Saturday, January 20, 2007

TJX named as point-of-compromise in International data breach - millions of people at risk!

Data breaches are happening at an alarming rate. Until some meaningful action is taken to address them, such as following already established principles (data and PCI security compliance), we're probably going to see them continue.

Reuters is reporting (courtesy of the Washington Post):

TJX said the breach involves the computer network that handles credit card, debit card, check and return transactions at its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico; and its Winners and HomeSense stores in Canada.

It said the intrusion could also affect customers at stores in the United Kingdom and Ireland, and its Bob's Stores in the United States.
Reuters story, here.

This time, not only was credit and debit-card information compromised, but check information and all the personal information gathered when someone makes a refund might also have been exposed.

The breach - reported to have been discovered in December - was kept quiet at the request of law enforcement.

The company has set up hot-lines, which are 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the U.K. and Ireland. I called one of them and they didn't seem to be able to answer much, but told me if I wanted more information to go to their website, here.

The problem in these large data breaches at merchants (TJX isn't the only one) is that too much personal and financial information is being maintained in databases, which aren't protected properly.

The Privacy Rights Clearinghouse maintains ample evidence of this, here.

The Payment Card Industry has already established data security standards, which aren't being followed in a lot of cases. Visa did a press release announcing that they are offering financial aid to Level 1 and Level 2 merchants. There is also mention that fines will be increased for merchants who fail to comply.

Unfortunately, even Visa states that compliance for Level 1 merchants is at 36 percent and 15 percent for Level 2 merchants.

Although I commend the action by Visa, I fear fining non-compliant entities might not be enough.

Tech Web's "Dark Reading" has an excellent essay on the need to become more proactive, here.

In their essay, they state:
One recommendation is that Congress pass a law that compels organizations to protect sensitive information rather than one that simply determines when and how customers will be notified after the fact. There's been a consensus in Congress that standards are needed to safeguard personal information, but there's been a lack of unanimity in the details of how this should be done, says Liz Gasster, acting executive director and general counsel for the Cyber Security Industry Alliance. "It was a real letdown for the citizens of this country that legislators weren't able to overcome their differences last year and pass a law," she says, adding that one big sticking point was Congress not wanting IT security improvements to create additional costs for industries operating in their constituencies.
Maybe with a new Congress, we'll see some "forward thinking" on this issue? After all, it's their responsibility to represent the people, who are having their personal and financial information compromised.

It would also be nice to see more funding to go after the criminals behind this growing problem. After all - the companies being breached aren't the source of this issue.

And besides enacting legislation and prosecuting the criminals doing this, we have the matter of "trust" and "consumer confidence" to consider. These are two "key" business principles that fuel economies. Failure to do something now might lead to some unfortunate consequences later.

If you would like to learn more about payment card compliance and data security, here's a site I recommend:

PCI and Data Security Compliance

Here's a previous post I wrote on this subject:

With all the data breaches - something needs to be done!

Will a hot-line being staffed 24 hours solve the fraud problem in Los Angeles?

A story recently hit the press about Los Angeles County (potentially) losing $2 billion a year to fraud. That's a lot of taxpayer money!

This dollar figure was "estimated" using Association of Certified Fraud Examiners statistics, which say that 5 percent of all revenues (generic) are lost to "employee fraud, waste and abuse." Nonetheless, there have been a lot of recent allegations of "too much fraud" occurring in Los Angeles County.

The problem with any fraud statistic is that the people who commit financial misdeeds (fraud) normally like to keep it rather anonymous. I keep seeing different figures (the $2 billion was from an article a couple of weeks ago), but the truth is that all anyone knows is that it appears to be a substantial problem.

Now County officials are announcing that a fraud hot-line to report instances of government fraud and abuse will be manned 24/7.

The LA Times is reporting:
Ratcheting up efforts to crack down on bureaucratic waste, fraud and abuse, Los Angeles officials unveiled a 24-hour whistle-blower hot line Thursday to take tips from workers and the public.

The latest move to clean up City Hall comes two years after the City Controller's Office created a special task force to investigate fraud.

LA Times story written by Rick Orlov, here.

If you are a resident of Los Angeles County and have something to report, the number is (866) 428-1514.

In the recent article I read quoting the $2 billion loss figure, there were also allegations that very few people are ever prosecuted, or even lose their jobs, when caught committing fraud in the County.

In fact, a recent story stated:

Despite the large number of prosecutions, critics said only a small proportion of county employees found to have engaged in fraud and misconduct are disciplined or charged criminally.

While investigators substantiated 120 fraud hot-line cases last year, only 38 employees, or 32 percent, were fired, suspended, transferred or allowed to resign.

Does this mean that the County is losing $2 billion a year to fraud, the hot line only netted 120 "substantiated cases," and of the personnel implicated - 68 percent of them are still employed?

I'm just an "average person," but to me, increasing the fraud hot-line hours isn't going to make this problem go away.

And not going after the problem "aggressively enough" isn't fair to the honest citizens of Los Angeles, who are "footing the bill" for all of this.

I wonder how many private companies would put 2 out of 3 people bilking their bottom lines back to work?

I feel sorry for the investigators trying to put a dent in this problem!

Here is another post I did on fraud in Los Angeles:

Los Angeles Grand Jury Calls Child Care Program an ATM for Thieves

Friday, January 19, 2007

A new work-at-home business that scams everyone!

With the recent raids on Swift by ICE - a lot of people have wondered how much phony identification is out there. The most recent story about this is out of the Toronto area, where a large counterfeiting ring was discovered in a residential neighborhood.

The home-based business was producing counterfeit identification, credit cards, government benefit cards and passports. In other words, they were making anything a criminal, illegal alien, or terrorist would desire - right out of a private home.

The City News (Toronto) is reporting:

The hunt began last May when Red Rocket officials put out a notice about phony Metropasses that were being distributed in the city. From there, they began to follow a long and winding road of deception that eventually led cops to a residence in Mississauga.

Armed with a search warrant, they entered the home last December 20th, and discovered illegal equipment - like computers, hot stamp pressers, special inks and more - that allowed suspects to turn out the illegal phonies by the thousands. They also found seemingly endless supplies of the finished products.

They were stunned to see scores of blank cards, OHIP cards, altered driver's licenses, even passport photos arrayed inside the home.

City News story with interesting video, here.

It's no wonder that both Canada and the United States (as well as many others) are having a huge problem with illegal immigration, border security and financial crimes.

Here are some similar stories about the same activity in the United States:

Is Bashing DHS for the Swift Raids Fair?

Mexican Organized Crime Ring is Mass Producing Fake Documents - and Considers Terrorism an American Problem

And the UK seems to have discovered the same problem:

International Identity Theft Ring tied to Bank

Of course, the people doing this don't honor borders, or jurisdictions - which means the proceeds from this problem can "easily travel" and victimize a lot of people.

Wednesday, January 17, 2007

OCC is warning the public about counterfeit cashier's checks

I've written a lot about counterfeit cashier's checks, which have spread via the Internet in a number of different scams. Known scams include winning the lottery, secret shopping, overpayment for an item sold on an auction site, or assisting a romantic interest found in a chat-room.

The people who do this are creative and you never know what new "scam mutation" will be discovered tomorrow.

The OCC is warning:

However, cashier’s checks lately have become an attractive vehicle for fraud when used for payments to consumers. Although the amount of a cashier’s check quickly becomes “available” for withdrawal by the consumer after the consumer deposits the check, these funds do not belong to the consumer if the check proves to be fraudulent. It may take weeks to discover that a cashier’s check is fraudulent. In the meantime, the consumer may have irrevocably wired the funds to a scam artist or otherwise used the funds – only to find out later, when the fraud is detected – that the consumer owes the bank the full amount of the cashier’s check that had been deposited.

The OCC offers a lot of insight about the growing problem of counterfeit cashier's checks, here.

Also contained is a FDIC Bank locator, which is an excellent tool because in a lot of scams - the crooks set up phony telephone numbers and even addresses to make themselves appear legitimate.

In the case of cashier's checks, the issuing bank (not yours) is the best place to validate whether an item is legitimate, or not.

FDIC tool, here.

If you would like to see if a particular bank has been targeted with counterfeit cashier's checks - the FDIC issues alerts, here.

Another item to key on is the "scam behavior," which normally will always involve sending money to someone in anticipation of something that is too good to be true!

Sunday, January 14, 2007

Does anyone know - whether or not - check fraud is on the rise?

I sometimes wonder - whether or not - anyone really knows how much check fraud is out there?

Law enforcement jurisdictions often have dollar amounts (some fairly high), which must be met before a case is actively investigated - causing it to be recorded as a statistic. And in the private sector - a lot of NOT very "clear reasons" are used to return checks, which might (or might not) mean fraud.

My two favorite reasons the banks use to return checks are "refer to maker" and "stop payment." This might mean someone was unhappy with a service that was performed, or it could mean the item is counterfeit and the owner of the account placed "stop payments" on the checks. It's even possible that items returned as NSF (non-sufficient funds) are forgeries or counterfeits, because the owner of the account has yet to discover their account has been compromised.

The same holds true with "fraud accounts" that banks open for crooks (new account fraud). New account fraud occurs when fraudster(s) open an account (often with fake information), write a series of checks for a lot more than what is in the account, and disappear (literally).

Often they do this over a weekend, and withdraw the amount they initially deposited, also.

New account fraud items normally return as NSF (non-sufficient funds) items until the bank closes the account. Once this occurs, they are classified as "account closed." Non-sufficient funds and account closed items are normally not considered a fraud classification.

The only thing that is certain is that the loser is going to be the party who accepted the check, and not the banks. In fact -- some believe the banks are the winners in this process -- because they make a lot of money from "bounced check" fees.

In a lot of the recent Internet scams, customers have even gone to a bank employee to ask if an item is good. After trusting the employee's expertise, the check was deposited and the funds were made "available." A few days later, the item was returned as fraud and the customer's account was "garnished."

And in all the cases I've heard of where this happened, the bank didn't accept any liability. Here's a post I wrote about this:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

The other day, I came upon an article by SmartPros, indicating that a "possibility exists" that check fraud will rise in the coming year.

According to SmartPros:
Identity theft trends in the next year may include an increase in check fraud, check synthesizing and check counterfeiting, according to The Identity Theft Resource Center, a nonprofit victim assistance center.
SmartPros story, here.

In case no one has been watching - check fraud appears to have been growing rapidly over the past several years. It's true that the bogus "financial paper" circulating isn't only checks; we are seeing a lot of counterfeit money orders, also.

Counterfeit cashier's checks and other bogus paper financial instruments (money orders, travelers and gift cheques) have been showing up in secret shopper, romance, lottery, work-at-home and auction scams at ever increasing rates. The situation seems to be getting worse as more and more people become Internet users.

In fact, eBay recently announced they will no longer offer any protection for paper financial instruments on their site.

And so far as the amount of them out there, there is evidence that bogus paper financial instruments are being produced on an industrial level:

Are Counterfeit Documents being Mass-Produced in Nigeria?

The Federal Deposit Insurance Corporation sends out alerts on all the counterfeit cashier's checks, which are pretty hard to keep up with. If you want to see what I mean, link here.

We read a lot about "DIY" (do-it-yourself) kits being sold to commit phishing and eBay fraud in shady Internet crime forums -- but in the case of checks -- DIY kits are openly sold in stores, and available on e-commerce sites.

In fact, there are a lot of "legitimate companies" selling all sorts of software, printers and even magnetic ink, which are capable of turning out some pretty convincing counterfeits. Throw in a computer, and it's not very difficult to start making checks.

To show all the "DIY check technology" for sale on the Internet, I ran a Google search, here. Of course, a lot of this (including the paper) can be bought at your local office supply store, also.

As with a lot of fraud, technology seems to be enabling the problem.

Although check fraud might continue to grow, there is little doubt that it's already a huge problem. BankersOnline did an article in 2002 stating:

About five years ago, U S NEWS and WORLD REPORT did the most in-depth study on this that we've had, and I've used their figures ever since. They probably are low by now. They said the financial institutions in the United States lose about $12 Billion a year in check fraud, and the retail industry loses a like amount. The total loss being $24 Billion as a result of check fraud. I think identity theft is getting a lot of publicity now - but it's been around for a long time. We just never gave it the designation of identity theft.

Since this report is now 5 years old and it is using figures that were 5 years old -- no one probably knows how much check fraud is really going on.

I guess until everyone comes up with some uniform standards, it's going to be impossible to determine how much check fraud is really out there.

BankersOnline article by Barbara Hurst, here.

A great resource on check fraud is the National Check Fraud Center. Their site provides a lot of expert information on check fraud and how to protect yourself from it.

Is check fraud on the rise? Despite the lack of statistics - my best guess is that it is!