Saturday, October 21, 2006

American Express Gift Cheques Being Circulated in Internet Scams

A couple of weeks ago, I updated an earlier post about counterfeit American Express Gift Cheques and asked my readers to help me discover exactly how these items were surfacing.

Prior to this, I knew they were showing up over a wide geographical area, but no one was "sharing" how they happened to get them.

One reader wrote in and said:

"I was almost duped into this. I responded to an ad on I was told that this person was an artist that needed a way of getting his money from clients in the US. This person was going to give me 10% of every artwork he sold. I bought in to this hook, line and sinker. However, when the payment came it was from Nigeria that made me suspicious. I checked online and verified these with American Express they asked me for all the information I had on the person I received these cheques from and had me write a series of numbers and letters on the back of the cheques and send them back to them. Thanks to your website I was able to prevent this from happening to me."

Several other readers wrote in and reported getting them as a result of being hired to process payments (a "job scam"), or as part of an "overpayment scam" for something they were selling online. The goal in an "overpayment scam" is to have the amount "overpaid" wired to a far-away locale.

In every report, the reader had been asked to negotiate the items and wire the majority of the proceeds (minus a commission) to either Nigeria or the United Kingdom. The return addresses (where they were being sent from) were from all over the United States and, as stated above, Nigeria.

Interestingly enough, I haven't seen any warnings in the press, or from American Express about this.

The best way for someone to protect themselves is to verify the cheques with American Express by calling their verification number at 1-800-221-7282. American Express claims that if you do this, they will either tell you the item is fraudulent, or reimburse you if they make a mistake.

If you spot any of this activity, I would report it to:

Internet Crime Complaint Center (FBI)

If it involves receiving these through the mail, you can also report it to the Postal Inspectors, here.

Besides counterfeit cashier's checks - which seem to change "affected financial institutions" daily - we have seen (mostly) counterfeit money orders (U.S. and Travelers MoneyGram) being used in Internet misdeeds in the past couple of years.

Here are some previous posts about similar, or the same activity:

Counterfeit American Express Gift Cheques

Counterfeit Cashier's Checks Fuel Internet Crime

Counterfeit Postal Money Orders Showing Up in IScams Again

Postal Money Order Romance Scam

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up ...

Thursday, October 19, 2006

How a Merchant Can Protect Their Customer's Personal and Financial Information

Visa and the U.S. Chamber of Commerce issued a report on the leading causes of data breaches.

Here are the top five reasons:

Storage of mag stripe data - The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card's mag stripe in violation of PCI. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.

Missing or outdated security patches - In this scenario, hackers are able to penetrate merchants' or service providers' systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.

Use of vendor supplied default settings and passwords - In many cases, merchants receive POS hardware or software from outside vendors, which install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL injection - Criminals use this technique to exploit coding vulnerabilities in Web-based applications and to attack a merchant's Internet applications (e.g. shopping carts).

Unnecessary and vulnerable services on servers - Vendors often ship servers with unnecessary services and applications enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.

Ironically, merchants attempting to protect themselves from fraud (chargebacks) can end up compromising their customers' information by storing "unnecessary and sensitive" data.

Here is what they recommend doing to protect systems from being breached:

Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.

Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.

Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.

Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.

Confirm that all cardholder data storage is necessary and appropriate for the transaction type.

Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at

According to Visa:

"Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder's name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard."

Green Sheet article, here.
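One way to carry out the "search for prohibited data" step above, as an added example (not code from Visa, the Chamber of Commerce report or this blog): a scan of text logs for stored magnetic-stripe track images. The ISO/IEC 7813 track layouts, the function names and the sample log are assumptions, and the card number is a constructed test value.

```python
import re

# Track layouts per ISO/IEC 7813 (assumed here; the page does not give them).
TRACKS = {
    "track1": re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^"
                         r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"),
    "track2": re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})"
                         r"(?P<disc>\d*)\?"),
}

def luhn_ok(pan):
    """Luhn check, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line_no, kind, masked_pan, beyond_permitted) per track image found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in TRACKS.items():
            for m in rx.finditer(line):
                if luhn_ok(m["pan"]):
                    # Discretionary data is where card verification values live,
                    # so a non-empty field means more than the permitted elements.
                    beyond_permitted = bool(m["disc"].strip())
                    findings.append((line_no, kind, mask(m["pan"]), beyond_permitted))
    return findings

# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = """\
2006-10-19 10:02:11 AUTH swipe=;4111111111111111=08121010000012300000? amt=25.00
2006-10-19 10:02:40 AUTH swipe=%B4111111111111111^DOE/JOHN^0812101000000123? amt=9.99
2006-10-19 10:03:05 RECEIPT pan=411111******1111 exp=0812 approved
2006-10-19 10:03:30 DEBUG raw=;4111111111111112=0812101555? bad check digit
2006-10-19 10:04:02 STORE rec=;4111111111111111=0812101? truncated record
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
```

A finding whose last field is True holds data beyond the name, account number, expiration date and service code that the Visa statement above permits.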

More good information on this from the U.S. Chamber of Commerce, here.

If anyone is interested in the number of data breaches recorded recently by the Privacy Rights Clearinghouse (which makes this information relevant), click here.

Data breaches are bad publicity for merchants and they damage the people that support their businesses (customers).

Wednesday, October 18, 2006

Fraudsters Impersonate Bank Security Departments to obtain CVCs

You get a call from your credit card company's security department and they already have your credit card number. Does that mean you should trust what they are saying?

Probably not a good idea!

The Sussex Sun is reporting:

A new credit card scam has emerged and police are cautioning people to be leery of phone callers saying they represent a credit card company.

The twist to this latest scam is that the caller does not ask for a credit card number, but for the three-digit security number on the back of the card.

According to police, the caller identifies himself or herself as an employee of VISA or MasterCard working in the security and fraud department.

Sussex Sun Story, here.

The "telephone fraudster" then brings up an "alleged" fraud purchase and when the intended victim claims to have never made it - they are conned into giving up the three-digit number (CVC) on the back of their card.

A lot of e-commerce companies are now requiring this CVC (Card Verification Code) to make online, or telephone purchases.

CVC is an extra layer of protection, common in the credit and debit card industry.

Unfortunately, there is a lot of credit card information being bought and sold in "carder" rooms. From the "carder" perspective, cards with the CVC included are worth a lot more than cards without them.

Link to my most recent post about this, here.

The Sussex article recommends you call your credit card company and report the attempt. I agree with this since - if you get a call like this - the crooks already have your number!

It's also probably a good idea to take a look at your credit report and make sure they aren't already compromising your information. If they are - I have a lot of links on this site on where to go and seek help.

This activity is also sometimes known as "Vishing." Wikipedia already has a good article on this, here.

Indian Government Passing Legislation to Punish Cyber Criminals

There has been a lot of "buzz" in the press about data breaches at Indian call centers. It appears that the Indian government is responding by enacting legislation to punish the offenders.

The Hindustan Times is reporting:

With the passing of amendments to the Information Technology Act 2000, law enforcing agencies have been given some extra teeth to curb video voyeurism, child pornography, phishing and fraudulent transactions on the net.

They also point out that:

The changes, however, will increase pressure on the business process outsourcing (BPO) companies. To clear the clouds over the handling of sensitive foreign data by Indian companies, especially the IT enabled sector, the proposed amendment has Section 43(2), which puts companies under legal obligation to keep client data secure, in addition to being contractually obliged to do so for their clients.

Hindustan Times story, here.

There is no doubt that the BPO industry in India is growing at a phenomenal pace. Unfortunately, this has also probably made them a target for data breaches, which, more and more, appear to be controlled by organized criminals who have developed worldwide networks.

Data breaches don't only occur in India.

It's great to see them move rapidly to address this problem. Perhaps, they are setting an example for the rest of us?

Tuesday, October 17, 2006

Feedback Farms and the Need for Third Party Verification Sources eBay

Steve Swoda wrote an interesting commentary about Feedback Farms on eBay.

In his own words:

Last week, Ina Steiner documented the basic story of 'Feedback Farms' on eBay.

I have to be honest, these scams continue to amaze me, and one has to conclude that these scams are damaging and undermining the entire feedback/merchant rating system. If fraudsters can so easily create feedback/merchant ratings in the thousands, then buyers will have to increase their vigilance online. From a buyer's point of view, it continues to be more and more difficult to truly discern good from bad.

Link, here.

Steve makes a good argument that a "third party verification" process is becoming necessary for prudent consumers in the e-commerce world.

His company (buySAFE) provides this type of service, which is free to the consumer who chooses to shop where their "seal of approval" has been given.

Answer a "Too Good to be True" Work-at-Home Ad and Take the Rap for the Phishermen

Ryan Naraine of eWeek did an interesting story about how the phishermen launder their ill-gotten proceeds:

"The dramatic rise in phishing and identity theft attacks includes a well-organized offline component—the not-so-innocent "money mule" recruited by fraudsters to launder stolen money across the globe."

"The ads appear innocently on all the major employment listing sites, offering stay-at-home positions titled "shipping manager," "private financial receiver" or "sales representative."

eWeek story, here.

In the article, they responded to a Craigslist ad - where after being prompted to submit personal and financial information to the Russian Mob - a base salary of $2000.00 a month was offered, plus $50.00 for each wire transfer and/or shipment successfully received by them.

I agree with the article that people involved in this "aren't always so innocent," but since all the stolen money and merchandise will be sent to the new employee -- guess where law enforcement is going to trace it to?

Here is where anyone accepting these jobs could end up.

Also mentioned in the article was that prospective employees for these mobsters are required to submit a lot of personal and financial information about themselves to get "hired." My guess is that this will be used to commit even more crimes without the knowledge of the employee (identity theft).

Trust me, Boris and his merry band of "Vlads" are expert at this.

Here is a story about a Better Business Bureau worker caught up in one of these job scams:

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Sunday, October 15, 2006

eBay Seller Cites Lack of Action Taken on Fakes/Copycats

Microsoft, Louis Vuitton, Dior Couture and Tiffany's have ample resources to battle fraud and fakes on eBay, but what about smaller merchants, who are having their hard work copied and sold on the site?

Michel Leah Keck - an original artist - who sells her work on eBay wrote an interesting post about how eBay merchants are victimized by fakes and copycats.

Apparently, despite numerous complaints about her work being copied and sold, eBay has done little to nothing to rectify her situation. One seller (colorartzone) relisted her work after eBay allegedly received 50 complaints for copyright violations and trademark infringement.

From her blog post, here are eBay's responses to her complaints:

Each time this happens we ask eBay “why is this seller allowed to remain an eBay seller?” -- their reply "we can’t answer that question for you." When asked, how many times is this seller going to be allowed to infringe on our copyrights and IP rights, eBay’s response, “we can not share that information with you.” It is just eBay victimizing the victim but not assisting us by taking stiffer penalties against these fraudulent sellers.

Sadly enough, Michel says this has cost her business a 50 percent reduction in revenue.

Link to Michel's post, here.

She provides an interesting link to the copycat's listings, which seems to drive her point home.

Michel sums it up rather well, when she says:

The fact of the matter is eBay doesn't want to lose sellers, no matter what type of fraudulent activity they are participating in. It appears eBay is more concerned with raking in the listing fees, than controlling the crime that takes place daily on their servers. We realize eBay can not control people... there are going to be thieves in this world.. they have no control over that. However allowing these sellers to remain on their site for repeated cases of infringement is, to me, just as illegal.

After dealing with this serious situation over and over again we are beginning to rethink just who the con artist really is in this situation.

Stories such as this will do little to bolster "consumer trust," which is what made eBay successful.

On a side-note, Michel's work is rather interesting and there are some of us, who would rather have the "real thing." If you are an art-lover, I recommend taking a look at her work. There's a great slide show of it on her post.

Is Phishing Netting More Victims than Previously Reported?

Are more people being caught in phishing scams than previously reported? A study by Indiana University illustrates that this is very likely the case:

"The study, one of the first of its kind, reveals that phishers may be netting responses from as much as 14 percent of the targeted populations per attack, as opposed to 3 percent per year."

The study was conducted by simulating "phishy" e-mails from eBay. They then monitored how many people clicked on the link (lure) and logged on to their site.

Phishing is a leading cause of identity and financial information theft.

The reason why phishing might be underreported is that a lot of people don't want to admit they fell for a phishing scam.

Interesting read, here.

I recommend we all take the time to report the "phishy" e-mails in our inboxes.

Here are two places where one can do so:

PIRT Phishing Incident Reporting and Termination Squad