Saturday, August 25, 2007

Monster.com might be sending you a letter that your information was compromised



If you posted your information for a job on Monster.com, you might be getting a letter notifying you that your personal details have been compromised:

Joseph Menn of the Los Angeles Times is reporting:

Monster.com said Thursday that 1.3 million users had personal information stolen by criminals who hacked into the job-placement website. The company said it would warn each of the victims by mail.

Monster parent Monster Worldwide Inc. said it identified the victims after analyzing the data found this week by computer security firm Symantec Corp., which had estimated that hundreds of thousands of people were at risk.


In this latest data breach, it is being reported that only names, addresses and e-mail addresses were stolen. This information will likely be used to lure potential job candidates into what are known as job scams.

In a job scam, a person is recruited into cashing bogus financial instruments, or laundering the proceeds of Internet crime. In most instances, these bogus employers will request a lot of personal and financial information (supposedly to vet the new employee), and this is probably where someone would put themselves at real risk of becoming an identity theft victim.

The LA Times article also stated:

Also Thursday, some Monster users said they had received such e-mails as far back as February.

Since job scams are nothing new and Monster isn't the only site where scammers gather information to lure people into doing their dirty work, it's very possible that the current data breach has nothing to do with the e-mails going as far back as February.

I've seen these types of e-mails going back a lot further than February.

Here is a previous post I did, with an emphasis on the social engineering aspects of job scams:

Internet criminals stealing information from job sites isn't anything new!

LA Times article, here.

7-Eleven Clerk accused of stealing winning lottery ticket from customer

This story shows why it might be important to be careful when checking your lottery ticket at your local 7-Eleven.

Art Campos at the Sacramento Bee is reporting:

A man who went to a 7-Eleven in Roseville to check on his lottery tickets had picked the right numbers, but state officials said it was the clerk who almost hit the jackpot.

The female clerk told the customer he won $4 on his Mega Millions picks for Aug. 14, and then pocketed his winning ticket worth $555,000, California Lottery officials said.

However, the clerk's alleged scheme fell apart after the unnamed victim became suspicious and called lottery officials.

It turns out that the California lottery officials were not very amused:

Donald Currier, the lottery's chief legal counsel, said it was the second time in two years that a retail clerk had been arrested for allegedly stealing a winning ticket.

"To any clerks out there who think they can steal a winning ticket, we'll get you," Currier said. "Clerks just don't get away with it."

Apparently, this also happened in 2006 in Southern California.

Lottery security officials recommend you always sign your tickets. This will make it a lot harder for a dishonest employee to try to take advantage of the situation.

Sacramento Bee article, here.

Friday, August 24, 2007

Internet criminals stealing information from job sites isn't anything new!

The recent reports about 1.3 million Monster users having their information stolen from the job site have become somewhat of a major news story. While this seems shocking, the truth is that job sites have been targeted for the information they contain, or to recruit people to commit crimes (sometimes unknowingly), for quite a while now.

Jim Finkle at Reuters (courtesy of the Washington Post) recently covered this story:

Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.

Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc said were stolen from its clients, in one of the biggest Internet security breaches in recent memory.

They launched the attack using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program known as Infostealer.Monstres, said Patrick Manzo, vice president of compliance and fraud prevention for Monster, in a phone interview.

Symantec, which broke the story, has published some examples of the fake job offers being sent to people posting their resumes on Monster, here.

People can protect themselves by being aware of the social engineering aspects of these scams. The job offers are always too good to be true and normally don't make very much sense.

Most of them are ploys to either cash bogus financial instruments, or launder the proceeds of Internet crime. Another red flag is that the employee is solicited to wire money, normally across an international border.

The employee (victim) then ends up financially liable, and in some instances, can even end up facing criminal charges. In most areas, cashing bogus financial instruments and money laundering are considered crimes.

The scammers who offer these jobs intend to get someone else to take all the risk for them, while they reap most of the financial rewards.

Monster isn't the only place where this happens. The risk is there on just about any of the Internet job sites, including Craigslist.

If you use these sites, it's a good idea to verify who you are talking to before accepting a job offer.

The Privacy Rights Clearinghouse has an excellent page about job scams on their website, here.

Because these fake employers gather their victims' personal and financial information, the victims are also likely to become identity theft victims.

The page on the Privacy Rights Clearinghouse site also gives good advice on how to deal with this.

The good news is these scams are pretty easy to spot and a little awareness can prevent them from happening altogether.

Reuters story (courtesy of the Washington Post), here.

Tuesday, August 21, 2007

The sad state of affairs in the information (identity) theft crisis

It shouldn't surprise anyone that data breaches are becoming more prevalent than ever, or that identity theft is up fifty percent since 2003.

Robert L. Scheier (courtesy of InfoWorld) wrote an article about this that is getting a lot of play in the press:

Today's electronic world is a risky place for your personal data -- and it's not getting any safer. More than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005, according to The Privacy Rights Clearing House, a nonprofit consumer rights organization.

As fast as banks, merchants and consumers add new layers of security to their storage systems and network, say security analysts, new technologies -- or simply careless users -- create new security holes that aggressive and sophisticated identity thieves eagerly exploit. The result, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., is that "things will get worse before they get better."

Whether information is being stolen by phishing, pharming, hacking, insider theft, or common dumpster diving - the problem seems to be growing by leaps and bounds.

An interesting aspect, which I've covered in previous posts, is that criminals seem to be using technology as a marketing tool - just like their counterparts in more legitimate businesses:

Criminals are also getting smarter. Larry Ponemon, chairman and founder of Ponemon Institute, which conducts research on privacy and security issues, calls it "inverted customer relationship management," in which criminals target the wealthiest individuals for their attacks.

Some are even buying marketing lists to piece together profiles of "who's got the Platinum [American Express card] and who's got the account with Merrill Lynch and who doesn't," says Litan.

I found this particularly interesting because a reasonable person would have to ask: who is selling them these lists?

In the most recent high-profile data breach to hit the news, at Certegy, a dishonest insider sold the information to a broker. Interestingly enough, as far as I know, this information broker has yet to be identified. The next question might be - who did the information broker sell the information to?

Recently, another data broker (InfoUSA) was pegged for selling marketing lists to sweepstakes scammers.

Perhaps PogoWasRight, who states "We have met the enemy and he is us," hits the reason for the problem right on the nose.

A lot of people are making billions, if not trillions of dollars making it easy to use information. So much information has been plastered in so many places, we seem to have lost track of it all.

This gives the criminals behind this phenomenon a lot of places to steal, or even buy everything they need to commit identity theft.

Another sad statistic is that these criminals seem to rarely get caught. Pretty sure the last statistic I saw was less than 1 percent. This makes it a pretty lucrative criminal enterprise to be involved in.

Despite this, we still don't have a law that addresses data breaches?

With the elections coming up, perhaps we should be asking our elected leaders why this is the case.

The only way to turn this trend around is to make everyone involved in it more accountable.

Interesting article by Robert L. Scheier, here.

The article mentions statistics gathered by the Privacy Rights Clearinghouse, which I quote frequently. Other places that gather information on this are PogoWasRight and Attrition.org.

And all of them will be the first to tell you - these are only the breaches we know about. The mysterious criminals stealing the information would rather not disclose who they are stealing it from. Of course, the people getting the information stolen from them would probably rather not make it public, either.

Sunday, August 19, 2007

A look into Arizona's identity theft and counterfeit document problem



I've done a couple of posts about how new employment verification laws are likely to cause more illegal immigrants to use real identities. In the not too distant future, Social Security numbers will probably have to be tied to a real identity to meet federal employment eligibility requirements.

Arizona -- which already ranks extremely high in incidents of identity theft, according to the various studies conducted on the subject -- might be on the front line of a new effort designed to stem the flow of illegal immigration.

Daniel González (Arizona Republic) did an interesting story on this issue in Arizona:


Arizona's new employer-sanctions law requires companies to verify worker eligibility through a federal database. Lawmakers in other states also are taking steps to make it more difficult for illegal immigrants to use fake documents to land jobs, hoping the crackdown will cut down on illegal immigration. And under new rules announced last week by the Bush administration, employers risk prosecution if they don't fire workers whose names and Social Security numbers don't match.

But nobody thinks the fraudulent-document industry in Arizona will dry up and disappear. If anything, it's going to get bigger and more sophisticated as criminals who make fake documents adapt to meet demand. The database can't flag documents made with stolen identities, where the names and numbers match. As a result, a proliferation of fraudulent IDs, combined with identity theft, could undercut the employer-sanctions law.

In July, Arizona signed a pretty tough law designed to go after employers who hire illegal immigrants:


In July, Gov. Janet Napolitano signed a tough employer-sanctions law aimed at turning off the job magnet that draws illegal immigrants. The law, which takes effect Jan. 1, revokes business licenses of employers caught knowingly hiring illegal workers a second time. It also requires the more than 150,000 licensed Arizona employers to run Social Security numbers and other data for new employees through the federal Basic Pilot Program, an electronic verification system. Arizona businesses employ about 2.6 million workers.

Two other states, Colorado and Georgia, have passed similar laws.

Daniel's interesting article goes on to give some scary (real world) examples of how easily counterfeit documents are obtained.

In the article, Daniel cites an Arizona Task Force, which was able to get all kinds of counterfeit documents using names of known terrorists.

The crooks and gangsters behind data breaches -- which frequently make the news, and already provide a lot of information to criminals in too many places, including Internet chatrooms -- are probably gearing up to sell to a potentially large market segment (20 million people).

Of course, a lot of legitimate businesses are already marketing to this segment of society. How many times do we hear, "press 1 for English..." when using the services of a lot of the businesses out there?

It's become easy to counterfeit documents and too much information has already been compromised. A lot of these documents are produced in apartments and garages, using portable technology, easily purchased from a variety of sources. It doesn't take a lot of expertise to accomplish what causes a lot of damage to the person who has had their identity stolen.

The criminals selling the information and producing the counterfeit documents don't really care who is buying them as long as they are getting paid.

There is no easy solution to this. There are a lot of reasons, from the rights of the middle class (who foot the bill for all of this) to our health and well-being, which dictate that stronger action needs to be taken.

I just hope we aren't planning to take half-steps and end up with a bigger problem.

The key would be to look at the enabling factors, which make it pretty easy to use someone else's information. The government, financial, retail and IT sectors need to start working together instead of against each other. Recently, this problem seems to be turning into a blame game, where everyone seems to be blaming each other.

Hopefully, most of them are already taking measures to do this. Getting caught losing information doesn't exactly inspire consumer confidence, or the trust of the voting public.

Besides that, it's getting more and more expensive to clean up the mess that this problem causes. Maybe the cost (money involved) will be what finally gets a few people's attention!

Daniel González's very interesting article, here.