Friday, May 11, 2007

British citizens accused of child porn found to be fraud victims

Information (identity) theft sometimes leads to innocent people being charged with a crime. Recently, I've been reading about how British citizens were accused of viewing child pornography, when they were actually victims of credit card fraud.

The Guardian did an excellent article about this, explaining how the porn industry supplements it's income with payment (debit/credit) card fraud. This explains how innocent people, who are victims of credit card fraud, get accused of crimes they didn't commit:


One method used from 1999 by criminals, including the Gambino mafia family in the US, was to offer free tours, or access for a credit card payment as small as $1.95, to adult sex sites. Customers had to provide name, address, card details, and email address and password. The criminals then reused the data or traded them online with other fraudsters.

Operating out of Indonesia, Russia or Brazil, many of the webmasters linked via Landslide appear to have obtained and swapped lists of stolen cards and charged them up through different portals, usually for amounts of less than $50 - small enough that unwary people might not spot them on a credit card statement.


The current arrests stem from a larger investigation, where a U.S. based child porn website (Landslide Inc.) was investigated, revealing 250,000 credit card numbers (used on the site), belonging to card holders, worldwide.

Copies of the hard drives were provided to British law enforcement. Subsequently, thousands of British citizens were investigated, as a result of having their credit card number show up as having paid for Landslide's seedy services.

The investigation began in 1999 and was conducted by the United States Postal Inspection Service and Dallas Police Department. It exposed how the Internet is used to commit this disgusting crime (child pornography), globally, with the click of a mouse.

The investigation tracked activity to 60 different countries. 120 people were eventually arrested in the United States. Pete Townsend, the Who's guitarist was arrested for viewing child porngraphy in this investigation, also.

54,348 of the credit card numbers discovered in the U.S. search warrant were identified as having been stolen from Levenger Incorporated, a luxury goods company. Of course, Levenger declined to comment on how the information was stolen.

The Guardian article makes a clear argument that many more of the numbers taken in the search warrant could have been stolen (in a lot of places) and used on the Landslide site.

The sheer amount of stolen information and fraudulent payment devices circulating via the Internet is victimizing innocent people, and more than likely giving guilty people, plausible deniability.

Not everyone caught in this was a victim of credit card fraud. Exploiting children is one of the most disgusting crimes I can think of. People, who exploit children, deserve to be punished, severely.

It's apparent that our inability to address the source(s) of crime on the Internet is having VERY severe consequences on the people, who are victimized by it.

Innocent, or guilty, 39 people have committed suicide over this. Wouldn't it be nice if some of these child pornographers/credit card fraudsters could be charged with murder, or at least manslaughter?

USPIS press release on Operation Avalanche, here.

Suspected crimes against children can be reported to the National Center for Missing and Exploited Children, here.

Well researched article from the Guardian, here.

Thursday, May 10, 2007

Does it really matter how well a bank protects their site?

Dark Reading had a story that caught my eye (courtesy of Bank Systems & Technology) stating that a 150 million people in the United States are scared of online banking.

For fear of becoming the next victim of identity theft, 150 million U.S. consumers don't bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers' confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research (Pleasanton, Calif.) for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

One thing to consider is that in most instances, where an individuals banking or personal information is compromised -- it is because they downloaded malware (crimeware), or they gave it up by more social means -- often referred to as phishing.

A bank site might be well protected, but if your computer system is NOT, it's probably still at risk. There are also a lot of spoofed fake bank sites out there that look pretty convincing to the untrained eye.

If you are unfortunate to pick up a keylogger -- everything you "key" is logged and sent back to the person -- who dropped it on your system. If the crook gets your user name and password, no amount of security on the bank's site is going to stop you from being victimized.

Most keyloggers are dropped on a system, when the user clicks on a link they shouldn't have in a spam e-mail.

Perhaps, the key is to make sure your system is well protected, and learn to protect your information, personally.

I use online banking myself, but I'm not going to rely on the bank to protect me.

The best defense against identity theft is using common sense, which in the case of computer systems, should include current protection from a reliable computer security vendor. Of course, being aware of the more social ways information is stolen is highly recommended, also!

My own bank tries to sell me online banking as a means of preventing identity theft. They remind me (every time I log on) that it's a way to prevent my personal information (sent in snail mail marketing offers) from being stolen.

On a personal note, I remind myself, I'm saving a tree or two. It also reduces the amount of documents, I have to shred. Thinking of it that way, gives me more peace of mind.

The last time I asked a Postal Inspector, mail theft hasn't stopped, and still is a way identity thieves steal a LOT of information.

You can opt out from receiving this snail mail (highly recommended), here. If you do, the credit bureaus will stop marketing your personal information, and it will be less available to steal.

As long as corporations are making a lot of money by keeping the commodity (our information) easy to use, criminals are going to find ways to steal it. After all, it's become highly profitable for them, also.

Dark Reading article (courtesy of Bank Systems and Technology), here.

Monday, May 07, 2007

Is Target's payment card and new refund procedure stopping retail criminal activity?

Will stricter return policies drive Target's customers, elsewhere? Some are saying their new return policy (which will require a receipt for cash returns of $20 or more) -- isn't very customer friendly --and might do just that. Some are also questioning, whether another policy (how they verify plastic transactions) is enabling fraud to occur within their four walls.

So far as the new refund policy, Target's response is that this will affect a very small amount of its customers. Chris Serres, Star Tribune, Minneapolis - St. Paul gives Target's rationale for this:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm with data breaches, carder forums, and do it yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied into methamphetamine use, but in reality, it might also be tied into heroin use, or any other narcotic that people get addicted to. Addicts often turn to retail crime to support their habits, also.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high value (shrink) merchandise and tightened up their return policies. To get past this, many retail criminals use fraudulent payment devices, which are pretty easy to obtain.

Organized criminals now make their "cut" selling the information and devices to less sophisticated crooks, who do all the dirty work for them. Deals are made on the Internet with a click of a mouse, and these devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind it.


Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals UPS, or Fedex, worldwide. Sometimes, they are shipped in bulk to one location and then redistributed. This is another method used to make tracking these devices to their original source, difficult.

Because of the growing availability, retail criminals are using
fraudulent payment devices to obtain and then refund merchandise.

If customers using credit cards, debit cards and checks are still allowed to return them without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers, using payment devices (checks, credit cards, debit cards) could get a refund without a receipt? Just to make sure, I called my local Target and told them I lost my receipt from a credit card purchase. I was told to bring my credit card in and they could look up the information.

In light of the many recent data breaches, such as TJX -- where at least 45 million customers were compromised -- this thought scared me. Even if their systems are completely safe (not sure if any really are), does this mean that a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought out security can be beat by one person with access to it!

One of the systems compromised at TJX was their refund authorization system. Not allowing easy access, or even maintaining personal and financial information is the recommended way to prevent data theft.


Besides that, I often wonder how accurate the data is in some of these refund systems. These days, crooks use a lot of other people's information.

Since Target relies on electronic authorization systems (they don't even require their staff to check ID) on credit/debit card transactions, the law enforcement official quoted above might have a very valid concern.

But this isn't the only time, I read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim, who after realizing no one was doing anything with her case, decided to beat the pavement (investigate), herself. Working with a reporter, she did her own check of retailers and here is what happened at Target (as reported on KOMOTV.com):


We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspected credit cards.
Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader."Electronic authorization is faster and more accurate than relying on visual inspection of verification of written signatures," says Brie Heath of Target.

Even with these systems, where a customer swipes their own card, a lot of retailers require that the clerk check identification AND inspect the card on signature transactions. In fact, a lot of pos (point-of-sale) systems prompt the customer and the clerk to do so.

Counterfeiting payment cards has become so easy to do that it's now
done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also being counterfeited, but at least visual inspection is going to making it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems read data, and in the case of debit and credit card data, it's being transferred (counterfeited) all the time.

Many might ask why Target would rely on an electronic system with so much fraud going on out there? One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge it back to Target.

When this happens, I'm guessing that Target isn't the one taking the loss, the bank does.


Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) are saying they are unfair to them, also. These merchants claim the rules favor the banks, who are passing off the costs of fraud to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect to see more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief, victims go through in this process. Victims can be held liable for losses, have their credit ruined, and are even charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses do have the right to protect themselves, but passing the financial loss to another business, and ultimately (all of us) does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.


It would be unfair to single out Target on these issues. Other retailers need to be looking at them, also. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this are other human beings. Removing human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation,
here.