Saturday, September 29, 2007

Tools to verify those too good to be true financial instruments you got in the mail


(Counterfeit check picture courtesy of cknlomein at Flickr)

There are a record amount of counterfeit cashier's checks, official checks, money orders, travelers and gift cheques in circulation. This is an attempt to pass on information that the average person can use to tell IF the item is real or a counterfeit (fake).

As a disclaimer -- this is only a guide and if you deposit or cash items from people you don't know -- you do so at your own risk. The quality of these items is getting better all the time.

I’ve put together a list of the known counterfeit items in circulation, along with the current telephone numbers to verify them. You will probably receive these items after being lured with a (too good to be true) get rich quick scheme that doesn't make very much sense.

The best method to verify an item is to go to the maker, or issuer of the check (cheque). They probably will know if they issued it. The key here is to make sure you are speaking with the real issuer (maker) of the item.

Never trust a number provided on the instrument, fake telephone numbers are sometimes set up that will even verify in 411 (information).

Simply stated, as long as the communication companies think they are being paid, setting up a fake number is no problem. We are seeing fake numbers set up by scammers pretty frequently.

Since these numbers are often set up in 411 (information) rather easily, I recommend using Phonevalidator.com. This site provides a service that shows if a number belongs to a cell, or a land line. It also provides telephone directory and Google results for the number queried.

Quite often, fake numbers set-up to verify checks are cell phones.

The Internet is a good way to find the true issuer (maker) of an item. The key is to make sure you are visiting a legitimate site.

Fake websites (especially those pretending to be financial institutions) are a growing problem, also. An easy way to check if a site is legitimate is by using TrustWatch, which verifies whether a site is known (trusted) or not.

If you are interested in taking a look at some fake sites, claiming to be financial institutions the Artists Against 419 has some great examples of them on their site.

A common denominator in most of the scams is that there will be a request to send the proceeds, minus your paltry cut (normally via wire transfer) back to the person sending you the instruments. That is (unless) they are buying goods from you. In this case, your property is what they want you to send to them.

Some of these lures include, but aren't limited to (new lures surface frequently), secret shopper, romance, lottery, work-at-home and auction scams.

The National Consumers League recently set up a site (fakechecks.org), which is a great reference on Internet scams involving checks (complete with visual presentations), here.

So far as auction scams, eBay will no longer offer any protection for paper financial instruments on their site.

Here are some of the known items being counterfeited in large quantities and literally circulating worldwide:

Visa Travelers Cheques: 1-800-227-6811.

MoneyGram Money Orders (counterfeits may still use the old Travelers Express logo): 1-800-542-3590.

US Postal Money Orders: 1-877-876-2455 (mail fraud) option 4, then go to option 2.

American Express Gift and Travelers Cheques: 1-800-221-7282.


FDIC Alerts on the counterfeit cashier's and official checks in circulation, here. There is a feature that allows you to search them. I would try it by using the name of the institution.

Counterfeit cashier's and official checks change almost daily. The counterfeiters use legitimate account numbers and convincing looking check stock that will verify in most automated telephone verification systems.

It's probably good advice to never trust an automated system. In the case of a counterfeit, real ABA/account numbers are used by the counterfeiters. Because the information is real, they get past an automated verification system fairly easily. If you really want to know and believe an item is a counterfeit, ask to speak to a live person, preferably in the fraud department.

If you are dealing with a suspected counterfeit cashier's, or official check, I highly recommend reading a post I collaborated on with Tom Fragala (CEO of Truston Identity Theft Protection Services):

Counterfeit Cashier's Checks Fuel Internet Crime

Bank employees sometimes verify counterfeit instruments as legitimate. In some instances, especially at a teller window, they have been mistaken. If this occurs, you will be notified days later and the bank will take no responsibility.

Even more alarming, I have talked to and get comments/e-mails from people all the time who are getting arrested after trying to negotiate these items.

Here is what I wrote about this growing phenomenon in a previous post, along with my personal speculation as to why this is happening more frequently:
When the check is discovered to be fraudulent, anywhere from right on the spot to about ten days later the person passing the item is left holding the bag. This can translate into a loss of their freedom (getting arrested), being held financially liable, or a combination of both these consequences.
The real victims can probably blame this new phenomenon on all the criminals, who are pretending to be victims and then cashing the items themselves. Here is how I described this in a recent post, where an International task force discovered millions of dollars (face value) of these items destined to be shipped, worldwide:

A new trend has been noted called reverse-scamming, also. This occurs when scammers have the bogus instruments sent to them, cash them and then never follow the instructions to wire the money.

If confronted, these reverse scammers will normally claim to be victims. A key way to pick out a reverse scammer is that, in most instances they forget to wire the money back to the scammer that sent them the counterfeit instrument.

Thursday, September 27, 2007

eBay responds to the alleged Vladuz hacking incident

eBay is responding to the latest (alleged) attack on their site by Vladuz by confirming that the account information was valid, however the credit card numbers were not.

Here is what the Chatter (eBay's blog team) has to say regarding their investigation:

I've been in touch with our operations and security teams, and I have more information I can share with you about yesterday's incident on the Trust & Safety discussion forum. In brief, very early yesterday morning, a fraudster posted contact information and alleged credit card numbers for about 1,200 members on our Trust & Safety discussion forum on eBay.com.

While the issue was very unfortunate, it was clearly falsified to cause public concern. Early on eBay's teams verified that the credit card "data" did not match anything on file for these members on eBay or PayPal. After more investigation, including phone conversations with many of the members, it appears that these numbers were not valid at all.

Each of these accounts was the victim of an Account Take Over, most likely through a successful phishing campaign. eBay has been in contact by phone with many of these members, and there is a My Messages email going out to impacted accounts to further our reach.

1200 successful account-takeovers is a fairly large asset for a criminal to part with, even if the credit card numbers were no good. In the hand of the wrong people, 1200 eBay and PayPal accounts can be used to commit a lot of crime.

Here is a description of how account-takeovers are sometimes used from my original post on this latest incident:

Account-takeovers enable criminals to scam others, using someone else's information. They can also be used to fence (sell) stolen merchandise with a high degree of anonymity. It should also be noted that stolen payment (credit/debit) card details are often used to purchase the merchandise, which is then fenced.

To cover their tracks, the scammers often dupe people into laundering the proceeds of these sales in work-at-home (job) scams and wiring the money, normally across a border.


Although eBay is stating that the credit card numbers in this case were no good, they are for sale, along with account-takeover information on the Internet. Because this information is sold over the Internet, the criminals are able to buy and sell this information (globally) without ever actually meeting each other in person.

As I stated in my earlier post, phishing is a method, where a lot of personal and financial information is stolen, also.

Thus far, all anyone can do is speculate as to how the accounts were compromised. It will be interesting to see if anyone gets to the bottom of what actually occurred.

The Anti-Phishing Working Group tracks phishing activity and many experts claim that eBay and PayPal are the most frequently phished brands. They also have some excellent information on how to avoid being a victim and what to do if you think you've become one.

Auction fraud doesn't only occur on eBay and can happen on any of the auction sites out there. The criminals behind this activity tend to go after what is the most popular, which probably has more to do with why they target eBay than anything else.

If you get phishy e-mails that ask you to provide your eBay, or PayPal account numbers, the Chatter recommends you report them to spoof@ebay.com or spoof@paypal.com. They also recommend to go to their Security & Resolution Center if you encounter a problem.

Another place to report phishy e-mails is CastleCop's PIRT Phishing Incident Reporting and Termination Squad. Please note you can also report this activity on the Anti-Phishing Working Group's site, also.

Reporting a phishing attempt might prevent someone else from becoming a victim. Sadly enough, if you have an e-mail address, you probably see phishing attempts on a daily basis.

Post from the Chatter, here.

Wednesday, September 26, 2007

Video shows mock cyber attack on power grid

Ted Bridis and Eileen Sullivan of the AP are reporting about a video, which shows how a cyber attack might shut down our utilities.

From the AP article (courtesy of the Washington Post):

The video, produced for the Homeland Security Department and obtained by The Associated Press on Wednesday, was marked "Official Use Only." It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke.

Although, this attack never took place, the article quotes goverment sources as saying:

President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation." Ominously, the Idaho National Laboratory _ which produced the new video _ has described the risk as "the invisible threat."
Experts said the affected systems were not developed with security in mind.

Now for the good news:

The Homeland Security Department has been working with industries, especially electrical and nuclear companies, to enhance security measures. The electric industry is still working on their internal assessments and plans, but the nuclear sector has implemented its security measures at all its plants, the government said.

In July the Federal Energy Regulatory Commission proposed a set of standards to help protect the country's bulk electric power supply system from cyber attacks. These standards would require certain users, owners and operators of power grids to establish plans and controls.
The bad news, not mentioned in this article, is that some say foreign nations (China in particular) routinely attempt to hack into government systems.

Previous posts, I've written about alleged hacking attempts from China can be seen, here.

Of course, the Chinese government denies this is the case!

AP Story, courtesy of the Washington Post, here.

Did Vladuz hack eBay, or is stockpiled stolen information being used to make it look like he did?


(Picture courtesy of Yahoo Group, eBay_scamkillers)

There is a lot of speculation that eBay was hacked once again, and that Vladuz might be behind the latest episode.

Vladuz, who takes his name from a famous Romanian prince, Vlad Tepes, has plagued eBay with a string of hacking attacks in the past. Vlad Tepes was the inspiration for the novel, Dracula. In Internet folklore, Romanian scammers are often referred to as "Vlads."

Of course, eBay is denying that they were actually hacked. I'll let the reader form their own opinion.

Auction Bytes (Ina Steiner) is reporting:

eBay closed its Trust & Safety discussion board for hours on Tuesday after threads began appearing listing the names and addresses of eBay members. eBay spokesperson Nichola Sharpe said, "We think the fraudster obtained the eBay User names and IDs from previous account takeovers." The credit card information that was published alongside 1,200 names, User IDs and addresses were not associated with the financial information on file for those users at eBay or PayPal, Sharpe said.

Unfortunately, with the amount of account-takeovers caused by Phishing, eBay can suggest other ways the information might have been stolen. Phishing is where users are tricked into giving up their personal details, or downloading malware (crimeware), which steals it right off their hard drive.

I don't know which is worse, that they were hacked in this incident, or that all this information was compromised a long time ago? If it were compromised a long time ago, as eBay states, how much more compromised eBay information is out there?

The Cappnonymous Buds Blog has put together a pretty visual demonstration that makes a pretty good argument that eBay was hacked.

Account-takeovers enable criminals to scam others, using someone else's information. They can also be used to fence (sell) stolen merchandise with a high degree of anonymity.

It should also be noted that stolen payment(credit/debit) card details are often used to purchase the merchandise, which is then fenced.

To cover their tracks, the scammers often dupe people into laundering the proceeds of these sales in work-at-home (job) scams and wiring the money, normally across a border.

Whether Vladuz is behind this latest attack remains to be seen. But the fact remains, that there is a lot of fairly organized crime targeting eBay (my opinion) and other auction sites, on a daily basis.

Previous posts, I've written about eBay and auction fraud can be read, here.

In case anyone is interested in the graphic photo at the top, here is a post I did about a Yahoo Group that call themselves the eBay_scamkillers.

They are an all volunteer group, many of whom have impressive credentials, that are responsible for putting a lot of eBay scammers, where the sun don't shine (prison).

Monday, September 24, 2007

Trans Union and Equifax will offer a nationwide credit freeze at a cost

It appears that both Trans Union and Equifax will be offering consumers the ability to freeze their credit, albeit for what some consider too much money. Thus far, Experian remains undecided, whether or not, they will follow suit.

Martin Bosworth (Consumer Affairs) put together a nice read, which explains the new service being offered by two of the three (major) credit bureaus:

In a surprise reversal and a major win for consumers, the Trans Union credit bureau announced that it would offer consumers the ability to "freeze" their credit files in all 50 states in order to protect themselves against identity theft and fraud.

The service will be available in the 11 states that do not already have credit-freeze laws, costing consumers $10 to set the freeze and $10 to unlock it, and will "meet or exceed the requirements" of states with existing freeze laws.

Perhaps, the credit bureaus are giving into laws already enacted in a lot of States, and have decided to make a some revenue on what is quickly becoming mandatory? More from Martin's article:

Thirty-nine states and the District of Columbia already have laws in place enabling consumers to freeze their credit, with varying rules and costs for usage. The credit and financial industries have aggressively lobbied against credit freeze laws, claiming they would reduce the availability of credit and discourage shoppers from making big-ticket purchases due to the time spent unlocking a credit account.

Efforts by the credit industry to push weaker national credit protection laws that would preempt state law stalled out in Congress. States such as Utah have passed laws enabling citizens to freeze and unfreeze their credit accounts in as little as 15 minutes.

Martin quoted one of his counterparts at Consumer Affairs, Gail Hillebrand as bringing up a very valid (my opinion) point:

If the bureaus have the technical means to enable instant locking and unlocking of credit, they should not be charging high fees to use a service that can be turned on and off in minutes.

After all -- there are many who believe, the credit bureaus, who make a lot of money by selling the information they compile -- are partially to blame for enabling what has become a major concern (identity theft).

Although this is progress, I would much rather see effective laws passed in all 50 states, or a "consumer friendly" one passed in Congress.

Excellent read from Martin, here.

Here is a previous post, I did regarding personal information being sold by credit bureaus:

How does a telemarketer get your unlisted number?

Update: Experian joined ranks and is offering this service now, also. Washington Post article on this, here.

Sunday, September 23, 2007

TJX class action settlement only addresses about one percent of the total people compromised

Friday evening, MarketWatch announced that TJX -- who suffered a data breach compromising over 45 million of their customers --has agreed to settle the class action lawsuits that were filed against them after the data breach was disclosed.

The class action lawsuits referred to were filed in both the United States and Canada.

Since most of the financial losses have been incurred by financial institutions -- who had to reissue the compromised cards and settle the fraud claims -- this settlement appears to primarily address the customers compromised by the breach of TJX's refund database.

This would amount to about 455,000 people, or one percent of the total number of people compromised.

Another issue that is still pending is how information is stored, and who will be responsible for paying for the administrative costs arising from data breaches in the future. Consumers Union is pushing that one of these bills, already passed in California, be signed into law. Minnesota has already passed legislation that addresses this.

MarketWatch reports:
Under the settlement, which is subject to court approval, TJX will offer three years of credit monitoring and identity theft insurance to customers who returned merchandise without a receipt and to whom the company sent letters reporting that their driver's licenses or other identifying information may have been compromised.

TJX will also reimburse the customers for documented costs of certain license replacements and certain losses from identity theft if identification numbers compromised were the same as their Social Security numbers.

The company will hold a one-time three-day customer appreciation event, in 2008 or later, at which prices will be reduced by 15%.
One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number.

I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed different parts of a persons identity are crafted to create a new one.

Stephen Coggeshell of ID Analytics was recently quoted as saying:
Five years ago, this crime was hardly seen. Eighty-five to 90 percent of identity fraud is really this synthetic ID fraud, as opposed to the true name identity theft.
Just because the identity and the Social Security number were not compromised together doesn't assure that that the person involved will not become a victim.

This led me to wonder how many Social Security numbers could have been compromised? The answer was right on a FAQ sheet on the TJX site:
We do not receive or store customer social security numbers per se. However, the drivers' license or military ID numbers customers provide us in unreceipted merchandise return transactions are, in some cases and in some states, the same numbers as their social security numbers. We are writing directly to customers we were able to specifically identify whose drivers' license, military or state ID numbers, together with their names and addresses, were found in the information believed compromised and identifying where we believe those numbers may be social security numbers.

Laws have been passed that prohibit the practice of placing Social Security numbers on identification documents.

In the identity theft world -- which is what the concern about this data breach is all about, when a SSN or SIN (in Canada) is compromised -- the criminal compromising the information has all the information necessary to complete a full identity assumption.

In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it.

Retail criminals, who causes billions in losses a year, often refund the merchandise to launder the proceeds of their efforts into cash. This was the very reason -- most retailers implemented databases to track the information of people, who show up at refund desks -- a little too frequently.

With the increasing availability of fake identification and bogus financial instruments -- already being used at retailers to steal merchandise, with a focus on high-value items that are locked up -- it's likely that a lot of the information in these databases isn't completely accurate.

I would guess that the same people, using the bogus financial instruments, purchase the merchandise with them and then head to the refund counter.

So far as the TJX offer to settle this portion of their liability, it still has to be accepted by the court. Of even greater importance is that retailers need to take a hard look at how these refund databases are protected -- and -- whether or not, they are as effective in stopping refund fraud as they used to be.

For more information on the issue of using Social Security numbers on identification documents, the Privacy Rights Clearinghouse has a document, here.

The University of California submitted an interesting document to the Federal Trade Commission on the subject of synthetic identity theft, which can be seen, here.

Last, but not least, Tom Fragala at Truston put together a pretty neat blog post with a lot of references about synthetic identity theft, here.