Thursday, May 29, 2008

TJX shoots the messenger reporting potential identity theft issues!


(Picture courtesy of b d solis at Flickr)

One would assume after compromising an estimated 94 million people's information, a company would become a model of information security for the rest of us to aspire to. Sadly, if the following story is true, this is NOT the case at TJX.

Ran into this disturbing example of a messenger getting shot for trying to report sloppy security on Sans Newsbites:

TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx store for making posts to a forum about the company's lax security practices, even after the notable breach. The employee, Nick Benson, said in several posts that except for a period of time following the breach disclosure when a strong password policy was enforced, the employee password at his store's server was set to blank. In addition, at one point a store server was running in administrator mode. When Benson began work at TJX, his password was the same as his user name. TJX says Benson was fired for disclosing confidential company information. -http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html-http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111

Reading a little further by linking to the article written by Dan Goodin in the Register, I discovered that the act of posting in forums came about AFTER the employee tried to resolve the problem, internally:

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

After posting on the forum (http://sla.ckers.org/forum/read.php?13,15148,page=1), the boss of one of the people Benson reported the matter to summoned him into the office and terminated him.

I suppose we could all argue that posting this information in a public forum is dangerous. Saying that, Benson did try to report the matter through his internal chain of command and nothing was done?

Maybe it is because the people, he reported it to aren't IT savvy enough to realize how vulnerable TJX's systems are when they are left unprotected like this?

Even if a hacker didn't compromise the system, it is feasible that a dishonest employee could gather quite of bit of information and sell it? Carder forums -- where personal and financial details are bartered over cyberspace -- are well known and not very hard to find.

Please note, I wrote IF a hacker didn't compromise the system. I'm just pointing out stealing information wouldn't take a very sophisticated hacking job given the opportunities described in this instance.

They might even post (anonymously), how easily they got the information in hacker forums. Sadly if Mr. Benson had been more anonymous, he would probably still be employed. I guess it doesn't pay to be honest in cases like these?

My post just before this was about another revelation (pun intended) that not all data breaches are being reported. I tied this post into two stories. One was about the lack of reporting, and other one was recent reports about Finjan finding crimeservers via simple searches that contain a lot of information that could be used to commit a host of financial crimes.

Interestingly enough, the crimeservers (available to anyone on the Internet) weren't "password protected," either.

So far as Mr. Benson is concerned, I wonder if TJX was required to maintain a confidential hot-line and if he ever reported the matter there? Although, I'm not a lawyer, I also have to wonder if federal laws protecting "whistleblowers" apply here. More information on whistleblower laws can be seen on whistleblower.com.

It's a crying shame that the powers that be at TJX didn't value the fact that an employee was trying to show them where they might receive a lot more unfavorable public exposure by compromising their customer information.

I'll close with a supportive comment from the editor at SANS:

[Editor's Note (Schultz): Once again TJX is proving itself to be a villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls store, but I always pay cash--I would never use a credit card because of TJX's huge security deficiencies. And if Nick Benson reads this comment, I would encourage him to contact me, because I will do everything in my power to help him find another job. ]

PS: I would like to add that I'm pretty sure there are companies out there that would value an employee, who brought matters like these to their attention. They might save them millions of dollars in the end when you consider the cost of recovering from a data breach.

As a disclaimer, TJX's side of the story is unknown, but according to the Register article when they were asked they would not comment on the matter.

Wednesday, May 28, 2008

We are a long way to full disclosure in data breaches - even if we wanted to be!

I saw an article on PCWorld, written by Robert McMillan (IDG News), that according to the research firm Gartner -- not all data breaches are being reported by retailers.

I thought to myself ... here we go again ... burying our heads in the sand that all personal and financial information is hacked from retailers. Of course, that isn't to say that none of the stolen information is coming from retailers, either.

The conclusion was based on 50 retailers being interviewed and 21 of them saying they had been breached. Of these 21, allegedly only 3 had reported a data breach.

This led me to wonder if any of these retailers do business in an area, where disclosing data breaches is a matter of law?

My humble guess is that in the litigation happy society we live in today, no one is going to report anything unless they have to. As long as no one is certain (or they can get away with saying that) the information is probably buried, or someone comes up with a rationalization that it really didn't happen.

Going a little further, there has to be a lot of information being stolen that no one is even aware has been compromised. The fact that no one is aware it was compromised makes it easier to be used by the criminal element, effectively.

The sad truth is even if you could make computer systems bulletproof, human beings will continue to compromise information, either via social engineering techniques or to obtain financial compensation. We've made some of this information worth a lot of money.

Of course, information thieves often combine technology and social engineering, also. In the mysterious world of information crime, one shoe rarely fits all.

Right after reading the PCWorld article, I happened upon more research from Finjan, which might provide evidence that there must be a lot of computer systems out there that are NOT very "bulletproof."

As stated on Finjan's MCRC blog:

In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Many people asked us how we found the data. Was the data secure or not?

Although we cannot disclose all information to the public (for obvious reasons), I can say that the data on that Crimeserver was unprotected, meaning anyone could access it.

Today we came across another Crimeserver - it seems that we are finding one every other day...
Additionally, Finjan reported:

As we disclosed in our Q3/2006 Trend report, malicious code is hosted on caching servers of leading Search Engine Providers. This time we reported in our recent MPOM that stolen end-user data is also stored on these caching servers. Yes, your passwords, Social Security numbers, Online banking information …. no data is safe, as the examples below illustrate.

Even more alarming, it didn't take a lot of know-how to access all this information. The people at Finjan were able to do it, using simple Google searches.

I highly recommend taking a look at the entire blog post from Finjan (link provided at the bottom of this page) -- there are some alarming visual presentations indicating how much information is out there.

I'll include one, which shows a compromised (actual info blocked out) SSN:



The blog post also has visual presentations (screenshots) of user names and passwords to internal company sites, porn sites and online banking sites.

Now let me see ... if stolen information is being hosted on unprotected (anyone can access) crimeservers ... and it is being indexed (cached) by search engines ... it's probably safe to assume we don't have any real idea how much stolen information there is out there.

Also, please note it's safe to say not all this information came from retailers.

Last, but not least, I've seen commentary that we should blame Google for all this. First of all, I doubt that Google is the only place this information can be found. Another thing to contemplate is that thinking like this is as narrowly focused as thinking that retailers are to blame for most of the stolen information out there.

Unless we stop blaming each other -- we are going to be a long way from achieving transparency in data breaches. Exposing problems often is the first step in correcting them.

Until we embrace transparency, the people to blame (criminals) are going to be laughing all the to the bank.

Finjan post from their MCRC blog, here.

Sunday, May 25, 2008

13 year old buying Hookers with Dad's credit card is a marketing scam!

About two weeks ago, I heard a story about a 13 year old stealing his Dad's credit card to buy XBoxes and Hookers on a morning radio show. After seeing the story surface on several mainstream media outlets, I even wrote the Police Chief of the town (Newark, Texas) where it allegedly happened because it sounded a little too bizarre to be true.

Maybe it was the part of the story, where the escorts were conned into believing the boys were suffering from a disability (restricted growth) and State law dictated they couldn't be discriminated against? Perhaps it was because the escorts were not arrested because the boys were more interested in playing computer games??

The Police Chief never replied and I gave up on the story. Now, just as I thought in the beginning, the entire thing was nothing more than a hoax. Of course, the hoax had a purpose, which was to build backlinks to hawk credit cards by a company called money.co.uk.

It's ironic that a company selling financial products would use fraud as a marketing tool (my opinion).

JD Rucker wrote about this on NowPublic:

What a virtual world we travel through sometimes. A (relatively) innocent marketing ploy designed to draw in backlinks for a financial services comparison website in London has stirred up media attention ranging from the front page of Digg to coverage on Fox News.

When money.co.uk posted a story titled 13 Year Old Steals Dad's Credit Card to Buy Hookers, the idea was that it could be read as a humorous parody piece that could get attention from social media sites, yield quality backlinks, and draw in hundreds of thousands of visitors. The backlinks would help the site achieve higher rankings on search engines, especially for the target keyword phrases that would include the words "Credit Card".
JD Rucker summed up his article with a rationalization on why this occurred:

With the heavy emphasis that search engines place on inbound links, many websites are desperate for any form of viral link-building. It may not be "ethical" through some perspectives, but it is arguably justifiable in the competitive Internet marketplace.

Until the search engines come up with a better ranking system, we can expect sensationalized parodies to continue to pop up.

I'm probably going to be a little less kind when I say this appears to have been a marketing scam designed to sell credit cards.

I wonder what Bill O'Reilly will have to say? Fox picked up the story and "story about this in Wired News.

Bill is often fond of accusing the blogosphere of spreading not very well founded rumors. I guess one shoe doesn't fit all and it's never wise for people who live in glass houses to throw stones?

Now that is what I consider a rather "piffy" comment.

Sorry Bill, I do watch your show from time to time, but being a blogger, who "sometimes" tries to be thoughtful about what I write -- I couldn't resist making a point! I also agree with Jeanine that if this story were true, the hookers should have been arrested.

Now saying that, I do agree with you that an awful lot of "spinned yarns" and "malicious garbage" is plastered across the electronic universe. In fact, last time I checked, the more "malicious garbage is a current theme of this blog.

Full story on NowPublic, here.

Original Digg submission, which was "dug" 2507 times, here.

Lifelock's identity theft protection saga racks up 339 articles in Google!

Todd Davis, Lifelock's flamboyant CEO, who flashes his social security in public to sell identity theft protection made Yahoo's top five stories of the week. When I checked Google News, there were no less than 339 articles covering the woes of Lifelock and it's CEO.

Lifelock has been mired in controversy since it was revealed in the New Phoenix Times that one of his co-founders (Robert Maynard) wasn't being truthful about being an identity theft victim and was suspected of being a identity thief, himself.

I covered this part of the Lifelock saga in a post called, "Is LifeLock an identity theft protection service people can trust?"

Maynard stepped down from his position as co-founder, but continued to maintain a 10 percent interest in the company.

A short while thereafter, it was revealed that Todd Davis was himself a victim of identity theft. Instead of letting the authorities do their job, Davis took it upon himself to send out a PI (and film crew) to get a pre-written confession from the scoundrel. The end result was that the authorities dropped the case.

Meanwhile, Lifelock seemed to flourish and obtained a lot of investment capital to drive their aggressive marketing campaign. Everyone from Radio icons to bloggers have been paid to endorse their services.

The bad publicity even led to speculation that an organized hit job was being undertaken against Lifelock.

So far as the organized hit job theory, it does have some merit. The reason for this is that Lifelock's service isn't much different than what a lot of other companies are offering. Additionally, the repetitive fraud alerts make it more expensive to issue credit, and there is a cost incurred by the credit bureaus for providing them.

Then there is the competitive edge, identity theft protection services are being hawked by a lot of different companies. They range from unknown start-ups to financial institutions and the credit bureaus, themselves. In not very good economic times, the industry is showing double-digit growth.

The Motley Fool gave a good explanation of the reason for this in their article (one of the recent 339 or so) about Lifelock:

There's clearly profit to be had in the privacy protection market -- much-needed profit for credit reporting-related services. The 2003 passage of the Fair and Accurate Credit Transactions Act (FACT Act) handicapped one of their revenue streams by mandating free credit reports for all. (Get yours at annualcreditreport.com.)

To help make up for the financial shortfall, the credit reporting companies created a new revenue stream: credit watch products. Seeing profit in consumer fear, other companies soon created their own credit watch muscle for hire.

Please note, the article in the Motley Fool gives some pretty sound advice about how to protect yourself for free from identity theft, also.

Then came the legal actions, first Experian filed a law suit and then came a series of class actions alleging the Lifelock is guilty of misleading advertising, doesn't warn it's customers that it only provides limited protection and doesn't warn them that repetitive fraud alerts might damage their credit rating.

I suspect the current flurry of stories were partially the result of information released from the law offices in the class action suits that Todd Davis has been the victim of identity theft numerous times.

It's now been revealed that Davis' identity has been compromised 87 times in the past two years. 20 of these attempts involved drivers licenses. Davis has responded by stating that this proves Lifelock protects it's consumers from identity theft since the only known successful attempt was with the PayDay loan in Texas.

While this might be partially true, there is a flaw in this thinking. The flaw is that partial information isn't always picked up by credit bureaus and credit bureaus don't detect all forms of identity theft.

A new buzz word in identity theft circles is "synthetic identity theft." Here is a description of it from a previous post:

This is where different parts of other people's identities are used to forge a synthetic one. Quite often, because a lot of the information doesn't match, the credit bureaus don't pick it up. Most frequently, this is discovered at tax time, when someone gets a bill for taxes that an identity thief never paid to the government.

So far as identity theft that isn't picked up on a credit bureau, here is what I wrote about that in the same post:

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

Because of these reasons, I'm not certain if Mr. Davis can be sure that all 87 attempts were entirely unsuccessful?

Another marketing claim that many feel is misleading is Lifelock's $1 million dollar guarantee. If you read the fine print, they only guarantee they will hire people to look into it should you become a statistic while using their service. They also stipulate that they will choose who does this for you.

Trust me, it's highly unlikely anyone will collect much of anything if they become an identity theft statistic while paying for Lifelock. In most instances, after the work is done, the financial institutions end up responsible for the loss.

Of course, when this happens the cost is passed on to all of us. No business would be able to remain solvent, otherwise.

The sad truth is that there really is no guarantee that you will never become an identity theft victim and it's probably better to exercise common sense and perform your own due diligence.

Since I seem to be quoting myself a lot in this post, here is something I wrote about this:

Most of the experts (not selling services) agree most people can fix their identity for free, and in the long run, they might do a better job of it, themselves.

If someone were to do this, a good place would be the FTC's Identity Theft page. Other decent free resources are the Identity Theft Resource Center and the Privacy Rights Clearinghouse.

Last, but not least, the good folks at Attrition.org did a highly amusing parody of identity theft protection services after they got sick and tired of them using their free material:

Going forward, we would like to announce that we have a new partnership with Identity-Love-Sock, a trusted provider of identity theft prevention services. Not only can Identity-Love-Sock protect YOU from IDENTITY THEFT, it also provides several guarantees for your PROTECTION should YOU be affected by IDENTITY THEFT. With the services provided by Identity-Love-Sock , YOU will NEVER have to WORRY about your IDENTITY being STOLEN, MISUSED, or otherwise COMPROMISED. For more details on how YOU can be COVERED and PROTECTED, please visit Identity-Love-Sock . You'll be glad you did.

Along with covering various matters related to computer security and privacy, Attrition is recognized for maintaining a pretty telling database on where a lot of identity theft starts, or data breaches.

Oregon case reveals the tie between software piracy and identity theft!


(Photo courtesy of naveenium at Flickr)

Software Piracy is a multi-billion dollar issue. Whether it's hawked in a spam e-mail, a flea market or on a auction site -- it might not work as well as advertised -- and could even lead to identity theft.

You never know what might be installed in pirated software. The person selling it to you might add a little malicious software (containing a keylogger) and steal all your personal and financial information.

A recent case showing how pirated software leads to identity theft was announced by the Department of Justice:

An Oregon man pleaded guilty today to selling counterfeit computer software with a retail value of more than $1 million, in addition to aggravated identity theft and mail fraud, announced Assistant Attorney General of the Criminal Division Alice S. Fisher and Karin J. Immergut, U.S. Attorney for the District of Oregon. This case is part of the Justice Department’s initiative to combat online auction piracy.

Jeremiah Joseph Mondello, 23, of Eugene, Ore., pleaded guilty to one count each of criminal copyright infringement, aggravated identity theft and mail fraud before U.S. District Court Judge Ann L. Aiken in Eugene. Mondello faces up to 27 years in prison, a maximum fine of $500,000 and three years of supervised release. Sentencing has been set for July 23, 2008.

Although this only appears to be a small win in the overall problem, it illustrates the danger of installing unauthorized software on your system. You might get more than you bargained for:

Mondello admitted to stealing individuals’ identifying information to establish online payment accounts in their names. Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger program to surreptitiously obtain this information. The keystroke logger program installed itself on the victim’s computer and then recorded the victim’s name and bank account information as the information was being typed. The program then electronically sent the information back to Mondello, and he used this stolen information to establish the online payment accounts.

In other words, the moral of the story is that the money you save buying knock-off software can easily be lost when the seller returns to clean out your financial assets.

Trust me, criminals are not honorable and they could care less, if you get left holding the bag.

Last, but not least, most victims of identity theft are able to get their financial institutions to write-off their losses. However, if they discover you used illegal software -- which happened to contain malicious capabilities -- my guess is they are going to deny your fraud claim.

DOJ credited the Software & Information Industry Association for their assistance in this conviction. This association represents the software industry and goes after software and content piracy. They provide a means to report instances of piracy and offer up to a million dollar reward for doing so.

Full press release on this matter, here.

Saturday, May 24, 2008

China earthquake and Burma (Myanmar) cyclone inspire another round of charity fraud!


(Photo courtesy of IslamicReliefUSA at Flickr)

Last weekend, I lamented that the Western media wasn't reporting the expected fraud activity in the wake of the China earthquake and the Burma (Myanmar) cyclone.

Most of the scam activity, associated with the earthquake, was being reported out of China.

Having been extremely busy in my day job, I didn't get the chance to follow-up and see if this trend would continue. It did not and as expected, inboxes are being targeted with come-ons designed to take away from those, who would really benefit from our charitable impulses.

As expected, we are now seeing fraudsters, using their favorite technique (spam) to trick people out of their hard-earned money and (possibly) their personal and financial details.

The reason, I mention personal and financial details being stolen (identity theft) is because malware is being dropped on systems when unsuspecting people click on a link regarding a plea for financial assistance. Sadly, this more technical means of stealing information is becoming more and more commonplace. Not very intelligent criminals (my opinion) can easily buy all the software necessary to do it -- which sometimes comes with technical support -- right over the Internet.

Of course, identity theft, might not be the only intent in dropping the malware. Frequently, the intent is to take over your system and turn it into a member of a botnet so it can be used as a spam spewing zombie. Most of the time, the owner isn't aware their computer (zombie) is being used to flood cyberspace with spam e-mails.

Internet security firms are reporting suspicious e-mails asking for help and marketable domain names are fetching premium prices.

Sophos went on record that they had detected malicious software attached to some of these spam mails. McAfee also reported malware attached to electronic documents referencing the earthquake. The FBI issued an alert on this subject, also.

As a discaimer, at first sight, it can be hard to determine if a request for a donation is legitimate or not. Charity is a often practiced social-engineering ploy used by fraudsters and associated internet ghouls to steal money.

Besides using the Internet, charity fraudsters also use the telephone, snail mail, or even go door to door. Text messaging is another tool being used to commit charity fraud, also. This surfaced in the activity reported in China last week.

The best thing to do -- before handing over your hard earned money for an honorable cause -- is to make sure the entity receiving it is legitimate. Taking the time to check things out will help ensure the money goes where it is supposed to.

It might also be wise to give directly to an organization. Besides fraudsters, a lot of telemarketing types sell their services to charities and take a cut of the action. Simply stated, this means that less money will reach the people you are trying to help.

Listed below are some places, where you can cut out the middle-man, or avoid handing over your money to a scam artist. Please note, these organizations, might or might not be involved in the current earthquake and cyclone efforts. Current events often dictate the disaster come-on currently being used by fraudsters.

The United Way, http://national.unitedway.org/, 800 272-4630.

American Red Cross, http://www.redcross.org/, 800-HELP-NOW

Salvation Army, http://www.salvationarmyusa.org/, 800-SAL-ARMY

Network for Good, http://www.networkforgood.org/.

Habitat for Humanity, http://www.habitat.org/, 800-HABITAT.

Samaritan’s Purse, http://www.samaritanspurse.org/, 800 665-2843.

Save the Children, http://www.savethechildren.org/, 800 728-3843.

Humane Society of America, http://www.hsus.org/, 888 259-5431.

Feed the Children, http://www.feedthechildren.org/, 800-525-7575.

America’s Second Harvest, http://www.secondharvest.org/, 800 771-2303.

Additionally, if you are interested in charities that do a lot of work in Asia, here is another list:

Doctors without Borders
Mobilizing to provide medical assistance, blankets, water, sleeping mats and tents.

International Federation of Red Cross and Red Crescent Societies
Dispatching teams to assess damages and the needs of victims.

International Rescue Committee
Assessing immediate needs on the ground and preparing emergency response.

Mercy Corps
On the ground providing emergency relief, including water and tents.

Oxfam
On the ground assessing the response effort and responding to victims.

UNICEF
Sending emergency staff to distribute aid and make further assessments of the damage.

In more general terms, there are some excellent sites to check out, whether a charity is legitimate or not:

Better Business Bureau Wise Giving Alliance, http://www.bbb.org/charity/.

Charity Navigator, http://www.charitywatch.org/.

American Institute for Philanthropy, http://www.guidestar.org/.

Last, but not least - I would like to provide some resources to report suspected fraud activity.

If it is cyber related, report it to the Internet Crime Complaint Center.

For more general complaints, fraud can be reported to the Federal Trade Commisssion, here.

International Phishing Gang, nailed with a little teamwork!

I suppose it's big news when a phishing gang gets caught. Sadly, few of them ever seem to get nabbed, or prosecuted. Phishing is a crime that is committed across borders with the click of a mouse, or "bot," which makes investigating and prosecuting this type of crime, slightly challenging.

Saying that, the times might be changing, especially (more and more) when U.S. citizens are targeted. Besides this latest series of arrests, the FBI recently conducted a very successful operation against bot-herders in an effort dubbed "Operation Bot Roast."

Bot-herders, who run botnets are behind growing amounts of spam. Spam is the preferred method of spreading scams and other questionable activity across cyberspace.

According to the DOJ press release, 33 phishermen have been hooked, in an operation that was truly International in nature:

A federal grand jury in Los Angeles charged 33 individuals in a 65-count indictment unsealed today for their alleged participation in an international racketeering scheme that used the Internet to defraud thousands of individual victims and hundreds of financial institutions. Seven individuals were charged in a District of Connecticut indictment for their roles in an Internet phishing scheme, including two who were also charged in the Los Angeles case.

U.S. law enforcement authorities are executing nine arrest warrants in the Los Angeles area and Romanian law enforcement authorities are executing search warrants in Romania today in connection with the racketeering indictment.
Supporting the "global theory" of this activity, these phishermen operated from six different countries. They also claimed citizenship from several different countries:

The individuals named in the indictment operated from locations in the United States and abroad including Canada, Pakistan, Portugal and Romania, and include both U.S. citizens and foreign nationals. Sonny Duc Vo, Alex Chung Luong and Leonard Gonzales are U.S. citizens. Nga Ngo, Thai Hoang Nguyen, Loi Tan Dang and Dung Phan are permanent legal residents of Vietnam. Hiep Thanh Tran is a U.S. permanent resident from Vietnam. Caroline Tath is a permanent legal resident of Cambodia. Hassan Parvez is a citizen of Pakistan. Rolando Soriano is a Mexican citizen and is currently charged in Los Angeles with illegal entry by an alien following deportation. Ovidiu Ionut Nicola-Roman; Petru Bogdan Belbita; Stefan Sorin Ilinca; Sorin Alin Panait; Costel Bulugea; Nicolae Dragos Draghici; Florin Georgel Spiru; Marian Daniel Ciulean; Irinel Nicusor Stancu; Didi Gabriel Constantin; Mihai Draghici; Marius Sorin Tomescu; Lucian Zamfirache; Laurentiu Cristian Busca; Dan Ionescu; Marius Lnu; Alex Gabriel Paralescu; and Andreea Nicoleta Stancuta are Romanian citizens. An additional four individuals known only by their aliases, “Cryptmaster”; “PaulXSS”; “euro_pin_atm” and “SeleQtor” are believed to be Romanian citizens.

According to an article in PC World by John E. Dunn, stolen financial details (mostly payment card numbers) were stolen using a fake website. The stolen financial details were then sent via SMS (text) messaging to their cohorts in the United States and counterfeit payment (credit/debit) cards were produced.

After the counterfeit cards were produced, we can assume "runners" went to ATM machines and drained the accounts.

Financial institutions targeted included "People’s Bank, Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., and PayPal," according to the DOJ press release. Although, not a financial institution, the DOJ press release mentioned eBay was a phishing target, also.

Two good resources, largely from the private sector that study phishing and provide a lot of relevant information about the activity are the Anti-Phishing Working Group and Artists Against 419. Besides goverment resources, there are private warriors out there dedicated to taking down phishing sites, also. The PIRT Phishing Incident Reporting and Termination Squad run by CastleCops, a site dedicated to computer and internet security, is a leader in this private effort to curb phishing. PIRT goes after phishing as it occurs in the "wild," or on the Internet.

Most of the information gathered by these groups is provided and used as intelligence by law enforcement resources. As a disclaimer, in this case, it is unknown what private resources might have contributed intelligence to this effort.

Law enforcement resources on a local, national and international level contributed to this latest series of arrests. Most experts agree that cybercrime has flourished in the past because of the inability of members of the "white side of the fence" to come together as a team. Sadly, the members of the "black side of the fence" have seemed to embrace teamwork and the result has been devastating, to say the least.

Last month, Attorney General Mukasey announced a "Law Enforcement Strategy to Combat International Organized Crime." This strategy was developed to combat a growing threat to the stability of U.S. interests posed by organized crime groups.

DOJ press release, here.

Sunday, May 18, 2008

Chinese Red Cross Site hacked to steal donations!

Whenever a disaster occurs, there are always dishonest people trying to steal the proceeds of charitable contributions.

This is always sad because it takes away from the people, who are in need.

Heike over at the Dark Visitor is reporting that a Red Cross site has been hacked with the intent of "electronically" removing money intended to help the earthquake victims in China:

Verified by the Ministry of Public Security, a section of the official Red Cross website has been illegally hacked. According to the report, criminal elements gained access to the section of the website that held the special accounts for earthquake disaster relief donations.

An individual named Li Bujiu, had opened four fraudulent bank accounts to steal the funding.

Full story with more details from the Dark Visitor Site (Inside the World of Chinese Hackers), here.

Thus far, we haven't seen the flood of phishing, fake charity websites and the like come about as the result of the earthquake in China, or the cyclone in Myanmar reported in the West? Even this story isn't up on Google News yet.

Reuters did recently report that fraud is occurring inside China as a result of the earthquake disaster:
Police issued a warning after a flurry of text messages hit mobile phones, soliciting disaster assistance in emotional appeals, only asking that funds be deposited in private accounts.

The Reuters story -- which does mention that the Red Cross was shut down because of too many vistors (?) and had a page listing bank accounts to contribute to (??) -- can be seen, here.

The story in Reuters references the site, http://www.crcf.org.cn, which as of this writing appears to be up and running.

Not sure why more news on disaster fraud from China isn't being seen? It could be attributed to the "Great Firewall of China," or the fact that hacking and committing fraud carries far more serious consequences in China than it does here in the West.

Generally, if caught, offenses like hacking can mean the death penalty in China. In 2006, China carried out ten times more executions than the next country who still uses captial punishment. Generally, they use one round from an assault rifle (hollow-point) to the back of the head.

Of course, that doesn't mean that there isn't a lot of hacking coming from China. We see stories all the time about Chinese hackers committing corporate and government espionage. The Dark Visitor is an excellent site, run by a former intelligence type, about the mysterious world of hacking in the People's Republic.

I guess the difference on whether you get a bullet in the head, or not depends on whether certain authorities approve of your activity (my opinion). Of course, they are not beyond setting an example from time to time if certain political conditions exist.

Last year, China executed their former food and safety chief (Zheng Xiaoyu) for taking bribes in the wake of all the news stories about defective and dangerous products being exported from China.

With all the humans rights violations, fraud, hacking and deception that occur in the People's Republic, it's amazing that so many companies in the West continue doing business with them.

Sadly enough, some believe this has been at the expense of many people in their own countries. Given the human rights violations, it is also at the expense of a lot of Chinese people, also!

Perhaps, I'm old fashioned, but I sometimes wonder when people will come first?

Sadly enough, greed often gets in the way of this concept.

Friday, May 16, 2008

Mortgage scams target the "already unfortunate!"

I guess I'm one of the luckier people out there. When housing prices skyrocketed, I chose to remain happy with my humble digs and watch the frenzy. Now that the bottom has fallen out of the housing boom, at least I'm still semi-whole.

The reason I can only say that I'm semi-whole is that last month I mailed a check to the IRS. In reality, it's probably going to be "proceeds from tax coffers" paying for the mess that was created.

There was fraud in the housing boom. Exactly how much, nobody really knows or is saying. With a lot of desperate people out there -- one thing is for certain -- there are going to be dishonest people approaching them with fraud schemes promising to get them out of their current dilemma.

The FBI just released an interesting report showing fraud trends that contributed to the current financial crisis the housing boom has caused. It's key findings were that mortgage fraud is on the rise, subprime loans contributed to mortgage fraud, the downward trend in housing will continue and that the current financial crisis is creating a new wave of fraud targeting the people, who have already lost their shirts, as as result of this crisis.

From the press release on this subject:

The latest mortgage scams run the gamut: from “builder-bailout” schemes where developers unload excess inventory through financial trickery…to foreclosure rescue frauds that trick homeowners into signing over the deed to their house; from seller-assistance scams that use false appraisals to sell homes…to identity theft that leads to home equity credit lines being opened and drained. See the report for more details.

The report lists the two main categories of mortgage fraud:

Mortgage loan fraud is divided into two categories: fraud for property and fraud for profit.

Fraud for property/housing entails misrepresentations by the applicant for the purpose of purchasing a property for a primary residence. This scheme usually involves a single loan. Although applicants may embellish income and conceal debt, their intent is to repay the loan.

Fraud for profit, however, often involves multiple loans and elaborate schemes perpetrated to gain illicit proceeds from property sales. It is this second category that is of most concern to law enforcement and the mortgage industry. Gross misrepresentations concerning appraisals and loan documents are common in fraud for profit schemes and participants are frequently paid for their participation.
The full report, which goes into a lot of detail on current trends can be seen, here.

Besides the latest report, the FBI has a page on their website dedicated to educating the average person how they might be taken to the cleaners as a result of mortgage fraud.

The page has information on a lot of the recently discovered schemes. Included is a well-written story about a pretty scary phenomenon called, "house stealing."

House stealing is where mortgage fraud meets identity theft.

… The con artists start by picking out a house to steal—say, YOURS. … Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. … Then, they go to an office supply store and purchase forms that transfer property. … After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS.*

Although not considered common, there was a recent case in Southern California involving a variation of this scheme and it involved over 100 homeowners. More recently, the Boston Globe reported that 11 individuals were indicted in a $10.6 million loan fraud scam. Straw buyers and identity theft are part of the formula in this case, also.

And it doesn't only happen in the United States, I've read of this occurring in Canada, also.

The FBI has allocated 200 agents and 33 task forces to investigate mortgage fraud, according to an article in Reuters that quoted FBI Director Robert Mueller. The article mentioned that 19 major corporations are under investigation and Mueller referred to the FBI's involvement in investigating the Saving and Loan crisis, Enron and World.com, while delivering his speech.

If you happen to get approached with an offer that seems a little too good to be true (or are suspicious of a past scheme) you can report the matter to the FBI. The people behind these schemes have caused a lot of pain and suffering for a lot of people and besides that, if you pay taxes, you are probably paying for this problem.


(Courtesy of the FBI site - click for larger image)

Wednesday, May 14, 2008

Another law suit filed against Lifelock identity theft protection services in West Virginia

Despite all the publicity that Lifelock continues to do well, a third class action has been filed against them for misleading advertising in West Virginia.

From the PR Newswire release:

Marks & Klein, LLP today filed its third class action lawsuit against LifeLock, Inc., a provider of identity theft protection services, and its CEO Richard "Todd" Davis. The lawsuit was filed in the Circuit Court of Jackson County, West Virginia (Docket No. 08-C-69), on behalf of Kevin Gerhold of Falling Rivers, as well as all other LifeLock subscribers in West Virginia.

This follows similar class actions filed in New Jersey and Maryland.

"The lawsuits allege that LifeLock and its multi-million-dollar advertising campaign provided false and misleading information about the limited level of identity protection the company provides, and failed to warn them about the potential adverse impact the company's services could have on their credit profiles," according to the press release.

Additionally, the release alleges that Lifelock CEO, Todd Davis has been a victim of identity theft multiple times since using his SSN as a marketing tool to sell the service.

So far only one instance of this has been reported. Here is what I wrote about it in a previous post about pending litigation between Experian and Lifelock:

Shortly thereafter, CEO Todd Davis made headlines when he organized a "posee," complete with film crew to go after the person, who stole his identity to get a loan. The identity thief in question was described as mentally disabled by the authorities and the charges were dropped because of the questionable tactics used, referred to as coercion.
So far as Lifelock not protecting people from all forms of identity theft, as alleged in all three of these actions, I offered my speculation (opinion) on what that was referring to:

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

The press release indicates that other law suits are being considered in other States.

An item of interest not disclosed in all the other actions was that a woman had her stolen debit card used to purchase identity theft services from Lifelock:

Beyond the charges leveled in the Complaints, lead counsel Paris related the story of a Wisconsin consumer who contacted the firm regarding her accidental experience with LifeLock. "Her debit card was stolen and the thief had the audacity to use the card to buy a subscription to LifeLock," he noted. "Most disturbingly, LifeLock issued the subscription to the thief in the thief's name, clearly failing to verify the appropriate information."

I guess the person, who did this believes in protecting their own identity, at least, as long as, they aren't paying for it, themselves?

The services offered by Lifelock aren't much different than a lot of other services being offered by other companies. This has often led me to wonder if the actions against Lifelock are only the beginning?

The identity theft industry, which is growing at a double-digit rate, has attracted a of start up companies and it can be difficult for the consumer to determine exactly what they are paying for.

Most of the experts (not selling services) agree most people can fix their identity for free, and in the long run, they might do a better job of it, themselves.

If someone were to do this, a good place would be the FTC's Identity Theft page. Other decent free resources are the Identity Theft Resource Center and the Privacy Rights Clearinghouse.

Tuesday, May 13, 2008

State's top lawman takes a "Don't mess with Texas" approach to fighting identity theft


(Texas Attorney General Greg Abbot)

Texas Attorney General, Greg Abbott, is teaching the business world not to mess with the personal information of Texans.

Using a series of laws that he wrote an essay on, AG Abbot has taken legal action against Radio Shack, CVS Pharmacy and CNG Financial Corporation doing business as as Check and Go and Southwestern & Pacific Specialty Finance for not properly protecting people’s information. His office also has pending action against “Select Physical Therapy Texas Limited Partnership and its parent company, Select Medical Corporation, as well as Minnesota-based LifeTime Fitness for improperly discarding customer records,” according to a press release on his site.

Notably, it didn't take a crack team of computer security geeks to crack these cases. In all of these instances, the investigators used a more old fashioned, but often effective investigative technique called dumpster diving.

Going back to my original premise that there is a lot of unprotected information being compromised too easily, these cases represent how much low hanging fruit is available to identity thieves.

This probably wouldn’t surprise anyone who has taken a look at Attrition.org’s Data Loss Database - Open Source. Fairly frequently, mass amounts of information go missing for not very "technical" reasons.

On Tuesday, the Texas AG site announced a new tool to assist Texans in recovering from becoming an identity theft victim:

The Attorney General’s Identity Theft Victim’s Kit offers a step-by-step priority checklist that victims can use as soon as possible to prevent further damage. Once the identity theft has been confirmed, for example, victims should quickly close all bank, credit, utility and service accounts. Next, victims should contact one of the major credit bureaus and request that fraud alerts or security freezes be placed on their credit reports. This action prevents new accounts from being opened fraudulently under victims’ names.

Also mentioned in the press release is that it still pays to report identity theft to the Federal Trade Commission. They point out that, "many creditors will accept this affidavit on victims’ behalf in lieu of a police report about the crime."

They also point out something that I think is even more important:

A recent trend among identity thieves suggests the criminal may use victims’ personal information to obtain a driver’s license, file for bankruptcy, seek Social Security benefits or apply for a passport. In such cases, the Identity Theft Victim’s Kit instructs victims to immediately contact any government agencies approached by identity thieves.

A lot of people have been led to believe that the final solution to preventing identity theft is to monitor your credit bureau. Unfortunately, a lot of this has been driven via advertising campaigns by some of the pay for protection identity theft services.

Identity theft isn't only a problem in financial crimes. Criminals steal identities to work, obtain government benefits and to commit a wide range of "other than financial crimes."

Critics of the pay for protection industry have often pointed out these paid services, although convenient, accomplish what a person could do free-of-charge, themselves. Since it is an unregulated industry, the services offered varying levels of protection, also.

There are some of these services that are way better than others, and if you decide to go shopping for one, the term "caveat emptor" (buyer beware) is a wise principle to apply.

This site, http://www.texasfightsidtheft.gov/index.shtml, offers one click access to all the steps a person needs to take to recover from becoming an identity theft victim. It also offers a lot of resources that a prudent person can use to prevent identity theft.

After reviewing this site, I noted that it could be used by citizens of just about anyone residing in the United States of America.

In closing, the approach taken by Attorney General Abbott and his office is refreshing and a lot of other elected officials would benefit from studying what I consider a "no nonsense" approach to combating identity theft.

Sunday, May 11, 2008

Symantec May Spam Report reveals IRS e-mail leads to vampire game?

Symantec just released it's monthly spam report. I always find these reports a valuable tool to see exactly what trends the cybercriminal and less than ethical e-commerce communities have been up to in the past month.

Although most of us view spam as a major nuisance, the fact remains that spam is the preferred vehicle of marketing garbage and ripping off human beings on the Internet.

This month continues a nasty trend where spammers and phishermen (identity and information thieves) continue to manipulate Google's search engine:

For some time, spammers have used reputable brands to try and deliver spam and phishing messages to end-users. In the last year, Google has become a favorite target for some spammers. In November 2007, Symantec reported the emergence of a technique where spammers manipulated Google’s advanced search query and the “I’m feeling lucky” option to direct users to a spam site. In February 2008, Symantec reported that spammers had manipulated parameters in Google URLs used for AdSense and redirected unsuspecting end-users to a spam website. In April 2008 phishing emails purporting to come from the Google AdWords service have emerged. Google AdWords is a service that allows advertisers to intelligibly connect with individuals who search using Google. In the Google AdWords phishing samples that have emerged, the end-user is encouraged to click on a link to update their billing information and/or renew their account. The link in these phishing emails leads to a fraudulent website where personal information is requested and harvested.
Spear phishing, where specific people are targeted arrived in inboxes in the form of fake government subpoenas addressed to corporate executives. Also seen were come-ons to become a movie star, spam being sent in the form of instant messages and the 419 (Advance Fee) boys inserting calendar reminders in their spam to remind people send them their money.

While closely related to the long known use of job sites to gather information to commit identity theft, a new twist has been noted where professional networking sites are used for this purpose, also.

From the May report:

One of the side effects stemming from the growth of personal and professional networking sites is the increase in unsolicited emails that operate under the guise of connecting business professionals with their peers. The recipient is asked to join the “inner circle” and is encouraged to supply the network with their professional history by clicking on a URL which brings the user to a registration page. The page requests personal information that could be used for identity theft and could fuel future spam attacks.

In these monthly reports, Symantec normally has one twist with a particularly ghoulish or amusing angle. This month is no exception and they are reporting an IRS spam campaign that leads to a site where you can raise a vampire from the dead:

This time, instead of the refund link taking you to a site to steal your credentials, the link takes you to a popular web-based game in which you incarnate a vampire. The vampire gains more power every time end-users click on his link. It’s a rough, dark world out there… be warned.
I found this especially ironic because scammers and spammers are often referred to as ghouls or vampires when being described in literary terms. So far as the connection to all of this with the IRS, I'll leave that to the reader's imagination.

The IRS having their name spammed is nothing new. As predicted, there is an IRS spam (phishing) campaign going on right now using the tax stimulus program as a come-on to steal personal and financial information, which will probably be used to commit financial crimes. I'm predicting this might be a topic of interest on the June Spam Report.

The full report on the State of Spam for the month of May may be seen courtesy of Symantec, here.

FBI reports tax stimulus phishing campaign underway

The FBI Cyber Investigations Division issued a press release that spammers are phishing for people's personal details using the tax stimulus program as bait.

The Federal Bureau of Investigation warns consumers of recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate. The message contains a hyperlink to a fraudulent form which requests the recipient's personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check.

My guess is that the intent in getting your bank account information is to take it over and drain it of all it's assets.

Please note that phishing normally requires a person to willingly give up their information, but more and more, a new phenomenon is being seen called a drive by infection is being seen in the "wild" a.k.a. the Internet.

I wrote about this recently in a post called, "Nowadays, all you need to do is visit the wrong site to have your personal information stolen! "

As noted in the post, the phishermen have been seen using social engineering ploys, along with malicious software in conjunction with each other.

If you want to learn more via FBI recommended educational tools, or report a phishy e-mail, here is a way you may do so:

Please notify the IC3 by filing a complaint at www.ic3.gov. More information on scams is also available on www.fbi.gov and www.lookstoogoodtobetrue.com.

You can also report IRS related phishing scams to phishing@IRS.gov, here.

FBI press release with example of one of the phishmails, here.

In case you want to see when you are going to get your "actual" stimulus check (if you qualify), the IRS has a tool to figure it all out on their site.

Wednesday, May 07, 2008

Stolen information from 40 financial and medical institutions discovered on rogue server

Once in awhile, I speculate that stolen information is a lot more valuable to the criminal element before it becomes apparent that it's been stolen. I've also speculated aloud that there is probably a lot more stolen information out there than we are aware of. The good folks at Finjan are well on their way to substantiating this speculation.

Yesterday, they announced the following on their malicious page of the month:

While we were examining malicious code, we came across a domain which was being used as a command and control for the Crimeware that was executed on attacked machines. The domain was also used as the “drop site” for private information being harvested by that Crimeware.

When we further examined this server, we found the stolen data left unprotected and available for anyone on the web (i.e. no access restrictions, no encryption whatsoever).

The server that we analyzed contained more than 1.4Gb of data (both business and personal related) collected from infected PCs, which consisted of 5,388 unique log files, that were traced back to 5,878 distinct IP addresses. Both email communications and web related data were found.
The information discovered was from 40 unnamed financial and medical institutions from several different continents. The server used to store this information was being moved frequently, but if found, anyone could access it.

They made the observation that last year, according to what statistics are available, 8.5 million records were compromised. One of these statistics, obtained from IC3 states that 20 percent of the 206,884 cases (roughly 40,000) were due to computer hacking. Finjan points out that on this one server, they discovered approximately 5,000 records.

I’ll let the reader do their own math, but if this is true there is probably a lot of unknown hacking activity happening in the wild.

Please note that all the kind people compiling statistics only know what is reported to them, and some of them have been very vocal in pointing this out. My personal guess is that there is so much stolen information out there that when any individual case is investigated, it’s almost impossible to do more than speculate, exactly where the point of compromise occurred.

Besides that, hackers are unlikely to want to reveal where they are stealing all their information from. Once revealed, it’s harder to use and not worth as much money.

The information on the server included compromised medical information, online banking information (including passwords) and complete logs of payment card (debit/credit) card transactions, including CVV2 information and the miscellaneous “extras.” This all occurred on “supposedly” secure sites.

I found this interesting because the merchants have been under fire for becoming compliant with PCI data security standards in light of a few highly publicized data breaches. Of course in the recent Hannaford case, they were compromised and had been certified as being PCI compliant. PCI data security procedures are the payment card industries own standards for protecting information.


Based on these findings, hackers don’t have to compromise a merchant to steal everything they need to commit financial crimes and it’s pretty obvious that financial institutions are being compromised, also.

Also found on the server was a lot of business proprietary information harvested from a lot of internal e-mail accounts. In the past year or so there seems to have been a lot of campaigns to obtain other than financial information from businesses. The clear intent in this activity is corporate espionage (my speculation).

Finjan reports that this particular theft campaign was made possible with a do-it-yourself (DIY) crimeware kit called the AdPack Toolkit. They also reported that this kit gives the user command and control functions, enabling them to execute admin functions with the illicit software.

Finjan is not revealing (they never do) exactly which institutions were compromised. Even though they are not revealing names, they did report the activity to law enforcement and the institutions involved.

Saturday, May 03, 2008

Truston ID Theft protection and recovery platform rakes in another award!

It appears that Tom Fragala and the MyTruston team have raked in (yet) another award. This time from the Pacific Coast Business Times as one of the hot start-up companies coming from California's Central Coast.

Tom Fragala, Truston's CEO wrote on his blog, "This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide."

Here is the reason why they were chosen:


Truston's MyTruston® service is the only fully online identity theft recovery system. It is web-based software that can help millions of people easily recover from and prevent identity fraud by supporting virtually any type of ID theft. MyTruston walks consumers step-by-step through the entire prevention or recovery process—dramatically reducing the time, financial cost, and emotional impact. And it can easily be embedded into a partner's own website on a private-label basis.


The press release also contains a comment from Tom Fragala, CEO of Truston:


“The Pacific Coast Business Times recognition of Truston as one of the hottest startups in Central California further validates our innovative products and strategy of offering our services to large partners in the identity theft, direct marketing and financial services markets,” said Tom Fragala, CEO and founder at Truston. “Superior technology and support for partners differentiates Truston from other companies in the identity theft protection market.”


Tom developed Truston based on his own personal experience as an identity theft victim and has spent thousands of hours assisting other victims of identity theft.

Because of this, coupled with the fact that he is selling this technology to large partners, he still takes care of us "little people" by offering a free 45 day trial (no credit card needed) of the Truston platform.

Saying that, I should mention that the platform has always protected people free of cost and only charges for using it to recover after a person is a confirmed identity theft victim. Most companies charge you right from the beginning and will only help you if you were paying at the time of the crime (pardon the pun). Many of them also require that you surrender all your personal details, which they maintain on a database. Information on databases are a favorite place for identity theft thieves to obtain the resources they need to commit their crimes.

There are some, who believe one of the root causes of identity theft is the multi-billion dollar business of buying and selling information, which is normally maintained in databases.

If you are interested in checking out the Truston platform while it is still free, I've provided a link, here.

Does the proposed class action settlement in the Certegy data breach case lack teeth?

I happened to notice, I was getting a lot of hits on some posts about the Certegy data breach and discovered that there is a proposed settlement in the class action law suit against them.

Tim Wilson at Dark Reading pointed out that this settlement amounts to Certegy paying less than $1 per victim and wrote:

Certegy Check Services is proposing to settle a class action lawsuit of last year's security breach on behalf of 8.4 million victims for about $4 million.

According to a report in the St. Petersburg (Fla.) Times, Certegy will also offer free credit monitoring services to some victims and reimbursement of credit monitoring expenses totaling $1 million on a first-come-first-served basis.
He also surmised in his article that:

While plaintiffs' lawyers hailed the offer as a victory, critics said the relatively small settlement will not help the cause of identity protection. The massive TJX breach also resulted in a relatively small settlement for the victims, netting about $6.5 million for customers.

Of note, I would imagine the plantiff's lawyers made A LOT more than $1 each for orchestrating this event. In all fairness, given the precedent set by similar actions might mean there isn't a very "deep pocket" on this type of action.

At $1 million for monitoring divided by 8.4 million potential victims, if any of them want the free monitoring, they better move quickly.

So far as the $4 million being set aside to make victims whole, I wonder how hard it is going to be for them to prove (as required by this settlement) that Certegy was the point-of-compromise in their case? The general rule of thumb is that identity thieves, even if they are caught (rare), probably aren't 100 percent sure where the information came from themselves. There is so much stolen information out there, it's being traded over the Internet.

The sad truth is that with all the data breaches out there, it might be hard to prove exactly where an identity theft victim's information was compromised.

So far as the criminal prosecution of the employee, one William Sullivan, who sold off 8.5 million people's records, I did a post in November about how he was able to make a plea bargain and get a reduced sentence in this case. There was a mention of a data broker being a co-conspirator, but they never seemed to be named (at least in public).

Personally, I've always had mixed feelings about law suits that result when data breaches occur. There is an argument that at least some (my opinion) of the organizations being breached are victims in the overall equation, also.

Saying that, if this class action and the one for TJX have set the legal precedent on this type of action, they are unlikely to serve as much of a deterrent against data breaches, or all the identity theft that results from them. Furthermore, the criminal prosecution of William Sullivan in his case is unlikely to be much of a deterrent, either.

In fact these results are probably going to do little to inspire organizations to protect their information better and for some, will probably be viewed as a cost of doing business.

I guess it's time to go back to the drawing board to figure out a way to effectively address information/identity theft and data breaches?

Here are the original posts, I did on this matter, which contain some angry commentary from more than one victim:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

Friday, May 02, 2008

Federal Reserve backs proposing reforms on credit card rules

Credit card fees, which a lot of consumer groups, have called out as unfair and abusive are in the news again. Today, the Federal Reserve Board proposed changes, which some believe have been a long time coming.

From the Federal Reserve's press release:

The Federal Reserve Board on Friday proposed rules to prohibit unfair practices regarding credit cards and overdraft services that would, among other provisions, protect consumers from unexpected increases in the rate charged on pre-existing credit card balances.
Without going to to the regulations governing this, here is what is being proposed:

Banks would be prohibited from increasing the rate on a pre-existing credit card balance (except under limited circumstances) and must allow the consumer to pay off that balance over a reasonable period of time.

Banks would be prohibited from applying payments in excess of the minimum in a manner that maximizes interest charges.

Banks would be required to give consumers the full benefit of discounted promotional rates on credit cards by applying payments in excess of the minimum to any higher-rate balances first, and by providing a grace period for purchases where the consumer is otherwise eligible.

Banks would be prohibited from imposing interest charges using the "two-cycle" method, which computes interest on balances on days in billing cycles preceding the most recent billing cycle.

Banks would be required to provide consumers a reasonable amount of time to make payments.
Sub prime credit card products are also being addressed by limiting fees that can be automatically applied to a balance. Greater transparency on interest rates and credit limits is being proposed, also.

ConsumersUnion.org issued a press release the day before the Federal Reserve did offering a mixed reaction to the proposal:

"It’s about time federal regulators offered consumers some relief from unfair bank practices," said Consumers Union Financial Services Campaign manager Gail Hillebrand. "This proposed rule finally acknowledges that some practices just aren’t fair. All the disclosure in the world can’t make it fair to send the bill too close to the due date; to raise the interest rate on money already borrowed: or to charge a fee for a problem caused by the bank’s practice to allow a credit hold or a debit hold.”

The proposed rules respond to a sustained outcry from consumers and strong interest in Congress in credit card reform and in reform of bank account practices such as overdraft loans.
Consumers Union praised the approach of the proposed rule to ban, not just require more disclosure about, some of the worst credit card practices.

They also issued a press release on April 30th commending Senator Dodd, who is the Senate Banking Committee Chairman, for introducing the Credit Card Accountability, Responsibility and Disclosure Act.

ConsumersUnion.org has long been critical of the credit card industry and has an ongoing campaign to bring about reforms to the industry.

Federal Reserve press release, here.

Thursday, May 01, 2008

Internet Gangstas don't appreciate software piracy, either!

Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked-off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, "the binary code of your bot will be immediately sent to antivirus companies."

The reason reporting reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was mentioned in a previous post on this blog:

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.



2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.


It should be noted that these crimeware kits, as I've written frequently, make it fairly easy for not very technical criminals to commit technical crimes. As noted in their licensing agreement, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for much talked about Zeus kit, which has "drive-by" capabilities. If you are unfamiliar with what "drive by" means on the Internet, it means that your computer only needs to visit a site to become infected.

Here is a previous post, I recently did about the "drive by" problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam's post on the Symantec blog, here.