity to 60 different countries. 120 people were eventually arrested in the United States. Pete Townsend, the Who's guitarist was arrested for viewing child porngraphy in this investigation, also.

54,348 of the credit card numbers discovered in the U.S. search warrant were identified as having been stolen from Levenger Incorporated, a luxury goods company. Of course, Levenger declined to comment on how the information was stolen.

The Guardian article makes a clear argument that many more of the numbers taken in the search warrant could have been stolen (in a lot of places) and used on the Landslide site.

The sheer amount of stolen information and fraudulent payment devices circulating via the Internet is victimizing innocent people, and more than likely giving guilty people, plausible deniability.

Not everyone caught in this was a victim of credit card fraud. Exploiting children is one of the most disgusting crimes I can think of. People, who exploit children, deserve to be punished, severely.

It's apparent that our inability to address the source(s) of crime on the Internet is having VERY severe consequences on the people, who are victimized by it.

Innocent, or guilty, 39 people have committed suicide over this. Wouldn't it be nice if some of these child pornographers/credit card fraudsters could be charged with murder, or at least manslaughter?

USPIS press release on Operation Avalanche, here.

Suspected crimes against children can be reported to the National Center for Missing and Exploited Children, here.

Well researched article from the Guardian, here.

Thursday, May 10, 2007

Does it really matter how well a bank protects their site?

Dark Reading had a story that caught my eye (courtesy of Bank Systems & Technology) stating that a 150 million people in the United States are scared of online banking.

For fear of becoming the next victim of identity theft, 150 million U.S. consumers don't bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers' confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research (Pleasanton, Calif.) for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

One thing to consider is that in most instances, where an individuals banking or personal information is compromised -- it is because they downloaded malware (crimeware), or they gave it up by more social means -- often referred to as phishing.

A bank site might be well protected, but if your computer system is NOT, it's probably still at risk. There are also a lot of spoofed fake bank sites out there that look pretty convincing to the untrained eye.

If you are unfortunate to pick up a keylogger -- everything you "key" is logged and sent back to the person -- who dropped it on your system. If the crook gets your user name and password, no amount of security on the bank's site is going to stop you from being victimized.

Most keyloggers are dropped on a system, when the user clicks on a link they shouldn't have in a spam e-mail.

Perhaps, the key is to make sure your system is well protected, and learn to protect your information, personally.

I use online banking myself, but I'm not going to rely on the bank to protect me.

The best defense against identity theft is using common sense, which in the case of computer systems, should include current protection from a reliable computer security vendor. Of course, being aware of the more social ways information is stolen is highly recommended, also!

My own bank tries to sell me online banking as a means of preventing identity theft. They remind me (every time I log on) that it's a way to prevent my personal information (sent in snail mail marketing offers) from being stolen.

On a personal note, I remind myself, I'm saving a tree or two. It also reduces the amount of documents, I have to shred. Thinking of it that way, gives me more peace of mind.

The last time I asked a Postal Inspector, mail theft hasn't stopped, and still is a way identity thieves steal a LOT of information.

You can opt out from receiving this snail mail (highly recommended), here. If you do, the credit bureaus will stop marketing your personal information, and it will be less available to steal.

As long as corporations are making a lot of money by keeping the commodity (our information) easy to use, criminals are going to find ways to steal it. After all, it's become highly profitable for them, also.

Dark Reading article (courtesy of Bank Systems and Technology), here.

Monday, May 07, 2007

Is Target's payment card and new refund procedure stopping retail criminal activity?

Will stricter return policies drive Target's customers, elsewhere? Some are saying their new return policy (which will require a receipt for cash returns of $20 or more) -- isn't very customer friendly --and might do just that. Some are also questioning, whether another policy (how they verify plastic transactions) is enabling fraud to occur within their four walls.

So far as the new refund policy, Target's response is that this will affect a very small amount of its customers. Chris Serres, Star Tribune, Minneapolis - St. Paul gives Target's rationale for this:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm with data breaches, carder forums, and do it yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied into methamphetamine use, but in reality, it might also be tied into heroin use, or any other narcotic that people get addicted to. Addicts often turn to retail crime to support their habits, also.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high value (shrink) merchandise and tightened up their return policies. To get past this, many retail criminals use fraudulent payment devices, which are pretty easy to obtain.

Organized criminals now make their "cut" selling the information and devices to less sophisticated crooks, who do all the dirty work for them. Deals are made on the Internet with a click of a mouse, and these devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind it.

Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals UPS, or Fedex, worldwide. Sometimes, they are shipped in bulk to one location and then redistributed. This is another method used to make tracking these devices to their original source, difficult.

Because of the growing availability, retail criminals are using
fraudulent payment devices to obtain and then refund merchandise.

If customers using credit cards, debit cards and checks are still allowed to return them without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers, using payment devices (checks, credit cards, debit cards) could get a refund without a receipt? Just to make sure, I called my local Target and told them I lost my receipt from a credit card purchase. I was told to bring my credit card in and they could look up the information.

In light of the many recent data breaches, such as TJX -- where at least 45 million customers were compromised -- this thought scared me. Even if their systems are completely safe (not sure if any really are), does this mean that a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought out security can be beat by one person with access to it!

One of the systems compromised at TJX was their refund authorization system. Not allowing easy access, or even maintaining personal and financial information is the recommended way to prevent data theft.

Besides that, I often wonder how accurate the data is in some of these refund systems. These days, crooks use a lot of other people's information.

Since Target relies on electronic authorization systems (they don't even require their staff to check ID) on credit/debit card transactions, the law enforcement official quoted above might have a very valid concern.

But this isn't the only time, I read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim, who after realizing no one was doing anything with her case, decided to beat the pavement (investigate), herself. Working with a reporter, she did her own check of retailers and here is what happened at Target (as reported on KOMOTV.com):

We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspected credit cards.
Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader."Electronic authorization is faster and more accurate than relying on visual inspection of verification of written signatures," says Brie Heath of Target.

Even with these systems, where a customer swipes their own card, a lot of retailers require that the clerk check identification AND inspect the card on signature transactions. In fact, a lot of pos (point-of-sale) systems prompt the customer and the clerk to do so.

Counterfeiting payment cards has become so easy to do that it's now
done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also being counterfeited, but at least visual inspection is going to making it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems read data, and in the case of debit and credit card data, it's being transferred (counterfeited) all the time.

Many might ask why Target would rely on an electronic system with so much fraud going on out there? One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge it back to Target.

When this happens, I'm guessing that Target isn't the one taking the loss, the bank does.

Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) are saying they are unfair to them, also. These merchants claim the rules favor the banks, who are passing off the costs of fraud to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect to see more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief, victims go through in this process. Victims can be held liable for losses, have their credit ruined, and are even charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses do have the right to protect themselves, but passing the financial loss to another business, and ultimately (all of us) does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.

It would be unfair to single out Target on these issues. Other retailers need to be looking at them, also. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this are other human beings. Removing human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation,

Saturday, May 05, 2007

How to avoid getting your information stolen via wireless connections

Yesterday, I wrote about how the FBI is warning us that personal details can be stolen (i-jacked) when using public computers. This occurs using crimeware, previously installed on a public computer, logs the keys you are stroking and sends the information (electronically) to criminals.

It can be dangerous to look at any of your online financial information on these (public access) machines.

When writing about this phenomenon, I remembered that even using your personal computer at a public place with a wireless connection can expose a person's personal and sometimes, financial details.

Just the other day, Martin Bosworth, over at Consumer Affairs, wrote an excellent piece covering this danger, where he stated:

Sending unencrypted information over any unfamiliar network can turn your computer into an open book -- with pages full of your personal information.

Many of these connections are appear to be legitimate connections because they are spoofed (camouflaged to appear as if they are a trusted connection).

Spoofing a connection, or site isn't very hard to do. They simply copy and transpose pictures and statements (words) from legitimate sites to their own. The Artists Against website has a portal, where you can see fake websites that are up and running on the Internet, here.

Martin's article contains some excellent tips on how to navigate the murky waters of public hot spots, safely.

They can be viewed, here.

Interestingly enough, wireless technology, isn't only used to compromise individuals. In the recent TJX data breach, where some are saying 200 million records were stolen since 2003, reports are saying the data was stolen, using wireless technology.

It's being reported that this was accomplished from a car with a laptop. Driving around with a laptop, using other people's wireless connections, is sometimes referred to as "war-driving," which is my new word for the day.

Joseph Pereira (Wall Street Journal) wrote about this (courtesy of the Northwest Florida Daily News), here.

Friday, May 04, 2007

TSA loses 100,000 employee records and discloses the matter, immediately

For the first time, I can remember a data-breach is being reported the day after it was discovered by an agency entrusted to protect and serve the public at large. Here is part of the press release from the Transportation Security Agency (TSA):

Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation.

Of note, the information compromised here is everything an identity thief would need to completely assume another person's identity, sometimes referred to in carder forums as a "full."

Carder forums (chatrooms) are where a lot of stolen personal and financial information is sold, right over the Internet.

Their press release on this unfortunate matter states they have extensive data protection protocols, which I would hope include the fact that the data (stored on a portable device) was encrypted.

I'm sure some are going to try to bash TSA for this incident, however I am going to take a different stance, which is they appear to be handling the matter a lot more responsibly than many organizations that have breached, recently. In my humble opinion, the TSA is taking this seriously and handling this matter the best way possible. Data breaches embarrass a lot of organizations -- too many of them would rather avoid the negative publicity -- instead of doing the right thing to protect their (in this case OUR) most valuable asset, people.
I'm not thrilled with this data breach -- or that information continues to be left where it shouldn't be -- but disclosure (being more honest) goes a long way towards fixing the overall problem.

Recently, a TSA employee caught a culprit with 43 different driver's licenses and a lot of bogus payment devices. We need to remember that the people compromised by this, protect all of us!

I really liked their statement about what they intend to do about it - if wrongdoing is discovered:

TSA has extensive data protections protocols and training in place for its employees regarding data privacy. TSA has zero tolerance for employees not following policies on data protection and will take swift disciplinary action, including dismissal, against individuals found to be in violation of our procedures.

I'm not able to comment on TSA's data privacy procedures (never seen them), but one person with access, who violates any data privacy procedure can do a lot of damage.
If anyone knows something about this data-breach, information can be submitted to the FBI (investigating agency), here.

Data breaches have happened at a lot of places. If you are interested in reading more about them and where they occurred, the Privacy Rights Clearinghouse maintains a chronology, here.

A lot of data breaches occur when information is stored on portable (easily stolen) devices. Some claim that even if encryption is present on the device, the wrong person can still (sometimes) access the information.

The full press release can be read, here. They also link to the new government site on identity theft (worth a read if you haven't seen it yet), here.

You never know who might be selling hot merchandise on eBay

Normally, I avoid writing about petty crime, but this one is too good to pass up.

From SF Gate:

A Hillsboro mother found her daughter's missing winter coat on eBay, and now a teacher at the girl's elementary school faces charges of theft and computer crimes.

The teacher, who was placed on administrative leave pending the outcome of her trial, claims she found the jacket in the lost and found.

Of course, Mom claims she had already checked there!

With all the alleged fencing that occurs on auction sites, this person is either very unlucky, or doesn't cover her tracks very well. I would have to recommend, she sticks with teaching elementary students.

A couple of days ago, I wrote about what might happen to credit cards and identification left haphazardly in a lost and found:

Airline employees and correctional officer arrested for credit card fraud

Full story from SF Gate, here.

FBI warns of banking details being i-jacked (stolen) at Internet cafes and hotel business centers

It could be pretty expensive to check your online banking assets at Internet cafes, or at the public computer in a hotel's business center.

Here is an interesting article by Robert Schmidt at Bloomberg.com, quoting FBI sources, where he says:

Tens of millions of dollars have been looted from online brokerage accounts in a fast-growing fraud that targets unsuspecting hotel guests and Internet cafe patrons, Federal Bureau of Investigation officials say.

The way this is done isn't new, the crooks simply install keylogging software on these public machines. As I've written before, keylogging software (itself) is legal and can be purchased by anyone over the Internet. Some of the legal (marketing) justifications are to spy on employees, spouses and your children.

Oh I forgot, they are also used by private investigators, like the ones busted in the recent HP scandal.

Keyloggers are often dropped (installed) on computers via spam e-mails, when an unsuspecting person clicks on the wrong link, also. According to the Anti-Phishing Working Group, the use of them is growing, rapidly. February set an all time record for this type of activity, according to their monthly report.

Although keyloggers are legal, when used by criminals to steal personal and financial information, we refer to them as crimeware (go figure)?

To read the full article at Bloomberg.com, click here.

I wonder if the FBI's job would be easier if laws were enacted to stop certain companies from enabling this growing problem?

Wednesday, May 02, 2007

Airline employees and correctional officer arrested for credit card fraud

A lot of payment (credit/debit) card fraud is caused by dishonest employees, who skim the information from cards; or might even simply forget to return them to you. And when they "forget" to return them, it might be intentional!

The New York City District Attorney's Office announced:

Manhattan District Attorney Robert M. Morgenthau announced today the arrest of four JetBlue employees and a New York City Department of Corrections Officer for the unauthorized use of credit cards from Jet Blue customers.

Press release, here.

Pretty scary, that Jet Blue (airline) personnel and a correctional officer, who should be people that can be trusted, seem to have given a black eye to their professions.

I saw this story the day after I had to go back to a Del Taco, who failed to return my card to me. After going to considerable trouble to get my card back (which I should probably cancel), I was amazed that no one apologized to me for what had occurred.

They even charged me for the ice tea, I ordered when returning to get the card.

On a more serious note, businesses should always make sure lost payment devices and identification are properly secured. They should only be maintained for a short period of time, then destroyed to prevent someone compromising (using) them.

Many people would be shocked at how often these lost and found items are maintained (sometimes for years) in not very secure places, such as an unlocked drawer.

At least, the Del Taco manager did make me show ID to get my card back, but she didn't do very much to make me rave about their customer service. A kind, or sympathetic word can do a lot of smooth out an unfortunate situation, like this one!

So far as restaurant employees involved in credit card fraud, a lot has been written about this, recently.

Here is my version of what a lot of people have been writing about:

Why it's become TOO easy for restaurant workers to skim payment cards

Please note, it's probably not fair to single out restaurant workers, this can occur at any business that accepts plastic, or even checks.

Washington Post exposes another reason why Katrina victims are still suffering

The hurricane disasters, and their commentary on social issues, continue to amaze me. To me, the rest of the world can learn a lot by studying the ongoing problems related to the disaster.

The amount of money wasted, or lost to fraud (over a billion and growing) is a sad commentary, when a lot of the victims are still living in the now (infamous) FEMA trailers.

Now a new allegation is being brought forth, which is that $854 million in aid promised by our allies, wasn't even accepted. I find this pretty interesting as people are suffering nearly two years, afterwards?

Even more shameful was that expert search and rescue personnel, were turned down, immediately after the hurricane, when they probably would have been extremely helpful:

And while television sets worldwide showed images of New Orleans residents begging to be rescued from rooftops as floodwaters rose, U.S. officials turned down countless offers of allied troops and search-and-rescue teams. The most common responses: "sent letter of thanks" and "will keep offer on hand," the new documents show.

This fact, given the problems in the initial response, amazes me.

Original Washington Post article, here.

I wonder how our allies, many of who have accepted similar aid from us in the past, felt when we turned their generous offers down?

More recently, the Post is reporting that Congress intends to look into this. The article regarding this can be read, here.

I'm not sure when the story on Katrina will be over. The bottom line is that there are still a lot of hurricane victims, who could use a helping hand. A good place to learn more about this is Margaret Saizan's site (Beyond Katrina), which can be seen, here.

Tuesday, May 01, 2007

Phishermen use call-forwarding scam to avoid detection when bank notes suspicious activity

Most of get a lot of phishy e-mails requesting personal and financial information from criminals pretending to be a trusted brand. Now they are adding a devious twist designed to beat fraud detection software, which is used by a lot of companies as a means to detect fraudulent transactions, early on.

Herb Weisbaum of KOMOTV.com (Seattle) reports:

The mass e-mail I saw claimed to be from Bank of America -- big banks are a prime target for these scams because they have so many customers.

The e-mail says, "During our regular update and verification we could not verify your current phone number. Either your information has been changed or it is incomplete.

"The message tells you to confirm your phone number right away “or your account will be suspended indefinitely.”

Not only are you supposed to give them you phone number, you're instructed to forward your calls to the Bank of America Security Department, and they give you that number.
Herb's full story, here.

When the institution notes suspicious activity and calls, the now forwarded call goes to the scammer, who assures them "all is well."

Call-forwarding being used to defraud people isn't exactly new, but this is a new twist. In the past, scammers have called the telephone company and told them that a business line was having problems, then instructed them to forward the call to another number (theirs). This is normally done to businesses, who accept payment information over the telephone.

Of course, the goods, or services are never received and the information is later used for criminal purposes, or to steal money.

This practice is enabled by telephone companies not verifying (authenticating) information when a call forwarding request is placed. Most telephone companies allow the owner of a line to protect it with a password, however unless the owner does so, they are open to this sort of attack.

It's probably a good idea (especially for businesses) to have a password placed on their account!

Consumer Affairs wrote about another variation of the call-forwarding scam -- which is designed to charge the victim for long distance calls (possibly used by fraudsters, or even inmates to commit crimes) -- where the victim is tricked into call-forwarding their number.

Note that the command for call forwarding at most telephone companies is "72#" or "*72," then the telephone number. The inmate or fraudster will normally pose as a telephone tech, who tells you there is a problem with the line. Call-forwarding can be disabled by entering "72#" or "*72."

Please note, at some businesses, the command is "90#".

This scam is frequently used by prisoners in correctional institutions to make free calls and targets both personal and business lines. Another good reason for businesses to password protect their telephone account and consider disabling call forwarding. Most telephone companies charge extra for this service, anyway.

Consumer Affairs story, here.