Tuesday, June 05, 2007

Spear phishermen target executives to steal company information

Shamus McGillicuddy of CIO News highlights an interesting fact: you never know who is going to fall for a phishing scam.

Phishermen normally send out a lot of bait (spam) in the hope of hooking a few phish.

Shamus writes:

Over the last week and a half, spam messages purported to be from the Internal Revenue Service and the Better Business Bureau have been specifically targeting senior-level corporate executives with phishing scams.

Experts say these targeted phishing attacks, sometimes called "spear phishing," are nothing new, but they illustrate that spammers are getting more adept at targeting sophisticated email users who have access to the most sensitive data within their companies.
Spear phishing is simply a more focused form of phishing, one that adds personal touches such as the target's real name and/or job title.

With all the information plastered over the Internet, or available for sale, it isn't hard for phishermen to get what they need (personal information) to go spear phishing.
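The IRS and BBB messages described above work because the personal touches (the executive's real name and title) make the mail look legitimate, so a filter that looks for "odd" wording will miss them. What does not match is the sender: a message that claims to be from a brand but is not sent from that brand's domain. Below is an added example of that check, written for this article and not code from the CIO News story or from any vendor. It assumes irs.gov and bbb.org are the only legitimate sender domains for those brands, and both sample messages are constructed.

```python
"""Flag mail whose display name or subject claims a brand (IRS, BBB) while the
From domain is not that brand's own. Added example; sample messages are
constructed, and the legitimate-domain table is an assumption for the demo."""
import email
import re
from email import policy
from email.utils import parseaddr

# Brands the article describes being impersonated, mapped to the domains this
# example treats as legitimate senders (assumption; tune for your environment).
IMPERSONATED_BRANDS = {
    "irs": {"names": ("internal revenue service", "irs"), "domains": {"irs.gov"}},
    "bbb": {"names": ("better business bureau", "bbb"), "domains": {"bbb.org"}},
}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    addr = addr.lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def is_legit_domain(domain, legit):
    """True if domain is one of the legitimate domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def mentioned_brands(text):
    """Return the set of brand keys whose names appear as whole words in text."""
    text = text.lower()
    hits = set()
    for key, brand in IMPERSONATED_BRANDS.items():
        for name in brand["names"]:
            if re.search(r"\b" + re.escape(name) + r"\b", text):
                hits.add(key)
    return hits


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Brand claimed in the display name or subject, but From domain is not the brand's.
    for key in sorted(mentioned_brands(display + " " + subject)):
        if not is_legit_domain(from_domain, IMPERSONATED_BRANDS[key]["domains"]):
            findings.append(
                f"claims {key.upper()} but From domain is {from_domain or '(none)'}"
            )

    # 2. Replies are steered to a different domain than the one the mail claims to come from.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}"
        )
    return findings


# Constructed sample: personalised "IRS" lure aimed at a named CFO.
SPEAR_PHISH = """\
From: "Internal Revenue Service" <refunds@irs-tax-refund.example>
Reply-To: claims@mail.example.net
To: "Jane Doe, Chief Financial Officer" <jane.doe@corp.example>
Subject: IRS notice for Jane Doe, CFO: action required

Dear Jane Doe, Chief Financial Officer,
Please open the attached form to release your refund.
"""

# Constructed sample: a genuine-looking BBB notice sent from a bbb.org subdomain.
LEGIT = """\
From: "Better Business Bureau" <notices@mail.bbb.org>
To: jane.doe@corp.example
Subject: BBB accreditation renewal

Your accreditation renewal is due.
"""

if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("legit", LEGIT)):
        print(label, "->", check_message(raw) or "no findings")
```

The point of the design is that it ignores the personalised body entirely and keys on the one thing the attacker has to fake: the sending domain. Treat this as a triage heuristic, not a verdict; where you control the gateway, SPF and DKIM results on the same From domain are the stronger signal, and the display-name match simply tells you which brand is being borrowed.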

Many private companies and government organizations recognize the danger phishing poses in the workplace. To counter it, and to raise awareness, they are phishing their own employees.

Recently, I did a post about this, which revealed that more employees fall for it than many would like to admit:

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

There seems to be more and more phishing out there, which might be inspired by the DIY (do it yourself) kits being sold over the Internet. DIY kits make it easy for unsophisticated criminals to become expert phishermen.

The only good news about phishing is that, with a little awareness, most people can spot it, because the phishing ploy doesn't make much sense or is too good to be true.

CIO News story, here.

BBB Alert, here.

IRS Alert, here.

Merchants demand their rights from the payment (credit/debit) card industry!

Not very long ago, credit and debit (payment) card fraud was considered a cost of doing business. With carder forums and data breaches, the cost of payment card fraud has reached billions of dollars, and merchants, especially smaller ones, are being hit hard.

There seems to be a battle looming on the horizon over who is going to pay for all the fraud. Recently, in light of the TJX breach, legislation was introduced to charge more of the costs off to merchants.

Merchants have always been charged for a lot of fraud in the form of chargebacks. When I saw the proposed legislation, my first thought was how harshly it would hit smaller merchants.

Additionally, merchants aren't only becoming more alarmed by fraud, but also by a perception that current fee structures are unfair and deceptive. Interestingly enough, a lot of consumers feel the same way.

Today, I read an interesting press release about a movement to adopt a "Merchants Bill of Rights."

Recently, supporters of this bill did a survey of merchants, in which they discovered:

  • Only 26 percent of participants believe they are being treated fairly by the debit/ credit/prepaid card processing industry.

  • Only 32 percent understand unfair card processing practices and how they impact their business.

  • Only 21 percent understand the rates, fees and surcharges they pay.

  • Only 15 percent believe they are charged the same as larger businesses.

The survey was sponsored by Heartland Payment Systems, which processes payment card transactions and payroll.

Heartland's CEO and Chairman, Bob Carr, stated:

It’s clear that many owners of small and mid-sized businesses don’t understand the complexities of card acceptance. Yet, card acceptance is often one of the three largest expenses they incur. Business owners need to educate themselves so they can manage these costs. What they don’t know may be hurting their bottom line.


According to the press release, the bill of rights promotes fairness and transparency in card processing by identifying 10 fundamental rights:

  • The right to know the fee for every card transaction – and who's charging it.

  • The right to know the markup of Visa and MasterCard fee increases.

  • The right to know all Visa and MasterCard fee reductions.

  • The right to know all transaction middlemen.

  • The right to know all surcharges and bill-backs.

  • The right to a dedicated local service representative.

  • The right to encrypted card numbers and secure transactions.

  • The right to real-time fraud and transaction monitoring.

  • The right to reasonable equipment costs.

  • The right to live customer support 24/7/365.

The effort has a home page, which can be viewed here.

The page also has a video that lets merchants check whether their rights are being violated, here.

The Association of Certified Fraud Examiners recognizes that small businesses suffer greater losses than larger ones do. I did a post on this subject, with some tips on how to avoid becoming a victim, here.


In January, I did a post about how both consumers and merchants are calling for some reforms:


Congress needs to take a hard look at credit practices


In this post, I mentioned the Merchants Payment Coalition, which is calling for greater oversight of some of this. Their page on unfair credit card fees can be viewed here.


Even if you aren't a merchant, the truth is that these costs have to be passed off somewhere; otherwise merchants would go out of business. Who do you think ultimately pays for all this?

Monday, June 04, 2007

Is LifeLock an identity theft protection service people can trust?

Ray Stern, of the Phoenix New Times, published a scary story about an identity theft protection service called "LifeLock."

The article suggested that LifeLock was founded on stories that are questionable, and run by a Robert Maynard Jr., who seems to have a few skeletons hiding in his closet.

Not all identity theft services are 100 percent effective, or worth the money they charge (my opinion). Many require their customers to surrender exactly the personal information a criminal would want, which is then stored in a database.

Databases are targeted by common thieves, hackers, and even dishonest insiders for the personal and financial information they hold. Even if the information is protected, all it takes is one person with access, or one person who is tricked into giving up their access, to compromise it.

Besides being stolen, information from databases is bought and sold frequently. It's a billion dollar business in itself.

Another problem is that even the best computer security can be compromised and has to be updated frequently. Even encryption is only as strong as the keys and the people who can use them; someone with enough time, access and knowledge can still get at the data.

Many of these services require that their customers provide them with a power of attorney. Couple a person’s complete personal and financial information with a power of attorney – and a lot of subsequent damage can occur.

A lot of people are trying to make money off the current identity theft phenomenon. When choosing any service the term, "caveat emptor," or "buyer beware," certainly applies.

Robert Maynard Jr. is a person making a lot of money from the identity theft phenomenon, but should people trust his service? Before coming up with LifeLock, he was banned from ever working in the credit-repair industry. Here is what the Phoenix New Times article said about this:

His credit-repair company was shut down by authorities in the early 1990s for false advertising and deceptive practices. Forced closure means that a federal court order has banned Maynard from working in the credit-repair industry — forever.

The FTC judgment against Maynard and his business partners can be read here.

Maynard is fond of telling a story in which he was the victim of identity theft. He claims this experience gave him the inspiration to start LifeLock. BUT the story of how someone else used his identity to take out a $16,000 marker at a casino isn't very credible.

The New Times interviewed Bernie Zadrowski of the Clark County District Attorney’s Office about this story.

Here is what they quoted Mr. Zadrowski as saying, which is a lot different from the story Robert Maynard Jr. uses to sell his identity theft service:

"Not once did anybody ever suggest, in this particular case, that this was a case of stolen identity," he says.

Maynard never filed a police report for identity theft, or it would be part of the D.A.'s office file, Zadrowski says.

"The only call we received while he was in jail was from his girlfriend. She wanted to know how to get him out of jail," he says.

Zadrowski pulled the Arizona driver's license submitted to the casino by the person who took out the loan and e-mailed a copy to New Times.

Although the resolution quality is poor, the man in the picture looks like Maynard.

Zadrowski says the man pictured is Maynard.

There is also the matter of an American Express card taken out in the name of Robert Maynard's father (Robert Maynard Sr.), but sent to a previous business address of Robert Jr. himself.

Here is what the New Times article has to say about this matter:

Records show that someone with Maynard Sr.'s personal information ordered the card. But that someone didn't have the bills sent to Maynard Sr.'s home. Instead, the bills went to a company called Netshield, at a Phoenix address used by one of Maynard Jr.'s former firms.

Though Maynard Sr. says he never asked for the card, he settled with the company. Coincidentally, Maynard Jr. has $170,000 in debt to American Express listed on his 2005 bankruptcy paperwork — and his father is named as a co-debtor.

If Maynard Jr. ordered the card using his dad's data, without his dad's knowledge, that would make him — you got it — an identity thief.

Apparently, Maynard has been able to sell his victim story numerous times to the mainstream media and pays bloggers to write about him.

During one attempt by the New Times to interview him, Maynard backed out at the last minute, claiming he had to meet with shock jock Howard Stern to discuss advertising. Maynard does take out advertising on Stern's show, among others, but Ray Stern (New Times) noted that his office appeared to have been vacated minutes earlier.

To date, there have been no complaints of wrongdoing at LifeLock, but reading the New Times article would make someone like me think "long and hard" before handing over my money and information to them.

There are a lot of identity theft services out there. Most of them, including LifeLock, offer services that most of us could do by ourselves, if we had the knowledge.

Simply stated, the reason identity theft gets worse all the time is that too much information is being bought and sold, then maintained in too many different (and some not very secure) places. The more places your information is stored, the more likely you are to become a victim.

New Times article, here.

Saturday, June 02, 2007

The new red menace, global commerce from China


You would think that we would have learned by now that products from China can be DANGEROUS for a variety of reasons.

Most recently -- our pets were poisoned and millions of dollars of products were pulled off shelves -- after it was discovered that pet food imported from China contained poisonous substances.

Washington Post article on this, here.

The FDA is NOW warning that toothpaste imported from China contains diethylene glycol (DEG), a chemical used in antifreeze.

I guess poisoning our pets wasn't enough?

From the FDA alert:

FDA has identified the following brands of toothpaste from China that contain DEG and are included in the import alert: Cooldent Fluoride; Cooldent Spearmint; Cooldent ICE; Dr. Cool, Everfresh Toothpaste; Superdent Toothpaste; Clean Rite Toothpaste; Oralmax Extreme; Oral Bright Fresh Spearmint Flavor; Bright Max Peppermint Flavor; ShiR Fresh Mint Fluoride Paste; DentaPro; DentaKleen; and DentaKleen Junior. Manufacturers of these products are: Goldcredit International Enterprises Limited; Goldcredit International Trading Company Limited; and Suzhou City Jinmao Daily Chemicals Company Limited. The products typically are sold at low-cost, “bargain” retail outlets.


If you have used any of these products, the FDA asks that you report problems in this manner:

Consumers can report adverse reactions or quality problems experienced with the use of these products to FDA's MedWatch Adverse Event Reporting program: www.fda.gov/medwatch/report.htm

(800) 332-1088

FDA news release concerning this, here.

My question is, given all this, maybe we should ban all commerce from China? The cheap prices aren't worth it. Perhaps a little consumer mistrust, along with government sanctions, might rectify this situation?

Other problems caused by free trade with China are counterfeit goods (including medicine), rogue websites (Internet fraud) and their army of hackers stealing everything from money to industrial and military secrets.

If you would like to read about other issues I've written about which are caused by "free commerce" with China, link here.

Do the record profits in the oil industry make sense?

Gas prices have gone over $3.00 a gallon for most of us, and they seem to rise whenever there is an anticipated emergency, whether it actually happens or not. I've long been an advocate of the "does it make sense" theory, and prices being raised for emergencies that never actually happened DOES NOT make sense, at least to me.

Meanwhile, billions of our dollars and human resources (young men and women) are being used to protect the area, where a lot of our oil comes from.

I've never figured out why our tax dollars are being used (seemingly without charge) to protect a few people, who have a lot of money to throw around. All we seem to get in return is higher prices, and dangerous people, we need to protect ourselves from.

Most of the terrorists in the 9-11 attacks were not from Afghanistan, which has little oil. In fact, most of them, including the mastermind still at large, come from one of the countries we are using our resources to protect.

It costs us a lot of money, and our brave young men and women to provide them protection. To me, it would make sense that those, who are enjoying our protection, showed their appreciation a little more.

But all our oil doesn’t necessarily come from these foreign lands we are paying to protect. Is there a common denominator to all this? The oil companies are sharing in the RECORD profit taking, also. These companies are largely owned by Americans, and other Westerners.

If the oil industry is so exposed to danger, it doesn't make sense that it is making more money than at any time in history. Based on their record profits, the danger doesn't seem to be hitting their bottom lines.

It does seem to be hitting the bottom lines of everyday American households, as well as other industries, which will have to pass the costs off to everyone in the form of higher prices.

Recently, Walmart announced their sales are going down because people don't have as much disposable income to spend. A lot of everyday Americans shop at Walmart. I'm using Walmart as an example, but they aren't the only large business beginning to see this trend.

Wikipedia mentions this in their analysis of oil price increases in the past few years, here.

Personally, I'm an advocate of getting rid of the industry by exploring alternative energy sources, but until we get there, perhaps the little guy should get a fair deal?

The People's E-Mail Network is sponsoring a drive to let our legislators and newspapers know that it's time to conduct an unbiased investigation to determine if there is any foul play connected with the current pricing structure, which is making a few people very rich.

John Edwards, a presidential candidate, has also called for an investigation of the industry. AP story, courtesy of Yahoo News, here.

It would be nice to see him get some support on this, preferably of the bipartisan type. Maybe it's time to make sense of a phenomenon that DOES NOT make sense to a lot of us?

The way to do that is to investigate the problem, or discover the truth. If there is no fraud, then the oil industry should have nothing to fear.

You can let your elected representatives and local press know how you feel about this, here.

Criminals scam military families using the Red Cross name


Identity thieves have no honor. They don't care if they steal from our grandparents, or the families of those, who protect all of us by putting themselves in harm's way.

Here is a particularly ghoulish scheme reported on the Red Cross site:

The American Red Cross has learned about a new identity theft scam targeting military families:

The caller (young-sounding, American accent) calls a military spouse and identifies herself as a representative from the Red Cross. The caller states that the spouse's husband (not identified by name) was hurt while on duty in Iraq and was medevacuated to a hospital in Germany. The caller stated they couldn't start treatment until paperwork was accomplished, and that in order to start the paperwork they needed the spouse to verify her husband's social security number and date of birth. In this case, the spouse was quick to catch on and she did not provide any information to the caller.

Just to set the record straight - the Red Cross doesn't notify family members when this happens!


I'm not sure where the identity theft ghouls are getting their lists to target military spouses. The Red Cross stated in their press release that the family member isn't identified by name, but this might have changed by now. Recently, I read a story from the New York Times, where a well known data broker (InfoUSA) was selling marketing lists of senior citizens known to gamble on the Internet to lottery scammers.

I’m guessing that data brokers sell telephone lists to market goods and services to the military, also.

Not only are these blood suckers stealing information to enrich themselves, they are also putting military family members through a lot of personal grief, unnecessarily! Imagine what a call like this does to the family member, who receives it!

Red Cross press release, here.

Red Cross main page, here.

These are people that do a lot of good for other people, when they need it!

It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!


Skimming credit and debit cards has become too easy thanks to the irresponsible sale of technology. All the devices necessary to commit what many consider a "high tech crime" are being sold on the Internet, even on auction sites such as eBay.

Yesterday, I read about the arrest of one of these Internet vendors by the Calgary Police, after they were tipped off by the United States Secret Service (USSS).

Here is what the press release from the Calgary Police Service said:

In January 2006, investigators with the U.S. Secret Service specializing in payment card fraud and Internet crime, identified a person using the Internet name of "Dron," who was advertising skimming equipment for sale over the Internet.

A possible Calgary connection was identified and investigators assigned to the Calgary Police Service Commercial Crime Unit were involved in the investigation.

A joint, cross-border investigation was initiated. A Calgary resident was identified as the alleged manufacturer and exporter of devices which could be used for skimming data from debit and credit cards. With the assistance of other CPS units, the Calgary case has been successfully concluded.

There isn't a lot of information on how Dron was advertising his wares on the Internet, but the sad truth is he probably isn't the only vendor selling these devices.

I checked eBay (this morning) and devices that could be used to skim payment card details are being hawked (as usual) on the auction site.

In March, I wrote about a new variation (mutation) of skimming, where PIN pads were replaced at an Edmonton Wendy's. The fake PIN pads are capable of transmitting card data and PINs (using wireless technology) to fraudsters, who are probably sitting in a car in the parking lot.

I suspect the current fake PIN pads are being used to get around PCI (payment card industry) data protection standards. The card data and PIN are captured at the pad and sent to the fraudster before they ever reach the merchant's point of sale system, so controls that protect data once it is stored or transmitted by the merchant never see it.

PCI data protection standards have become a major concern lately, but it appears the criminals are already working on countermeasures that will get past them. Besides PIN pads, portable devices, used by dishonest insiders are a big problem right now, also.

Interestingly enough, even with all the media attention about PCI compliance, a large number of merchants have failed to implement it. A case in point is the recent TJX data breach, where at least 45 million records were compromised over a period of several years.

In the Wendy's post, I identified a website called hackershomepage.com, which sells a lot of devices that can be used to commit financial crimes, including skimming. I just checked (and sadly) they are still up and open-for-business.

Of course, they publish a disclaimer on their page:

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.

This obviously is enough to keep them in business.

The PIN pad skimming variation has now been identified in both the Eastern and Western United States, as well as Canada.

Maybe if there were stricter controls on the sale of the devices that enable skimming, the problem wouldn't be so bad?

Meanwhile, expensive security technology (compliance) is being made mandatory. If history repeats itself, any technology that is designed (and is expensive in itself) will have a limited life span. I'm all for technological solutions, but if we don't back them up with consequences, they tend to have limited effectiveness.

There need to be more social solutions (laws) to bolster some of this expensive anti-fraud technology.

With millions of victims and billions of dollars being lost, I wonder why we allow this activity to be marketed over the Internet?

We are making hard working people, like USSS agents and the Calgary Police, work very hard to fight a growing problem that is victimizing a lot of PEOPLE and businesses!

Calgary Police press release, here.