Saturday, April 28, 2007

While everyone sues TJX, the criminals are laughing all the way to the bank

Here is a great example of why there is so much identity theft. In Ontario, a man and his wife went right back committing identity theft, while on bail for running a payment card (debit/credit card) skimming operation. As you will see, they were by no means, small operators.

From newsregiondurham.com, Jeff Mitchell reports:

Hundreds of new charges have been laid against a fraud suspect and his wife after Durham cops busted the two as they allegedly broke his bail conditions.

Police say they found evidence of widespread fraud when they searched the King City home of the man, arrested here last fall in connection with a credit and debit card skimming operation at a north Oshawa gas bar.

One fraud investigator said lists of debit and credit card numbers found in the home amounted to "an encyclopedia" of apparently stolen data.

Here is what they got caught with, while on bail for victimizing (probably) thousands of people:

During the arrest both occupants of the car were found to have counterfeit credit cards in their possession, police said. A subsequent search of their home resulted in the seizure of credit card writing equipment, 200 phoney credit cards and hundreds of pages of credit and debit card data, police said.

Police also seized the BMW, claiming it's proceeds of crime.

I guess no one figured out the BMW was paid for by theft, the first time around?

And meanwhile, lawyers and the banking industry are organizing law suits against TJX for their recent data breach.

Unless, we start making it dangerous for the criminals to commit financial crimes, the problem will keep growing!

While a lot of people focus on civil remedies, the criminals are laughing all the way to the bank. After all, they aren't being sued. AND the sad truth is that not very many of them are being caught.

The costs of litigation and fraud are both normally passed on to the consumer. Simple economics dictates that if they were not, the business would cease to exist. The fact that the banking industry (which could also be criticized for enabling some of this problem) is behind some of this litigation, bothers me!

Someone once said, "it isn't wise to throw stones when you live in a glass house."

Maybe I should do a few posts about how the banking industry makes it too easy to commit some of these crimes? For starters, we could discuss how easy it has become to counterfeit their payment devices, which is how the information is being turned into cash (what the criminals are after). We could also discuss how little they do to verify information, when issuing a credit card and all the unsolicited offers for credit (which are routinely stolen) out of the mail.

Thinking of that, I did a post about how easily criminals can manipulate this:

Ever wonder how well you are protected from credit card fraud?

Another thing to consider is that merchants already bear a lot of the cost of fraud becaue of chargebacks. This is where the bank charges back the fraud to the merchant. Many merchants feel strongly that they are already bearing the brunt of paying for all the fraud because of this practice.

For more information on this subject, visit Merchant911.org, here.

There is no doubt that the true victims of identity theft deserve compensation, but to me some of this litigation is designed (my emphasis) to pass the buck. As I stated earlier, when the buck is passed, it gets charged to the consumer (in the end), anyway.

When is someone going to start addressing the real problem? The facts are that it's too easy to commit payment card fraud, not very many criminals are getting caught, and when they are -- the consequences are pretty minimal.

Full story from newregiondurham.com (about the crooks out committing crime on bail), here.

Wednesday, April 25, 2007

President's Identity Theft Task Force issues recommendations


The Identity Theft Task Force has issued the formal recommendations they've been putting together since May, 2006. The recommendations include feedback solicited from the general public.

The final report is comprehensive -- identifying all the issues that have made identity theft and the financial crimes that result from it -- a major concern in the public eye.

The report does (slightly) downplay the problem of data-breaches, noting no significant increase in financial crimes and identity theft from them. I'm not sure, I completely agree with this, but other's could probably argue this point with me. Despite this, it does make a lot of great recommendations on how to limit our exposure to the problem.

In all fairness, it's very difficult, if not impossible, to identify the original point of compromise in an identity theft case. In most cases, the best guess rule applies. With information being sold over the Internet, the criminal using the information probably isn't sure where it came from originally, either. And even if they were to tell us, most of them can't be considered 100 percent credible.

Underground carder forums seem to be selling personal and financial information, too inexpensively. This phenomenon ties the less sophisticated identity thieves with those of a more sophisticated (organized) nature. Given this, the problem has the ability to expand, rapidly.

As there is more demand, we might see more information being used in all sorts of crimes and Internet access is growing, rapidly.

Congress considered several bills on data breaches in their last session, but failed to pass any of them. Protecting against data breaches is going to be an expensive proposition and my guess is that there is a lot of lobbying going on by the organizations that will ultimately pay for protecting the information better.

The report calls for stricter laws and more aggressive enforcement, which is something that should be taken seriously. In my opinion, a large part of the problem is that identity theft is too easy to commit, extremely profitable, and consequences are minimal, if caught.

Also called for is more cooperation of an International nature, which is going to be a key part of any resolution to what is rapidly becoming a global problem.

The full report can be seen, here.

The Task Force's homepage, which has more good information, can be seen, here.

FEMA declares they are becoming stronger after realizing how much money was wasted in the hurricane disasters!

Hope Yen at the AP has written an article based on a report by the Inspector General at Homeland Security that $3.6 billion in contracts were awarded to companies with ties to the Republican Party rather than to local companies, impacted by the Katrina/Rita hurricanes.

She quotes Senator Dorgan, who requested the audit, as saying:

"This confirms what we already knew about FEMA — there was a staggering level of incompetence, and the victims of Katrina, as well as taxpayers, are taking it on the chin," Sen. Byron Dorgan (news, bio, voting record), D-N.D., who requested the audit, said Monday.

Dorgan, who chairs the Democratic Policy Committee, said that it was ironic that the new contracts were aimed at helping small businesses in the region get back on their
feet, but instead "some very big interests got some very lucrative contracts."

"There are a lot of things wrong with this, so this report should be a warning signal to Homeland Security and FEMA," he said.


Government investigators already estimate over $1 billion in losses due to waste.

FEMA's response was:
In response, FEMA in the report disagreed that the wide price variations put taxpayers at risk. The agency contended that it was comfortable with bidders' financial viability based in part on past performance. In cases where contract prices appeared unreasonably high, those would be offset with lower payments later on subsequent work orders, FEMA officials said.

FEMA spokesman Aaron Walker said Monday that the agency welcomed the audit's findings and was working hard on improvements to better perform its duties "while being a conscientious steward of taxpayer dollars." He said that FEMA contracting officers did a "remarkable job" given their short time frame.

The audit will assist in making "the new FEMA stronger, more flexible and cost-effective," Walker said in a statement.

Full AP story with links to the Homeland Security report, here.

Both sides can argue, but one thing is apparent, which is we probably could have done a lot more for the victims with the resources we spent!

If mistakes like this ($1 billion and counting) were made at a private organization, do you think the people making them would still be employed?

Probably, not very likely! Perhaps, I could get "the Donald" to comment, but that's not very likely, either.

The political climate on wasted government money is heating up. Recently, I blogged about $2 billion, allegedly wasted by a company (recently sold off by Halliburton) called KBR:

The case of an alleged $2 billion government contract fraud/abuse in Iraq/Afghanistan

In this case, it appears that we could have better served those, who are serving US!

Sunday, April 22, 2007

Why it's become TOO easy for restaurant workers to skim payment cards

We seem to be seeing a record amount of credit/debit (payment) card fraud recently. The latest is a $3 million scheme -- where restaurant servers were recruited to steal their customer's financial information -- using portable skimming devices, which seem to be easily purchased over the Internet.

Samuel Maull of the Associated Press is reporting:

Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.

The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well eateries in Florida, New Hampshire, New Jersey and Connecticut.

Full AP story, courtesy of the Washington Post, here.

The Manhattan DA's site has a lot more information on this case, which reveals most of the defendants appear to have worked in Asian restaurants, were extremely organized and traveled the country buying high-end electronics.

The DA press release shows how they were turning the stolen merchandise into cash, which is the goal of most of these criminals:

THOMAS JUNG, JOON HEE KIM, JUN SHOJI, RICHARD LEE, JENG SEAK LEE, PHIL ANG, ALEX KIM and others in small groups to areas within and outside of New York State to purchase high-end electronics merchandise – such as laptop computers, Sony Play Stations, GPS navigation systems, high-end digital cameras and IPods.


PAO provided each shopper with 20 to 40 counterfeit credit cards with the expectation that each “shopper” would make fraudulent purchases in an amount that averaged $1,000 per counterfeit card. If a “shopper” was provided with 30 counterfeit credit cards, the “shopper” was expected to make $30,000 in fraudulent purchases. PAO made the travel arrangements for the “shoppers,” which included airline flights, car rentals, and hotel rooms for shopping trips in New York, New Jersey, Connecticut, Illinois, California, Oregon, Washington, Ohio,
Pennsylvania, and North Carolina.

The “shoppers,” who were paid approximately 15% of the retail value of the merchandise they bought, delivered the merchandise to PAO, who then sold the stolen goods to defendant JOHN DOE. In turn, DOE sold the goods to electronics and computer stores in Queens.

You can read the full press release, here.

Unfortunately, this problem is enabled by portable devices, which are too easy to obtain. A website, I found recently (called Hackers Homepage) seems to openly sell everything a wannabe card skimmer would need to do this. They even sell the high-quality card blanks - with the ability to place holograms on them - right over the Internet!

Of note, this site (which I hope is under surveillance) also sells more sophisticated skimming devices designed to be placed on point of sale systems, and advertises other devices and publications that would appear to enable a lot of different financial crimes.

A lot of this stuff can also be purchased on auction sites (like eBay) as demonstrated, here.

Perhaps, if we want to see a decrease in this activity, we need to enact laws that will control some of the technology, which makes it TOO easy for anyone to do.

This along with DIY (do it yourself) auction fraud and phishing kits, also being sold over the Internet, make it too easy for ANY criminal to commit pretty sophisticated crimes.

Throw in carder forums, which sell all the information being stolen, and there is no wonder why this has become a rapidly growing PROBLEM.

The bottom line is that easily purchased technology is making the problem worse, and the problem is spreading so rapidly, law enforcement has a hard time keeping up with it.

This IS NOT a victimless crime, just ask any of the people having their information stolen, or one of the businesses that have lost money from it. Of course, when businesses lose money, they have to raise prices, which means we are all paying for it.

To watch a pretty telling video on YouTube about how restaurant workers skim payment cards, link here.