Saturday, October 29, 2005

Advance Fee Loan Scams

I was reading "Ask the Private Investigator," which is a blog that is linked to mine, and saw a post on Advance Fee Scams taking another "twist," or mutation. From there, I did a "news search" on Yahoo and found an article by Stephanie Zimmerman of the Chicago Sun-Times dated October 24th on this very subject.

Ms. Zimmerman writes:

"The loan approvals seemed like the end to their troubles, but little did two suburban women know, they were about to get even deeper in debt.

Sadly, they were not alone: More than 4.5 million Americans were said to have lost money to advance-fee loan schemes last year in an old ripoff that's seen a resurgence in Chicago and nationally. So-called loan brokers -- often people based across the border in Canada -- tell consumers they have been approved for a loan, then ask them to pay a "security fee" to guarantee they will make their monthly payments.

Once the money is wired, the "loan" disappears.

"We are hearing on a daily basis from people who have lost money to advance fee loans," said Steve Bernas, vice president of the Better Business Bureau of Chicago and Northern Illinois."

Most of the solicitations (ads) target people who have bad credit and promise loans even to those in bankruptcy. The ads are being found in "classified sections" and on the internet. The recently reported scams come out of Canada, which, more and more, is becoming an origin point for advance fee activity.

The FTC also has some recommendations on what to look for:

Don’t pay for the promise of a loan. It’s illegal for companies doing business by phone in the U.S. to promise you a loan and ask you to pay for it before they deliver.

Requiring advance fees for loans also is illegal in Canada.

Ignore any ad — or hang up on any caller — that guarantees a loan in exchange for a fee in advance.

Remember that legitimate lenders never guarantee or say that you will receive a loan before you apply, or before they have checked out your credit status or contacted your references, especially if you have bad credit or no credit record.

Don’t give your credit card, bank account, or Social Security number on the telephone, by fax, or via the Internet unless you are familiar with the company and know why the information is necessary.

Don’t make a payment to an individual for a loan; no legitimate lending organization would make such a request.

Don’t wire money or send money orders for a loan through Western Union or similar companies. You have little recourse if there’s a problem with a wire transaction. Legitimate lenders don’t pressure you to wire funds.

If you are not absolutely sure who you are dealing with, get the company’s number in the phone book or from directory assistance, and call it to make sure you’re dealing with the company you think you are. Some scam artists have pretended to be the Better Business Bureau or another legitimate organization.

Check out questionable ads by calling Project Phonebusters in Canada toll-free at 1-888-495-8501. If you live in the U.S. and think you’ve been a victim of an advance-fee loan scam, report it to the FTC online at http://www.ftc.gov or by phone, toll-free, at 1-877-FTC-HELP (1-877-382-4357).

Advance Fee Scams seem to mutate continuously. With ever-growing numbers of people gaining access to the internet, there is a larger pool of victims to be harvested by cybercriminals. Unfortunately, as this pool of victims grows, we are now seeing the less fortunate (people who already have financial problems) being taken advantage of.

You can read Stephanie Zimmerman's article at:

http://www.suntimes.com/output/news/cst-nws-loan24.html

For the FTC publication on this matter, click on the title of this post.

Friday, October 28, 2005

RFID, A Necessary Evil; or an Invasion of Privacy?

With the State Department's (United States) announcement of adding RFID (Radio Frequency ID) chips to passports, the controversies surrounding this technology are again making headlines. Please note that other countries, especially in the European Union, are also implementing RFID technology for identification purposes.

The Pakistan Passport Authority is already using RFID tags in its passports. This might be an interesting place to study its effectiveness because Pakistan seems to continue to be a sanctuary for terrorists and is known to be an origin and transshipment point for a lot of drug smuggling.

In recent years, RFID has been the "buzz word" in the security industry; however, there are those who challenge its long-term effectiveness. There are also those who fear that it will be abused, violating our rights to privacy, and even others from the religious community who fear RFID is the mark of the beast mentioned in the Book of Revelation (Revelation 13:16).

The definition of RFID in Wikipedia is "an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source."

The proverbial question is whether RFID is a necessary means of protecting ourselves, or whether in the end the technology will be abused to violate privacy, as spyware and adware have already done.

This technology has been around for a while. Currently, Wal-Mart and the United States Department of Defense are using this technology to manage their supply chains, as well as to prevent pilferage and theft. With decreasing costs, we can expect to see a lot more of this technology deployed by both the private and public sectors in the near term.

Besides being used for identification, RFID tags are being used as quick pay devices for fuel and tolls, theft tracking devices, to track animals and there have even been some implanted in humans.

One of the security concerns already raised is that if the ability to read these tags is too universal, they could pose a risk to personal location privacy, especially in corporate/military environments. Another concern being raised by privacy groups is RFID devices embedded in products (which aren't removed when purchased) that could be tracked from great distances. Because of this, they could be used for so-called "marketing" purposes, which invade personal privacy.

There are also concerns that these "tags" could be cloned.

If these tags could be cloned, they could be used in producing false identification, which is alarming considering the technology is being used for high security applications like "proximity cards used to access secure facilities, or vehicle immobilizer anti-theft systems which use an RFID tag embedded in the vehicle key. It is also a problem when RFID is used for payment systems, such as contactless credit cards (Blink, ExpressPay), the ExxonMobil Speedpass, and even in RFID enhanced casino chips."

"With wireless technology, RFID tags can be scanned from afar. Because of this, there is even more potential for abuse than the reencoding of magnetic stripe technology. There are defenses built into these tags, which fall into two categories. There are those that use "cryptographic protocols." A typical example of the "RF-based" defense relies on the fact that passive RFID tags can only be activated by a reader in close proximity, due to the limited transmission range of the magnetic field used to power the tag. RFID manufacturers and customers occasionally cite this limitation as a security feature which (intentionally or otherwise) has the effect of limiting scanning range. However, while this approach may be successful against direct tag scanning, it does not necessarily prevent "eavesdropping" attacks, in which an attacker overhears a tag's response to a nearby, authorized reader. Under ideal conditions, these attacks have proven successful against some RFID tags at a range of more than sixty feet."

"A second class of defense uses cryptography to prevent tag cloning. Some tags use a form of "rolling code" scheme, wherein the tag identifier information changes after each scan, thus reducing the usefulness of observed responses. More sophisticated devices engage in challenge-response protocols where the tag interacts with the reader. In these protocols, secret tag information is never sent over the insecure communication channel between tag and reader. Rather, the reader issues a challenge to the tag, which responds with a result computed using a cryptographic circuit keyed with some secret value. Such protocols may be based on symmetric or public key cryptography. Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited. This cost/power limitation has led some manufacturers to implement cryptographic tags using substantially weakened, or proprietary encryption schemes, which do not necessarily resist sophisticated attack."

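The difference between a fixed-identifier tag and the challenge-response scheme described above, as an added example that is not part of the original post or its quoted source. The class and function names are hypothetical, the identifier and key are constructed, and HMAC-SHA256 stands in for whatever keyed circuit a real tag uses.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Tag that answers every query with the same identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored

class KeyedTag:
    """Tag that answers with HMAC(key, challenge); the key never leaves it."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayDevice:
    """Stands in for a clone built from one overheard response."""
    def __init__(self, overheard: bytes):
        self.overheard = overheard
    def respond(self, challenge: bytes) -> bytes:
        return self.overheard

def reader_accepts(tag, expected_id=None, key=None) -> bool:
    """Reader side: send a fresh random challenge and check the answer."""
    challenge = secrets.token_bytes(16)
    answer = tag.respond(challenge)
    if key is None:  # static-ID system: compare against the enrolled ID
        return hmac.compare_digest(answer, expected_id)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(answer, expected)

def run_demo() -> dict:
    tag_id = b"TAG-0001"              # constructed sample identifier
    key = secrets.token_bytes(32)     # constructed per-tag secret
    static, keyed = StaticTag(tag_id), KeyedTag(key)
    # One response captured while each genuine tag talks to a reader.
    heard_static = static.respond(secrets.token_bytes(16))
    heard_keyed = keyed.respond(secrets.token_bytes(16))
    return {
        "static_genuine": reader_accepts(static, expected_id=tag_id),
        "static_replay": reader_accepts(ReplayDevice(heard_static), expected_id=tag_id),
        "keyed_genuine": reader_accepts(keyed, key=key),
        "keyed_replay": reader_accepts(ReplayDevice(heard_keyed), key=key),
    }

if __name__ == "__main__":
    print(run_demo())
```

The replayed static identifier is accepted, while the replayed keyed response fails because the reader's challenge is fresh on every scan.
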
Last, but not least, there are "social" factors to be considered. Even with the best technology available, we have seen many technologies "hacked" that are supposed to protect us today. In the past couple of years, we have also seen massive data intrusions, many of which were accomplished by simple theft and/or insider collusion.

In fact, a lot of the organized gangs committing fraud today have access to a lot of displaced "highly educated" computer scientists, who already assist them in hacking technology at every turn for their criminal purposes. This is especially true of the area formerly known as the Soviet Union, where a lot of these gangs are based.

One of the reasons we are considering this technology is certainly the 9-11 attacks. We can implement the best technology available; however, unless it is worldwide, the "bad and the ugly" will be able to obtain identification based on other identification. In fact, several of the 9-11 attackers did just this in Virginia. In other words, it probably wouldn't have made any difference if RFID technology had been in place in the 9-11 disaster.

Technology is merely a tool. Even though it continues to amaze me how quickly it advances, it doesn't replace the human mind. While RFID technology is a tool to use for our protection, we must continue to examine whether or not it has potential for abuse.

TrustWatch Search Engine

There is a new free search engine designed to protect people from fraud, phishing and financial misdeeds on the internet.

"GeoTrust, Inc., a leader in identity verification solutions for e-business and a leading issuer of digital certificates for web security, today announced an expanded set of features for TrustWatch(TM) Search, the first free trusted search service aimed at helping consumers avoid becoming victims of web-based fraud, identity theft and phishing scams. In its initial release, the TrustWatch Search service verified sites that were secure for e-commerce and confidential transactions; now, the service verifies many content sites as well. Additionally, Certified Store rating data from CNET is displayed within TrustWatch to allow consumers to consider additional data when evaluating online merchant sites."

"Sites that can be verified receive a green "verified" rating; sites that do not have enough data to be verified, but are not known to be fraudulent, receive a yellow "not verified" rating; and known fraudulent sites display a red "warning" rating. If a site is deemed to be both verified and secure for the exchange of confidential data, it receives a lock icon next to the green verification rating."

If anyone would like to take a look at it, go to: http://www.trustwatch.com/.

According to their press release: "TrustWatch Search also works with leading providers of blacklist data, such as Cyota and the Anti-Phishing Working Group, to alert consumers to fraudulent sites. TrustWatch Search uses Ask Jeeves search technology to provide search results."

Another good feature of this site is that the average person can report suspicious sites. The average fraudulent website is normally only up for a matter of days, and since "Trust Watch" shares and reports their information, this could become a valuable "intelligence" resource that aids awareness, investigation and prosecution. As always, I highly recommend and encourage people to report suspicious activity.

Unfortunately (for me), this site only has a "yellow" (not verified) rating thus far. Maybe one of these days, I will get a "green rating."

To read the entire press release, click on the title of this post.