Saturday, May 03, 2008

Truston ID Theft protection and recovery platform rakes in another award!

It appears that Tom Fragala and the MyTruston team have raked in (yet) another award. This time from the Pacific Coast Business Times as one of the hot start-up companies coming from California's Central Coast.

Tom Fragala, Truston's CEO wrote on his blog, "This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide."

Here is the reason why they were chosen:

Truston's MyTruston® service is the only fully online identity theft recovery system. It is web-based software that can help millions of people easily recover from and prevent identity fraud by supporting virtually any type of ID theft. MyTruston walks consumers step-by-step through the entire prevention or recovery process—dramatically reducing the time, financial cost, and emotional impact. And it can easily be embedded into a partner's own website on a private-label basis.

The press release also contains a comment from Tom Fragala, CEO of Truston:

“The Pacific Coast Business Times recognition of Truston as one of the hottest startups in Central California further validates our innovative products and strategy of offering our services to large partners in the identity theft, direct marketing and financial services markets,” said Tom Fragala, CEO and founder at Truston. “Superior technology and support for partners differentiates Truston from other companies in the identity theft protection market.”

Tom developed Truston based on his own personal experience as an identity theft victim and has spent thousands of hours assisting other victims of identity theft.

Because of this, coupled with the fact that he is selling this technology to large partners, he still takes care of us "little people" by offering a free 45 day trial (no credit card needed) of the Truston platform.

Saying that, I should mention that the platform has always protected people free of cost and only charges for using it to recover after a person is a confirmed identity theft victim. Most companies charge you right from the beginning and will only help you if you were paying at the time of the crime (pardon the pun). Many of them also require that you surrender all your personal details, which they maintain on a database. Information on databases are a favorite place for identity theft thieves to obtain the resources they need to commit their crimes.

There are some, who believe one of the root causes of identity theft is the multi-billion dollar business of buying and selling information, which is normally maintained in databases.

If you are interested in checking out the Truston platform while it is still free, I've provided a link, here.

Does the proposed class action settlement in the Certegy data breach case lack teeth?

I happened to notice, I was getting a lot of hits on some posts about the Certegy data breach and discovered that there is a proposed settlement in the class action law suit against them.

Tim Wilson at Dark Reading pointed out that this settlement amounts to Certegy paying less than $1 per victim and wrote:

Certegy Check Services is proposing to settle a class action lawsuit of last year's security breach on behalf of 8.4 million victims for about $4 million.

According to a report in the St. Petersburg (Fla.) Times, Certegy will also offer free credit monitoring services to some victims and reimbursement of credit monitoring expenses totaling $1 million on a first-come-first-served basis.
He also surmised in his article that:

While plaintiffs' lawyers hailed the offer as a victory, critics said the relatively small settlement will not help the cause of identity protection. The massive TJX breach also resulted in a relatively small settlement for the victims, netting about $6.5 million for customers.

Of note, I would imagine the plantiff's lawyers made A LOT more than $1 each for orchestrating this event. In all fairness, given the precedent set by similar actions might mean there isn't a very "deep pocket" on this type of action.

At $1 million for monitoring divided by 8.4 million potential victims, if any of them want the free monitoring, they better move quickly.

So far as the $4 million being set aside to make victims whole, I wonder how hard it is going to be for them to prove (as required by this settlement) that Certegy was the point-of-compromise in their case? The general rule of thumb is that identity thieves, even if they are caught (rare), probably aren't 100 percent sure where the information came from themselves. There is so much stolen information out there, it's being traded over the Internet.

The sad truth is that with all the data breaches out there, it might be hard to prove exactly where an identity theft victim's information was compromised.

So far as the criminal prosecution of the employee, one William Sullivan, who sold off 8.5 million people's records, I did a post in November about how he was able to make a plea bargain and get a reduced sentence in this case. There was a mention of a data broker being a co-conspirator, but they never seemed to be named (at least in public).

Personally, I've always had mixed feelings about law suits that result when data breaches occur. There is an argument that at least some (my opinion) of the organizations being breached are victims in the overall equation, also.

Saying that, if this class action and the one for TJX have set the legal precedent on this type of action, they are unlikely to serve as much of a deterrent against data breaches, or all the identity theft that results from them. Furthermore, the criminal prosecution of William Sullivan in his case is unlikely to be much of a deterrent, either.

In fact these results are probably going to do little to inspire organizations to protect their information better and for some, will probably be viewed as a cost of doing business.

I guess it's time to go back to the drawing board to figure out a way to effectively address information/identity theft and data breaches?

Here are the original posts, I did on this matter, which contain some angry commentary from more than one victim:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

Friday, May 02, 2008

Federal Reserve backs proposing reforms on credit card rules

Credit card fees, which a lot of consumer groups, have called out as unfair and abusive are in the news again. Today, the Federal Reserve Board proposed changes, which some believe have been a long time coming.

From the Federal Reserve's press release:

The Federal Reserve Board on Friday proposed rules to prohibit unfair practices regarding credit cards and overdraft services that would, among other provisions, protect consumers from unexpected increases in the rate charged on pre-existing credit card balances.
Without going to to the regulations governing this, here is what is being proposed:

Banks would be prohibited from increasing the rate on a pre-existing credit card balance (except under limited circumstances) and must allow the consumer to pay off that balance over a reasonable period of time.

Banks would be prohibited from applying payments in excess of the minimum in a manner that maximizes interest charges.

Banks would be required to give consumers the full benefit of discounted promotional rates on credit cards by applying payments in excess of the minimum to any higher-rate balances first, and by providing a grace period for purchases where the consumer is otherwise eligible.

Banks would be prohibited from imposing interest charges using the "two-cycle" method, which computes interest on balances on days in billing cycles preceding the most recent billing cycle.

Banks would be required to provide consumers a reasonable amount of time to make payments.
Sub prime credit card products are also being addressed by limiting fees that can be automatically applied to a balance. Greater transparency on interest rates and credit limits is being proposed, also. issued a press release the day before the Federal Reserve did offering a mixed reaction to the proposal:

"It’s about time federal regulators offered consumers some relief from unfair bank practices," said Consumers Union Financial Services Campaign manager Gail Hillebrand. "This proposed rule finally acknowledges that some practices just aren’t fair. All the disclosure in the world can’t make it fair to send the bill too close to the due date; to raise the interest rate on money already borrowed: or to charge a fee for a problem caused by the bank’s practice to allow a credit hold or a debit hold.”

The proposed rules respond to a sustained outcry from consumers and strong interest in Congress in credit card reform and in reform of bank account practices such as overdraft loans.
Consumers Union praised the approach of the proposed rule to ban, not just require more disclosure about, some of the worst credit card practices.

They also issued a press release on April 30th commending Senator Dodd, who is the Senate Banking Committee Chairman, for introducing the Credit Card Accountability, Responsibility and Disclosure Act. has long been critical of the credit card industry and has an ongoing campaign to bring about reforms to the industry.

Federal Reserve press release, here.

Thursday, May 01, 2008

Internet Gangstas don't appreciate software piracy, either!

Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked-off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, "the binary code of your bot will be immediately sent to antivirus companies."

The reason reporting reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was mentioned in a previous post on this blog:

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.

2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

It should be noted that these crimeware kits, as I've written frequently, make it fairly easy for not very technical criminals to commit technical crimes. As noted in their licensing agreement, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for much talked about Zeus kit, which has "drive-by" capabilities. If you are unfamiliar with what "drive by" means on the Internet, it means that your computer only needs to visit a site to become infected.

Here is a previous post, I recently did about the "drive by" problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam's post on the Symantec blog, here.

Sunday, April 27, 2008

DOJ announces strategy to go after organized crime in a borderless environment

I've often written about borderless crime being committed with a click of a mouse, as well as, the lines that law enforcement jurisdictions impose, which can make investigative and prosecution efforts, frustrating.

The Attorney General and the Justice Department are announcing a new strategy to go after the problem.

From the press release on

Today, Attorney General Michael B. Mukasey announced a new strategy in the fight against international organized crime that will address this growing threat to U.S. security and stability. The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment) and will address the demand for a strategic, targeted, and concerted U.S. response to combat the identified threats. This strategy builds on the broad foundation the Administration has developed in recent years to enhance information sharing, and to secure U.S. borders and financial systems from a variety of transnational threats.

In the press release, Attorney General Mukasey sums up the threat by saying:

The strategy specifically reacts to the globalization of legal and illegal business; advances in technology, particularly the Internet; and the evolution of symbiotic relationships between criminals, public officials, and business leaders that have combined to create a new, less restrictive environment within which international organized criminals can operate. Without the necessity of a physical presence, U.S. law enforcement must combat international organized criminals that target the relative wealth of the people and institutions in the United States while remaining outside the country.

Also stated in the verbiage of the press release is that there will be more coordination of information between federal law enforcement agencies. "This unprecedented coordination will include utilizing all available U.S. government programs and capabilities, including existing economic, consular, and other non-law enforcement means," according to Attorney General Mukasey.

"The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment)," according to the press release.

The press release identifies and defines the following strategic threats:

International organized criminals have penetrated the energy market and other strategic sectors of the U.S. and world economy. As U.S. energy needs continue to grow, so too could the power of those who control energy resources.

International organized criminals provide logistical and other support to terrorists, foreign intelligence services, and foreign governments, all with interests acutely adverse to those of U.S. national security.

International organized criminals traffic in people and contraband goods, bringing people and products through U.S. borders to the detriment of border security, the U.S. economy, and the health and lives of those human beings exploited by human trafficking.

International organized criminals exploit the U.S. and international financial system to move illegal profits and funds, including sending billions of dollars in illicit funds through the U.S. financial system annually. To continue this practice, they seek to corrupt financial service providers globally.

International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.

International organized criminals are manipulating securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers, and government agencies of billions of dollars.

International organized criminals have successfully corrupted public officials around the world, including in countries of vital strategic importance to the United States, and continue to seek ways to influence—legally or illegally—U.S. officials.

International organized criminals use violence and the threat of violence as a basis of power.

What alarmed me the most in this news release, especially with out of control oil prices, was that organized crime was involved in the energy sector. Randall Mikkelsen at Reuters must have been interested in this statement and questioned Alice Fisher, head of the DOJ criminal division. Fisher seemed downplay the statement by saying "I don't think that you can directly link the two." Fisher did go on to state that organized crime had a foothold in global financial markets?

To me, that's at least as scary as organized criminals being involved in the energy sector. What we do know is that both the financial and energy sectors seem to be causing the average citizen a considerable amount of pain and suffering, lately.

The reason for this response might be that investigative entities don't generally want to comment on the specifics of any ongoing investigations? There are good reasons for not doing so.

Interestingly enough, the Organised Crime and Corruption Reporting Project, which is run by some Eastern European journalists has covered potential organized criminal involvement in the energy sector in Eastern Europe. On a story, which can be seen on the home page of the site, it states:

In between are the energy traders. They say they are the future of low-cost energy but that is a promise yet to be fulfilled. These politically connected and well-financed businessmen have reaped billions in sales, often at the expense of state companies. Investigators in a number of countries are trying to determine whether some of them made their millions in profits illegally or legally in systems that have few laws and not enough regulations.

Although the executives at Enron were never found to be involved with organized crime, the Enron debacle illustrates how a little dishonesty in the energy sector can create a lot of financial havoc for a lot of people!

Also alarming, is the statement that public officials around the world are being corrupted by these groups.

As I stated in the first paragraph, I've often written about some of the items now being identified as strategic threats. We live in a society, where identities are stolen in mass, counterfeiting is rampant and rumors of foreign governments hacking into military and industrial systems are surfaced, too frequently.

And so far as hacking, criminal organizations -- who seem to be run as efficiently as any successful corporation -- appear to have the ability to crack into whatever defenses the good guys put into place. There has been speculation that these groups can afford to recruit the best and the brightest in a lot of "disciplines" in addition to information technology, also.

These factors have also enabled a lot of other (even more dangerous) criminal activity to spread at what some consider, epidemic proportions.

Given all these trends, the only successful strategy is to go after the people behind it. Nothing else has seemed to work very well, at least so far!

The full press release can be seen, here.

Reuters story can be seen, here.

I would also like to thank Suad and Lazarus at Paper Weapons, Heike at The Dark Visitor (information on Chinese hacking) site and the journalists at the Organised Crime and Corruption Reporting Project for the links, which I seeded in this post to make a point.