Sunday, August 24, 2008

How to buySAFE on the Internet

(Courtesy of buySAFE)

The Center for American Progress and the Center for Democracy and Technology recently released a report concluding that not enough is being done to protect the public from fraud on the Internet. "If problems such as malware, phishing, and spam are left unchecked, many consumers may lose trust and abandon e-commerce," according to the report.

What if a shopper could safely enjoy the convenience, lower prices and choices offered by the world of e-commerce, while avoiding all the fraud lurking on the Internet free?

In 2006, buySAFE entered the e-commerce scene with a unique concept, giving sellers the ability to become bonded and display the buySAFE seal on their site. Once a seller is bonded, the purchase is guaranteed up to $25,000.

The buySAFE guarantee covers virtually any loss that might occur during an online shopping transaction. This includes, but isn't necessarily limited to, fraud, phishing and financial misdeeds.

Last month, they grew their concept with the buySAFE Shopping Advisor, which is a free software tool that rates the safety/security of all sites within a search term. The tool also points to sites with the buySAFE seal, which guarantees the transaction.

Shopping Advisor leverages buySAFE’s advanced technology and bonded merchant customer base to provide a fully closed-loop safe shopping experience. "There is nothing else like it in the world as it provides comprehensive safe shopping for consumers from search through purchase and beyond – guaranteed," according to Jeff Grass, buySAFE's CEO.

While buySAFE offers a free service to the e-consumer, they aren't in business to lose money. Some of the due diligence performed on every bonded merchant includes ensuring they have an SSL certificate and a privacy policy describing how they protect personal information. Additionally, bonded sellers are required to allow buySAFE access to inspect their business anytime they choose to do so.

Shopping Advisor provides a tool to analyze e-commerce sites and provides a safe shopping portal, which consists of bonded sellers, only. Once in the safe shopping portal every purchase is guaranteed within the limits of the bond buySAFE provides.

Shopping Advisor uses buySAFE's proprietary website inspection and assessment technology to analyze almost 100 different safety/security attributes of an e-commerce site. It then provides objective ratings on the site when searching with Google, Yahoo and MSN (Firefox is on the way). This allows the shopper to make an informed decision before forking over their hard-earned cash.

Within the Shopping Advisor tool is the Safe Shopping Portal providing alternative product choices from thousands of merchants that are protected with the buySAFE seal. It is within the Safe Shopping Portal that every purchase is guaranteed with a Bond of up to $25,000 and it's protected against identity theft, also.

Essentially, Shopping Advisor shows all the shopping opportunities for the search term listed, rates the sites in question and then gives the consumer the ability to make an informed buying decision. If the buyer chooses to buy a product via the Safe Shopping Portal, it is automatically guaranteed and the transaction is protected against identity theft for 30 days. When the buyer purchases an item from the Safe Shopping Portal, they automatically receive an e-mail with the specifics on the guarantee for their personal records.

buySAFE offers a lot of benefits to sellers, also. The biggest is what ensures any successful business: the trust of its customers. They've also added a cost-per-sale pricing model that has received positive feedback from the merchants using it. If a merchant needs more information on this, I'll refer them to Jeff Grass' blog, or the press release on this matter.

According to most if not all of the reports out there, Internet crime continues to grow and become more sophisticated. That said, no matter how sophisticated it becomes, the primary motivation to commit cybercrime is money. This rings true from the most simple social engineering scheme to the most sophisticated attacks using crimeware. What buySAFE has done is remove this primary motivator from the mix, or at least made it a lot less attractive to Internet fraudsters, charlatans and tricksters.

Shopping Advisor takes this concept to the next level by providing the consumer with a tool to make an educated shopping decision without falling prey to the pitfalls of a too good to be true come-on. Too good to be true lures are the common theme Internet fraudsters, charlatans and tricksters use to snare their prey. In other words, Shopping Advisor is a tool a consumer can effectively use to practice the principle known as caveat emptor, or buyer beware.

buySAFE is also offering a shopper referral program. They pay $1.00 for every user referred to Shopping Advisor. This is a great fundraiser opportunity for charities, sports leagues, churches or any good cause.

Saturday, August 23, 2008

Cost Plus Customers Compromised in Data Security Incident

Cost Plus World Market is another retailer where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting an unusual amount of fraud accounts that had one thing in common: they had been used at Cost Plus.

I picked up this story in an article published yesterday (08/22/08). The only other mention of it I could find was in a report by FOX News on 7/22/08.

Both the article and the official press release state that only debit and not credit cards have been reported compromised. Given that the hardware compromised accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers who might have been compromised. They have also brought in an external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen despite the fact that the retailer was compliant with payment card industry security standards. Speculation is that this is done when the information is being transmitted internally before it is transmitted to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back in and retrieve the PIN pad to gather the payment card information, or pick it up via a wireless connection.

Since then my speculation is that the hacking methods being used have become more sophisticated and PCI data protection standards -- designed to protect merchants from data compromises -- might no longer be 100 percent effective.

Data compromises cost the victim affected, the retailer and the financial institutions issuing the payment cards.

I tend to write on behalf of the victim and I wanted to point to an excellent article by Tom Fragala, where he analyzes the protections offered when using credit and debit cards. General consensus is that it is a lot safer to use a credit card from a consumer point-of-view. Note I'm saying this from a security point-of-view because too much credit card debt isn't always a good thing, but that's a whole other subject.

Tom is a fellow blogger, and the CEO of a privacy friendly identity theft protection service (Truston) that just won another in what is becoming a long string of awards. They also offer a 45 day (completely) free trial to use their services.

As long as there is a lot of money to be stolen from payment cards, criminals are going to be motivated to defeat security fixes.

The recent news that one of these retail hacking rings was caught and put behind bars probably will go a lot farther in preventing data compromises than security fixes, which seem to be counter-fixed fairly frequently.

The eleven Cost Plus Stores known to have been compromised were San Diego (372 Fourth Avenue, San Diego, CA 92101); Oceanside (2140 Vista Way, Oceanside, CA 92054); La Jolla (8657 Villa La Jolla Drive Suite 117, La Jolla, CA 92037); Mission Viejo (28341 Marquerite Parkway, Mission Viejo, CA 92692); San Dimas (638 West Arrow Highway, San Dimas, CA 91773); Valencia (25676 North The Old Road, Valencia, CA 91381); Palm Desert (44-439 Town Center Way, Palm Desert, CA 92260); Oxnard (221 Esplanade Drive, Oxnard, CA 93030); Westlake Village (Thousand Oaks) (160 Promenade Way, Westlake Village, CA 91362); Tucson East (5975 E. Broadway, Tucson, AZ 85711); and Tucson (4821 North Stone Avenue Tucson, AZ 85704).

Cost Plus also has a FAQ page for people who think they may have been compromised.

Monday, August 18, 2008

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

The report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key component of any successful business. Malicious software, phishing and spam were cited as primary causes for the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle of fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that the ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, its resources are limited and more action by the State attorneys general is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received in 2006 and 2007. Thirty-six States responded and most of them had an Internet-related category listed in their top-ten complaints. It was also noted that overall Internet-related complaints increased from 2006 to 2007. Eight of the States listed Internet-related complaints in their top three and four States listed them as being the number-one complaint.

The FTC, which gathers data on a much wider scale, noted an increase of 16,000 Internet-related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States alone. Given that the estimated losses in 2006 were a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the criminal activity on their sites. Since Internet Service Providers and auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

This list of Internet crime enablers is long and the ones referenced regarding service providers and auction sites are merely two examples of them. But if you were to take a look at all of them, they have one thing in common: maintaining an environment conducive to making money easily. The question is how long will it take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem?

Sunday, August 17, 2008

Cyber Warfare, Not Just a Theory Anymore?

Last week, the news of a cyber attack by Russia against Georgia made this type of warfare become a chilling reality. According to an article in the LA Times, it also revealed how ill-prepared most of the world is to deal with this new threat.

Most of the experts now agree that cyber attacks started well before lead started flying and were not very sophisticated by current standards. Most of the attacks were run of the mill DDOS (Distributed Denial of Service) type events designed to deface and shut down government sites.

One of the problems is that no one can actually pin the attacks to the Russians. As usual, botnets of zombie computers were used to facilitate the assault on the sites in question. Since these zombie computers are taken over by malicious software -- normally after an unsuspecting user clicks on a link in a spam e-mail -- the computers used in the attack probably resided in locations all over the world. Botnets are also used to send out the spam e-mails with the malicious links that turn systems into what are known as zombie computers, which add to the power of the botnet.

Researchers at Shadowserver, a volunteer group monitoring cyber attacks, have traced the attacks against Georgia as starting in July and being based out of the United States, according to an article in the New York Times. The Times article suggested that there might be ties in this attack to Russian organized cyber criminals.

It should be noted that the words Russia and cyber crime bring up pages of results on most search engines. Russian organized crime is also known to have a global reach so it is no surprise that some of the current DDOS attacks were traced to a server in the United States. Simply stated, these attacks can be made to appear as if they are coming from just about anywhere.

While this is one of the first times cyber warfare has actually occurred, it's starting to become a topic of concern in government circles. As a matter of fact, in April it was a hot topic at the NATO summit and an EU conference. China is also known to be actively seeking a cyber warfare capability and gets accused of hacking into other governments' websites all the time.

Last year, Estonia suffered cyber attacks, which were allegedly facilitated by Russian hackers, also. In an interesting development, Network World reported that they are sending cyber defense advisors to assist the Georgians.

Wikipedia has an interesting article (Wiki) on cyber warfare. It cites that McAfee stated in their 2007 annual report that approximately 120 countries have been developing cyber warfare capabilities designed to disrupt financial markets, government computer systems and utilities. The article also lists several examples of attacks, which many suspect were facilitated by the Russians or the Chinese, that have recently occurred.

The McAfee report surmised that cyber attack capabilities are becoming a global issue as well as a threat to national security. Current events seem to be making that prediction turn into reality.

Saturday, August 16, 2008

Lottery Bandit Nabbed in California

While too good to be true lottery scams hit the news all the time, stories of crimes involving real lotteries happen less frequently.

Apparently, a 37-year-old Ceres, California man was arrested by local and state detectives after stealing thousands of lottery tickets in a series of burglaries stretching throughout California's Central Valley. I suppose this takes the gambling addiction warnings on the California lottery site to a new level?

The lottery addict in question, one Matthew Roberts, is a suspect in 30 burglaries from November to June that had one common denominator -- the theft of lottery tickets. During the arrest at a house in Ceres, several other people were arrested for drug and parole violations, also.

Investigators with the California Lottery’s Law Enforcement Division began to see a pattern in the lottery ticket thefts that were occurring, according to the press release on this matter. They began working with the local authorities in the area where the burglaries were occurring.

In May, alert SaveMart grocery store employees noted an individual attempting to cash in on a winning lottery ticket reported stolen in the burglaries. They were able to get a license plate number and this led to Roberts being identified as the lottery ticket bandit.

Roberts has been charged in three of the burglaries and for auto theft. According to the authorities, there will be additional charges filed in the coming weeks as well as additional arrests. I guess this means that there might be additional lottery bandits still at large?

In this instance, we are probably dealing with a not so bright criminal. Given that lottery security is extremely tight and the inventory is tracked by computer -- stealing lottery tickets probably isn't the smartest way to win a lottery. It's pretty obvious that the alert employees at SaveMart were tipped off electronically that the ticket(s) being presented were "hot."

This isn't the first time in recent history, the California Lottery Police have made headlines. In May, it was announced that they were using undercover agents to catch dishonest retailers, who were cheating winners out of their prizes. Winning tickets of $500 to $25,000 were presented to retailers and several of them were caught pretending the prize was smaller and keeping the proceeds for themselves. Several arrests were made throughout California as a result of the sting.

FBI Educates Public on Mortgage Scams

A lot of people are in dire financial straits because they got sucked into what is now being called the mortgage crisis.

Now that the problem is being examined carefully, a lot of fraud is being blamed as being a contributing factor to the entire mess. The problem is that the fraud aspect of the mortgage crisis is hardly over. Mortgage scams designed to take advantage of people in financial trouble are flooding the Internet and even the classified section of local newspapers.

Mortgage fraudsters for the most part don't have a conscience and could care less if they steal from your grandparents, neighbors or you!

The FBI, which has put more than a few of these people behind bars in recent history, is using the intelligence gathered in their investigations to reach out to the public on how to avoid becoming conned with promises of a new beginning, or rescue from their current dilemma.

“And while some of these steps may require you to do a little extra work now in the long run it may save you aggravation, money, and even your house,” according to Special Agent Scott Broshears, a mortgage fraud supervisor with the FBI.

The first recommendation is to get referrals and then check out the licenses of real estate and mortgage professionals with government (state and local) regulatory agencies.

They also recommend that you do your own research on what homes have been sold for in your area. Checking out tax assessments is one way to do this.

Beware of too good to be true mortgage deals, especially using a no money down gimmick.

Never let anyone talk you into making a false statement on a mortgage application. This is how a lot of people ended up with mortgages they couldn't afford in the first place.

Don't sign a blank document or a document with blank lines. Something could be added later. Read everything thoroughly and if you don't understand everything completely get legal assistance.

Don't get conned into paying an upfront fee to get out of mortgage trouble. Be especially wary if these solicitations come from e-mail or web advertisements. You will likely be out the up-front fee and in the same boat as before you paid for the assistance.

In more sophisticated upfront (advance) fee schemes involving foreclosure fraud, victims are even talked into signing over their property. The victim loses the upfront fee, their house and still owes their mortgage when this occurs. Advance fee fraud has been around for centuries and is merely a false promise of something that is too good to be true in return for an advanced payment.

On a final note, the FBI recommends that if you are facing foreclosure, the best thing to do is to see if your lender will work for you.

Agent Broshears and the men and women working with him have seen their case-load with mortgage fraud triple in the recent past. By sharing these tips, learned from real life investigations, they hope to make their job easier and see a few less people victimized by this growing phenomenon.

If you need more information on mortgage fraud, the FBI has a page on their site dedicated to this subject.

Wednesday, August 13, 2008

BlackHat Experts Predict the Hot Computer Security Topics for 2009

On the opening day of the BlackHat 2008 conference, Symantec did an anonymous survey of the attendees to discover exactly what they thought would be the hot security topics in the upcoming year.

While no one can predict the future, I found some of this fairly interesting.

The sample group consisted of IT managers, security researchers, and executives from several different industries, and of course, the government. The group surveyed could be considered international in nature, also. Experts from North America, Latin America and the Asia Pacific all voiced their opinions regarding what will become the hot security topics in the upcoming year.

Most surveyed seemed to believe that Web 2.0 and virtualization will be exploited frequently in the next year. In the post I read about this by Zulfikar Ramzan, he mentions that Symantec has invested considerable resources in developing technology to prevent exploits in both these areas. He also mentions that Symantec is developing solutions to the increased dangers of what is known as drive-by pharming. In drive-by attacks, all a user has to do is visit a malicious site to be infected.

Earlier this year, Zulfikar reported on one of the first sightings of drive-by pharming in the wild.

Another ongoing concern, especially with crimeservers being found in the wild with gigabytes of personal and financial information, is the ongoing issue of data theft. Data theft is and will probably be the primary motive for most of the exploits out there. On a personal level, what scares me is the increasing sophistication of the attacks and the ever increasing amount of information compromised.

The respondents in the survey believe that most data will be stolen via insufficient access controls, laptops gone missing, data sent to third parties, and data being wrongfully posted to the Internet, intranet, and extranet.

Another new solution mentioned by the respondents is whitelisting. In simple terms, whitelisting is where a system is protected by only allowing approved sources to integrate with it. If a file or application isn't approved by the whitelist, it simply will not run.

Also mentioned in the Symantec post is what motivates researchers to examine and sometimes even develop malicious technology for research purposes. Some mentioned they need to do it to accomplish their jobs -- while others mentioned personal profit and even fame as their primary motivation. So far as developing malicious technology for research purposes, the post points out the danger that some of this research might accidentally be leaked into the wild.

A recent example of this occurred with DNS Cache Poisoning, which was covered in more detail at the conference by the person who discovered it, Dan Kaminsky. DNS Cache Poisoning allows an Internet bad guy (or gal) to redirect a user to a malicious site without their knowledge. Within days of the information being leaked, instructions (computer code) were put into a hacker tool called Metasploit. Metasploit is a controversial tool used both by researchers to work on exploits and by hackers to launch attacks.

The DNS Cache Poisoning exploit was made public prematurely. Kaminsky and a whole crew of experts had secretly been working on solutions to protect systems from the exploit before it was leaked. On Monday, the Register reported that large areas of the Internet remain at risk.

So far as platforms that are of the most concern, the respondents listed XP over Vista, which is a turnaround from last year where the concerns were exactly the opposite. A speculation for this was cited as the industry being slow to adopt the Vista platform.

With DNS Cache Poisoning and Gigabytes of personal information being found floating around the Internet, there is little doubt 2009 is going to be an interesting and challenging year for the BlackHat attendees. In my humble opinion, it all boils down to the fact that information is worth a lot of money that criminals and businesses alike see as a cash cow.

Maybe in 2009, we will take a look at what enables the problem in the first place? Until we do, I fear the problem will only continue to grow.

Monday, August 11, 2008

This Year, Fraud Will Cost Businesses $994 Billion in the U.S.!

U.S. organizations lose about 7 percent of their revenues to fraud, according to the Association of Certified Fraud Examiners. When compared to the projected U.S. Gross Domestic Product for 2008 -- 7 percent equates to $994 billion.

In their just released Report to the Nation on Occupational Fraud and Abuse, the average case cost a business $175,000. In a quarter of 959 cases used to compile the study, the loss was $1 million or more. The most costly type of fraud was financial statement fraud -- more commonly known as cooking the books -- which cost organizations an average of $2 million.

Not surprisingly, smaller businesses suffered the greatest losses. I say not surprisingly, because smaller businesses normally can't afford dedicated resources to detect and prevent fraud. For small businesses, the average case studied cost about $200,000.

The most common type of fraud found in the study was corruption and the second most common was fraudulent billing. The average scheme wasn't detected for two years and the most common form of detection was from a human being tipping off management, or a business owner.

In the small business fraud model, check tampering was a common cause, also.

Businesses that had fraud controls did a lot better than businesses that didn't, according to the study. For instance, businesses that did surprise audits suffered an average loss of $70,000, while businesses that didn't suffered an average loss of $207,000. Other controls that made an impact cited in the report are anonymous hot lines, training management to detect fraud and hiring dedicated personnel to detect and resolve fraud.

According to the report, fraud perpetrators can be identified by the behaviors they display. These include living beyond their means, financial difficulties or even by trying to please their boss by making it appear that the business is doing better than it really is. Please note that in the case of larger corporations, the word "boss" can mean investors or shareholders.

Please note there are many more signs of dishonesty and recommended controls for small business owners. Another good resource to read about these subjects is put out by the National Association of Veterans' Research and Education Foundation.

The extensive report covers all type of fraud, whether they are financial, or otherwise. The three main categories it is broken down into are Corruption, Asset Misappropriation and Fraudulent statements. Corruption schemes entail bribery, conflicts of interest, illegal gratuities and economic extortion. Asset Misappropriation schemes (most common) cover cash manipulation, inventory theft, and fraudulent disbursements.

For those businesses that can't afford hired help to deal with fraud, I guess this means an owner should check their books and accounts randomly without letting their employees know when they are going to do it. They should also diversify controls and oversight (separate key duties). No one person should have complete control over a revenue stream or valuable asset. Additionally, there are third-party anonymous hot line services, and if they are too expensive, a creative small business owner might set up a telephone line with voice mail and have some posters made.

As far as training management and employees on what to be aware of, the current ACFE report is a wealth of information, also. A little awareness and knowledge of how fraud is facilitated can go a long way towards preventing it, as well as giving your human resources the knowledge to spot and report it.

Most fraud is defeated by people who are knowledgeable about what to look for. This is because fraud schemes rely on tricking everyone else into thinking nothing is going on.

On a final note, if you are a small business owner and detect fraud, I recommend leaving any legal recourse matters to someone who is familiar with how to do it. Handling these matters the wrong way can add to the problem by causing other losses, such as civil litigation or protecting yourself against it. In any situation where a crime is detected, the best thing to do is to contact the authorities and seek their assistance with it.

Wednesday, August 06, 2008

Largest Identity Theft Ring in History Indicted

Yesterday, the U.S. Department of Justice announced that eleven perpetrators behind the largest known identity theft ring in history have been charged with conspiracy, computer intrusion and identity theft.

Allegedly, the group is responsible for stealing and selling more than 40 million credit and debit card numbers. The credit and debit card numbers were intercepted electronically at nine retailers, who transmitted their unprotected financial information using wireless networks. Once they hacked into the wireless networks, the group would install packet sniffers to capture card numbers and PINs.

TJX, which was severely criticized for its breach of approximately 8.5 million records, wasn't the only retailer being compromised. BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW were being compromised, also. The restaurant chain Dave & Buster's was also compromised by having "packet sniffers" installed on their point of sale terminals by the group.

Merchants have been under fire for not meeting PCI data security standards, which were developed by the payment card industry to protect systems against compromises. The National Retail Federation has fired back at the payment card industry for forcing merchants to store sensitive information, which can easily be stolen. In a recent data breach involving the theft of 4.2 million card numbers, Hannaford Brothers had been certified as being PCI compliant, which led a lot of people to speculate that PCI data security standards might be outdated, themselves.

Packet sniffers are used to monitor information in a network and can be used to gather a lot of sensitive information. Detecting a packet sniffer on a wireless network is known to be extremely difficult. A practice known as "wardriving" is when people drive around and try to pick up wireless signals from unprotected networks. Computer security experts highly recommend making wireless networks secure, including those of the home variety, by password protecting them. Software to assist people who do this is freely available on the Internet.

After the information was stolen, it was stored on encrypted computer servers in Eastern Europe and the United States. Some of the stolen data was sold to other information criminals via the Internet. The group also counterfeited their own cards and used them to steal money from ATMs.

Recently, Finjan, a computer security company, announced finding servers with a lot of stolen information on the Internet. At least one of the crimeservers found by Finjan wasn't even password protected. Finjan reported finding these crimeservers using simple Google searches.

The money was laundered using Internet-based currencies and by moving funds through banks in Eastern Europe.

Three executives at E-Gold, which is an Internet-based currency, recently pleaded guilty to allowing criminal activity of this nature (money laundering) using their service.

The criminal activity started in 2003 and went right up to the present time. Albert "Segvec" Gonzalez, of Miami, one of the main players in the group, was previously arrested for similar activity in 2003. During the current investigation, the Secret Service discovered Gonzalez was working as a government informant and involved in the criminal activity at the same time.

Also charged in the indictments yesterday were Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia. Hung-Ming Chiu and Zhi Zhi Wang, of the People's Republic of China, were also charged. Sergey Pavlovich, of Belarus, and Ukrainians Dzmitry Burak and Sergey Storchak were also named in the indictment. Two U.S. citizens, Christopher Scott and Damon Patrick Toey, finished up the long list of names from all over the world involved in this organized criminal enterprise.

The activity took place in numerous countries, including the United States, Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines and Thailand.

These indictments are the result of a three-year investigation conducted by the Secret Service. As the case progresses, it is being reported that they will be working closely with the IRS on the money laundering aspect of the case.

Sunday, August 03, 2008

Bills Introduced to Combat Organized Crime on Auction Sites

While stories of individual people getting scammed on auction sites are legendary, individuals aren't the only ones victimized on these sites. Large retailers and brand owners are also victimized when their stolen or counterfeit merchandise is sold on these sites.

In response to this, two bills are being introduced to combat this problem in the halls of Congress.

The reason this has become a growing issue is that criminals can net 70 percent of the value of stolen merchandise on an auction site versus the going 30 percent received on street corners, flea markets and pawn shops. As for all the knock-off (counterfeit) goods being sold on auction sites, it's hard to put a dollar loss to it, but many believe it's substantial.

According to the International AntiCounterfeiting Coalition, counterfeiting costs U.S. businesses $200 to $250 billion a year. Counterfeiting and e-fencing pose safety risks to the public-at-large, also. Outdated merchandise, or merchandise that isn't what it is advertised to be, could potentially poison people, or cause bodily harm when it doesn't work like it's supposed to.

Simply stated, auction sites provide an anonymous marketing environment to sell both stolen and counterfeit goods.

“By hiding behind the anonymity of the Internet, they can make more money with less risk of getting caught than selling to a stranger on a street corner who might turn out to be a police officer. This bill would lift that cloak and help law enforcement put on-line criminals where they belong – behind bars,” according to Joe LaRocca, the National Retail Federation's Vice President of Loss Prevention.

To address this problem, a federal bill (H.R. 6713, the E-Fencing Enforcement Act of 2008) is being introduced by Representative Bobby Scott, chairman of the House Judiciary Committee’s Subcommittee on Crime, Terrorism and Homeland Security.

The bill will require on-line auction operators to maintain information about high-volume sellers and provide the information to a person with "standing" once a police report is filed. The definition of a person with standing would be a law enforcement officer or a representative from a company that has an interest in the merchandise being illegally sold on an auction site.

This is the second bill introduced recently to combat organized retail crime, which costs retailers anywhere from $15 to $30 billion a year. On July 15th, H.R. 6491, the Organized Retail Crime Act of 2008, was introduced by Representative Brad Ellsworth, a former county sheriff, along with Representative Jim Jordan, as the lead co-sponsor. The bill establishes that unless auction site owners can show specific steps to prove goods being sold were not obtained by theft or fraud, they could be viewed as "facilitating" the activity. This bill will also require site operators to cooperate with the police and organizations with a stake in stopping the activity. In certain instances, it will also allow merchants to initiate civil actions over stolen merchandise being sold on an auction site.

In the past, auction operators have been criticized for not effectively cooperating with companies and law enforcement when they made an inquiry into suspected criminal activity on their sites. It has also been established that smaller (individual) victims and merchants often receive little to no assistance after being victimized in an Internet auction deal.

E-fencing, phishing, counterfeit goods and the use of fraudulent financial instruments to buy merchandise from unsuspecting customers have all victimized countless people and organizations on auction sites.

Criminals often lure people to do their dirty work, also. Recruits are normally harvested off the Internet, sometimes from job sites, and offered work to reship stolen merchandise and/or launder money from fraudulent transactions. Much of this activity involves sending money or hot merchandise across an international border, making it extremely difficult to track.

A lot of criminal activity is facilitated on auction sites by what is known as phishing. Phishing is where an account owner is tricked into giving up their account details, either via social engineering or, more and more often, after downloading some malicious software. The stolen account details are then used to take over the account and use it for illicit purposes.

In fact, eBay and PayPal accounts are frequently the most phished brands out there.

Phishing, normally facilitated by spam e-mails, is another ever-growing criminal activity on the Internet. Recent studies by the Anti-Phishing Working Group show that it is becoming more automated and that malicious software (crimeware) used to automatically steal information is becoming more prevalent.

There is little doubt that a lot of the criminal activity on auction sites is sophisticated and reeks of organized crime.

For anyone investigating fraud on an auction site, the only way to effectively do so is to have access to information quickly and with as little red tape as possible. A lot of these crimes cross over borders quickly, and by the time an investigator gets what they need, the trail is often pretty cold.

When auction site owners -- who suffer no financial liability and collect a lot of revenue in fees from this activity -- don't cooperate or move too slowly, it only ensures that criminals will be laughing all the way to the bank.

Even the government has had their stolen inventory sold on eBay and Craigslist. In April, the GAO issued a report that military items, including F-14 components, were being sold on auction sites. In August of last year, a U.S. Attorney was quoted as saying that stamps being stolen from self service vending machines with cloned payment cards were being sold on auction sites. At the time, I ran a simple search query and found some pretty good deals on stamps. As of today, these great deals still exist. Many of them are being sold below cost and the last I checked the Postal Service still offers credit. Why would someone sell stamps below cost?

In my opinion, both of the bills don't only serve the large merchants out there, but have the potential to protect everybody from fraud on auction sites. While both of these bills are being driven by the National Retail Federation, I see a lot of benefits to passing them for everyone concerned with fraud on auction sites.

I highly recommend that these other people join in with the NRF and the Congressmen involved, and support getting these bills passed.

Saturday, August 02, 2008

Countrywide Insider Steals 2 Million People's Information

On Friday, the FBI arrested a former Countrywide employee and his accomplice for stealing and selling personal information (including social security numbers) obtained from people applying for mortgages. According to news sources, the number of people compromised was about 2 million.

The Countrywide inside man was identified as Rene L. Rebollo Jr., who worked at Countrywide's subprime lending division, Full Spectrum Lending. Also arrested was Wahid Siddiqi, who was the alleged information reseller in the caper. Both arrests took place in Southern California.

The criminal complaint alleges that Rebollo downloaded 20,000 names a week for about two years. The batches of 20,000 were sold for about $500 to Siddiqi. This amounts to about 25 cents a person compromised.

According to a spokeswoman at Countrywide, the investigation shows that 19,000 people's information has actually been used.

Beth Givens, of the Privacy Rights Clearinghouse, was quoted in a story about this in the LA Times and aptly pointed out that Rebollo sold the information at well below known black market prices. Although the prices for stolen information, which is sometimes sold in underground Internet forums, have dropped in recent years, a name that has a matching social security number is worth well more than 25 cents a pop.

The official spin is that this information was used for leads to sell real estate, but my speculation is: how would anyone know for sure? According to the news reports, the information was being sold to companies. The FBI, posing as a company, was able to buy records from Siddiqi.

If it was sold to companies, who knows who they might have sold it to, or if they have any dishonest employees selling it, elsewhere?

This made me wonder if any of the companies buying the information will be publicly disclosed. In a similar case at Certegy -- where another dishonest employee was caught and convicted for selling stolen information to "companies" -- the companies involved were never made public or charged with any crime (to my knowledge). Court records indicated a co-conspirator in this case, but again (to my knowledge) no one has ever revealed exactly who this mysterious co-conspirator was.

Givens also pointed out that names, which include a social security number and perhaps financial data, can be used to commit what is known as new account fraud. New account fraud is where an identity thief poses as their victim and opens new lines of credit. Once this is done the first time, the thief (sometimes thieves) continues to open lines of credit until the victim's credit report makes them look like a deadbeat.

My guess is that the affected people will be offered some sort of credit monitoring/identity theft protection. While this prevents some forms of identity theft, it doesn't necessarily protect from all the ways a stolen identity can be used. Some examples of when it might not show up on a credit report are cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes other than those of a financial nature.

Recently, the Privacy Rights Clearinghouse issued a well-written fact sheet pointing out that existing credit monitoring/identity theft protection services do not protect a person from all forms of identity theft. I highly recommend that anyone who thinks their identity has been compromised read this fact sheet before buying or relying on the free protection offered in the aftermath of a known data compromise.

If and when employers are required to react to workers using social security numbers that do not match, the millions of illegal immigrants already over here are going to have to use real social security numbers and a matching name to remain employed, or obtain employment. While the federal law on this has been tied up in federal court, some states have already enacted similar legislation. This type of identity theft normally doesn't appear on a credit report and is often discovered when a person files their tax return, or gets their social security earnings statement and notices employment listed they never had.

A statistic that might support this is the IRS revealing that identity theft used to file tax returns has grown 644 percent in recent years. The two main reasons cited for this were people using them to obtain employment or to file a fraudulent tax return to obtain a phony refund, normally using what is known as the earned income credit.

Stories of large-scale data breaches seem to surface frequently. Despite this, there are a lot more that no one ever finds out about. Recent evidence revealed by Finjan, a computer security outfit, supports the contention that we really don't know how much stolen information there is out there, or how it is being used. Finjan has been discovering what they term crime servers on the Internet, which contain all kinds of stolen information. This information included compromised patient data, bank customer data and even sensitive e-mail communications. At least some of this information wasn't even password protected on the crime server.

This particular data breach at Countrywide will probably fade into the mist fairly quickly. It does show that any and all security measures can and will be defeated when a person who has access is the point of compromise. The sad fact is that despite a lot of efforts -- until the issues that fuel (enable) this problem are addressed -- we will continue to see personal and financial information stolen.

We have made personal and financial information worth a lot of money and there are a lot of people buying and selling it. Some of them even have legitimate or semi-legitimate status. The more this occurs, the more the information is going to be electronically transmitted (sold) and then stored in a lot of different places. As long as this keeps happening, it's probably impossible to protect all of it.