Saturday, May 05, 2007

How to avoid getting your information stolen via wireless connections

Yesterday, I wrote about how the FBI is warning us that personal details can be stolen (i-jacked) when using public computers. This occurs when crimeware, previously installed on a public computer, logs the keys you are stroking and sends the information (electronically) to criminals.

It can be dangerous to look at any of your online financial information on these (public access) machines.

When writing about this phenomenon, I remembered that even using your personal computer at a public place with a wireless connection can expose a person's personal and sometimes, financial details.

Just the other day, Martin Bosworth, over at Consumer Affairs, wrote an excellent piece covering this danger, where he stated:


Sending unencrypted information over any unfamiliar network can turn your computer into an open book -- with pages full of your personal information.


Many of these connections appear to be legitimate because they are spoofed (camouflaged to appear as if they are a trusted connection).

Spoofing a connection or site isn't very hard to do. The spoofers simply copy and transpose pictures and statements (words) from legitimate sites to their own. The Artists Against website has a portal, where you can see fake websites that are up and running on the Internet, here.

Martin's article contains some excellent tips on how to navigate the murky waters of public hot spots, safely.

They can be viewed, here.

Interestingly enough, wireless technology isn't only used to compromise individuals. In the recent TJX data breach, where some are saying 200 million records were stolen since 2003, reports are saying the data was stolen using wireless technology.

It's being reported that this was accomplished from a car with a laptop. Driving around with a laptop, using other people's wireless connections, is sometimes referred to as "war-driving," which is my new word for the day.

Joseph Pereira (Wall Street Journal) wrote about this (courtesy of the Northwest Florida Daily News), here.

Friday, May 04, 2007

TSA loses 100,000 employee records and discloses the matter, immediately


For the first time I can remember, a data breach is being reported the day after it was discovered by an agency entrusted to protect and serve the public at large. Here is part of the press release from the Transportation Security Agency (TSA):


Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation.


Of note, the information compromised here is everything an identity thief would need to completely assume another person's identity, sometimes referred to in carder forums as a "full."

Carder forums (chatrooms) are where a lot of stolen personal and financial information is sold, right over the Internet.

Their press release on this unfortunate matter states they have extensive data protection protocols, which I would hope include the fact that the data (stored on a portable device) was encrypted.

I'm sure some are going to try to bash TSA for this incident; however, I am going to take a different stance, which is they appear to be handling the matter a lot more responsibly than many organizations that have been breached recently. In my humble opinion, the TSA is taking this seriously and handling this matter the best way possible. Data breaches embarrass a lot of organizations -- too many of them would rather avoid the negative publicity -- instead of doing the right thing to protect their (in this case OUR) most valuable asset, people.

I'm not thrilled with this data breach -- or that information continues to be left where it shouldn't be -- but disclosure (being more honest) goes a long way towards fixing the overall problem.

Recently, a TSA employee caught a culprit with 43 different driver's licenses and a lot of bogus payment devices. We need to remember that the people compromised by this, protect all of us!

I really liked their statement about what they intend to do about it - if wrongdoing is discovered:

TSA has extensive data protections protocols and training in place for its employees regarding data privacy. TSA has zero tolerance for employees not following policies on data protection and will take swift disciplinary action, including dismissal, against individuals found to be in violation of our procedures.


I'm not able to comment on TSA's data privacy procedures (never seen them), but one person with access, who violates any data privacy procedure can do a lot of damage.

If anyone knows something about this data-breach, information can be submitted to the FBI (investigating agency), here.

Data breaches have happened at a lot of places. If you are interested in reading more about them and where they occurred, the Privacy Rights Clearinghouse maintains a chronology, here.

A lot of data breaches occur when information is stored on portable (easily stolen) devices. Some claim that even if encryption is present on the device, the wrong person can still (sometimes) access the information.

The full press release can be read, here. They also link to the new government site on identity theft (worth a read if you haven't seen it yet), here.

You never know who might be selling hot merchandise on eBay

Normally, I avoid writing about petty crime, but this one is too good to pass up.

From SF Gate:

A Hillsboro mother found her daughter's missing winter coat on eBay, and now a teacher at the girl's elementary school faces charges of theft and computer crimes.

The teacher, who was placed on administrative leave pending the outcome of her trial, claims she found the jacket in the lost and found.

Of course, Mom claims she had already checked there!

With all the alleged fencing that occurs on auction sites, this person is either very unlucky, or doesn't cover her tracks very well. I would have to recommend, she sticks with teaching elementary students.

A couple of days ago, I wrote about what might happen to credit cards and identification left haphazardly in a lost and found:

Airline employees and correctional officer arrested for credit card fraud

Full story from SF Gate, here.

FBI warns of banking details being i-jacked (stolen) at Internet cafes and hotel business centers

It could be pretty expensive to check your online banking assets at Internet cafes, or at the public computer in a hotel's business center.

Here is an interesting article by Robert Schmidt at Bloomberg.com, quoting FBI sources, where he says:

Tens of millions of dollars have been looted from online brokerage accounts in a fast-growing fraud that targets unsuspecting hotel guests and Internet cafe patrons, Federal Bureau of Investigation officials say.

The way this is done isn't new; the crooks simply install keylogging software on these public machines. As I've written before, keylogging software (itself) is legal and can be purchased by anyone over the Internet. Some of the legal (marketing) justifications are to spy on employees, spouses and your children.

Oh I forgot, they are also used by private investigators, like the ones busted in the recent HP scandal.

Keyloggers are also often dropped (installed) on computers via spam e-mails, when an unsuspecting person clicks on the wrong link. According to the Anti-Phishing Working Group, their use is growing rapidly. February set an all-time record for this type of activity, according to their monthly report.

Although keyloggers are legal, when used by criminals to steal personal and financial information, we refer to them as crimeware (go figure)?

To read the full article at Bloomberg.com, click here.

I wonder if the FBI's job would be easier if laws were enacted to stop certain companies from enabling this growing problem?

Wednesday, May 02, 2007

Airline employees and correctional officer arrested for credit card fraud

A lot of payment (credit/debit) card fraud is caused by dishonest employees, who skim the information from cards; or might even simply forget to return them to you. And when they "forget" to return them, it might be intentional!

The New York City District Attorney's Office announced:

Manhattan District Attorney Robert M. Morgenthau announced today the arrest of four JetBlue employees and a New York City Department of Corrections Officer for the unauthorized use of credit cards from Jet Blue customers.

Press release, here.

Pretty scary, that Jet Blue (airline) personnel and a correctional officer, who should be people that can be trusted, seem to have given a black eye to their professions.

I saw this story the day after I had to go back to a Del Taco, who failed to return my card to me. After going to considerable trouble to get my card back (which I should probably cancel), I was amazed that no one apologized to me for what had occurred.

They even charged me for the ice tea I ordered when returning to get the card.

On a more serious note, businesses should always make sure lost payment devices and identification are properly secured. They should only be maintained for a short period of time, then destroyed to prevent someone compromising (using) them.

Many people would be shocked at how often these lost and found items are maintained (sometimes for years) in not very secure places, such as an unlocked drawer.

At least, the Del Taco manager did make me show ID to get my card back, but she didn't do very much to make me rave about their customer service. A kind or sympathetic word can do a lot to smooth out an unfortunate situation, like this one!

So far as restaurant employees involved in credit card fraud, a lot has been written about this, recently.

Here is my version of what a lot of people have been writing about:

Why it's become TOO easy for restaurant workers to skim payment cards

Please note, it's probably not fair to single out restaurant workers, this can occur at any business that accepts plastic, or even checks.

Washington Post exposes another reason why Katrina victims are still suffering

The hurricane disasters, and their commentary on social issues, continue to amaze me. To me, the rest of the world can learn a lot by studying the ongoing problems related to the disaster.

The amount of money wasted, or lost to fraud (over a billion and growing) is a sad commentary, when a lot of the victims are still living in the now (infamous) FEMA trailers.

Now a new allegation is being brought forth, which is that $854 million in aid promised by our allies, wasn't even accepted. I find this pretty interesting as people are suffering nearly two years, afterwards?

Even more shameful was that expert search and rescue personnel, were turned down, immediately after the hurricane, when they probably would have been extremely helpful:

And while television sets worldwide showed images of New Orleans residents begging to be rescued from rooftops as floodwaters rose, U.S. officials turned down countless offers of allied troops and search-and-rescue teams. The most common responses: "sent letter of thanks" and "will keep offer on hand," the new documents show.

This fact, given the problems in the initial response, amazes me.

Original Washington Post article, here.

I wonder how our allies, many of whom have accepted similar aid from us in the past, felt when we turned their generous offers down?

More recently, the Post is reporting that Congress intends to look into this. The article regarding this can be read, here.

I'm not sure when the story on Katrina will be over. The bottom line is that there are still a lot of hurricane victims, who could use a helping hand. A good place to learn more about this is Margaret Saizan's site (Beyond Katrina), which can be seen, here.

Tuesday, May 01, 2007

Phishermen use call-forwarding scam to avoid detection when bank notes suspicious activity

Most of us get a lot of phishy e-mails requesting personal and financial information from criminals pretending to be a trusted brand. Now they are adding a devious twist designed to beat fraud detection software, which is used by a lot of companies as a means to detect fraudulent transactions early on.

Herb Weisbaum of KOMOTV.com (Seattle) reports:

The mass e-mail I saw claimed to be from Bank of America -- big banks are a prime target for these scams because they have so many customers.

The e-mail says, "During our regular update and verification we could not verify your current phone number. Either your information has been changed or it is incomplete."

The message tells you to confirm your phone number right away “or your account will be suspended indefinitely.”

Not only are you supposed to give them your phone number, you're instructed to forward your calls to the Bank of America Security Department, and they give you that number.

Herb's full story, here.

When the institution notes suspicious activity and calls, the now forwarded call goes to the scammer, who assures them "all is well."

Call-forwarding being used to defraud people isn't exactly new, but this is a new twist. In the past, scammers have called the telephone company and told them that a business line was having problems, then instructed them to forward the call to another number (theirs). This is normally done to businesses, who accept payment information over the telephone.

Of course, the goods, or services are never received and the information is later used for criminal purposes, or to steal money.

This practice is enabled by telephone companies not verifying (authenticating) information when a call forwarding request is placed. Most telephone companies allow the owner of a line to protect it with a password, however unless the owner does so, they are open to this sort of attack.

It's probably a good idea (especially for businesses) to have a password placed on their account!

Consumer Affairs wrote about another variation of the call-forwarding scam -- which is designed to charge the victim for long distance calls (possibly used by fraudsters, or even inmates to commit crimes) -- where the victim is tricked into call-forwarding their number.

Note that the command for call forwarding at most telephone companies is "72#" or "*72," then the telephone number. The inmate or fraudster will normally pose as a telephone tech, who tells you there is a problem with the line. Call-forwarding can be disabled by entering "72#" or "*72."

Please note, at some businesses, the command is "90#".

This scam is frequently used by prisoners in correctional institutions to make free calls and targets both personal and business lines. This is another good reason for businesses to password protect their telephone account and consider disabling call forwarding. Most telephone companies charge extra for this service, anyway.

Consumer Affairs story, here.

Monday, April 30, 2007

E Gold accused of being a money laundering vehicle for financial fraudsters and child pornographers

To anyone familiar with crime on the Internet, allegations of criminals using, or manipulating E Gold are nothing new. Like wire transfers, E-Gold gives their customers the ability to transfer the value of gold, electronically. To transfer the gold's value, all anyone needs is an e-mail address, account number and password.

Because of this, the accounts can be prone to phishing and/or crimeware (malware) attacks, using keylogging software. When this happens, the phishermen clean out the account and transfer it elsewhere. E-Gold's terms of service stipulate that once a transfer is done, it cannot be reversed.

It should be noted that Internet criminals use wire transfer services (MoneyGram, Western Union) for the same reason -- they provide a lot of anonymity.

Apparently a task force from the Department of Justice has been looking into the money laundering angle, and is charging E Gold with several federal charges.

Here is a summary of the action against E Gold from the DOJ press release:


A federal grand jury in Washington, D.C. has indicted two companies operating a digital currency business and their owners on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the District of Columbia Jeffrey A. Taylor announced today.


The basis of the DOJ charges is:



The indictment alleges that E Gold has been a highly favored method of payment by operators of investment scams, credit card and identity fraud, and sellers of online child pornography. The indictment alleges that the defendants conducted funds transfers on behalf of their customers, knowing that the funds involved were the proceeds of unlawful activity; namely child exploitation, credit card fraud, and wire (investment) fraud; and thereby violated federal money laundering statutes. The indictment further alleges that the defendants operated the E Gold operation without a license in the District of Columbia or any other state, or registering with the federal government, and thereby violated federal and state money transmitting laws. The indictment alleges that this conduct occurred at various times from 1999 through December 2005.


It appears a lot of different federal agencies worked on this investigation:

The case is being investigated by the U.S. Secret Service with the assistance of the IRS and the FBI. The case is being prosecuted by the U.S. Attorney’s Office for the District of Columbia and the Computer Crime and Intellectual Property Section of the Criminal Division. Assistance is also being provided by the Child Exploitation and Obscenity Section and the Asset Forfeiture and Money Laundering Section of the Criminal Division.


Full DOJ press release, here.

Besides allegedly being used to launder money, E Gold is often used in advance fee and auction scams, which trick people into sending their hard earned cash to fraudsters. I've written about the auction, secret shopper, romance, lottery and job variations of advance fee scams on this blog, frequently.

Like the problems with accounts being phished, or their value being drained because of crimeware, little can be done once the gold (converted to a monetary value) has been transferred.

When password details can be stolen, accounts can be taken over, also. This happens frequently on auction sites, when trusted accounts are compromised, then used for fraudulent purposes.

Wikipedia has an extensive article about Advance Fee (419), here.

It will be interesting to see how this plays out!

Sunday, April 29, 2007

Another former IRS employee pleads guilty to fraud

For the second time in the recent past, a former IRS employee (this time a deputy director) is guilty of committing fraud. Specifically, he helped a dishonest tax preparation service convince tax payers to claim illegal deductions, by claiming they were legal.

From the DOJ press release:

A former Internal Revenue Service (IRS) district director, pleaded guilty today to conspiring to defraud the United States through his involvement in a tax fraud scheme promoted by the Topeka, Kansas-based “Renaissance, The Tax People, Inc.,” the Justice Department and the Internal Revenue Service announced. During a hearing before U.S. District Judge Carlos Murguia in Kansas City, Kan., Jesse Ayala Cota admitted defrauding the U.S. Treasury of more than $1.3 million and to earning more than $300,000 from his participation in the scheme.

Cota, 65, of Vista, Calif., admitted in his plea agreement that from 1997 through April 2002, the conspirators, through Renaissance, operated a scheme to defraud the government and individuals by marketing a program designed to sell illegal tax deductions through false and misleading representations. His co-conspirators, Todd Eugene Strand and Daniel Joel Gleason, previously pleaded guilty to the same fraudulent scheme. Additionally, Cota admitted that during his participation in the conspiracy, those involved prepared or had others prepare false federal income tax returns resulting in a tax loss of approximately $1.3 million.

Full DOJ release, here.

I wonder what will happen to all the people that were convinced to use the illegal deductions?

Here is the post, I recently did about another former IRS type committing a different type of refund fraud:

Former IRS employee charged with a different type of refund fraud

So far as dishonest tax preparers, I covered this recently, also. A major Jackson Hewitt franchisee is under investigation for allegedly committing $70 million in tax fraud.

Of course, they should be considered innocent until proven guilty.