Friday, February 27, 2009

FTC Site Teaches Public How to Avoid Bad Deals

March 1st through the 7th is National Consumer Protection Week. This year, the Federal Trade Commission (along with an army of partners) is providing a user-friendly set of free e-tools designed to help the average "Joe or Jolene" safely navigate the murky waters they face in the current economic environment.

Besides teaching us how to make the most of our financial resources, the tools also teach how to avoid the underground army of not-so-honest people who are spreading more economic doom and gloom with too-good-to-be-true schemes designed to take advantage of the grim economic situation.

The Web site for the 11th annual National Consumer Protection Week is now up and running. Launched by the Federal Trade Commission and its NCPW (National Consumer Protection Week) Steering Committee partners, the site gives people free tools to make smart business decisions in today’s economy. The information on the site is designed to help the average person get the most value for their money, whether they are trying to improve their credit history, tell the difference between a real deal and a rip-off, or protect their mortgage from foreclosure or foreclosure rescue scams. It explains their rights under various laws and tells how to file a complaint or seek assistance from the appropriate government agency.

According to the Federal Trade Commission, scam artists, fraudsters, hackers and flim-flam artists follow the headlines and use the current economic downturn to part people from their hard-earned (and ever-dwindling) financial resources. The NCPW Web site has educational resources to teach people how to recognize a rip-off, sniff out a scam and ensure they are getting value for their dollar in today's marketplace.

The site has tips on a wide range of topics from partner organizations. They range from how to get a free credit report, spot a telemarketing scam and deal with debt, to how to deter and detect identity theft and avoid home and auto repair scams. Also included is detailed information on how to file a complaint with the appropriate agency if you do run into an issue.

Of course, on a personal level, I always recommend reporting a scam if you spot one, even if you were able to avoid becoming a statistic yourself. Doing so can keep a less informed person from becoming a victim, and it is a good deed.

National Consumer Protection Week

The FTC partners involved in providing this information include the AARP, the Comptroller of the Currency, the Consumer Federation of America, the Council of Better Business Bureaus, the Federal Citizen’s Information Center, the Federal Communications Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Association of Attorneys General, the National Association of Consumer Agency Administrators, the National Consumers League, the U.S. Department of the Treasury, the U.S. Postal Inspection Service, and the U.S. Postal Service.

The FTC also just released the top complaints it received in 2008. For the ninth year in a row, identity theft came in at number one. Of the 1,223,370 complaints received in 2008, 313,982 (26%) were related to identity theft.

Not surprisingly, with all the data breaches seen recently, credit card fraud was the most common form of identity theft reported. It was followed by government documents/benefits fraud at 15%, employment fraud at 15%, phone or utilities fraud at 13%, bank fraud at 11% and loan fraud at 4%.

Other complaint categories included Third Party and Creditor Debt Collection, Shop-at-Home and Catalog Sales, Internet Services, Foreign Money Offers and Counterfeit Check Scams, Credit Bureaus, Information Furnishers and Report Users, Prizes, Sweepstakes and Lotteries, Television and Electronic Media, Banks and Lenders, Telecom Equipment and Mobile Services, Computer Equipment and Software, Business Opportunities, Employment Agencies and Work-at-Home, Internet Auction, Advance-Fee Loans and Credit Protection/Repair, Health Care, Auto Related Complaints, Travel, Vacations and Timeshare Plans, Credit Cards, Magazines and Buyers Clubs and Telephone Services.

Please note that these are statistics about people who were victimized. The information on the NCPW site is designed to keep people from becoming a statistic.

Thursday, February 26, 2009

Crimes Against Businesses Contribute to Job Losses

Organized retail crime costs retailers billions of dollars. In an era where retailers are closing stores or going completely out of business, it's logical to assume that organized retail crime is a contributing factor to retailers shutting their doors and people losing their jobs. With the sour economy inspiring more and more theft and fraud, it is becoming more critical than ever for companies to control their losses in their struggle to remain viable.

When retailers lose money to theft, the end result can be (assuming they don't go bankrupt) that jobs are cut. Payroll is normally the largest and most controllable expense in any business. When businesses start to show negative earnings — like a lot of them are right now — payroll is normally the first place they look to cut when trying to avoid shutting their doors.

In an effort to fight what experts say is a $30 billion a year organized retail crime issue, the National Retail Federation is welcoming legislation being introduced to give them more tools to fight this problem. Yesterday, three bills were introduced in Congress to assist retailers and law enforcement in this effort.

The three bills introduced are "the Combating Organized Retail Crime Act of 2009, sponsored by Senate Majority Whip Richard J. Durbin, D-Ill.; the Organized Retail Crime Act of 2009, sponsored by Representative Brad Ellsworth, D-Ind.; and the E-Fencing Enforcement Act of 2009, sponsored by House Judiciary Committee Crime, Terrorism and Homeland Security Subcommittee Chairman Bobby Scott, D-Va. The measures are similar to legislation first introduced last summer" according to the press release and podcast on this matter by the National Retail Federation.

In case you are unfamiliar with "Organized Retail Crime," it is the theft of merchandise from retailers, carried out in an organized way for profit. Once the merchandise is stolen, it is fenced (sold) to turn it into cash. Traditionally, this merchandise was sold at flea markets or through dishonest retailers, but more and more often nowadays, retail crime rings are turning to auction sites to unload their stolen goods.

The reason for this is if they sell it on an auction site, they make a lot more money than in the more traditional fencing venues. Experts believe they net 70 percent of the retail value by selling their stolen wares on an auction site versus the 30 percent of retail value they receive in more traditional fencing venues.

Another possible factor contributing to the problem is that consumers, who are operating with ever-decreasing personal budgets, are flocking to these sites to stretch their buying dollars. Without knowing it, they might be adding fuel to the fire by unknowingly buying this stolen merchandise.

Even if the retailer can prove that merchandise on an auction site is stolen, it can be extremely difficult to get the site to cooperate in going after the criminals selling it. Because of the red tape these sites impose before releasing information, it takes a lot of time and effort to get them to cooperate in an investigation. As a result, the crooks are normally long gone before any effective investigative action is taken.

Another phenomenon, phishing, makes the activity even more anonymous and hard to track on auction sites. Phishing is where a person (user) is tricked into giving up the credentials to an account. For years, eBay and PayPal have ranked among the most phished brands out there. Criminals use the stolen credentials to take over an account and commit fraud using someone else's selling account. When investigating auction fraud, time is of the essence; otherwise the trail is often too cold to track. The crooks use one of these accounts for a short period of time and then move on to another phished account to avoid detection.

Organized retail crime is also taking advantage of the identity theft/financial crimes phenomenon and working with the hacking element that has been attacking the financial industry. Counterfeit payment cards (credit/debit), checks and identification are all being used to electronically boost merchandise and walk right out of the store with it. In the TJX data breach, the largest hack of financial data to date, a group was caught using cloned payment cards to buy $8 million worth of gift cards from Walmart. In the more recent data breach at Heartland Payment Systems, which looks like it might surpass TJX in the amount of data stolen, the only arrests made thus far were of a group using the stolen data to clone gift cards. Since gift cards are redeemed at retailers, this is yet another example of how the financial hackers and organized retail crime types are working together. To me, this is evidence that organized retail crime is becoming more sophisticated in its theft techniques, which will likely make this problem even worse than it already is.

The three bills being introduced will force auction sites to cooperate with retailers and law enforcement, define organized retail crime as a federal offense and establish stricter sentencing guidelines for criminals convicted of it. Too frequently, under current laws, criminals involved in this activity are treated like petty thieves and get a slap on the wrist when they are caught. Last, but not least, the legislation will hold auction sites more accountable for the sale of stolen merchandise when it could have been prevented.

Besides fencing, there is a lot of other fraud on auction sites that isn't necessarily tied to fencing and victimizes auction buyers and sellers more personally. Legitimate e-commerce sellers are frequently ripped off with bogus financial instruments. Buyers are also defrauded in a wide variety of scams on these sites. Like the major retailers who are behind this legislation, the more ordinary victims are often hung out to dry when they try to get any assistance from the auction sites. There is little doubt (my opinion) that auction sites need to clean up the fraud that occurs on them. While they do provide value and a fun way to buy things, too many innocent people have been victimized on them.

While this legislation primarily focuses on fencing, it's a start in the right direction. Perhaps other groups should join in and support this legislation, which if passed, will likely set some needed legal precedents. It will also make it a little harder for the criminally inclined to operate on auction sites.

Supporting this legislation makes a lot of sense for a lot of different reasons. These are not victimless crimes and the consequences are being felt by innocent consumers and businesses.

Sunday, February 22, 2009

Are E-Commerce Merchants at Risk in Mystery Data Breach?

Days before the Heartland data breach was announced, volunteer computer security experts at the Open Security Foundation had already figured out what had occurred. Many believe Heartland is going to become the largest data breach in history and will surpass the TJX caper. At this point, only time will tell.

Now the folks at the Open Security Foundation are predicting another data breach at a card processor/acquirer that hasn't been announced to the public yet. For over a week, they have been speculating about this mysterious data breach based on a tip, which was corroborated by other anonymous sources.

In their latest post, they state that they knew it was a card-not-present breach at a processor/acquirer, but didn't initially report it. They are now reporting this development because it has been revealed by another source.

On February 21, 2009, databreaches.net revealed evidence of this data breach based on information sifted from two credit union sites (TVACU.com and Pennsylvania Credit Union Association CardNet).

According to those notices, the only data elements at risk are account numbers and expiration dates. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. The period of exposure being reported is from February to August of 2008.

It has also been written that the exposure was enabled by malicious software that was placed on the unknown acquirer/processor's system. Both of the credit union sources also state that it is being left up to the card issuers, whether to issue new cards or monitor the accounts for fraud. Reissuing cards has become a major expense to the card issuers after a data breach is discovered.

This makes me wonder whether we will discover that the acquirer/processor was PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI DSS is the payment card industry's own set of standards for protecting cardholder data. In many of the recent breaches, the breached organization had been certified as meeting this standard, which has led to questions about whether it is really effective.

Both articles also indicate that Visa/Mastercard are not revealing the source of this breach until the "mysterious source" of it makes their own announcement on the matter.

Given these reports, my speculation is that this information will be used in e-commerce-type transactions. If only primary account numbers and expiration dates were exposed, counterfeiting them onto cloned cards is unlikely: without the magnetic-stripe track data, it simply wouldn't be feasible for the criminals involved. What the data does support is card-not-present fraud at merchants that don't check the security code printed on the card.

This doesn't mean that there are no financial risks involved to businesses in this data breach. E-commerce fraud is a big problem and its estimated impact on merchants last year was $4 billion. To fight this problem, most e-commerce merchants manually review orders to detect fraud, which can be a substantial payroll cost. The percentage loss to fraud in e-commerce has been stable for about three years, but since sales have increased, the dollars lost to it are growing.

Card-not-present fraud is frequently returned to merchants in the form of chargebacks. The best way of avoiding these chargebacks is to verify transactions using the address verification service (AVS) and the security code printed on the card (called CVV2 by Visa, CVC2 by MasterCard and CID by American Express and Discover) when processing transactions. Smaller merchants, who ironically are charged the highest interchange fees for accepting card payments, are at the most risk because fraudsters count on the fact that they do not verify a lot of this data, owing to the associated costs and their limited ability to afford doing so.

Perhaps this is one of the reasons why there is no rush to reissue cards. If the only information stolen can be used in card-not-present transactions, the card issuers are at little risk of suffering any financial losses. They will simply charge the fraud back to the merchants who failed to ensure the transaction wasn't fraudulent. It might be a good time for e-commerce merchants to be more cautious.
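To make the point concrete, here is an added example (not code from the original post or from any processor) of the kind of order-screening logic a small e-commerce merchant can put in front of auto-accepting an order. It uses the single-letter AVS and security-code response conventions common among US processors (Y/A/Z/N/U and M/N/P/U); these letters, the thresholds and the sample orders are all assumptions for illustration, and the real codes vary by processor. The second half runs a constructed batch of orders through this policy and through a lax policy that ignores the security code, to show why breach data consisting only of account numbers and expiration dates is worth so much more against merchants that don't verify it.

```python
"""Screening card-not-present orders on AVS and card security code results.

Added example; not from the original post or any processor's SDK.
Assumed response-code conventions (check your processor's documentation):
  AVS:  Y = street and ZIP match, A = street only, Z = ZIP only,
        N = no match, U = issuer could not verify / not supported
  code: M = CVV2/CVC2/CID matches, N = no match,
        P = not processed (merchant did not send one), U = issuer cannot verify
"""
from dataclasses import dataclass

ACCEPT, REVIEW, DECLINE = "accept", "review", "decline"


@dataclass
class CnpOrder:
    amount: float
    avs: str                   # AVS response code
    code: str                  # security code response
    ship_to_billing: bool      # shipping address equals billing address
    is_fraud: bool = False     # ground truth, known only in the constructed sample


def screen_order(o: CnpOrder, review_threshold: float = 250.0) -> str:
    """Return accept / review / decline for one card-not-present order.

    Policy (an assumption for illustration): a security-code mismatch is
    always declined, because someone holding only the account number and
    expiration date cannot supply the code printed on the card, and an
    order whose code was never checked is not auto-accepted unless it is
    small and ships to the verified billing address.
    """
    if o.code == "N":
        return DECLINE
    if o.code in ("P", "U", ""):
        # Not verified: exactly the gap a PAN-plus-expiry breach exploits.
        if o.amount < review_threshold and o.avs == "Y" and o.ship_to_billing:
            return ACCEPT
        return REVIEW
    # Security code matched from here on; AVS decides the rest.
    if o.avs == "Y":
        return ACCEPT
    if o.avs in ("A", "Z"):
        # Partial match is usually a typo, but also what a thief who only
        # knows the ZIP produces; let small orders through, look at large ones.
        return ACCEPT if o.amount < review_threshold else REVIEW
    if o.avs == "N":
        return REVIEW if o.ship_to_billing else DECLINE
    return REVIEW  # "U" or unknown: issuer could not verify (common for non-US cards)


def lax_policy(o: CnpOrder) -> str:
    """A policy that never looks at the security code (the behaviour fraudsters count on)."""
    return ACCEPT if o.avs in ("Y", "A", "Z") else REVIEW


# Constructed sample batch: three legitimate orders and four placed with data
# that consists of account number and expiry only (no security code available).
SAMPLE = [
    CnpOrder(49.0, "Y", "M", True),
    CnpOrder(320.0, "A", "M", True),
    CnpOrder(75.0, "Z", "M", False),
    CnpOrder(899.0, "Y", "N", False, is_fraud=True),   # guessed a code, wrong
    CnpOrder(450.0, "Z", "P", False, is_fraud=True),   # sent no code at all
    CnpOrder(120.0, "N", "N", False, is_fraud=True),
    CnpOrder(60.0, "Y", "P", True, is_fraud=True),     # small, matches AVS: residual risk
]


def count_accepted(policy, orders=SAMPLE):
    """Return (legitimate orders auto-accepted, fraudulent orders auto-accepted)."""
    legit = sum(1 for o in orders if policy(o) == ACCEPT and not o.is_fraud)
    fraud = sum(1 for o in orders if policy(o) == ACCEPT and o.is_fraud)
    return legit, fraud


if __name__ == "__main__":
    for name, policy in (("screen_order", screen_order), ("lax_policy", lax_policy)):
        print(name, "auto-accepted (legit, fraud):", count_accepted(policy))
```

Under the strict policy the batch yields two legitimate and one fraudulent auto-accept (the small order that ships to a verified billing address); under the lax policy all three fraudulent orders go straight through, and each would come back as a chargeback.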

From what I can gather, this matter isn't exactly confidential; having said that, it appears that primarily financial institutions are being warned and not the e-commerce merchants who logically will be the primary target if this stolen information is used. The costs in the aftermath of data breaches are substantial and who bears the brunt of them is becoming a hot topic.

To close this post, I will refer to a good information source on preventing chargebacks from Wells Fargo. There are a lot of other sources, but a lot of them are selling something. If anyone has any other good sources, please feel free to leave a comment and share them with everyone!

Friday, February 20, 2009

RSA Report Points to an Increase in Cyber Crime

According to a recent report from RSA Security, phishing attacks increased 66 percent last year when compared to 2007. One reason cited for this is the increased availability of DIY (do-it-yourself) phishing kits, which are sold on the Internet.

Some of these kits even come with tech support. In the past few years, these kits have enabled a lot more people to get into the phishing game.

The statistics compiled in the Anti-Fraud Command Center Phishing Trends Report recorded 135,426 phishing attacks, compared to 90,000 detected in 2007. Despite these ominous numbers, the report showed a marked decrease in the number of attacks between June and July. The number of attacks then increased steadily until the end of the year and dropped again in December. The RSA team attributed this to a drop in activity by a notorious gang of phishermen known as Rock Phish.

Although no one seems to be exactly sure, Rock Phish is a phishing gang allegedly of Romanian origin. Experts believe they are responsible for up to 50 percent of the phishing seen in the wild (on the Internet) today. To avoid detection, Rock Phish attacks often update DNS records and change URLs during an attack, which confuses take-down efforts and lets the lures slip past URL-based spam filters. They also put the lure text in images in their spam e-mails, which makes it harder for spam filters to detect. A lot of spam filters do not use OCR (optical character recognition) because it slows down the filtering process.

The (temporary?) reduction in attacks was attributed to the Rock Phish upgrading their infrastructure and switching to the use of a new botnet, called the "Asprox botnet."

A lot of the newer botnets, which spew out spam in the millions using zombies (compromised computers), are using what is known as fast flux. Fast flux is a DNS technique that hides the real phishing server behind a constantly changing set of compromised computers: the domain name in the spam link is pointed, with very short DNS time-to-live values, at zombies that proxy the traffic on to the real site, and the set of addresses is rotated faster than take-down teams can act. Since the spam e-mails sent through the same botnet recruit new zombies all the time, shutting down this type of activity is pretty difficult. According to the report, fast flux attacks now comprise about half of all the activity out there.
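The rotating-address behaviour described above can be spotted by looking up the same hostname repeatedly and watching how its A records change. The following is an added example, not code from the RSA report or from this post; the lookups are constructed (the 10.x addresses stand in for zombies on many different networks), the /16 prefix is used as an offline stand-in for the hosting network, and the thresholds are assumptions chosen for illustration. The benign "cdn" host shows why a short TTL alone is not the signal: content delivery networks also use short TTLs, but their address pool is small, stable and sits in one network.

```python
"""Flagging fast-flux hostnames from repeated DNS lookups.

Added example, not code from the RSA report or the original post.
Input lines (constructed, not real lookups): "<seconds> <name> <ttl> <ip>",
one line per A record returned by each lookup.
"""
from collections import defaultdict
from ipaddress import ip_address

OBSERVATIONS = """\
# t     name                        ttl  address
0       login-secure-bank.example   120  10.1.4.20
0       login-secure-bank.example   120  10.27.9.61
0       login-secure-bank.example   120  10.88.13.5
300     login-secure-bank.example   120  10.27.9.61
300     login-secure-bank.example   120  10.140.2.77
300     login-secure-bank.example   120  10.55.200.9
600     login-secure-bank.example   120  10.140.2.77
600     login-secure-bank.example   120  10.3.77.130
600     login-secure-bank.example   120  10.201.6.44
900     login-secure-bank.example   120  10.201.6.44
900     login-secure-bank.example   120  10.66.18.2
900     login-secure-bank.example   120  10.119.250.8
1200    login-secure-bank.example   120  10.119.250.8
1200    login-secure-bank.example   120  10.7.33.91
1200    login-secure-bank.example   120  10.172.40.3
0       static.cdn.example          60   192.0.2.10
0       static.cdn.example          60   192.0.2.11
300     static.cdn.example          60   192.0.2.10
300     static.cdn.example          60   192.0.2.12
600     static.cdn.example          60   192.0.2.11
600     static.cdn.example          60   192.0.2.12
900     static.cdn.example          60   192.0.2.10
900     static.cdn.example          60   192.0.2.11
1200    static.cdn.example          60   192.0.2.12
1200    static.cdn.example          60   192.0.2.10
"""


def parse(text):
    """Group records by hostname: name -> list of (seconds, ttl, IPv4Address)."""
    obs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        t, name, ttl, ip = line.split()
        obs[name].append((int(t), int(ttl), ip_address(ip)))
    return obs


def flux_features(records):
    """Summarise how one hostname's addresses behaved across the lookups."""
    ips = {r[2] for r in records}
    # /16 prefix as a crude, offline stand-in for the hosting network (assumption).
    nets = {int(ip) >> 16 for ip in ips}
    seen, turnover = set(), 0
    for t in sorted({r[0] for r in records}):
        batch = {r[2] for r in records if r[0] == t}
        if seen:
            turnover += len(batch - seen)  # addresses never returned before
        seen |= batch
    return {
        "ips": len(ips),
        "nets": len(nets),
        "min_ttl": min(r[1] for r in records),
        "lookups": len({r[0] for r in records}),
        "turnover": turnover,
    }


def is_fast_flux(records, max_ttl=300, min_ips=8, min_nets=4):
    """Short TTL plus many addresses spread across many networks (thresholds assumed)."""
    f = flux_features(records)
    return f["min_ttl"] <= max_ttl and f["ips"] >= min_ips and f["nets"] >= min_nets


def flagged(text):
    """Hostnames in the observation log that look like fast-flux service networks."""
    return [name for name, recs in parse(text).items() if is_fast_flux(recs)]


if __name__ == "__main__":
    for name, recs in parse(OBSERVATIONS).items():
        print(name, flux_features(recs), "FLUX" if is_fast_flux(recs) else "ok")
```

In the constructed log the phishing host returns eleven distinct addresses in eleven different /16s over five lookups, with eight of them appearing only after the first lookup, while the CDN host cycles three addresses in one network; only the former is flagged. In production the /16 proxy should be replaced with an ASN lookup, and the thresholds tuned against known-good hosts before alerting on them.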

From a global perspective, the United Kingdom (40 percent) was the most attacked country followed by the United States (37 percent). This was attributed to a focused attack on a number of financial institutions in the UK in 2008. The report also acknowledges increased activity in Latin America and the Pacific. A lot of experts believe we will see increased activity in other parts of the world as more people from these regions are introduced to the Internet. As this takes place, more computers will be compromised (become zombies) in these countries and the statistics will shift.

It should be noted that despite the increased activity in the United Kingdom, the United States still holds the dubious honor of being number one in hosting phishing attacks. They are also number one in brand names being attacked.

Of no surprise is the statistic that financial institutions are the favorite target in these attacks. It makes sense that the phishermen will continue to go where the money is, and with the sour economy, there are a lot of social engineering lures that are ripe for exploitation. Fear is a time-honored social engineering lure that gets people to click on links they should not.

The conclusion of the report is that online crime continues to evolve, is becoming more dangerous, and new tools are being used to further the effort. My guess is that it will continue to grow as long as we focus on defending against it instead of going after the source of it! Of course, this is merely the opinion of this observer.

Sunday, February 15, 2009

Sending Children to the Slammer for Profit

On February 12, 2009, two judges appeared in federal court to plead guilty to wire fraud and income tax fraud involving $2.6 million in kickbacks. The crimes they were charged with resulted from locking up teenagers for profit in Scranton, PA.

Judge Michael T. Conahan and Judge Mark A. Ciavarella Jr. were the two judges who received kickbacks to send teens to privately run detention centers. Apparently, Conahan secured the contracts and Ciavarella kept them filled with fresh prisoners (victims?) from his docket (court calendar). The privately run centers in question were PA Childcare and its sister organization, Western PA Childcare.

A press release on January 28th from the Administrative Office of the Pennsylvania Courts announced the two judges' removal from the bench. The release goes into detail about the charges that were brought against them.

In one example cited by the NY Times, a teenager was given three months for setting up a MySpace page mocking her assistant principal at a Wilkes-Barre, PA high school. The student in question, Hillary Transue, was a stellar student and had never been in trouble before. At the end of the hearing, with her parents watching, she was handcuffed and taken away. In another case, a teenager got three months for giving another teenager a black eye.

This is scary in a society where Paris Hilton and Lindsay Lohan get a few days for doing a lot more than putting up a MySpace page or giving someone a black eye!

Senior Judge Arthur Grim has been appointed by the State Supreme Court to figure out what to do with the estimated 5,000 juveniles who have been sentenced by Judge Ciavarella since the scheme started in 2003. A lot of these children were first-time offenders and some of them are still locked up.

The case has shocked local residents, already strained by recent losses of a lot of industrial jobs and the shutting down of coal mines. It has also brought up a debate about how children are represented in the legal system when they face charges.

Just last year, a motion was filed by the Philadelphia-based Juvenile Law Center on behalf of 500 juveniles who had appeared in front of Ciavarella without representation. The motion was originally denied, but it has now been reopened. Statistics show that about 50 percent of the children who waived their right to counsel in front of Ciavarella went to the slammer. The Supreme Court ruled in 1967 that juveniles have a right to counsel, but in some states, including Pennsylvania, they are allowed to waive it.

Given the reduced tax base in the area, the money stolen in this instance could certainly have been put to better use, too.

Even worse, although Judge Ciavarella admitted to the kickbacks, he is contending that the juveniles in question deserved what they got. This is pretty arrogant, especially considering that the facts show he sent a far larger share of his cases (25%) to these privately run detention facilities than the state average of 1 in 10.

I'm frequently amazed how people who have obviously done something terribly wrong rationalize their behavior.

If Ciavarella and Conahan (Judge titles intentionally removed) accept the plea bargain being offered by the government, they will get 87 months in the slammer, lose their pensions, and be disbarred. The executives running the privately run detention centers haven't been charged yet, but are expected to be.

I first saw a mention of this story on Alex Eckelberry's Sunbelt blog. His comment was "how sick." In closing, "I second that motion."

Sunday, February 08, 2009

Spammers Love to Hurt Internet Users

Love is a many splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you open one of these attachments, and your machine isn't bulletproof, it can also become a zombie and be used as part of a botnet to send out more spam. Botnets are groups of compromised computers controlled together by a criminal, in effect forming one large distributed computer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued its monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure, and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to climb back to normal levels after they fell when McColo was shut down. McColo (a Web hosting provider) was shut down in November after it was discovered to be hosting the command-and-control servers for several large spam botnets. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to the McColo shutdown, the report points out that it might also reflect the increasing number of users in those countries accessing the Internet.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with file names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor on the machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long-distance service using VoIP, the spammers have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or a lottery win and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed into sending money across a border (wire transfer is preferred) to secure their fortune. Of course, in the end, the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee fraud all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian, and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria, just that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the amount of hijacked and victimized brand names. Last but not least, it noted another record in the amount of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

The $9 Million Electronic Robbery at RBS WorldPay

With the Heartland Data Breach still fresh in the news, word of a $9 million heist using data from another payment card processor (RBS WorldPay) has hit the air waves. RBS WorldPay reported in December that their payroll card system was hacked and 1.5 million financial and 1.1 million personal records were compromised. Payroll cards are used by employers to pay their employees by loading their pay onto a debit card.

A Fox News investigation has now revealed that on November 8th, a coordinated attack netted $9 million using cloned cards in 49 cities worldwide. The withdrawals were made in cities across the United States as well as Montreal, Moscow and Hong Kong, all in about 30 minutes.

Another scary aspect of this attack was that the hacker was able to remove the daily withdrawal limits on the cloned cards. According to the Washington Post, 100 cards were used, and fake deposits were used to refuel the balance on the cards. Large withdrawals were then made again and again on the cloned cards. Please note that this means only a very small percentage of the total cards compromised were used in the scheme. No information was available on how they refueled the accounts.

I've seen accounts refueled using bogus checks, however in this instance, I would suspect it occurred in a more electronic manner. This leads me to believe we will see more disclosures regarding this case as time goes on.

According to official reports, there are no primary suspects in the case. Photographs of some of "lower level soldiers" used to withdraw the money have been released in the hope that (if caught) they will provide information on the people, who provided them with the cloned cards. Unfortunately, with the anonymous nature of the Internet, coupled with the fact that chat-rooms are often used to facilitate the distribution of stolen data, the lower level soldiers might not know the identities of the main players, themselves.

In the recent Heartland breach, it was disclosed that they met PCI DSS (Payment Card Industry Data Security Standards). According to Visa's list of PCI DSS certified vendors, "RBS Lynk" (Royal Bank of Scotland) is certified. PCI DSS standards are the payment card industry's solution to protecting their data from being misused.

I also discovered that RBS WorldPay and TrustWave put out a press release in 2007 announcing they were providing level 3 and level 4 merchants with a specialized data security service to identify their risks and vulnerabilities. The idea behind this service is to help these merchants become PCI DSS compliant.

Interestingly enough, TrustWave also certified Heartland in 2008, according to the article I read in Dark Reading.

PCI DSS has been criticized as being expensive for merchants, and now we are seeing certified-compliant companies compromised, too. The sad thing is that despite a lot of money being shelled out to become PCI DSS compliant, the people shelling it out seem to be just as vulnerable as they were before. In fact, someone might conclude that PCI DSS is giving everyone a false sense of security (opinion).

As usual in these cases, a class action lawsuit has been filed against RBS WorldPay. WorldPay has also announced that cardholders will not be held liable for the charges, according to the page on their site about this matter.

Thus far, according to all the sources I read, no identity theft has occurred. My guess is that because the 1.1 million people compromised are monitoring their credit, none will occur in the short-term. In most of the many breaches I've read about, very little of the information was used after the breach was disclosed. If you think about it, this makes sense because measures have been taken to make the information useless to criminals.

To close, I would like to add another thought. The fact that payroll information — which included personal information — was hacked might point to another example of how storing too much personal information in too many places is the root cause of the problem.

There has been a push to put everything from payroll to government benefits on payment cards. When this occurs, personal information as well as the financial data used to produce the debit card accounts is stored to process the transactions. Since employers (and the government) use vendors (card issuers) to accomplish this task, this means we have sensitive information being transferred to third parties. It wouldn't surprise me if these third parties transfer the information somewhere else when they outsource it, all over again.

Perhaps what is needed is a common sense solution to the problem. As long as we keep sending information all over the place, it creates too many points where it can be compromised. The bottom line to all this is that we appear to be making it too easy for criminals to take advantage of the situation.

The costs are getting out of control, too. Although I've never seen any information on how much of this is going on, the Washington Post quoted a source from the security industry (Ori Eisen, 41st Parameter) as stating $50 million was lost in one month in New York City alone last year.

I wonder if any of our bail-out (taxpayer) money is being used to cover these losses. Although I can't say for sure, the people it was given to can't seem to say where it has gone, either. Granted, it might be a long shot, but the money had to be given to cover losses caused by people who were a little too greedy in the first place. We need to wake up and realize that there is no free lunch and that the costs of all these types of scenarios are passed on to all of us when history is written.

There is no such thing as zero fraud liability!

Tuesday, February 03, 2009

Increase in Scams Attributed to Economy

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites — which often spoof a financial institution or government entity — and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steals all these details automatically.

Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people into giving up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if the call is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out was small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account, and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation), and it's probably a good time for all of us to review our statements carefully.
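Since the point of these small charges is to hide among legitimate fees, the practical check is to list every small debit you did not expect and see which ones keep coming back. Here is a small added example of that check (my own, not from the WSJ article or any bank's software). The statement lines are constructed sample data, and the $10 threshold and the list of fees the account holder recognizes are assumptions you would adjust for your own account:

```python
"""Flag small, unfamiliar debits on a card or bank statement.

Added example, not from the original post. The statement below is constructed
sample data; KNOWN_FEES and SMALL_DEBIT_LIMIT are assumed values.
"""
import re
from collections import defaultdict

# Constructed sample statement: date, description, signed amount (debits negative).
SAMPLE_STATEMENT = """\
2009-01-03 MONTHLY MAINTENANCE FEE -5.00
2009-01-05 GROCERY MART #221 -84.17
2009-01-07 INTL TXN FEE -1.95
2009-01-09 WEBSVC*ACCT VERIFY -0.98
2009-01-12 PAYROLL DEPOSIT 1850.00
2009-01-15 ONLINE SVC RENEWAL -2.49
2009-01-19 WEBSVC*ACCT VERIFY -0.98
2009-01-22 GAS STATION 44 -31.02
2009-01-26 WEBSVC*ACCT VERIFY -0.98
"""

# Fee descriptions the account holder recognizes (assumed allowlist).
KNOWN_FEES = {"MONTHLY MAINTENANCE FEE", "INTL TXN FEE"}

# Assumed threshold: anything below this "looks like a fee" and is easy to overlook.
SMALL_DEBIT_LIMIT = 10.00

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+?)\s+(-?\d+\.\d{2})$")


def parse_statement(text):
    """Return a list of (date, description, amount) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), float(m.group(3))))
    return rows


def flag_small_unknown_debits(rows, limit=SMALL_DEBIT_LIMIT, known=KNOWN_FEES):
    """Return debits under `limit` whose description is not an expected fee.

    Each result is (date, description, amount, repeat_count). A small charge
    that recurs with the same description and amount is the pattern the
    article describes, so the repeat count is what to look at first.
    """
    counts = defaultdict(int)
    suspects = []
    for date, desc, amount in rows:
        if amount < 0 and -amount < limit and desc not in known:
            counts[desc] += 1
            suspects.append((date, desc, amount))
    return [(d, desc, amt, counts[desc]) for d, desc, amt in suspects]


if __name__ == "__main__":
    for date, desc, amount, n in flag_small_unknown_debits(parse_statement(SAMPLE_STATEMENT)):
        print(f"{date} {desc:<24} {amount:>7.2f}  seen {n}x")
```

On the sample data this flags the three recurring 98-cent "WEBSVC*ACCT VERIFY" debits and the one-off $2.49 renewal, while the two fees on the allowlist and the larger purchases pass. The allowlist is the important part: without it every legitimate bank fee would be flagged too, which is exactly the noise these charges hide behind.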

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article entitled "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the lookout for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are singled out and tricked into downloading malicious software onto their machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article — which is a pretty good recap of recent scam activity — is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was its lack of proper spelling and grammar. While the scammers might have learned to use spell check, it might also point to more and more people out of work (with better grammar skills) who are becoming scammers.

The WSJ quoted a lot of experts that agree with them that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report that was commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is being currently used to commit scams in the current economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, probably the best thing to do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping into anything of a financial nature these days.