Saturday, March 24, 2007

FBI is going after Internet crime in Russia and Romania

A lot of experts believe that carder forums (selling stolen personal and financial details) are run overseas by Romanian and Russian organized crime.

Nate Anderson (ars technica) wrote an interesting article about this, where he said:

One American in Virginia, who goes by the Internet nick "John Dillinger," agreed to cooperate with "vendors" from Eastern Europe. These groups "acquired" credit card numbers, then sent them by e-mail and instant message to Dillinger, who then encoded them onto credit cards. He then took these credit cards to ATMs and made cash withdrawals; a percentage of the money was then sent back to the "vendor" and Dillinger kept the rest. Dillinger was eventually busted by the feds, though, and was sentenced in February 2007 to 94 months in jail.

This is a good example of how the Internet is enabling a global identity theft crisis.

Apparently, the problem is big enough for the FBI to send assets to Romania and Russia to go after the problem.

Of course, since most of the stolen information comes from the West, I guess that it means the Russians and Romanians are sending assets abroad or recruiting them there, also.

Nate's article, here.

In the past few days, 6 arrests in Florida are being tied into the TJX data breach (which might be the largest known compromise) to date.

Although, no one seems to be saying for sure, I doubt the six arrested are the main players in the TJX breach. They probably purchased the information, elsewhere.

The total damage being reported in the Florida case is $8 million. The case was identified when the perps made some (extremely) large gift card purchases.

Maybe that's why they got caught, or they got (slightly) greedy?

IT also probably isn't entirely fair to keep publishing the TJX breach. Personal and financial details have been stolen from a LOT of places. The known places can be viewed at, here.

This is a global problem and it's going to take a global effort to put a stop to it!

Thursday, March 22, 2007

SIRAS – Smart technology that protects profit and privacy

Organized retail crime, according to RILA (Retail Industry Leaders Association), is a $34 billion a year problem. A study at the University of Florida conducted by Dr. Richard Hollinger suggests that 9 percent of all refund activity or $16 billion is fraudulent.

At most merchants today, refunds are tracked with personal information. While this was effective 10 years ago, the information in the current databases might not be as accurate as it once was.

Personal and financial information is stolen and sold in a lot of places, most notably over the Internet. A perfect example is the recent compromise of consumer data at TJX stores. This information is turned into fraudulent identification and financial instruments and sold to criminals.

It is likely that criminals can assume multiple identities, using other people’s information to refund merchandise. In fact, payment (credit/debit) card and bad check fraudsters already demonstrate this ability on a daily basis.

With the negative publicity surrounding data breaches and identity theft, honest customers are nervous when asked to surrender their personal details. Recently, privacy groups and Senator Chuck Schumer have been openly critical of current systems, which gather personal information.
A company named SIRAS provides a means to protect an organization’s bottom line and their customer information, also. The way they do it is so simple, it’s brilliant. Instead of tracking personal information, SIRAS tracks the merchandise, itself.

The SIRAS system captures the UPC and serial number of a product at the point-of-sale and creates an electronic receipt. This enables a merchant to determine exactly when and where it was sold AND how it was paid for.

SIRAS can tell when the merchandise was never purchased (stolen), or if it was purchased at another retailer. It also can identify counterfeit merchandise, price switching and altered/counterfeit receipts. Because it ties into a sales transaction, the system could also identify fraudulent forms of payment used to purchase the merchandise, or if the item has been a chargeback issue.

SIRAS makes it pretty hard do a fraudulent refund. Getting series of numbers to match can be extremely difficult, if not almost, impossible.

The data is compiled into customized reporting tools, which can be leveraged to determine risk factors when merchandising products. These tools also have extremely useful applications from an intelligence (analysis) and investigation perspective.

Besides organized retail crime, the largest losses suffered by merchants are caused by internal theft. Fraudulent refunds, “sweetheart returns,” enable dishonest employees to steal cash, or issue credit to payment cards. Like their external counterpart, internal criminals now have to use personal information to prompt a point-of-sale system to issue a refund. Again, this information (which might not be accurate) corrupts a lot of the current databases.

Dishonest employees are going to have a hard time being able to match UPC/serial number to a legitimate sale. This will prevent employees from attempting to commit refund fraud, and should they decide to do so, the custom reporting tools (when used properly) would identify the culprits, with ease.

SIRAS can track and identify retail theft a long way past the refund counter. With its unique ability to track merchandise to a sale, SIRAS can be used to identify merchandise sold in fencing operations (and more likely) via Internet auctions.

In fact, SIRAS has been used to help prove criminal cases, or to obtain search warrants by law enforcement.

The system can also be used to identify counterfeit goods, wherever they might be appear for sale.

Other benefits include being able to better manager warranty programs and in the case of call centers (crucial in e-commerce), it provides their employees with direct access to the original purchase information.

An effective merchandising application, I noted was the ability (via analysis) to identify products that have a high rate of being defect rate, or that aren’t as easy to use, as advertised.

SIRAS has applications that go far beyond fraud at the refund counter.

The system is easily incorporated with patented technology into current point of sale systems and employee training is minimal. Being that it replaces many labor intensive tasks, payroll can be better spent in other areas.

SIRAS applications are beneficial not only to manufacturers and traditional retailers, but the system is equally effective in e-commerce applications.

This technology is already being used by several major retailers and manufacturers. You can view a list of them on their website (listed below).

With privacy becoming a bigger issue all the time, SIRAS provides a smart way to protect assets and not expose customer information. SIRAS makes it harder to commit fraud in a retail environment, while making it easier (customer friendly) to return an item without a paper receipt.

More information about SIRAS and who uses their services can be viewed at:
CNET's story about the TJX data breach can be viewed, here.

Wednesday, March 21, 2007

(Update: TJX data confirmed as used in Florida Case) Is the information being sold in carder forums being used in organized retail crime?

Underground carder forums (selling personal and financial information) are making it too easy to commit financial crimes. Symantec released a report showing that a credit-card number (with verification number) is sold for as little as $1 to $6. Complete information to take over an identity (government ID, social security number, bank account number, date of birth, etc.) costs about $14 to $18.

Here is an example of how this stolen information might be used by criminals. I happened to run across a good example of this in the News-Press (Southwest Florida):
Six people suspected of using stolen credit cards to purchase an estimated $8 million in WAL-MART and Sam’s Club gift cards were arrested in by Gainesville Police in a four-month ongoing investigation, according to a report released Monday by the Florida Department of Law Enforcement.
The bogus credit-cards were being used to purchase high-end electronic merchandise and gift cards.

News-Press story, here.

*Update (3/23/07): An article from InfoWorld is stating that the data used in this scheme is part of the TJX data breach. InfoWorld story, here. It still isn't clear how the culprits obtained the information, or how they, had the information made into counterfeit instruments.

Symantec's report covers all the different methods information is being stolen. One of the more common methods is referred to as phishing. This normally happens when a person clicks on a link from a spam e-mail sending them to a fake site (requesting personal information).

Note that sometimes the fake sites only ask for your personal and financial details (referred to as social-engineering), but more and more, computers are infected with malware when someone is tricked into clicking on a link they shouldn't have.

Malware records people's personal details (automatically) and sends them back to the scammers.

Symantec's press release on their report, here.

If you are wondering why the retail crooks were buying gift cards. Here is a previous post, I did on that subject:

Why Buying Gift Cards on Auction Sites isn't a Good Idea

Sunday, March 18, 2007

PIN pads replaced at Wendys to steal payment card details

More payment cards have been skimmed (financial details hijacked) as a result of PIN pads being replaced. This time the breach occurred at a Wendys in a busy part of Edmonton, Canada.

A "Bluetooth" device was used in the phony PIN pads to transmit all the card details, using a wireless connection.

The fraud was discovered when a large number of Edmonton cards started showing up with unusual activity in Montreal.

According to the Edmonton Police, about 400 cards have been identified as having been compromised and used (cloned), but there could be more. They also stated that they don't believe there was employee involvement in the scheme.

One person was arrested in Montreal, but the authorities are saying they don't believe this person was a "major player."

This activity is probably being accomplished with a device known as a point-of-sale (POS) data logger. The stated legitimate purpose of this device (found on a webpage called is to back up data in case of a power failure. It even advertises that it will capture PIN numbers when they are entered on a keypad.

The advertising jargon for this particular device states:
Once the data is logged, the device can be EASILY AND QUICKLY removed (takes about 2 seconds for installation or removal) from the store POS machine and plugged into another computer where you can download and save the data.
Hackers Homepage (who claims they are the only ones selling these devices) offers them for $395 each. IF you buy 100 of them, they will sell them to you for $9,999 (a savings of $30,000 off retail).

I'm amazed that these devices are for sale right over the Internet. Maybe someone in law enforcement will read this and do a little checking on this e-commerce enterprise.

Recently in Rhode Island (United States), a similar scheme was uncovered at Stop and Shop stores. Four males from California were eventually arrested after being spotted by employees tampering with a PIN pad.

Edmonton Police press release, here.

Here is my previous post on the Rhode Island scheme:

Could the arrests in the Stop and Shop data breach indicate a tie to Armenian Mobsters?