Saturday, August 18, 2007

Russian identity thieves target the rich and famous


Photo courtesy of CarbonNYC at Flickr

An interesting story hit the news this week about some Russian identity thieves targeting the rich and famous.

The ringleader was talked into meeting federal agents in the Dominican Republic, then entered the United States (believing he was doing so illegally and undetected) and was arrested. Not very bright, especially given the clout of his intended victims.

Tom Fragala at the Truston Blog had some interesting and well-thought-out commentary about how the less rich and not so influential might be targeted in a caper like this.

In Tom's own words:

ID thieves going after the ultra-rich or celebrities is nothing new. That is not what makes this story interesting to me. It's that the "ring" of thieves showed a bit of ingenuity in how it targeted the victims. The ring leader allegedly did public records searches such as home purchases. That's right, if you purchase a home, then tremendous amounts of information about you are made available to anyone for a small fee. The law requires the information is made public via a UCC filing (uniform commercial code). Then using that information, such as the bank listed on the mortgage documents, and piecing together parts of your identity from other places, your financial accounts might be able to be compromised. In other words, if the thief knows your brokerage account is with Wells Fargo, the thief can then pose as you to authorize a withdrawal. Perhaps a wire transfer to Russia, Vanuatu or Nigeria.

And your bank is not necessarily going to come riding to the rescue and return your funds because, well, "they have to, right?" Not exactly. Can you name the US federal statute that provides consumer fraud protections for your brokerage or home equity account like FCRA does for your credit card? Don't waste your time, it doesn't exist. What about the Federal Trade Commission, don't they help you? Nope, they have no jurisdiction. Banking oversight is handled by a hodgepodge of agencies depending on where and how your bank/credit union is chartered.

According to the story, the information used to do this was data-mined online (probably from a county or state website).

Too much personal information being stored on government sites is a huge problem. Recently, I did a post about Betty Ostergren, a.k.a. the Virginia Watchdog. Betty actively goes after state and county governments that leave information on their sites that could be used to commit identity theft, or worse. Although a lot of sites have since pulled some of that information, it's still a major problem.

When I was working on the post, Betty showed me how she can view the personal information of a lot of prominent people from the comfort of her home.

In this instance, the crooks were caught, but the amount of money they almost got away with is scary.

The Truston blog post is here.

Tom is the CEO of Truston, which is the only identity theft detection/recovery service (that I know of) that doesn't require you to provide all your personal information to them. They are also unique in that their detection (prevention) services are free.

A lot of identity theft services out there require you to surrender all your information and even give them your power of attorney.

As evidenced in the recent Certegy data breach, a dishonest employee who has been given access to the information can defeat the best computer security. Besides internal compromises, external hackers still seem to be able to get into databases. TJX was recently compromised by hackers who stole about 45 million personal and financial records.

A lot of TJX's critics were quick to point out that the company shouldn't have been storing some of this information in its own databases in the first place.

Interestingly enough, one of the main principles of the PCI DSS (Payment Card Industry Data Security Standard) is not to store cardholder information in too many different places. These standards were set by the payment card industry to protect information, but as of this writing, not everyone has adopted them.

This is a Catch-22 (no-win) situation because (I suspect) many merchants store the information to avoid chargebacks for fraudulent transactions.

I've often wondered how quickly this would all get fixed if compliance were mandatory in order to accept debit/credit card transactions.

Storing our personal and financial information in too many places is probably one of the root causes of the problem with data breaches.
