Saturday, September 15, 2007

Another 6.3 million people's information stolen at Ameritrade

According to the AP, Ameritrade is reporting that someone hacked into their systems and made off with 6.3 million people's information:
Online brokerage TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority and local authorities.
Allegedly, Ameritrade has known about this for awhile and it might have been the threat of legal action, which prompted them to come forward now:

But Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade's servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

"They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language," Kamber said.
While maintaining confidentiality in an investigation is sometimes necessary, you would think that someone might want to warn the 6.3 million people, who were affected by this?

They might want to start monitoring their finances, carefully.

In addition to this, the stated need for confidentiality is coming from Ameritrade and not a law enforcement source involved in the investigation. The claim that a federal hearing might have forced disclosure might make some wonder about the credibility of what is being said, also.

The verbiage used in the Ameritrade press release states that social security numbers don't "appear" to have been taken is a little scary, also. Does this mean that they aren't sure?

Why would a hacker only take contact information, when social security and dates of birth were available in the same database, also?

My guess is that dates of birth and social security numbers would make the information more valuable to the hackers, who compromised the system.

The press release does state that account numbers and passwords were in a different database, and were not compromised.

Security and identity theft experts are speculating that the information taken could be used to phish for additional information, which then could be to commit identity theft. Phishing is where an e-mail from an official looking, but spoofed (impersonated) source tricks someone into giving up sensitive information.

Tricking people into giving up their information is also known as, social engineering.

Crimeware might also be used to steal the additional information. Once downloaded crimeware, steals information from a system automatically, normally using keylogging software. Crimeware can be picked up by clicking on the link of a phishy e-mail.

According to the Anti-Phishing Working Group, who studies this carefully has reported crimeware use is on the rise. One of the reasons for the rise in crimeware is that DIY (do-it-yourself) kits are being sold on the black market. This allows less sophisticated criminals to get into the game.

The CNet version of the story, quotes Graham Cluley (Sophos) as speculating how Ameritrade's system was probably compromised:
"There are only two different ways this could have happened. There was either a vulnerability with their Web site and it was hacked, or someone internally gained access with a Trojan horse."
Ameritrade has hired ID Analytics, Inc. to monitor what is going on and determine if any identity theft occurs out of all of this.

They are also providing additional information on their site about this unfortunate event for their customers.

The TJX data breach, which compromised over 45 million people, has caused a lot of uproar about how data breaches should be handled and who should pay for them.

Class action law suits are being brought forth and legislation is being introduced to determine, who pays for all the damage, when a data breach occurs.

This is becoming extremely costly for the companies being breached. The last report I saw about the cost incurred so far by TJX is $256 million. The sad thing is that I doubt this is the final figure.

Legislation in California is awaiting Arnold Schwarzenegger's signature, which will require retailers to reimburse financial institutions for the cost of fixing breached financial data. Interestingly enough -- in this data breach and the last major one, I've written about (Certegy) -- the data was not stolen from a retailer.

The Privacy Rights Clearinghouse, PogoWasRight and all compile information on data breaches, which happen so frequently, they are becoming almost "too routine" news events.

If anyone, who was has been affected by a data breach wants independent advice on what to do if you become an identity theft victim, the Privacy Rights Clearinghouse has a very informative page about this, here.

AP story by Josh Funk, here.

Internet crime victims report counterfeit American Express gift cheques being sent to them!

Scam (too good to be true) lure courtesy of miriyaparino at Flickr.

Counterfeit checks like all the ones recently discovered by an International law enforcement team being sent from Nigeria aren't the only bogus financial instruments being sent all over the world.

In this recent effort against this activity, over 15,000 counterfeit instruments were discovered in a months time.

For the past couple of weeks, I've received a lot of e-mail and blog comments from people receiving counterfeit American Express gift cheques in the mail with instructions to cash them and wire the proceeds (minus a paltry commission) back to the sender (scammer).

The reason for all the e-mails and comments are because of previous posts, I've written about these counterfeit financial instruments.

Other than having their financial world ruined, there are reports of people getting arrested after trying to pass some of these instruments. One victim recently wrote me after discovering she had been scammed -- and told me that when she tried to report her problems to the authorities, they advised her to seek legal advice before proceeding -- or she might be charged with money laundering.

The American Express gift cheques can be verified by calling 1-800-525-7641.

Counterfeit MoneyGram and U.S. Postal money orders are still also being sent to people as payment for goods, or in too good to be true lures that are nothing more than a scam.

A lot of these bogus financial instuments come from work-at-home scams, secret shopper, romance, lottery and auction scams. New varieties of these scams appear from time to time, but the common denominator in any advance fee (419) scam is that it is too good to be true and it makes little, to no sense.

Another common denominator in most of these scams is that they will try to get you to wire money. Here is what I wrote about this in a previous post:
The fraudsters want you to cash these counterfeit gift cheques and send (normally wire) the money back to them. When they are discovered to be fraudulent -- you end up taking the "rap" for the scammer and they disappear in an "electronic mist."
If you've received any of these items in the mail, I've compiled a lot of information on how to identify them and report them to the right people, here.

Another development being seen is that real scammers are getting their hands on these instruments, who have no intention of wiring any money, anywhere. In effect, they are scamming the scammers. This makes it a lot harder to figure out, whether or not, a person is a victim or a scammer. Maybe this is one of the reasons more people are getting arrested?

Of course, if the victim never wired the money, they are probably lining their own pockets (my opinion).

The bottom line is that falling, or getting involved in one of these scams can cause you a lot of financial pain and suffering and you might even get into worse trouble.

Friday, September 14, 2007

Attacks on scam fighting sites prove that they are making an impact against Internet crime!

Just got a comment on my post, Anti scammers under attack by Storm botnet from the folks at Artists Against 419 stating that their site is back up after being under a DDOS (Distributed Denial of Service) attack.

After seeing this, I ran into a good article covering the recent attacks on anti-scam sites by Erik Larkin at PC World (courtesy of InfoWorld). In the article, Eric quoted Paul Laudanski as saying:
"The criminals are in it for the money," he says. "It's a huge business for them. [But] we're in it for the feeling that we get being on the side of right."

So this assault shows that "these sites are definitely doing something right," he says, "because we've got the attention of these scammers. It gives us greater resolve."

PC World story, here.

CastleCops is a great place to learn about the sometimes murky waters of the Internet. CastleCops also runs (PIRT)-The Phishing Incident Reporting and Termination Squad, where volunteers report and take out the bad guys, who make life on the Internet a pain for the rest of us. They are always looking for volunteers to help then fry phish called "handlers," and people, who are willing to forward their phishy e-mails to them.

PIRT takes these sites down and makes sure they get reported to all the appropriate places, including law enforcement.

The Artists Against 419 state what they do on their main page:

The Internet is great, isn't it? It's a magical place, where you can buy anything you want, meet new people, find information... and lose all your money to scammers.

We've never liked that last part, so we started to fight back. Over time our art has evolved, and we now maintain the largest online repository of web sites used in internet fraud.

We offer a complete public interface for our site visitors, as well as database access through webservices which can be used for automated retrieval of fake bank entries. Web browser toolbars use our database feed to warn users that a site they visit is a fake company run by scammers. But most importantly, we continue to build better relations with other anti-fraud organizations and webhosting companies, to pursue our goal of ridding the Internet of fraudulent web sites.
Both of these organizations are run by volunteers that care. They can always use the support of the people they protect. If you get a minute, I recommend taking a look at them to see what they are doing to make the Internet a safer place.

We should all "resolve" to give these fine people our support!

CastleCops has a new online forum about the DDOS attacks, here.

Priest convicted on fraud charges

It never seems to amaze me, who gets caught committing fraud. Here is a story that confirms that fact. A former priest has been convicted of stealing a lot of money from his flock and the Church.

A former priest pleaded guilty to stealing hundreds of thousands of dollars from his church by setting up secret bank accounts to pay for a life of luxury, including traveling around the world and buying a condominium.

The Rev. Michael Jude Fay, who resigned last year as pastor of St. John Roman Catholic Church, pleaded guilty Wednesday to interstate transportation of money obtained by fraud. He faces up to 10 years in prison, a $250,000 fine and must pay restitution.

Prosecutors said Fay took between $1 million and $2.5 million over seven years, but the priest has disputed that. He admitted taking between $400,000 and $1 million.
Of course, using religion as a guise to cover wrongdoing is nothing new. Last I heard, the Church is still settling a lot of litigation for sexual predators posing as men of God.

AP story by John Christoffersen, here.

Here is a previous post, I did in the same vein:

Fraudsters Use Religion to Cover their Misdeeds

When considering our privacy, who should we fear more -- the NSA, or the communications companies?

I then came upon a story that explains one of the reasons why communications companies might be in such a hurry to bundle communications services.

Frequently, we see articles about the NSA violating people's privacy. Recently, there was quite a stir about certain communications companies, who were providing them with a lot of personal information.

Who should we fear more, the NSA, or the communications companies?

David Lazarus (LA Times) did a really interesting story of how these new bundle communications deals have you agree to a thousand word privacy policy, which essentially allows them to share your most personal details with just about ANYONE!

Selling and reselling people's information has led to a loss of privacy and is probably the root cause of a lot of identity and information theft. While selling information to the NSA makes good press -- on a personal level, I fear other entities -- who steal and (sometimes buy) this information a lot more than the NSA.

Of course, this is is my opinion, but trust me, I can back it up.

The motivation to gather all this personal information is simple, it's worth a lot of money.

Here is an excerpt from David's story, which I highly recommend anyone link to and read.

"All your eggs are in one communications basket," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "If a company wants to, it can learn a great deal about you -- and it probably wants to."

More often than not, it'll also want to turn a fast buck by selling at least a portion of that info to marketers.

All leading telecom companies are aggressively pushing these bundled service plans after investing billions of dollars in high-speed digital networks. For consumers, the upside is often a hefty savings compared with acquiring the same services from multiple providers.

The downside is that you're making intimate details of virtually all your network activities available to a single company -- and possibly government officials.
David Lazarus's story can be seen by linking, here.

Another thing to be careful of are marketing promotions from some of these companies, which expire at a certain point.

If you fail to cancel, or renew them, the price of them frequently explodes to an unreasonable (higher than market) cost.

Most of them do claim (if you bother to call and ask why) to have sent you a notice in the mail. Problem is they look just like all the other junk mail (marketing) offers that we frequently throw into the shredder without reading.

Best bet is to (if possible) put a reminder on your computer to cancel, or renew the deal.

Privacy notices and marketing promotions seem to have a lot of fine print. Here is another post, I did about privacy notices:

Not answering a Privacy Notice gives the sender permission to sell your personal/financial information

Here is another interesting article from the Electronic Frontier Foundation on this subject about a call by "Representative Edward J. Markey to launch an investigation into violations of customer privacy by the major telecommunications companies."

Sunday, September 09, 2007

Anti scammers under attack by Storm botnet

I happened to be checking out the Artists Against 419 site (one of my favorites) and discovered that the site is under a pretty nasty DDOS attack.

But apparently, it doesn't stop there. I found this on SlashDot written by capnkr and posted by CowboyNeal:

"It looks like the efforts of the anti-scammers at sites like 419eater, Scamwarners, Artists Against 419, and possibly others have become the target of the Storm botnet. Spamnation has a post about it, and as of this writing none of the above listed sites are responding. Spamnation reports that CastleCops and other anti-spam forums are being DDoSed as well.

Sounds like a massive, concerted effort against the folks who are fighting the good fight. Although I hate it for the owners and admins of the above sites, I think it shows without a doubt that their efforts to 'get back' at the scammers are working."

CastleCops has given some temporary hosting to the Artists, and has a forum discussing the current attacks, here.
The scammers have been going after CastleCops for quite awhile now, and it appears that this time, they were unable to do much damage.

Last week, I did a post about blogger accounts becoming infected by the storm worm. This phenomonen was discovered by Alex Eckelberry, CEO Sunbelt Software, who is a blogger user, also.

The sheer power of the Storm botnet is said to rival the power of the world's top super computers. Wikipedia has been keeping up on the developments regarding it, here.