Saturday, March 10, 2007

Mike Rothman's book on being an effective CSO


Mike Rothman (CSO type and blogger) is now a published author in his own write.

What I like about his blog (in Security Incite) is that it takes a balanced approach to computer security (protecting information). His blog considers the technological as well as the social aspects of protecting information.

In my opinion, he takes a balanced (holistic) approach to increasingly important issues surrounding protecting information.
In Mike's own words (from Security Incite):

It is with great pleasure that I announce the availability of The Pragmatic CSO: 12 Steps to Being a Security Master. It's been an interesting process and I learned a lot. I'm sure you will be pleased with the outcome.

With protecting information becoming a huge issue, the fact that Mike approaches the problem via a learning process says a lot. Issues with protecting information change (sometimes daily).

This book is well worth a look, not just for CSO types; it might be a valuable tool for anyone who considers information a valuable asset.

Link to information on Mike's new book, here.

Friday, March 09, 2007

What a sanctuary city (Los Angeles) thinks of BofA and their no SSN credit-card product

Just read an interesting article from the Los Angeles Business, which indicates that 74 percent of the respondents in an informal poll are against Bank of America's "no SSN needed" credit-card product.

Pretty interesting since in Los Angeles, even the LAPD (Los Angeles Police Department) can't ask if someone is there legally, or not.

A lot of people seem to be upset that this financial product will help enable illegal immigration and make it (easier) to commit identity theft and credit card fraud.

Criminals and a lot of illegal aliens are already using other people's social security numbers. Obtaining a fake SSN is no problem in Los Angeles, or just about any other area in the United States.

A lot of illegal aliens pay for the credit they get with other people's identities. After they assume and probably (pay for) a good identity, it isn't prudent to invite negative attention.

As far as illegal immigration goes, Bank of America isn't the only company enabling it. In fact, they are merely going after a market segment that has no problem finding employment.

Even if fraud does go up, I doubt Bank of America is planning to lose any money off this product. High interest rates and a hefty fee structure can cover a lot of fraud write-off.

With that thought in mind, is Bank of America taking advantage of the very people they claim to be helping?

Just this week, Congressional hearings were held about credit card companies taking unfair advantage of the public with the interest rates and fees they already have in place.

USA Today has an interesting editorial about the hearings entitled "When interest rates hit 32%, there ought to be a law."

As for the fraud aspect, there are many who think part of the problem is that the industry has been issuing credit somewhat irresponsibly. This makes it pretty easy to commit credit-card fraud.

Another big story this week is the Visa summit, where the payment card industry is meeting to discuss fraud issues. Perhaps, high interest rates and hidden fees aren't covering fraud losses as well as they used to?

Recently, merchants and credit issuers have been arguing about who should be responsible for eating the costs in data breaches. All is not well within the industry itself.

I'm not sure how much all these events tie in together, but maybe someone should start listening to the honest customers?

After all, when all is said and done, honest customers end up paying for all the fraud, as well as the salaries of those selling these financial products.

Maybe what we really need to do is figure out why credit card fraud and identity theft are so easy to commit. Hopefully, the Visa summit will be a forum that will inspire some good ideas (and commitments) that can be put into practical use.

Interesting comments from readers (potential customers) courtesy of the Los Angeles Business, here.

Thursday, March 08, 2007

Nigerian (419) fraud is a worldwide problem

Nigerian (419) fraud is showing an alarming increase in India (900 percent) in one year. Pramit Pal Chaudhuri of the Hindustan Times is reporting:

The world's most widespread financial fraud, the Nigerian 419 scam, is finding new pastures in Asia. India is the third fastest growing market with the defrauders' earnings from Indians increasing nine-fold in one year, says a report by the Dutch firm Ultrascan Advanced Global Investigations.

Almost every cellphone and email user has been solicited by a 419 con man. The best-known ploy is a message claiming there are unclaimed fortunes in banks that can be accessed if someone puts up a little money upfront.

Pramit quoted some interesting figures in his article suggesting the worldwide bill for this type of fraud is $3.88 billion.

Pramit's (interesting) story, here.

Pramit cites intelligence from the Dutch firm Ultrascan Advanced Global Investigations. They have a lot of interesting facts about Nigerian fraud, here.

In October (2005), I did a post exploring how some rationalize this activity in Nigeria:

419 From the Other Side of the Fence

The post references a Nigerian pop singer (Osofia) and a song he did about the infamous scam:

"I go chop your dollar"

Perhaps, Osofia should update his song to include all the other currencies being chopped?

FBI alerts the public about a growing trend in mortgage fraud

According to the FBI, mortgage fraud is a growing issue. To back this up, they are saying:

Mortgage Fraud Suspicious Activity Reports (SARs) referred to law enforcement by financial institutions increased from 17,127 SARs in Fiscal Year 2004 to 35,617 SARs in Fiscal Year 2006, reflecting estimated losses of $946 million. FBI Mortgage Fraud investigations have focused on large-scale frauds perpetrated by organized crime and industry insiders, including attorneys, brokers, appraisers, and realtors. Since September 2002, the number and types of investigations have increased from 436 to 1,036. Of these current cases, 51% involve expected losses in excess of $1 million, and 57% involve our federally insured financial institutions as victims.

Full alert (courtesy of the FBI), here.

Here is a file, with a poster about mortgage fraud (also courtesy of the FBI), here.

If you know about any mortgage fraud, or other crime that the FBI investigates - report it online, here.

Mortgage fraud doesn't only hurt financial institutions; the words identity theft and mortgage fraud are frequently showing up in the same cases.

Here is a post I wrote in January about this growing phenomenon.

Tuesday, March 06, 2007

Ruby Tuesday serves a blow to credit card skimmers

Ruby Tuesday is doing something about credit card fraud. They announced yesterday that they will be introducing an ultra-secure (encrypted) credit card system to protect their customers from fraud.

The AP is reporting:

The system, which is expected to be in all the restaurant chain's 900 locations by April, leaves no credit card information at the restaurant and is instead sent to the bank in encrypted form. The system is said to help prevent identity theft.

Criminals (some say of the organized type) have been targeting a lot of unprotected information recently. Some of this information is bartered in underground chat rooms set up for this purpose.

Of note, Visa International commented that the new system is fully compliant with PCI data protection standards.

AP story, here.

If you would like to see the sheer volume of recent data breaches, Attrition.org has a chronology, here.

If you would like to see how easy it is for your payment card information to get skimmed at a restaurant - you can view an interesting video, here.

Sunday, March 04, 2007

It pays to be observant when paying with your credit card

Dishonest employees at your local restaurant or store might be making a little spending money selling your card information. Leaving your card unattended (even for a couple of seconds) can make you a victim.

An interesting video on YouTube (posted by kamranakhtar) shows why.

YouTube video, here.

This video was first shown on the TechEBlog, as far as I can tell.

Organized retail criminals sell their ill-gotten proceeds in many places

Organized retail crime is becoming a "buzz word" within the retail security industry. Because of this fact, many large retailers employ dedicated specialists to deal with the issue.

Some estimates (RILA) reflect that this could be a $34 billion a year problem.

I've seen a lot of recent stories about merchandise being fenced on auction sites. Although this is a big problem, stolen goods are also fenced in other places.

WKYC news (Ohio) is reporting that 19 homes and businesses were recently raided, illustrating how organized some of this activity can be.

Very interesting video, here.

The Washington Post did an interesting article about organized retail crime in 2005, here.

It noted that federal law enforcement is getting involved in the prosecution of these cases because of their impact, and (probably) the fact that they frequently cross state lines.

RILA (The Retail Industry Leaders Association) proposed changes to Congress to deal with the problem, here.

Of note, they quote the FBI as saying that organized retail crime is funding terrorist organizations.

Another problem (the FBI calls out) is when outdated medicine and items such as baby formula are repackaged and sold as new.

This could pose significant health risks to those who purchase these stolen items.

Besides the fact that we all pay for this with our hard-earned money (higher prices), our safety is also being compromised by these criminals.

Should recent prosecutions for fraud in Katrina remind us of something?

Bruce Alpert of the Times Picayune did an excellent article about a lot of recent prosecutions for fraud in the aftermath of the hurricane disasters.

One woman, LaWanda Williams, collected $267,377.15 in an identity theft scheme using several other people's information.

I wonder if any of the people (who had their information stolen) were denied benefits, as a result of LaWanda's activities?

And LaWanda is just one example of people's greed. FEMA and Army Corps of Engineers officials, Red Cross employees and many others took advantage of the situation.

In fact, fraud was being committed as far away as California, where 71 cases have been documented.

Bruce Alpert's article, here.

Bruce's article points out that this isn't the first time fraud occurred after a disaster. Similar fraudulent claims occurred after 9-11 and the Tsunami disaster.

The money lost to fraud is a symptom of the larger problem, which was a disaster preparedness system that failed. The resulting confusion enabled a lot of fraud to occur, and probably made it too easy to commit.

I doubt any of the people now being prosecuted thought they were going to be caught.

As the old saying goes - "an ounce of prevention is worth a pound of cure." Our focus needs to be towards preventing this from happening again.

If you would like to learn more about the hurricane disaster - and how people are still being "cured" two years after the fact - Beyond Katrina has a lot of information on the subject.