Saturday, June 25, 2005

Fraud Gangs Plant Insiders

Although it is difficult to get specifics, organized gangs are now very much involved in the fraud business. Some of them are local; others, from Africa, Eastern Europe and Asia, operate in an international arena.

Many of these groups seek to recruit or plant people in organizations to steal information and/or commit large-scale frauds themselves. They put these plants in organizations to skim identities (identity theft) and to carry out embezzlement schemes. Some of these gangs are known to be violent and use coercion and threats of violence to persuade their targets to assist them. In the case of illegal aliens, the gangs are known to sometimes hold relatives hostage to force the illegal to do their bidding. It is also not unknown for employees to be kidnapped or blackmailed and forced to provide information and/or give access to financial assets.

Here are some generic guidelines to protect any business. Since personal safety can be at stake, these are also good guidelines for an employee to evaluate their own safety in their workplace.
  1. Protect your employees' personal information as diligently as you protect your customers'. This includes not displaying their full names anywhere someone could use the information to find out where they live.
  2. Personnel information and home telephone numbers should be protected and never thrown away without being destroyed. This information should be secured and access to it limited. Often plants are in contract agencies, such as those that provide janitorial/guard services.
  3. Train employees with access to sensitive information and/or financial assets to vary their routes to work and be wary of anyone following them.
  4. If one of these employees fails to show up for work and there is no apparent reason, find out why. Ensure you have good emergency contact information on each employee.
  5. Avoid letting the public distinguish which employees are new.
  6. Make your employees aware of gang recruitment efforts and ask that they report any attempts to a responsible party. Ensure that the employees are comfortable by maintaining strict confidentiality standards.
  7. Develop law enforcement contacts (Federal/Local) to determine if plants are known in your area.
  8. Be wary of changes in an employee's financial situation, such as coming into unexplained amounts of cash.
  9. When applicants are applying for sensitive/responsible positions, ask why they want that position and watch their demeanor when they answer.
  10. When doing reference checks on applicants, do a reverse directory lookup to confirm who you are calling. This can be done for free on the internet.
  11. Do thorough background checks, inclusive of criminal and credit records. Ensure the data on all reports matches the application and that any presented identification documents are valid. Be wary of applicants where no credit history exists, or it doesn't match other documents that show their personal history.

With all of the recent data intrusions and large-scale frauds, it is imperative that the business world become more diligent in protecting its people and assets. Awareness is key and, more and more, every person out there is on the front line of protecting our society at large. Should you spot any of this activity in your workplace, report it through the proper channels at work and/or to the authorities.

To view a memo from the OCC on this subject, click on the title of this post.

E-Commerce and Customer Confidence

The research firm Gartner conducted a survey of 5,000 people, which indicates that one out of three Internet users is buying less online. The reasons stated are the daily headlines reporting personal data being compromised, identity theft and the growing problem of phishing.

This survey indicates that 80 percent of the people surveyed have stopped opening e-mails from unknown sources. They are also using online banking services less frequently, with 14 percent of those surveyed indicating that they no longer pay their bills online.

This lack of confidence could have a serious effect on the profitability of major corporations. Electronic bills cost about half of what a paper one does and a lot of marketing is conducted via e-mail campaigns. The time is now for the private sector to take notice and invest more in protecting the confidence of their customers. Quite often, as I have stated previously, the people doing this sort of crime were not very sophisticated and one might deduce that some of these corporations could have been more diligent in their security procedures.

This growing problem (if left unchecked) has the potential to create a negative effect on the economy. Daily, we hear calls for measures that will reduce civil liberties (such as national identity bills), but the reality is that the true problem is one of lax laws and not enough enforcement resources allocated to combat what has become an international problem.

Wednesday, June 22, 2005

CardSystems Violated Mastercard/Visa Credit Card Rules

It has now come to light that in the recent breach of up to 40,000,000 credit accounts, CardSystems was gathering information on people that it wasn't allowed to gather. Allegedly, it was to determine why certain transactions wouldn't process.

There are also reports out of Australia that this fraud was spotted six months ago by banks over there, which again makes one wonder exactly who knew and when. The scope of this breach is far reaching, with cards in Europe, Asia and Australia being reported compromised.

In the end, many are saying that in previous years, this breach probably would have gone unreported and that these breaches are being reported now due to recent legislation in California, which requires disclosure.

It is apparent that more of this sort of legislation should be considered. There should also be outside auditing/investigations of these occurrences to protect the consumer and determine if laws were violated for profit incentives. Another thing to consider is that these types of intrusions are likely to erode consumer confidence, which can take a devastating toll on the financial well-being of these organizations. The time for effective action is now.

Sunday, June 19, 2005

Identity Theft at Large Corporations

It is now being reported that CardSystems, the affiliate of Mastercard International where 40,000,000 people's information was compromised, knew of the breach as early as May 22nd. They are saying that they were told by the FBI not to release the information, which presumably would give them (FBI) an edge in identifying the criminal(s).

Interestingly enough, today there are official statements being made by Mastercard that a much smaller number of accounts (68,000) are considered to be high risk. They are saying that the information exposed didn't include social security numbers and birthdates, which would be needed to assume someone's identity. Only 13.9 million of the credit card accounts were Mastercard. Estimates on the others (American Express, Discover and Visa) are not yet clear.

At this point, there seem to be a lot of differing estimates, and the information was kept quiet for a period of time. Unless someone could see some facts backing up these estimates and what information was taken, it would be hard for anyone to have a level of comfort as to what has actually occurred.

There seems to be an alarming pattern of these large-scale losses of personal information. Earlier this month, Citigroup reported that UPS lost loan information from 3.9 million customers of Citifinancial, which does personal and home loans. In February, ChoicePoint Inc. disclosed that fraudsters using stolen identities created fifty fake businesses that pulled personal information on approximately 145,000 people. In March, LexisNexis Inc. disclosed that fraudsters had broken into a database, giving them access to 32,000 people. In May, Merlin Information Services, which provides information to law enforcement, investigators and collections personnel, had 9,000 people's information stolen when someone posing as a professional investment advisor was given access to their database. There were also large numbers of people's information stolen from Bank of America and DSW Shoe Warehouse.

LexisNexis has since increased their estimate to 310,000 from their initial estimate of 32,000. It's hard to say what estimates are 100 percent credible. Did these organizations discover the full scope of the breach and is it in their best interests to disclose the information?

There is legislation being considered to better protect our personal information. It is imperative that we fully examine these recent events and consider the costs to the individual and to the credibility of our financial systems.