Saturday, February 16, 2008

The $54 million lost laptop law suit

Found this story on SANS Newsbites. Apparently, a former Best Buy customer is suing Best Buy after they lost her laptop and allegedly tried to cover up the matter.

After going to a link on Information Week, I discovered that the plaintiff in question, Raelyn Campbell started a blog to chronicle her battle with the retailer.

The blog states Raelyn's intention in her own words:

I have filed a lawsuit against Best Buy and launched this blog in an effort to bring attention to the reprehensible state of consumer property and privacy protection practices at America's largest consumer electronics retailer, with the hope that it might motivate Best Buy to effect changes and spare future consumers the experience I have been subjected to -- or worse.

Whether due to what seems to be a plague of bad customer service, inept employees or a combination of both, Raelyn charges that:

Her laptop went missing and the Geek Squad initially couldn't find it in their computer.

That later on, a computer entry mysteriously appeared which leads to speculation that the Geeks were covering their tracks.

She tried to settle for $5,000.00, but was continuously low-balled by Best Buy.

After she filed a law suit, Best Buy tried to offer $2500.00.

Raelyn declined this offer because (in her own words):
I advised Best Buy's lawyer that I would drop the suit if Best Buy would provide compensation for my expenses and time and address the shortcomings in its property and privacy protection practices.
Additionally Raelyn is charging that Best Buy broke D.C. law by not notifying her immediately that she could become an identity theft victim.

Her blog has a lot of links to other allegations of employee abuse at Best Buy, which can be seen, here.

Of note, this episode -- no matter whether you think a $54 million law suit is called for or not --brings up the very real problem of all the portable data we carry being exposed when we drop it off somewhere for repairs.

It's a far shot that a responsible business would knowingly employ personnel that steal, but dishonest employees are a reality in today's world. Since information isn't inventoried and can be copied, protecting it is a little more difficult than other assets such as money or merchandise. In fact, most of the time when information is stolen, no one ever probably notices it is missing (my opinion).

Since information is worth a lot of money, this poses a problem.

This leaves a lot of things to consider and my guess is that protecting information is going to be a hot subject for a long time to come.

There are a slew of comments on the blog, both bashing and praising Raelyn for this action. Please note on blogspot, Raelyn can control the comments and therefore is being transparent by publishing them all.

To end this post, I will refer to (what I consider) some sage advice and commentary from three SANS newsbite editors:

[Editor's Note (Pescatore): I was thinking of suing my employer for about that much for forcing to me to carry a laptop all the time. This does point out an issue where some companies have allowed employees to do business on personal laptops that get repaired at places that don't protect them very well, and then the business information ends up on eBay and thousands of customers have to get notified, etc. etc.

(Cole): This will continue to happen; so two key take aways. One, use folder level encryption with a strong passphrase so repair people will not have access to your data. Full disk encryption will not work, since the techs need to log into the system. Second, backup of all of your critical data on a removable drive.

(Schultz): It is easy to predict that lawsuits of this kind are going to proliferate in the future. Many organizations have been downright irresponsible in handling personal and financial information, let alone others' computers. The threat of a lawsuit is likely to force such organizations to radically tighten their procedures for handling such information and computing equipment.

If you are interested in reading more from the SANS people, I've provided a link to their SANS Newsbites page, here.

Thursday, February 14, 2008

EBT cards probably have done little to reduce benefits (welfare) fraud!

Several years ago, one of the reasons plastic electronic benefit transfer (EBT) cards were introduced was to reduce benefits (welfare) fraud.

Apparently, criminals preying on government entitlement systems have figured out how to keep right on scamming the system using this form of "plastic."

Dan Cortex of the Free Detroit Press reports:

An intricately coordinated raid 18 months in the making resulted in the arrests Tuesday of more than two dozen business owners and employees involved in a fraud that costs the state about $55 million annually.

At least 25 people were arrested when about 200 state, federal and local officials descended on the stores, mostly in Dearborn and Detroit.
Interestingly enough, the manner in which this was accomplished wasn't very sophisticated:

Instead of using the cards to buy food, State Police said some card owners collaborated with store owners to trade them in for cash at the stores -- often at half the value of the cards. The stores, in turn, collected the full amount on the debit cards from the state.
Before EBT cards the same thing used to occur using the paper food stamps issued to government assistance recipients. With the use of electronic payment systems, converting the benefits to cash is probably less labor intensive than it used to be for the criminals involved in this activity.

The article also mentions that bank accounts and passports were seized. Do passports being seized mean that some of these people aren't even citizens?

Because of this, I decided to dig a little further. I was able to find a little more information on the Michigan Attorney General's site.

Here is what they are being charged with:

The defendants are charged with a felony violation of the food stamp act for which the maximum penalties are 10 years imprisonment and/or $250,000 in penalties. In addition, the stores and its owners and employees are charged with conducting a continuing criminal enterprise (punishable by up to 20 years imprisonment and/or $100,000 and criminal forfeiture of proceeds), conspiracy (up to 5 years imprisonment and/or $10,000 fine), electronic benefit transfer (EBT) card fraud (4 years imprisonment and/or $4,000 fine), and money laundering (10 year imprisonment and/or $100,000 in fines).

Considering how easily this was done, I'm guessing that it might be happening in other places, also. Maybe other States should look into this matter like the great State of Michigan has? Given how easily this was accomplished, I doubt Michigan is the only place with a problem.

One thing is for certain - I don't think plastic has stopped very much of this particular type of fraud. The true victims in this are the people probably going hungry at the expense of these criminals. In reality, they are doing nothing more than stealing food from the mouths of children!

The insane thing is how did we ever think that electronic payment cards would reduce fraud? All anyone would have had to do is take a look at how easily debit and credit cards are compromised.

Also not mentioned in the mainstream media were the names of the alleged defendants. Given that passports were seized, I'm guessing that some of the alleged defendants might be considered a flight risk:

Citgo
8351 Woodward Detroit, Michigan

Nabil Shamel, owner

Jamal Chami, employee

Waad Fawazi, employee

Livernois Gasoline
7645 Livernois Detroit, Michigan


Hafaid Musleh-Mohmood Alkahif, owner

Abdul Fattah-Mohmood Alkahif, employee

Dheyab M. Alquhaif, employee

Ammar Mahmood Gobah, employee

Mustafa Mohamen-Ahmed Alqohaif, employee

Yousef Mohamed-Ahmed Alqohaif, employee

U&I Petro
8820 Wyoming Detroit, Michigan

Saleh Algathaithi, owner

Saif Ahmed Alghathie, employee

Hassan Ali Hussein, employee


C&M Mini Mart
18420 James Couzens Detroit, Michigan

Abdo Mahfouz, owner

Ali Abdo Mahfouz, employee

Tarek Moshen Baderddine, employee


Rowan Party Store
7000 Rowan
Detroit, Michigan


Saeb Abdul-Ghani Abdul-Ghani, owner

Joseph Soliman Elrubi, employee

Maher Diab, employee


Big Al's Marathon
3910 Grand River Detroit, Michigan


Hussien Kamel Beydoun, owner

Ali Hussein Beydoun, employee

Van Dyke Petro
19030 Van Dyke Detroit, Michigan

Taha Ahmad Dika, owner

Nizar Ali Nazha, employee

Michael Maher, employee

Bassel Ibrahim-El-Sayed-Sleim Hachem, employee

Schaefer & Puritan
15901 Schaefer Detroit, Michigan

Mr. and Mrs. Adel Mohamad Kobeissi, owner

Khaled Abid Al-Bonijim, employee

Moahamad A. Berro, employee

Detroit Free Press article, here.

Press release from the Michigan Attorney General's Office, here.

Article from 1998 (WRAL.com) about how EBT cards reduce fraud, here.

Wednesday, February 13, 2008

A badge of authority is a time tested tool cyber fraudsters use to steal cash!


(Photo courtesy of brykmantra at Flickr)

Using a badge of authority to lure victims is nothing new in social engineering circles. I've written about instances, where law enforcement agencies and the IRS have been used to hook victims for all kinds of sinister purposes.

Another badge of authority frequently used is security software. Historically, a victim was required to download something to become infected. This isn't completely the case anymore -- with advancements in hacker techniques -- all a person has to do is to visit an infected site to make their system become sick.

Of course, the less technical versions (requiring a person to click on something) are still out there, also.

Just the other day, John Leyden (Register) reported that an Indian antivirus site, AVSoft technologies was infecting unsuspecting visitors with the Virut virus. This virus opens a "backdoor on infected PCs, allowing hackers to download and run other malware (or anything else they fancy) onto infected computers," according to John.

In case anyone want more information on the Virut virus, Symantec's definition can be seen, here.

Recently, I also read a post by Alex Eckelberry at the Sunbelt blog, which showed that affiliates of reputable security software companies were spreading malware:

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who make commissions sale they refer).
Alex finished his post with a sage comment for his peers:

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.
Technology changes all the time, but the lures used to attract the unwary seem to remain the same. Interestingly enough, some of the same lures have been used for hundreds of years and will probably still being used long after this blog has been deleted by a search engine.

Alex's post, along with some interesting (educational comments) from people within the industry, can be seen, here.

Sunday, February 10, 2008

Does healthcare fraud tie into organized crime, illegal immigration and .... corporations?

Read a pretty interesting article about how identity theft is being used (more and more frequently) to commit healthcare fraud. The article also alleges that organized crime is exploiting this activity to their financial advantage.

Since organized criminals normally are hard to get a "quote" from, we'll have to speculate about how much they are involved in this phenomenon.

The article written by Jim McKay appeared in govtech.com and quoted a section chief (Sharon Ormsby) from the FBI:

At least 3 percent of U.S. health-care costs (about $60 billion) can be attributed to fraud, according to the National Health Care Anti-Fraud Association. Of that, 1 percent is attributed to medical ID theft - an ominous figure when the numbers are triangulated, according to Sharon Ormsby, section chief for the financial crimes section of the FBI.

"If you figure by 2012, national health-care expenditure costs for the country will be approximately $3 trillion, you look at the fact that the National Health Care Anti-Fraud Association conservatively estimates health-care fraud to be 3 percent to 5 percent of that expenditure amount," she said. "That's a significant amount of fraud, so we do have a strong interest in it."

Another interesting article related to the subject of healthcare fraud showed up in the news in the past few days, also. CBS News did a story about a "whistleblower," who turned in his superiors -- in this instance a hospital -- for fraudulently billing government healthcare programs.

Unlike the govtech.com article -- which only suggests a dollar loss -- the CBS piece estimates the cost of healthcare fraud at about $11 billion a year.

Sharyl Attkisson, a CBS correspondent covered this story and it points to more commentary about government waste in general on the Couric (Katie) and Co. blog.

Please note the whistleblower in this instance received $3 million for turning in his employer.

With the baby boom generation headed for retirement and reports of hospitals going under because they provide free healthcare for illegal immigrants, there is a lot of camouflage for healthcare fraud to hide in.

The fact that a hospital was in on the fraud shouldn't surprise a lot of people, either. If you are following the 2008 election, the subject of legitimate companies gouging the healthcare system for profit isn't a new topic.

There is little doubt that the subject of healthcare costs is a hot topic and will continue to be for a long time to come.

Govtech.com article, here.

Here is a story, I did in May that covers the ties between healthcare fraud, organized crime and illegal immigration:

Medicare Fraud arrests might expose ties to medical identity theft and organized crime