Showing posts with label identity theft. Show all posts

Friday, April 13, 2012

Identity Thieves Target Uncle Sam

Identity thieves seem to like to target the government. With April 15th nearing, the news is awash with fraudsters using other people's identities to claim an earned income tax credit worth thousands of dollars. Of course, we should feel sorry for the poor people who had their identity stolen and used to file a bogus return. After all, they will have to deal with the IRS and prove they didn't file the fraudulent paperwork.

The saddest thing is that they will probably find out about it when they file a legitimate tax return and it is denied. When this happens, they might have to prove that they were not the person responsible for filing the faux (fake) return. In most instances, proving this will take hours of work and cost a little money.

In all fairness, it is evident that the IRS is taking tax fraud much more seriously than in the past. Because of this, we are probably seeing more of it being reported. The IRS has an excellent information page on their site to assist the people being victimized. Please note that anyone paying taxes is a victim of all this, and the money being lost adds to the ever-growing deficit.

Another aspect of this fraud is that if the government can prove the refund was not negotiated for the right person, they can hold the financial institution paying out the money liable. Frequently, when the fraudulent refund is received, a counterfeit ID is produced to negotiate the instrument. In these cases, when the true person proves they did not file the bogus return, the loss is going to be charged right back to the financial institution that paid out the actual cash in the scheme.

Another good example of a government program being targeted is the recent disclosure that hackers compromised a State of Utah Medicaid database. Given the quality of information stolen (medical), it is prime to commit tax fraud (or medical fraud) against the government.

Current estimates put this data breach at 780,000 personal records compromised. It has also come to light that the data was not encrypted and that less-than-complex passwords were used to protect it. The Salt Lake City Tribune is also reporting that the manner in which this information was protected might be in violation of current federal regulations. It is hard to believe, with the number of publicly disclosed breaches, that the data was not encrypted. You would think that this would be standard by now when protecting information that criminals can use to steal money.

It is pretty interesting that the World Privacy Forum has an interactive map on their site showing all the known occurrences of medical identity theft in recent years. While there are differing estimates on the costs of medical fraud, there is little doubt that it costs us billions of dollars, and the costs are passed on to all of us.

An article by Jaikumar Vijayan at ComputerWorld makes a pretty good argument that most of the data breaches in 2011 were avoidable. If this is the case, it should show us that this is an ever-growing problem and that we cannot afford to let our guard down.

If you think you might be a victim in the Utah breach, the State has set up a victim's assistance line at 1-855-238-3339.

Wednesday, July 07, 2010

Phony Collectors Want Your Credit/Debit Card Information

About a week ago, I was made aware of a fraud group operating from a Tampa, Florida number, who were calling people and using some pretty heavy-handed tactics to collect (steal) money. Interestingly enough, the person that let me know about this had never done business with the company being impersonated.

Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls. With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information. Of course, in this instance, since the calls were bogus, it was not the case. In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself.

The person who provided me with this information also provided me with the number she was called from. I called the number and, after a slight delay, I got a person with an Indian accent, who identified himself as "William Scott" from ACS, Inc. Leading him on, I told him my wife was always getting us into trouble by borrowing money — and that we had received a message to call them. He asked me for my wife's name and I made one up. He then told me to wait a minute, while he looked up the file. After about a minute, he said he had located the file and that she owed $500.00, and said this was a "serious legal issue we needed to get cleared up right away." He even offered to settle for $300.00, if I paid that day with a debit/credit card.

During my conversation with William, I could hear the chatter of other calls being made. Listening carefully, I noted that all the people "chattering" in the background seemed to have Southern Asian (probably Indian) accents. This leads me to believe that the call was being forwarded, possibly overseas. This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number to all over the world.

I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him. About an hour later, I got the form coming from an e-mail address, acscorpusa@gmail.com. It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number. There is very little doubt in my mind that if I had sent the form back to him, the account I gave them would have been promptly cleaned out.

I ran the number (813-434-4611) on a site called PhoneValidator.com, which tells you what company a number belongs to and if it is a cell phone or a landline. This number belongs to PaeTec Communications in Tampa, Florida. PhoneValidator.com offers two additional tools after you run the number. One is primarily a paid search (how they make money), but they offer Google results, also. When I ran the Google results, it identified the same scam I had run into. One site, 800notes.com, had quite a few comments about it.

The payment authorization letter listed a fax number of 646-786-4401. I ran that number and it went to a landline in New York. Again, I ran the Google results, which revealed more people getting faux collection calls. Besides the fax number on the authorization letter — designed to clean out a payment card — was another number (813-435-1963) to call them back. Although it was another Tampa number, it went to a different telecom outfit. By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors.

Based on the comments I found, it appeared that this activity had been going on for a long time, and the Indian accents seem to be a common theme. I did report this to the authorities — but besides getting an initial call back — I haven't heard anything from them since then.

It is not uncommon for scammers to set up legitimate sounding numbers, either. As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does. Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected.

I did more research on this activity and discovered that the BBB had an interesting write-up about similar (if not the same) fraudulent collection activity. The report lists 67 complaints they had received. Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims that a data breach was suspected. In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victims' relatives. It also stated that people were being threatened with criminal prosecution if they did not pay.

If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt. The Federal Trade Commission (FTC) has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow. You can also file an online complaint (highly recommended if you suspect abuse) and even watch a video on how to do it properly. They also provide a number (1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261) if you want to speak with a live human being.

The phenomenon of fraud by telephone is becoming more and more common. Officially dubbed "vishing," which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes. Cheap long distance — enabled by VoIP (Voice over Internet Protocol) — and caller ID spoofing (which is legal) have made vishing pretty easy to accomplish.

If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding!

Sunday, June 28, 2009

Lucid Intelligence – A Free Way to Discover IF Your Identity Has Been Stolen!

Millions of personal and financial records have been compromised in recent years and the criminals involved in trading this information operate worldwide.

"A criminal might be based in Romania, using servers hosted in Russia, stealing data from people in Germany, to buy goods from an American retailer for delivery in the UK, using an Australian credit card," according to a new site called Lucid Intelligence, which seeks to level the playing field for the individual victims of these crimes.

Lucid Intelligence has set up a site that has a user-friendly tool that allows a person to see if their personal and/or financial information is in the hands of criminals. It then provides resources – that are free for the most part – a person can use to protect themselves. The Lucid Intelligence Database contains the information of over 40 million people who have already been compromised.

Although the site freely admits they can't do anything about getting your information back, the truth is that an aware person can take measures to make the information useless (and maybe more dangerous) for criminals to use.

Some of the ways the site suggests protecting yourself are setting up a Google Alert (detailed instructions included), getting a free credit report, finding some free identity theft protection and protecting your computer. Free options for doing this are identified on the site.

All of the records in the Lucid database have already been compromised by criminals and made available on the Internet. These stolen details were found in chat rooms, bulletin boards or FTP sites, which are used as underground forums to sell stolen information. Recently, two major reports indicated there is so much stolen information available, the law of supply and demand is causing prices to go down. This would suggest there is a glut of stolen information out there.

The information is stolen in a variety of ways. It can be stolen by hackers who compromise a retail or banking system, by dishonest employees at a wide variety of places, or by malicious software delivered by the botnets that "virtually phish" the digital world with billions of spam e-mails. Information can also be stolen when you pay a bill using a card or when an irresponsible employee throws it in the trash. Please note, there are other ways information is stolen and I am only listing the more well-known methods.

A lot of the information in the database has been obtained by the highly skilled operators behind Lucid, who seek out and engage cyber criminals and beat them at their own game. These operators, who come from all walks of life, are volunteers and most (if not all of them) have put a few scammers behind bars.

There is little doubt that the amount of information in this database is going to grow and, whenever possible, Lucid records exactly where they discovered the information.

The information you input to do the searches is not maintained by Lucid until you request the detailed summary. There are reasons for this, which I will explain below. The site also doesn't use any cookies that are designed to track activity on a computer. From what I can see, everything associated with the site is designed to protect individual privacy and takes the necessary precautions to stop someone with malicious intent from exploiting the Lucid database itself.

If the search reveals your information has been compromised, they provide you with a limited summary. For an administrative fee – and only after your identity has been completely verified – they will provide you with a detailed summary. The administrative fee of £10 (approximately $16.56) to get the detailed summary covers the costs of pulling the information. Included in the detailed summary is an individual risk analysis based on the information discovered.

In most cases, the limited summary, combined with the protection information, will be sufficient for most people.

In the past four years, Lucid has turned over the details of every credit card they've discovered to the “Dedicated Cheque and Credit Card Unit” in London and APACS. In turn, this information is turned over to the credit card issuer. Lucid has already provided the details of several hundred thousand compromised credit cards and it is estimated they have saved more than £200,000,000 (approximately $331,250,263) from being stolen. When considering this statistic, we need to remember that the actual card details came from all over the world.

It should be noted that payment (credit/debit) cards aren't the only type of information available for sale on the Internet. Lucid attempts to report all the information they discover if there is a place to report it to.

There are good reasons that Lucid doesn't turn these credit card details over to the card issuers directly. Replacing credit cards is costly and sometimes card issuers choose to merely monitor known compromised information and then issue a new card if there is suspected fraudulent activity. By reporting it to the authorities and APACS, Lucid ensures a record is maintained should someone run into complications with an issuer after they have been victimized. Despite all the zero liability ads out there, the sad truth is that not all victims come out of these schemes without losing money (sometimes a lot).

Another thing the Lucid database might reveal is synthetic identity theft before it comes back to haunt a person. Credit reports don't necessarily catch all forms of identity theft. Sometimes different parts of people's identities are used to forge a synthetic one. In these instances, because a lot of the information doesn't match, the credit bureaus don't pick it up.

Other examples where a credit bureau might not reveal identity theft are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and when it is used to commit crimes other than those of a financial nature.

Another thing to consider is that since not all compromised information is used or used right away, the risk is there, but it will not show up on a credit report.

The people behind Lucid are also active in dealing with advance fee fraud (419) and the different varieties of this are covered on the site, also.

Last but not least, if you need further information they have a way to contact a member of the group.

The site is largely the work of Colin Holder, a retired Detective Sergeant from the United Kingdom, who is considered one of the leading experts in the world on advance fee fraud and identity theft. This isn't the first Web site Colin has set up, either. In 2001, he set up the Metropolitan Police Fraud Alert site and came up with the idea that later became the "KYC" and "Money Laundering" compliance database. His full biography, which is both impressive and extensive, can be found on the site.

Sunday, May 17, 2009

FaceBook Hack Reveals Trend in Targeting Social Networks

Attacking social networking websites is becoming more common all the time. My guess is that they are being leveraged by criminals, who are after the vast amount of personal information people willingly put up on these sites.

For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different from some of the other ones we've seen in recent years: the aim is to take over a user account and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.

The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.

Stolen user accounts on eBay have been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.

This information can then be used to commit financial crimes, using the victim’s identity.

I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.

According to Marian Merritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.

Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.

First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand corner of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.

Of course, it's also wise to check out the address at the top of the page after arriving at your destination. You should also stop and think when something pops up instructing you to enter your user and password information.
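The address check described above can be automated. The following JavaScript is an added example, not part of the original post or of Symantec's advice; the trusted-site list, the two-edit threshold and every sample link are constructed assumptions.

```javascript
// Added example, not from the original post. TRUSTED and every URL in
// SAMPLE_LINKS are constructed for illustration.
const TRUSTED = ["facebook.com", "twitter.com", "myspace.com"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value of D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j]; // value of D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Classify a link the way a careful reader of the address bar would.
function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { verdict: "invalid", host: null, reason: "not a parseable URL" };
  }
  const host = url.hostname.replace(/^www\./, "");

  // Text before "@" is login info, not the site: the real host comes after it.
  if (url.username !== "") {
    return { verdict: "lookalike", host, reason: "userinfo before @ hides the real host" };
  }
  for (const site of TRUSTED) {
    if (host === site || host.endsWith("." + site)) {
      return { verdict: "trusted", host, reason: "matches " + site };
    }
  }
  // Simplification (assumption): treat the last two labels as the registered
  // domain. A production check would consult the Public Suffix List.
  const base = host.split(".").slice(-2).join(".");
  for (const site of TRUSTED) {
    const brand = site.split(".")[0];
    const d = editDistance(base, site);
    if (d > 0 && d <= 2) {
      return { verdict: "lookalike", host, reason: `${d} edit(s) away from ${site}` };
    }
    if (host.includes(brand)) {
      return { verdict: "lookalike", host, reason: `uses "${brand}" outside ${site}` };
    }
  }
  return { verdict: "unknown", host, reason: "no relation to a trusted site" };
}

// Constructed sample links covering each case.
const SAMPLE_LINKS = [
  "http://www.facebook.com/login.php",
  "http://www.faceboot.com/login.php",
  "http://facebook.com.account-check.example/login.php",
  "http://www.facebook.com@198.51.100.7/login.php",
  "https://example.org/",
];
for (const link of SAMPLE_LINKS) {
  const r = classifyLink(link);
  console.log(`${r.verdict.padEnd(9)} ${link}  (${r.reason})`);
}
```

A "lookalike" verdict is a reason to type the legitimate address by hand instead of following the link; an "unknown" verdict only means the host is unrelated to the sites on the list.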

Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.

When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.

As far as buying counterfeit software goes, it normally doesn't protect you very well and it might even have some malicious code built right into the program.

While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.

Going beyond social networking sites, financial, auction and e-commerce sites are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.

The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.

Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!

Friday, April 17, 2009

Twin Reports Suggest We are Losing the Cybercrime War

According to Symantec, malicious activity in 2008 amounted to 60 percent of all the activity they have recorded since they started keeping records. Last year, they recorded 1.6 million new malicious code signatures and blocked 245 million malware attacks from their users every month.

Many of these attacks – when the words malware or malicious code are used – are designed to steal information (preferably financial) or take command and control of a computer. Once command and control of a computer is accomplished – it’s called a zombie and networked into a botnet. A botnet works as a super computer and is used to spam the electronic universe. Some of these spam e-mails contain even more malware, which infects more unprotected systems.

In 2008, Symantec observed an average of more than 75,000 active bot-infected (zombie) computers each day, a 31 percent increase from 2007. Symantec's latest report, which covers January to December of 2008, suggests that 90 percent of these attacks are designed to steal information. Attacks using key loggers – which log a computer's keystrokes and send them to the criminals who installed the malicious code – grew from 72 to 76 percent of the activity observed by Symantec's security lab.

Many of these attacks use a technique known as phishing, which is normally delivered in a spam e-mail. Phishing either tricks people into giving up their information (social engineering) or gets them to download malicious code, which makes the process automatic. Last year, Symantec detected 55,389 phishing website hosts, which is where you are sent if you click on a link in a phish-mail. Spoofed financial services companies accounted for 76 percent of these lures compared to 52 percent in 2007.

Spam, which delivers most of this activity, continued to grow, too. This equated to 349.6 billion spam messages in 2008 compared to 119.6 billion spam messages in 2007, which is a 192 percent increase. According to the monthly spam report from Symantec, last month's spam social engineering themes included mortgage rescue, tax season, terror and scareware (fake antivirus solutions) for the much anticipated Conficker worm that was designed to hit on April Fool's Day. Please note that Conficker, a.k.a. Downadup, is still a problem, but it didn't spread its gloom and doom on April 1st to the degree it was expected to.

Cybercriminals have always been quick to exploit the headlines and with the sour economy in the news have been targeting the financial industry. Here also, Symantec saw an increase of personal and financial information being stolen by using financial institutions as bait. In 2008, this amounted to 29 percent of the activity compared to 10 percent in 2007.

In their latest report, Symantec leveraged information from their recent Report on the Underground Economy which points to an organized criminal community that specializes in the sale of stolen personal and financial information. They noted that the economic principle of supply and demand has come into play with this underground economy due to a glut of stolen data – causing prices to go down.

Most of this stolen information is sold in electronic forums, such as websites and Internet Relay Chat (IRC) channels. These forums enable information to be sold worldwide and make the activity anonymous. Because the activity is anonymous, it is very difficult to investigate or shut-down. Credit cards go anywhere from less than a dollar to about $30 and bank account credentials sell for anywhere from $10 to $100. Much of the cost depends on the perceived value of information and the amount of it, which is purchased.



Symantec isn't the only one releasing a report showing an alarming increase in information theft. Verizon just released a report showing that 285 million information records were compromised in 2008 alone. While the Symantec report focuses more on individual attacks, the Verizon report studies the impact of large-scale attacks on businesses and organizations. When combined, the information in these reports is pretty revealing.

According to the Verizon report, the 285 million records stolen are greater than what was known to be stolen in 2004 to 2007. I say "greater" because I've often speculated that the most valuable information stolen is the data no one knows has been stolen. After information is known to have been stolen, measures are taken to protect it. This makes it useless or at least a lot harder to use.

Recently, underground services have also popped up in these underground forums, which allow information thieves to see if the information they are buying hasn't been compromised (pun intended).

Verizon, who investigated 90 data breaches last year, noted that malware is now being designed to steal debit card and PIN information. The report also breaks down the point of compromise by industry and how the data was breached. For instance, in the past year 93 percent of the activity compromised was at financial institutions. Also cited was that most attacks were accomplished by external entities (73 percent) taking advantage of procedural flaws, but that when the breach was assisted by an insider (20 percent) more data was stolen.

The trend towards compromising debit cards and PINs is likely because these instruments are the quickest route to obtaining cash. Obtaining cash is normally the ultimate goal of an information thief and stolen debit card information accomplishes this with a minimum of effort.

Also covered are breaches caused by partners (32 percent), which are external entities providing services to a business. Please note these percentages add up to more than 100 percent, which means that multiple points of compromise can be attributed to any one incident in some cases.

Both reports are an excellent read and point to the fact that there is a glut of stolen information for sale on the black market, which isn't good news. The fact that more information is being stolen than ever before – even when security procedures are ramped up on a regular basis – is not good news, either.

Perhaps both of these reports suggest the obvious, which is we are not winning the war against cybercrime and the problem is getting worse. Historically, these losses have been written off and the cost is passed to the consumer. With the sour economy and the fact that a lot of the financial industry is already on the brink of bankruptcy, writing off these losses might no longer be a realistic solution.

The reason criminals can easily exploit this information is that we are storing it in too many places that are too easy to access. The reason this has happened is because a lot of people are making a lot of money by using and selling this information. Making the information easy to access makes it easier to make money from it. I'm all for making money, but at what point does it prove to be irresponsible?

No security fix is going to solve this problem without a healthy dose of common sense being infused into the scheme of things!

After all, the economy is already in a lot of trouble because of some of the same people making a lot of money irresponsibly. My guess is we are getting to the point where we will no longer be able to write off the cost of being irresponsible to the consumer, as well as the taxpaying public.

Sunday, December 14, 2008

Keeping an ID Theft Victim's Information Private is Catching On



Tom Fragala, CEO of Truston Identity Theft Services, started his MyTruston identity theft and recovery product based on the principle that he didn't believe an identity theft victim should have to give up their information to a third party to protect themselves. After all, most of this information gets stored in a database, which is one of the main places (besides trash cans) identity thieves go to steal information.

Information stored on databases is legitimately bought and sold by information brokers all the time. Criminals sometimes pose as having a legitimate interest to access the information. Of course, there have also been cases of dishonest employees selling it without a so-called legitimate purpose. This makes it extremely difficult to determine exactly where any stolen information originally came from. At this point in time, so much information has been stolen, we routinely hear about it being sold in chat rooms right over the Internet.

It didn't make sense to Tom to put all this information in another place, where it could potentially be compromised again. Databases have created an ability to store more information than ever before and transfer it with a click of a mouse.

Having been an identity theft victim himself, Tom had some rather personal feelings on the subject. It should also be mentioned that Tom has spent thousands of hours being a personal advocate for victims of this crime.

Since launching the do-it-yourself tool — where you don't have to be an expert to protect yourself or recover from identity theft — it has received numerous awards and become a hot topic within the technology industry itself. Besides not having to be an ID theft expert — you don't have to expose any of your personal information to a third party and the protection aspect is and always has been free. There is a charge for using the recovery tool, which can be cancelled anytime. I'll tell you a secret about that last statement, further down.

I discovered the latest news that the Truston concept is catching on when reading Tom's blog, which is well worth a read if you are interested in identity theft or privacy issues. "Today we announced that our MyTruston product has been included in the portfolio of the Affinion Security Center, the largest provider of identity protection and privacy services. Affinion has nearly 35 years of industry experience and over 65 million members of their many products. Clients of their identity protection and privacy products include Wells Fargo, Bank of America and The Hartford Insurance. Truston's Software-as-a-Service technology is deeply integrated within the Affinion Security Center’s core solution platform, IdentitySecure," according to Tom himself.

Just the day before, Truston also announced a partnership with CreditFYI, which is a one-stop shop for finding the best credit card rates and best loan rates, as well as learning how to protect your good name and credit rating.

Besides Affinion Group and CreditFYI, Truston is a private label partner with Identity Force, which provides identity theft protection services to the U.S. Government. Truston has been given a Four-Star rating by PC Magazine and has received several awards. "Truston's awards include a 2008 Product Innovation Award, a Hot Company 2008 Award, being selected for 10 Companies to Watch in 2008 by the Pacific Coast Business Times, the 2008 Tomorrow's Technology Today award, and it was identified as a leader by Javelin Strategy & Research in their December 2007 identity theft market report," according to the press releases.

If you are interested in just how user-friendly the tool is, the Truston site has a tour you can take.

I've also had the pleasure of speaking with Tom on several occasions and beta tested the tool myself before it rolled out. I've covered this in several blog posts on Tom and the MyTruston identity theft tool.

Now for the secret I promised earlier in the post. I mentioned that using the tool always has been and always will be free, but there is a nominal charge for using the recovery services. The secret is that if you go directly to the Truston site - you can use everything free for 45 days. Last, but not least, this free trial doesn't require you to give them a credit card (which will get charged if you forget to cancel) until after the trial expires.

Saturday, December 06, 2008

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one of the larger companies in the e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game, since no one knows or is saying, my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a month ago of a phishing attack aimed at them. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that an Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.
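The kind of check a domain owner can run against a redirect like the one described above, as an added example that is not part of the original post: it compares observed A records with a pinned baseline, then lists every domain seen at the same unexpected address, which is how a count like the 71 other domains is reached. The domains, addresses, observations and baseline format are constructed placeholders and assumptions.

```python
"""Flag DNS answers that drift from a pinned baseline, then pivot on the
unexpected address to find other domains pointed at it."""
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each monitored domain may resolve into.
# Names use the reserved .example TLD; addresses use RFC 5737 test ranges.
BASELINE = {
    "billpay.example": ["192.0.2.0/24"],
    "bank-a.example": ["198.51.100.0/25"],
    "bank-b.example": ["198.51.100.128/25"],
}

# Constructed observations: (poll time, domain, A record answer), as a
# scheduled resolver poll or a passive-DNS feed might report them.
OBSERVATIONS = [
    ("00:10", "billpay.example", "192.0.2.10"),
    ("00:10", "bank-a.example", "198.51.100.20"),
    ("00:40", "billpay.example", "203.0.113.66"),   # outside baseline
    ("00:40", "bank-b.example", "203.0.113.66"),    # outside baseline
    ("00:40", "bank-a.example", "198.51.100.21"),   # moved, but still in range
    ("01:10", "billpay.example", "not-an-ip"),      # malformed answer
    ("01:10", "unmonitored.example", "203.0.113.66"),
]


def in_baseline(domain, address, baseline):
    """True if the parsed address falls inside any network pinned for the domain."""
    networks = (ipaddress.ip_network(n) for n in baseline[domain])
    return any(address in net for net in networks)


def find_drift(observations, baseline):
    """Return one alert per monitored observation that leaves the baseline."""
    alerts = []
    for when, domain, raw in observations:
        if domain not in baseline:
            continue  # nothing pinned for it, so nothing to compare against
        try:
            address = ipaddress.ip_address(raw)
        except ValueError:
            # A malformed answer is itself worth a look; do not drop it silently.
            alerts.append({"time": when, "domain": domain, "answer": raw,
                           "reason": "unparseable answer"})
            continue
        if not in_baseline(domain, address, baseline):
            alerts.append({"time": when, "domain": domain, "answer": str(address),
                           "reason": "address outside baseline"})
    return alerts


def domains_sharing(observations, addresses):
    """Pivot: every domain (monitored or not) observed at the given addresses."""
    shared = defaultdict(set)
    for _, domain, raw in observations:
        if raw in addresses:
            shared[raw].add(domain)
    return {addr: sorted(names) for addr, names in shared.items()}


def investigate(observations, baseline):
    """Run both steps and return (alerts, domains grouped by unexpected address)."""
    alerts = find_drift(observations, baseline)
    unexpected = {a["answer"] for a in alerts
                  if a["reason"] == "address outside baseline"}
    return alerts, domains_sharing(observations, unexpected)


if __name__ == "__main__":
    alerts, shared = investigate(OBSERVATIONS, BASELINE)
    for alert in alerts:
        print(alert["time"], alert["domain"], alert["answer"], "-", alert["reason"])
    for address, names in shared.items():
        print(address, "is now serving:", ", ".join(names))
```

The pivot step is what surfaces domains that were never in the baseline, so a single alert on one monitored name can expose the wider set pointed at the same address.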

Thus far, about 5,000 victims have been identified. As in past instances where identities were compromised, the victims are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush) payments. On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as the "secure location" statement goes, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

A second post about this story in Security Fix (Washington Post) brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

Friday, November 28, 2008

Home Equity ID Theft Ring Points to a Bigger Problem

On Monday, Federal authorities informed the public of a series of arrests where identity theft was used to steal the equity out of homes. I guess we've already lost so much money in the mortgage crisis, the identity thieves figured it wouldn't matter?

The four arrested on Monday were Derek Polk, Oluda Akinmola, Oluwajide Ogunbiyi, and Oladeji Craig. The four appeared in federal court in Los Angeles, Newark, Buffalo, and Springfield. Also arrested for home equity schemes between August and October were Daniel Yumi (Brooklyn), Yomu and Olokodana Jagunna (Queens), and Abayomi Lawal (Brooklyn).

Strangely enough — although no one in the mainstream media is saying — most of these names sound slightly foreign. Judging by the surnames my best guess is that they are originally from West Africa, probably Nigeria. Stories of Nigerian fraud are extremely popular in the media so I'm surprised no one took this opportunity to put that twist to this story.

In all fairness, in previous posts, I've lamented that fraudsters often pose as Nigerians or the media incorrectly pegs fraud as coming from Nigeria when it doesn't. There is no doubt Nigeria is known for a lot of fraud, but they didn't invent it and are not the only players in the game.

It should also be noted (out of fairness) that court documents reflect the federal authorities stating that this is the result of an investigation into a multi-national identity theft ring. There are a lot of fraud groups out there, both foreign and domestic, and many of the experts have concluded they are working together when it suits them.

The proceeds of these home equity scams were wired all over the world, including South Korea, Japan, China, Vietnam, Canada, and the United Kingdom. According to news accounts, about $2.5 million was wired and the total take in the scheme was about $10 million.

Sadly — although this has been called out as a problem frequently — a lot of fodder (information) used in the scams was obtained by none other than public record searches. The public records used even contained credit applications, credit reports, and the victims' signatures, according to the FBI. BJ Ostegren — who was kind enough to give me a personal demonstration a while back — is the champion of exposing just how much of this information is out there for anyone to grab. If you want to see exactly how much information is available, her website is a good place to start.

Also mentioned in the criminal complaint was that fee-based Internet services were used to obtain some of the information. This is a huge business, which nets billions of dollars a year for the people selling it. I did notice that no one is saying which of the services were used.

It should also be noted that information like this is bartered in forums on the Internet. Symantec just released a report showing how cheaply some of this information can be obtained. This type of activity is fairly well known and the FBI recently cracked one of the forums (Dark Market). This group allegedly racked up about $70 million in fraud, worldwide.

The individuals arrested in this scheme also used a lot of known technological fraud crutches, such as caller ID spoofing, prepaid cellular, and forwarding calls without the owner's knowledge. Tricking a phone company into forwarding calls is no problem for most fraudsters as little to no due diligence is performed before it is done. You can have your carrier block this feature, or password protect it (recommended) — however doing this is left entirely up to you. So far as caller ID spoofing — it's essentially legal — and anyone can purchase the means to do it right over the Internet.

There probably won't be any effort to change call forwarding, or caller ID spoofing as it is a lucrative income stream for telecom businesses.

You would think as long as we are in a world-class financial crisis, we might begin to wake up and smell the coffee? Although, we can't blame fraud as the cause of the entire crisis, I often wonder how much of a contributing factor it is. We've made identity theft too easy to do and hard to control. The people who committed this latest form of identity theft probably aren't the sharpest tools in the shed. They are just taking advantage of other people making a lot of money by making too much information available and not protecting it.

If you look in the mirror you might get an idea who suffers from this seeming inability to fix a growing problem. Even if you aren't victimized, we all pay for it in the end — either in an organization's expense line or in the form of a government bail-out.

I'll close with an interesting satire written by Phillip Maddocks, which came out in the Norwich Bulletin entitled, "Credit card fraud gangs say they can fix economy but need government loan." This satire is about the heads of several credit card gangs who are seeking a government handout to keep credit card fraud alive because it is beneficial to the economy.

Although this is a satire — it has a ring of truth to it!

Unfortunately, we allow a lot of dumb things to continue because someone thinks it's beneficial to the economy.

E-Cards with a Dangerous Twist Spotted on the Internet


(Courtesy of Websense)

With the holiday season upon us, spam campaigns of a malicious nature will start springing up bearing yuletide greetings.

Just the other day, Websense sent out an alert that malicious software authors already are using social engineering techniques with a Christmas theme to compromise your home machine. The instance they are reporting uses spam e-mails offering free animated postcards.

Those unfortunate enough to attempt to get free e-cards will download a Trojan. The spam e-mails are spoofed to appear as if they come from postcard.org. The fact that malware (postcard.exe) is being installed on a machine is covered up with an xmas.jpg image.

Quite simply, once installed it allows cyber-scrooges to control your machine and/or steal all the personal and financial information off it. The information is then normally used to steal money.

This type of attack is nothing new and seems to surface every year at this time. The next step in these campaigns is normally more personalized spam e-mails designed to do the same thing (download malware). Please note these e-mails are normally spoofed to appear as if they come from a legitimate e-card retailer.

Last year, American Greetings put up a page on their site to educate people how to spot and avoid falling victim to this type of attack. First and foremost, they recommend that if you are suspicious at all to go to the company site and try to pick up the greeting from there. Most (if not all) of the legitimate sites offer this service. The page on their site contains additional ways to identify "e-card garbage" and is well worth a look if you are unfamiliar with how to spot malware attacks using spam e-mails.

American Greetings put up this page after an attack on their brand. In this attack, some of the e-mails appeared to come from a known (trusted) person. My guess is this happened from an already compromised machine, where a spammer gained access to an address book and sent the e-mails out. Some forms of malware do this without any human interface.

I went to the Postcards.org site and thus far they have no warnings about this that I could find.

While the best thing to do is to avoid clicking on spam e-mail containing malware, the second best thing is to employ solid anti-virus software and a firewall from a reputable vendor like Websense, Sunbelt, or Symantec. Most of these vendors are on top of malware being issued in the wild (on the Internet) and they even share information with each other.

Saturday, November 08, 2008

Telephone Call Offering to Lower Interest Rate is a Scam!

Cheap long distance, the ability to spoof caller ID and the credit crisis are being used to facilitate a scam called vishing. Although telephone (telemarketing) scams are nothing new, the term vishing probably came about because advances in telephone technology are being used to part unsuspecting people from their hard-earned money.

The term vishing was coined from the word phishing. Internet scammers phish the waters of the Internet using spam e-mail as bait. Once a person falls for their "too good to be true" lure -- personal and financial information is stolen using social engineering (trickery) or malicious software designed to data-mine the information right off the infected machine. The personal and financial information is then used to commit financial crimes, which is often referred to as identity theft.

In the past week, I've received several calls where a computerized voice informs me that the offer to lower my interest rate is almost over. It then says to press "1" if I want to lower my interest rate.

I went ahead and pressed the number "1" to see what this "too good to be true" offer was all about. After a few seconds, a female voice came on and asked me if I was interested in lowering my interest rate. I told her I was and she asked me for the 800 number of my financial institution so she could verify my eligibility. Since this is public information, I went ahead and gave her one for an institution I no longer do business with. While I was digging up the number on the Internet, she made a lot of inquiries about how many lines of credit I was behind on. After providing her with the 800 number, she asked me to give her all the credit card numbers that I wanted to lower the interest rate on.

At this point, I had very little doubt I was dealing with a scam designed to steal credit card numbers. At no point did she identify a financial institution -- and besides that -- no financial institution would make a cold call and ask for credit card numbers. Additionally, when was the last time a financial institution offered to lower an interest rate to an existing customer unless they were being bailed out by the government (taxpayer)?

I asked if she felt good about ripping people off and if I could speak to her supervisor. Of course, I was never referred to a supervisor and after cursing at me, she hung up. Trust me, from the vulgar language that was expressed, this call was not being recorded for training purposes!

In the past couple of years, we've seen reports of vishing. In the case I'm writing about, a dialer system is obviously being used. Dialers are used by collection agencies, telemarketing companies, political campaigns and even charities to direct calls to live employees. Basically, dialers screen the calls via computer to make the process more efficient.

Having never priced one, I decided to see what Google had to offer. I found them to be rather inexpensive starting at a mere few hundred dollars. There were also options to use already set-up systems on a cost-per-call basis.

Caller-ID spoofing services can be purchased legally and are used by a lot of legitimate companies to entice us to pick up calls. Because of this, it is probably wise not to put your faith in caller-ID.

Some blame VoIP (Voice over Internet Protocol) technology for vishing. VoIP has made calling long distance cheap.

So far as where the victim lists are obtained, they can be easily purchased. My phone number has been unlisted for over 20 years, but information brokers data-mine information from every source imaginable, including magazine subscriptions. Since these lists are worth money, companies who gather information routinely sell the marketing information they gather on all of us. It also isn't unknown for dishonest employees to sell information directly to criminals. Often this is done right on the Internet in chat rooms, which keeps the transaction fairly anonymous.

Recently, the FBI announced that they stung an Internet forum used to sell stolen information known as Dark Market. At its peak, the group had 2500 registered members and it is estimated that they prevented losses of $70 million (worldwide) by cracking this case.

Even the IRS and Social Security have been impersonated in the past two years in vishing schemes.

InsideCRM magazine recently published an article detailing 50 ways to protect your privacy. This magazine represents the call center industry and has a stake in fighting vishing activity, which gives legitimate e-commerce a black eye. If you (like a lot of us) enjoy the hassle-free environment shopping at home, the article is a great educational resource.

The U.S. government has also set up a highly visual and interactive site to educate people about crimes being enabled by technology. Please note this site is available in Espanol, also.

While both of these sites are designed to cover computer security issues in addition to telecom type scams, we need to remember that a lot of these scams probably started before telephones or computers made them easier to do, as well as more efficient.

Scams rely on human emotion and greed. Knowing this is the best way to prevent yourself from becoming a victim. The "too good to be true" principle coupled with "does the transaction make sense" is the best way to figure out whether an offer is legitimate or NOT!

Tuesday, October 07, 2008

How Using Pirated Software Turns People into Internet Crime Victims

The Business Software Alliance's October report called Online Software Scams: A Threat to Your Security reveals the dangers of buying or downloading pirated software. Sadly, pirated software doesn't always advertise that it is counterfeit and often appears to be the "real thing" to the untrained eye. This poses a clear and present danger to anyone shopping for software, whether it be on an e-commerce site, a peer-to-peer (P2P) site or at a more traditional shopping venue.

The report's introduction points to an actual example of how a misguided employee of the Wagner Resource Group of McLean, Virginia used his office computer to download video and music files using Limewire and exposed the entire corporation to the dark side of the Internet. "In this case, the Wagner employee’s action set off a terrible chain reaction, opening up the firm’s computers to outsiders and exposing the names, dates of birth, and Social Security numbers of about 2,000 of the firm’s clients, including US Supreme Court Justice Stephen Breyer," according to the report.

Although many view downloading a video or music file as a victimless crime, the consequences can become personal when cyber criminals add a little malicious software (often referred to as crimeware) to the mix. Specifically, it can lead to identity (information) theft or turn a user's machine into a zombie, which is controlled remotely and used to commit other misdeeds on the Internet.

It is estimated that one-third of all software is counterfeit. In 2008, a study was conducted that revealed that if software piracy could be reduced by 10 percent in the United States it would generate 32,000 new jobs, 41 billion in economic growth and 7 billion in tax revenues.

A lot of pirated software is sold via downloads. When this occurs, the normal form of payment is a credit or debit card. This means that the person who buys pirated software is providing this information to a criminal, who in turn might use it again or sell it to a third party. Like pirated software, credit/debit card information is sold on the Internet in underground chat rooms.

The report also covers another area where Internet crime is known to flourish: auction sites. In 2005, a study was done on software sold on eBay and roughly 50 percent of the items purchased had malicious/unwanted elements or had been tampered with.

While auction sites have worked with outside industries on preventing theft and abuse, they generally disclaim any responsibility for what occurs on their site. Additionally, there is little to no protection for the consumer buying these products (my opinion).

Because of this, the BSA is calling for auction sites to assume responsibility, step up the warning process on their sites and slow the process down by eliminating the "buy it now" process, which makes monitoring illegal sales nearly impossible.

The software industry isn't the only industry calling out issues with auction sites. In August, two bills were introduced to combat crime on auction sites, which were largely supported by the National Retail Federation. The sale of stolen or counterfeit goods in general has long been an issue on these sites. A good resource to learn about the danger of counterfeit goods in general is the International AntiCounterfeiting Coalition.

The BSA offers a lot of tips for consumers on how to avoid becoming a victim in their recently released report. It also offers a more visual means of learning by offering a video on the subject.

Suspected piracy can also be reported at http://www.bsacybersafety.com/ or by calling 1-888-NO-PIRACY.

Sunday, August 24, 2008

How to buySAFE on the Internet


(Courtesy of buySAFE)

The Center for American Progress and the Center for Democracy and Technology recently released a report concluding that not enough is being done to protect the public from fraud on the Internet. "If problems such as malware, phishing, and spam are left unchecked, many consumers may lose trust and abandon e-commerce," according to the report.

What if a shopper could safely enjoy the convenience, lower prices and choices offered by the world of e-commerce, while avoiding all the fraud lurking on the Internet free?

In 2006, buySAFE entered the e-commerce scene with a unique concept, giving sellers the ability to become bonded and display the buySAFE seal on their site. Once a seller is bonded, the purchase is guaranteed up to $25,000.

The buySAFE guarantee covers virtually any loss that might occur during an online shopping transaction. This includes, but isn't necessarily limited to fraud, phishing and financial misdeeds.

Last month, they grew their concept with the buySAFE Shopping Advisor, which is a free software tool that rates the safety/security of all sites within a search term. The tool also points to sites with the buySAFE seal, which guarantees the transaction.

Shopping Advisor leverages buySAFE’s advanced technology and bonded merchant customer base to provide a fully closed-loop safe shopping experience. "There is nothing else like it in the world as it provides comprehensive safe shopping for consumers from search through purchase and beyond – guaranteed," according to Jeff Grass, buySAFE's CEO.

While buySAFE offers a free service to the e-consumer, they aren't in business to lose money. Some of the due diligence performed on every bonded merchant includes ensuring they have a SSL certificate and a privacy policy describing how they protect personal information. Additionally, bonded sellers are required to allow buySAFE access to inspect their business anytime they choose to do so.

Shopping Advisor provides a tool to analyze e-commerce sites and provides a safe shopping portal, which consists of bonded sellers, only. Once in the safe shopping portal every purchase is guaranteed within the limits of the bond buySAFE provides.

Shopping Advisor uses buySAFE's proprietary website inspection and assessment technology to analyze almost 100 different safety/security attributes of an e-commerce site. It then provides objective ratings on the site when searching with Google, Yahoo and MSN (Firefox is on the way). This allows the shopper to make an informed decision before forking over their hard-earned cash.

Within the Shopping Advisor tool is the Safe Shopping Portal providing alternative product choices from thousands of merchants that are protected with the buySAFE seal. It is within the Safe Shopping Portal that every purchase is guaranteed with a Bond of up to $25,000 and it's protected against identity theft, also.

Essentially, Shopping Advisor shows all the shopping opportunities for the search term listed, rates the sites in question and then gives the consumer the ability to make an informed buying decision. If the buyer chooses to buy a product via the Safe Shopping Portal, it is automatically guaranteed and the transaction is protected against identity theft for 30 days. When the buyer purchases an item from the Safe Shopping Portal, they automatically receive an e-mail with the specifics on the guarantee for their personal records.

buySAFE offers a lot of benefits to sellers, also. The biggest is what ensures any successful business: the trust of its customers. They've also added a cost-per-sale pricing model that has received positive feedback from the merchants using it. If a merchant needs more information on this, I'll refer them to Jeff Grass' blog, or the press release on this matter.

According to most if not all of the reports out there, Internet crime continues to grow and become more sophisticated. Saying that, no matter how sophisticated it becomes the primary motivation to commit cybercrime is money. This rings true from the most simple social engineering scheme to the most sophisticated attacks using crimeware. What buySAFE has done is remove this primary motivator from the mix, or at least made it a lot less attractive to Internet fraudsters, charlatans and tricksters.

Shopping Advisor takes this concept to the next level by providing the consumer with a tool to make an educated shopping decision without falling prey to the pitfalls of a too good to be true come-on. Too good to be true lures are the common theme Internet fraudsters, charlatans and tricksters use to snare their prey. In other words, Shopping Advisor is a tool a consumer can effectively use to practice the principle known as caveat emptor, or buyer beware.

buySAFE is also offering a shopper referral program. They pay $1.00 for every user referred to Shopping Advisor. This is a great fundraiser opportunity for charities, sports leagues, churches or any good cause.

Wednesday, August 13, 2008

BlackHat Experts Predict the Hot Computer Security Topics for 2009

On the opening day of the BlackHat 2008 conference, Symantec did an anonymous survey of the attendees to discover exactly what they thought would be the hot security topics in the upcoming year.

While no one can predict the future, I found some of this fairly interesting.

The sample group consisted of IT managers, security researchers, and executives from several different industries, and of course, the government. The group surveyed could be considered international in nature, also. Experts from North America, Latin America and the Asia Pacific all voiced their opinions regarding what will become the hot security topics in the upcoming year.

Most surveyed seemed to believe that Web 2.0 and virtualization will be exploited frequently in the next year. In the post I read about this, by Zulfikar Ramzan, he mentions that Symantec has invested considerable resources in developing technology to prevent exploits in both these areas. He also mentions that Symantec is developing solutions to the increased dangers of what is known as drive-by pharming. In drive-by attacks, all a user has to do is visit a malicious site to be infected.

Earlier this year, Zulfikar reported on one of the first sightings of drive-by pharming in the wild.

Another ongoing concern, especially with crimeservers being found in the wild with gigabytes of personal and financial information, is the ongoing issue of data theft. Data theft is and will probably be the primary motive for most of the exploits out there. On a personal level, what scares me is the increasing sophistication of the attacks and the ever increasing amount of information compromised.

The respondents in the survey believe that most data will be stolen via insufficient access controls, laptops gone missing, data sent to third parties, and data being wrongfully posted to the Internet, intranet, and extranet.

Another new solution mentioned by the respondents is whitelisting. In simple terms, whitelisting is where a system is protected by only allowing approved sources to integrate with it. If a file or application isn't approved by the whitelist, it simply will not run.

Also mentioned in the Symantec post is what motivates researchers to examine and sometimes even develop malicious technology for research purposes. Some mentioned they need to do it to accomplish their jobs -- while others mentioned personal profit and even fame as their primary motivation. So far as developing malicious technology for research purposes, the post points out the danger that some of this research might accidentally be leaked into the wild.

A recent example of this occurred with DNS Cache Poisoning, which was covered in more detail at the conference by the person who discovered it, Dan Kaminsky. DNS Cache Poisoning allows an Internet bad guy (or gal) to redirect a user to a malicious site without their knowledge. Within days of the information being leaked, instructions (computer code) were put into a hacker tool called Metasploit. Metasploit is a controversial tool used both by researchers to work on exploits and by hackers to launch attacks.

The DNS Cache Poisoning exploit was made public prematurely. Kaminsky and a whole crew of experts had secretly been working on solutions to protect systems from the exploit before it was leaked. On Monday, the Register reported that large areas of the Internet remain at risk.

So far as platforms that are of the most concern, the respondents listed XP over Vista, which is a turnaround from last year, when the concerns were exactly the opposite. One speculation cited for this was the industry being slow to adopt the Vista platform.

With DNS Cache Poisoning and gigabytes of personal information being found floating around the Internet, there is little doubt 2009 is going to be an interesting and challenging year for the BlackHat attendees. In my humble opinion, it all boils down to the fact that information is worth a lot of money, and criminals and businesses alike see it as a cash cow.

Maybe in 2009, we will take a look at what enables the problem in the first place? Until we do, I fear the problem will only continue to grow.

Wednesday, August 06, 2008

Largest Identity Theft Ring in History Indicted

Yesterday, the U.S. Department of Justice announced that eleven perpetrators behind the largest known identity theft ring in history have been charged with conspiracy, computer intrusion and identity theft.

Allegedly, the group is responsible for stealing and selling more than 40 million credit and debit card numbers. The credit and debit card numbers were intercepted electronically at nine retailers, who transmitted their unprotected financial information using wireless networks. Once they hacked into the wireless networks, the group would install packet sniffers to capture card numbers and PIN numbers.

TJX, who was severely criticized for their breach of approximately 8.5 million records, wasn't the only retailer being compromised. BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW were being compromised, also. The restaurant chain Dave and Busters was also compromised by having packet sniffers installed on their point of sale terminals by the group.

Merchants have been under fire for not meeting PCI data security standards, which were developed by the payment card industry to protect systems against compromises. The National Retail Federation has fired back at the payment card industry for forcing merchants to store sensitive information, which can easily be stolen. In a recent data breach involving the theft of 4.2 million card numbers, Hannaford Brothers had been certified as being PCI compliant, which led a lot of people to speculate that PCI data security standards might be outdated, themselves.

Packet sniffers are used to monitor information in a network and can be used to gather a lot of sensitive information. Detecting a packet sniffer on a wireless network is known to be extremely difficult. A practice known as "wardriving" is when people drive around and try to pick up wireless signals from unprotected networks. Software to assist people who do this is freely available on the Internet. Computer security experts highly recommend making wireless networks secure, including those of the home variety, by password protecting them.

After the information was stolen it was stored on encrypted computer servers in Eastern Europe and the United States. Some of the stolen data was sold to other information criminals via the Internet. The group also counterfeited their own cards and used them to steal money from ATMs.

Recently, Finjan, a computer security company, announced finding servers with a lot of stolen information on the Internet. At least one of the crimeservers found by Finjan wasn't even password protected. Finjan reported finding these crimeservers using simple Google searches.

The money was laundered using Internet-based currencies and by moving funds through banks in Eastern Europe.

Three executives at E-Gold, which is an Internet-based currency, recently pleaded guilty to allowing criminal activity of this nature (money laundering) using their service.

The criminal activity started in 2003 and went right up to the present time. Albert "Segvec" Gonzalez, of Miami, one of the main players in the group, was previously arrested for similar activity in 2003. During the current investigation, the Secret Service discovered Gonzalez was working as a government informant and involved in the criminal activity at the same time.

Also charged in the indictments yesterday were Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia. Hung-Ming Chiu and Zhi Zhi Wang, of the People's Republic of China, were also charged. Sergey Pavlovich, of Belarus, and Ukrainians Dzmitry Burak and Sergey Storchak were also named in the indictment. Two U.S. citizens, Christopher Scott and Damon Patrick Toey, finished up the long list of names from all over the world involved in this organized criminal enterprise.

The range of the activity took place in numerous countries, including the United States, Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines and Thailand.

These indictments are the result of a three-year investigation conducted by the Secret Service. As the case progresses, it is being reported that they will be working closely with the IRS, on the money laundering aspect of the case.

Sunday, July 27, 2008

Fraud, Greed and Special Interests in the Mortgage Crisis Cost Everybody


(Actual photo of an allegedly remodeled condo courtesy of the FBI)

If you think the factors that enabled the mortgage crisis have been fixed, think again.

An example of this might be the Tennessee minister (Reverend Steve Young) -- awaiting sentencing after pleading guilty to mail and wire fraud to commit mortgage fraud -- who was recently rearrested to protect the general public. While out on bond, Reverend Young was using the identities of members of his parish to obtain more fraudulent mortgages, according to an article I came across in commercialappeal.com.

Apparently, members of his parish turned Reverend Young in after discovering the mortgages when reviewing their credit reports. Of course, it is considered wise to review your credit report on a regular basis after already being exposed to identity theft.

With the current mortgage crisis going on, the story of Reverend Young is just one of many examples of fraud, greed and corporate bailouts in the mortgage crisis. In April, the FBI released the 2007 Mortgage Fraud Report. The report refers to this type of fraud as a low risk, high yield enterprise. Maybe we wouldn't see so much mortgage fraud if it weren't so low risk and extremely profitable?

According to the report, the victims of mortgage fraud are many. They include the people living in the neighborhoods where the fraud occurred, borrowers, and the mortgage industry, itself. For instance, when properties are sold at artificially inflated prices, property taxes increase. After the bubble bursts and the fraud becomes apparent, sellers have a difficult time selling their homes because they owe more than what the house is worth. This leads to foreclosures and can cause neighborhoods to deteriorate, which tends to lower all the property values in the area.

With the release of the 2007 report, the FBI announced Operation Malicious Mortgage, which to date has netted an impressive number of arrests. The latest in this ongoing operation are rumors that the FBI is investigating a major lender, IndyMac, for mortgage fraud. Despite the arrests, a lot of people are still suffering after getting caught up in one of the schemes that contributed to where we are today.

One of the better publications covering mortgage fraud is the Mortgage Fraud Blog. It has up-to-date information on Operation Malicious Mortgage and on the subject in general.

One might think now that we are well on our way into the mortgage crisis, fraud related to mortgages would be going down. Sadly, this isn't the case and the story of a minister released on bond after being convicted for mortgage fraud -- then rearrested for the same thing bears out this contention.

Another, even sadder twist is the desperate homeowners being taken in by scammers promising to rescue them from their current situation. Besides greed, fear is an often-used method to snare victims in fraudulent schemes. In May, the Comptroller of the Currency Administrator of National Banks (Treasury Department) issued a warning on this subject. Some of the scams include what are known as lease-back or repurchase scams, refinance fraud and bankruptcy schemes. Quite often, these schemes are nothing more than a means to steal whatever equity the person being foreclosed on has in the property, leaving them with nothing.

Bringing the mortgage crisis down to a more human level is the HousingPANIC blog. The blog is a wealth of information from the consumer point of view and keeps track of high-profile types recently arrested for mortgage fraud.

Thus far, in what has been termed the mortgage crisis, we've seen the banking industry get bailed out (at taxpayer's expense), a lot of people getting arrested, but so far very little help for the people getting foreclosed.

I've seen this being rationalized as it's their own fault because they knew they were getting in over their heads. While this is true -- especially in the case of the big players in the mess -- many of the smaller players were being wooed, coerced and simply taken advantage of. To me at least, this bears consideration.

Finally, it appears that some help for the little people losing their shirts is on the way and the Senate finally got it together and passed a bill. The bill is expected to be signed by President Bush with "reservations." In reality this bill (H.R. 3221) extends a lifeline to Freddie Mac and Fannie Mae by allowing people being foreclosed on to convert to government loans. Freddie Mac and Fannie Mae have about $5 trillion in mortgages, which accounts for about half the outstanding loans in the United States.

Interestingly enough, it is being reported by the AP, that Senator Jim DeMint, R-South Carolina was banned by the Democratic leadership from calling for a vote to stop the companies benefiting from this from making political donations or lobbying for this bill. Apparently, although facing bankruptcy, these companies have enough money to spend on lobbyists and political contributions? In fact, Freddie Mac and Fannie Mae spent about $3.5 million in the first quarter of this year on lobbyists.

While I'm glad about half of the little people are finally getting some help, I have to question at what cost? The sad truth is that we (taxpayers) will pay for this and as usual, special interests and not the interests of the public seem to have too much influence in the decision process.

Another question yet to be answered is what happened to all the money these large corporations made during the housing boom? It appears the profits I'm referring to are made private, while the costs incurred from deceptive business dealings become public? To me, this is another example of how special interests can spin political outcomes in their own favor.

Of course, the even sadder truth is that the economy can't suffer too many more large employers posting large losses or going under. When this happens a lot of the little people working for them become unemployment statistics. This is probably the sad reality of the situation. There is little doubt, we need to fix the problem, but are we going about it in the most just manner?

I've often wondered how much better off we would all be if special interests (lobbyists) were banned, altogether? Given all the polls -- clearly showing a lack of confidence in our leaders -- watching special interests consistently receive preferential treatment is probably one of the reasons why. Perhaps, we would have more confidence in them, if we felt they were representing us in consideration for all the taxes we are being asked to pay.

Saturday, July 26, 2008

DNS Cache Poisoning Opens Doors for Internet Criminals

The electronic universe seems to get more dangerous all the time. A new systems vulnerability called DNS Cache Poisoning might allow an Internet bad guy (or gal) to redirect you to a malicious site without your knowledge. In the majority of instances, malicious sites are designed to steal personal and financial information.

DNS Cache Poisoning exploits a flaw in what is referred to as the domain name system (DNS), which changes domain names like "Walmart.com" into numeric code. In layman's terms, this makes it easier for networking hardware to route search requests. When exploited by hackers, the flaw could allow them to redirect Internet users to malicious sites.

Security researcher Dan Kaminsky -- who discovered the flaw several months ago -- reported it to the authorities and had been working in secret with the major security vendors on a fix. The plan was to coordinate a response before criminals discovered the flaw and started exploiting it. In March, experts from all over the world met at the Microsoft campus to put this plan into motion. On July 8th, patches were shipped from the major security vendors to protect systems against the flaw.

They were hoping this would give everyone 30 days to patch their systems, but it didn't work out the way it was supposed to.

On Wednesday, instructions on how to use this flaw were posted on the Internet. Subsequently, these "instructions" (computer code) were put into a hacker tool called Metasploit, which makes them easy to use by criminals who are not very technically inclined.

Easy to use tools, sometimes referred to as DIY (do-it-yourself) kits, have been blamed for the ever increasing crime levels we see on the Internet today. They are sold fairly openly and sometimes even come with technical support.

Metasploit is an open source computer project used to research exploits and vulnerabilities. While considered a useful tool by researchers, it can also be used by criminals to exploit vulnerabilities within systems.

Dan Kaminsky did an interesting blog post explaining this in detail that contains a DNS Checker to see if your internet service provider (ISP) has patched the flaw. I highly recommend everyone test their system using this tool!
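What a resolver check of this kind can measure, as an added example (not from the original post and not Kaminsky's tool): the July 8th patches made resolvers send each query from a random UDP source port, so someone who runs an authoritative name server can rate a resolver by the ports its queries arrive from. The BIND-style log format, the addresses, the port lists and the thresholds below are all constructed assumptions.

```python
import re
from statistics import pstdev

# Constructed observations: resolver address -> UDP source ports of its
# queries, in arrival order. Addresses are from a documentation range.
CONSTRUCTED_PORTS = {
    "192.0.2.10": [32768] * 8,
    "192.0.2.20": [1024, 1025, 1026, 1028, 1029, 1030, 1031, 1033],
    "192.0.2.30": [50010, 50150, 50033, 50190, 50077, 50120, 50005, 50166],
    "192.0.2.40": [49213, 2817, 60544, 17650, 33991, 9120, 55007, 41388],
}

# Constructed BIND-style query-log lines, as they might appear on an
# authoritative server that the tester controls.
SAMPLE_LOG = [
    f"client {ip}#{port}: query: probe{i}.test.example IN A"
    for ip, ports in CONSTRUCTED_PORTS.items()
    for i, port in enumerate(ports)
]

# "client <address>#<source port>", with an optional "@0x..." token that
# newer BIND versions print before the address.
LOG_RE = re.compile(r"client (?:@\S+ )?([0-9A-Fa-f.:]+)#(\d+)")


def ports_by_resolver(lines):
    """Group observed source ports by resolver address, keeping order."""
    seen = {}
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            seen.setdefault(match.group(1), []).append(int(match.group(2)))
    return seen


def rate_source_ports(ports, min_samples=5, max_step=16, min_stdev=3000.0):
    """Rate how predictable a resolver's query source ports are.

    A forged answer is only accepted if it matches the query's 16-bit
    transaction ID and arrives on the port the query was sent from, so a
    predictable port leaves the transaction ID as the only unknown.
    The thresholds are assumptions chosen for this example.
    """
    if len(ports) < min_samples:
        return "INSUFFICIENT DATA"
    if len(set(ports)) == 1:
        return "FIXED"          # one port for every query: unpatched behaviour
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(1 <= step <= max_step for step in steps):
        return "SEQUENTIAL"     # counting upwards, e.g. ports rewritten by a NAT
    # Ports spread evenly over the full 16-bit range have a standard
    # deviation of roughly 18,900; a small value means a narrow window.
    if pstdev(ports) < min_stdev:
        return "NARROW"
    return "RANDOMIZED"


def audit(lines):
    """Return {resolver address: rating} for every resolver in the log."""
    return {ip: rate_source_ports(p) for ip, p in ports_by_resolver(lines).items()}


if __name__ == "__main__":
    for resolver, rating in audit(SAMPLE_LOG).items():
        print(f"{resolver:<12} {rating}")
```

Only the "RANDOMIZED" rating corresponds to a patched resolver; the other three mean the resolver, or a device in front of it, still needs attention.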

Thanks to this information being released on the Internet before everyone could get their systems fixed, the first attacks using this flaw are being seen in the wild (on the Internet). Yesterday, James Kosin announced on his blog that the attacks are starting and it's time to patch or upgrade now. Websense also announced the same thing with a security alert.

Impromptu research by Kaminsky reveals that as of yesterday just over 50 percent of the unique name servers are vulnerable to this attack. On July 9th, roughly 85 percent of the unique name servers were vulnerable. Undoubtedly, there are a lot of computer security types working this weekend.

Individual users who have their systems set for automatic updates will probably receive the patch as soon as it's released by their provider. Please note that older systems might still be vulnerable until they are updated.

Robert Vamosi at CNet has aptly pointed out that home users might need to patch, also. Handy links to do so are included in the article he wrote on this.

I guess the best thing for us "little people" to do is to make sure our systems are updated. I would recommend doing it manually if you aren't set up for automatic updates.

Further details of this will be covered by Kaminsky at the upcoming Black Hat Conference scheduled on August 6th.

Sunday, July 13, 2008

UC Irvine Staff Nails ID Thief in Texas

A former UnitedHealthCare worker, who stole the personal and financial information of at least 1100 University of California, Irvine students, has been arrested in Dallas, Texas.

Michael Tyrone Thomas, of Fort Worth, was arrested at his home and is being held on $300,000 bail. The authorities are alleging Thomas stole the information while working at UnitedHealthCare in December 2007. They are also charging that Thomas used the information to fill out fraudulent tax returns using 163 identities stolen in the caper.

According to the Houston Chronicle, a spokesman for UnitedHealthCare didn't return their call concerning the arrest on Friday. I went to the UnitedHealthCare site and found nothing mentioned about this case as of this writing.

It appears that the investigation was initiated by the UC Irvine Police after students started complaining about identity theft in March. Specifically, they complained about someone using their information to fill out bogus tax returns. University computer experts took a look at their systems and found no signs of a breach. Subsequently, University Police investigating the case discovered all the students were enrolled in an insurance program administered by UnitedHealthCare.

A press release on the UC Irvine site gave credit to UCI Police Sergeants Tony Frisbee, Shaun Devlin and Corporal Caroline Altamirano for working closely on the case with the Dallas District Attorney's Office. The release indicates that they expect additional arrests and that the IRS will be investigating the tax fraud implications in the case.

Recently, the National Taxpayer Advocate issued a report to Congress indicating that tax fraud involving the use of stolen identities has grown 644 percent in the past four years. In a lot of these cases, forged W-2s are used to claim an earned income credit, which can net the fraudster thousands of dollars per return.

In my post on this story, I mentioned that the IRS has a dedicated page to assist identity theft victims when their information has been used to commit tax fraud. The Houston Chronicle article mentioned that UnitedHealthCare will be offering free credit monitoring and that UCI will be offering loans to the affected students. It also mentioned that UCI Police Chief Paul Henisey doesn't think the rest of the names were used because the reports of identity theft dropped off in late June.

Free credit monitoring seems to be the standard offer to victims when a data breach is disclosed, but it doesn't necessarily reveal all forms of identity theft. Credit bureaus do not track what information is being used to file a tax return, so credit monitoring would be worthless in the already known cases. Other examples where credit monitoring might not be the end-all solution to identity theft protection are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when a stolen identity is used to commit crimes other than those of a financial nature.

If I were one of the affected UC Irvine students, I wouldn't turn down the free credit monitoring (it does help in a lot of instances), but I would also visit the Identity Theft Resource Center's Financial Identity Theft - More Complex Cases page to educate myself a little further.

So far as Chief Henisey's prediction that this case is over -- I certainly hope it is -- but it wouldn't be prudent for everyone to let their guard down just yet. Information is bought and sold in a lot of places (including over the Internet) for the purpose of identity theft. There is no way of telling whether or not any of this information was passed to someone else for a profit.

That said, it's refreshing to see the culprit caught in this case, and the UC Irvine Police Department (along with other University staff) did an excellent job in their investigation. It isn't very often that one of these cases is traced to the person behind it.

Wednesday, July 09, 2008

Stolen Identities Used to File Tax Returns Grows 644 percent

The latest news in the identity theft arena is a statistic showing that IRS-related identity theft has grown 644 percent in the past four years.

Nina Olson, the National Taxpayer Advocate, warned Congress in a report that identity theft is becoming one of the biggest issues facing taxpayers today. The two main reasons cited were identities stolen to file fraudulent refunds and to obtain employment.

As more pressure is being placed on employers to ensure their employees have a social security number that matches a name, more illegal immigrants are using an identity that matches the social security number on their employment records. No-match legislation, which was introduced by the Department of Homeland Security, has been held up in a Federal Court, but some states are taking matters into their own hands. I also read an interesting article in the Twin Cities Daily Planet indicating that these letters are already causing action to be taken at some employers.

Prior to no-match legislation, anyone could simply make up a social security number and it would pass muster for employment reasons.

No matter what side of the fence someone is on from a political perspective, these no-match letters are likely to increase the amount of identity theft we are seeing in regards to tax returns. With all the stolen personal information and counterfeit documents being sold by organized criminals -- it probably isn't going to be hard to use someone else's identity for employment reasons. Stolen identities are available in a lot of places (including the Internet) and counterfeit documents are hawked on street corners across the country.

Another thing I've written about is the increasing amount of fraud being seen using the earned income credit to get a quick refund using someone else's information. The Earned Income Credit -- which is designed as a windfall of several thousand dollars for lower income people -- is easily manipulated by individuals and on a larger scale, by dishonest tax preparers to scam the IRS.

Last year, a large Jackson Hewitt franchisee was charged by the Justice Department for (allegedly) encouraging this type of fraud. Dishonest tax preparers often recruit low income people to use a forged W-2 (forms are easily available in office supply stores) and get a quick refund of thousands of dollars. In other cases, this is also done using stolen identities, causing the legitimate person a lot of heartache when they go to file their return. Ironically, in years past, there have even been reports of this type of fraud being committed by prisoners who weren't being monitored very well!

Easily available W-2 blanks and the seeming inability of the IRS to verify payroll information are two of the enabling factors of this type of fraud.

The recent report indicates that the IRS will start using a computer program to identify potential identity theft cases next year. It is also considering establishing an office to assist identity theft victims.

Olson also plans to carefully monitor the use of private debt collectors by the IRS. The reasons cited are a lack of transparency on the procedures used by these agencies and the potential for people's rights to be violated by them.

Stories of identity theft victims being harassed by collections agencies for debts they were not responsible for are well documented and have caused innocent people a lot of pain and suffering.

Another thing to consider is that since this type of identity theft normally doesn't show up at the credit bureaus very quickly, we probably have a lot of people purchasing identity theft protection that will not necessarily detect the fact that they have become a victim. The Identity Theft Resource Center has information on how to check if your social security number is being used and what to do about it. The IRS also has a page on their site on how to deal with this issue.

The IRS also offers more information on their site about the Taxpayer Advocate Service and how they can assist the average person.

All in all, I consider this report timely and an issue that needs to be taken seriously given an already exploding statistic and the potential for this phenomenon to grow.