Saturday, August 12, 2006

Trust and Risk in the Workplace

Dr. Monica Whitty of Queen's University in Northern Ireland (Belfast) is conducting a formal study on "Trust and Risk in the Workplace."

In Dr. Whitty's own words, here is why she is conducting this study:

"A number of surveys have been run on internet usage, yet researchers still know little about how individuals use their work computers. The purpose of this study is to ascertain how individuals in different countries use their work computers and/or laptop computers. It also asks how they protect their work computers and/or laptops from security risks."

There have been a lot of "compromises" that have occurred because of "not very safe" computer practices in the workplace, so this survey might reveal some interesting insights.

Furthermore, a lot of people/organizations have been "victimized" because they didn't have the necessary computer protection (which might change daily), or they simply didn't follow some of the "safety rules" that are now a "necessity" when navigating the murky waters of the Internet.

The survey is open to the citizens of the United Kingdom, United States, Australia, the Netherlands and Singapore who use a laptop or desktop at work.

If you are interested in taking the survey, link here.

Dr. Whitty's personal page and biography can be found here.

Friday, August 11, 2006

If You Receive a Qchex (Check), Extreme Caution is Recommended

Qchex is a company that makes checks for their customers and returns them via e-mail. They even offer a free check printer (with a $100.00 purchase) on their site guaranteed to be "100 percent Bank-compliant."

Also, in their efforts to make the checks "look good," they provide magnetic ink and the latest in check paper.

I wrote a couple of posts about how this was being leveraged by Internet fraudsters in all their favorite scams, and the FDIC issued a nationwide alert on the Qchex issue.

Fraudulent Qchex (checks) seemed to disappear for a while, but readers and knowledgeable sources are saying they are seeing them reappear in all the favorite Internet scams.

If you read the security disclaimer at Qchex - after sifting through all the protections most Internet fraudsters easily defeat - they state (in bold letters), "Qchex does not endorse or guarantee transactions undertaken by its members."

Kind of scary that Qchex doesn't even trust the people using their services. To me, this means that a prudent soul shouldn't give them their complete trust either.

Anyone who negotiates a fraudulent Qchex item (no matter how innocently) will be held responsible (victimized). A lot of people have already learned this the "hard way."

There are two places Qchex fraud should be reported to:

The first is the Federal Deposit Insurance Corporation (FDIC),

And the second is the Federal Trade Commission (FTC), link here.

I did a previous post - which has a lot of the same information - but (if you're interested) there are some pretty telling comments by some of the victims. Link, here.

The Privacy Rights Clearinghouse wrote a "telling" article about Qchex, here.

Department of Transportation Joins the Lost Laptop "Hall of Shame"

Here we go again - it's amazing that with about 91 million Americans compromised - we still have laptops containing people's personal information available for the taking.

There were several stories of this, but I found the one from the "Department of Homeland Stupidity" the most appropriate:

A U.S. Department of Transportation laptop containing names, birthdates, addresses and Social Security numbers of about 133,000 Florida driver license, commercial driver license and pilot’s license holders was stolen from an employee’s car, the department said Wednesday.

The theft occurred on July 27, but Acting Inspector General Todd Zinser said he was not aware that it had contained personal information until last weekend.

The password-protected laptop contains personal information for approximately 42,792 Florida pilots, approximately 80,667 Miami-Dade County CDL holders, and approximately 9,005 individuals who obtained their personal driver’s licenses and approximately 491 drivers who obtained their CDLs from the Largo licensing examining facility near Tampa.

Link, here.

Here is a previous post I did on the most recent desktop taken from a VA contractor that contained personal information:

Another Computer with VA Data has Gone Missing

This was announced shortly after the arrest of two teenagers who stole a laptop containing 26.5 million veterans' private information.

Advertise for a Roommate and Get Scammed

I was reading about this "overpayment scam," which is targeting roommate ads. I've had readers send me questions about similar "scam attempts" about an apartment they were renting.

The scam works this way: someone answers the ad you placed for a roommate or apartment. They will normally be visiting from a foreign country and offer terms that are extremely attractive, a.k.a. "too good to be true."

They then send you a large amount of money -- normally in the form of a counterfeit cashier's check -- which will be more than the amount of the lucrative offer, and ask you to wire the difference back to them. Please note, they might use all sorts of bogus financial instruments, such as counterfeit money orders.

If you fall for it and wire the money back via Western Union or MoneyGram, your bank comes after you shortly thereafter for depositing a counterfeit financial instrument.

Because current laws dictate how long a check can be held, banks often issue the funds -- and have even been known to tell their customer the check is good -- then give their customer the bad news later.

Here is a recent post I wrote about that:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

For the article from the Tucson Citizen that inspired me to write this post, link here.

Thursday, August 10, 2006

Keeping kids safe on the Internet

Young people are frequently Internet victims. Here is an extremely good article by Ryan Holeywell of Gannett News Service about how "young people" can protect themselves.

From the article:

The Federal Trade Commission reports that in 2005 Americans ages 18 to 24 made more than 69,000 identity theft complaints — more than any other age group. Here are 10 ways students can prevent identity theft and the headaches that come with it.

1. Watch what you blog. Millions of young people keep online diaries that are usually available to anyone surfing the Web. Safe blogging means not posting any personally identifiable information other than your first name, says Linda Foley, co-executive director of the Identity Theft Resource Center in San Diego. "There's nothing wrong with blogging," Foley says. "Blogging can be fun — as long as you do it safely."

2. Don't get caught in a phishing net. Phishers try to steal your personal information by misdirecting you to a counterfeit Web page that looks identical to one you might use to pay a credit card bill or check your cellphone minutes. On this page, they ask you to type in personal information, such as your Social Security number and harvest this information. Doug Jacobson, an associate professor of computer and electrical engineering at Iowa State University, says an easy way to spot phishing is by hovering the cursor over a hyperlink while looking at the bottom of the browser. If the URL displayed seems very long, it's probably a fraud. "Think of the computer as your phone," Jacobson said. "If someone called you out of the blue on the phone and asked for your Social Security number, you wouldn't do it."

For the full article and additional tips, link here.

Of note, vishing attacks (using the telephone to steal information) are on the rise. I'm not sure I completely agree with Mr. Jacobson on this one.

Young people (too often) are the targets of more serious crimes involving their personal safety.

Here is ANOTHER resource that teaches the young (and us older folks) how to be safe in the cyberworld:


Tuesday, August 08, 2006

The Art of Defeating a PayPal Scammer - Part II

Saw this one on Digg:

"Among the files actually hosted by the scammer is this image. It is only 3k, but imagine the impact it could have if we all worked together? If you have Flash installed you automatically attempt to download that image once per second. The more users idle on this page, the greater the likelihood that this scammer's tool will be brought offline."

Note you have to scroll down to see all the screen shots.

The Art of Defeating a PayPal Scammer

There are a lot of scam baiting sites out there. Just visiting these sites can lead to crimeware being installed on a system. It can be even more dangerous if personal contact is made with one of the scammers. In fact, many of the "scam baiting sites" specifically warn newcomers about this.

A Google search reveals how popular this "scam baiting" has become. Link, here.

While scam baiting might seem fun, it has little impact on the scammers. Most of the fake sites simply move on to another location. Moving (frequently) is part of their standard method of operation to confuse investigative efforts.

What will have a more (lasting) impact is getting the information to places that have the resources to put a few of them in "jail." There are a lot of places you can do this.

Here is where you can report phishing (as described in the Digg article).

PIRT Phishing Incident Reporting and Termination Squad

They make sure it gets to all the appropriate people.

Here is another collection of places to report Internet scams:

Report Fraud to the FTC
Internet Crime Complaint Center (FBI)
Internet Fraud (U.S. Department of Justice)
Report Internet Securities Fraud (SEC)
Serious Fraud Office-UK

The 419 Coalition Website has a lot of information on where to report Internet scams, worldwide.

Too many people ignore the scams they see on the Internet. And innocent people do fall for them. If everyone took the time to report scams, we would see a lot less fraud on the Internet.

Monday, August 07, 2006

Another Computer with VA Data has Gone Missing

Two days after two teenagers were arrested for the stolen computer that contained the personal information of 26.5 million veterans - the VA is reporting that another computer has "gone missing." This time the impact is smaller - it only contained the information of 38,000 veterans.

Unisys, the VA contractor that lost the computer, claims it didn't have any financial information - but if you read into it a little deeper - they state:

"In the latest case, Unisys told the VA on Aug. 3 that the computer was missing from the company's offices in Reston, Va., the VA said. The VA and Unisys said the data may include names, addresses, Social Security numbers and dates of birth."

My analysis of this is that there were no credit card numbers, or bank accounts - but generally everything else an I.D. thief needs to go out and create a lot of "financial information."

Gotta love some of these "press releases."

For the Reuters story - courtesy of CNet, link here.

Here is a post I did reflecting my thoughts on the last VA computer that went missing:

The VA Data Breach is a Symptom of a Bigger Problem

I close this post with that thought.

Sunday, August 06, 2006

Botnets used to Scam eBay Users

With all the talk about the DefCon (Black Hat) conference in Vegas, this story seems to have gone by the wayside.

Botnets are used by organized criminals - who employ hackers (the malicious sort) - to commit crime on the Internet. Now they are being used on eBay to create phony customer feedback scores and commit auction fraud.

Botnets consist of computer systems that have been taken over after malware is downloaded. The systems are then turned into "zombies" and can be controlled remotely. The "zombie computers" are then used by the people controlling them to commit all kinds of mischief (the illegal type).

Gregg Keizer, TechWeb Technology News reports:

Scammers are using bots to create bogus eBay accounts that boast trustworthy profiles in a new scheme to rip off buyers, a security company said Monday.

The scam, said Sunnyvale, Calif.-based Fortinet, is a new twist on an old con where criminals set up bogus auctions, rake in the proceeds, and then scram, never intending to ship anything to buyers.

Long-time eBay users, however, have gotten wise to such double-crosses, and have learned to avoid auctions where the seller has little or no transaction record and/or little or no buyer feedback.

The new dodge, however, makes that defense useless.

According to Fortinet, the racket uses a bot to create a large number of fake accounts, then applies a spider to scavenge eBay for 1-cent "Buy Now" items, then purchases them.

Once they get a "good rating" going, the scam begins.

Link to the full story by TechWeb, here.

Of course, phishing takes a toll on eBay users, also. Normally, the intent here is to take over an account with a good rating and then disappear.

Interestingly enough, PIRT, run by CastleCops and Sunbelt Software, just released the Top Phished Brands - which confirms that eBay and its sister organization PayPal are phished more than any other brands.

Technology continues to be leveraged by criminals to commit crime on auction sites. In this instance, the recommendation is to read the feedback of the seller "carefully" and beware of anyone with too many 1-cent auctions.

It also pays to ensure the protection for your system is up-to-date and avoid clicking on any links that you aren't certain of.

Here is a good post about how to avoid fraud on auction sites:

How to Protect Yourself on eBay

To avoid phishing scams - which often lead to malware downloads - the APWG (Anti Phishing Working Group) has a good link, here.

Expert Warns RFID Passports AREN'T Completely Safe

Looks like a lot of "information" is coming out from the "Hackers Convention" (DefCon) in Vegas. Here - AGAIN - an expert is warning that using RFID in passports might have security implications.

Here is an interesting article from Dan Goodin of the AP:

Electronic passports being introduced in the U.S. and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned.

A demonstration late Friday by German computer security expert Lukas Grunwald showed how personal information stored on the documents could be copied and transferred to another device.

It appeared to contradict assurances by officials in government and private industry that the electronic information stored in passports could not be duplicated.

Link to AP article, here.

Here is a recent post I wrote about another warning concerning the use of RFID in passports:

RFID Hacked Again and Vendor Says it's as Safe as Anything in Your Wallet!

Are Retail Refunds Violating Customer Privacy?

There is no doubt that fraudulent refunds from shoplifting cost billions. It's a way for criminals who target the retail industry to get cash.

To protect themselves from refund fraud, many retailers maintain the personal information of refunders in databases. With the identity theft crisis in "full bloom," many customers aren't very happy at having to provide personal information when they return a defective product.

Chelsea Emery of Reuters recently wrote:

Receipt in hand, Peter Soltesz expected his trip to Home Depot Inc. to return a $25 faucet part would be quick and uneventful.

But the Rockville, Maryland, consultant went home with the part -- and without his cash -- when the clerk insisted on recording his driver's license data.

"A driver's license is one of those pieces of key, secure information that identifies me," said Soltesz, a computer and telecommunications specialist.

"I'm more than happy to give it to a bank, but a Home Depot, for goodness sake? They can't clean a store, much less protect my information."

Please note that information is compromised at banks, quite frequently, also.

Of course, within the retail industry, it's known that shoplifters aren't the only culprits in the refund fraud world -- dishonest employees (also) use refunds as a way to steal cash. When an employee does a fraudulent refund and takes the cash, the loss transfers to the physical inventory (goods on hand) and their till will balance. By the time an inventory occurs (once or twice a year), the loss will show up as missing product, and it's impossible to determine whether it was due to internal or external theft.

Since the employees have access to these (refund) databases, my guess is that they use existing customer information, or make it up. Previous surveys within the retail industry have cited employee theft as the number one cause of losses.

The 16 billion dollar loss figure was put together by Dr. Richard Hollinger of the University of Florida, and the most recent study reflected an increase in "organized retail crime." With the "identity theft crisis" in full bloom, it's probable that many of the "more organized criminals" have access to multiple identities.

Bad check writers frequent retailers all the time and are known to refund merchandise to get cash. There are databases to prevent check fraud and the way criminals often defeat them is to assume a "good identity." Again, due to the identity theft problem, identities have become cheap and are being marketed in chat rooms and rogue websites on the Internet.

If many of the criminals committing the $16 billion in fraud are circumventing the system - a lot of this data currently maintained probably is flawed.

Sadly enough, consumers like Peter are probably reacting to recent news events.

Recently - although never admitted to - it was alleged that "Office Max" was the point of compromise in a debit-card breach. In the past week, it has also "come to light" that "Dollar Tree" (another retailer) was the point of compromise in another breach.

If financial systems can be "hacked" at retailers, it's conceivable that this database could be compromised, also.

According to the Privacy Rights Clearinghouse - which has been following this - 91 million people have had their data exposed in the past couple of years. And the list keeps growing.

For their chronology, link here.

Technology makes crime more sophisticated on a daily basis and the "bad guys" are constantly looking to defeat "security measures." Unless these measures evolve, they can become "not very effective" in a short amount of time.

I'm not sure what the answer is. Retailers have the right to protect their assets, but at what cost and how effective is the process? Another issue: with all the "identities" floating around and "employee abuse," is there a potential for honest people to be tagged as shoplifters?

Sadly enough - as evidenced in the Reuters story - I doubt Peter will be giving Home Depot any business soon. This is going to hurt retailers, also.