Wednesday, August 06, 2008

Largest Identity Theft Ring in History Indicted

Yesterday, the U.S. Department of Justice announced that eleven perpetrators behind the largest known identity theft ring in history have been charged with conspiracy, computer intrusion and identity theft.

Allegedly, the group is responsible for stealing and selling more than 40 million credit and debit card numbers. The credit and debit card numbers were intercepted electronically at nine retailers, who transmitted their unprotected financial information using wireless networks. Once they hacked into the wireless networks, the group would install sniffer packets to capture card numbers and PIN numbers.

TJX, which was severely criticized for its breach of approximately 8.5 million records, wasn't the only retailer being compromised. BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW were also being compromised. The restaurant chain Dave and Busters was also compromised by having "sniffer packets" installed on their point of sale terminals by the group.

Merchants have been under fire for not meeting PCI data security standards, which were developed by the payment card industry to protect systems against compromises. The National Retail Federation has fired back at the payment card industry for forcing merchants to store sensitive information, which can easily be stolen. In a recent data breach involving the theft of 4.2 million card numbers, Hannaford Brothers had been certified as being PCI compliant, which led a lot of people to speculate that the PCI data security standards themselves might be outdated.

Sniffer packets are used to monitor information in a network and can be used to gather a lot of sensitive information. Detecting a sniffer packet on a wireless network is known to be extremely difficult. A practice known as "wardriving" is when people drive around and try to pick up wireless signals from unprotected networks. Computer security experts highly recommend making wireless networks secure, including those of the home variety, by password protecting them. Software to assist people who do this is freely available on the Internet.

After the information was stolen it was stored on encrypted computer servers in Eastern Europe and the United States. Some of the stolen data was sold to other information criminals via the Internet. The group also counterfeited their own cards and used them to steal money from ATMs.

Recently, Finjan, a computer security company, announced finding servers with a lot of stolen information on the Internet. At least one of the crimeservers found by Finjan wasn't even password protected. Finjan reported finding these crimeservers using simple Google searches.

The money was laundered using Internet-based currencies and by moving funds through banks in Eastern Europe.

Three executives at E-Gold, which is an Internet-based currency, recently pleaded guilty to allowing criminal activity of this nature (money laundering) using their service.

The criminal activity started in 2003 and went right up to the present time. Albert "Segvec" Gonzalez, of Miami, one of the main players in the group, was previously arrested for similar activity in 2003. During the current investigation, the Secret Service discovered Gonzalez was working as a government informant and involved in the criminal activity at the same time.

Also charged in the indictments yesterday were Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia. Hung-Ming Chiu and Zhi Zhi Wang, of the People's Republic of China, were also charged. Sergey Pavlovich, of Belarus, and Ukrainians Dzmitry Burak and Sergey Storchak were also named in the indictment. Two U.S. citizens, Christopher Scott and Damon Patrick Toey, finished up the long list of names from all over the world involved in this organized criminal enterprise.

The range of the activity took place in numerous countries, including the United States, Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines and Thailand.

These indictments are the result of a three-year investigation conducted by the Secret Service. As the case progresses, it is being reported that they will be working closely with the IRS on the money laundering aspect of the case.

Sunday, August 03, 2008

Bills Introduced to Combat Organized Crime on Auction Sites

While stories of individual people getting scammed on auction sites are legendary, individuals aren't the only ones victimized on these sites. Large retailers and brand owners are also victimized when their stolen or counterfeit merchandise is sold on these sites.

In response to this, two bills are being introduced to combat this problem in the halls of Congress.

The reason this has become a growing issue is that criminals can net 70 percent of the value of stolen merchandise on an auction site versus the going 30 percent received on street corners, flea markets and pawn shops. As for all the knock-off (counterfeit) goods being sold on auction sites, it's hard to put a dollar loss to it, but many believe it's substantial.

According to the International AntiCounterfeiting Coalition, counterfeiting costs U.S. businesses $200 to $250 billion a year. Counterfeiting and e-fencing also pose safety risks to the public at large. Outdated merchandise, or merchandise that isn't what it is advertised to be, could potentially poison people, or cause bodily harm when it doesn't work like it's supposed to.

Simply stated, auction sites provide an anonymous marketing environment to sell both stolen and counterfeit goods.

“By hiding behind the anonymity of the Internet, they can make more money with less risk of getting caught than selling to a stranger on a street corner who might turn out to be a police officer. This bill would lift that cloak and help law enforcement put on-line criminals where they belong – behind bars,” according to Joe LaRocca, the National Retail Federation's Vice President of Loss Prevention.

To address this problem, a federal bill (H.R. 6713, the E-Fencing Enforcement Act of 2008) is being introduced by Representative Bobby Scott, chairman of the House Judiciary Committee’s Subcommittee on Crime, Terrorism and Homeland Security.

The bill will require on-line auction operators to maintain information about high-volume sellers and provide the information to a person with "standing" once a police report is filed. The definition of a person of standing would be a law enforcement officer or a representative from a company that has an interest in the merchandise being illegally sold on an auction site.

This is the second bill introduced recently to combat organized retail crime, which costs retailers anywhere from $15 to 30 billion a year. On July 15th, H.R. 6491, the Organized Retail Crime Act of 2008, was introduced by Representative Brad Ellsworth, a former county sheriff, along with Representative Jim Jordan, as the lead co-sponsor. The bill establishes that unless auction site owners can show specific steps to prove goods being sold were not being obtained by theft or fraud, they could be viewed as "facilitating" the activity. This bill will also require site operators to cooperate with the police and organizations with a stake in stopping the activity. In certain instances, it will also allow merchants to initiate civil actions over stolen merchandise being sold on an auction site.

In the past, auction operators have been criticized for not effectively cooperating with companies and law enforcement when they made an inquiry into suspected criminal activity on their sites. It has also been established that smaller (individual) victims and merchants often receive little to no assistance after being victimized in an Internet auction deal.

E-fencing, phishing, counterfeit goods and the use of fraudulent financial instruments to buy merchandise from unsuspecting customers have all victimized countless people and organizations on auction sites.

Criminals also often lure people to do their dirty work. Recruits are normally harvested off the Internet, sometimes from job sites, and offered work to reship stolen merchandise and/or launder money from fraudulent transactions. Much of this activity involves sending money or hot merchandise across an international border, making it extremely difficult to track.

A lot of criminal activity is facilitated on auction sites by what is known as phishing. Phishing is where an account owner is tricked into giving up their account details, either via social engineering, or more and more often, after downloading some malicious software. The stolen account details are then used to take over the account and use it for illicit purposes.

In fact, eBay and PayPal accounts are frequently the most phished brands out there.

Phishing, normally facilitated by spam e-mails, is another ever-growing criminal activity on the Internet. Recent studies by the Anti-Phishing Working Group show that it is becoming more automated and that malicious software (crimeware) used to automatically steal information is becoming more prevalent.

There is little doubt that a lot of the criminal activity on auction sites is sophisticated and reeks of organized crime.

For anyone investigating fraud on an auction site, the only way to effectively do so is to have access to information quickly and with as little red tape as possible. A lot of these crimes cross over borders quickly and by the time an investigator gets what they need, the trail is often pretty cold.

When auction site owners -- who suffer no financial liability and collect a lot of revenue in fees from this activity -- don't cooperate or move too slowly, it only ensures that criminals will be laughing all the way to the bank.

Even the government has had their stolen inventory sold on eBay and Craigslist. In April, the GAO issued a report that military items, including F-14 components, were being sold on auction sites. In August of last year, a U.S. Attorney was quoted as saying that stamps being stolen from self service vending machines with cloned payment cards were being sold on auction sites. At the time, I ran a simple search query and found some pretty good deals on stamps. As of today, these great deals still exist. Many of them are being sold below cost and the last I checked the Postal Service still offers credit. Why would someone sell stamps below cost?

In my opinion, both of the bills don't only serve the large merchants out there, but have the potential to protect everybody from fraud on auction sites. While both of these bills are being driven by the National Retail Federation, I see a lot of benefits to passing them for everyone concerned with fraud on auction sites.

I highly recommend that these other people join in with the NRF and the Congressmen involved, and support getting these bills passed.

Saturday, August 02, 2008

Countrywide Insider Steals 2 Million People's Information

On Friday, the FBI arrested a former Countrywide employee and his accomplice for stealing and selling personal information (including social security numbers) obtained from people applying for mortgages. According to news sources, the number of people compromised was about 2 million.

The Countrywide inside man was identified as Rene L. Rebollo Jr., who worked at Countrywide's subprime lending division, Full Spectrum Lending. Also arrested was Wahid Siddiqi, who was the alleged information reseller in the caper. Both arrests took place in Southern California.

The criminal complaint alleges that Rebollo downloaded 20,000 names a week for about two years. The batches of 20,000 were sold for about $500 to Siddiqi. This amounts to about 25 cents a person compromised.

According to a spokeswoman at Countrywide, the investigation shows that 19,000 people's information has actually been used.

Beth Givens, of the Privacy Rights Clearinghouse, was quoted in a story about this in the LA Times and aptly pointed out that Rebollo sold the information at well below known black market prices. Although the prices for stolen information -- which is sometimes sold in underground Internet forums -- have dropped in recent years, a name that has a matching social security number is worth well more than 25 cents a pop.

The official spin is that this information was used for leads to sell real estate, but my speculation is: how would anyone know for sure? According to the news reports, the information was being sold to companies. The FBI, posing as a company, was able to buy records from Siddiqi.

If it was sold to companies, who knows who they might have sold it to, or if they have any dishonest employees selling it elsewhere?

This made me wonder if any of the companies buying the information will be publicly disclosed. In a similar case at Certegy -- where another dishonest employee was caught and convicted for selling stolen information to "companies" -- the companies involved were never made public or charged with any crime (to my knowledge). Court records indicated a co-conspirator in this case, but again (to my knowledge) no one has ever revealed exactly who this mysterious co-conspirator was.

Givens also pointed out that names, which include a social security number and perhaps financial data, can be used to commit what is known as new account fraud. New account fraud is where an identity thief poses as their victim and opens new lines of credit. Once this is done the first time, the thief (sometimes thieves) continues to open lines of credit until the victim's credit report makes them look like a deadbeat.

My guess is that the affected people will be offered some sort of credit monitoring/identity theft protection. While this prevents some forms of identity theft, it doesn't necessarily protect from all the ways a stolen identity can be used. Some examples of when it might not show up on a credit report are cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes other than those of a financial nature.

Recently, the Privacy Rights Clearinghouse issued a well-written fact sheet pointing out that existing credit monitoring/identity theft protection services do not protect a person from all forms of identity theft. I highly recommend that anyone -- who thinks their identity has been compromised -- read this fact sheet before buying or relying on the free protection offered in the aftermath of a known data compromise.

If and when employers are required to react to workers using social security numbers that do not match, the millions of illegal immigrants already over here are going to have to use real social security numbers and a matching name to remain employed, or obtain employment. While the federal law on this has been tied up in federal court, some states have already enacted similar legislation. This type of identity theft normally doesn't appear on a credit report and is often discovered when a person files their tax return, or gets their social security earning statement and notices employment listed they never had.

A statistic that might support this is the IRS revealing that identity theft used to file tax returns has grown 644 percent in recent years. The two main reasons cited for this were people using them to obtain employment or to file a fraudulent tax return to obtain a phony refund, normally using what is known as the earned income credit.

Stories of large scale data breaches seem to surface frequently. Despite this, there are a lot more that no one ever finds out about. Recent evidence revealed by Finjan, a computer security outfit, supports the contention that we really don't know how much stolen information there is out there, or how it is being used. Finjan has been discovering what they term as crime servers on the Internet, which contain all kinds of stolen information. This information included compromised patient data, bank customer data and even sensitive e-mail communications. At least some of this information wasn't even password protected on the crime server.

This particular data breach at Countrywide will probably fade into the mist fairly quickly. It does show that any and all security measures can and will be defeated when a person who has access is the point of compromise. The sad fact is that despite a lot of efforts -- until the issues that fuel (enable) this problem are addressed -- we will continue to see personal and financial information stolen.

We have made personal and financial information worth a lot of money and there are a lot of people buying and selling it. Some of them even have legitimate or semi-legitimate status. The more this occurs, the more the information is going to be electronically transmitted (sold) and then stored in a lot of different places. As long as this keeps happening, it's probably impossible to protect all of it.