Saturday, December 30, 2006

The Road Home for Katrina Victims is Frustrating

With all the allegations of "poorly spent money" in the hurricane disasters, it's become apparent that a lot of money hasn't reached the people, who need it.

For instance, take the "Road Home Program", which has paid a company called ICF International over $60 million to issue $4 million in checks. The program is intended to assist victims in getting back into "livable housing," and will manage the distribution of $7.5 billion in federal relief money.

ICF International is a "consulting firm" based in Fairfax, Virginia. According to Wikipeida, it's services have been used by the U.S. Environmental Protection Agency, the Department of Homeland Security, the Department of Energy, the United States Postal Service, and Housing and Urban Development.

The program has it's own website, which states:
The Road Home program was created by Governor Blanco, the Louisiana Recovery Authority, and the Office of Community Development. The program is funded by the U.S. Department of Housing and Urban Development.
There has been a lot of criticism that ICF has been slow to fill positions for the project. Interestingly enough, there are a lot of positions (still not filled) advertised on their website.

The Times Picayune did an excellent assessment of the lack of program staffing, here.

The "Road Home" website also states that it dispels a lot of myths about the program, but it appears not everyone is "buying their version" of what is going on.

Because of the allegations of "mismanagement," the Louisiana House and Senate have passed two resolutions to terminate ICF's $756 million contract. They are also calling for an investigation into "possible conflicts of interest."

The Times Picayune reported:

The House and Senate, in separate unanimous votes, also passed House Concurrent Resolution 34 by Rep. Cedric Richmond, D-New Orleans, ordering a special legislative panel of New Orleans lawmakers and the Louisiana Recovery Authority -- the state agency overseeing recovery operation in the state -- to investigate ICF's handling of the contract. It was amended by Rep. Jim Tucker, R-Algiers, to also urge the federal Securities and Exchange Commission to probe ICF's public stock offering, shortly after winning the state contract, for possible conflicts of interest.

The Times Picayune article, here.

Sue Sturgis, who writes for Facing South, has also written some interesting commentary on the program.

Ms. Sturgis points out that ICF initially was involved in a contract to help the state decide how to spend federal grant money, which conceptualized the "Road Home Program." During this time frame, ICF decided to seek the "lucrative program administration project."

When the Louisiana Board of Ethics raised concerns that this contract might be perceived as giving ICF an unfair advantage in getting the larger contract, ICF ended the initial one. The payout for the first contract was $900,000, while the Road Home Program could pay ICF up to $756 million.

She also brings out other concerns the Board had with some of the banking relationships that were being proposed by ICF to administer the funds.

Facing South article, here.

Whether conflicts of interest exist remains to be seen. What can be clearly seen is that taxpayer money intended to help Katrina victims isn't getting to those who need it very quickly.

Red tape and excuses aren't going to be acceptable when there are a lot of people still living in "not very nice" conditions.

And until this matter is rectified, there are going to be "voices" calling for some "accountability."

Some of these voices are getting pretty loud.

This month, federal investigators plan to release audit results on contracts given to "so called" politically connected firms in the Katrina crisis. Speculation has it that these audits are going to reveal additional concerns about how money was squandered in the Katrina aftermath.

Friday, December 29, 2006

Ask Eric if there is "Zero Liability" in Identity Theft

Sometimes to understand what an identity theft victim is faced with you need to hear about it from a person, who has actually experienced it.

We live in a world where our information is gathered, sold and not protected very well. Meanwhile, there seems to be an army of fraudsters compromising credit issuers, who issue credit without checking very carefully.

Then there is the advertising, which claims that their financial products have a "zero fraud liability."

The Boston Globe did an interesting story that shows the liability innocent people face when they become identity theft victims.

Beth Healey writes:

Eric W. Carroll's credit report says he has a home in Florida, a wife named Katrina, and a pile of unpaid bills.

He first learned this when a debt collector called him in 2002, dialing his apartment in Bridgewater, yet asking for an Eric W. Carroll from Avon Park, Fla. Carroll insisted there was some mistake: He was not married, and he had never lived in Florida.

Nearly five years later, collectors are still hounding the wrong Eric Carroll.

Boston Globe story, here.

And even though Eric seems to have done all the right things, he seems to still be suffering.

There is no zero liability for identity fraud and we need to stop "sugar coating" the true impact it has on individual people.

Here are two places, I've recently "blogged" about where people can voice their opinion to people that can make a difference:

Tell it to the Identity Theft Task Force

Consumers Union Calls for Congress to Protect People's Personal Information

Government uses "phishing" techniques to test information security

Internet abuse in the workplace has been a concern for a long time.

Now the federal government is going to phish their own employees to determine if they will "click" on malicious links.

Wade-Hahn Chan of FCW.com reports:

Phishing is a technique of tricking or coercing users into giving up personal information, revealing log-in names and passwords or visiting malware or virus-infected Web sites. The government-sanctioned attacks will be designed to test how well federal workers adhere to organization's e-mail security policies.


FCW.com article, here.

Most stories about phishing concentrate on attacks for personal information, which is later used in financial crimes. While this type of phishing is bad enough, spear phishing targets an organization's information.

With the amount of data breaches - both in the private and public sector - the concerns that employees might be compromising large amounts of information is very real. If anyone wants to see a long list of these breaches (courtesy of the Privacy Rights Clearinghouse) compiled in the past couple of years, you can do so, by clicking here.

No matter how much security you use to protect a system, most of it proves worthless, if a person with access compromises it.

And although most stories about phishing emphasize the impact this has on identity theft and financial crimes, espionage is a valid concern, also.

This might be a very effective tool to raise "employee awareness" on "information security."

Thursday, December 28, 2006

Federal Trade Commission will fight Internet Crime across Borders

Internet crime of often "elusive" because it crosses borders with "a click of a mouse." To fight this a new law has just been signed by President Bush, which gives the Federal Trade Commission a license to go after the problem at it's source.

In their recommendations to Congress, the FTC wrote:

Using Internet and long-distance telephone technology, unscrupulous businesses can strike quickly on a global scale, victimize thousands of consumers, and disappear nearly without a trace, along with their ill-gotten gains. For example, deceptive spammers can easily hide their identities, forge the electronic path of their email messages, and send messages from anywhere in the world to anyone in the world. Fraudulent overseas telemarketers can also victimize American consumers and hide their ill-gotten gains in offshore bank accounts.

The US Safe Web Act contains the following provisions:

Broadening Reciprocal Information Sharing and International Investigative Cooperation.

The FTC can now share confidential information in consumer protection cases with foreign law enforcers. The Act further allows the FTC and foreign law enforcement agencies to obtain investigative assistance from one another, while exempting information from foreign agencies from public disclosure laws. This provision addresses the concern expressed by some foreign government agencies that materials they share with the FTC might be publicly disclosed in response to an inquiry under the Freedom of Information Act (FOIA). This concern is reflected in certain foreign laws where the foreign consumer protection agency is not permitted to share information with the FTC unless the information is kept confidential. For example, Canada's Competition Act and the European Unions enforcement cooperation regulation contain such confidentiality requirements.

Enhancing Confidentiality of FTC Investigations.

Prevents notifying subjects of investigations if they may be likely to destroy evidence or move assets offshore.

Protecting Certain Entities Reporting Suspected Fraud and Deception Violations.

The Act protects a limited category of entities from liability for voluntary disclosures to the FTC relating to suspected fraud and deception. This provision is similar to longstanding protections for financial intuitions making disclosures to the FTC and is necessary to encourage reporting of suspected violations to federal agencies.

Allowing Information Sharing with Federal Financial and Market Regulators.

This provision assists the FTC in tracking proceeds of fraud and deception sent through U.S. banks to foreign jurisdictions so they can be returned to victims.

Enhancing Cooperation between FTC and DOJ in Foreign Litigation.

Permits the FTC to work with DOJ to increase the resources relating to FTC-related foreign litigation, such as freezing foreign assets and enforcing U.S. court judgments abroad.

Clarifying FTC Authority to Make Criminal Referrals.

Authorizes the FTC to share information with criminal authorities, which will improve information sharing with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue.

Report to Congress.

The Act requires the FTC to report to Congress within three years from the date of enactment, describing the use of the FTC's expanded authority and activities under the Act.

US Safe Web Act FTC document, here.

Although this law has just been enacted, it takes away a lot of the barriers to effectively going after individuals and organizations (businesses) that enable the growing problem of cybercrime.

Recently, I've written that technology will never solve Internet crime. It might stop it, or slow it down - but in the end "technology defeats technology."

Holding individuals and organizations accountable is likely to be a lot more effective. This new law breaks down a lot of the barriers that have prevented law enforcement agencies from doing so.

This (in my opinion) is a start in the right direction.

Interestingly enough, Microsoft has taken a similar approach - taking legal action worldwide. Here is a previous post, I wrote about this approach:

Does Microsoft's Approach to Addressing Counterfeiting Make More Sense?

Wednesday, December 27, 2006

Tell it to the Identity Theft Task Force

Fighting Back Against Identity Theft - Federal Trade Commission

On May 10, 2006, the Federal Identity Theft Task Force was formed and has been working on what some believe is a national crisis. And it very well could be, identities are a very personal matter and should be considered, "sacred."

Now they soliciting advice from the public on how they can improve upon the recommendations they've already come up with.

I got this from the press release on the Federal Trade Commission's website:

The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft. The public comments on these issues will supplement the research and analysis being conducted, provide further information about the proposals being considered, and identify areas where additional recommendations may be warranted.

You can visit the Federal Identity Theft Task Force's site, here.

For all of us who have been "ranting" about this problem, here is our chance to voice our opinions and make a "difference" in what has become a significant problem.

The site has a lot of resources for victims and those who might become one.

They also have two "interesting" ten-minute videos about identity theft:

English, here.

Espanol, here.

Tuesday, December 26, 2006

More Allegations of Money Wasted in Katrina

Recently, I blogged about - whether or not - we would ever discover how much money was wasted in the Katrina disaster. Unfortunately, this statement is turning out to be more accurate that I would have liked it to have been.

Hope Yen of the AP is reporting:

Federal investigators have already determined the Bush administration squandered $1 billion on fraudulent disaster aid to individuals after the 2005 storm. Now they are shifting their attention to the multimillion dollar contracts to politically connected firms that critics have long said are a prime area for abuse.

In January, investigators will release the first of several audits examining more than $12 billion in Katrina contracts. The charges range from political favoritism to limited opportunities for small and minority-owned firms, which initially got only 1.5 percent of the total work.
Government officals (past and present) are now alleging that the dollar amount wasted could exceed $2 billion.

AP story (courtesy of the Washington Post), here.

It will be interesting to see how this plays out and what evidence is brought to light as a result of this.

The sad truth is that there are still a lot of people suffering as a result of this disaster. And it doesn't make sense that they should be when this kind of money was available.

Here is a post, I wrote about the results of a recent GAO (Government Accountability Office) audit:

Will We Ever Discover the True Losses in the Katrina Disaster?

Saturday, December 23, 2006

It's illegal to ask someone to send in "fees" for a loan!

Fake websites offering loans, or credit cards at "too good to be true" terms are taking advantage of the post-Christmas blues. If an unwary person responds to them, they will ask for "up-front" fees before issuing the loan, or credit card.

Bottom line is that it is ILLEGAL to ask for up-front fees in order to secure a credit-card, or a loan. If someone asks you to do this, it's a scam!

The person sending these fees never receives the loan, or credit card and becomes an advance fee loan fraud victim.

Annys Shin of the Washington Post writes:
The scam has been around for decades. Many consumers are not aware that it is illegal to charge lending fees in advance. People with poor or no credit are enticed by ads, direct mail solicitations or telemarketing calls promising fast money at favorable terms.

The Internet has made it easier for scam artists to find victims. Consumers are drawn in by legitimate-looking Web sites, complete with privacy policies, customer service numbers and online loan applications. Soon after filling out applications, the victims typically receive phone calls saying their loans were approved, but because of their credit ratings, they must first wire deposits or collateral.

Washington Post article, here.

Fake websites are nothing new - they are used in a lot of Internet criminal activities. The Artists Against 419 go after some of these websites, which may be viewed, here.

I just did a post the other day citing a FTC action against a payment processor, who was aiding some of these advance fee criminals, here.

And if you spot one of these scams, or have been a victim of one - I highly recommend you report it to the FTC, here.

2006 was the Year of Internet Crime - 2007 is predicted to be even worse

Have you noticed spam getting past your e-mail filters lately? You're not alone, experts are saying 2006 was the worst year ever in Internet crime - and it appears - security fixes are being defeated.

Brian Krebbs (Washington Post) is warning:

Few Internet security watchers believe 2007 will be any brighter for the millions of fraud-weary consumers already struggling to stay abreast of new computer security threats and avoiding clever scams when banking, shopping or just surfing online.

Washington Post story, here.

Brian cites that in October 90 percent of all e-mail received was spam. And most spam is a come-on for one fraud scheme, or another.

Since "security fixes" are being defeated pretty quickly by organized criminals - who allegedly hire their own computer security experts - the only viable recourse is to go after the source(s) with the intent to put the people behind it out of business.

Resources allocated to fund the investigation of financial crimes are (normally) not funded very well and the people investigating them are "overwhelmed." Maybe we should take some of the money being spent on developing "fixes" and use it to solve the real problem, which is a social one. Prevention seems to only work temporarily.

Security fixes are needed, but if we don't aggressively go after the sources, the criminals develop countermeasures and we have to start all over again.

After all - it seems that organized criminals and some say, terrorists are flocking to this activity because it's financially lucrative and a lot less dangerous than other criminal activities. Until we make it more dangerous for them, the problem is likely to keep growing.

John Bambenek (Assistant Politics Editor for Blogcritics and academic professional for University of Illinois) recently wrote a compelling essay about this subject, here.

Here is a previous post, I wrote about why we are approaching this problem the wrong way:

Are We Addressing Cyber Crime from the Wrong End

Fraudulent Gift Cheque Update from American Express

Since September, I've been writing about counterfeit American Express Gift Cheques showing up in a variety of Internet fraud schemes.

Readers have reported receiving these items primarily as a result of work-at-home scams, but they can show up in a variety of Internet fraud come-ons. They might also show up in secret shopper, romance, lottery and auction scams.

The fraudsters want you to cash these counterfeit gift cheques and send (normally wire) the money back to them. When they are discovered to be fraudulent - you end up taking the "rap" and they disappear in an "electronic mist."

Several readers reported being asked to wire the money to Nigeria and the United Kingdom. I recently wrote a post based on large amounts of counterfeit financial instruments being found at airports in the United Kingdom (allegedly from Nigeria), here.

Most of the counterfeit gift cheques, seen thus far, have been in the $500.00, or $1000.00 denominations. Note American Express doesn't issue gift cheques for more than $100.00.

American Express states in their bulletin that gift cheques are safe when verified prior to negotiating them. Anyone can call them and verify an item at 1-800-525-7641.

Unfortunately, a lot of people don't verify these items. Many people have also deposited them, initially received credit, and then had their accounts garnished when the items returned.

I've also had a couple of people write me and say they were arrested for trying to cash them. Presenting counterfeit financial instruments is considered a crime in most places. It will be up to the person arrested to prove they were a victim of a scam and not involved, intentionally.

American Express gift cheque bulletin, here.

Listed below are the posts, I've written since September, along with some scary comments from readers:

Counterfeit American Express Gift Cheques

Counterfeit American Express Gift Cheques (Update)

American Express Gift Cheques Being Circulated in Internet Scams

American Express gift cheques aren't the only items that have been counterfeited and passed via Internet scams. In the past we've seen a lot of Postal Money Orders and Travelers Express (MoneyGram) money orders being counterfeited, also.

Tuesday, December 19, 2006

Is Spending $550 Billion on RFID Going to Protect Us?

RFID is making the news again and some prominent politicians are saying we need take a hard look at it before we spend $550 billion (11 billion for each State) implementing it.

RFID is being implemented, or being recomended for implementation (worldwide) to verify a person's identity electronically when identification is presented. And there are people claiming it can already be compromised, or that it is just a matter of time before it will be.

EWeek wrote an interesting article about this about why two of our leaders don't feel RFID is safe, or a wise investment of taxpayer resources:

Sen. Daniel Akaka, D-Hawaii, and Sen. John Sununu, R-N.H., said they take issue with the technological implications of the act.

Sen. Akaka said that if the proposed national database were to be breached it would "provide one-stop access to virtually all information necessary to commit identity theft," and pointed to a study by the National Governors Association estimating that states would have to come up with a total of about $11 billion each to implement the necessary infrastructure to verify information electronically. Akaka will chair the Senate Homeland Security and Governmental Affairs subcommittee the group that has jurisdiction over the relationship between the federal and state governments in 2007.

The Emerging Applications and Technology Subcommittee, part of the Data Privacy and Integrity Committee that advises DHS, toned down its harsh criticisms of RFID technology used to identify individuals referring to the e-passport and PASScard ID card in a report released Dec. 13.

EWeek story, here.

And in another story a few thousand miles away from Washington, an Aussie hacker is claiming he can already hack Australian and British passports.

Sydney Morning Herald story, here.

Technology, including RFID is making people billions of dollars. Unfortunately, there is growing evidence that RFID isn't 100 percent secure. If RFID is easily hacked, there will be other (or maybe the same people) making a lot of money selling "security" to protect people from it.

Tracking inventory in Walmart's supply chain is one thing, but tracking humans is something that needs to be thought out, carefully. And $550 billion is a huge expenditure of the taxpayer's hard-earned money! We need to ensure this is a wise investment and that that individual privacy doesn't suffer because of it.

You can read Senator Akaka's press release on this subject, here.

And to go to Senator Sununu's page (couldn't find a release about RFID yet), click here.

For my previous posts on this subject, click here.

Monday, December 18, 2006

Colorado Identity Theft Victim Shares Her Personal Feelings on the Immigration Raids

When I saw the recent immigration raids in Colorado and all the "media spin" on them, I had a lot of mixed feelings about the issue.

Then I came upon an interesting editorial from an actual identity theft victim.

The Nothern Colorado Tribune published a story by Teresa Myer, identity theft victim and free-lance writer, which said:

As I learned of the immigration raids taking place throughout the country Tuesday, I wondered if one of those arrested was me.

Since 2001, someone has been using my name and Social Security number to gain employment as a seasonal worker.

In June 2004, I received a letter from the Internal Revenue Service, stating I owed more than $1,200 in taxes for "unreported income." The businesses that reported that I had been working for them included a pecan sorting facility in Deming, N.M., and several ConAgra facilities in Texas, Colorado and New Mexico.

Teresa's story goes on to express the long-term problems identity theft victims face, here.

The reason I had a mixed feelings about the immigration raids was because I have nothing against people trying to realize the American dream, but on the other hand, illegal immigration is becoming a big problem.

The problem is that an organized criminal element seems to be controlling their access to our dream and there are "greedy businesses," who benefit financially by not paying a "fair wage." There is also a substantial "social cost," when government services are being used to provide benefits at everyone's expense. And the cost has gotten so "high," some government programs are literally going "bankrupt."

Perhaps, if the "greedy businesses," were forced to pay for these benefits, hiring illegal aliens wouldn't be so profitable?

If you would like to read more about organized criminals providing other people's identities to fuel this problem, I wrote this post a few months ago:

Mexican Organized Crime Ring is Mass Producing Fake Documents ...

Sunday, December 17, 2006

Consumers Union Calls for Congress to Protect People's Personal Information

The Consumers Union is calling for voters to let their elected officials know they are concerned about identity theft.

Here are what the Consumers Union considers to be the key issues:

In every state, you should be able to place a "security freeze" on your credit file so thieves can't open new accounts in your good name. Companies and agencies should be required to notify you when the security of your private information has been breached. If lawmakers are serious about making us more secure, this should be the first thing they do when they return to Washington. Help us send this clear message now to your Congressional Representative and Senators.

If you are concerned about this issue, you can add your thoughts by sending a message to Congress, here.

The last time this issue came up before the election - a bill was being pushed through. Here is more information on it and what I wrote about it:

Don't Allow HR 3997 to Take Away Rights from Identity Theft Victims

This bill is still pending - and if passed in it's current version - it threatens to mute State laws already enacted to protect people from identity theft.

Click here to Guard your Identity

Saturday, December 16, 2006

Boeing Holds Employee Accountable in Laptop Theft

Laptops are stolen all the time - and far too often - they contain personal and financial information that can be used for identity theft purposes.

The Boeing Company announced Thursday that they fired the employee, who had their laptop stolen and compromised 400,000 people's personal information. This wasn't the first Boeing employee that lost a laptop containing sensitive information.

Boeing is saying that the computer was "password protected," and they believe the intent of the thief was to steal the laptop rather than breach the information on it. They are also saying that there is no evidence of identity theft, but are "assuming the worst case scenario."

I sometimes wonder if the same public relations firm prepares all these statements. They all say about the same thing - that there is no evidence the information has been used to commit "identity theft."

Of course, with all the attention brought upon this, even if the original motive was to steal a laptop, the thief probably is now aware the laptop contains a lot of information that can be sold for a price.

It's become pretty easy to find a place to sell stolen information with carder forums designed to do so operating on the Internet. Previous post, here.

The employee was terminated (fired) for not having the information "encrypted" per Boeing policy, which was implemented because of the earlier "laptop thefts."

Even if the information were encrypted - in theory at least - encrypted data can still be hacked by someone with the knowledge to do so. Another problem is that if information can be downloaded, it can be compromised by a dishonest insider, or with a "compromised password."

Just last week, the media was awash with stories of IT students being "courted" to work for organized criminal groups - which more and more - seem to be getting involved in technology based crimes, including "identity theft."

I did a post with my thoughts on this matter, here.

In all fairness, Boeing isn't the only organization losing laptops with personal information on them. The Privacy Rights Clearinghouse, which maintains a chronology of "known data-breaches," hit the 100 million mark this week (number of people compromised in the U.S., alone). Just this week, they documented eight "known" breaches.

Note, they can only document the "known breaches" and breaches that previously were "unknown" seem to be appearing, all too often.

Encryption and computer security measures are only one part of the solution. It's the information that the bad guys are after and we need to stop keeping it in places where it's too easily stolen.

Firing one employee is unlikely to have any impact on the overall problem.

James Wallace, Seattle PI has an extensive article about the Boeing story, here.

Discarded Computers might still have a lot of Sensitive Information on them

One of the ways identities are compromised is when computers are discarded without properly "washing" the hard-drive with specialized software, or destroying the hard-drive, itself.

I did a post in about this, here.

Bill Lambrecht of the St. Louis Post - Dispatch wrote an interesting article, where they purchased several old computers in Nigeria and were able to get a lot of information from them.

Interestingly enough, he quotes a prominent Nigerian, Oladele Osibanjo, who is a regional coordinator for the Basel Convention - a global treaty intended to protect people from the mishandling of hazardous materials as saying:

"The e-waste you are exporting is coming back to you in the form of cyber-crime. Maybe when Americans realize what is happening, they will be a little more careful."

While Mr. Osibanjo is trying to warn us about identity theft, I'm certain his true concerns lie more with hazardous materials that are damaging people's health in other countries. When I went to their site, the fact that this occurs, alarmed me.

St. Louis Post - Dispatch article, here.

Although the article is extremely informative - and there is ample proof of fraud coming from Nigeria - I continue to be amazed at the amount of press they receive about it.

With the recent ABC 20 20 story brought about by a certain former politician, who is behind bars and might be Chelsea Clinton's father-in-law someday, Nigerian fraud is again making headlines.

Stealing and using information is a worldwide problem and there are criminals involved in the "trade" in a lot of places.

So far as Chelsea, it must be hard to be Bill and Hillary's daughter, and she certainly doesn't seem to get in as much trouble as some twins, who were in South America recently.

Saying that, the story calls attention to what I consider the potential of a huge problem. Companies and organizations are constantly upgrading their computers and a lot of them get discarded.

Besides identity theft, there is a huge potential that "sensitive information" could be sifted from these hard-drives that would compromise trade secrets, or even government information.

Friday, December 15, 2006

Romanian Second-Chance eBay Scammers Busted

The federal authorities are charging twenty-one Romanian fraudsters, who scammed a lot of people in second chance auction scams. According to the federal authorities, the scam was active for about three years and a lot of the victims lived in the Chicago area.

From the article, it was one of the (now) notorious second-chance scams, where a person is given a second chance to win an auction and asked to wire money to a distant locale (in this instance Romania).

Of course, once the money is wired, the person who sent it, never receives "fair value" for their hard-earned money. Please note that wiring money is a "common ploy" in all sorts of Internet scams. I would take a deep breath, when asked to wire money on a transaction (normally overseas) that seems a little "too good to be true."

In this instance, the federal authorities are asking for people, who think they might have been victims to come forward:

Anyone who believes they may have been a victim may e-mail inquiries to usailn.victim.witness@usdoj.gov. Include your name, address, phone number, 10-digit Western Union Money Transfer Control Number, amount transmitted, date funds were provided and the name of the individual to whom the funds were sent. Victims may also call a toll-free hotline number for updates about the case – (866) 364-2621.

Second chance scams have been active on auction sites - you can read all about them on Google, here.

Western Union has a page warning people about wiring money to people they don't really know, here.

I read about this on CBS2chicago.com, who has more details on this story, here.

Tuesday, December 12, 2006

Another Record Set for Phishing and it appears Anti-Phishing Measures are being Defeated

Brian Krebs of the Washington Post did an interesting post on his blog about how phishing is increasing (again) and how anti-phishing measures (some recently marketed to users) are failing already.

Brian writes:

The Anti-Phishing Working Group reports that 52 percent more phishing sites were recorded on the Internet than a month earlier and nine times as many as were spotted in October 2005. The steep increase coincides with a massive spike in the volume of spam circulating on the Internet. According to e-mail security firm Postini, 90 percent of all e-mail these days is spam.

Brian's post, here.

Also mentioned is "Rockphishing," which takes advantage of zombie computers formed into botnets. The result is that it is making phishing extremely hard to trace.

Brian did an excellent job in his post - and I highly recommend reading it.

I wrote recently about how technology isn't winning the war against cybercrime. It seems like a lot of expensive anti-phishing software is proving this all over again.

Maybe a better approach would be to follow the money instead? After all - I'm pretty sure that is what the cybercrimals are really after.

Will We Ever Discover the True Losses in the Katrina Disaster?

The Government Accountability Office (GAO) has issued another report stating that the fraud losses in Katrina and Rita are a lot higher than previously disclosed to the public.

The report states:
  • Almost $20 million in double payments was paid to people claiming damage to the same property in both hurricanes (Katrina and Rita).
  • Almost $17 million in improper or fraudulent "rental assistance" payments given to people already receiving free housing.
  • 500 foreign students received $3 million in aid.
  • $156,000 was given to foreign workers on temporary visas.

Sadly enough, the report indicates that FEMA disabled a system (edit check in NEMIS) that would have caught people using duplicate information (social security numbers) to make claims in both hurricanes. In five of the six cases examined, the claimants didn't even have to provide proof that they had conducted repairs after receiving money for the first claim.

I have no personal experience with "edit check in NEMIS," but computers run pretty fast in today's world, and it doesn't make sense to me that an entire system designed to detect fraud was disabled?

Didn't we have enough personnel to do a manual check when duplicate social security numbers were noted? And even if this were so - why didn't FEMA take action (themselves) to identify the issues before the GAO investigated?

The use of other people's social security numbers is nothing new and probably could have been anticipated, fairly easily.

There is also a lot of missing equipment. The report shows that 34 percent of the property purchased to aid efforts has either been lost, or stolen. In the case of 2o flat bottom boats purchased - only two remain missing - however twice the retail price was paid to a vendor, who also failed to pay for 11 of the boats he sold to the government.

Even scarier, the report indicates that FEMA overstated the amount of found property reported in July hearings to Congress. This was based on an e-mail sent by DHS (Department of Homeland Security) on the eve of the hearings.

FEMA's estimate of the monetary impact of fraud in Katrina was $290 million, however if one is to believe the GAO report, the real losses surpass $1 billion.

With the stories that surfaced about prison inmates making claims and stolen information (social security numbers) being used in claims for addresses that were vacant lots - it's entirely possible that there is additional fraud that hasn't, or never will be discovered.

There were also a lot of stories of charities being defrauded and even fake charities being set-up. The GAO report only addresses the fraud losses incurred by the government.

GAO report, here.

Report Fraud, Waste and Abuse to the GAO, here.

FraudNET (Report Fraud, Waste and Abuse)

One might come to the conclusion that we wasted a lot of money on Katrina, but this is far from being true. In fact, a lot of people are still suffering as a result of these disasters, and the truth is that the money could have been used for better purposes.

I plan to explore this more in detail in future posts, but for now, I'll pass on a site that is devoted to the real victims in these disasters:

Beyond Katrina: The Voice of Hurricane & Disaster Recovery

Monday, December 11, 2006

Hotmail Accounts being held for Ransom

Websense sent out an alert showing how Hotmail accounts are being held for ransom. Here's the warning (courtesy of Websense):

Websense® Security LabsTM has received reports of a new form of cyber-extortion. Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.

In this case, the end-users had recently visited an Internet cafe where their credentials may have been compromised.

The email, which was poorly written in Spanish, roughly translates in English to:

"If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"

Websense alert, here.

Computers at Internet cafes and libraries have been known to contain all kinds of malware, and or crimeware.

It's probably best to be extremely careful when entering any sort of personal information on them.

Organized Crime in North America

Despite stories of organized criminal "types" becoming more and more involved in Internet crime, organized crime (itself) is a phenomenon that's been around for a long time.

The Internet is merely another "avenue" for "organized criminals" to commit their misdeeds.

I happened to read an interesting article by Joan Delaney of the Epoch Times in Canada about the Triads (Chinese Mafia), which have been operating in North America since we imported a lot of Chinese nationals in the 1850s to work the gold fields and build the railroads.

The article states:

A 2004 Criminal Intelligence Service Canada (CISC) report stated that Asian organized crime presents a major threat in Canada because of its many widespread and well-run criminal operations. CISC said Asian-based street gang violence is on the rise in several cities, and that the street gangs have connections with more sophisticated Asian organized crime groups—in other words, the Triads.

At a local level, Asian gangs are involved in a long list of criminal activities: credit card fraud, luxury car theft, prostitution, home invasions, staged vehicle accidents, contract killings, assaults, welfare and employment insurance fraud, drug trafficking, software piracy, loan-sharking, and illegal gaming. While scattered from coast to coast, Asian gangs are most active in Vancouver, Calgary, Edmonton, and Toronto, the CISC report said.

Epoch story, here.

Interestingly enough the article also cites the Triads as being tied to the Vietnamese gangs and even the Hells Angels.

Note that these "outfits," probably expanded their activities to Canada from the United States.

Going to the CISC report, which I found published on the Internet, I found a lot of interesting information about organized criminal activity in North America and even a pretty good "analysis" of potential ties to terrorist groups.

CISC report, here.

Note that the report references a lot more that Asian crime and is a pretty interesting "read" for anyone interested in the subject.

Sunday, December 10, 2006

Should We Trust Computers to be the Voice of the People?

If you were to ask Christine Jennings -- and a lot of voters in Sarasota County -- the answer is "no."

Does it make sense that 18,000 voters in Sarasota County, Florida - most of whom used a computer to vote - would go to the polls and fail to pick a candidate for the House of Representatives?

Hundreds of voters have signed affidavits attesting to the fact that when they checked to see if their votes tabulated properly - their vote for Ms. Jennings didn't record properly.

A reasonable person might deduct - the computers were flawed - and a lot of people failed to check the fifteen page ballot. Voters shouldn't have to go through a fifteen page ballot to look for programming flaws!

MIT professor, Charles Stewart, claims that the possibility of an undervote of this size occurring is 1 in 5 million.

Here is an opportunity to discover the truth behind all these allegations, which worry a lot of us. Forty percent of the voters were forced to vote on electronic machines in the last election - with no paper trail to back up the results.

With all the pre-election "buzz" in the media about the dangers of electronic voting, perhaps we all might benefit from an opportunity to discover the truth?

Some of us are getting tired of hearing that our votes didn't count and then seeing the whole matter "downplayed" (supposedly) in the best interests of the people.

Perhaps there is more at stake than one election in Florida? Maybe this is an opportunity to explore this issue (electronic voting with no paper audit trail) a little more deeply?

Maybe that's why Arnold Schwarzenegger - a Republican - mandated that California's electronic machines be backed up with a paper trail. For more information on this from verifiedvotingFoundation.org - link here.

And Senator Feinstein has introduced legislation requiring that electronic voting systems have a verifiable audit trail, here.

This isn't a matter that should be dictated by partisan politics. After all the voice of the people is what made this country great and that voice should be considered "sacred."

For an interview with Sandy Powers, a senior citizen with 25 years using a computer (courtesy of YouTube), link here. This was in response to allegations that this entire matter was the result of voters being computer illiterate.

Friday, December 08, 2006

IT Students Aren't the Only Human Resources that Internet Criminals Desire

In the past couple of days, I've seen a lot of articles about IT (Information Technology) students being taken to the dark-side (recruited) by organized crime.

Reuters is quoting a McAfee report released in the past couple of days.

Although, hiring IT students seems to be the latest story going around, recruiting people to commit Internet crime is nothing new. As the article aptly states, organized crime has the money to recruit whatever experts they need.

And IT students aren't the only ones being recruited.

Starting with the fall of the (Soviet Union) "evil empire" and the rise of Eastern European organized crime, there have been a lot of "technical experts" being used for nefarious purposes. The Reuters article mentions that the tactics being used are the same ones used by the KGB to recruit spies.

In fact many experts speculate that Eastern European crime has a lot of "highly placed" former KGB types in their ranks.

In 1997, FBI Director Louis Freeh stated before Congress:

The Russian syndicates conduct the most sophisticated criminal operations ever seen in the United States, based on their access to expertise in computer technology, encryption techniques and money-laundering facilities that process hundreds of millions of dollars.

According to Freeh, part of that expertise is said to be provided by "former KGB officers working directly with some of those organized crime groups, and that poses an additional level of threat and sophistication.
Story courtesy of Risk Assessment Services, here.

And Russian organized criminals aren't the only players out there.

Dr. Phil Williams, a visiting CERT (Computer Emergency Readiness Team) scientist wrote about this a few years ago:

In recent years, there has been a significant increase in the sophistication of organized crime and drug trafficking groups. Colombian drug trafficking organizations, for example, have followed standard business practices for market and product diversification, exploiting new markets in Western Europe and the former Soviet Union. Criminal organizations and drug traffickers have increasingly hired financial specialists to conduct their money laundering transactions. This adds an extra layer of insulation while utilizing legal and financial experts knowledgeable about financial transactions and the availability of safe havens in offshore financial jurisdictions. Similarly, organized crime does not need to develop technical expertise about the Internet. It can hire those in the hacking community who do have the expertise, ensuring through a mixture of rewards and threats that they carry out their assigned tasks effectively and efficiently.
Dr. Williams full essay, here.

Although, I'm sure IT students are being recruited -- they probably aren't the first -- or the only type of experts being hired.

And there are a lot of disorganized criminals recruiting people, also.

Here are a some previous posts, I've done on so-called "disorganized criminals," who recruit other people to do their "dirty work."

Work at Home Scams

Cyber Gangs Luring Children to Launder Money

BBB Worker Takes Job Processing Fraudulent eBay Transactions

The Hurricane Disasters are a Sad Commentary on Society

During the Katrina and Rita disasters, I blogged frequently about what appeared to massive amounts of fraud going on. Reuters is now reporting that the dollar loss has topped 1 Billion dollars, here.

From government employees to fake charities, it appears a lot of people took advantage of those less fortunate than them in their "time of need."

And not very much of the money seems to have been recovered despite well publicized efforts.

Sadly enough, the public awareness of all the fraud is also likely to make it harder for victims in future disasters. The bottom line is that people - who take advantage of others in their time of need - should suffer severe consequences.

Perhaps, a lack of consequences (common in fraud schemes) is the reason this occurred? To prevent this from happening in the future, we need to make sure there are severe consequences for those committing the fraud, as well as, those who enable it by a lack of oversight.

After all, we were in a state of emergency, when these disasters occurred.

I'm afraid the amount of fraud we've seen come out of these disasters - which affected a lot of innocent people - is a sad commentary on our society as a whole.

Let's hope we do a little better next time.

To read my previous posts on this matter, link here.

Thursday, December 07, 2006

Walmart Employee Scams Customers via Electronic Checks

Processing checks electronically is becoming a standard practice, brought about the Check 21 law, or ACH (Automated Check House) processes.

Electronic checks save businesses a lot of money in processing costs.

Walmart is one business taking advantage of electronic checks - and when a check is written to Walmart - it's scanned in their point-of-sale system - then returned to the customer. From there, everything is handled "electronically."

I read a story put out by KRTK Houston about a Walmart employee, who scammed a customer by keeping the check (supposed to be returned), then used it to purchase merchandise and gift cards numerous times.

KRTK Houston story with video presentation, here.

When the customer noticed the fraudulent transactions on her account, she reported it to the Walmart and the employee was arrested.

The story also indicates that there are other victims out there that haven't been identified yet.

According to the story, the customer isn't being made whole by her bank because she didn't discover the transaction within thirty days and Walmart isn't refunding her money, either.

When check fraud occurs, victims are normally made whole by their bank, who goes after the business by charging them back for the transaction. If a business refunds the customer for their losses, the customer might be able to have the transactions charged back to them, also.

My guess is that Walmart isn't refunding the money because the bank still might charge-back the transactions to them?

Of note, it's probably not completely fair that Walmart is the only one being mentioned in the article. There is no mention of what bank is involved. I hope Walmart and the bank have since sorted this whole thing out and taken care of the people, who were victimized as a result of this.

After all - it only makes sense to do so - processing checks electronically saves them a lot of money by not having to process paper and if more stories surface (like this one), it's likely to affect "consumer trust."

I read consumer tips all the time that we should use our credit cards versus debit cards because they offer better protection in the case of fraud.

Tom Fragala (CEO of Truston) wrote a great post about this, here.

Wednesday, December 06, 2006

Store Detective Discovers Traveling Credit Card Ring

I came across an interesting story about how a store detective at Target caught a group of traveling credit card fraudsters in Washington.

The store detective noted suspicious behavior - customers purchasing large amount of gift cards and did a little checking. When he did, he discovered that the cards being used were counterfeits.

When the merry trio was arrested at a bank down the street, police discovered maps to area retailers, a lot of counterfeit credit cards and - of course - gift cards.

After being identified, the authorites determined that the fraudsters had traveled to Washington from California.

The fraudsters claim that they were using the gift cards to buy things for themselves. Let see, they travel from California to Washington and use numerous counterfeit credit cards to obtain merchandise for themselves?

And the authorities aren't buying their story either -- they are being charged with "leading organized crime."

My guess is that they were going to find a way to convert the gift cards to cash. I recently wrote about the problems associated with gift card fraud and how they are being fenced on auctions all over the Internet:

Why Buying Gift Cards on Auction Sites isn't a Good Idea

Normally - I write from a broader perspective - but this story illustrates how we might be rubbing elbows with some fairly sophisticated "criminal types," while out doing our Christmas shopping.

Jeremy Palowski of the Olympian wrote the story, which attracted my attention to this, here.

Sunday, December 03, 2006

An Identity Theft Protection and Recovery Service Based on Trust

The new identity theft protection and recovery service by Truston is live. The service is unique because it doesn't require you to give up your personal information, which could be stored in a database, and used to commit identity theft if it falls into the wrong hands.

In case you've missed the weekly stories, databases are being compromised all the time and according to the Privacy Rights Clearinghouse (which is keeping tabs), 97,326,222 people in the United States have been compromised by data-breaches since February, 2005.

I probably need to make a disclaimer that this number might grow before I publish this post. Nonetheless, here are the ugly statistics as of this writing.

Tom Fragala, who is the CEO and a former identity theft victim himself did a great post on his blog describing the service:

myTruston is a web-based service that protects you from identity theft. It is simple and safe.

How simple? One minute sign up. And myTruston works by providing you a recipe-like format, one task at a time, for dealing with identity theft. That goes for both prevention and recovering from fraud.

Why is it safe? Because our members never send us any confidential personal information. All we need is your email address to help you. Every other prevention and recovery service requires you to give them your name, address, SSN, and even power of attorney.

What does it cost? Our prevention services will always be free! And our recovery services are free until January 2007.

We’re getting some nice kudos from people. You can see an updated list here. One example:

"Very slick. You're a genius for coming up with something so simple yet effective & helpful. I'll definitely spread the word." - Jed Tucker, myTruston member

The bottom line is that finally we have a resource where someone can protect themselves and recover (if they are victimized) without putting themselves at additional risk.

And even I had no problem "navigating" it!

Here's the previous post, I did about myTruston:

Truston - An Identity Theft Service I Trust

If you would like to check out myTruston, link here.

Saturday, December 02, 2006

Terrorism on the Internet?

SITE (The Search for International Terrorist Entities) has published an analysis of a new "how to beat Internet security" magazine sent out to password protected "jihadist forums."

SITE reports:

The first issue of what is indicated to be a periodic magazine, Technical Mujahid [Al-Mujahid al-Teqany], published by al-Fajr Information Center, was electronically distributed to password-protected jihadist forums today, Tuesday, November 28, 2006. This edition, 64-pages in length, contains articles that primarily deal with computer and Internet security, in addition to other pieces explaining Global Positioning System (GPS) satellites and video types, editing, and encoding into different formats. The editors of the publication state that it was written to heed the directives of the Emir of al-Qaeda in Iraq, Abu Hamza al-Muhajir, and his call for technical support. Material such as this, regarding anonymity on the Internet, concealing of personal files locally on a computer, and utilizing all schemes of encryption, is to serve as electronic jihad, and a virtual means of supporting the Mujahideen.

Full analysis, here.

In another story out there, CIO Today is reporting:

According to the U.S. Computer Emergency Readiness Team (US-CERT), a joint venture between the U.S. Department of Homeland Security and private industry, threats were found on an Islamist Web site calling for attacks against U.S. financial Web sites through December, until the "infidel new year."

CIO Today story, here.

According to the story, there has been no evidence of any attacks and the alert is only to caution the industry.

Nonetheless, similar activity has been seen in the recent past:

Israeli Sites Under Attack by Islamic Hackers

I wonder how many attacks never happen because of some dedicated individuals at US-CERT and SITE?

International Identity Theft Gang Tied to Bank

The Serious and Organised Crime unit, the UK's financial crimes warriors, have delivered a significant punch to an organized identity theft gang, believed to have been in operation for ten years.

The gang, which seems Eastern European in origin, operated behind the cover of a "Moscow Bank" in Great Britain and Spain. Victims have been traced throughout Europe and the United States.

Fake identities and cloned credit cards were used to purchase "electrical goods," which were later fenced on eBay. The illicit proceeds of these transactions were "laundered" via PayPal and WorldPay accounts.

The TimesOnline reported:

Police discovered bogus passports, council tax documents, electoral registration applications, and bank statements as well as employment references from both an unsuspecting firm of solicitors and a fake one that were used to create false identities.

Cloned credit cards were used to buy cameras, computers, iPods, computer games, Royal Mint coin collection sets and other goods such as Liverpool FC strips from a variety of website traders. These items were then auctioned on eBay.

Link to TimesOnline story, here.

Unfortunately, a lot of the evidence was destroyed when one of the alleged gang members (while handcuffed) hit a power switch that wiped out the information.

Because of this - the true monetary implication will probably never be able to be determined from this activity.

Of course, even if the information was recovered, it's entirely possible that there are other databases that have yet to be discovered, or never will be.

Tuesday, November 28, 2006

Technology isn't stopping Spam

Anyone noticed that spam is filling up your inbox? No, it's not your imagination, experts are saying the volume has increased up to 300 percent -- depending who you talk to.

As usual - in the technology versus technology battle - the bad guys seem to have defeated a lot of the countermeasures (spam-filters) that have been developed in recent years.

If you would like to see all the technical explanations, Network World did an excellent article with links to previous articles, here.

According to the Network World article, a certain Amichai Inbar a.k.a. John Che Blau and Jonathan Blau is behind a lot of it (operating out of Tel-Aviv).

I'm sure there are those developing additional countermeasures - which will be made available at a price - but I have a better idea. Use existing laws to take away Mr. Inbar's "ill-gotten proceeds" and put him and all his friends where they belong (prison).

Once they start taking away all the "ill-gotten proceeds," there would probably be plenty of it to fund additional legal actions!

So far as countermeasures being developed to meet this latest threat, history dictates that in a matter of time, they will be obsolete, also.

It probably wouldn't be hard to find the "spam kings," they don't seem to be hiding in caves on the Pakistani/Afghani frontier.

In fact, according to Spamhaus - the largest point of origin by far is the United States.

Perhaps, Microsoft is setting the example (after themselves being attacked for years) and taking legal action.

In my opinion, Microsoft is leading the way towards an effective resolution of this problem.

Here is an interesting site from "Ban Spam," with International contacts on where to report spam (broken down by all the different scam variations and countries).

The more spam that is reported provides valuable intelligence to those, who are taking legal action to stop it.

Monday, November 27, 2006

Tickets to the Oprah Show Smell a little Phishy

First gypsies impersonate Dr. Phil and now someone is selling tickets to the Oprah show that smell a little "phishy."

Illinois Attorney General, Lisa Madigan warned the public in a official statement:

In this case, e-mail recipients are asked to submit personal information and told they will receive tickets to The Oprah Winfrey Show after verification of certain financial information and/or the wiring of money to an unknown third party. However, according to Harpo Productions, Inc., The Oprah Winfrey Show does not sell tickets or ticket travel packages to fans. Consumers should disregard any e-mail that purportedly comes from The Oprah Winfrey Show offering show taping tickets for a fee.

No one is reporting any cases of identity theft yet, however one this is certain; wire money to anyone for Oprah tickets and you are going to lose out!

Tickets to watch a taping of the Oprah show are free!

Fraudsters and Phishermen love to have money wired to them - because once it's picked up - it belongs to them and there is nothing the sender can do about it.

Western Union has a warning about wire transfer scams, here.

Of course, the personal information harvested from this phishing attempt might be for sale in underground forums (chat-rooms). More on this, here.

Please note that "unsolicited" requests for personal and financial information via the Internet are scams, no matter how official they might seem. Fake "official looking" websites - including banking sites - are all "too" common in the "sometimes" murky waters of the Internet.

For more on this, you can read the release from Attorney General Madigan's office, here.

The press release mentions information on where to report this scam at the bottom of the release (link above).

Sunday, November 26, 2006

India Deals with the Problem of Credit/Debit Card Cloning


We read a lot of stories about credit/debit card skimming in the West, but see very few stories about it in other parts of the world.

India, which has become a giant in IT circles is now being victimized by the problem.

In May, I did a post about cloned credit/debit cards showing up in India. Since then I've had the pleasure of corresponding with a "security person," who is sharing information with me regarding the scope of the problem.

In November, in another case, there were more arrests in three Indian cities - 6 skimmers, laptops, a desktop and cards were seized.

The activity was facilitated with the collusion of waiters and shop-keepers.

According to my "source," more card-skimming has been uncovered and the Indian authorities are hot on it's trail. We can probably expect to see a few more criminals arrested in the not so distant future.

Until recently, cloned cards were normally sent in the mail from other destination points in Asia.

Recently, the news media was awash with stories of information being compromised at call centers in India. The industry and the government in India have quickly moved to enact legislation to counter this threat.

The stories got a lot of attention (probably because it happened in India), but in reality, information and data breaches are happening (with too much frequency), worldwide.

India seems to be proactive (refreshing) in taking legal measures, which are far more effective that technological countermeasures, to protect it's citizens and the industry, itself.

Of note, the recent skimming/cloning activity seems to have been introduced by British based gangs and the UK is suffering a "large" issue with this type of activity.

Video (interesting) on skimming in India from IBN, here.

Interesting and "informative" discussion about cyber-law in India by Praveen Dalal, here.

Saturday, November 25, 2006

How to Protect Yourself from the Cyber Criminals on Cyber Monday

Black Friday has come and gone and now we have Cyber Monday to look forward to. Cyber Monday was coined by the National Retail Federation because it represents one the largest e-commerce shopping days of the year.

While shoppers search the Internet for all the "deals" that will be offered, another element - the cyber criminals - will be offering "goods and services" at too good to be true prices.

If we are to believe recent statistics, the cyber-criminals will be out there in force.

According to the National Consumers League and National Cyber Security Alliance, ten percent of us could become a victim of Internet crime.

Gartner Inc. recently reported that the number of phishing attempts has nearly doubled in the past two years and the Anti-Phishing Working Group has reported similar statistics.

Phishing is a leading cause of identity theft and financial crimes, where someone receives an e-mail appearing to from be a legitimate company (normally financial institution). In the e-mail, instructions are contained to click on a link leading to a fake website, where the goals is to con someone into giving up information (personal and financial).

Auction fraud has also grown to the point that it now is the number-one complaint filed with the Internet Crime Complaint Center or IC3. Internet auctions have become a popular place to buy Christmas gifts.

And a massive bot-net of "zombie" computers designed to attack in-boxes across the world has been seen forming on the horizon to facilitate the "holiday attack." Anyone noticed how many spam e-mails are getting past your spam filters lately? The speculation is that these will be to perform phishing expeditions, and or spread other scams.

The National Consumers League and the National Cyber Alliance offer the following tips, here.

Government sources are also great places for information on how to protect yourself from cyber-criminals.

The Federal Trade Commission has a lot of great information on how to protect yourself and report suspected criminal activity, here. And not to be outdone, the FBI covers a lot of these crimes and has a place where they can be reported, here.

If you are a more "visual" type, the Federal Deposit Insurance Corporation (FDIC) has an excellent video - geared towards the average user - on how to avoid cyber-criminals, here.

While the cyber-criminals will be out there in force this holiday season - being aware helps guarantee that you will be one of the ninety percent that will "just say no" to their various schemes.

Always remember, if it's too good to be true, it probably isn't!

Are Counterfeit Documents being Mass-Produced in Nigeria?

In the past several years, we've seen all sorts of counterfeit financial instruments (money orders, cashiers checks and now American Express gift cheques) being passed in Internet scams.

A recent TimesOnline story stated:
Nigerians are forging passports and cheques on an industrial scale and that huge numbers of false documents are passing through provincial British airports.

The face value of the fraudulent financial instruments discovered in "routine checks" amounted to millions of dollars, and the documents (non-financial) are probably used in "illegal immigration.
Story, here.

The TimesOnline article also mentions that the UK is a staging ground for a lot of the stolen merchandise, which are proceeds of auction fraud.

According to the article, the activity also enables the criminals to return (easily) should they get caught:
Suspected Nigerian fraudsters, who have been deported in exchange for charges against them being dropped, are re-entering Britain using forged travel documents and resuming their activities, according to the study.

Other suspects are absconding and disappearing because, unless they are accused of crimes involving more than £50,000, they are being released on bail.

I wonder how many of them get bailed out on a stolen identity, assume another one, and go right back into business?

We seem to see story after story about what a huge problem counterfeiting has become. One of the main reasons is that technology makes it easy to do, and if anyone is caught, the consequences are minimal.

It's true that the article is about activity in the United Kingdom, but the problem isn't contained to the British Isles.

And Nigeria isn't the only place counterfeit documents are being made.

Asia has also been a reported "source" for a lot of counterfeiting. For instance, it's widely believed that North Korea has been flooding the world with "supernotes" (counterfeit $100 bills) that are almost impossible to tell from the real thing. Wikipedia article, here.

If you read through the article, it tells of ties to terrorist organizations and organized crime syndicates.

Nigeria might be a source of counterfeit documents, but they aren't the only one. The United States also is known to have a lot of counterfeit documents being produced, also.

If they didn't, it would be hard for the 14 to 20 million illegal immigrants to find jobs.

Swapmeetdave.com has an interesting page has an interesting page (with pictures) of a lot of the counterfeit items (from Nigeria), here.

Thursday, November 23, 2006

Consumers Union Calls for Credit Card Reforms on the Eve of Black Friday


Recently, I blogged about "Credit Card Gotchas" after being inspired by a e-mail I received from the Consumers Union.

I got another one that makes a lot of sense, which is to think carefully before spending money you don't have this weekend. Since tomorrow is "Black Friday," the biggest shopping day of the year, the timing is appropriate.

In their own words (or maybe I should say the words of the consumer):

Just as the holiday season gets ready to kick into high gear, Consumers Union is warning shoppers about the increasing number of credit card traps that can trip up consumers and lead to spiraling debt. To help get out the message and mobilize support for reform, the group is releasing "It's Always Christmas Time (For Visa)," an animated satire that takes aim at abusive credit card fees and practices.

"You can find yourself buried in debt if you aren't careful to avoid the credit card gotchas," said Michelle Jun, Staff Attorney for Consumers Union. "Too many credit cards are designed to get you in debt and keep you there."

“It’s Always Christmas Time (For VISA)” is a lighthearted take on the unexpected fees, interest rate hikes, and misleading contracts that are contributing to high credit card debt in the U.S.

After viewing the animation, viewers can send an email to Congress asking lawmakers to support credit card reforms. To view the animation, click on www.CreditCardReform.org.

Consumers enjoy few protections when it comes to credit cards and there are an increasing number of ways they can be penalized with fees or get stuck with higher interest rates:

Universal default: Your interest rate can skyrocket if your credit score declines because of your behavior with other creditors even if you always pay your credit card on time and never miss a payment. Some card issuers will raise your rate if you inquire about a car loan or open a new credit card.

Change of terms: Credit card terms keep changing. Read the fine print and chances are you’ll find this disclosure: “We reserve the right to change the terms (including the APRs) at any time for any reason.” A fixed rate is fixed until the bank gives you at least 15 days notice that it isn’t. If you want to keep your account open, you’ll pay the higher new rate on your existing balance.

Teaser rates: That low rate you signed up for expires suddenly and you end up paying more. A temptingly low introductory rate can climb to 30 percent or more. - more -Minimim payment: If you pay the minimum payment every month, you’ll end up paying a lot more than what you charged and you could be on the hook for a very long time.

On time payment: Card issuers are systematically mailing statements closer to the due date, giving customers less turnaround time. You can be hit with a late fee even if the payment is mailed on time. The average fee for a late payment has more than doubled in the past decade.

Double cycle billing: Finance charges are usually calculated using the average daily balance. If you alternate between paying off and carrying a balance, you’ll end up paying more interest.

Cash advance/convenience checks: The interest rates on these are higher than your credit card.

Penalty interest and fees: Late payments can raise your interest from 7% to 27%! Rather than rejecting charges that exceed your credit card limit, issuers today often let them go through but then charge a hefty fee -- as high as $39.

Fees, fees, and more fees: As if the penalties weren’t enough, you pay more fees for paying by phone or charging abroad. You may have to pay a fee to receive what used to be free year-end summary statements.

Balance transfer switcheroo: Transferring a balance from an account with a high APR to another one with a lower interest rate could come at a high cost. Any payments you make are typically applied first to the lowest rate balance. So while the credit card company uses your payment to quickly pay off that 0 percent transfer balance, you are piling up interest on purchases, at say, 18 percent. Multiple balance transfers will hurt your credit score.

Full article from Consumers Union, here.

I write about fraud from a victim's perspective, and I've often lamented on why it seems insane to keep writing-off not only monetary losses (passed on to everyone), but "seemingly," the millions of victims created by the not very secure handling of people's personal information.

People need to learn to be responsible when using credit - but that's hard to do - when credit card companies issue (too) large lines of credit to new customers and even send pre-approved offers to family pets (this actually happened at my house). My daughter had been using the dog's name when registering on certain websites.

It's not hard to see why so many are up to their necks in debt before they realize what happened, or why there is so much credit-card fraud. It all boils down to too much bad debt that eventually has to be compensated for.

I recently blogged about how sending mass-mailings of pre-approved credit card offers is dangerous to the recipient's financial health. There seems to be a trend of making it too easy to get credit and not paying enough attention to the consequences of doing so.

Perhaps, what is needed is a new era of responsibility? Bad debt is an expense on any financial statement and the quest to keep expanding customer bases has led to an environment of "robbing Peter to pay Paul." Since the issuers would go out of business if they weren't profitable, revenue streams are added to cover it, and "more."

And guess who ends up paying for it?

In my opinion - should we fail to address the problem soon - the bottom is likely to "fall out" sometime in the future and that isn't going to be a "good thing" for the credit-card- issuers, or their customers.

buySAFE Survey Reveals Customer's Fears about e-Commerce

Rob Caskey - who is buySAFE's marketing guru - sent me this interesting survey they conducted. What's interesting about the survey is that takes the fear of Internet fraud beyond bogus financial instruments and identity theft to a more basic level.

The survey reveals that the average person fears they won't get the product received, or get something other than what was represented. And if you consider all the variations of auction fraud on the Internet, this is what normally happens to the average customer when they are defrauded.

And - after all - when we go shopping the goal is to have a pleasant experience and get something we want. We don't want to have to constantly worry about getting ripped-off.

Here is what the press release from Market Wire had to say:

On the brink of Black Friday – the biggest shopping day of the year - identity theft and credit card fraud are not the only issues causing consumers to abandon their online shopping carts this holiday season. A recent survey by online trust and safety company buySAFE, Inc. (www.buysafe.com) and online market research service Insight Express revealed that respondents are almost equally concerned with the possibility of non-delivery or receiving something different than promised. These concerns – along with concerns about the trustworthiness of the retailer, quality of merchandise, and shipping costs -- are amplified when shoppers are considering buying from smaller, independent online retailers.

Detailed survey results, here.

There is no doubt that there are a lot of hard-working and "honest" sellers on the Internet, who have been hurt by all fraud that takes place on auction sites. In fact, according to the experts, auction-fraud seems to be the number-one complaint these days.

From legitimate accounts being taken over by phishing (eBay and PayPal are the two most targeted brands) to a wide-array of counterfeit and stolen goods being sold, consumers face the real fear of getting ripped-off when buying an item.

I had a conversation with another person who writes about fraud on the Internet recently, and we both agreed that the average Internet customer almost needs to become a "fraud expert" to ensure they aren't going to be "taken advantage of."

buySAFE has created it's own "niche" in the market by ensuring a seller is legitimate and giving their customers the "peace of mind" that they are dealing with a legitimate and "trusted" retailer.

Although the service isn't free to sellers (customers don't pay anything), it protects the average person from all the fraud we hear read about in the e-commerce world. So far as the honest sellers - who have been damaged by Internet fraud (consumer confidence) - it lets everyone know they are a "trusted source."

For the smaller seller and the person out there in search of a "good deal," the service allows them to focus on their primary goals (selling and shopping) and it leaves the "worrying" to someone else, (buySAFE).

buySAFE has a couple of bloggers on their team (who I've had the opportunity to correspond with) and I've found more than one interesting insight about e-commerce when reading them.

Jeff Grass, buySAFE CEO's blog, here.

Steve Woda, buySAFE founder and Chairman's blog, here.

Here is more about buySAFE, courtesy of the Market Wire release:

buySAFE, Inc. is the leading trust and safety company for e-commerce transactions. buySAFE qualifies merchants, identifies reputable online businesses with the buySAFE Seal, and uses surety bonds to provide broad protection for individual buyers from online transaction risks. The buySAFE bond is backed by Liberty Mutual, Travelers, and ACE USA for up to $25,000, and boosts consumer confidence for lesser-known online retailers, allowing them to compete with the big, established brands. buySAFE has issued more than 9.5 million surety bonds on individual online purchases. There are currently more than two million items bonded with buySAFE that can be found at www.buysafeshopping.com. buySAFE is headquartered in Arlington, Virginia. More information can be found at http://www.buysafe.com/.

Monday, November 20, 2006

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

Whether by hacking databases, or placing skimming devices on point-of-sale systems, debit/credit card fraud is raising it's ugly head, worldwide.

After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.

Jaikumar Vijayan writes:


Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.


Jaikumar's story, here.

Jaikumar's story states that Wesco, a retailer, is suspected as being the point-of-compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.

Office Max was the suspected point-of-compromise in another case last fall and to the best of my knowledge - they never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected as being points-of-compromise in breaches, where large amounts of credit/debit card information were compromised.

Why are hackers targeting retailers? The answer might be that large amounts of account information - including PINs (personal-identification-numbers) - are being maintained in databases, which are poorly protected and therefore easily compromised (hacked).

In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):


It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.

Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.

The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.


The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.

Perhaps the problem is that Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minumum, shouldn't these companies be prevented from doing electronic payments by the industry?

Even if a lot of the losses are being written-off, they are normally passed on to everyone in the form of increased fees, interest rates, or in the case of retailers - higher prices. Despite this, there are also people that are denied compensation, especially if they fail to be timely in filing a claim; or a PIN was used and they can't tie it into a known breach.

With the amount of data-breaches, it's often difficult to figure out where any particular person's information was stolen from.

If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?

Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.

I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.

ATM Skimming Case Travels to 19 Countries on 5 Continents

Skimming device (courtesy of the "ATM Pool" at Flickr)


Police in the United Kingdom are calling an ATM skimming case, one of the biggest of it's kind. ATM skimming is where a debit-card's magnetic stripe is counterfeited (cloned) and the PIN (personal identification number) is compromised - normally with a hidden camera.

Official's estimate the fraud has already netted about $4.5 million and the counterfeit cards have been used in 19 countries and five continents.

According to the story published in the SundayMirror.co.uk:

The scam was uncovered after police launched an investigation - codenamed Operation Turner - after receiving 560 complaints. Detective Sergeant Dick Bollard, who is leading the probe, said: "This is one of the biggest scams of its kind. It's a very large and complex investigation which is expected to take a considerable amount of time.

"The investigation is ongoing and we are looking into a number of leads in the UK and abroad." A spokesman for trade organisation APACS, which helps banks fight fraud, said: "These scams have involved copying a card's magnetic strip and in cases filming a driver keying in a PIN number by using some sort of hidden camera.

SundayMirror.co.uk story, here.

Two suspected dishonest employees at BP gas stations (where the devices were planted) have been arrested. One of them might be an illegal immigrant, also.

If the cards have been used in 19 countries so far, it's safe to assume that the people behind this are pretty organized. Although no one ever knows for sure, there might be Internet chatrooms (forums) - where Internet fraudsters gather to barter and sell stolen information spreading the activity.

The UK has had a lot of this skimming lately and I did a recent post about it where Romanian Illegal Immigrants were to blame.

And the UK isn't the only place that is having problems with debit-card skimming at gas stations. A similar case happened at Arco stations in California and there have been many other instances, worldwide.

BP owns Arco in the United States.

Although a lot of skimming is attributed to devices being placed on (self service) point-of-sale terminals and ATM machines, there has been recent evidence cards are also being cloned after databases have been hacked at retailers.

Some who investigate this believe that the people behind this intentionally hold on to the stolen information before using it to frustrate investigative efforts that would discover their techniques, or operations. In some recent cases, the authorities could only speculate, which of the known breaches, an individual person's information was stolen in.

Skimming can also be accomplished by retail, or restaurant employees using portable "encoding devices." Unfortunately, most of the technology used is legal and can even be bought on eBay.

It pays to keep an eye on your card to make sure it isn't being swiped more than once.

There's probably not much an individual person can do when entire databases are compromised, but an individual can shield their PIN when using their debit card (strongly recommended).

At least if they don't have your PIN, they can't get cash; however they might still be able to use the card number for signature based, or e-commerce transactions. Note that credit-cards are cloned for the same purpose.

Last, but not least - debit cards don't offer the same protection as credit cards do. If you expect to recover your money, the allowed time frame to file a claim is a lot less than with a credit card.
It's a good idea to watch your statement carefully.

If you would like a more visual demonstration of how skimming occurs, Visa has a pretty telling page (portable devices), here.

Flickr has a link to a public group pictures of ATM machines, including skimming devices, here.

There are a lot of eyes out there (customers and employees) that might spot a suspicious device - if you do - never touch it and make sure you report it to law enforcement (immediately). Since the activity normally occurs in public (retail) spaces, an educated individual could very well make the difference in cracking one of these cases. Remember that anyone near the device - no matter how official they look - might be involved, themselves.