Friday, July 04, 2008

California Lottery Nails Dishonest Retailers

When you cash in a small lottery prize at a lottery retailer, the amount might not exactly what you were were entitled to receive.

On 7/1/08, the California Lottery announced that they are using undercover agents to sting dishonest retailers, who cheat lottery winners out of their prizes. The press release on this matter pointed to a case in Morgan Hill, California where a dishonest retailer (and another individual) are being charged with grand theft of lottery tickets ranging in value from $500 to $25,000.

I decided to see if I could find any additional information on arrests and discovered another one that was reported by cbs13.com in Lodi, California. CBS 13 in Sacramento, with cameras rolling, approached Baljut Kang (one of the two arrested in Lodi), who refused to talk at first. Eventually, Kang stated to the reporter that the undercover agents found "some ticket in the garbage," which made them think she and her son were committing fraud (?).

According to the article, an undercover agent turned in one ticket worth $990 receiving only $24. Another ticket was presented at the retailer worth $25,000 and the agent was paid $10 for it. The article also states that this was the result of a statewide lottery sting. Other retailers were caught in Southern California.

The official press release indicates that this is the first enforcement effort of this kind anywhere in the country. This made me wonder if other States should run sting operations, also?

While dishonest retailers getting caught cheating customers is something new, lottery scams are big business for criminals. Spam e-mails, unsolicited telephone calls and even snail mails are used to dupe people into thinking they have won the lottery. Frequently, a person is then asked to negotiate a fraudulent instrument to cover tariffs and taxes and wire the money across an International border.

The California lottery has an interesting page, which can be seen on their website warning the public about this type of activity. In February, I did a post on the eve of a $270 Mega Million Lottery prize, about fraudsters attempting to impersonate the California lottery to trick unsuspecting people into cashing worthless checks.

Please note that scams -- where unsuspecting people are duped into cashing worthless checks and wiring the money before the financial institution catches on -- aren't limited to the lottery variety. Other varieties involving bogus financial instruments include work-at-home (job) scams, secret shopper, romance and auction scams. Known bogus items in circulation are Postal Money Orders, Travelers Express (MoneyGram) Money Orders, American Express Gift Cheques and Visa Travelers Cheques. A good site to learn more about scams involving fake checks is FakeChecks.org.

In California when you claim a ticket for a prize under $600, the retailer has to validate it in a machine, which prints a receipt showing exactly how much the prize was for. A good idea is to make sure you take a look at this receipt to ensure you are getting the right amount of money.

If you note suspicious activity, I'm sure that the dedicated law enforcement personnel at the California Lottery would like to hear from you. They can be reached at 1-800-LOTTERY.

Tuesday, July 01, 2008

Data Theft Grows 68 Percent in 2008

Linda Foley at the Identity Theft Resource Center made an ominous announcement that data breaches were at an all time high. According to research conducted by the group, the number of data breaches has grown 68 percent in 2008 versus the same time period in 2007.

The current study acknowledges that some breaches are under reported and multiple breaches are sometimes reported as a single event. The breach at BNY Mellon and SunGard data were cited as an example of a single event affecting multiple businesses.

The report shows an increase in data breaches at businesses, financial institutions and health/medical institutions. Interestingly enough, breaches that involved the government/military and educational institutions showed a decrease.

Breaches are becoming more technology based, also. Electronic data breaches accounted for 80.7 percent of the total versus 19.3 percent, which were considered paper breaches.

I suspect that the increased activity at businesses and financial institutions is because the goal is to steal financial instruments that already have a cash value associated with them. As the general public has become more aware of the issues surrounding identity theft, opening fraudulent accounts with other people's information is becoming more difficult. More people are reviewing their credit and placing alerts/freezes on their individual reports, either by doing it themselves or paying a service to do it for them. When accounts are stolen that already have disposable spending power or (cash) on them, identity theft protection is unlikely to stop them from being compromised.

Because of the increased awareness, more fraudsters take over accounts instead of trying to open new ones. Most of the current identity theft protection methods being used will not stop this from happening.

So far as the statistic that electronic theft is becoming more prevalent than paper theft, perhaps shredding documents is making stealing paper harder? Of course, it might also mean that the methods to steal information electronically have become more advanced, also. Crimeware kits of the DIY (do-it-yourself) variety have spread this ability to people, who lack the technical skills to do it by themselves. There is a lot of evidence that these kits aren't too hard to purchase over the Internet and that sometimes they even come with technical support.

ID Analytics partnered with the study and added statistical information showing that 39 percent of data exposures were caused by missing or stolen devices in 2007. Their statistics also show that malicious intent in data breaches is a growing trend. Malicious intent categories include insider theft and access into account information by external methods (hacking).

A new trend, not specifically mentioned in the report, is large caches of stolen information being discovered that no one knew about before. Yesterday, Dark Reading announced that SecureWorks found one of these caches. Finjan has recently reported finding pretty much the same thing located on what they refer to as "crimeservers" on the Internet. The announcement by SecureWorks reported that hackers are using a trojan, called "Coreflood" also known as "AFCore."

SecureWorks reported that this trojan has gone undetected for a number of years and has compromised corporations, government agencies, healthcare agencies and "others." In this attack, one work station would be compromised and the hacker would wait for an administrator to log on. Once the administrator logged on to the infected work station, the hacker would then use the administrator's privileges to infect entire systems. This "hack" is being used to grab user names, passwords and even entire pages of information. Please note (my speculation) that this type of exploit is probably being used to steal more than financial information, also.

Given the fact that SecureWorks mentions government sites being hacked in this manner, there is no telling what the intent might be or who the information is being sold to (my speculation).

To the best of my knowledge, neither SecureWorks or Finjan have disclosed exactly who has been compromised or the exact details of the information to the general public.

This should lead the average person to believe that the problem of data breaches is far greater than anyone knows. The ITRC study explains why this is a problem when compiling any study on this subject.

Besides the ITRC, there are a lot of dedicated people gathering statistical information on data breaches. While they can only track information on the known occurrences, these people do a lot to educate the rest of us and raise the awareness level of what is becoming a growing problem.

The report gives credit to PogoWasRight, Attrition.org, breachblog.com, the Maryland and New Hampshire Attorney General breach notification lists and other sources that were used to compile this report.

The ITRC is a non profit organization designed to help businesses and people protect themselves from this clear and present danger to all of us. If you are interested in this problem, their site is a good place to educate yourself.

Sunday, June 29, 2008

Wards will now start notifying customers their information was stolen in December

The Associated Press announced on Friday that old time retailer Montgomery Ward is the latest victim of a data breach, where at least 51,000 records were compromised. The unfortunate problem now is they failed to notify the victims, which is the law in 44 States.

Since Montgomery Ward declared bankruptcy in 2001 this announcement might sound confusing, but the company was resurrected in 2004 under the name, Direct Marketing Services Incorporated. Direct Market Services sells merchandise under the names Wards.com, SearsHomeCenter.com, SearsShowplace.com, SearsRoomforKids.com (and two more) online.

Allegedly, hackers gained access by going through another Direct Marketing Services site, HomeVisions.com.

When they discovered the hack in December, they did notify their payment processor, Visa and Mastercard, but failed to notify any individual customers. Of course, they now plan to do so after being asked about it by the Associated Press.

The hat tip in this instance goes to CardCops, which a group of cyber sleuths who track stolen payment card data in underground carder forums for financial institutions. CardsCops spotted a group of 200,000 card numbers for sale (including CVC data) on one of the forums (chatrooms) they were monitoring. After tracing some of these cards to their owners, they discovered that they were had one thing in common (Wards).

At this point, it is unclear on whether the official estimate of 51,000 missing records is correct, or the hackers misrepresented the number of cards available in their underground forum.

When asked for some commentary, Visa declined to comment, MasterCard stated they warned the issuing banks to watch for suspicious activity and Discover stated they issued new cards.

Wards is not alone in not notifying their customers, or the public promptly when a data breach occurs. Recently lamented about this in a post suggesting we are a long way from full disclosure in data breaches.

Even without all the known data breaches, there are many that are never discovered. Besides that, information is stolen all the time on a smaller scale by dishonest employees, phishing and (despite all the shredders) from the trash.

The sad truth is from the criminal perspective, stolen information that hasn't been detected is worth more than information that is known to be "hot."

If you would like to see more information on the known data breaches, the DLDOS database at Attrition.org is a good resource. PogoWasRight is also another place that covers the privacy concerns arising from this problem, which faces us all.