Saturday, February 17, 2007

Why don't all the identity theft statistics say the same thing?

Consumer Affairs wrote an interesting article about all the recently released identity theft surveys.

Martin H. Bosworth reports:

The financial services industry, hoping to befuddle the new Congress, has been busily laying down a smokescreen claiming that identity theft is on the wane.

But the Federal Trade Commission's latest compilation of consumer complaints and a survey by the National Crime Prevention Council should do much to clear the air.

Martin's article, here.

Who should we believe, the government, or the financial services industry?

The civil servants behind the government surveys have no financial interest in all of this. On the other hand, the financial services industry have a huge financial interest. At least as long as they can still profit by writing all the losses off.

It's going to cost them some of their (hefty) profit margins to properly protect all the information they've been data-mining on all of us for decades. It also might force them to be more responsible when selling their products.

Interestingly enough, privacy and consumer advocates all seem to agree with the government.

Of course in any statistical analysis, there are a lot of unknowns. The Privacy Rights Clearinghouse regularly updates their statistics about how many people's personal information has been compromised in February, 2005.

They admit that their analysis might not be 100 percent accurate when they state:

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals. In reality, the number given below is much larger. For many of the breaches listed, the number of records is unknown.
It's also come to light recently that there is a flourishing market on the Internet, selling personal and financial information (wholesale), in underground chat-rooms.

This might support some of the data the Privacy Rights Clearinghouse has been compiling.

Of course, the people involved in this activity are unlikely to comment, or provide statistics of their own. I don't think it would be in their best interest to do so.

Doing so, might hurt their money flow, or cause them to lose their freedom.

The problem is that too many people have financial interests in what some of these surveys are selling to the public.

I think the Latin phrase, caveat lector (reader beware) certainly applies in this instance. I have a hard time believing what I read in some of this statistical analysis.

Thursday, February 15, 2007

Is Julie Amero (in reality) another victim of Internet crime?

Internet crime is a growing problem. Every week, we seem to read of large scale data breaches, and spam is filling up our inboxes, despite the spam filters designed to stop it.

The spam getting past these filters is often riddled with deceptive lures (links) to all sorts of porn sites. In turn, these sites often infect machines that aren't properly protected with adware, spyware, malware and even crimeware.

So far as properly protecting our machines, this can be a chore, also. It requires frequent updates, and new exploits are discovered all the time.

Sometimes even legitimate sites are hacked and people get infected just by surfing, or visiting (what they think) is a trusted site.

Criminals of all sorts, including those of an organized nature are getting involved in Internet crime. In fact, many believe the problem is growing because very few get caught, and even if they do, very little happens to them.

I was amazed when I got an e-mail from Alex Eckelberry (CEO Sunbelt Software) that a substitute teacher (Julie Amero) had been convicted for some porn that had shown up on a classroom computer.

A jury has already found her guilty and she could face up to 40 years in prison. Even worse, it appears the stress of the trial may have caused her to have a miscarriage.

Is her conviction a miscarriage of justice? Many computer experts (including Alex) seem to think so.

Alex writes a very convincing argument, where he states:
When I first read of the case, my reaction was how illogical it all sounded: A middle-aged, substitute female teacher accessing porn on a classroom computer, in front of her students on one particular day? It made no sense.
He's right, it doesn't make sense.

An article from the Norwich Bulletin stated that:

Computer expert W. Herbert Horner, testifying in Amero's defense, said he found spyware on the computer and an innocent hair styling Web site "that led to this pornographic loop that was out of control."
"If you try to get out of it, you're trapped, according to Horner."

Anyone, who has surfed the Internet knows there are a lot of malicious sites designed to lure people to click on them, using seemingly innocent lures.

She was also convicted on testimony that she must have had to physically click on the sites in question. According to Alex and other computer security experts, the pop-ups from these sites leave the same imprint as if they had been physically clicked on.

Alex wrote in the Norwich Bulletin:

The computer was also found to be riddled with spyware -- programs that generate popups and degrade system stability.

Spyware may or may not have played a direct part in this incident, but the fact it was on the system creates additional damning evidence of the state of this computer system. What is extraordinary is the prosecution admitted there was no search made for spyware -- an incredible blunder akin to not checking for fingerprints at a crime scene.

Alex also states that this was an old system, without adequate protection, despite the fact that federal law mandates that it should have been in place.

Julie, herself claims the website in question was accessed by students when she went to the restroom. When she noticed it, no matter what she did, more pop-ups would surface.

More on Herb Horner's analysis (courtesy of the Sunbelt blog), here.

In a criminal case, the standard is that a person should be found innocent if there is reasonable doubt. After reading about this case, it makes sense to me, that we have a lot of reasonable doubt that Julie is guilty.

At best, the investigation used to convict her seems to have been poorly researched, and therefore, flawed.

Porn is a big component of Internet crime, which according to a WebMD survey reaches a lot of children. This research was conducted by interviewing children, themselves.

Some of the children interviewed were the same age as the ones in Julie's class that day.

Survey, here.

So far as a connection to real (organized) crime, porn was allegedly one of the Gambino crime families biggest earners ($350 million).

Besides being unjust, going after Julie Amero, is a big waste of resources (taxpayer dollars) that could be put to better use.

Wednesday, February 14, 2007

Valentine's Day Virus moving quickly across the Internet

Sophos is reporting a nasty virus, which if downloaded, sends more e-mail to everyone in your address book.

They suspect that the worm opens a gateway, which will allow your computer to be turned into a zombie and be used to send more spam e-mails.

Here is a portion of the alert from Sophos:
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread worm posing as a St Valentine's Day greeting which is spreading fast across the internet

The W32/Dref-AB worm has been deliberately spread via email in readiness for office workers and home computer users to find the malicious Valentine email in their inbox first thing in the morning. Since midnight GMT the Dref-AB worm has accounted for 76.4% of all malware sighted at Sophos's global network of virus monitoring stations.

Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".
Sophos alert, here.

Spam is getting out of control and seems to be defeating spam filters (too often). Here is more evidence of this problem:

2006 was the Year of Internet Crime - 2007 is predicted to be even worse

Spoofed (counterfeit) BBB e-mails contains virus

If you get an e-mail from the Better Business Bureau stating you have received complaints don't click on the link to view them.

Annys Shinn (Washington Post) is reporting:

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

Washington Post article, here.

Wandering to the BBB site to see what they had to say, I found a little more information. Apparently, if you click on the link, it downloads an executable file, believed to contain a virus.

The BBB and others are calling this a phishing attempt, but in phishing the intent is normally to get the user to provide personal, and or financial information to the sender. Since this doesn't seem to be the case, and no one is saying exactly what the executable file (virus) is, this doesn't appear to be phishing.

It will be interesting to see exactly what this executable file does, but some computer viruses (crimeware and malware) download keyloggers, which log a person's keystrokes and are used to steal personal and financial information.

Other computer viruses might turn a computer into a zombie, which allows someone else to use it for their own purposes (sending spam or denial of service attacks). Zombie computers are formed into what is known as botnets (groups of zombie computers), which are used for illicit purposes by their "controller."

You can download a lot of nasty things by clicking on something from someone you don't know. And the people behind it like to spoof well known entities, such as the BBB. Organizations from eBay to the FBI have been spoofed in the past.

Example of spoofed e-mail from the BBB site:

From: operations@bbb.org [mailto:operations@bbb.org]
Sent: Tuesday, February 13, 2007 6:06 AM To: XXXX
Subject: BBB Case #263621205 - Complaint for XXXX

Dear Mr./Mrs. XXXX

You have received a complaint in regards to your business services. The complaint was filled by Mr. XXXX on 02/05/2007/

Use the link below to view the complaint details:

DOCUMENTS FOR CASE #263621205

Complaint Case Number: 263621205
Complaint Made by Consumer Mr. XXXX Complaint
Registered Against: Company XXXX
Date: 02/05/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

DOCUMENTS FOR CASE #263621205

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

Tuesday, February 13, 2007

Don't be lured with promises of something too good to be true when filing your taxes

Tax season brings with it all kinds of fraud. A lot of immoral sorts try to get someone to fall for something that's too good to be true. They get away with it because people are afraid of what they might owe, or they take advantage of what I call the "greed factor."

One thing is certain, if you fall for their promises, you're going to be left holding the bag. This means financial hardship (at a minimum) and could mean incarceration (jail).

I firmly believe that education is the best weapon against fraud. And the best places to educate yourself about tax fraud is none other than the IRS website, itself.

They keep a close eye on trends involving tax fraud and publish the information for free.

On February 7th, they published the 2007 "Dirty Dozen Tax Scams."

Here are the 12 most prevalent scams, according to the IRS:

1. Zero Wages. In this scam, new to the Dirty Dozen, a taxpayer attaches to his or her return either a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 that shows zero or little wages or other income. The taxpayer may include a statement indicating the taxpayer is rebutting information submitted to the IRS by the payer. An explanation on the Form 4852 may cite "statutory language behind IRC 3401 and 3121" or may include some reference to the paying company refusing to issue a corrected Form W-2 for fear of IRS retaliation. The Form 4852 or 1099 is usually attached to a “Zero Return.” (See number four below.)

2. Form 843 Tax Abatement. This scam, also new to the Dirty Dozen, rests on faulty interpretation of the Internal Revenue Code. It involves the filer requesting abatement of previously assessed tax using Form 843. Many using this scam have not previously filed tax returns and the tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses the Form 843 to list reasons for the request. Often, one of the reasons is: "Failed to properly compute and/or calculate IRC Sec 83––Property Transferred in Connection with Performance of Service."

3. Phishing. Phishing is a technique used by identity thieves to acquire personal financial data in order to gain access to the financial accounts of unsuspecting consumers, run up charges on their credit cards or apply for new loans in their names. These Internet-based criminals pose as representatives of a financial institution and send out fictitious e-mail correspondence in an attempt to trick consumers into disclosing private information. Sometimes scammers pose as the IRS itself. In recent months, some taxpayers have received e-mails that appear to come from the IRS. A typical e-mail notifies a taxpayer of an outstanding refund and urges the taxpayer to click on a hyperlink and visit an official-looking Web site. The Web site then solicits a social security and credit card number. In a variation of this scheme, criminals have used e-mail to announce to unsuspecting taxpayers they are “under audit” and could make things right by divulging selected private financial information. Taxpayers should take note: The IRS does not use e-mail to initiate contact with taxpayers about issues related to their accounts. If a taxpayer has any doubt whether a contact from the IRS is authentic, the taxpayer should call 1-800-829-1040 to confirm it.

4. Zero Return. Promoters instruct taxpayers to enter all zeros on their federal income tax filings. In a twist on this scheme, filers enter zero income, report their withholding and then write “nunc pro tunc”–– Latin for “now for then”––on the return. They often also do this with amended returns in the hope the IRS will disregard the original return in which they reported wages and other income.

5. Trust Misuse. For years unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits, and the IRS is actively examining these arrangements. There are currently more than 200 active investigations underway and three dozen injunctions have been obtained against promoters since 2001. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

6. Frivolous Arguments. Promoters have been known to make the following outlandish claims: the Sixteenth Amendment concerning congressional power to lay and collect income taxes was never ratified; wages are not income; filing a return and paying taxes are merely voluntary; and being required to file Form 1040 violates the Fifth Amendment right against self-incrimination or the Fourth Amendment right to privacy. Don’t believe these or other similar claims. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.

7. Return Preparer Fraud. Dishonest return preparers can cause many headaches for taxpayers who fall victim to their schemes. Such preparers derive financial gain by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Taxpayers should choose carefully when hiring a tax preparer. As the old saying goes, “If it sounds too good to be true, it probably is.” And remember, no matter who prepares the return, the taxpayer is ultimately responsible for its accuracy. Since 2002, the courts have issued injunctions ordering dozens of individuals to cease preparing returns, and the Department of Justice has filed complaints against dozens of others. During fiscal year 2005, more than 110 tax return preparers were convicted of tax crimes.

8. Credit Counseling Agencies. Taxpayers should be careful with credit counseling organizations that claim they can fix credit ratings, push debt payment plans or impose high set-up fees or monthly service charges that may add to existing debt. The IRS Tax Exempt and Government Entities Division is in the process of revoking the tax-exempt status of numerous credit counseling organizations that operated under the guise of educating financially distressed consumers with debt problems while charging debtors large fees and providing little or no counseling.

9. Abuse of Charitable Organizations and Deductions. The IRS has observed increased use of tax-exempt organizations to improperly shield income or assets from taxation. This can occur, for example, when a taxpayer moves assets or income to a tax-exempt supporting organization or donor-advised fund but maintains control over the assets or income, thereby obtaining a tax deduction without transferring a commensurate benefit to charity. A “contribution” of a historic facade easement to a tax-exempt conservation organization is another example. In many cases, local historic preservation laws already prohibit alteration of the home’s facade, making the contributed easement superfluous. Even if the facade could be altered, the deduction claimed for the easement contribution may far exceed the easement’s impact on the value of the property.

10. Offshore Transactions. Despite a crackdown by the IRS and state tax agencies, individuals continue to try to avoid U.S. taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance to do so. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions. During fiscal 2005, 68 individuals were convicted on charges of promotion and use of abusive tax schemes designed to evade taxes.

11. Employment Tax Evasion. The IRS has seen a number of illegal schemes that instruct employers not to withhold federal income tax or other employment taxes from wages paid to their employees. Such advice is based on an incorrect interpretation of Section 861 and other parts of the tax law and has been refuted in court. Lately, the IRS has seen an increase in activity in the area of “double-dip” parking and medical reimbursement issues. In recent years, the courts have issued injunctions against more than a dozen persons ordering them to stop promoting the scheme. During fiscal 2005, more than 50 individuals were sentenced to an average of 30 months in prison for employment tax evasion. Employer participants can also be held responsible for back payments of employment taxes, plus penalties and interest. It is worth noting that employees who have nothing withheld from their wages are still responsible for payment of their personal taxes.

12. “No Gain” Deduction. Filers attempt to eliminate their entire adjusted gross income (AGI) by deducting it on Schedule A. The filer lists his or her AGI under the Schedule A section labeled “Other Miscellaneous Deductions” and attaches a statement to the return that refers to court documents and includes the words “No Gain Realized.”

Two items fell off the list this year:
Two noteworthy scams have dropped off the “Dirty Dozen” this year: “claim of right” and “corporation sole.” IRS personnel have noticed less activity in these scams over the past year following court cases against a number of
promoters.

Dirty Dozen press release, here.

If you are a victim of one of these scams, you can report it, here.

Notably, they mention that reporting a scam might qualify you for a reward, but reporting one of these scams might (also) prevent someone else from becoming victimized.

There is also a lot of other free information and tools to do your taxes on the main IRS website, here.

Monday, February 12, 2007

Trooper discovers a lot of counterfeit instruments used to commit identity theft/financial fraud

I recently did two posts:

Is tracking fraudulent refund information effective and could it be putting people at risk of becoming an identity theft victim?

Paper weapons (counterfeit documents) enable more serious crimes than illegal immigration and identity theft

I wrote both of these to show how easy criminals seem to be getting around existing systems designed to stop them.

Here is a rather obscure story that illustrates how widespread counterfeit identification and the use of other people's identities to commit crime might be.

Santiago Esparza of the Detroit News reports:

Troopers with the Michigan State Police Richmond Post stopped a man and a woman on eastbound Interstate 94 near Joy Road and discovered much more than two people not wearing seat belts.

The troopers found dozens of driver's licenses, social security cards, credit cards, debit cards and check cards. The troopers also found checks, check registers and other items that could be used to purchase items with fake identification, according to a Michigan State Police press release issued today.

Santiago's story, here.

I doubt if the two people were using their own identities to purchase, or return merchandise. IT also doesn't look like they had a problem getting a lot of other people's information to use for illicit purposes.

Sunday, February 11, 2007

Information Week exposes the Internet Underworld

With the TJX data breach fresh in the news, Larry Greenemeier and J. Nicholas Hoover (Information Week) have written one of the most informative articles to date on the hacker underworld.

They are warning us that:

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.

The article covers the mysterious carder forums - where other people's financial information is bought and sold and how the information is paid for (wire transfer, PayPal, e-gold). It also shows how they avoid detection by anti-money laundering laws by what is know as "layering" (splitting up large sums into smaller ones).

There is also interesting information about the shady world where malware (crimeware) is being produced to steal the data.

Information Week article, here.

In case you were interested, here is how much (roughly) this information is being sold for:

The Black Market

$980-$4,900
Trojan program to steal online account information

$490
Credit card number with PIN

$78-$294
Billing data, including account number, address, Social Security number, home address, and birth date

$147
Driver's license

$147
Birth certificate

$98
Social Security card

$6-$24
Credit card number with security code and expiration date

$6PayPal
account logon and password

Data: Trend Micro

The conclusion of the article isn't new, which is that the business world needs to protect it's data better and law enforcement faces obstacles in going after borderless crimes. Until laws are enacted, which allow the problem to be solved, it will likely flourish and grow.

Blaming FEMA for the fraud in Katrina isn't going to solve the problem

There is no doubt about it - the Katrina and Rita debacle - was NOT a shining moment in our nation's history. Fifteen months later as New Orleans prepares to celebrate "Fat Tuesday" (Mardi Gras), more allegations of fraud and mismanagement are coming to light.

Two reporters (Michelle Roberts and Frank Bass) of the AP wrote an interesting article about how FEMA now wants $300 million back in claims paid for households that didn't exist, according to official pre-hurricane census figures.

Even more interesting is that they did their own analysis using the federal Freedom of Information Act, which deducts that a lot more than $300 million might come out in the wash before all is said and done.

Here is what they said in their article:
But an Associated Press analysis of government data obtained under the federal Freedom of Information Act suggests the government might not have been careful enough with its checkbook as it gave out nearly $5.3 billion in aid to storm victims. The analysis found the government regularly gave money to more homes in some neighborhoods than the number of homes that actually existed.

The pattern was repeated in nearly 100 neighborhoods damaged by the hurricanes. At least 162,750 homes that didn't exist before the storms may have received a total of more than $1 billion in improper or illegal payments, the AP found.

Full story (ABC news version), here.

While there is no doubt a big problem exists, we need to put the overall issues in perspective and I'm not sure FEMA is entirely to blame.

David Garratt, FEMA's deputy director is saying that officials were in a "no win" situation. And while, I'm not here to defend FEMA, he probably has a valid point.

When the federal government got involved, fraud artists from all over the world were setting their sights on what they saw as a "lucrative opportunity."

A lot of the fraud that occurred didn't necessarily come from the areas affected by the hurricane.

Couple this, with a lot of pressure to right all the initial blunders in the disaster, which most of us were watching "live," and mistakes were made.

Sadly enough, fraud prevention systems in place, were deemed to cumbersome and disabled. Again, there was a lot of pressure (rightfully so) to take swift action to help a lot of people, who were in harm's way.

We can blame FEMA all we want, but the fact is that fraud is growing at a rapid rate, and the federal government isn't the only one with inadequate fraud prevention systems.

For example, in Southern California (pretty far from Louisiana), there was another interesting article about the taxpayers footing a $1.5 billion a year bill for fraud, here.

And while there seems to be a lot of government fraud, fraud in the private sector is growing by leaps and bounds, also. There is no doubt that identity theft (another growing problem) helped fuel the fraud in the hurricane disasters.

There is a lot of evidence to suggest that much of this fraud is enabled by information that has been data-mined on all of us, which isn't protected very well. Some suggest that technology and the information sector, which make a lot of money selling their wares are the root cause of all of this.

Unfortunately, those committing fraud are too keenly aware of this.

Blaming FEMA is unlikely to correct the overall problem. And if their fraud prevention systems were inadequate, perhaps we should be looking at who sold them the faulty systems?

Perhaps, when history is written, the Katrina disaster is a warning of the looming disaster we all face if we don't stop viewing fraud as a "victimless crime."

Fifteen months later (as Mari Gras approaches), there are still a lot of people suffering from the hurricane disasters.

If you would like to learn more about this, Margaret Saizan's site (Beyond Katrina) is a great resource.

I wonder how much good the money would have done for the true victims if it hadn't been stolen from underneath them?