Saturday, October 20, 2007

Payment card fraud victims being denied compensation

Apparently, fraudsters are now able to clone some payment cards, assign a new PIN -- and it appears that the customer's old PIN was used when the bank reviews the transactions.

Card Guide (UK) is reporting:

The Chip and Pin technology that has been in use in the UK over recent years is supposed to be practically fraud proof, but this is not the case, as thieves can clone cards and put a new PIN number onto the card – this is known as a YES card.

However, it appears to the bank that the original card and PIN have been used, and therefore banks claim that either the customer carried out the transaction themselves or they gave their PIN number to someone or were careless with the security of their PIN.

Card Guide story, here.

There have been many instances, where payment card thieves were able to get card details, along with the PIN numbers. It can happen to just about anyone, even when they are being careful.

If you have had a fraud claim denied because the bank claims you were careless, you might want to read about instances (substantiated), where PIN details were stolen using pretty sophisticated methods, here.

Of course, there are and always have been people, who try to claim fraud for their own financial advantage. Because of this, it seems some innocent people are getting their claims denied (my opinion).

Figuring out, who is guilty of this is getting harder all the time.

My guess is that with all the fraud involving payment cards, it's no longer an expense the banks can continue to write-off as a cost of doing business.

Banks denying claims because they say a customer compromised their own information is nothing new.

One example of how this happens can be seen on BankofAmericaSucks.com, here.

I guess all the zero liability ads we see all the time aren't exactly one-hundred accurate?

If you have wrongfully had a claim denied, I've seen individuals made whole by escalating the matter with the financial institution. In some instances, using a consumer advocate was necessary.

On a final note, in most businesses, the cost of fraud is passed off to everyone, when we pay more for goods and services. The truth is we are all held liable for the cost of fraud!

Scammers trick grocery chain into sending them $10 million


(Photo courtesy of rcbatey at Flickr)

Normally, when e-mail scams are brought up, we think of unfortunate individuals falling for something that's too good to be true. A surprising discovery, found in federal court filings, proves that this isn't always the case.

Yesterday, Rebecca Boone of the Associated Press (courtesy of the StarTribune.com) reported:
Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.
Apparently, Internet e-mail scam artists accomplished this by sending spoofed e-mails impersonating Frito-Lay and American Greetings:

The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.
At first, it appears that no one at SuperValu questioned the account changes and approximately $10 million was wired into them.

According to the article, the scam was discovered quickly and the FBI intervened. SuperValu will not comment on how much money they actually lost.

Either this is a fluke, or it shows a growing trend, where businesses are being specifically targeted in e-mail scams.

This isn't the only type of e-mail scam that has been targeting businesses and organizations.

Stories about what is known as spear phishing have been circulating recently. Spear phishing differs from regular phishing because indivduals are targeted by name, and as reported in some of these stories, sometimes by both name and title.

Previous posts, I've written about spear phishing can be seen, here.

Please note that stealing money isn't the only goal in spear phishing. Sometimes the goal is to steal information (which is worth money), also.

Phishing has become more sophisticated in recent history. Besides using social-engineering (trickery) to obtain information -- malware (sometimes known as crimeware) is downloaded into a system by opening a e-mail attachment -- which steals the information automatically and on an ongoing basis.

Another growing trend is the sale of DIY (do-it-yourself) phishing kits in underground (normally Internet) forums. These kits are enabling less technically inclined criminals to get into the game.

This goes to show that educating employees (especially those with access to financial assets, or valuable information) how to avoid being scammed might be something worth taking a look at.

On a final note, we need to remember that the same type of scam could be accomplished via snail mail with convincing letterhead, or even via a fax. The best way to avoid scams is to be able to recognize the behavior behind them.

AP Story, here.

USPIS Presents: Work@Home Scams: They Just Don't Pay!


The United States Postal Inspectors have produced a pretty telling video showing how Internet criminals lure people into taking jobs that will cause them financial and legal trouble.

The film entitled, Work@Home Scams: They Just Don't Pay shows what happens to people, who accept work-at-home jobs that aren't what they appear to be.

It also speaks to how this problem has grown from ads in the classified section of newspapers and magazines to being plastered all over the Internet.

A lot of us probably see spam e-mails offering these too good to be true jobs that don't make sense on a daily basis. You might also run into one of these scams on a job-site, such as Monster.com.

Another fact is that applying for one of these jobs can lead to giving up your personal information, which will later be used to steal your identity.

Please remember these scams still show up in the classified ads of newspapers and magazines, also.

Here is (what I consider) an interesting story about someone falling for one of these scams that should have known better (my opinion):

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Friday, October 19, 2007

How much money is lost by businesses due to coupon fraud?

Here is an interesting blurb about an Arby's employee, who stole $14,524 by using coupons to conceal the fact he was dipping into the till.

NBC10.com (Philadelphia) is reporting:

A fast-food restaurant employee was charged with theft after police said he was skimming the cash register by using coupons.

Curtis Smith, 32, of Coatesville, was an employee at the Arby's store located on Concord Pike for several years, police said.

Police said Smith used $1 off coupons at the register and would then take that money from the register. He obtained between $50 and $150 at a time, police said.

The investigation started because of declining revenues at the restaurant.

Coupon fraud can be a huge problem for companies, who use them as marketing tools. A few years ago, Subway discontinued a promotion because too many coupons were being reproduced and sold on auction sites.

CouponInfo.com has some pretty good descriptions of the types of coupon fraud going on out there. According to the site, there is even an underground market in counterfeit coupons.

They state that coupon fraud costs companies millions of dollars a year.

After reading this, I decided to go on eBay and see if I could find coupons for sale. After going to the site, I was able to find quite a selection. If you want to take a look, click here.

Because everyone always picks on eBay, I decided to see what Google had to say. After doing this, I was amazed at the market out there in selling coupons.

No wonder CouponInfo.com couldn't put an exact figure to the losses caused by coupon fraud. It would be pretty hard to figure out!

Going back to the story about the Arby employee, the article doesn't state where he got the $14,523 in coupons. Of course, it's hard to say, but it wouldn't be hard to find them by doing a little surfing on the Internet.

Maybe this is something that businesses, who issue and redeem coupons should watch a little more carefully?

NBC.com story, here.

Thursday, October 18, 2007

P2P under Congressional scrutiny - FTC to investigate

Although there are legitimate uses for P2P (peer to peer) software, there is no doubt that there are a lot of dangers to using it, also.

Officially, the concerns are how this exposes people to identity theft -- but this costs the entertainment industry (who probably have a few lobbyists dedicated to this matter) a lot of money when they don't get their royalties (money) on music and videos -- which people download for free using P2P.

Now Congress is asking the Federal Trade Commission to take a deeper look into the matter.

Still worried that peer-to-peer filesharing networks like Lime Wire are causing users to "inadvertently" expose sensitive documents, posing potential security risks, members of Congress are now asking for a formal investigation into the phenomenon.

The latest concern from the House of Representatives Committee on Oversight and Government Reform, judging by a 7-page letter (click for PDF) dated Wednesday to Federal Trade Commission chairwoman Deborah Majoras, appears to be this: Peer-to-peer networks may make unsuspecting consumers vulnerable to identity theft.

The same group of politicians, led by Reps. Henry Waxman (D-Calif.) and Tom Davis (R-Va.), suggested earlier this summer that peer-to-peer networks can pose a "national security" threat by allowing users to expose sensitive information unwittingly. (Some politicians, particularly those with entertainment industries in their districts, also took the opportunity once again to condemn unlawful transfer of copyrighted content via the networks.)

I've written a little about why it isn't a good idea to use some of the P2P networks out there:

Japanese cop exposes confidential information on 6,000 people using P2P (file-sharing) software

How P2P Software like Limewire Compromises Personal and Financial Information

Besides being a potential national security threat and an identity theft venue, most of this software is liable to do a lot of damage to your system. And unless you are pretty technically inclined, you will probably have to spend a little of your hard-earned money to fix the damage it will cause!

CNet news blog story, here.

Krackin software will crack your computer's security!


(Screen shot courtesy of Websense)

Krackin is one place you don't want to try to download music, or videos. The result will be your computer becoming what is known as a zombie, which will be used to spew out spam e-mails, which facilitate Internet fraud.

If you have clicked on this, I highly recommend reading the link in Websense's alert, which I have provided below.

Websense is reporting:

Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see (http://www.websense.com/securitylabs/blog/blog.php?BlogID=141).

This site poses as a new piece of software called "Krackin v1.2" and advertises:

* Easy to install
* Auto-Virus scanning* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking

Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe" This file contains the Storm payload code.

Websense alert, here.

On a final note, if you are a parent, this would be a good topic to cover with younger family members. From the appearance of the screenshot above, it would likely attract younger users.

Monday, October 15, 2007

Student narrowly escapes expulsion for revealing data breach

It might be a good idea to be careful (or extremely anonymous), when reporting a data breach.

Jaikumar Vijayan at Computer World is reporting an interesting case -- where reporting a data breach brought about some personal grief for both the person, who reported it -- and the person they reported it to.

This person, who was a student, was almost expelled for bringing the matter to light. And the person, who it was reported to is no longer employed.

I guess whistle-blower laws don't apply at institutions of higher-learning?

For more information on whistle-blower laws, whistleblower.com is a decent reference.

Jaikumar writes:

A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.

But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.

Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 to 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.
Institutions of higher learning are frequently the targets of hackers stealing information. This has been well documented by the Privacy Rights Clearinghouse, Attrition.org and PogoWasRight.

Given all this evidence, it amazes me that the highly educated people running these institutions still insist on using social security numbers as the primary method of identifying their students.

Social security numbers are worth money to the people, who like to steal them. Perhaps, if these institutions of higher learning, understood this a little better, they wouldn't be targeted nearly so often.

A little common-sense goes a long way.

Computer World story, here.

If you get a chance, read the comments on Jaikumar's story. Some of them are pretty good!

Schwarzenegger vetoes data breach bill

It appears the data breach bill, which went to Governor Schwarzenegger's desk for signature has been vetoed.

Cheryl Walker at the OC Register is reporting:

An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger.

In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards.

He also contended the bill lacked clarity and could increase the cost of compliance for small businesses.
There seems to be little press coverage on this and I couldn't find any comment from Arnold about it on his site.

There has been a lot of coverage about a NRF (National Retail Federation) letter calling out that businesses, who accept credit cards are forced to maintain credit card information for 18 months to protect themselves from fraud (chargebacks).

Here is a post, I did on that subject:

Retailers call for a level playing field on data security

Maybe this bill was too unfair towards businesses, who accept plastic, and favored the financial services industry a little too much? The bill would have pushed more of the financial responsibility towards businesses versus the card issuers, themselves.

The sad thing is that with all the bickering between these two large sectors, it's probably the little person, who will lose out in the long run.

Although, with a lot of litigation being raised, data breaches are becoming extremely costly. Maybe both sides of the equation need to get together and come up with something that will work for everyone?

After all, they do share one thing in common, which is their customers!

OC Register story, here.

Sunday, October 14, 2007

Why Mahmoud Ahmadinejad might not want transparency in Iran's financial dealings

Over the weekend, the press has been awash with a story that Iran is refusing to adhere with International money laundering standards.

It appears Mahmoud Ahmadinejad and his motley crew of religious extremists don't want anyone looking at their money flow "too closely." My guess is that it might reveal that some of the money is coming from questionable sources.

From the AFP:

The United States Friday welcomed action by an international anti-money laundering watchdog urging Iran to close loopholes in its financial system and take steps to limit terrorist financing.

US Treasury Secretary Henry Paulson said he was pleased with the statement earlier Friday by The Financial Action Task Force, which groups 34 countries, calling on the Islamic Republic to take action.

The Financial Action Task Force has taken a dramatic step in highlighting the significant threat Iran poses to the international financial system," Paulson said in a statement.

"As the premier standard-setting body for countering terrorist financing and money laundering, the FATF's expression of concern toward Iran speaks volumes."
Of course, it's probably not a coincidence that Iran is next door to Afghanistan, where opium production has reached an all-time high. Please note that most of the opium production is backed by the Taliban, who aren't exactly friendly towards the West, either.

In case, you are interested in a non-Western source -- which might support this contention read the Daily Times of Pakistan -- where they recently reported a large heroin/hashish bust on the border of Iran and Afghanistan, here.

What's interesting is that penalties in Iran for drugs are pretty harsh, despite the fact that they seem to have a drug problem within their country. If you continue to the bottom of this post, a video is referenced showing the drug problem in Iran.

The use of drugs is forbidden in the Islamic religion.

Nonetheless, it seems that if the money from drugs is for what they (Mahmoud and motley crew) and the Taliban perceive as a good cause, they seem to look the other way. Otherwise, it is logical that they would embrace financial transparency within their borders.

To sum this up, it's no secret that Iran supports and funds a lot of terrorist activity. The fall-out from this terrorist activity causes a lot of pain and suffering to a lot of people, worldwide.

Since drugs are forbidden by the Islamic religion, this clearly shows how Mahmoud Ahmadinejad and his motley crew of religious extremists are no more than a bunch of hypocrites.

A wise person once told me if you want to get to the bottom of a problem -- follow the money. It always tells the truth.

AFP story, here.

At the bottom of this post is a YouTube video, which shows a woman smoking heroin. It also shows that she has to prostitute herself to survive.

Women have been treated pretty harshly in Iran since religious extremists took over. This is part of an interesting series, which was aired on the CBC (Canadian Broadcasting Corporation).

Casual sex is highly frowned upon in Iran, also. If you take a look at the video, the woman stops at a pharmacy to purchase condoms. This would lead me to believe there is more casual sex in Iran than we are led to believe.

Mahmoud also claims there are no, or at least very few gay people in Iran. I'll bet the CBC, or another reputable news organization (given the proper resources) might prove him wrong about this, just like they did in this telling series.

I would guess that gay people have a vested interest in staying in the closet under his regime.