Friday, February 27, 2009

FTC Site Teaches Public How to Avoid Bad Deals

March 1st through the 7th is Consumer Awareness Week. This year, the Federal Trade Commission (along with an army of partners) is providing a user-friendly set of free e-tools designed to help the average "Joe or Jolene" safely navigate the murky waters they face in the current economic environment.

Besides teaching us how to make the most of our financial resources, the tools also teach how to avoid the underground army of not very honest people who are spreading more economic doom and gloom with too-good-to-be-true schemes designed to take advantage of the grim economic situation.

The Web site for the 11th annual National Consumer Protection Week is now up and running. Launched by the Federal Trade Commission and its NCPW (National Consumer Protection Week) Steering Committee partners, the site gives people free tools to make smart business decisions in today’s economy. The information on the site is designed to help the average person get the most value for their money, whether they are trying to improve their credit history, tell the difference between a real deal and a rip-off, or protect their mortgage from foreclosure or foreclosure rescue scams. It explains their rights under various laws and tells how to file a complaint or seek assistance from the appropriate government agency.

According to the Federal Trade Commission, scam artists, fraudsters, hackers and flim flam artists follow the headlines and use the current economic downturn to part people from their hard-earned (and ever-dwindling) financial resources. The NCPW Web site has tools (educational resources) to teach people how to recognize a ripoff, sniff out a scam and ensure they are getting value for their dollar in today's marketplace.

The site has tips on a wide range of topics from partner organizations. These tips range from how to get a free credit report to how to spot a telemarketing scam, from how to deal with debt to how to deter and detect identity theft, and how to avoid home and auto repair scams. Also included is detailed information on how to file a complaint with the appropriate agency if you do run into an issue.

Of course, on a personal level, I always recommend reporting them if you spot a problem and are able to avoid becoming a statistic, also. This can prevent a less educated person from becoming a victim and is a good deed.

National Consumer Protection Week

The FTC partners involved in providing this information include the AARP, the Comptroller of the Currency, the Consumer Federation of America, the Council of Better Business Bureaus, the Federal Citizen’s Information Center, the Federal Communications Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Association of Attorneys General, the National Association of Consumer Agency Administrators, the National Consumers League, the U.S. Department of the Treasury, the U.S. Postal Inspection Service, and the U.S. Postal Service.

The FTC also just released the top complaints they received in 2008. For the ninth year in a row, identity theft came in at number one. 1,223,370 complaints were received in 2008. 313,982 (26%) were related to identity theft.

Not surprisingly, with all the data breaches seen recently, credit card fraud was the most common form reported. This was followed by government documents/benefits fraud at 15%, employment fraud at 15%, phone or utilities fraud at 13%, bank fraud at 11% and loan fraud at 4%.

Other complaint categories included Third Party and Creditor Debt Collection, Shop-at-Home and Catalog Sales, Internet Services, Foreign Money Offers and Counterfeit Check Scams, Credit Bureaus, Information Furnishers and Report Users, Prizes, Sweepstakes and Lotteries, Television and Electronic Media, Banks and Lenders, Telecom Equipment and Mobile Services, Computer Equipment and Software, Business Opportunities, Employment Agencies and Work-at-Home, Internet Auction, Advance-Fee Loans and Credit Protection/Repair, Health Care, Auto Related Complaints, Travel, Vacations and Timeshare Plans, Credit Cards, Magazines and Buyers Clubs and Telephone Services.

Please note these are statistics where people were victimized. The information on the NCPW site is designed to keep people from becoming one (a statistic).

Thursday, February 26, 2009

Crimes Against Businesses Contribute to Job Losses

Organized retail crime costs retailers billions of dollars. In an era where retailers are closing stores or going completely out of business, it's logical to assume that organized retail crime is a contributing factor to retailers shutting their doors and people losing their jobs. With the sour economy inspiring more and more theft and fraud, it is becoming more critical than ever before for companies to control their losses in their struggle to remain viable.

When retailers lose money to theft, the end result can be (assuming they don't go bankrupt) that jobs are cut. Payroll is normally the largest and most controllable expense in any business. When businesses start to show negative earnings — like a lot of them are right now — payroll is normally the first place they look to cut when trying to avoid shutting their doors.

In an effort to fight what experts say is a $30 billion a year organized retail crime issue, the National Retail Federation is welcoming legislation being introduced to give them more tools to fight this problem. Yesterday, three bills were introduced in Congress to assist retailers and law enforcement in this effort.

The three bills introduced are "the Combating Organized Retail Crime Act of 2009, sponsored by Senate Majority Whip Richard J. Durbin, D-Ill.; the Organized Retail Crime Act of 2009, sponsored by Representative Brad Ellsworth, D-Ind.; and the E-Fencing Enforcement Act of 2009, sponsored by House Judiciary Committee Crime, Terrorism and Homeland Security Subcommittee Chairman Bobby Scott, D-Va. The measures are similar to legislation first introduced last summer" according to the press release and podcast on this matter by the National Retail Federation.

In case you are unfamiliar with "Organized Retail Crime," it involves organized retail theft activity for profit. Once the merchandise is stolen, it is fenced (sold) to get a cash value out of it. Traditionally, this merchandise was sold at flea markets/dishonest retailers, but more and more often nowadays, retail crime rings are turning to auction sites to unload their stolen goods.

The reason for this is if they sell it on an auction site, they make a lot more money than in the more traditional fencing venues. Experts believe they net 70 percent of the retail value by selling their stolen wares on an auction site versus the 30 percent of retail value they receive in more traditional fencing venues.

Another possible factor contributing to the problem is that consumers — who are operating with ever-decreasing personal budgets — are flocking to these sites to stretch their buying dollars. Without knowing it, they might be adding fuel to the fire by buying this stolen merchandise.

Even if the retailer can prove that merchandise on an auction site is stolen, it can be extremely difficult for them to get the site to cooperate in going after the criminals selling it. Due to a lot of red-tape imposed by these sites to release information, it requires a lot of time/effort to get the site to cooperate in an investigation. Because of this, the crooks are normally long gone before any effective investigative action is taken.

Another phenomenon called phishing makes the activity even more anonymous/hard to track on auction sites. Phishing is where a person (user) is tricked into giving up their credentials to an account. For years, eBay and PayPal have ranked as some of the most phished brands out there. Criminals use this information to take over an account and commit fraud using someone else's selling account. When investigating auction fraud, time is of the essence, otherwise the trail is often too cold to track. The crooks use one of these accounts for a short period of time and then move on to another phished account to avoid detection.

Organized retail crime is also taking advantage of the identity theft/financial crimes phenomenon and working with the hacking element that has been attacking the financial industry. Counterfeit payment cards (credit/debit), checks and identification are all being used to electronically boost merchandise and walk right out of the store with it. In the TJX data breach — which was the largest hack of financial data to date — a group was caught using cloned payment cards to buy $8 million worth of gift cards from Walmart. In the more recent data breach at Heartland Payment Systems — which looks like it might surpass TJX in the amount of data stolen — the only arrests made thus far were a group using the stolen data to clone gift cards. Since gift cards are redeemed at retailers, this is yet another example of how the financial hackers and organized retail crime types are working together. To me, this is evidence that organized retail crime is becoming more sophisticated in their theft techniques, which will likely make this problem get even worse than it already is.

The three bills being introduced will force auction sites to cooperate with retailers and law enforcement, define organized criminal activity as a federal offense and establish stricter sentencing guidelines for criminals convicted of organized retail crime. Too frequently, under current laws, criminals involved in this activity are treated like petty thieves and get a slap on the wrist when they are caught. Last, but not least, it will hold auction sites more accountable for the sale of stolen merchandise if it could have been prevented.

Besides fencing, there is a lot of other fraud on auction sites that isn't necessarily tied in to fencing and victimizes auction customers/sellers, more personally. Legitimate e-commerce sellers are frequently ripped off with bogus financial instruments. Buyers are also defrauded in a wide variety of scams on these sites. Like the major retail types, who are behind this legislation, the more ordinary victims are often hung out to dry when they try to get any assistance from the auction sites. There is little doubt (my opinion) that auction sites need to clean up all the fraud that occurs on them. While they do provide value and a fun way to buy things, there have been too many innocent people victimized on them.

While this legislation primarily focuses on fencing, it's a start in the right direction. Perhaps other groups should join in and support this legislation, which if passed, will likely set some needed legal precedents. It will also make it a little harder for the criminally inclined to operate on auction sites.

Supporting this legislation makes a lot of sense for a lot of different reasons. These are not victimless crimes and the consequences are being felt by innocent consumers and businesses.

Sunday, February 22, 2009

Are E-Commerce Merchants at Risk in Mystery Data Breach?

Days before the Heartland Data Breach was announced, volunteer computer security experts at the Open Security Foundation had already figured out what had occurred. Many believe Heartland is going to become the largest data breach in history and will surpass the TJX caper. At this point, only time will tell.

Now the folks at the Open Security Foundation are predicting another data breach at a card processor/acquirer that hasn't been announced to the public yet. For over a week, they have been speculating about this mysterious data breach based on a tip, which was corroborated by other anonymous sources.

In their latest post, they state they knew it was a card-not-present breach at a processor/acquirer, but didn't initially report it. They are now reporting this development based on it being revealed by another source.

On February 21, 2009, revealed evidence of this data breach based on information sifted from two credit union sites ( and Pennsylvania Credit Union Association CardNet).

The only data elements at risk are account numbers and expiration dates. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. The period of exposure being reported is from February to August of 2008.

It has also been written that the exposure was enabled by malicious software that was placed on the unknown acquirer/processor's system. Both of the credit union sources also state that it is being left up to the card issuers, whether to issue new cards or monitor the accounts for fraud. Reissuing cards has become a major expense to the card issuers after a data breach is discovered.

This makes me wonder if we will discover that the acquirer/processor was PCI DSS (Payment Card Industry Data Security Standards) compliant? PCI DSS is the payment card industry's own set of standards to protect data. In many of the recent breaches, the "breached" met this standard, which has led to questions as to whether it is really effective or not.

Both articles also indicate that Visa/Mastercard are not revealing the source of this breach until the "mysterious source" of it makes their own announcement on the matter.

Given these reports, my speculation is that this information could be used in e-commerce type transactions. If only primary account information and expiration dates were exposed, counterfeiting it on cloned cards is unlikely. It simply wouldn't be feasible to do so by the criminals involved.

This doesn't mean that there are no financial risks involved to businesses in this data breach. E-commerce fraud is a big problem and its estimated impact on merchants last year was $4 billion. To fight this problem, most e-commerce merchants manually review orders to detect fraud, which can be a substantial payroll cost. The percentage loss to fraud in e-commerce has been stable for about three years, but since sales have increased, the dollars lost to it are growing.

Fraudulent card-not-present transactions are frequently returned to merchants as chargebacks. The best way of avoiding these types of chargebacks is to verify transactions using the address verification service (AVS), the card verification value code 2 (CVV2), the card validation code 2 (CVC2), and the card identification (CID) when processing transactions. Smaller merchants — who ironically are charged the highest interchange fees for accepting card payments — are at the most risk because fraudsters count on the fact that they do not verify a lot of this data because they cannot afford the associated costs.

Perhaps this is one of the reasons why there is no rush to reissue cards. If the only information stolen can be used in card-not-present transactions, the card issuers are at little risk of suffering any financial losses. They will simply charge them back to the merchants, who failed to ensure the transaction wasn't fraudulent. It might be a good time for e-commerce merchants to be more cautious.

From what I can gather, this matter isn't exactly confidential; having said that, it appears that primarily financial institutions are being warned and not the e-commerce merchants who logically will be the primary target if this stolen information is used. The costs in the aftermath of data breaches are substantial and who bears the brunt of them is becoming a hot topic.

To close this post, I will refer to a good information source on preventing chargebacks from Wells Fargo. There are a lot of other sources, but a lot of them are selling something. If anyone has any other good sources, please feel free to leave a comment and share them with everyone!