Sunday, June 29, 2008

Wards will now start notifying customers their information was stolen in December

The Associated Press announced on Friday that old time retailer Montgomery Ward is the latest victim of a data breach, where at least 51,000 records were compromised. The unfortunate problem now is they failed to notify the victims, which is the law in 44 States.

Since Montgomery Ward declared bankruptcy in 2001 this announcement might sound confusing, but the company was resurrected in 2004 under the name, Direct Marketing Services Incorporated. Direct Market Services sells merchandise under the names,,, (and two more) online.

Allegedly, hackers gained access by going through another Direct Marketing Services site,

When they discovered the hack in December, they did notify their payment processor, Visa and Mastercard, but failed to notify any individual customers. Of course, they now plan to do so after being asked about it by the Associated Press.

The hat tip in this instance goes to CardCops, which a group of cyber sleuths who track stolen payment card data in underground carder forums for financial institutions. CardsCops spotted a group of 200,000 card numbers for sale (including CVC data) on one of the forums (chatrooms) they were monitoring. After tracing some of these cards to their owners, they discovered that they were had one thing in common (Wards).

At this point, it is unclear on whether the official estimate of 51,000 missing records is correct, or the hackers misrepresented the number of cards available in their underground forum.

When asked for some commentary, Visa declined to comment, MasterCard stated they warned the issuing banks to watch for suspicious activity and Discover stated they issued new cards.

Wards is not alone in not notifying their customers, or the public promptly when a data breach occurs. Recently lamented about this in a post suggesting we are a long way from full disclosure in data breaches.

Even without all the known data breaches, there are many that are never discovered. Besides that, information is stolen all the time on a smaller scale by dishonest employees, phishing and (despite all the shredders) from the trash.

The sad truth is from the criminal perspective, stolen information that hasn't been detected is worth more than information that is known to be "hot."

If you would like to see more information on the known data breaches, the DLDOS database at is a good resource. PogoWasRight is also another place that covers the privacy concerns arising from this problem, which faces us all.

Wednesday, June 25, 2008

Retailers Honor Sleuths Who Smashed $100 Million Organized Retail Crime Ring

The National Retail Federation is recognizing a couple of individuals, both from law enforcement and within their own ranks, for their contributions in smashing a $100 million organized retail crime ring. These crime fighters are being honored at the NRF Loss Prevention Conference & EXPO in Orlando, Florida.

The two being honored are Detective Ostojic, of the Polk Country Sheriff's Department, and Ron Averette from the loss prevention department at Publix Supermarkets. In June 2007, the two began comparing notes on a group that was stealing large amounts of merchandise. Subsequently, Detective Ostojic was able to tie in cases at other retailers and Averette (along with Ostojic) presented the pattern of activity to the Florida Department of Law Enforcement and Florida State Attorney's Office. This led to a task force being formed under the leadership of Special Agent Telly Sands from the Florida Department of Law Enforcement.The result of the task force's efforts were that 18 people were identified as being involved in the ring and subsequently arrested.

The FBI estimates that organized retail crime costs retailers an estimated $30 billion dollars a year. To date, this is the largest documented case where organized retail crime was identified as being the cause.

These rings use flea markets, Internet auction sites like eBay and Craigslist, rogue e-commerce sites, and even seedy merchants to sell their goods. Some retail loss prevention departments have dedicated personnel to investigate stolen merchandise on auction sites.

In this case, a lot of the stolen merchandise were health and beauty aids. Some of these products have expiration dates, which might lead to health and safety concerns for the end user.

Mark Albright wrote an article about this case in the Saint Petersburg Times, where he mentioned specific brands the group deemed desirable for resale. By doing a search on eBay, I found a wide selection of Gillette razor blades, Prilosec, Crest WhiteStrips, and Oil of Olay available on the site. Please note that I have no way of telling if these items were the result of organized retail crime or obtained legitimately. I do know that large companies generally frown on having their products sold on auction sites and I saw some extremely good prices listed for these products.

According to the article in the Saint Petersburg Times some of the shoplifters (boosters) involved have rap sheets (criminal records) ranging from sex crimes to armed robbery and attempted murder.

A recent survey indicated that retailers are seeing an increase in organized retail crime activity. The cost of this type of crime is eventually added into the cost of the product being stolen, which means we all end up paying for it.

This activity has been known to run smaller businesses bankrupt. Even at larger retail organizations, out of control losses often dictate that operating budgets need to be trimmed. Since payroll is often the largest operating cost in an organization, this leads to reductions in hours and positions to keep a company afloat. Simply stated, activity like this can cost people their jobs.

Legislation has been passed in many states and more is forthcoming to make organized retail crime penalties stiffer.

Tuesday, June 24, 2008

Inside CRM publishes 50 ways to protect your privacy!

I got a tip from Fiona King at InsideCRM magazine about an article they published that lists fifty tips to protect your privacy, personal and financial information. InsideCRM represents the customer relationship management industry.

The article intended to provide useful tips to protect the average person from fraud, phishing, and all the assorted financial misdeeds facing the average person in today's world. The tips provide information on how these scams originate and emphasize how a person can take back control of their personal and financial information.

The article covers how to protect yourself both on and offline and how you can track your personal information on the Internet. Although I've seen many of these tips before, putting them all in a one-page format makes this article a useful tool. Along with the fifty tips are useful links, which direct the reader to the source material about the particular tip.

The CRM industry has a stake in fighting the battle against scams that are being made easier by technology. Consumer trust is a key factor in any type of business involving customers.
One growing concern that can give the industry a bad rap (even though the legitimate CRM center had nothing to do with it) is a phenomenon called vishing where personal information is stolen by calling people up on the telephone. This type of activity is a growing phenomenon. In most cases, the crooks impersonate a legitimate organization when doing this.

My personal tip on how not to get caught in a vishing expedition is to remember that no reputable organization will ever call (unsolicited by you) and ask for personal or financial information. If this occurs, a red flag should go up in your head and I recommend verifying the number via a known third party source and calling them back. Do not rely on caller ID; spoofing services (which fake caller ID) numbers are available to anyone with the capital to purchase them on the Internet.

The article lists some useful tips when dealing with VoIP (Voice over Internet Protocol) technology, which many believe is the cause in the recent surge of vishing activity. The reason for this is that it has made calling long distance cheap and vishing scams now come from all over the world, making them hard to investigate or trace.

Additionally, CRM centers often deal in personal and financial information. One of the biggest consumer trust issues that faces the industry is when information is breached from within a CRM center. Recent reports of information being stolen at CRM centers have made internal security at CRM centers a priority.

Please note that CRM centers are not the only places personal and financial information are compromised. This is becoming a sad reality and any business that deals in "information" needs to be aware of the potential risks of having this valuable commodity stolen from under their noses.

Most technology scams involve healthy does of social engineering (human trickery) to make them work. Education is the best defense against social engineering and InsideCRM has provided all of us with a valuable tool to do this with!

Sunday, June 22, 2008

Yes we can protect the citizen from the Big Oil Scam!

Recently, I've written a couple of posts about energy speculation and why it's part of the reason for the current energy crisis. This occurs when speculators buy oil on paper with credit, the oil is never delivered and then we are told that supply and demand is driving the prices up.

Then all of a sudden, I read a story that Barack Obama is calling for an end to the speculation many believe is the cause of the out-of-control prices. Some think these high prices are being enabled by a law known as the "Enron Loophole." One would think that after studying all the fraud and financial misdeeds in the Enron scandal -- anything they pushed through Congress would have had action taken on it a long time ago?

Perhaps, I'm a bit of a conspiracy theorist, but having lived in California at the time of the Enron scandal -- I can see clear similarities between that time and now. Two of them are how it is hitting the pocketbook of the average person and that that the economic law of supply and demand is being used as an excuse.

From an article in the Washington Post by Anne E. Kornblut:

Sen. Barack Obama on Sunday rolled out a proposal to curb speculation in energy markets, a plan his advisers said would help stabilize soaring gas prices.

Obama proposed a four-step program that would, among other things, close a so-called "Enron loophole" that protects some energy futures trading from oversight by the Commodity Futures Trading Commission, his advisers said.

The Washington Post article quoted the McCain camp as saying:

"The truth is Barack Obama is following John McCain's lead to close a Wall Street loophole that was signed into law by President Bill Clinton," McCain campaign spokesman Tucker Bounds said in a statement. "John McCain has supported bipartisan efforts to close this loophole and will work to address abuses in oil speculation. Barack Obama has voted the party line for Democrats who claim the loophole is fixed. The fact that Barack Obama is attacking John McCain, despite McCain's leadership on the issue, shows that Barack Obama is driven by the partisan attacks that Americans are tired of."

Do we have a reversal going on? Prior to this all we've seen are statements on conservation and allowing the oil companies to drill in places they weren't allowed to before.

Please note -- the quote from the McCain camp is partially true -- Mr. McCain has in the past supported legislation to close the Enron Loophole. The problem is that it's been awhile since he has brought up doing anything about it. Perhaps, Mr. Obama will make him remember his original concerns with the problem?

MSNBC's Keith Olbermann did an interesting story on this, which I first saw on my daughter's blog (, which can be seen, here.

This investigative report points out that Ken Lay starting laying the ground work for the Enron Loophole under the first Bush administration with the blessing of then "new" U.S. Commodity Futures Trading Commission. The Enron Loophole was actually signed into law under the Clinton Administration.

Fast forward to the present and the U.S. Commodity Futures Trading Commission is now going to host a International energy market manipulation conference to look into the speculation issue. Is this a sign that the Enron Loophole has gotten out-of-control?

It also points out that it is probable the speculators will do the same thing with alternative energy sources once they come into vogue.

Of course in all fairness to John McCain, he did vote with the minority in 2002-2003 to close this loophole.

Bill O'Reilly also did an interesting talking point on this subject last Wednesday called "Who Is Hurting You at the Gas Pump." Mr. O'Reilly made a great argument that a large percentage of the prices at the pump are being caused by greedy speculators and that the oil industry and OPEC are along for the ride.

Hopefully, Mr. Obama's statement will inspire the rest of the leadership in Washington to do the right thing and take a serious look at this problem.

In closing, those of us who remember the 70's need to remember we should have been taking a holistic approach to the energy problem long ago. We need to develop alternative sources and find ways to produce energy that aren't going to ruin the planet.

If we ignore the recent lessons on how volatile the energy market is -- there is little doubt we will see the problem in the future again -- and wonder why we didn't do anything about it NOW.

I hope this doesn't turn into a flurry of attacks between Mr. Obama and Mr. McCain. Wouldn't it be nice to see them join hands and do what is in the interest of the general public? I'd also like to see support in Washington to foster what should be a bi-partisan effort.

I'm pretty sure the voting public would appreciate this and should they fail to do so might express their frustrations when they exercise their right to vote!

Identity Theft Service wins Network Products Guide 2008 Product Innovation Award

Tom Fragala announced on his blog that "Truston received a 2008 Product Innovation Award from Network Products Guide for our myTruston Software-as-a-Service (SaaS) platform."

Tom is a well known blogger on the subject of identity theft, was really a victim himself and has spent a lot of time advocating for victims.

He quoted Networks Product Guide as saying:

“Truston's innovative SaaS platform offers an organized approach to getting a stolen identity back and keeping it safe.

myTruston is the only ID theft product that does not require sensitive data, is the only SaaS product in the space, supports virtually all fraud types, has unlimited content extensibility, is built on a patent-pending task management engine and allows for seamless integration with partner's web sites.”

Truston is a platform that allows the individual to protect themselves and recover from identity theft without handing over their personal and financial information. Many of their competitors maintain this information in databases, which seem to be compromised, frequently.
Some of them also require you sign a power of attorney to use their service.

In fact, there is so much compromised information out there, no one is really sure how much there is. Finjan, a noted computer security company, has recently been finding crime servers containing a lot of stolen information that no one knew had been compromised before. Ironically, the owners of these crime servers didn't even bother to password protect them in certain instances.

Despite this, we read about known data breaches all the time.

This isn't the first award Truston has received from the Technology industry and I suspect it won't be the last.

The neat thing is that if you are reading this post, Tom is still offering a free 45 day trial. Of course, the protection part always has been free.

If you would like to try the services for free, click here.

Recently MyTruston created a partnership with Identity Force and their platform is now being used by government agencies. These include the Department of Veterans Affairs, FEMA, US Coast Guard, Transportation Safety Administration, and Department of Energy.

While identity theft is a growing problem and no one can protect themselves 100 percent, MyTruston offers a platform to do so that is at least as good (if not better) than anything else in the industry. If you see advertising for an identity service that is 100 percent bulletproof, I recommend exercising the sage principle of caveat emptor (buyer beware) before shelling out your hard-earned money.

The reason I say better is that it was built on principles that protect privacy and by an individual that wanted people to "trust" his product.

If you would like to learn more about MyTruston, their site has a FAQ page that answers a lot of questions.

Press release on this latest award, here.

Friday, June 20, 2008

Mortgage crooks arrested nationwide in FBI sweep!

Recently, the FBI hinted that a lot of criminals might be getting arrested for contributing to the mortgage meltdown.

It appears that they are now backing up their words with some action.

From the FBI press release:

From March 1 to June 18, 2008, Operation Malicious Mortgage resulted in 144 mortgage fraud cases in which 406 defendants were charged. Yesterday, 60 arrests were made in mortgage fraud-related cases in 15 districts. Charges in Operation Malicious Mortgage cases were brought in every region of the United States and in more than 50 judicial districts by U.S. Attorneys’ Offices based upon the law enforcement and investigative efforts of participating law enforcement agencies. The FBI estimates that approximately $1 billion in losses were inflicted by the mortgage fraud schemes employed in these cases.

Most notably two Bears and Sterns executives were taken off the job in handcuffs:

Today, the U.S. Attorney’s Office for the Eastern District of New York announced an indictment against two senior managers of failed Bear Stearns hedge funds, charging Ralph Cioffi and Mathew Tannin with conspiracy, securities fraud and wire fraud. Cioffi was also charged with insider trading. The indictment alleges that the managers marketed the two funds as a low risk strategy, backed by a pool of debt securities such as mortgages. The indictment alleges that by March 2007, the managers believed the funds were in grave condition and at risk of collapse, but made misrepresentations to stave off investor withdrawal. The funds subsequently collapsed in the summer of 2007 resulting in approximately $1.4 billion in losses to investors.

There is no doubt that a lot of dishonest and very greedy people took advantage of the public at large.

Some people are comparing the mortgage crisis with another economic crisis, where only a rumor of fraud has been suggested thus far.

One of the reasons housing costs skyrocketed and them plummeted was a lot of property flipping. "Many experts blame the US real estate bubble in 2004 and 2005 on investor speculation and "irrational" flipping. Very low interest rates were a root cause, but speculation and flipping compounded the bubble," according to Wikipedia.

Most of this was based on speculation that the price would keep going up.

Now it is rumored that a key reason energy prices are skyrocketing is speculation in the oil market. Huge chunks of oil are bought on paper and paid for with credit. In a lot of instances, the oil is never even actually delivered. The result is that we hear that the price is being driven up because of demand.

Bill O'Reilly (Fox News) did a pretty interesting talking point on this subject, where he said:

Bottom line: Oil is being artificially marketed, and because we all need oil to live, we must pay what the industry dictates because there is no competition.

Add to this the oil speculators. These are people who buy oil contracts for delivery in the future. Only they don't really want the oil. They want the paper.

Speculators bet that oil prices will go higher, and if they do, they sell the paper to concerns that will actually take the oil. If prices go lower, the speculators lose their money.

But get this. The speculators don't have to pay cash to buy the paper contracts. They use credit, so it is easy to play this Las Vegas-type game.
Being just an average person, this leads me to believe that we might see (my opinion) some scandals come out in the future in the energy market, just as we are seeing them now come out in the mortgage meltdown now.

At the end of his talking point, Bill lamented that any help might be a long way off because of all the special interests the oil industry has in Washington.

Interestingly enough, a scandal is now brewing about two prominent Washington types getting sweetheart deals from a mortgage company, while all the real estate speculation was ongoing. The latest is that this money will be given to charity, but it illustrates Bill's last thought on why relief for the average person in the oil crisis might be a long way off.

Granted this is a speculation on my part, but it doesn't appear that it's illegal to speculate, does it? Well I suppose, as long as the person doing the speculating isn't ripping the general public, it isn't.

A short while ago, I did another post on this matter:

Does our current economic situation make sense?

Given that the U.S. Commodity Futures Trading Commission is hosting a International energy market manipulation conference to look into this, perhaps we will hear a rumor that the authorities are hot on the trail of this issue, also.

Maybe some wishful thinking on my part, but remember I'm only speculating!

FBI press release on the recent arrests, here.

Wawa gas pumps latest target of payment card skimming devices!

When I'm traveling on business in the Mid Atlantic, Wawa is a great place to stop. They literally provide just about anything a road warrior would desire.

Unfortunately their self service pumps are the latest targets of payment card (credit/debit) skimming devices. Just about any self service machine that accepts payments, or dispenses money (ATM machines) can have a skimming device mounted to it.

CBS 3 Philadephia reports:

With gas prices rising and the state of the economy in disarray, even thieves are resorting to more creative measures. At least two Wawa filling stations in the Philadelphia area have fallen victim to a string of recent credit card skimming scams.

"Just like any identity theft, until you see it on your credit card or bank statements, it's really important to check for any usual transactions," said Ela Voluck of AAA.

Thieves place a device over the card reader and can instantly record the information on the card.

Unfortunately, no pictures of the devices at Wawa seem to be available.

Recently, Redbox, a company that dispenses movies at self-service kiosks were the target of skimming devices. I have to commend them for being transparent and proactive by letting the public see exactly how this occurs.

They provided a warning on their website, along with some interesting pictures.

The only defense a person has is to carefully inspect these devices at self service places, such as the gas pumps at Wawa. Some of them are pretty bad and will literally fall off if handled too roughly.

Here are some pictures of skimming devices:

Skimmers are mounted on ATM machines, or any remote self service device. There are also portable ones that dishonest employees use to skim a card when they take it for payment.

Google has a neat sampling of pictures, which can be seen, here.

Monday, June 16, 2008

$60 billion would provide a lot of health care to the people who need it!

The candidates all are talking about making the health care system available to everyone. I wonder if any of them have considered that a lot of tax dollars are already being handed over to crooks scamming the current system providing free healthcare to the general public? Some estimate that this costs the taxpayers up to $60 billion a year.

$60 billion would go a long way to helping people, who need medical attention and can't afford it.

Carrie Johnson of the Washington Post writes:

All it took to bilk the federal government out of $105 million was a laptop computer.

From her Mediterranean-style townhouse, a high school dropout named Rita Campos Ramirez orchestrated what prosecutors call the largest health-care fraud by one person. Over nearly four years, she electronically submitted more than 140,000 Medicare claims for unnecessary equipment and services. She used the proceeds to finance big-ticket purchases, including two condominiums and a Mercedes-Benz.
And while law enforcement efforts are admirable in going after this, it is is being described as a game of "Whack a Mole."

The article sums up the problem rather nicely:

A critical aspect of the problem is that Medicare, the health program for the elderly and the disabled, automatically pays the vast majority of the bills it receives from companies that possess federally issued supplier numbers. Computer and audit systems now in place to detect problems generally focus on overbilling and unorthodox medical treatment rather than fraud, scholars say.

"You should be able to spot emerging problems quickly and address them before they do much harm," said Malcolm Sparrow, a Harvard professor and author of "License to Steal," a book about health-care fraud that advocates for greater federal vigilance. "It's a miserable pattern, a cycle of neglect followed by a painful and dramatic intervention."

Southern Florida was targeted by the authorities because a large amount of money seemed to be going up in smoke there, according to the Washington Post article.

Miami became a focus for Medicare fraud after investigators realized that a good portion of the medical suppliers weren't even open during normal business hours and didn't even have working telephone numbers (?). Even worse, the Government Accountability Office has been calling out that these programs had weak oversight for about a dozen years (?).

Southern Califonia is also one of the targets in the latest efforts to correct this problem:

The strike force recently established a base in Los Angeles, another area rife with fraud. Prosecutors announced criminal charges last month against two medical equipment company owners who are accused of falsely billing Medicare more than $2 million. Plans call for a similar rollout this fall in Houston, another potential fraud hot spot.

The political candidates can promise free health care for everybody -- but unless we start exercising a lot more due diligence spending this money -- any system is likely to go broke in a short time. I'm all for better health care for all, but we need to start making sure the money is being spent on the people receiving the care.

Spending even more money on law enforcement task forces to combat a problem described as a game of "Whack a Mole" isn't very proactive, either.

What is needed is a little more common sense in running these programs. If the programs are this mismanaged, I would propose investigating the enablers of this problem (the program managers) and find out why they are wasting so much money. By doing this, we might start spending the money where it should be spent, or on people who need medical attention.

This might go a long way to having the means to provide care to the people, who the money was earmarked for in the first place!

Washington Post article, here.

Sunday, June 15, 2008

Credit Card fraud used to fund Terrorist Organization

Here is an example of cyber crime being used to fund terrorism. Fortunately, the person behind this is now behind bars.

The Sri Lanka Ministry of Defence website reported:

The mastermind behind the international credit card fraud for funding the LTTE terrorist organization has been arrested by the Special Task Force (STF) personnel while conducting a search operation in the Wellawatta area on Friday, June 13.

The suspect Anandan, alias Neshanadan Muruganandan, was in a super luxury apartment in Wellawatta at the time he was arrested by the special police team, sources said. He had a large number of Personal Identification Numbers (PIN) and bank receipts issued by both local and foreign banks, amounting to a massive sum of money, over Rs. 100 million, in his possession when he was arrested.

This isn't the first time a tie between payment (credit/debit) card fraud and funding terrorism has been suggested. In the past, it's been widely reported that Al Qaeda training manuals teach their minions to use credit card fraud as a way to survive in foreign lands.

There has also been speculation that organized crime and terrorists mingle in the underground economy when it suits their needs. In another story, also found on Sri Lanka's Ministry of Defence site, it mentions that 130,000 passports were stolen and that some of them were provided to the highest bidder (Al Qaeda).

Also mentioned in the interesting story is other ways this terrorist group, the Tamil Tigers, obtain their funding.

While I doubt organized criminals, and or terrorists are going to admit they are taking advantage of stolen personal and financial information in public, it could be a bigger problem than we realize (?).

Here in the West, Suad Leija and her husband have been trying to get this message out to everyone on their site (Paper Weapons). If you are interested in understanding how paper (and sometimes plastic) weapons might be used by people with twisted political objectives, I highly recommend visiting their site.

Send Dad a "Phishy" E-Card for Father's Day

In case you forgot to send a Father's Day card, here are some free ones courtesy of the fine folks at the Federal Trade Commission designed to educate him about phishing, which is a leading cause of identity theft on the Internet.

These were sent to me courtesy of Alvaro Puig from the Federal Trade Commission’s Division of Consumer and Business Education in Washington , D.C.

Please note that most of the consumer awareness materials from the FTC are available in both English and Espanol.

Avaro wrote:

With Father’s Day right around the corner, I wanted to let you know about our Father’s Day phishing e-card. This e-card, which is available at (and in Spanish) gives “Dear Old Dad” some useful tips on how to recognize and avoid phishing emails and protect his personal information. The e-card also links to our newly released “Phishy” videos that are designed to create awareness of phishing in a humorous way.

The FTC and their government agency partners provide a lot of free educational resources about fraud, phishing and financial misdeeds on the Internet at A lot of these presentations are visual and great tools to learn, or spread the word!

In the war against fraud, there is no more powerful tool than communication. The reason for this is that no matter how good a scam is -- human beings are less likely to fall for it if they are aware of the consequences.

More consumer awareness information can be obtained on the FTC's website and it is available in both English and Espanol.

Saturday, June 14, 2008

Phishermen stealing food from the mouths of Children

It never ceases to amaze me how cyber criminals seem to have NO conscience, whatsoever.

The FBI and IC3 are reporting that EPPICards, which are set up as debit cards to disburse child support payments are the latest target of the phishermen.

In this instance, they are literally stealing food from the mouths of children.

From the FBI press release:

The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of phishing attacks targeting users of EPPICards. The EPPICard is similar to a debit card. EPPICards are issued by a state agency for the purpose of receiving child-support payments. The cards are currently used in 15 states.

Individuals have reported receiving e-mail or text messages indicating a problem with their account. They are directed to follow the link provided in the message to update their account or correct the problem. The link actually directs the individuals to a fraudulent web site where their personal information, such as account number and PIN, is compromised.
My humble guess is that if a parent is being forced to support their children by loading funds on a EPPIcard, the kids in question could really use the money.

If you happen to spot one of these phishing or vishing attempts, please take the time to report it to IC3.

If you want to learn more about phishing and other related Internet scams, the Federal Trade Commission (FTC) recently posted a series of videos on YouTube that can be viewed, here.

Full press release, here.

Sunday, June 08, 2008

NRF Survey shows Organized Retail Crime activity is growing!

According to FBI estimates, Organized Retail Crime (ORC) is a $30 billion a year business. The National Retail Federation's 2008 Organized Crime Survey shows another alarming trend, which is that the amount of e-fencing to sell stolen merchandise on auction sites like eBay and Craigslist has grown 6 percent.

Also mentioned in the survey are shady e-commerce sites being put up on the Internet to fence the proceeeds of ORC.

In case you've never heard the term, Organized Retail Crime, here is a good description of the activity:

Organized retail crime (ORC) refers to groups, gangs and sometimes individuals who are engaged in illegally obtaining retail merchandise through both theft and fraud in substantial quantities as part of a commercial enterprise. These crime rings generally consist of “boosters” who methodically steal merchandise from retail stores and fence operators who convert the product to cash or drugs, as part of the criminal enterprise. Some of the more sophisticated criminals engage in changing the UPC bar codes on merchandise so they ring up differently at checkout, this is commonly called “ticket switching.” Others use stolen or cloned credit cards to obtain merchandise or produce fictitious receipts to return products back to retail outlets.

The report acknowledges that these groups are using cloned credit cards to steal merchandise and or get the necessary receipts to refund the merchandise for cash.

In the wake of the TJX data breach, where up to 94 million personal and financial records were hacked, a group was caught in Florida using data from the breach (cloned cards) to buy a reported $8 million worth of gift cards.

Please note that TJX is hardly the only retailer, or financial services institution that has had personal and financial records hacked from their systems in recent history. does a good job of recording the known breaches on their Data Loss Database - Open Source .

Although not addressed in the current report, I suspect the use of fraudulent checks are used to obtain merchandise and receipts, also.

This could be fueled by another organized crime activity. Portable technology has made the counterfeiting of identification documents another growing trend. Over the past two years or so, I've had the pleasure of being able to speak with Suad Leija and her husband about this organized criminal activity on a semi-regular basis. Suad, the step-daughter of one of the top players in this game was recruited in an intelligence operation and eventually exposed a cartel operating throughout North America to the government. Prosecution of members of the cartel is ongoing in this case and Suad is currently working on a book.

These documents, which are available throughout the United States, can be easily used to support both check and refund fraud by using names that get past the data bases designed to protect retailers from these types of fraudulent activity.

Portable technology is also being used to clone payment cards and some of it is easily found on auction, or shady e-commerce sites set up to sell these devices. As of this writing, I was easily able to find credit card encoders for sale on eBay. A site called provides an array of devices that could be used to steal and produce payment (credit/debit) cards. They also provide tools to make counterfeit checks and even, paper for fake prescriptions. They do have a "disclaimer" stating that none of their products are to be used for illegal purposes, but it is pretty obvious someone could.

There is no doubt that there is a lot of technology that is enabling a lot of criminal activity out there!

NRF's Vice President of Loss Prevention, Joe LaRocca, made what I consider a sage comment on this activity:

“Law enforcement and retailers alike are fed up with organized retail crime rings and are stepping up efforts to stop them in their tracks,” said NRF Vice President of Loss Prevention Joseph LaRocca. “The brazen and unethical behavior of organized retail crime suspects results in possible health risks for consumers, adds unnecessary fees to consumers’ purchases and funds criminal enterprises, including the mob and terrorist organizations around the world.”

When I stated that this activity hurts all of us, the reason is that retailers have to make up the $30 billion they are losing to this activity somewhere. This normally equates to higher prices, or in extreme circumstances (especially in tight economic times) cutting payroll. Simply stated, people might be losing their jobs because of this activity.

So far as health risks, the report sums up the obvious risks rather well:

For example, criminals may not keep stolen merchandise in a temperature-controlled environment, so merchandise like baby formula and over-the-counter medicines can easily spoil. When criminals sell these items online through third party auction sites consumers are left with no way to guarantee they are getting safe and reliable healthy and beauty products.

I decided to see if I could find baby formula on eBay. As you can see - there seems to be a lot of it for sale on the site at discounted prices. At the time I checked 26 pages of it were for sale on the site.

Actual cases in the report that support how organized this activity has become are a $60-$100 million dollar case in Florida involving health, beauty, cosmetic products and over-the-counter medicines. Another case mentioned involved a high ranking member Gambino Crime Family and a sophisticated ticket/UPC switching case and extortion. In this case, a planted employee was making up the labels and providing temporary credit cards to move the merchandise through point-of-sale systems.

Recent initiatives to combat Organized Retail Crime include launching LerpNET, which is a crime database available to both retailers and law enforcement. Also highlighted was legislation against ORC throughout the country to "reduce the rewards and increase the risk" to the groups involved in it. Several States have already passed this legislation and more are considering it.

Full 2008 ORC Survey, here.

Large scale data theft of U.S. information uncovered in India

Stealing personal and financial information in large quantities isn't just a problem in North America and the Europe Union. As more IT functions are outsourced to a variety of countries, this information might be getting compromised from just about anywhere.

Recently, it was disclosed in the Indian press that a large amount of data was stolen by an Indian BPO from a company in United States. It's amazing this story didn't get very much coverage in the West, despite the fact that the data was stolen from a company called Noble Ventures, which is based in Florida? As a slight disclaimer ComputerWorld (Norway) and CIO (Australia) did cover the story, but I was unable to find anything about it in the American press.

I suppose in this instance we will have to rely on the Indian media to provide some transparency to this event. Parth Shastri at TNN reports:

It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US.

Dave stole data worth Rs 1 crore (ten million) from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.

Apparently this occurred after Dave got his contract cancelled with Noble Ventures Inc., who "provides customer database of 1.25 crore (ten million) US citizens to various marketing companies in the US and also has a client-base in other international markets," according to the TNN article.

Of even greater concern to me was the deduction (my speculation) that Dave had insider access to their systems after his contract was cancelled? From the article, it is unclear if this was because the access was never removed, or if he got it from another Noble Ventures employee, Milan Dabhi, who is based in the U.S. and allegedly Dave's accomplice.

In another article published by the IT Examiner in India a person claiming to be a spokesman for Noble Ventures, Sunny Vaghela with credentials as a cyber crime expert, claimed that the information was stolen, but never sold. The rationale for this was that Noble Ventures reported the theft to Indian authorities and a sting (?) was conducted.

From the IT examiner article:

He further added claiming the theft report of 12.5 million Americans’ personal and professional records to be untrue as he assumed of some kind of miscommunication between the reporters and the Police.
While I hope this is true, the logic in this is flawed (my opinion) because the information was stolen by someone, who had inside access prior to the discovery that the data was being compromised. How can it be determined that it was never sold to anyone else? Information is bought and sold in a lot of places, including underground Internet forums set up for illicit purposes. Additionally, no matter where it might have been sold, it is unlikely that anyone, who bought it illegally is going to stand up and be counted in this affair.

I went to the Noble Ventures site and they offer a lot of information for a price. Targeted data on executives, "heroes" (police and firemen), veterans and a slew of other marketing segments can be obtained. They even sell e-mail lists.

While I couldn't determine if this information was enough to open a line of credit, it could certainly be used to mount telemarketing scams, spam campaigns and even whaling (phishing) expeditions like the recent one we've seen targeting executives in the United States. Verisign just reported that 15,000 white collar types were speared in this expedition.

Please note that even though I am assuming no financial or SSN information was compromised -- if a dose of social engineering, phishing or malicious software is added to the equation -- getting the rest of the information to commit identity theft would probably be fairly easy.

Incidents, such as this, continue to point to the fact that there is too much information being stored in too many not very well protected places. In fact, this incident might point to the fact that the problem is getting worse.

We also need to remember that this information came from a U.S. company, and although I don't know where the server was physically located, it didn't have to be located in India for this to have occurred.

Information like this is protected by the FTC's Telemarketing Sales Rule.

Violations in the United States of this rule can be reported, here.

TNN story from India can be seen in full, here.

ComputerWorld, Norway story about this, here.

CIO Australia story, here.

Saturday, June 07, 2008

Does our current economic situation make sense?

Could major companies outsourcing jobs be an enabling factor in oil prices skyrocketing out of control? After all, the oil companies claim that increased demand in Asia (especially China and India) are a major reason prices skyrocket, weekly.

I guess this means we have outsourced so many jobs and manufacturing, they are using more oil?

Of course, some of other reasons used to justify oil prices increasing seem to not make very much sense. Sinister terrorist threats that never surface, or minor attacks have been used to drive the price of a barrel of oil up, also.

The problem is for the average person, it's hard to figure out if someone is telling the truth or offering us a convenient excuse for making an obscene amount of profit.

And if anyone were to blame the people in Asia for this, they would be sadly mistaken. I suspect they are being used for one thing and one thing alone, cheap labor. This cheap labor has some other ugly aspects to it, such as labor practices that wouldn't be tolerated in the West and a constant stream of unsafe and defective products being sold all over the world.

So far as placing blame, we might want to look at the few, who are making a ton of money by reducing their labor costs?

Last time I checked, the out-of-control gas prices and food shortages are impacting people in Asia and Africa pretty severely, also. Some say one of the reasons for this is all the corn being diverted to make ethanol.

While this is still merely a nuisance at the grocery store here in the West, they say it is sending people to bed hungry at night in less fortunate countries.

Sadly enough, experts are now telling us that using corn to produce Ethanol is unlikely to make an impact on the energy crisis, either. They say it uses more energy to produce than we get by using it. Is this just another venue for a few speculators to make a lot of money at the expense of everyone else?

I suppose this revelation is just another inconvenient truth?

Yesterday's sharp increase in the price in oil and the fact that we are seeing the largest loss in jobs in 20 years sparked the following commentary in the New York Times by Peter Goodman:

For tens of millions of Americans struggling to pay bills, the jobs report added an official stamp of authority to a dispiriting reality they already know: A deteriorating labor market is eliminating paychecks just as they are needed to compensate for the soaring cost of food and fuel, and as the fall in house prices hacks away at household wealth and access to credit.

The well-written commentary goes into a lot of specifics, which are pretty gloomy. It also contains quotes from the various presidential candidates, who offer completely different solutions to the problem.

For a long time, we have been hearing there is no fraud in the oil prices going out of control. Despite this the U.S. Commodity Futures Trading Commission is hosting a International energy market manipulation conference. Do they know something we don't?

Of course, in another contributing factor to the overall mess (the mortgage meltdown), the FBI recently announced that they are investigating several major companies. It's going to be interesting to see what becomes of that.

In both these contributing factors to the economic crisis, a lot of taxpayer dollars are being used to protect or bail out both of these industries. I've often wondered why the taxpayer gets to pay to protect oil producing countries and bail out corporations, who were clearly irresponsible in the way they did business?

With all the money they made, or are currently making, shouldn't they be held responsible for at least some of the costs?

If you look at the entire situation, it's hard to make sense or understand the reasons we are being given for why it is occurring.

What does make sense it that our overall perception of the public officials, who swear an oath to the protect it's citizens from enemies (both foreign and domestic)is at it's lowest ebb in history. Part of the reason for this is too many of them are getting caught with their hands in the cookie jar and the general consensus is that special interests seem to influence the way they vote more than anything else.

We are seeing a lot of talk about doing something about this problem, but little to no action being taken to correct it. A little less talk and more action might go a long way in fixing the problem. Otherwise, we might begin to think that all this talk is nothing more than a lot "hot air."

I'm not sure how much longer the voting public is going to put up with the current situation -- but one thing is clear -- politicians running for office are accepting a lot of money from lobbyists, which is a nicer word for "special interests."

As long as the public is getting gouged (my opinion) for no apparent reason, the ties between politicians and lobbyists are going to become more and more questionable.

One good place to keep up on these issues and or voice your opinion (my wife, Ellen is a big fan) is Lou Dobbs' site.

In fact, since I am slightly off my normal topic, I think I'll dedicate this post to her.

Friday, June 06, 2008

Spam ruse promising money for being an Internet crime victim spoofs IC3's name

(Picture courtesy of the FBI)

"The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA)," according to their website.

In their own words it provides a "vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime."

According to a recently released press release from the FBI's Cyber Division, the good name of IC3 is being spoofed (impersonated) to lure people into become victims of identity theft and financial crimes. In this instance, the specific come-on is a claim that they are passing out money to the victims of cyber crime.

Besides being devious - they obviously have a "sick sense of humor."

From the press release:

The FBI is asking the public to be aware of e-mail schemes containing various versions of fraudulent refund notifications claiming to be from the Internet Crime Complaint Center (IC3) and the government of the United Kingdom. The e-mails falsely state that refunds are being made available to compensate the recipients for their losses as victims of Internet fraud.

The perpetrators of this fraud use the names of people not associated with the Internet Crime Complaint Center, but give them titles in an attempt to make the e-mails appear official. The perpetrators use IC3’s logo and the former name of IC3, the Internet Fraud Complaint Center (IFCC), as well as the names of the Bank of England and the Metropolitan Police (U.K.) in the e-mails.

According to the FBI, the intended victim is required to sign a wire transfer release form in order to receive their refund. In actuality the scammers behind this will probably use the release form to have the bank wire all the money out of an account to them.

I haven't seen one of these spam e-mails yet. They could use different come-ons, or even drop malicious software on your system. When this occurs malware steals all the information from your computer, automatically.

If you would like to learn about cyber scams, the FBI site has a lot of relevant information. They are also requesting that if you spot one of these scams to report it directly to the "real" IC3 site.

Press release on this matter, here.

Monthly Spam report reveals how uncertain economic times are fueling new scams!

(Courtesy of Symantec)

With prices rising out-of-control and foreclosure signs being used to market real estate, one might think that scam artists and other less than ethical people would lay off for awhile. Think again, they are out in force and coming up with devious methods to make bad situations, worse.

I follow Symantec's spam report on a monthly basis. If you want to get an idea of what fraud campaigns are being run by cyber criminals, or what new twists to old scams are surfacing - it's a great place to get an overview.

Interestingly enough, the report starts with a comparison of e-mail spam to the lunch meat it is named after:

The harsh economic times can be witnessed from every angle, with the rise not only in email spam, but also the sales of the actual lunchmeat product, Spam. According to NBC’s Brian Williams, the spike in Spam sales is a huge economic indicator of the times, and families trying to do more with less. The exact same could be said for email spam. With spam messages accounting for over 80% of email in May 2008, the economic slowdown and its effects are definitely being targeted by spammers – preying on the hardships of people not only in the United States, but Worldwide.

In the past month, the economic stimilus program and the disasters in China and Myanmar have clogged inboxes with come-ons designed to trick people out of their money, or even worse (if a little malware is dropped) all the personal and financial information off their computer.

The report also highlights a campaign in China, offering fake invoices to avoid paying taxes.

Also noted was a scam to sell tickets to the Championship League Final, which was the biggest football (soccer) event in recent times:

The biggest football game in the European football calendar took place on May 21, 2008 in Moscow. Tickets were in big demand all over Europe for this event, and spammers certainly took notice.

Under the guise of a travel agency, the spammer offered the recipient “a unique opportunity” to acquire tickets for the game. The prospective customer was asked to click on a link to purchase the tickets and provide personal details. The recipient was then instructed to go to a legitimate online payment site to complete the transaction.

When the recipient paid for the tickets using the legitimate online payment site, the spammer requested that they email their name, surname and the unique online payment voucher number to the spammer in order to receive the tickets. The legitimate online payment website for the Champions League Final clearly states that the unique voucher number should never be emailed and only used on secure websites that accept their payments.
Please note that ticket scams are nothing new and the more popular the event is, the more likely spammers (scammers) are going to try to dupe people out of their money in the hopes of securing a ticket.

The June report highlights how spam has become a problem that has become International in nature!

Full June report from Symantec can be accessed, here.

Previous posts I've done on the monthly Spam Report can be seen, here.

Sunday, June 01, 2008

Fraudsters mutate counterfeit MoneyGram money order scam to fool victims/financial institutions

Counterfeit MoneyGram Money Orders seem to be surfacing all over the place, again! Here is what I wrote about them the last time I posted on them:

Recently, MoneyGram removed the Travelers Express name from their money order product. The new version is branded simply as MoneyGram, printed in Spanish (Espanol) in addition to English.

The old version with the Travelers Express name have been counterfeited and circulated via Internet scams for a couple of years. A lot of them had Walmart's logo printed on them. We've seen similar counterfeit American Express Gift Cheques and Postal Money Orders in recent years, also. Some of these items are still in circulation, including the older Travelers Express version.
For a long time, the counterfeiters seemed to prefer using a Walmart logo. Some of them even came with a letter from Walmart Financial Services.

The newer version, I saw on Friday bear a CVS Pharmacy logo and they are being distributed in lower dollar amounts. Presumably, the high dollar amounts $700.00 and over were being looked at too closely by financial institutions.

Not sure, but they could be starting to use a variety of logos to make them look legitimate. If anyone reading this has seen different, please add a comment to let everyone know.

The newer items seem to be in denominations of $500.00 or less.

These items normally are obtained when a person gets involved in a too good to be true financial scheme, or is solicited by a beautiful woman (or man) needing to be rescued from a foreign locale. This normally occurs on the Internet.

Here are some examples of the lures used to pass these items, along with links to old posts:

Some of these lures include, but aren't limited to (new lures surface frequently), secret shopper, romance, lottery, work-at-home and auction scams.
Sadly enough, the lowering of the dollar amount seems to have had limited success because I am getting reports that some of these items have been cashed at financial institutions.

The saddest part of all of this is (from an earlier post):

A common denominator in most of the scams is that there will be a request to send the proceeds, minus your paltry cut (normally via wire transfer) back to the person sending you the instruments. That is (unless) they are buying goods from you. In this case, your property is what they want you to send to them.

In other words, if the item is cashed at a financial instiution, when it comes back as a counterfeit -- they will hold you and YOU ALONE liable.

Even sadder, people are also getting arrested for passing them. When counterfeit instruments started getting passed in Internet scams, the financial institutions were a lot more forgiving. This isn't necessarily the case anymore with the amount of losses being taken out there.

More and more often, criminals pretend to be victims and pass the items. I call these people, "reverse scammers" because they have no intention of wiring any money back to the original scammer.

If you are a true victim, I recommend taking to the good folks at FraudAid, who advocate for the people that are really victims. The key is being able to show all the correspondence, along with proof that money was actually wired. If you kept the money from the transaction, it is going to be hard claiming "victim status."

The best way to avoid getting scammed is to call and verify the item at MoneyGram, itself. This can be done by calling 1-800-542-3590. In almost (although not always in theory) all cases, this call will reveal the item as a counterfeit.

MoneyGram money orders aren't the only instruments being counterfeited. Counterfeit cashier's checks, money orders, gift and travelers cheques are also being counterfeited and used in these types of scams.

If you want to learn more about these scams, I recommend going to, who has some great videos illustrating the scams used to pass these items.

Bank of Mellon reports a second data breach

Last week, the Bank of Mellon disclosed they had lost unencrypted tapes containing the personal and financial information of several million people about three months ago.

Now it is being revealed that about a month ago, another incident involving a missing (unecrypted) tape occurred. This time, scanned images of checks, along with other assorted sensitive information disappeared. The Check 21 Act, passed in 2004 allows financial institutions to electronically deposit images of checks instead of using the actual paper check, itself.

According to press release on the matter, they are now going to start using encryption. I wonder how many other institutions out there are still not encrypting all of their confidential information?

Ironically, if you read the privacy and security pages on Bank of Mellon's site, they seem to be very pretty savvy about both identity theft and privacy issues.

The first incident occurred on February 27th and the now revealed second incident occurred April 29th. If they knew it happened on April 29th, why wasn't this one reported with the other one? The February 27th incident was reported last week, which was well after April 29th.

Of course, I'm sure that the "official explanation" will be that they didn't know if it was really missing and no one is really sure if the information is being used to commit identity theft.

Here is the low down as reported in Pittsburgh Tribune Review on the April 29th occurrence.:

The most recent incident occurred on April 29 when a backup data-storage tape containing images of scanned checks and other payment documents was lost while being moved from Philadelphia to Pittsburgh, spokesmen for the bank said Friday. It involved data of 47 institutional clients and a yet to be determined number of individual customers.

A ComputerWorld article by Brian Fonseca highlighted concerns that are being investigated by Connecticut Attorney General Richard Blumenthal, who is working with his peers in other States to determine why it took so long to report the matter. AG Blumenthal is also asking some hard questions as to why some tapes disappeared and other ones arrived at the storage facility.

The obvious reason, he might ask this question is that it probably points to an insider being involved (my speculation). If this is the case, it is very likely they had somewhere to get rid of the information, or more specifically, sell it.

His press release on the matter listed a lot of institutions, who may have had customers compromised in these incidents.

One thing I wanted to add is that in the most recent occurrence, they are stating scanned checks were contained on the tape. This would make it pretty easy for criminals to use the information to produce counterfeit checks. In recent years, we've seen checks counterfeited on a massive scale, and sent all over the world via snail mail, or even Federal Express and UPS. A recent joint investigation conducted in several nations revealed that these items were being produced on an industrial scale in certain countries.

Many of these counterfeit checks are passed via "too good to be true scams" on the Internet. There are also organized criminal gangs that pass counterfeit checks, also.

Interestingly enough, the way laws governing counterfeit checks are written, the banks have almost zero liability and pass off the loss to the entity who accepted them.

Since counterfeit checks are normally exact copies of actual checks, this made me wonder if sometimes the source of the information to produce them is coming from all the scanned checks being electronically transferred between businesses and financial institutions? Payment (credit/debit) card is transmitted and stored pretty much the same way, and there is certainly a history of these transactions being targeted for criminal purposes, frequently.

According to their most recent press release, the Bank of Mellon is offering free credit monitoring and identity theft insurance through Experian. This has become standard in the wake of most data breaches, but it doesn't necessarily protect a person from all forms of identity theft.

Some examples of where free credit monitoring doesn't catch identity theft right away are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

Additionally, the ComputerWorld article mentions that at least one class action law suit has been filed as a result of this:

This week, a lawyer representing 40 affected individuals filed a class-action lawsuit against the New York bank in Connecticut Superior Court. Attorney Michael Stratton, who represents the plaintiffs, said he is seeking up to seven years of free credit monitoring and credit insurance for customers, along with unspecified damages.
I found a list of companies that might have had their customers compromised in these data breaches on the Connecticut AG site:

People's United Financial Inc., John Hancock Financial Services, Inc. (acquired by Manulife Financial Corporation), The Walt Disney Company, TD Bank Financial Group, The Bank of New York Mellon Corporation, Hudson United Bancorp (acquired by TD Bank Financial Group), United Parcel Service, Inc., Wachovia Corporation, MetLife, Hudson City Bancorp, Eastman Kodak Company, Burlington Resources (acquired by ConocoPhillips Inc.), Providian Financial (acquired by Washington Mutual, Inc.), Penn Fed Financial (acquired by New York Community Bancorp), ADESA, Inc., Alcatel-Lucent, Odyssey America Reinsurance Corporation, Seacoast Financials Services Corp. (acquired by Sovereign Bancorp), Viewpoint Bank, Diamond Shamrock (acquired by ConocoPhillips Inc.), Sound Federal Bancorp (acquired by Hudson City Bancorp), Big Lots, Inc., Guidant Corporation (acquired by Boston Scientific Corp), New York Community Bancorp and ACE Limited.

Bank of Mellon press release on this matter, which contains information for potential victims, here.