Saturday, August 18, 2007

Russian identity thieves target the rich and famous

Photo courtesy of CarbonNYC at Flickr

An interesting story hit the news this week about some Russian identity thieves targeting the rich and famous.

The ringleader was talked into meeting Federal Agents in the Dominican Republic, then entered the country (he believed illegally) and was arrested. Not very bright, especially given the clout of his intended victims.

Tom Fragala at the Truston Blog had some interesting and well thought out commentary about how the less rich and not so influential might be targeted in a caper like this.

In Tom's own words:

ID thieves going after the ultra-rich or celebrities is nothing new. That is not what makes this story interesting to me. It’s that the “ring” of thieves showed a bit of ingenuity in how it targeted the victims. The ring leader allegedly did public records searches such as home purchases. That’s right, if you purchase a home, then tremendous amounts of information about you is made available to anyone for a small fee. The law requires the information is made public via a UCC filing (uniform commercial code). Then using that information, such as the bank listed on the mortgage documents, and piecing together parts of your identity from other places, your financial accounts might be able to be compromised. In other words, if the thief knows your brokerage account is with Wells Fargo, the thief can then pose as you to authorize a withdrawal. Perhaps a wire transfer to Russia, Vanuatu or Nigeria.

And your bank is not necessarily going to come riding to the rescue and return your funds because, well, “they have to, right?” Not exactly. Can you name the US federal statute that provides consumer fraud protections for your brokerage or home equity account like FCRA does for your credit card? Don’t waste your time, it doesn’t exist. What about the Federal Trade Commission, don’t they help you? Nope, they have no jurisdiction. Banking oversight is handled by a hodge podge of agencies depending on where and how your bank/credit union is chartered.
According to the story, the information to do this was data mined online (probably from a County or State website).

Too much personal information being stored on government sites is a huge problem. Recently, I did a post about Betty Ostegren a.k.a. (also known as) the Virginia Watchdog. Betty actively goes after State and County governments, who leave information on their sites that could be used to commit identity theft, or worse. Although, a lot of sites have pulled some of the information off their sites, it's still a major problem.

When I was working on the post, Betty was able to show me how she has been able to view the personal information of a lot of prominent people from the comfort of her home.

In this instance, the crooks were caught, but the amount of money they almost got away with is scary.

Truston blog post, here.

Tom is the CEO of Truston, which is the only identity theft detection/recovery service (that I know of) that doesn't require you provide all your personal information to them. They are also unique in the fact that their detection (prevention) services are free.

A lot of identity theft services out there require you to surrender all your information and even give them your power of attorney.

As evidenced in the recent Certegy data breach, a dishonest employee, who has been given access to the information can compromise the best computer security. Besides internal compromises, external hackers seem to still be able to get into databases. TJX was recently compromised by hackers, who stole about 45 million personal and financial records.

A lot of their critics were quick to point out that they shouldn't have been storing some of this information in their proprietary databases.

Interestingly enough, one of main principles of PCI (Payment Card Industry) data security standards is to not store information in too many different places. These standards were set by the payment card industry to protect information, but as of this writing, not everyone has adopted them.

This is a Catch 22 (no-win) situation because (I suspect) many merchants store information to avoid chargebacks for fraudulent transactions.

I've often wondered how quickly this would all get fixed if compliance was mandatory to accept debit/credit card transactions?

Storing our personal and financial information in too many places is probably one of the root causes of the problem with data breaches.

Friday, August 17, 2007

Are fraudulent practices partially to blame in the current mortgage crisis?

We seem to be facing a looming financial crisis because of irresponsible lending practices that enabled a lot of people to buy property that was beyond their means.

Many will blame the people, who took out the mortgages, but are there other factors bear consideration when looking into the cause?

Although fraud hasn't been cited as a reason, government investigators might be pretty busy in a effort to discover why this problem occurred.

The Herald Tribune is reporting:

Within the next six months, it should be clear how regulators will proceed against those companies, said Michael Malloy, a former enforcement official of the U.S. Securities and Exchange Commission.

"Odds being what they are, somebody's going to get hooked," said Malloy, who now teaches at the McGeorge School of Law, part of the University of the Pacific. "From an investigative point of view, they'll be looking at how much of this was the result of stupidity and misfortune and how much is broader manipulation."

The broader manipulation could include failing to appropriately disclose the value or the risk of securities backed by subprime loans, which could constitute fraud, experts say.
Mortgage fraud is a bigger problem than most people think.

A good place to learn about all the various schemes and who is getting caught committing mortgage fraud is the Mortgage Fraud Blog, which can be viewed, here.

Herald Tribune story, here.

Class action law suit filed against Certegy for data breach

Data breaches are likely to become costly to organizations who fail to protect their information. The TJX data breach (45 million people and counting compromised) has inspired several legal actions in both the United States and Canada.

Now a similar action is being brought against Certegy, a check verification company, who had an insider sell information to a still (as far as I know) undisclosed data broker.

An August 15th press release announced:

The law firm of Girard Gibbs LLP ( has filed a class action complaint on behalf of approximately 8.5 million consumers nationwide whose financial and personal data was stolen by an employee of Certegy Check Services, Inc. and Fidelity National Information Services, Inc (NYSE: FIS) and released to unauthorized third parties. The complaint alleges that a senior database administrator misappropriated the confidential information of millions of consumers and then sold the data to direct marketing firms and data brokers who may have resold it to others.

Certegy and FIS had a duty to safeguard the confidential data of consumers from any breach, including that of their employees. Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner,” said Eric Gibbs, one of the attorneys for the plaintiff. “The failure by these companies to make the internal data breach immediately known exposed consumers to direct marketing campaigns and the risk of unauthorized use of their bank accounts and identity theft.”
This case is interesting because it involves customer information that was obtained at merchants, who used the service to verify whether a person's check, or sometimes payment card was good.

I wrote a couple of posts about Certegy, which received a lot of comments. One comment (in my opinion) by a "Risk Manager" opened up another can of worms:

I think there is a bigger issue here that Certegy does not "own" the data that was stolen but in fact it is records of Certegy customers like businesses that contract Certegy for check-cashing services. I would ask Certegy to confirm what they store on their systems, how long they store it and why bank account and credit card numbers are stored AND investigate if Certegy violated any Visa/PCI mandates.

This seems to be a reasonable question, especially in light of some of the more high profile data breaches, we've recently seen. However in this instance, since all it takes is one person (who has access) to compromise information, it probably wouldn't have made much difference.

The reality is that Certegy sells the fact that they store a lot of information on people to merchants. Without this information, they wouldn't have a service to sell.

Nonetheless, the statement does warrant consideration as to how well third party databases are protected, especially when they contain detailed personal and financial information?

I'm not sure why the data broker, who bought the information hasn't been identified? They are responsible for buying and selling information all the time. Information is worth money and is being sold (some believe haphazardly) all the time.

Recently, it was disclosed that a data broker sold lists targeting elderly gamblers to sweepstakes (lottery) scammers. New York Times article, here.

Current laws enable financial institutions to sell your information, unless you go through a pretty complicated process of opting-out. They are required by law to notify you of your rights, but these are often sent out via snail mail and called "privacy notices." I've often made the mistake of thinking they were junk mail and shredded them.

They don't make it easy for the average person to protect their information.

I wonder how much personal information is sold to people that shouldn't be getting it? Even if we manage to opt-out today, how much of our information is already stored on a database somewhere?

Since the people enabling information to be compromised are making billions of dollars by selling it -- perhaps more of these lawsuits are one way to hold them accountable and bring some sanity to what is becoming a situation -- which seems to get worse all the time?

Of course, more laws to protect consumers are needed, also!

As I stated earlier, this is going to be interesting. I don't know where it will go, but maybe this is a signal to the people data mining our information to wake up and smell the coffee?

If they don't, they might end up dealing with a lot of litigation, which is always very costly.

It also might put them out of business. Dark Reading did an article this week about another third party vendor Verus, who folded after it was disclosed that they lost a lot of people's information from several hospitals. The point of compromise in this situation was the failure of some IT people to leave a firewall up when transferring information between servers.

Here are my two previous posts on the Certegy breach:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Sunday, August 12, 2007

Identity theft, the crime that can follow a person for years!

I first started reading David Lazarus at the San Francisco Chronicle early in 2006, when he wrote about a huge data breach that was later tied to Office Max. Please note that Office Max never quite admitted to being the point of compromise.

That data breach was tied to payment card fraud that spread quickly across the entire country.

Since then it's become very apparent that hackers have been targeting merchants for the credit/debit (payment) card information they've been storing in not very safe places.

David has left his digs at the San Francisco Chronicle and now writes for the LA Times.

In what appears to be his first story for them, he wanted to let his readers know:
The honchos here at the paper say I should devote my first column to introducing myself. At the moment, there's only one thing I want anyone to know about me: I'm not Derrick Davis.

And I want this guy out of my life once and for all.
David understands the frustration a lot of people go through when someone takes over their financial life.

In David's case, the person who stole his identity wasn't even here legally. Apparently, he was also able to use a social security number that didn't match his name to run up lines of credit and open checking accounts. It's amazing that the credit was issued, when discrepancies like these existed.

Davis was eventually caught, but only because David worked the case himself and had a sympathetic soul (Postal Inspector), who took the information for action.

Even then since Davis was an illegal immigrant, the worst that happened to him was being deported to Jamaica.

Trust me, catching an identity thief is rare and hard to accomplish, unless you know the right people. The odds of not getting caught are 99 to 1, according to statistics.

All of this occurred in 2003 and David is still suffering from the episode.

When he moved to LA from San Francisco and tried to buy a new house, David discovered that the credit bureaus were still listing some of the bad debt Davis created. The mortgage company even suggested that David pay the debt Davis had incurred to allow their deal to go through on schedule.

Being well connected, David was able to get a couple of comments from Linda Foley at the Identity Theft Resource Center:
The question is not if you'll become a victim of identity theft. It's when. It's the crime that keeps on giving. It's the never-ending story.

You think you get everything solved, and then it's like a ghost that reappears.

I'll follow David's work to the LA Times. I've always found him to be an excellent read and very knowledgeable on this subject. He has educated a lot of people this growing problem, and even has helped enact laws that protect people from this crime.

When I first started reading his articles, I had just discovered my information had been stolen in the compromise that Office Max never admitted to.

I guess I'll have to keep wondering if that unfortunate episode will come back to haunt me sometime in the future.

David's introduction to his new readers at the LA Times, here.