Saturday, August 04, 2007

Celebrities, including Paris Hilton become identity theft victims

(Courtesy of Flickr) Only the photographer knows who is behind the mask.

No one's identity is safe these days. It's just been reported that a lot of celebrity types, including Paris Hilton have had their identities jacked (stolen).

Tampa Bay's reports:
Investigators busted a massive identity theft ring allegedly operating out of a row home in Northeast Philadelphia Friday.

Police said the list of targeted victims includes celebrity names like Donovan McNabb, his mother Wilma, Jennifer Lopez, Paris Hilton, Whitney Houston, Patti LaBelle, Michael Vick and Microsoft founder Paul Allen.
Allegedly, a couple of fraudsters used change of address forms and had mail diverted to a Philadelphia address. They then used the information from the stolen mail to order checks and credit cards.

The article also states that one of the fraudsters was a former IRS employee, and that some of the information might have been stolen from their computers.

Considering the names they were using, one might wonder why no one noticed at the banks, credit card companies, or the post office when this scheme was first hatched?

In case any of these famous people are wondering why it was so easy to use such recognizable names, it might be because issuing credit cards, checks and (I'm guessing) address changes are approved by computers.

To demonstrate this, they might want to read a previous post I wrote:

Ever Wonder How Well the Credit Card Companies Protect Your Personal Information?

I did another post, where a cat was issued a credit card, also:

Should cats be issued credit cards?

According to the article, this case is still being investigated and the list of people compromised is likely to grow.

It will be interesting to see, if it is ever disclosed, how long this went on and how much money was stolen as a result of this! article, here.

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

(Courtesy of Flickr)

A new report issued by the Treasury Department's inspector general reveals that too many IRS employees compromised their user ID and password to an unknown person, who was actually a government auditor posing as a help desk employee.

Sixty percent of the IRS employees fell for the social engineering trick, sometimes referred to as vishing. This isn't the first time a test like this has been conducted. In 2004, 35 percent of the employees tested compromised information and in 2001, the failure rate was 70 percent.

In the recent past, the agency has also been criticized for it's aging computer systems and their name has been spoofed (impersonated) in phishing attacks.

I guess the IRS makes a good story, but they certainly aren't the only government agency, or private entity being compromised by activity like this.

Whether it's vishing or phishing -- where social engineering (fraud, deception etc.) techniques are used to trick people into giving up access to information that should be protected -- human beings are probably the biggest threat to information (computer) security.

True, the results of this report are shocking, but maybe we should listen to what it is telling us? If social engineering didn't work, my guess is that a lot of the current explosion in phishing and vishing activity would go away.

Even when malware, often referred to as crimeware, which steals information using technology is used, a human being has to be lured into clicking on a link, or visiting certain websites for the software to be implanted.

Maybe one of the problems is that people, who fall for these ploys are reluctant to admit they were tricked so easily? I've seen a lot of people fall for social engineering ploys, and not all of them are poorly educated, or what most of us would consider, stupid.

In fact, many us would probably be amazed at exactly who falls for social engineering ploys. Most people would rather remain anonymous because it's embarrassing to admit they were conned into whatever scheme they fell for.

Of course, the people I'm referring to have asked me to respect their privacy, and I'm an advocate of protecting that, along with being kind to victims, also.

Whether it is a government agency, big business, or non profit being targeted, the only thing that is consistent is we see more and more of this activity all the time. Trust me, if it didn't work, the criminals behind it wouldn't be wasting their time doing it.

If the activity is increasing, and social engineering it tied into most of it, the best thing we can do to defeat it, are more tests like these, combined with an effort to make people more aware of the problem.

While the results of this report aren't good, at least they are making the information public and not hiding it. My guess is that IRS employees aren't the only ones, who would fall for something like this.

Education and awareness are key in stopping this problem, which keeps growing by leaps and bounds!

Inspector General (Treasury Department) report, here.

Tuesday, July 31, 2007

Customer stops debit card skimming scheme at AM/PM

Another tale of a skimming device being found at a gas station has surfaced in the local Northern California news. In this instance, a savvy customer figured out what was going on and notified the Police.

Koula Gianulias CBS 13, Sacramento reports:

Skimming at the pump. Hundreds of dollars have been stolen from unsuspecting drivers. Recently, a local driver figured out he was being taken.

When Joe Schroder tried to pay for gas at the ARCO in Newcastle, he had some trouble sliding his ATM card into the slot.

“Got up under it, pry up on this. It popped off in my hand and I knew I had something there,” says Joe Schroeder.
In June, a similar problem occurred at AM/PM stations in Huntington Beach in Southern California. One of the reasons, authorities speculate card skimmers like AM/PM is because they only accept debit cards.

As far as I've heard, the suspects in this case are still at large, also.

Huntington Beach Independent article, here.

Koula got the official statement from the parent company, which is:

”The number one priority of BP, ARCO, AM/PM is the safety and security of our customers' every transaction, every day, at all of our sites. It is unacceptable that our customers and company have been targeted by these thieves. We are continually updating our systems to further protect our customers.”

Of course, in this case, it also helps to have aware customers frequenting your premises!

CBS13 story, here.

There is an excellent video on CBS13 link, showing how one of these devices can be installed at a gas station in 20 seconds, or less!

I've also done a few posts on skimming, which might help educate people, here.

If you scroll all the way to the bottom, there are a lot of pictures and links to more pictures to take a look at.

This activity doesn't only occur in the United States. It's happening all over the world.

Similar device discovered at a gas station in Great Britain. (Courtesy of Flickr)

Story about activity in Finland, here.

Will the Stevens raid cause voters to trust politicians even less?

I'm predicting the upcoming elections will be pretty interesting. Confidence in our political leaders seems to be at an all time low.

One particularly bothersome phenomenon are stories of elected officials being investigated for lining their own pockets. They seem to be surfacing with alarming frequency.

It's no wonder that both the executive branch and house seem to have one thing in common - ever decreasing public support.

The most recent event in this seemingly never-ending chain of disappointing stories is the raid on Senator Ted Stevens' Alaska retreat.

Dan Joling of the AP is reporting:

Federal agents with cameras searched the home of U.S. Sen. Ted Stevens amid questions about an oil company official's involvement in a 2000 renovation project that doubled the home's size, law enforcement officials said.

Stevens, 83, is under a federal investigation for his connections to Bill Allen, founder of VECO Corp., an Alaska-based oil field services and engineering company that has reaped tens of millions of dollars in federal contracts.

Allen was convicted earlier this year of bribing state lawmakers. He also oversaw the renovation of Stevens' home in the ski resort community of Girdwood, contractors involved in the work say.

This seems to be part of a larger investigation:

The Justice Department's probe into Allen's relationships has led to charges against state lawmakers and contractors. Last year, FBI raids on the offices of several Alaska lawmakers included Stevens' son, former Alaska Senate President Ben Stevens.

Neither the U.S. senator nor his son has been charged.
The AP Story also states that Alaska's only U.S. representative, Don Young, is also under investigation. This cannot be confirmed because the source was anonymous.

The AFP version of the story (courtesy of Yahoo News)cited unnamed sources as saying:

The investigations have prompted calls for ethics reform in Congress and damaged President George W. Bush's Republican party. Some party members blamed the corruption cases for helping hand their Democratic rivals control of Congress in legislative elections last year.
I found this an interesting statement because Republicans don't seem to be the only ones getting accused of lining their own pockets by using their political influence.

Let's not forget Rep. William Jefferson, D-La. has been indicted on federal charges of racketeering, money-laundering and soliciting. The investigation against Jefferson suggested ties to a foreign political figure, Abubakar Atiku (former Vice President of Nigeria).

Atiku was still in office, when the scandal made headlines. Interestingly enough, the connection between him and Jefferson seemed to be ignored by the Western press, however it was covered extensively in Nigeria and elsewhere in Africa.

Wikipedia has an interesting article tracking charges of corruption involving political figures. If you look at their document and note the amount of incidents since 1990, the problem seems to be growing.

Wikipedia article, here.

Of course, there was political corruption around before 1990, also. Maybe, the trend started earlier with the Abscam investigation in 1980?

Here is a FBI video of Jack Murtha dealing with a undercover FBI agent in the infamous Abscam investigation.

It's a sad commentary that so many of our leaders seem to be getting caught, or accused of being corrupt. Maybe this is one of the reasons that politicians seem to be losing the popular support of the people, they are supposed to be serving.

Whether this is all dirty politics, outright corruption, or a mixture of both -- it does little to bolster public confidence in our leaders.

After all, these are people, we (and our children) are supposed to look up to.

AP Story, here.

Correctional Officers steal credit cards from prisoners

Ran into a pretty sad story, where it was reported that two Baltimore correctional officers were caught stealing credit cards from inmates they were processing into jail.

John-John Williams IV of the Baltimore Sun reports:

Two corrections officers from the Central Booking and Intake Center were arrested yesterday and charged with stealing credit cards of people under arrest.

Lontona Maria Webb, 38, of the 3600 block of Clarinth Road and Latoya Renee James, 24, of the 1300 block of Dalton Road each face multiple counts of credit card fraud, identity theft and misconduct in office, according to charging documents.
The authorities investigating the case aren't commenting because the investigation is still underway.

It also appears that the Baltimore Sun and an attorney, who was arrested (charges later dropped) are responsible for alerting the authorities that their jail needs a little cleaning up:

Nicholas Panteleakis, 34, a city public defender, said that his credit card was used to make nearly $1,000 in fraudulent purchases at McDonald's, Target and a gas station.

Panteleakis said that his credit card company took care of all of the fraudulent charges.

The Sun detailed Panteleakis' claims of fraud at Central Booking in February. At that time, Panteleakis said he discovered that someone had used his credit card within six hours of his release from Central Booking. He said he believes the card was stolen after his wallet was checked as property at the facility when he was arrested on one count of loitering, a charged later dropped. He immediately canceled his credit card.

"If it wasn't for my access to the media and other avenues, I don't think anything would have become of it," he said. "People would still be having their stuff stolen from them."

As a result of this, officials at the jail have had video surveillance cameras installed to watch the area, where personal property is inventoried.

It's sad when we discover those, who have taken a sacred oath to uphold the law, violate it. They damage the reputation of their profession, and all the fine people, who take this oath seriously!

Unfortunately, this isn't the first time, I've done a post, where a correctional officer (and some Jet Blue employees) were stealing credit cards:

Airline employees and correctional officer arrested for credit card fraud

Baltimore Sun story, here.

Sunday, July 29, 2007

The Coalition Against Domain Name Abuse seeks to disable Cybersquatting

Cybersquatting is where people, who may have less than honorable intentions, set up a website with a domain name that appears to be a trusted brand, or organization.

Often, these domains are then used to commit financial crimes on the Internet.

In most of the recent disasters, most notably the Katrina hurricane, some of these look alike domain names were sold for a lot of money.

Sadly, these look-alike domain names, which victimize people and businesses, are being sold legally.

These look alike domain names are used in phishing scams, also. If you ever want to see a lot of fake websites, that appear to be real, visit Artists Against 419 and go to their Lad Vampire page.

Dibya Sarkar of the Washington Post is reporting about a coalition lobbying Congress to stop making this activity (like most crime on the Internet) too easy to accomplish:

Well-known companies such as Dell Inc., Yahoo Inc. and Marriott International Inc. are lobbying Congress for tougher laws targeting online scammers who profit from their brand names.

United as the Coalition Against Domain Name Abuse, 10 companies have hired the law firm Alston and Bird LLP to persuade federal lawmakers of the need to crack down against those who claim Web addresses, or domain names, that include _ or even resemble _ a legitimate company's trademark.

Washington Post story, here.

The coalition has set up a website, that anyone can join:

The Coalition Against Domain Name Abuse

The Post article failed to mention all the businesses backing the coalition. The entire list is located, here.

Orange County processing traffic citations in Mexico outrages citizens

If you get pulled over in Orange County in Southern California, the information for their traffic court system is likely to be processed in Mexico.

Gordon Dillow of the OC Register did an interesting editorial about this phenomenon and the subsequent fear and outrage this has caused among Orange Country residents:

The furor over Orange County Superior Court's "outsourcing" of traffic ticket processing to Mexico is understandable. After all, it brings together two issues of great concern to many people in this county: The outflow of jobs beyond our borders, and a deep distrust of our largely poor and widely corrupt neighbor to the south.

And it kind of makes you wonder what the boys down at the courthouse were thinking.

Sadly enough, Gordon points out that although the concerns over this are valid, getting people's personal DMV information isn't very hard to accomplish North of the border, either.

Interesting perspective by Gordon, here.

Until we address the issues that enable the mass abuse of people's identities, the problem will probably continue to grow. The problem always seems to be someone's bottom line and how far they are willing to go (at the expense of people) to make it fatter.

Lifelock CEO's identity theft case dropped - authorities cite coercion as the reason

No one can dispute that Lifelock -- the identity theft protection company offering a million dollar guarantee -- is pretty aggressive in their marketing tactics. They pay everyone from bloggers to the likes of Howard Stern, Rush Limbaugh and Fred Thompson to promote their products.

It now appears that marketing isn't the only thing they are aggressive at.

Recently, as a result of a New Times article, their founder Robert Maynard stepped down from his position after it was suggested that his stories of being an identity theft victim weren't exactly one-hundred percent accurate. Even more damaging was an allegation that Maynard used his father's identity to secure a American Express card that went bad.

The identity theft story had been often heralded as one of the reasons behind the Lifelock business concept.

Even though Maynard stepped down, it appears he is still making money from Lifelock and hawking it's products. At the time of this announcement a rumor came out that Todd Davis, Lifelock's CEO -- who plasters his social security number all over the Internet to show his confidence in Lifelock -- was himself a victim of identity theft.

It has now come to light that Mr. Davis wasn't happy with the Texas authorities sense of urgency on his personal matter and took it upon himself to send a film crew and Lifelock representative (private-eye) to his evil twin's house to get him to sign a prewritten confession.

Apparently, the suspect was told to either sign the prewritten confession and agree to community service, or the Police would be out to arrest him. None of the articles, I read indicated, whether or not, the suspect had any part in preparing the prewritten confession.

In defense of the authorities concerned, there is a lot of identity theft to investigate. It turns out they were waiting for additional evidence to tie the suspect into the use of Davis' identity. The evidence they were waiting for was records from ATT to verify the suspect's Internet Protocol address, which they had already subpoenaed.

Although, not specifically stated, this leads me to believe that the theft using Mr. Davis' identity was originated, where a lot of this type of theft starts, or on the Internet.

It also appears that the authorities had advised Davis to let them do their job, and he decided to do otherwise.

The person involved doesn't appear to be a very sophisticated identity thief. He is described by the Fort Worth authorities as "mentally disabled."

All I have to say is that it doesn't help Davis' marketing efforts when a mentally disabled person is able to commit identity theft using the social security number, he put up all over the Internet. Of course, the suspect in this case can't be considered very bright, either. Apparently, he got the social security number right off Lifelock's website, where Davis is basically daring someone to steal it.

I have to wonder if he wanted to get caught?

It doesn't seem reasonable when a film crew and private investigator use "pretty questionable tactics" (my opinion) to resolve the crime. Of course, this isn't only my opinion because the authorities in question have now dropped the case because of the sloppy investigative tactics referred to as "coercion."

To put this in perspective, this suspect, who is described as mentally disabled, stole $500.00 using Davis' identity, which is plastered on the Internet for all to see. According to the original New Age article, Maynard, who was or maybe still is his business partner, allegedly ran up a $170,000 tab using his father's identity.

We don't see Lifelock dispatching private eyes and a film crew to track down Maynard.

There was speculation when the original post came out on Lifelock someone was orchestrating a hit job on them. I don't know, if this is true, but Lifelock seems to leave themselves wide open for attack.

When reading about this post, I came upon a rather amusing summary of the Lifelock saga, written by Robert Cringley at InfoWorld entitled:

Dumb, dumber, and Davis

On a closing note, I am an advocate of pursuing identity thieves to the fullest extent of the law. However, we must always realize that in our zeal to do so, people have rights, which need to be protected, also.

There has been recent evidence of innocent people being charged with crimes because their identity was stolen. This makes it even more important to ensure that the person being charged is actually the guilty party.

Here is a post, I did about the wrong people being charged with a crime because their identities were stolen.