Saturday, November 25, 2006

How to Protect Yourself from the Cyber Criminals on Cyber Monday

Black Friday has come and gone and now we have Cyber Monday to look forward to. Cyber Monday was coined by the National Retail Federation because it represents one of the largest e-commerce shopping days of the year.

While shoppers search the Internet for all the "deals" that will be offered, another element - the cyber criminals - will be offering "goods and services" at too good to be true prices.

If we are to believe recent statistics, the cyber-criminals will be out there in force.

According to the National Consumers League and National Cyber Security Alliance, ten percent of us could become a victim of Internet crime.

Gartner Inc. recently reported that the number of phishing attempts has nearly doubled in the past two years and the Anti-Phishing Working Group has reported similar statistics.

Phishing is a leading cause of identity theft and financial crimes, where someone receives an e-mail appearing to be from a legitimate company (normally a financial institution). The e-mail contains instructions to click on a link leading to a fake website, where the goal is to con someone into giving up information (personal and financial).

Auction fraud has also grown to the point that it now is the number-one complaint filed with the Internet Crime Complaint Center or IC3. Internet auctions have become a popular place to buy Christmas gifts.

And a massive bot-net of "zombie" computers designed to attack in-boxes across the world has been seen forming on the horizon to facilitate the "holiday attack." Has anyone noticed how many spam e-mails are getting past their spam filters lately? The speculation is that these will be used to perform phishing expeditions and/or spread other scams.

The National Consumers League and the National Cyber Security Alliance offer the following tips, here.

Government sources are also great places for information on how to protect yourself from cyber-criminals.

The Federal Trade Commission has a lot of great information on how to protect yourself and report suspected criminal activity, here. And not to be outdone, the FBI covers a lot of these crimes and has a place where they can be reported, here.

If you are a more "visual" type, the Federal Deposit Insurance Corporation (FDIC) has an excellent video - geared towards the average user - on how to avoid cyber-criminals, here.

While the cyber-criminals will be out there in force this holiday season - being aware helps guarantee that you will be one of the ninety percent that will "just say no" to their various schemes.

Always remember, if it sounds too good to be true, it probably is!

Are Counterfeit Documents being Mass-Produced in Nigeria?

In the past several years, we've seen all sorts of counterfeit financial instruments (money orders, cashier's checks and now American Express gift cheques) being passed in Internet scams.

A recent TimesOnline story stated:
Nigerians are forging passports and cheques on an industrial scale and that huge numbers of false documents are passing through provincial British airports.

The face value of the fraudulent financial instruments discovered in "routine checks" amounted to millions of dollars, and the documents (non-financial) are probably used in "illegal immigration."
Story, here.

The TimesOnline article also mentions that the UK is a staging ground for a lot of the stolen merchandise that is the proceeds of auction fraud.

According to the article, the activity also enables the criminals to return (easily) should they get caught:
Suspected Nigerian fraudsters, who have been deported in exchange for charges against them being dropped, are re-entering Britain using forged travel documents and resuming their activities, according to the study.

Other suspects are absconding and disappearing because, unless they are accused of crimes involving more than £50,000, they are being released on bail.

I wonder how many of them get bailed out on a stolen identity, assume another one, and go right back into business?

We seem to see story after story about what a huge problem counterfeiting has become. One of the main reasons is that technology makes it easy to do, and if anyone is caught, the consequences are minimal.

It's true that the article is about activity in the United Kingdom, but the problem isn't confined to the British Isles.

And Nigeria isn't the only place counterfeit documents are being made.

Asia has also been a reported "source" for a lot of counterfeiting. For instance, it's widely believed that North Korea has been flooding the world with "supernotes" (counterfeit $100 bills) that are almost impossible to tell from the real thing. Wikipedia article, here.

If you read through the article, it tells of ties to terrorist organizations and organized crime syndicates.

Nigeria might be a source of counterfeit documents, but it isn't the only one. The United States is also known to have a lot of counterfeit documents being produced.

If they didn't, it would be hard for the 14 to 20 million illegal immigrants to find jobs.

Swapmeetdave.com has an interesting page (with pictures) of a lot of the counterfeit items (from Nigeria), here.

Thursday, November 23, 2006

Consumers Union Calls for Credit Card Reforms on the Eve of Black Friday


Recently, I blogged about "Credit Card Gotchas" after being inspired by an e-mail I received from the Consumers Union.

I got another one that makes a lot of sense, which is to think carefully before spending money you don't have this weekend. Since tomorrow is "Black Friday," the biggest shopping day of the year, the timing is appropriate.

In their own words (or maybe I should say the words of the consumer):

Just as the holiday season gets ready to kick into high gear, Consumers Union is warning shoppers about the increasing number of credit card traps that can trip up consumers and lead to spiraling debt. To help get out the message and mobilize support for reform, the group is releasing "It's Always Christmas Time (For Visa)," an animated satire that takes aim at abusive credit card fees and practices.

"You can find yourself buried in debt if you aren't careful to avoid the credit card gotchas," said Michelle Jun, Staff Attorney for Consumers Union. "Too many credit cards are designed to get you in debt and keep you there."

“It’s Always Christmas Time (For VISA)” is a lighthearted take on the unexpected fees, interest rate hikes, and misleading contracts that are contributing to high credit card debt in the U.S.

After viewing the animation, viewers can send an email to Congress asking lawmakers to support credit card reforms. To view the animation, click on www.CreditCardReform.org.

Consumers enjoy few protections when it comes to credit cards and there are an increasing number of ways they can be penalized with fees or get stuck with higher interest rates:

Universal default: Your interest rate can skyrocket if your credit score declines because of your behavior with other creditors even if you always pay your credit card on time and never miss a payment. Some card issuers will raise your rate if you inquire about a car loan or open a new credit card.

Change of terms: Credit card terms keep changing. Read the fine print and chances are you’ll find this disclosure: “We reserve the right to change the terms (including the APRs) at any time for any reason.” A fixed rate is fixed until the bank gives you at least 15 days notice that it isn’t. If you want to keep your account open, you’ll pay the higher new rate on your existing balance.

Teaser rates: That low rate you signed up for expires suddenly and you end up paying more. A temptingly low introductory rate can climb to 30 percent or more.

Minimum payment: If you pay the minimum payment every month, you’ll end up paying a lot more than what you charged and you could be on the hook for a very long time.

On time payment: Card issuers are systematically mailing statements closer to the due date, giving customers less turnaround time. You can be hit with a late fee even if the payment is mailed on time. The average fee for a late payment has more than doubled in the past decade.

Double cycle billing: Finance charges are usually calculated using the average daily balance. If you alternate between paying off and carrying a balance, you’ll end up paying more interest.

Cash advance/convenience checks: The interest rates on these are higher than your credit card.

Penalty interest and fees: Late payments can raise your interest from 7% to 27%! Rather than rejecting charges that exceed your credit card limit, issuers today often let them go through but then charge a hefty fee -- as high as $39.

Fees, fees, and more fees: As if the penalties weren’t enough, you pay more fees for paying by phone or charging abroad. You may have to pay a fee to receive what used to be free year-end summary statements.

Balance transfer switcheroo: Transferring a balance from an account with a high APR to another one with a lower interest rate could come at a high cost. Any payments you make are typically applied first to the lowest rate balance. So while the credit card company uses your payment to quickly pay off that 0 percent transfer balance, you are piling up interest on purchases, at say, 18 percent. Multiple balance transfers will hurt your credit score.

Full article from Consumers Union, here.

I write about fraud from a victim's perspective, and I've often lamented on why it seems insane to keep writing-off not only monetary losses (passed on to everyone), but "seemingly," the millions of victims created by the not very secure handling of people's personal information.

People need to learn to be responsible when using credit - but that's hard to do - when credit card companies issue (too) large lines of credit to new customers and even send pre-approved offers to family pets (this actually happened at my house). My daughter had been using the dog's name when registering on certain websites.

It's not hard to see why so many are up to their necks in debt before they realize what happened, or why there is so much credit-card fraud. It all boils down to too much bad debt that eventually has to be compensated for.

I recently blogged about how sending mass-mailings of pre-approved credit card offers is dangerous to the recipient's financial health. There seems to be a trend of making it too easy to get credit and not paying enough attention to the consequences of doing so.

Perhaps, what is needed is a new era of responsibility? Bad debt is an expense on any financial statement and the quest to keep expanding customer bases has led to an environment of "robbing Peter to pay Paul." Since the issuers would go out of business if they weren't profitable, revenue streams are added to cover it, and "more."

And guess who ends up paying for it?

In my opinion - should we fail to address the problem soon - the bottom is likely to "fall out" sometime in the future and that isn't going to be a "good thing" for the credit-card issuers, or their customers.

buySAFE Survey Reveals Customer's Fears about e-Commerce

Rob Caskey - who is buySAFE's marketing guru - sent me this interesting survey they conducted. What's interesting about the survey is that it takes the fear of Internet fraud beyond bogus financial instruments and identity theft to a more basic level.

The survey reveals that the average person fears they won't receive the product, or will get something other than what was represented. And if you consider all the variations of auction fraud on the Internet, this is what normally happens to the average customer when they are defrauded.

And - after all - when we go shopping the goal is to have a pleasant experience and get something we want. We don't want to have to constantly worry about getting ripped-off.

Here is what the press release from Market Wire had to say:

On the brink of Black Friday – the biggest shopping day of the year - identity theft and credit card fraud are not the only issues causing consumers to abandon their online shopping carts this holiday season. A recent survey by online trust and safety company buySAFE, Inc. (www.buysafe.com) and online market research service Insight Express revealed that respondents are almost equally concerned with the possibility of non-delivery or receiving something different than promised. These concerns – along with concerns about the trustworthiness of the retailer, quality of merchandise, and shipping costs -- are amplified when shoppers are considering buying from smaller, independent online retailers.

Detailed survey results, here.

There is no doubt that there are a lot of hard-working and "honest" sellers on the Internet, who have been hurt by all the fraud that takes place on auction sites. In fact, according to the experts, auction-fraud seems to be the number-one complaint these days.

From legitimate accounts being taken over by phishing (eBay and PayPal are the two most targeted brands) to a wide-array of counterfeit and stolen goods being sold, consumers face the real fear of getting ripped-off when buying an item.

I had a conversation with another person who writes about fraud on the Internet recently, and we both agreed that the average Internet customer almost needs to become a "fraud expert" to ensure they aren't going to be "taken advantage of."

buySAFE has created its own "niche" in the market by ensuring a seller is legitimate and giving their customers the "peace of mind" that they are dealing with a legitimate and "trusted" retailer.

Although the service isn't free to sellers (customers don't pay anything), it protects the average person from all the fraud we hear and read about in the e-commerce world. As for the honest sellers - who have been damaged by Internet fraud (consumer confidence) - it lets everyone know they are a "trusted source."

For the smaller seller and the person out there in search of a "good deal," the service allows them to focus on their primary goals (selling and shopping) and it leaves the "worrying" to someone else, (buySAFE).

buySAFE has a couple of bloggers on their team (who I've had the opportunity to correspond with) and I've found more than one interesting insight about e-commerce when reading them.

Jeff Grass, buySAFE CEO's blog, here.

Steve Woda, buySAFE founder and Chairman's blog, here.

Here is more about buySAFE, courtesy of the Market Wire release:

buySAFE, Inc. is the leading trust and safety company for e-commerce transactions. buySAFE qualifies merchants, identifies reputable online businesses with the buySAFE Seal, and uses surety bonds to provide broad protection for individual buyers from online transaction risks. The buySAFE bond is backed by Liberty Mutual, Travelers, and ACE USA for up to $25,000, and boosts consumer confidence for lesser-known online retailers, allowing them to compete with the big, established brands. buySAFE has issued more than 9.5 million surety bonds on individual online purchases. There are currently more than two million items bonded with buySAFE that can be found at www.buysafeshopping.com. buySAFE is headquartered in Arlington, Virginia. More information can be found at http://www.buysafe.com/.

Monday, November 20, 2006

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

Whether by hacking databases, or placing skimming devices on point-of-sale systems, debit/credit card fraud is rearing its ugly head, worldwide.

After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.

Jaikumar Vijayan writes:


Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.


Jaikumar's story, here.

Jaikumar's story states that Wesco, a retailer, is suspected as being the point-of-compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.

Office Max was the suspected point-of-compromise in another case last fall and to the best of my knowledge - they never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected as being points-of-compromise in breaches, where large amounts of credit/debit card information were compromised.

Why are hackers targeting retailers? The answer might be that large amounts of account information - including PINs (personal-identification-numbers) - are being maintained in databases, which are poorly protected and therefore easily compromised (hacked).

In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):


It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.

Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.

The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.


The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.

Perhaps the problem is that the Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minimum, shouldn't these companies be prevented from doing electronic payments by the industry?

Even if a lot of the losses are being written-off, they are normally passed on to everyone in the form of increased fees, interest rates, or in the case of retailers - higher prices. Despite this, there are also people that are denied compensation, especially if they fail to be timely in filing a claim; or a PIN was used and they can't tie it into a known breach.

With the amount of data-breaches, it's often difficult to figure out where any particular person's information was stolen from.

If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?

Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.

I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.

ATM Skimming Case Travels to 19 Countries on 5 Continents

Skimming device (courtesy of the "ATM Pool" at Flickr)


Police in the United Kingdom are calling an ATM skimming case one of the biggest of its kind. ATM skimming is where a debit-card's magnetic stripe is counterfeited (cloned) and the PIN (personal identification number) is compromised - normally with a hidden camera.

Officials estimate the fraud has already netted about $4.5 million and the counterfeit cards have been used in 19 countries on five continents.

According to the story published in the SundayMirror.co.uk:

The scam was uncovered after police launched an investigation - codenamed Operation Turner - after receiving 560 complaints. Detective Sergeant Dick Bollard, who is leading the probe, said: "This is one of the biggest scams of its kind. It's a very large and complex investigation which is expected to take a considerable amount of time.

"The investigation is ongoing and we are looking into a number of leads in the UK and abroad." A spokesman for trade organisation APACS, which helps banks fight fraud, said: "These scams have involved copying a card's magnetic strip and in cases filming a driver keying in a PIN number by using some sort of hidden camera.

SundayMirror.co.uk story, here.

Two suspected dishonest employees at BP gas stations (where the devices were planted) have been arrested. One of them might be an illegal immigrant, also.

If the cards have been used in 19 countries so far, it's safe to assume that the people behind this are pretty organized. Although no one ever knows for sure, there might be Internet chatrooms (forums) - where Internet fraudsters gather to barter and sell stolen information - spreading the activity.

The UK has had a lot of this skimming lately and I did a recent post about it where Romanian illegal immigrants were to blame.

And the UK isn't the only place that is having problems with debit-card skimming at gas stations. A similar case happened at Arco stations in California and there have been many other instances, worldwide.

BP owns Arco in the United States.

Although a lot of skimming is attributed to devices being placed on (self service) point-of-sale terminals and ATM machines, there has been recent evidence that cards are also being cloned after databases have been hacked at retailers.

Some who investigate this believe that the people behind it intentionally hold on to the stolen information before using it, to frustrate investigative efforts that would discover their techniques or operations. In some recent cases, the authorities could only speculate about which of the known breaches an individual person's information was stolen in.

Skimming can also be accomplished by retail, or restaurant employees using portable "encoding devices." Unfortunately, most of the technology used is legal and can even be bought on eBay.

It pays to keep an eye on your card to make sure it isn't being swiped more than once.

There's probably not much an individual person can do when entire databases are compromised, but an individual can shield their PIN when using their debit card (strongly recommended).

At least if they don't have your PIN, they can't get cash; however, they might still be able to use the card number for signature-based or e-commerce transactions. Note that credit-cards are cloned for the same purpose.

Last, but not least - debit cards don't offer the same protection as credit cards do. If you expect to recover your money, the allowed time frame to file a claim is a lot less than with a credit card.
It's a good idea to watch your statement carefully.

If you would like a more visual demonstration of how skimming occurs, Visa has a pretty telling page (portable devices), here.

Flickr has a public group with pictures of ATM machines, including skimming devices, here.

There are a lot of eyes out there (customers and employees) that might spot a suspicious device - if you do - never touch it and make sure you report it to law enforcement (immediately). Since the activity normally occurs in public (retail) spaces, an educated individual could very well make the difference in cracking one of these cases. Remember that anyone near the device - no matter how official they look - might be involved, themselves.