Saturday, July 07, 2007

Why the GAO report on Identity Theft might show that disclosure works!

I came across a thoughtful post about the recent GAO report on identity theft and data breaches written by Dissent, who blogs at the Chronicles of Dissent. This is a well-written analysis, and after reading it, I was inspired to think a few things through.

In Dissent's own words:


The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737 (pdf)] was released today.

Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.

Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.


Of note, Dissent is affiliated with PogoWasRight.org, which is affiliated with Attrition.org, one of the sources tracking the never-ending saga of data breaches.

I'm going to link to the full article, which I think is a valuable read for anyone interested in this subject. Then I will give my personal opinion.

Chronicles of Dissent post, here.

Identity theft seems to be a growing problem, at least whenever anyone takes the time to track the statistics. If this is true, then why would known data breaches result in very few cases of identity theft?

The answer is simple: once a data breach is exposed, the stolen information isn't as easy to use!

When a data breach occurs, the people whose information was compromised normally take a lot of measures to protect it. In fact, an entire industry (identity theft protection services) has come about, which is automating the process. This makes it harder, and probably a lot more dangerous, to use the information.

Everyone involved in studying this admits there are a lot of compromises no one knows about. These unknown compromises are probably where most of the information being used to steal identities is coming from. After all, the thieves don't want to waste their time on information that won't work, or even worse, put themselves at risk of getting caught.

One of the reasons the problem is growing is that not many of the thieves are getting caught (my opinion).

At best, once a breach is known, someone is going to have to hold on to the information for later use (after people and organizations let their guard down).

Perhaps, these highly publicized data breaches have stopped the information from being used? If this is the case, it's certainly a good argument for mandatory notification.

In closing, our personal information has been put in too many places that don't seem to be protected very well. The reason for this is pretty simple, also: there is a tremendous amount of money being made from selling it to market products.

As long as our information is being used for a profit and isn't being protected properly, it's only fair that those profiting should be held liable for all the notifications and clean-up.

Of course, I'm also in favor of going after the people compromising the information with a little more gusto. Since this costs money, I have no doubt who should be helping to pay for that, also.

*Update to article 7/10/07 - Dissent owns PogoWasRight and is no longer affiliated with Attrition.org. He was kind enough to add a comment to this post, which can be viewed at the bottom of this post, here.

No one can ever be certain of anything until things become more transparent. This is why I often add that some of my thoughts are purely opinion, based on my observations of this phenomenon. I am always open to considering all points of view, and in fact, learn a lot by doing so.


Friday, July 06, 2007

If your car gets stolen, eBay might be a good place to look for it!

If your car was recently stolen, it might be a good idea to check out the listings on eBay, according to Dariusz Grabowski, a.k.a. (also known as) the "eBay king of stolen cars."

Rick Hepp at the Star-Ledger reports:

Grabowski and his crew would buy junked or damaged vehicles at auctions and look for similar newer cars to steal. Once they found a car they wanted, they would get its vehicle identification number, usually found in sales ads or right on the car's windshield.

Today's newer car keys can only be duplicated if their computer chips are programmed according to the vehicle identification numbers. Car owners who lose their keys and want duplicates generally go to locksmiths who program the new keys by getting "key codes" from database companies hired by auto manufacturers.

Posing as a locksmith, Grabowski got these codes from the database companies and then made brand new keys. His crew took the keys and simply drove off with the cars.

Before selling the cars, they made them look legitimate by switching the vehicle identification numbers with the ID numbers of the junked cars they had bought.

Grabowski learned how to do all of this by surfing websites that provide technical assistance to locksmiths and, interestingly enough, buying any hardware he needed on eBay:

"You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people."

From there, Grabowski got a business license, which he made on a computer "real quick" and lavished special attention on a female owner of a company licensed to provide locksmiths with the necessary code to clone keys.

Grabowski and crew have all been convicted, but their victims are still paying the price for their misdeeds. New Jersey State Investigator Jeffrey Lorman was quoted in the article as saying:

The buyers were happy with the cars, they got a great deal. Then we found out about Dariusz and the stolen cars were recovered. Some of these people are still paying for cars they no longer have.

The article mentioned that Grabowski was affiliated with a lot of other Polish nationals involved in the business of stealing cars, also.

Our friend Dariusz might or might not be the eBay king of stolen cars. If he is, he isn't alone, at least according to Google. A simple Google search reveals a large amount of information related to scams involving automobiles on eBay, here.

Fraud, Phishing and Financial Misdeeds a.k.a. (sometimes) FraudWar has a lot of information on auction fraud (if anyone is interested), here.

My advice is to be extremely cautious when buying a car on an auction site! If you choose to be cautious, a good place to perform due diligence is CarBuyingTips.com, which can be seen, here.

The word is caveat emptor, Latin for "buyer beware."

Star-Ledger article, here.

Wednesday, July 04, 2007

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Large data breaches are becoming a VERY frequent news event! This time only 2.3 million records were stolen, a mere fraction of the amount (45 million plus) TJX lost. In this instance, we are told we have nothing to fear because the information was sold to a data broker.

Ron Word of the AP (courtesy of the Washington Post) reports:

Fidelity National Information Services, a financial processing company, said yesterday that a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information.

This occurred at one of their subsidiaries, Certegy Check Services.

According to the article:


About 2.2 million records stolen from Certegy contained bank account information and 99,000 contained credit card information, company officials said.

Since Certegy verifies check transactions, this probably means a lot of checking account information in addition to some credit and personal information. From a financial crimes perspective, this information could be used to commit a lot of identity theft, check and credit card fraud.

The company claims the information was sold to data brokers, who sold it to direct marketers. Their president, Renz Nichols, "believes" this is the extent of the damage.

I'm not sure I can "believe" that no one is at risk. The last time I checked, identity thieves normally shy away from revealing exactly who they intend to compromise next. It's bad for business. Besides that, is this based on the word of someone who stole the information and sold it in the first place?

Interestingly enough, the data broker is unnamed at this point. The AP article does say they are claiming they didn't know the information was stolen. I wonder how this data broker verifies the information they get, and who they are getting it from?

Data brokers and credit bureaus sell information all the time. Recently, a data broker (InfoUSA) was caught selling direct marketing information to spammers, who commit lottery fraud schemes.

The sad thing is that once the information starts getting sold, it becomes available to more and more insiders who might sell it to the wrong person, assuming it hasn't been already.

And there is so much information to be sold, no one is ever sure exactly where it came from. Criminals are even selling it via the Internet to other criminals.

AP Story (courtesy of the Washington Post), here.

Attrition.org is tracking data breaches, here. The amount of them that happen is pretty scary!

I've written a lot about how data brokers make billions buying and selling our information, which can later be used against us, here.

They don't believe they are enabling a worldwide problem, either.

At least that's what I keep hearing, whenever a new data breach is announced.

FlexiSpy - software that spies on people via their smart phone


There is already a lot of "buzz" that mobile phones, especially those of the smarter variety, will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone who uses a smart phone.

Here is FlexiSPY's marketing pitch (from their site):

Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meeting rooms etc.

If FlexiSPY is installed on a smart phone, it sends data to their server 4 times a day, which can be accessed via the Internet by anyone paying for their service 24 hours a day, 7 days a week.

The FlexiSPY site blasts F-Secure, a security vendor, for calling their software a trojan, and claims FlexiSPY will not answer their e-mails. This is probably because F-Secure was the first one to question this software and its potential abuse factor. The site claims F-Secure's true intent is to sell their own software, which can remove FlexiSPY.

This is partially true; billions are made in the spy versus spy (white-hat versus black-hat) world of computer security. Although, in all fairness, F-Secure isn't the only one on record that is worried about the use of FlexiSPY's spyware.

According to FlexiSPY, their software IS NOT a trojan because it has to be loaded on a telephone by a human being, and the software doesn't replicate itself.

I wonder how long it will be before a hacker figures out how to drop the software remotely? Of course, it also makes sense that FlexiSPY wouldn't want someone to be able to replicate their software. Replicated software doesn't make them any money.

I'll leave it to the reader's imagination how a product like this could be used by criminals, spies, or stalkers.

It never ceases to amaze me how some of these products are sold right over the Internet to ANYONE! It gives credence to the old saying, "there ought to be a law."

FlexiSPY even lists several electronic publications on their site as "talking about them." I decided to see what a few of them (besides F-Secure) had to say.

Gizmodo states:

The software allows a sickening amount of privacy invading features.

Engadget states:

While FlexiSPY is designed to install itself invisibly, it's now been officially categorized as a trojan (which, face it, it really is) and has been added to F-Secure's virus database.

And the Register states:

A piece of software which allows a user to track another person's mobile phone use would be almost impossible to use in the UK without breaking the law, according to a surveillance law expert.

In fact, using this software could be illegal and subject to penalties in most of the civilized world. Most of these countries would require some sort of court order, even if this technology were to be used by law enforcement.

Gizmodo story, here.

Engadget story, here.

Register story, here.

FlexiSPY acknowledges the same concern that the surveillance law expert brings up in the Register article about them:

It is the responsibility of the user of FlexiSPY to ascertain, and obey, all applicable laws in their country in regard to the use of FlexiSPY for "sneaky purposes". If you are in doubt, consult your local attorney before using FlexiSPY. By downloading and installing FlexiSPY, you represent that FlexiSPY will be used in only a lawful manner. Logging other people's SMS messages & other phone activity or installing FlexiSPY on another person's phone without their knowledge can be considered as an illegal activity in your country. Vervata assumes no liability and is not responsible for any misuse or damage caused by our FlexiSPY. It's final user's responsibility to obey all laws in their country. By purchasing & downloading FlexiSPY, you hereby agree to the above.

I guess the old Latin saying "caveat emptor" (buyer beware) applies in this instance!

Sunday, July 01, 2007

Phishermen impersonate DOJ in spam e-mail



DOJ logo. The press release mentions that the e-mail contains their official logo. Copying graphics is extremely easy to do. Internet criminals do this to make their spam e-mails look more official, or even to create totally spoofed (impersonated) websites.

Recently, Internet Phishermen have spoofed the IRS, FTC and the FBI to trick people into giving out personal/financial information. Of course, they spoof a lot of other organizations, also.

Apparently, the e-mail even contains the DOJ logo on it. This isn't very hard to do because copying graphics takes very little technical skill. To demonstrate, I will copy the DOJ logo and place it at the top of this post.

Because this is so easy to do, a lot of fake websites (mostly imitating financial institutions) are all over the Internet.

From the DOJ press release dated June 27th:

The Department of Justice has recently become aware of fraudulent spam e-mail messages claiming to be from DOJ. Based upon complaints from the public, it is believed that the fraudulent messages are addressed "Dear Citizen." The messages are believed to assert that the recipients or their businesses have been the subject of complaints filed with DOJ and also forwarded to the Internal Revenue Service. In addition, such email messages may provide a case number, and state that the complaint was "filled [sic] by Mr. Henry Stewart." A DOJ logo may appear at the top of the email message or in an attached file. Finally, the message may include an attachment that supposedly contains a copy of the complaint and contact information for Mr. Stewart.

Although most phishing attempts are designed to trick people into giving up their personal/financial information, malware (crimeware) automates the process. Here is what the DOJ has to say about that:

Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by "double-clicking" on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Press release with links on where to report these phishy e-mails, here. The news release also has some links to government sites designed to educate the public on Internet crime.
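As an added defender-side example (written for this page, not code from the original post or from the DOJ), here is a small Python triage routine that scores a raw e-mail against the indicators the DOJ press release lists: the "Dear Citizen" greeting, a claimed complaint forwarded to the IRS, a case number, the name "Henry Stewart", an attachment, and a sender whose display name claims DOJ while the address is outside .gov. The two sample messages, the indicator weights, the score threshold and the executable-extension list are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Body-text indicators from the DOJ press release quoted above; each adds its weight.
INDICATORS = [
    (r"dear citizen", 2, "generic 'Dear Citizen' greeting"),
    (r"\bcomplaint", 1, "claims a complaint was filed"),
    (r"internal revenue service|\bIRS\b", 1, "says the complaint went to the IRS"),
    (r"case (number|no\.?|#)", 1, "cites a case number"),
    (r"henry stewart", 3, "names 'Mr. Henry Stewart'"),
]
# Extensions that run as programs on Windows (assumed list, not from the release).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".js")

def triage(raw: str) -> dict:
    """Score one raw RFC 822 message against the DOJ-impersonation indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(why)
    # A display name claiming DOJ while the address sits outside .gov is spoofing.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if re.search(r"justice|\bdoj\b", name, re.IGNORECASE) and not domain.endswith(".gov"):
        score += 3
        reasons.append(f"claims DOJ but sender domain is {domain!r}")
    # The 'copy of the complaint' arrives as an attachment that may carry malware.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        score += 3 if fname.endswith(EXEC_EXT) else 1
        reasons.append(f"attachment {fname!r}")
    return {"score": score, "reasons": reasons,
            "verdict": "suspicious" if score >= 5 else "ok"}

def build_sample() -> str:
    """Constructed message modelled on the campaign the DOJ describes."""
    m = EmailMessage()
    m["From"] = '"U.S. Department of Justice" <complaints@doj-notice.example.net>'
    m["To"] = "recipient@example.org"
    m["Subject"] = "Complaint filed against your business"
    m.set_content(
        "Dear Citizen,\n\nA complaint has been filed against your business\n"
        "and forwarded to the Internal Revenue Service.\n"
        "Case Number: 20070627-0931 (constructed value).\n"
        "The complaint was filled by Mr. Henry Stewart.\n"
        "A copy of the complaint is attached.\n")
    m.add_attachment(b"MZ constructed stub, not a real program",
                     maintype="application", subtype="octet-stream",
                     filename="complaint_copy.exe")
    return m.as_string()

def build_benign() -> str:
    """Constructed ordinary message that should score zero."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.org>"
    m["To"] = "bob@example.org"
    m["Subject"] = "Lunch"
    m.set_content("Hi Bob,\n\nAre we still on for lunch tomorrow?\n")
    return m.as_string()
```

`triage(build_sample())` scores 14 and is flagged suspicious, while `triage(build_benign())` scores 0; the reasons list tells an analyst which of the release's indicators fired.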

If you would like to see how easy it is to copy graphics and make a fraud website look like a legitimate one, Artists Against 419 has a lot of actual examples on their site (see Lad Vampire link), here.

The Anti Phishing Working Group compiles statistics on spam and phishing. Every time they issue a new report (monthly), a new record seems to be set. APWG site, here.

Graphic illustration of what might happen to your computer after "double clicking" on an e-mail attachment from the Phishermen (courtesy of the FBI)!

It appears even the FBI has a sense of humor! Great picture (my opinion).

The problem of unsafe products from China is just a symptom of the bigger problem!


Interesting picture about consumer protection, courtesy of Flickr.

In the past couple of months, we've seen some alarming stories about dangerous products coming from China.

Dirk Lammers of the Associated Press wrote:

Poisoned pet food. Seafood laced with potentially dangerous antibiotics. Toothpaste tainted with an ingredient in antifreeze. Tires missing a key safety component. U.S. shoppers may be forgiven if they are becoming leery of Chinese-made goods and are trying to fill their shopping carts with products free of ingredients from that country. The trouble is, that may be almost impossible.

The Lammers family shopped far and wide and came to the conclusion that merchants sell all kinds of products from China. Even more alarming, even if the label doesn't say "made in China," the product likely has a component (ingredient) that was.

The reason for this is simple: companies make billions off the cheap labor found in China and other less developed countries that lack the level of consumer protection we think (my opinion) we have.

The U.S. Bureau of Labor Statistics, which keeps a tally of labor costs abroad, doesn't seem to have any data on China, or India for that matter. I mention India because we seem to be in the market for a lot of their labor recently.

The closest I could find was Sri Lanka, which in 2005 (the most recent year available) had a labor compensation rate of 52 cents an hour.

I noticed a lot of countries left out. For instance, the region to the south of the United States only has data for Mexico and Brazil. Mexico, which has a better economy than most of the area, has a labor cost of $1.57 an hour.

Maybe this is one of the major reasons our border to the South isn't very secure. Minimum wage, or even welfare benefits must seem like a king's ransom to some of these people.

Going back to China, I was able to find an estimate of labor costs in China by using Google. Judith Banister wrote in the Monthly Labor News Review:


Employees in China’s city manufacturing enterprises received a total compensation of $0.95 per hour, while their non-city counterparts, about whom such estimates had not previously been generally available, averaged less than half that: $0.41 per hour. Altogether, with a large majority of manufacturing employees working outside the cities, the average hourly manufacturing compensation estimated for China in 2002 was $0.57, about 3 percent of the average hourly compensation of manufacturing production workers in the United States and of many developed countries of the world.

A little higher than the government figure for Sri Lanka, but not much. Of course, I can think of a lot of countries we outsource labor to that aren't included on the government list.

It makes sense that, since a lot of these countries have a much lower standard of living as well as not very many consumer protection laws, unsafe products have the capability to spread worldwide.

In fact, with counterfeiting (another worldwide problem) thrown in, who knows what might show up in the supply chain? For example, it was recently disclosed that counterfeit drugs from China were likely being dispensed from pharmacies in the United States.

Chris Hansen of Dateline did a pretty revealing story about this, here. The FDA did announce new rules shortly after this, but I'm not sure this makes us very safe. All sorts of illegal drugs make it past customs daily.

I'm not sure if blaming China is the solution. After all, we aren't only outsourcing labor costs over there. Many of the other countries we outsource labor to don't protect their people very well, and couldn't care less about consumer protection, either.

In fact, in many of these countries, people have a hard enough time keeping food on the table!

Perhaps, we should take a closer look at ourselves? There are corporations here in the West, making a lot of money by stocking these products on our shelves. And at less than 60 cents an hour in labor costs, it must be extremely profitable for them.

A worker in China or Sri Lanka isn't living very well on less than 60 cents an hour.

Perhaps, if certain companies had to start paying the true costs of padding their bottom lines with cheap labor, it wouldn't be as profitable.

I was amazed that, despite all the special interests obviously behind the recent immigration bill, it was promptly defeated by the voice of the public. Many of us believe this bill was, at least in part, a ploy to drive down the cost of labor.

I'm not saying that all the politicians had ulterior motives, or that all corporations lack ethics, but it did reveal that the voter (individual person) has a choice, and more importantly, a voice!

It might be wise for politicians and corporations to get more on board with their voters and customers.

If you are interested in learning more about this, I recommend Lou Dobbs, who has become extremely outspoken about a "war against the middle class." His site can be viewed, here.

Here are some references used for this post.

Article by Judith Banister (Monthly Labor News Review), here.

Article by Dirk Lammers (AP), courtesy of the Washington Post, here.

Counterfeiting merchandise is enabled by outsourcing labor (my opinion). I've written a lot about this, here.

Previous posts about China and other dangerous activities coming from there, including espionage and hacking, can be viewed, here.