Saturday, November 18, 2006

Why Do We Keep Blaming Identity Theft Victims?

I just got done reading an article by Mark Seagraves (WTOP Radio) about 478 laptops that have been stolen from the IRS. Mark was able to obtain this information via the "Freedom of Information Act."

At first, I thought "here we go again," but in reality -- there are probably thousands of laptops that have disappeared in the private sector that were never made a public record via the "Freedom of Information Act."

In fact - in a lot of the data breaches observed - the breached seem to disclose as little as possible. I wonder if we know about every data-breach that might have occurred?

Articles about missing laptops compromising "millions" make good stories, but in reality, laptops are a desirable item and get stolen all the time. It's entirely possible they are bought and sold on the black market and even used by criminals, who are clueless of their "information value."

I predict sometime in the near future, we'll see a story on information was compromised by the theft of a smart phone. They're pretty easy to steal and (desirable), also.

On the other hand - with chat forums selling personal information for a few dollars a pop - the amount of compromised information out there is potentially huge.

Recently, we saw stories where personal information was being harvested off hard-drives that were thrown-away, or given to charity. How many hard-drives have been discarded without removing the information on them?

Again - with the amount of personal information being stolen and used in financial crimes - who knows? Some "expert" will argue that none of it has been used and the criminals using it are unlikely to comment.

No matter where it comes from, the astronomical increase in identity theft, clearly indicates that a lot of information is being compromised - whether stolen from a laptop, garbage can, or via malicious software, sometimes referred to as crimeware.

I had to chuckle recently when some "security experts" observed that in most identity theft cases, the information compromised came out of trash cans. Whether they are right, or wrong - the information sent in mass mailings starts in a database - sold for a profit and printed on a computer.

The only difference is the method of mail being used. Trust me, the Postal Inspection Service investigates a tremendous amount of fraud that is sent via snail mail and mail fraud is nothing new.

Yes - according to the experts - we are to blame and need to take action to ensure criminals don't compromise the sensitive information being sent to us in mass mailings. Is anyone paying us for our time to rectify a problem, we didn't create? Has anyone ever considered that maybe we shouldn't be mailing this type of information and then making it too easy to obtain one financial instrument, or another?

We see technology fixes, which are highly publicized, but seem to have short lifetimes after "saavy" criminals defeat them. An example of this is the "chip and pin" technology - which seemed to be compromised in no time at all on older ATM machines.

There are still a lot of older ATM machines to be used.

I've also seen "experts" blame people for not keeping their virus protection up-to-date, or falling for social engineering schemes. Are they to blame for e-commerce sites that are easily faked and complete "do it yourself" scamming kits routinely available on the Internet?

An entire security industry has grown up around this problem and if you want protection - which doesn't always work - you need to line someone's pockets. In fact - in many instances - you not only have to line their pockets once, but you also have to pay for all the countermeasures that are developed when their measures are defeated.

Businesses love income streams.

Then there are the faux providers of protection, which can lead to more information being sifted from your computer if you happen to download their "fixes." It's very difficult for most consumers to determine - who is reputable and who is not - when their ads are right next to each other on the Internet.

Sadly enough - one of the solutions has been to offer "identity theft insurance," which means that people are being asked to finance their own protection. A lot of this is being sold by the same people, who are buying and selling all the information that caused the problem in the first place.

We need to address to the real issue, which is there is too much information out there that is "poorly protected" and easily accessed for "dubious purposes."

Please note that I'm not advocating that people don't need identity theft protection, or to protect their systems. Virus protection, firewalls and identity theft protection are probably good things to have in the current enviroment we are dealing with.

And I'm not saying all the "experts" are wrong. Trust me, a lot of them are hard working, thoughtful and dedicated people trying to make a difference. The problem is that money can buy a lot of experts and those using and abusing people's personal information have plenty to spend.

We need to stop believing that technology can cure the problem and realize we are dealing with a social issue. The bottom line is that a lot of sensitive personal information is being poorly protected and too many people are being victimized by the use of it.

Since so much money is being made by making "sensitive information" too easy to access, the people making a lot of money are resistant to change. Until we make it less profitable for them to continue "enabling" the problem, the problem isn't going to disappear and is likely to grow.

If the people enabling the problem are "resistant to change," perhaps the answer is to create laws to protect the innocent and make it a little harder for the guilty to do business as usual!

Blaming victims for something they didn't cause is getting a little old!

Thursday, November 16, 2006

Flash Mob to Attack Fake Bank Sites this Weekend!

It seems the "artists" (Artists Against 419) are planning an offensive against Internet scammers this weekend.

They are inviting people to see what this is all about and participate if they wish.

In their own words:

Welcome to the Fifteenth Flash Mob!

Three years doesn't seem like a long time in the grand scheme of things. But in that time, aa419 has grown into a major anti-fraud force on the internet. A quick look at our database will tell you why -- we have identified more than 10,000 fake web sites in that time, and shut almost all of them down.

We're proud of finding and blacklisting all these scammers, but we're even more proud of working with hosters to get their sites offline. And to accomplish this, we rely on a fantastic group of volunteers, some of whom have killed hundreds of scam sites all on their own!

Listen to our Radio 419 broadcast during the flash mob, and join us in chat. We will be holding live tutorials throughout the Flash Mob, and this is an excellent chance for you to learn the nuts 'n' bolts of fake bank killing!

For more details, link here.

In case you didn't already know - 419 is the Nigerian Penal Code for advance fee fraud - which victimizes millions of unsuspecting people. The artists have very detailed descriptions of all the variations on their site.

The people behind this consider themselves "artists" because they trash fraudulent bank sites - also have a wonderful sense of humor - which is evident on the site, itself. All humor aside, the site is also an excellent place to learn how Internet scams work, and more importantly how to safely navigate "dangerous waters," while surfing.

Of note, they recently affiliated themselves with the Anti Phishing Working Group (APWG), which I reference (frequently) as a great resource to learn about phishing.

I did a recent post on how the Phishermen are Reeling in Record Catches.

Hopefully, the artists will hit them hard this weekend!

Wednesday, November 15, 2006

Why Buying Gift Cards on Auction Sites isn't a Good Idea

I recently did a post wondering if sites reselling gift cards would create an additional avenue for dishonest people to commit fraud. After all - gift card fraud - isn't new and eBay limits the sales of them on their sites because of the criminal activity associated with them.

The main reason eBay limited the sales on their site was pressure from the retail industry, or so I've read.

Fraud committed against retailers costs billions, and it's added into the "cost of goods sold," which means we are all paying higher prices because of it. There is a limit to being able to add the price of fraud into the cost of an item (competition) and when this happens, businesses fail.

A lot of people have lost their jobs when retail fraud couldn't be controlled.

In response to my original post, Joe LaRocca, Vice President of Loss Prevention for the National Retail Federation was kind enough to send me some links illustrating how big a problem this has become.

In November, the NRF released information that estimates retailers will lose $3.5 billion during the holiday (Christmas) season - link here.

Many retailers issue gift cards versus cash for refunds (especially when no receipt is present) and fraudsters sell them for cash. Joe provided me with an interesting link on this (story and video clip) from, here.

Refund fraud normally is a result of shoplifting, but when dealing with gift card fraud, we also need to include credit/debit card and check fraud. Retail fraudsters buy gift cards with their "bogus financial instruments" and then sell the cards for cash. Of course - they could be refunding merchandise bought with their bogus instruments - but it's easier (less work) for them to simply buy the "gift cards" and resell (fence) them.

Credit/debit card and check fraud are two activities that directly tie into "identity theft," which victimizes 9 million people a year in the United States, alone.

Besides the "indirect costs" we all pay - a lot of ordinary people become fraud victims after an encounter with a fraudster on an auction site. The Internet Crime Complaint Center cites auction fraud as their number one complaint and it keeps growing every year.

Besides placing yourself at risk - buying gift cards over the Internet - might be supporting the victimization of ordinary people and businesses alike!

Tuesday, November 14, 2006

Ever Wonder How Well the Credit Card Companies Protect Your Personal Information?

Ever wonder how well your personal information is protected by credit card issuers? If you are like most people - your mailbox is filled with pre-approved credit card offers.

In April, I did a post on how easy it was to tape together a ripped up credit card application, change the address and telephone number (a cell phone was used) and get a brand new credit card.

NBC News did basically the same thing that Rob - blogger did - and got similar results:

From the NBC News story:

You think ripping up those credit card applications is enough to prevent identity theft? Think again.

Getting the credit card applications has never been the problem. It's what to do after they pile up that's the real consumer dilemma.

We've been warned for years-- if you don't want 'em, destroy 'em. However, ripping and tearing may no longer seem like enough.

With five applications, and a little muscle, we started ripping. Scotch taped them back together. And wrote around the tape- filling out the application the way an identity thief might if he'd been digging in our garbage.

NBC News story, here.

And the results were a 60 percent success rate, or they got 3 brand new credit cards.

The official responses to how this happened by the credit card companies were:

In a statement, chase card services says it has "rigorous policies" for handling applications and a "special handling process" for the rare torn applications. In this case, however, "it is clear to us our procedures were not entirely followed for this particular application...and we are investigating."

For the two cards it issued, Bank of America, which merged with MBNA, says the applications "both went through the proper verification processes" and that "the signature, social security number and birth date matched" a (current) customer with excellent credit.

The company added that it sometimes sends cards to unrelated addresses as a convenience customers have requested.

Many of these institutions are claiming they have a "zero liability" for fraud - the reality is that we are all paying for it in the form of increased fees and interest rates.

After all - how would they stay in business otherwise?

A lot of them are also selling "identity theft products," which adds another revenue stream to their coffers. Some believe they have helped create this industry by not protecting their customer's information in a "responsible manner."

The conclusion of the NBC article was to "opt out" and of course - buy a good shredder.

You can opt out by calling 1-888-5-opt-out.

It's a shame that we all need to buy shredders and "opt out" to protect ourselves from "marketing practices" that victimize innocent people.

Here is a recent post, I did on how credit cards can (getcha):

A Hidden Cost of Identity Theft - "Credit Card Gotchas"

Sunday, November 12, 2006

The Phishermen are Reeling in Record Catches

No matter what expert you go to - phishing keeps increasing, both in the number of attacks and the amount of money stolen.

An example of this would be a recent story by Robert McMillian of IDG News Service. His story - quoting Gartner (a computer security research firm) - shows the dollar value has gone from $256.00 to $1244.00 per incident. Gartner is also claiming that the number of people victimized has risen from 1.9 million to 3.5 million. While most of the statistics are going up - there is one that isn't - the number of people recovering their money, which has gone down from 80 percent to 54 percent.

Please note, these are U.S. estimates - and to the best of my knowledge - the U.S. isn't the only one suffering.

McMillian's article also quoted Paul Laudanski (CastleCops and PIRT) as stating:

"Often companies are reluctant to share information for fear that it may lead to lawsuits. "The criminals are working together in this, but it's hard for us to work together."

Link to IDG story, here.

Mr. Laudanski has an excellent point here and it's not only true when it comes to phishing - data breaches and even auction fraud (another two lucrative Internet crime activities), frequently are downplayed and or "not disclosed" to the public.

Gartner estimates that phishing costs the U.S. $2.8 billion, but if you were to listen to the FBI, cyber fraud is costing us about 70 billion. Of course - Phishing isn't the only cybercrime out there.

Tom Young (Computing) quoted FBI special agent Mike Eubanks as saying less than 5 percent of the big "Cyber Crooks" are ever caught.

Agent Eubanks also said:

"Each year in the US, $70bn (£37bn) is lost to cyber fraud, and the problem is getting bigger. Many of the criminals come from Russia, Ukraine and Romania. These people are specialists in malcode, as well as in covering their tracks. They communicate through email and chat forums."

"In a computer crime the data is stale within weeks, and the evidence is in many different areas, personal PCs, corporate databases, all over the world which makes it particularly difficult. The IT industry needs to work with law enforcement, and use it as a selling point. The industry can look to see if it is experiencing crime that police are seeing, and vice versa. We need to put together a network that facilitates the sharing of data to analyze global trends."

Computing story, here.

Until the private sector decides to stop worrying about law suits and bad press - this is going to continue to be a losing battle for the people trying to put a stop it. Maybe the companies - who aren't disclosing information would react sooner if legal action was taken against them for not doing so.

Of course, the only way to do this would be to institute effective laws.

We still don't have an effective federal law that addresses disclosure in these incidents - and some suspect that efforts to do so are being hampered by "special interests."

The last federal version I saw (HR3997) would allow these very companies to decide - whether or not - it was necessary to disclose the information. Last I heard, public outcry stopped this bill from being passed, but it's still out there.

My opinion is that these companies and their special interests have long claimed they reimburse fraud victims. While this is true - there are many who aren't reimbursed - and that statistic (like all the others) is also going up. While some individuals might be getting reimbursed - the cost of all this is being passed to everyone - otherwise these companies would go "broke" pretty quickly.

Another thing to consider is that when a person's personal information is stolen and later used in identity theft, the odds are that no one will know exactly where the information got compromised. This is especially true, when no, or limited disclosure is given after a long internal investigation is the "norm."

And if we are to believe Mr. Laudanski and Special Agent Eubanks -- there is a lack of disclosure -- even to those attempting to go after the "bad guys" behind this activity.

It doesn't make sense not to help the people, who are protecting the public from criminal activity.

Unless something is done that serves the public interest instead of the private interest, the "Phishermen" will continue to reel in record catches and expand their activities.

In fact, they are probably laughing all the way to the bank!