Tuesday, April 28, 2009

NFCC Launches New Site to Assist Consumers in Financial Trouble

The National Foundation for Credit Counseling (NFCC) has revamped their web site to provide consumers in financial trouble with a wide array of e-tools designed to help them solve their problems. The site also provides access to an NFCC-certified counselor to work with them on a more personal (human) level.

“It can be argued that there has never been a time when consumers needed financial tools more. And, when you need help, you want it fast. You don’t have time to waste going from site to site. You might say the NFCC is the HOV lane of the Information Highway,” said Gail Cunningham, spokesperson for the NFCC.

Sadly enough, the current economic crisis continues to spawn a lot of too-good-to-be-true financial rescue schemes. These offers -- which frequently put the consumer in even more financial distress -- are being hawked via spam e-mails and other advertising venues at an alarming rate. The NFCC, which has been around for over fifty years, and is one place where a person can reach out for some legitimate help without getting themselves in even more financial hot water.

The newly redesigned site has a lot of practical tools including a printable budget worksheet for tracking monthly expenses, access to financial calculators to help understand how long it will take to pay off credit card debt, what amount of mortgage debt can reasonably be sustained, or how long it’s going to take to save enough money for that special purchase.

There are also consumer tips on relevant everyday topics such as saving, credit, debt, and job loss, among others; consumer resources such as NFCC publications and videos and useful links; and videos of financial fast facts along with real life success stories, and a “Tell Us Your Story” area for consumers to voice how they’re faring in today’s economic environment.

Consumers in financial distress can reach out to a live person at the NFCC Member Agency closest to them through a secure online portal. NFCC counselors can provide assistance and advice with credit counseling, housing counseling and bankruptcy counseling and education.

On a lighter side, there is even a poll where someone can express their opinion about the current financial issues and see how they compare with the rest of the country.

The NFCC has been in the news in the past few days for striking a deal with credit issuers to help consumers facing overwhelming credit balances get out of debt. Thus far, ten of the top credit issuers have agreed to roll out two special needs repayment plans, and the NFCC hopes more will follow suit.

Last month, according to Moody's credit card index, uncollectible credit card debt surged to a 20-year high at 8.82 percent. Additionally, the Fitch Credit Card Index reported credit card delinquencies have increased 36 percent in the past six months.
Michelle Singletary covered this story at the Washington Post. The NFCC also has more information on this in a press release they put out on April 15th.

The NFCC marked April as Financial Literacy Month and has launched a lot of events designed to promote financial responsibility. The newly designed site is one of them. The climax of their efforts is on April 28th when they present the National Survey Results on Consumer Financial Literacy to Congress.

Another event scheduled on April 28th will be a special MSN Message Board Event, where NFCC-certified counselors will be on-hand from 9 a.m. to 9 p.m. (Eastern Standard Time).
Besides providing e-tools to promote financial education, the NFCC can also be reached at 1-800-388-2227 to speak to a counselor near you. Para ayuda en EspaƱol Ilama al 1-800-682-9832.

Saturday, April 25, 2009

Scammers Exploiting MoneyGram Money Order Verification System

If you were scammed recently with a money order, the counterfeit might have been an instrument spoofing the MoneyGram brand. These money orders have been known to appear in all the too good to be true/don’t exactly make sense come-ons being passed by spam e-mails or via a direct solicitation in a chat room.

In case you are not familiar with all the variations of these come-ons, they include , but aren't limited to (new lures surface frequently), the secret shopper, romance, lottery, work-at-home and auction scams.

The common denominator in most of the scams is there will be a request to send the money you receive via wire transfer (if you don’t get caught), to the fraudster sending you this garbage for a small cut of the total amount. That is unless they are buying goods from you. In this case, the item you are selling is what they want.

In the past, a simple call to MoneyGram’s verification line (1-800-542-3490) normally was all that was needed to reveal the fact that the item was fraudulent. Unfortunately, this is no longer the case. The criminals producing these instruments are now taking advantage of a flaw in the automated verification system, which is tricking people into believing that the money orders are good.

When a MoneyGram money order is called in for verification, the system prompts the user to enter all the particulars of the instrument, including the serial number and dollar amount. If the system doesn’t spot a discrepancy, it gives out a standard disclaimer stating there are no stops or holds on the item. If the system catches a discrepancy, it directs the caller to a live operator during their business hours.

In recent weeks, I’ve received reports of this being exploited in two ways. In the first instance – a legitimate money order is purchased for a small amount (normally $1.00) –then is chemically washed and altered to reflect a large dollar amount. It is then passed before it registers in the verification system – and since the system doesn’t recognize the dollar amount – it gives out the standard disclaimer that tells the caller there are no stops or holds on the item. According to the people, I’ve asked, money orders do not register in the system for anywhere between 24 and 96 hours after being issued by a MoneyGram agent.

In these instances, since the item was printed on actual paper, it contains all the known security features. These include a heat sensitive circle, which changes color when rubbed.

A second variation of this scam has also been seen. In this variation, the instrument is a copy of a money order purchased for a small dollar amount. These will pass muster in the system as described above, but the security features will not be present. In this second version of the scam, the dates were printed to make it appear as if the item had been purchased several weeks before the legitimate item actually was. I suspect this was to trick people, who had already discovered the "washed instrument" mutation of this scam.

When I first started getting reports on these variations of the scam, I thought it might be only targeting a limited geographical area. Normally when washing items occurs, this is the case. Since then, I've discovered this is happening throughout North America and the items are being shipped using overnight services, such as Federal Express and UPS.

I have also had reports that these are being passed not only via online come-ons, but also by professional groups who specialize in passing counterfeit instruments.

I went to the MoneyGram site to see if there were any warnings about this specific scam and found none. They do have a consumer protection area on their site, which refers to all the come-ons to trick people to cash these items. They also have information on how to verify their product in the FAQ area for customers on their site.

The sad fact is that money order companies do not take a loss on these instruments. When the items is discovered to be a fraud – they return it to the institution who cashed it and the institution goes after (if they can find them) – the person who cashed them. With any money order, it is nearly impossible to be made whole by the issuing company, itself. In fact, many experts will tell you that accepting a money order is more risky than accepting a personal check. If you listen to the disclaimer on the verification line it tells you exactly that.

So far as getting these instruments in too good to be true online scams – with the sour economy – I am seeing more and more people who really want to believe they have come into a financial windfall. When they fall for these scams – one thing is for certain – which are they are going to be held liable for cashing the items when the scam is discovered. This will certainly include being held financially liable, but can also mean facing criminal charges.

So far as counterfeit MoneyGram instruments – although a lot of them seem to be out there – they are not the only items being counterfeited. U.S. Postal Money Orders have been seen frequently in the past, too. Recently, the U.S. Postal Service redesigned their product and has a new page on their site to help consumers verify their product. Counterfeit cashier's checks, money orders, gift and travelers cheques are also known to be frequently counterfeited and used in these types of scams.

If you want to learn more about these scams, I recommend going to fakechecks.org, where you can see some highly visual demonstrations of these schemes. Another good resource on this subject – particularly if you are a victim – is FraudAid. The folks at FraudAid actually provide resources and advocate for people falling for these scams.

Friday, April 17, 2009

Twin Reports Suggest We are Losing the Cybercrime War

According to Symantec, malicious activity in 2008 amounted to 60 percent of all the activity they have recorded since they started keeping records. Last year, they recorded 1.6 million new malicious code signatures and blocked 245 million malware attacks from their users every month.

Many of these attacks – when the words malware or malicious code are used – are designed to steal information (preferably financial) or take command and control of a computer. Once command and control of a computer is accomplished – it’s called a zombie and networked into a botnet. A botnet works as a super computer and is used to spam the electronic universe. Some of these spam e-mails contain even more malware, which infects more unprotected systems.

In 2008, Symantec saw a 31 percent increase in the number of zombie computers. In 2008, Symantec observed an average of more than 75,000 active bot-infected computers each day, a 31 percent increase from 2007. Symantec's latest report, which covers January to December of 2008, suggests that 90 percent of these attacks are designed to steal information. Attacks using key loggers – which log a computer's keystrokes and send them to the criminals who installed the malicious code – grew from 72 to 76 percent of the activity observed by Symantec's security lab.

Many of these attacks use a technique known as phishing, which is normally delivered in a spam e-mail. Phishing either tricks people into giving up their information (social engineering) or gets them to download malicious code, which makes the process automatic. Last year, Symantec detected 55,389 phishing website hosts, which is where you are sent if you click on a link in a phish-mail. Spoofed financial services companies accounted for 76 percent of these lures compared to 52 percent in 2007.

Spam, which delivers most of this activity, continued to grow, too. This equated to 349.6 billion spam messages in 2008 compared to 119.6 billion spam messages in 2007, which is a 192 percent increase. According to the monthly spam report from Symantec, last month's spam social engineering themes included mortgage rescue, tax season, terror and scareware (fake antivirus solutions) for the much anticipated Conficker worm that was designed to hit on April Fool's Day. Please note that Conficker a.k.a. Downdaup is still a problem, but it didn't spread it's gloom and doom on April 1st to the degree it was expected to.

Cybercriminals have always been quick to exploit the headlines and with the sour economy in the news have been targeting the financial industry. Here also, Symantec saw an increase of personal and financial information being stolen by using financial institutions as bait. In 2008, this amounted to 29 percent of the activity compared to 10 percent in 2007.

In their latest report, Symantec leveraged information from their recent Report on the Underground Economy which points to an organized criminal community that specializes in the sale of stolen personal and financial information. They noted that the economic principle of supply and demand has come into play with this underground economy due to a glut of stolen data – causing prices to go down.

Most of this stolen information is sold in electronic forums, such as websites and Internet Relay Chat (IRC) channels. These forums enable information to be sold worldwide and make the activity anonymous. Because the activity is anonymous, it is very difficult to investigate or shut-down. Credit cards go anywhere from less than a dollar to about $30 and bank account credentials sell for anywhere from $10 to $100. Much of the cost depends on the perceived value of information and the amount of it, which is purchased.

Symantec isn't the only one releasing a report showing an alarming increase information theft. Verizon just released a report showing that 285 million information records were compromised in 2008, alone. While the Symantec report focuses more on individual attacks, the Verizon report studies the impact large scale attacks on businesses and organizations. When combined, the information in these reports is pretty revealing.

According to the Verizon report, the 285 million records stolen are greater than what was known to be stolen in 2004 to 2007. I say "greater" because I've often speculated that the most valuable information stolen is the data no one knows has been stolen. After information is known to have been stolen, measures are taken to protect it. This makes it useless or at least a lot harder to use.

Recently, underground services have also popped up in these underground forums, which allow information thieves to see if the information they are buying hasn't been compromised (pun intended).

Verizon, who investigated 90 data breaches last year, noted that malware is now being designed to steal debit card and PIN information. The report also breaks down the point of compromise by industry and how the data was breached. For instance, in the past year 93 percent of the activity compromised was at financial institutions. Also cited was that most attacks were accomplished by external entities (73 percent) taking advantage of procedural flaws, but that when the breach was assisted by an insider (20 percent) more data was stolen.

The trend towards compromising debit cards and PINS is likely because these instruments are the quickest route to obtaining cash. Obtaining cash is normally the ultimate goal of an information thief and stolen debit card information accomplishes this with a minimum of effort.

Also covered are breaches caused by partners (32 percent), which are external entities providing services to a business. Please note these percentages add up to more than 100 percent, which means that multiple points of compromise can be attributed to any one incident in some cases.

Both reports are an excellent read and point to the fact that there is a glut of stolen information for sale on the black market, which isn't good news. The fact that more information is being stolen than ever before – even when security procedures are ramped up on a regular basis – is not good news, either.

Perhaps both of these reports suggest the obvious, which is we are not winning the war against cybercrime and the problem is getting worse. Historically, these losses have been written off and the cost is passed to the consumer. With the sour economy and the fact that a lot of the financial industry is already on the brink of bankruptcy, writing off these losses might no longer be a realistic solution.

The reason criminals can easily exploit this information is that we are storing it in too many places that are too easy to access. The reason this has happened is because a lot of people are making a lot of money by using and selling this information. Making the information easy to access makes it easier to make money from it. I'm all for making money, but at what point does it prove to be irresponsible?

No security fix is going to solve this problem without a healthy dose of common sense being infused into the scheme of things!

After all, the economy is already in a lot of trouble because of some of same people making a lot of money, irresponsibly. My guess is we are getting to the point, where we will no longer be able to write-off the cost of being irresponsible to the consumer, as well as, the taxpaying public.