Saturday, November 10, 2007

Visa's big break to TJX on security standards during their data breach!

The TJX data breach -- which in case you haven't heard just doubled its estimate of records compromised from 45 to 90 million -- has caused a lot of finger pointing between the financial and retail sectors.

Of course, this was revealed in court filings (like the revelation below) and I'll be surprised if anyone is willing to answer any questions about it.

The latest is that Visa knew that TJX had "extensive security problems," but chose to let them off the hook on becoming PCI compliant until 2009.

Evan Schuman of EWeek reports:

Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.

The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.

Ironically -- while hackers were happily stealing a lot of PEOPLE's personal and financial information -- Visa wrote TJX telling them they would be holding off from fining them as long as they were diligent in fixing the problem.

In 2007, Visa fined one of TJX's banks before the deadline had expired.

PCI compliance standards are enforced by the payment card industry itself. All that seems to be coming out of the largest data breach in history is a lot of finger pointing and litigation, which, like fines, is driven by a financial incentive.

I hate to say it, but neither side of the fence wants to stop using plastic. They both are making billions of dollars in the process.

Perhaps -- if an entity with no financial stake in all this dictated the standards -- the people having their information stolen by criminals would be a LOT better off.

The question is when are people (customers) going to come first?

eWeek story, here.

Thursday, November 08, 2007

Symantec reports on spam trends for 2007

Photo courtesy of slumberparty_uk at Flickr

According to Symantec's November report, about 70.5 percent of the e-mail sent to your inbox is spam. This is pretty frustrating for a lot of us, who have to rely on spam filters that don't seem to work very well.

If you are like me, I get spam in my inbox and have legitimate e-mail mistaken as spam and sent to my bulk folder.

I've also heard of a lot of spam being able to bypass corporate spam filters recently. This can be particularly dangerous if an employee clicks on something that is malicious in nature.

Some experts have tested employees with phishy (spam) e-mails to see if they would fall for the bait. A large percentage of them did.

I mentioned corporations in the paragraph above, but this can happen at any organization.

In keeping with tradition, the spam kings stay on top of current events and ensure their social engineering lures are what would be considered newsworthy and even trendy.

From the Symantec November Report:

Ron Paul, MP3s, and global warming…what do they all have in common? No, it’s not some new presidential campaign. They were all topics leveraged in new spam tactics in October.

Even as the game becomes more sophisticated, most spam isn't effective unless it can lure a human being into whatever scheme it is attempting to pull.

Spam is already being seen that impersonates (spoofs) presidential candidates and claims to support environmental causes.

In the case of spam that impersonates environmental causes, a lot of them might include a survey asking for a lot of personal and financial information.

As for the election campaign spam going around, we will probably see attempts to misdirect campaign contributions and commit identity theft, and it may even be used as a tool to spread misinformation (smear tactics).

One thing to remember is that giving out information to someone you really don't know tends to put you at an extreme risk of becoming an identity theft victim.

So far as financial scams go, the spammers also appear to be very interested in the real estate market:

Last month, Symantec reported how spammers had taken an interest in the housing market slowdown by offering different home refinancing deals. In an ongoing attempt to leverage capital by any means possible, the latest variations suggest releasing equity from your parents’ home.

Anyone who falls for a not very legitimate scheme involving real estate is probably going to be taken to the cleaners. Sadly, fraudsters often target desperate people looking for a (too good to be true) way out of the mess they are already in.

The current real estate crisis is giving them an easy vehicle to do this!

With a reported 1,000,000 foreclosures pending in the United States and a possible loss of $200 billion to the lenders, this trend particularly bothers me.

The report also mentions Russian Bride scams, pump and dump stock scams using MP3, and spam e-mails using links containing Google searches.

The links containing Google searches misdirect the user to pretty questionable e-commerce sites, which could be (probably are) nothing more than a ploy to steal someone's money.

The information on the links using Google searches is explained in full on the Symantec blog, here.

This latest report indicates that spam is a problem that isn't going away in the near future. Spam is a known vehicle for everything from deceptive advertising to outright scams on the Internet.

Besides protecting your system, which Symantec is in the business of doing, being aware of the social engineering lures is the key to not becoming an Internet fraud statistic. It's refreshing to see Symantec address this with these reports, also.

For the full report, which has more spam variations than I've mentioned in this post, click here.

Symantec also does a blog on current online fraud schemes that are circulating, which can be seen, here.

Wednesday, November 07, 2007

A few hard questions for Governor Spitzer to answer

I've written a few posts about Suad Leija, the young woman who has provided a lot of the evidence leading to the recent arrests of the main players (jefes) involved in the largest counterfeit documents cartel operating in the United States and Mexico.

These documents are sold to whoever has the money to buy them. Besides illegal immigrants, it’s safe to assume a portion of them have been sold to criminals and possibly even terrorists.

The cartel I'm referring to is known as the Castorena Leija-Sanchez organization.

According to ICE (Immigration and Customs Enforcement), this organization was making about $300 million a year selling counterfeit documents. If one were to consider that each one of these documents has a street price of about $100, this would mean they are responsible for about 60 million counterfeit documents being put in circulation.

If each person bought two of these counterfeit documents, that would equate to about 30 million people who have used these documents.

On the site -- Suad’s husband, who uses the pseudonym of Lazarus -- has put up a video with a few questions directed at Governor Eliot Spitzer (NY) regarding his intent to issue driver's licenses to illegal immigrants.

You might want to know what the Castorena Leija-Sanchez organization and Eliot Spitzer have in common. The answer is that counterfeit documents issued by the Castorena Leija-Sanchez organization will probably be used to establish the identifying information for the driver's licenses in New York State.

When this happens, we will have a lot of legitimately issued driver's licenses with not very legitimate information on them!

Here are the questions, which have been made into a video and released on YouTube:

1. Is Governor Spitzer replacing the members of the Castorena Leija-Sanchez organization by providing identification documents to people who have broken the law?

2. Is a public official who is sworn to uphold the laws of the United States and the State of New York aiding in the commission of criminal activity by providing documents that support illegal immigration?

3. If it is Governor Spitzer’s sworn duty to uphold the law, should the people he serves insist his driver's license is taken away and he be impeached?

4. Is it fair for Governor Spitzer to break the law to get votes?

5. Since this card identifies the holder as someone who has broken the law, is it a get out of jail free card?

When law enforcement personnel discover that an illegal immigrant has broken the law, they are supposed to report them to the federal authorities. This is so they can be deported. Unless I'm missing something in all the hype that has resulted from this issue, this license will clearly identify the holder as an illegal alien.

If I were an illegal immigrant, I might be worried that if the political climate shifted, the licenses might be used to track down and deport people. Most of them are probably going to continue to use counterfeit documents that will not identify them as people who are breaking the law.

Some of these concepts might be confusing to the average person who has had the pleasure of living in a sanctuary city.

In a sanctuary city, the politicians tell the police not to ask any questions about a suspect’s immigration status. In other words, they are directed to bury their heads in the sand on this law. Sadly enough, this is also the case when illegal immigrants are arrested for serious crimes.

Here is a story from about an attorney (David Klehm) who is suing the San Francisco PD for not reporting illegal aliens. The same attorney has filed similar lawsuits in Los Angeles and San Jose.

The problem with issuing any identification document for a person -- who has entered the country illegally -- is how we know the document they are using to get a legitimate ID is in fact legitimate, itself.

This explains how most of the 9/11 terrorists managed to operate pretty freely before committing their heinous crime.

Most of the 9/11 hijackers used counterfeit documents, sometimes known as feeder documents, to get legitimate driver’s licenses. Feeder documents are documents that are used to obtain legitimate documents. The goal of most people using counterfeit documents is to eventually get legitimate documents.

I doubt seriously that issuing driver's licenses to illegal immigrants is going to stop their primary goal, which is to establish themselves as legitimate citizens.

In 2004, Congressman Ed Royce made the following statement about provisions being stripped from the 9/11 bill regarding border security:

The 19 9/11 hijackers had 63 validly issued U.S. driver's licenses between them. What were they using that many for? They were moving around the country undetected and plotting and planning. In fact, as many as eight of them were even registered to vote. They then used those bogus licenses to board U.S. planes.

Congressman Royce further put things into perspective by saying:

Driver's licenses were the 9/11 terrorists' license to kill and to kill massively. We know that.

They had 63 of these driver's licenses between them, for the 19 of them. And these identification documents gave these hijackers unfettered access to nearly everything they needed to plan and carry out their attacks on Washington, D.C. and on New York City. And the identification cards also allowed them to remain in the country with the appearance of legitimacy long after their visas had expired and their presence in the United States became illegal.

These provisions, designed to protect our borders were taken out of the bill despite the fact that 87 percent of the public supported having them included.

On a personal level, I’m more worried about National Security than anything else, but there are a lot of people saying these driver’s licenses enable voter fraud, also.

The Wall Street Journal published an editorial by John Fund on November 2nd, which explains this better than I can.

The editorial states one reason some politicians might be in favor of handing out these driver's licenses:

The background here is the National Voter Registration Act, commonly known as "Motor Voter," that President Bill Clinton signed into law in 1993. It required all states to offer voter registration to anyone getting a driver's license. One simply fills out a form and checks a box stating he is a citizen; he is then registered and in most states does not have to show any ID to vote.

Come to think of it, there has been a lot of controversy this week about how Bill’s better half answered some questions regarding this issue.

Perhaps, she can help Eliot answer the questions posed to him? After all, they both represent the great State of New York. Her answers have seemed to get a lot of attention already.

The problem of illegal immigration isn't going to be easily fixed. Granting driver's licenses to illegal immigrants adds fuel to an already out of control fire we are facing in this country. This is especially true when we lack the means to verify exactly who they are in the first place.

The bottom line is that it enables more serious crimes than illegal immigration and our politicians have a sworn duty to protect us from being harmed by it!

There is an e-book written about Operation Paper Tiger, which documents the story of how the Castorena Leija-Sanchez family was investigated by the authorities. The book contains transcripts (taken from wire taps) of the organization in operation.

If you were on the fence as to whether or not our borders are secure, or just want to know how insecure they really are, the book is a must read.

Currently, the book is only available on the Paper Weapons site, here.

Tuesday, November 06, 2007

San Francisco Supervisor charged with bribery, extortion, mail and voter fraud!

There are some of us wondering how many more politicians will be caught with their hands in the cookie jar. In the past few years, quite a few of them seem to be making a mockery of the oath they took when they went into public service.

One of San Francisco's own is being prosecuted for a host of fraud charges, including the fact that he himself committed voter fraud.

Karen Gullo at is reporting:

Ed Jew, a member of San Francisco's board of supervisors, was charged today with fraud, bribery and extortion for allegedly soliciting $80,000 from business owners in exchange for using his influence with the city's planning commission.

An indictment handed down today by a federal grand jury in San Francisco accuses Jew, 47, of soliciting bribes from Quickly tapioca drink shops in San Francisco, according to a statement by the U.S. Attorney's Office for the Northern District of California. In May, Jew accepted $40,000 in cash from Quickly representatives, prosecutors said.

SF Supervisor Ed Jew is also under investigation for committing voter fraud. SF Gate (Cecilia M. Vega, Jaxon Van Derbeken) reported in June:

Embattled San Francisco Supervisor Ed Jew surrendered to Burlingame authorities Tuesday night after San Francisco's chief prosecutor filed criminal charges against him and issued a warrant for his arrest, saying the lawmaker lied about where he lives in order to run for office.

Jew, who turned himself in with his bail bondsman at his side, posted $135,000 bail and was released.

The arrest and felony charges bring to a head a City Hall scandal that has dogged the rookie supervisor ever since FBI agents last month raided his city office, his residences and his Chinatown flower shop.

Interestingly enough, Wikipedia has a very detailed write-up on the ongoing Ed Jew saga, here.

Monday, November 05, 2007

Will the current mortgage crisis result in more mortgage fraud?

Will irresponsible lending practices and, in some instances, fraud end up being the cause for an overall problem in the credit industry?

In case you haven't noticed, there seem to be a lot of homes up for sale. I'm even starting to see signs stating that the house in question is being sold by the bank.

We are even seeing signs that the problem might be worse than expected within the credit industry.

Reuters (courtesy of CNBC) is reporting:

Total losses stemming from writing down the value of mortgage-linked securities could be as high as $200 billion, with financial institutions sitting on at least $60 billion in losses that have not yet been disclosed, JPMorgan said Monday.

Banks and insurers, including Merrill Lynch, Ambac Financial Group and MBIA have reported third-quarter losses as they write down the value of securities, including collateralized debt obligations, or CDOs, backed by residential mortgages.

There is much more to come, JPMorgan analyst Christopher Flanagan said on a conference call with clients.

In a different story, it was also announced that the CEO of Citibank is stepping down because of losses incurred by subprime mortgages.

Forbes reported:

In a statement Sunday night, Prince said “it is my judgment that given the size of the recent losses in our mortgage-backed securities business, the only honorable course for me to take as chief executive officer is to step down. This is what I advised the board.”

Of course, Mr. Prince doesn't have anything to worry about personally. There are now reports surfacing that he could walk away from Citibank with $31 million in his pocket.

I could go on and on about the irresponsible lending practices that lured people into buying homes they could ill afford. Hidden in all the irresponsible lending practices is a fair amount of fraud.

Instances of mortgage fraud seemed to rise during the boom in the real estate market. The best resource (I know of) that addresses mortgage fraud is the Mortgage Fraud Blog authored by Rachel Dollar, who is an attorney specializing in the field.

If you are interested in the amount of fraud seen in the mortgage industry, the Mortgage Fraud Blog is an excellent resource.

Fraud associated with mortgages is unlikely to go down anytime soon. We will probably see a lot of fraudulent schemes pop up luring people with the promise of getting out of their personal mortgage crisis.

If anyone is interested, the Mortgage Bankers Association has a pretty decent consumer protection site to educate the public on this type of fraud, here.

Reuters story (courtesy of CNBC), here.

Forbes story, here.

Sunday, November 04, 2007

eBay shoppers crack QVC fraud case

eBay and auction sites are found to have HOT merchandise being sold on them too frequently (my opinion). I ran across a story in the Register, written by Dan Goodin, where two eBay customers cracked a $412,000 fraud case being committed against QVC.

As reported by Dan Goodin:

A woman has pleaded guilty to fleecing the QVC home-shopping network of more than $412,000 by exploiting a gaping hole in its website that allowed her to receive merchandise without paying for them.

Quantina Moore-Perry ordered handbags, jewelry and electronics and then immediately canceled the transactions. The flaw allowed the North Carolina woman to take delivery of more than 1,800 items without being billed. Moore-Perry would then sell the booty on eBay, according to the Associated Press, which cited authorities.

I wonder if QVC offered a reward to the two eBay shoppers who discovered this flaw in their system?

This would also make me wonder if this woman was the only one who has defrauded QVC in this manner?

There is a lot of controversy surrounding the sale of stolen merchandise on eBay and other auction sites. I've heard that some companies now have a dedicated person in their security departments to watch these sites for stolen merchandise.

Register story, here.

For other posts I've written concerning stolen merchandise on auction sites, click here.

IRS Phishing Scam lures victims with a donation plea for the Southern California Fires

In an apparent scam that packs a double whammy, the IRS is being impersonated in a spoofed e-mail requesting donations for the recent Southern California fires.

From the IRS press release:

The Internal Revenue Service today warned taxpayers to be on the lookout for a new e-mail scam that appears to be a solicitation from the IRS and the U.S. government for charitable contributions to victims of the recent Southern California wildfires.

In an effort to appear legitimate, the bogus e-mails include text from an actual speech about the wildfires by a member of the California Assembly.

The scam e-mail urges recipients to click on a link, which then opens what appears to be the IRS Web site but which is, in fact, a fake. An item on the phony Web site urges donations and includes a link that opens a donation form which requests the recipient’s personal and financial information.

It appears that in this scam, people are being solicited for both money and their personal information.

The IRS is warning that this is likely to make them a victim of identity theft, and that providing any personal and financial information is likely to result in a person having a lot more money taken from them than they intended to give:

The bogus e-mails appear to be a “phishing” scheme, in which recipients are tricked into providing personal and financial information that can be used to gain access to and steal the e-mail recipient’s assets.

The IRS also believes that clicking on the link downloads malware, or malicious software, onto the recipient’s computer. The malware will steal passwords and other account information it finds on the victim's computer system and send them to the scamster.

Generally, scamsters use the data they fraudulently obtain to empty the recipient’s bank accounts, run up charges on the victim’s existing credit cards, apply for new loans, credit cards, services or benefits in the victim’s name or even file fraudulent tax returns to obtain refunds rightfully belonging to the victim.

If you happen to run into one of these spoofed e-mails, here is something you can do to help the IRS and people who might fall for this:

Recipients of the scam e-mail can help the IRS shut down this scheme by forwarding the e-mail to an electronic mail box, using instructions found in “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes” on this site. This mail box was established to receive copies of possibly fraudulent e-mails involving misuse of the IRS name, logo or Web site for investigation.

IRS press release on the latest spoof using their name, here.

Fraudsters have been using the IRS name to scam people on an ongoing basis. Frequently, the names of other government agencies are used as a badge of authority by scammers, also.

Other posts regarding this phenomenon can be seen, here.

Governor Schwarzenegger in California stated that there will be zero tolerance for fraud in the wake of the fires. His press release, along with numbers to report suspected fraud, can be seen, here.

Sadly, whenever disaster strikes, scammers of all sorts pop out of the woodwork to steal money from people.

In case you don't have time to link to the press release, the number is 800-952-5210.