Saturday, February 18, 2006

eBay's Fraud Hall of Shame

eBay's revenue continues to grow AND despite a growing number of victims, they seem to blame everyone but themselves. I recently wrote a post: How Much Fraud Can eBay's Customers Endure? There are some pretty good descriptions (with references) in this post about all of the various forms of fraud found on eBay.

Fraudulent forms of payment, Advance fee fraud (419) scams, phishing and account takeovers are common. Counterfeit merchandise and misleading ads abound on the site and by the time there is any response by eBay, the damage is often done.

As for misleading ads, here is a post I did during the Christmas season: XBox Latest Lure in Auction Scams. People were tricked into buying the box rather than its contents by ads that were written in a deceptive manner.

Yahoo's Group, eBayFraud, is trying to do something about it. In their own words, here is what they are working towards accomplishing:

"This Group is designed to share information regarding fraud on eBay, including law enforcement, legal proceedings, reimbursement and fraud prevention. Members are welcome to post links, files, databases and messages that are relevant to this topic. You can also use the chat function for more direct communication."

I was recently contacted by them and asked to help publicize their efforts.

Here, from the site, is a compilation of articles about the fraud problem on eBay. Essentially, this is eBay's Fraud Hall of Shame:

Department of Homeland Security and NCSA 2006 Emerging Internet Threat List
2/17/06

This tidbit is from www.staysafeonline.org:

http://www.staysafeonline.info/basics/2006threatlist.html

Authorities unable to track most money lost to alleged eBay scam

On 2/9/06, Chris W. Colby of www.naplesnews.com wrote this:

Authorities are unable to track lost money to alleged eBay scam

Seeing Fakes, Angry Traders Confront Ebay

On 1/29/06, Katie Hafner of www.nytimes.com wrote:

http://www.nytimes.com/2006/01/29/technology/29ebay.html

Warrants for Arrest Issued in eBay Scam Case

On 1/26/06, a press release from www.colliersheriff.org stated:

http://www.colliersheriff.org/news/today/todaydetails.asp?nkey=914

2005 Fraud Trends: Consumers Being Hounded by Internet and Telemarketing Scams

On 1/19/06, NCL News wrote:

http://nclnet.org/news/2006/2005_fraud_trends_01192006.htm

2005 Fraud Trends: Official Report

http://www.fraud.org/2005_fraud_trend_report.pdf

Consumers Question eBay's Security

On 12/20/05, Martin H. Bosworth of www.consumeraffairs.com wrote:

http://www.consumeraffairs.com/news04/2005/ebay_fraud.html

eBay Admits Growing Fraud Problems

On 12/16/05, Geoff Duncan of Designtechnica News wrote:

http://news.designtechnica.com/article9083.html

SAN ANTONIO MAN CONVICTED OF EBAY SCAM

On 3/3/05, John Yembrick of the United States Attorney General for the Southern District of Texas wrote:

http://www.usdoj.gov/usao/txs/releases/March2005/050303-Schoffner.htm

Online auction scams soar, Complaints nearly double

On 2/2/05, Carolyn Said, Chronicle Staff Writer (www.SFGate.com) wrote:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/02/02/COMPLAINTS.TMP

AND these are but stories from the past year or so.

Here is another telling statistic, which reveals eBay's refusal to face up to reality. When reporting the top ten scams of the year, the National Consumers League noted:

"In the fall of 2003, online giant eBay removed the link from its site, http://www.fraud.org. As a result, the number of auction complaints reported dropped to 1/6 its previous level. Based on statistics prior to eBay's action, NCL estimates that there would have been 30,720 auction complaints in 2005, representing 71 percent of complaints."

Should eBay continue to IGNORE this problem AND fail to get in front of it, the number of victims will continue to grow.

Is Asia Becoming a Greater Target for Fraud

I've often commented about the borderless nature of crime on the internet. On the internet, crime is as far away as a click of the mouse. With the rapid growth of technology, internet crime is also spreading and creating a pool of victims in Asia.

In fact, Bangalore is becoming a center for "Information Services." Here is an earlier post I did about that and its fraud implications:

What are the Security Implications of Outsourcing

Here is evidence that one international corporate entity (Visa International) recognizes this and is taking action.

The Edge Daily is reporting:

Visa Asia Pacific has uncovered and shut down 20 spoof websites to prevent cardholders from succumbing to online data theft. Here is the story regarding Visa's Asian adventure:

Visa shuts down 20 spoof, phishing websites

Here is another story regarding the same issue, but more of a warning:

Visa Remind Cardholders To Ignore E-mail Scams

Both of the articles suggest a resource for reporting phishing that is new, to me at least:

phishing@visa.com

There are many who fear the implications of internet crime in Asia. I fear it not only in Asia, but everywhere in the world. The key is protecting each other through awareness AND realizing "It's a Small World After All."

Friday, February 17, 2006

Who Really Profited in the Hurricane Disasters

In reference to this week's news about mismanagement in the Katrina disaster, the Washington Post is saying:

"The Senate as well as the White House should conclude from this story that FEMA "reform" cannot amount to mere organizational change or undue attention to the overworked question of whether the agency belongs inside DHS. The agency needs some much simpler changes, too: It could start, for example, by learning who made these terrible decisions and relieving them of their duties immediately."

Apparently, along with the rampant fraud that was going on, FEMA spent 900 million on modular homes, which by their own regulations aren't permissible for use in the area they bought them for. These homes will now be sold for pennies on the dollar and many of them have warped from sinking into the mud.

Here is the editorial from the Washington Post:

Waste, Fraud and Abuse

I did a post on the fraud in Katrina, where I stated: No Wonder We are Facing a Budget Crisis.

In this post, I estimated fraud could have been 691 million. This was based on figures cited in an article I read.

Perhaps someone should be taking a closer look at this... specifically to see who profited from it?

Thursday, February 16, 2006

Internet Crime Predictions for 2006

2005 saw internet crime becoming more and more prevalent. Here is a press release from the National Cyber Security Alliance and the Department of Homeland Security predicting what is in store for us in 2006:

According to the 2006 Department of Homeland Security and NCSA Emerging Internet Threat List (http://www.staysafeonline.info/basics/2006threatlist.html) viruses continue to pose a threat to consumers, as malicious codes become more sophisticated and targeted towards popular activities, such as Instant Messenger and text messaging. Wireless devices, such as PDAs and cell phones are also becoming increasingly more vulnerable to hackers and viruses. Phishing continues to be an ongoing threat to consumers as they become more prevalent and sophisticated in obtaining consumers’ personal and financial information. Five online preparedness best practices are also highlighted to offer consumers the necessary tips on how to take action against cyber thieves and avoid becoming victim to Internet crime this year.


Emerging Threats for 2006:

Hackers use Instant Messaging to spread viruses and worms.

Phishing fraud becomes more prevalent and sophisticated.

Viruses attack cell phones and PDAs.

Hackers target online brokerage accounts.

Online Preparedness Practices:

Practice the core three protections – install, configure, regularly update.

Do not open unexpected emails.

Do not download attachments in unsolicited emails.

Take precautions to protect your mobile devices.

Here is a link to their Stay Safe Online site, which has a lot of relevant information on how to protect yourself from these threats.

The Anti-Phishing Working Group (APWG) just released their December Phishing Activity Trends Report, which shows an increase in activity. They reported an increase from 4,630 sites distributing crimeware in November to 7,197 in December.

Here is the definition of crimeware from Wikipedia:

"Crimeware (as distinct from spyware, adware, and malware) is designed to (through social engineering or technical stealth) perpetrate identity theft to access a computer user's online accounts at financial services companies and online retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware."

"Crimeware can surreptitiously install keystroke loggers to collect sensitive data—login and password information for online bank accounts, for example—and report them back to the thief. A crimeware program can also redirect a user's browser to a counterfeit website controlled by the thief even when the user types the website's proper domain name in the address bar. Furthermore, crimeware can wait for the user to log into their account at a financial institution, then drain the account behind the scenes."

Knowledge and awareness are the best defenses against internet crime. Unfortunately (all too often), internet crime goes unreported. A good place to report internet criminal activity is the Internet Crime Complaint Center (FBI).

Reporting it provides valuable intelligence (real time) to the cyber crime warriors, who are out there protecting US!


Wednesday, February 15, 2006

Office Max Denies Being Hacked in Debit Card Breach

Last week, I got a rather unfortunate letter from my bank. It informed me that they suspected fraud on my debit card, which turned out to be true.

After a little research of the available media coverage and my own shopping habits, it seemed to me that I could reasonably deduce where this all started.

Last weekend, I had a feeling that Office Max was going to be discovered as the point of compromise and did this post: Is Office Max the Point of Compromise in the Debit Card Theft Case.

On Monday, David Lazarus of the San Francisco Chronicle reported Office Max as being the point of compromise. The Chronicle and David Lazarus have been instrumental in breaking this story despite all the "no comments" from the financial industry.

Here is the story from the Chronicle naming Office Max:

OfficeMax at center of major data-security breach with debit cards

The saga continues and Channel 5 of the San Francisco Bay area is now reporting:

"As OfficeMax denies that its computer systems were hacked and that customers' financial information was stolen, investigators are looking into the possibility that the same kinds of cyber thieves may have struck again at Sam's Club."

"But the FBI confirms it is investigating the possible theft of OfficeMax customer data that led to several major banks canceling thousands of debit cards."

On an even more ominous note, Channel 5 reported:

"The FBI fears the stolen money is going to international organized crime rings, or even funding terrorist organizations."

For the full story from CBS 5:

Sam's Club Customers' Credit Card Info Exposed

California State Sen. Jackie Speier, D-Hillsborough, has already expressed concern that California's strict disclosure laws might have been violated AND now the Financial Times is reporting:

"Barney Frank, the senior Democrat on the house financial services committee, said on Wednesday he would consider legislation to require credit card companies to name the party responsible for consumer data breaches."

Here is the story from the Financial Times:

Credit card handling lapses spur regulatory effort

It's been established and reported that Visa and Mastercard admitted to knowing that the breach occurred at a retailer, but wouldn't identify which one. This led to a lot of speculation in the press that Sam's Club (another recent breach) was the source.

Of course, based on my personal experience, I know I have never bought anything at Sam's Club.

The most recent reports are saying that the FBI is investigating to see if a tie between the two cases exists. This makes more sense to me. When I was following this story, I noticed that the recent breach seemed to be Northern California specific, while the Sam's Club case has proven to cover different geographic areas.

This isn't to say that there isn't a tie. With all the data breaches in the past couple of years, it seems to me that highly organized gangs are maliciously attacking corporations to steal information.

It's going to be interesting to see how the legal part of this comes out.

Here is a pretty good explanation of California laws by the Privacy Rights Clearinghouse:

California Identity Theft Laws

In addition to this, there has also been a civil lawsuit filed for the California victims of the Cardsystems (Mastercard) breach. The lawsuit alleges that consumers were not notified in a timely manner.

Here is an article from CNet regarding this:

Lawsuit seeks disclosure in credit card heist CNET News.com

Other notable "data breaches" in the recent past have been the Boston Globe, Choice Point, Wachovia Corporation, Bank of America, Time Warner and even educational institutions, such as Boston College and the University of California, Berkeley.

Office Max has the right to deny they are the source, but unless Channel 5 is mistaken, the FBI is on the case and they are looking at them.

I'm sure no one at these corporations or institutions wished for the breach to occur. The question is whether or not keeping everything secret serves the public interest. When this story broke, it was because Bank of America got in front of it and addressed it. As a result, they probably took the initial heat, but as history is written, it might show they did the right thing. It's now very obvious that they were not the only financial institution or retailer that had reason to suspect their customers might be in harm's way.

This is going to get VERY INTERESTING!

Tuesday, February 14, 2006

PayPal Customers Under Constant Attack by Phishing Fraudsters

In the past couple of months my Spam Filter has been filling up with fake e-mail from PayPal. In the month of February, I have received 24 of them so far. Others I also seem to be receiving a lot of are "Microsoft" security updates and "Wells Fargo On Line."

Granted, I am only a humble user of the WWW, but if I am receiving this many attempts, perhaps it is a concern.

The intention of all this e-mail is to commit phishing, where someone is duped into giving up personal AND/OR financial information. This information is then used in the crime known as identity theft.

In addition to this, malware (malicious software) is often injected onto a system when these "spoofed sites" are visited.

Here is a link from PayPal, which describes the activity relevant to PayPal and its sister company, eBay: PayPal - Protect Yourself from Fraudulent Emails.

The Anti-Phishing Working Group (APWG) is a known authority on Phishing. Besides being a wealth of information, they offer some relevant information for consumers:

How to Avoid Phishing Scams

What To Do If You've Given Out Your Personal Financial Information

Phishing is becoming a huge problem and can cause severe financial hardship. PayPal and eBay are certainly not the only organizations that are spoofed. In fact, any site dealing with people's financial information is a potential target.

With computers and internet access becoming cheaper all the time, the number of potential victims is growing daily. Knowledge and awareness are key to defeating internet crime. You can do your part by learning and then sharing this awareness with those you care about.

Sunday, February 12, 2006

No Wonder We are Facing a Budget Crisis

No wonder our government is facing a budget crisis. Programs designed to help those in need seem to be suffering from rampant fraud.

Eric Lipton of the New York Times is reporting:

"Thousands of applicants for federal emergency relief money after Hurricanes Katrina and Rita used duplicate or invalid Social Security numbers or bogus addresses, suggesting that the $2.3 billion program was a victim of extensive fraud, a Congressional auditor will report Monday."

According to FEMA, one third of the applications had information that wasn't correct. This is probably a pretty good indicator of fraud.

Hmmm... a 2.3 billion dollar program AND one third of the applications had information that wasn't correct; this translates to a potential 691 million in fraud. Of course, this is only an approximate figure.

AND this doesn't include all the charity organizations that were probably fraud victims, also. Of course, the sad truth is that fraudsters were posing as charity organizations, also.

Here is the story from the New York Times:

Auditors Find Huge Fraud in FEMA Aid

None of this should be surprising; there were a lot of reports of fraud (all across the country) in the wake of the hurricane disasters this year.

Here are some of the posts I did at the time:

Katrina Fraud Status

Fraud Relating to Katrina in Full Swing

Katrina Fraud Far and Wide

Here is a more recent one I did on a different subject, but it is indicative that our social programs are suffering from rampant fraud:

Back to Work Programs a Fraud Heaven for Scammers

If a third of the FEMA dollars and 40-50 percent of Childcare dollars in California are being paid out to fraudulent claims, it is no wonder the government is having financial difficulties.

The only solution to this mess is GREATER ACCOUNTABILITY by those administering these programs. On the other end of the spectrum, laws need to be enacted to severely punish greedy people who take advantage of disaster situations AND prosecution efforts need to meet a standard that makes the activity dangerous.

The sad thing is that WE all are victims of this activity because it's our tax dollars paying for it. Americans are some of the most giving people in the world, but we need to be giving to the needy instead of supporting the greedy.