Stop Identity Theft Crime

Wednesday, July 29, 2009

FTC Grants Another 3 Month Reprieve for Red Flags Rule Enforcement

FTC Announces Expanded Business Education Campaign on 'Red Flags' Rule

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. (emphasis added)

The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA’s definition of “creditor” includes any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

The FTC’s Red Flags Web site, www.ftc.gov/redflagsrule, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.

Although many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.

The three-month extension, coupled with this new guidance, should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it. These steps are consistent with the House Appropriations Committee’s recent request that the Commission defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems. Today’s announcement that the Commission will delay enforcement of the Rule until November 1, 2009, does not affect other federal agencies’ enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

MEDIA CONTACT:: Office of Public Affairs
202-326-2180

(Red Flags July 09)

Business owners can also take a needs assessment free at www.RedFlagsRulePolicy.com

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Tuesday, July 28, 2009

ID Theft Ring Allegedly Bribed California DMV Employees

ID Theft Ring Allegedly Bribed DMV Employees

Counter-terrorism investigators busted an alleged identity theft ring whose members are suspected of bribing Department of Motor Vehicles employees in Inglewood and several states to provide fake documents.

Los Angeles police, the FBI, DMV and District Attorney's Office teamed up to track a Pakistani woman and 13 alleged accomplices, the Los Angeles Times reported on its Web site.

Shamsha Laiwalla, 44, who recently pleaded guilty to federal charges of identity theft stemming from the investigation, paid DMV workers to provide driver's licenses and other documents, Los Angeles police and federal officials told The Times.

For $3,500, she offered to provide a driver's license, birth certificate and Social Security card to an undercover agent pretending to be a Pakistani who sneaked into the United States, The Times reported.

The names of least some of her alleged clients have turned up in ongoing federal investigations into national security issues, LAPD Deputy Chief Michael Downing told the newspaper.

...in 2007, one of her contacts changed DMV records for members of a criminal organization that dealt drugs and sold counterfeit goods in Los Angeles' garment district...

Authorities suspect that money from the group went to Hezbollah, the Iran-backed militant Shiite Muslim group in Lebanon.

...."We have no idea how many thousands of people might be out there with these documents," LAPD Detective Mark Severino told the newspaper. "If we're talking about counter-terrorism issues, that's a scary thought." (Full text at www.nbclosangeles.com)

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Monday, July 20, 2009

Lexis-Nexis Breach Linked to Crime Family

Well, I'm back from a short vacation of taking my son and friends to Lake Havasu and 120 degree weather. Obviously, while I was away - the id theft cats still played.

Lexis-Nexis Breach Linked to Crime Family
Analyst: 'Days of Amateurs Committing Breaches are Well Behind Us'
July 17, 2009 - Linda McGlasson, Managing Editor

Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family. The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft.
Earlier in May, the U.S. Attorney General's office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy. The 11 had ties to the Bonnano organized crime family.
.....The alleged suspect, Lee Klein, one of the 11 charged in the indictment, "was an employee of a former Seisint customer who misused his employer's Accurint access. As such, we notified all individuals whose information could have been viewed in connection with the limited searches that law enforcement believed were unauthorized. We provided notice in accordance with the law because the customer was no longer in business," the Lexis-Nexis representative says.

Accurint is used by law enforcement and other entities to verify identity and locate people. Lexis-Nexis says 13,329 letters were sent to individuals on behalf of Seisint's former customer in connection with this investigation. ....

How it Happened
According to the indictment, Klein worked for the criminal "crew" of Thomas Fiore, an associate of the Bonanno organized crime family.
The indictment alleges that Klein illegally used "information obtained from computer databases in order to acquire identification information regarding potential victims of extortion" and people suspected by Fiore's criminal organization of being involved with law enforcement.
Klein allegedly provided Fiore with "corporation names, addresses and account numbers to facilitate the manufacture and negotiation of counterfeit checks."
In addition, the indictment alleges that members of the criminal crew used threats of force and violence, including conspiracy to commit murder, to advance the objectives of the enterprise.
...The Bonanno crime family was making money from the sale of unauthorized identification documents (including social security numbers and health and life insurance applications). "If the mafia considers that selling sensitive information is a legitimate line of business, then clearly the days of just amateurs committing breaches are well behind us," Holland observes. (Full text at www.bankinfosecurity.com)

I used to use Lexis-Nexis while in law enforcement to track down criminals on the run. I was impressed when I used their system to run my own name and it generated about a 12 page report including all my neighbors (from 3 previous addresses) and their contact information as well.

Ya gotta love technology!

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Friday, July 10, 2009

Legal Eagles Don't Want Red Flags Waving in Their Faces

Statement of H. Thomas Wells, Jr., President, American Bar Association
Re: Fair and Accurate Credit Transaction Act 'Red Flags' Rule

CHICAGO, June 22, 2009 - The American Bar Association urges Congress and the Federal Trade Commission to exempt lawyers from the Red Flags Rule that imposes requirements on creditors to detect the warning signs of identity theft in their day-to-day operations. The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent. However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law. Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.

Congress intended the FACT Act to apply to financial institutions and other businesses that extend credit, not to lawyers who merely bill for services after they are performed. Regardless of the specifics of billing arrangements used in client-lawyer relationships, lawyers cannot ethically charge for legal services until they are rendered.

Lawyers’ fees already have been determined not to be credit transactions by the Second Circuit Court of Appeals. Further, the D.C. Court of Appeals has held “that the regulation of the practice of law is traditionally the province of the states” and that federal law “may not be interpreted to reach into areas of State sovereignty unless the language of the federal law compels the intrusion.” Nowhere in the FACT Act did Congress even imply that it intended to regulate lawyers with respect to their client relationships, and lawyers should not be considered creditors simply because they bill for legal services only after those services are rendered.

Treating lawyers as creditors under the FACT Act would impose an undue burden on law firms, especially solo practitioners, and would accomplish very little. The type of identity theft addressed by the Rule would be present only if an individual pretended to be someone else; a person would have to assume not only another person’s identity, but his or her legal needs as well. Compliance with the Act would complicate client arrangements and require a major commitment of lawyers’ time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible.

The American Bar Association applauds the federal government’s efforts to protect American consumers from the devastation of identity theft, but strongly urges the FTC to direct its efforts at the problems Congress intended to address. The ABA will work with Congress and the Federal Trade Commission to ensure that, when the final Red Flags Rule goes into effect, the Rule will not apply to lawyers engaged in the practice of providing legal services to clients.

Wednesday, July 8, 2009

Athletes Not Exempt From Id Theft

Vontae Davis identity theft incident is another reminder for athletes By CARLOS FRIAS
Palm Beach Post Staff Writer
Saturday, June 27, 2009

Marlins infielder Wes Helms didn't have to hear about Dolphins rookie Vontae Davis being victimized by identity theft to know the hassle it can mean.
Helms learned that lesson years ago after seeing the stress it caused outfielder Geoff Jenkins, his former teammate with the Milwaukee Brewers. Someone apparently used Jenkins' information to open several credit cards and racked up "a good bit" of debt.
It took Jenkins more than a year to clear up his credit and deal with banks that had been defrauded in his name.

"He'd come in every day and be on the phone with somebody about it," Helms recalled. "As an athlete, you already have enough stress on you. You don't need something else pressing on your mind."

Helms then hired a service - they cost as little as $10 a month - to monitor his and his family's credit and bank accounts.

"We've got our guard up," Helms said.

Davis is learning that lesson, too. Apparently, a man stopped for traffic infractions June 9 in Champaign, Ill., showed police Davis' driver license and drove off a free man. Davis' wallet was stolen several months ago while he was a student at the University of Illinois.

Last week, national media reports identified the Dolphins' cornerback as the man cited.

Davis' grandmother, Adaline, got this forwarded text from his brother, Vernon, a tight end with San Francisco: "Your brother got arrested in Illinois."

Vontae, who was practicing with the Dolphins in Davie on June 9, was joking when he sent the text. But his grandmother didn't know what to think.

"It was like the blood rushed to my head," Adaline remembered. "I was thinking he got mixed up with some boys and got arrested."

Identity theft and fraud affected nearly 10 million Americans last year at a cost of more than $48 billion, according to Javelin Strategy & Research. Athletes can be particularly vulnerable because details about them - dates of birth and family members' names, for example - are available in press guides and on the Web. (Full text at www.palmbeachpost.com)

Tuesday, July 7, 2009

Playing Catch-Up!

Wow! I can't believe it's been over 2 weeks since I have had the time to post an article. I've been busy assisting clients due to the FTC's Red Flags Rule and been out of town in more training. Anyway, here are a few things that happened in the last few weeks.

TJX settles over breach with 41 states for $9.75 million
In a move to close the door on the largest reported retail data breach in history, TJX announced Tuesday that it has settled with 41 states who were probing the discount merchant's data security practices.

TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.

Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations. In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for a number of data security initiatives, including researching the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs. (Full story at scmagazineus.com)

Customs and Border Protection agents have discovered more than 500 cases of potential identity theft since January of this year, authorities said.According to a CBP news release, officers encounter "numerous cases of identity theft on a daily basis," usually through stolen or fabricated documents."Because our officers are in a position to uncover attempts at entering the U.S. by utilizing someone else's identity, we take the responsibility seriously and work with the U.S. attorney's office to seek prosecution on all cases we encounter," said Director of Field Operations David Higgerson.

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Tuesday, June 23, 2009

California District Court Rules Against Lifelock

Last month, the District Court in California granted Experian’s motion for partial summary judgment on its claim for unfair competition against Lifelock. However, Lifelock has filed a motion to reconsider in California’s U.S. District Court in the case of Experian v. LifeLock

In this case, Experian seeks to block Lifelock from placing fraud alerts for consumers.

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Saturday, June 20, 2009

Betsy Broder of the FTC Presents Testimony Regarding ID Theft

On June 17, Betsy Broder, Assistant Director of the Division of Privacy and Identity Protection at the the Federal Trade Commission (FTC) presented testimony regarding identity theft before the U.S. House Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform. The testimony summarized the FTC's efforts to fight identity theft through:

► Participation on the President's Identity Theft Task Force;

► Law enforcement on data security;

► Consumer and business education; and

► Implementation of the identity theft-related provisions of the Fair and Accurate Credit Transactions Act (FACT Act).

The testimony also discussed the FTC's legislative recommendations on developing national data security standards, granting the FTC authority to seek civil penalties in data security cases, and passing legislation to help reduce the unnecessary use and display of social security numbers.

To read the whole testimony click here.

Friday, June 19, 2009

New Indiana Law Creates ID Theft Unit in AG's Office

A new law enacted by the Indiana General Assembly to protect consumers will take effect on July 1.

The first, Public Law 137, is the state’s latest weapon in the war against identity theft. Authored by State Rep. Linda Lawson, D-Hammond, the legislation creates a unit within the Attorney General’s Office to investigate and prosecute ID theft and to assist victims.

“As Hoosiers increase their reliance on electronic forms of payment, the risk of identity theft will continue to grow,” Lawson said in a statement released on Wednesday by the media office of the Democratic Caucus. “By giving the Attorney General’s Office additional powers to stop identity theft, we can greatly reduce the instances of these crimes and save innumerable Hoosiers from financial ruin.”

Other provisions of the law:

To stop sloppy business practices which increase the risk of ID theft, the law requires database operators to report security breaches to the Attorney General and forces businesses which handle personal information to implement reasonable security procedures.
The law requires businesses to make reasonable efforts to verify the identity of an applicant before extending a line of credit and bars businesses from denying credit to an applicant because he is a past victim of identity theft.

“Identity theft was the top consumer complaint made to the Federal Trade Commission in 2008,” the statement said. “Studies show that there were approximately 9.9 million ID theft victims in the U.S. that year. Of that number, 328 complaints were made directly to the Indiana Attorney General’s Office.”

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Friday, June 12, 2009

Six federal agencies issued a set of FAQ's on Identity Theft Rules

Six federal agencies issued a set of frequently asked questions (FAQs) today to help financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards comply with federal regulations on identity theft and discrepancies in changes of address.

The "Red Flags and Address Discrepancy Rules," which implement sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), were issued jointly on November 9, 2007, by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC).

The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.

The agencies' staff have jointly developed answers to these FAQs to provide guidance on numerous aspects of the rules, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy.

Download the complete FAQ document here.

Monday, June 8, 2009

What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report

What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report
June 2, 2009 - Tom Field, Editorial Director

Verizon Business investigated 90 major data breaches in 2008, including 285 million compromised records. Nearly ¾ of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications.

These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses:

The survey results;

What these results mean to financial institutions and government entities;

Which threats to watch out for most in the coming months.

Tippett is the chief scientist of the security product testing and certification organization, ICSA Labs, an independent division of Verizon Business. An information security pioneer, Tippett has led the computer security industry for more than 20 years, initially as a vendor of security products, and over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product that later became Norton AntiVirus.

....FIELD: Give us some highlights about this report that you have done.

TIPPETT: Well the report is different from most things we read in security because this is the actual data from our investigations of over 600 cases of computer crime that were the worst in the world; 90% of whatever made it to the major media were cases that we investigated; a third of all cases that have ever been published were cases that we investigated.

The quick, short story for the bank and financial industries this year is they have had an increase in organized crime and they were entirely focused at the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a non-sensitive, non-critical device where the password was password, or where it wasn't patched two years ago, or where it was a little SQL injection attack....

...FIELD: Now one of the interesting things I have heard secondhand about this report is that you talk about where a lot of these attacks are coming from and we've got people putting a lot of energy, particularly in financial services, on the insider threat. I am told that what you find sort of dispels some of that myth.

TIPPETT: Yeah. We all learned that 80% of all giant attacks are insider. But it turns out that 75% of our data is outsider and 30% or 40% are partner-type outsiders. Only 20% have anything to do with insiders and half of those were duped by the outsider, so only in the vicinity of 10% are true insider attacks, so it is not a very common mechanism. And again, this is of the bigger attacks... (Full interview at bankinfosecurity.com)

Tuesday, June 2, 2009

FTC Red Flags Rule Update

If you are unfamiliar with the Federal Trade Commission's Red Flags Rule then download a copy at www.ftc.gov/redflagsrule. Basically, if you are a creditor or have "covered accounts" then you must comply with the Rule.

Doctors, Dentists, and Veterinarians must all comply as they have lost their battle with the FTC, at least as of this date.

The best way to become compliant is by using IdBusiness and their online Red Flags Compliance module. It not only will assist you in creating your policy but trains your employees, and notifies your vendors as well.

Business owners may also want to download the following book "Protecting Personal Information - A Guide for Business" at www.ftc.gov/infosecurity

If you find that you do not need a Red Flags Policy, then I can assist you with setting up a Non-Public Information (NPI) policy at no direct cost to your company. Although, certain restrictions apply so give me a call.

If you need a Red Flags Policy, then click here for assistance.

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Monday, June 1, 2009

Classic Fraud: 6 Scams That Don't Go Away

Classic Fraud: 6 Scams That Don't Go Away
From Check Fraud to Phishing, All the Old Tricks are Back with a Vengeance
June 1, 2009 - Linda McGlasson, Managing Editor

Bank fraud has evolved over the last several years (See: Fraud Update: The 13 Hottest Schemes You Need to Prevent), but some classic variations keep financial institutions busy.
Here are six old fraud tricks that are back with new twists to bedevil fraud departments and information security professionals.
#1. Check Fraud
Last week, New York indicted 18 people in a massive check counterfeiting ring that cashed more than $1 million worth of checks at major New York City banks. This case causes even the best fraud departments in financial institutions to check their own programs and safeguards.
Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, according to the latest biennial survey conducted by the American Bankers Association (ABA). Bank prevention systems caught 92 percent or $11.2 billion of check fraud attempts.
Actual bank losses totaled $969 million, compared with $677 million from the previous survey in 2004. ...
#2. Elderly and Immigrant Identity Fraud
Financial institutions' mortgage and loan officers need to pay attention to this kind of fraud. While not new, elderly and immigrant fraud is regaining popularity, especially in the age of identity theft. In this predatory practice, Jennifer Butts, Director of Operations at the Mortgage Asset Research Institute, explains that elderly and non English-speaking consumers are taken advantage of by fraudsters who steal their identities and use them in straw-buying or other property transactions.....
#3. ATM Fraud/Skimming

This type of fraud made it into President Barack Obama's speech announcing his cybersecurity initiative, when he said "thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes." The big question is: Can it happen at your institution? The answer is seen in the numbers from a Pulse EFT study (Pulse is one of the leading ATM/debit networks in the U.S.) -- the banking industry lost $662 million to debit card fraud in 2005. Of these losses, 60 percent resulted from ATM transactions, 37 percent from signature transactions, 37 percent from signature debit transactions and 3 percent from PIN point-of-sale (POS) transactions.....
#4. Phishing
Phishing continues to change and grow, and crimeware (or malware) is also growing, says noted phishing and crimeware researcher Dr. Markus Jakobsson, Principal Scientist at the Palo Alto Research Center, Palo Alto, CA. "There is a notable tendency for phishing to become more technical -- for example, using advanced obfuscation to combat anti-spam techniques," Jakobsson notes. At the same time, crimeware (what used to be called malware) is becoming increasingly more reliant on social engineering. "Trojan horses commonly use clever social engineering techniques to improve their success rates," he says.....
#5. Vishing
The increased number of "vishing" - or phone-based phishing -- scams hitting regions is cause for alarm. In the last week, there have been five different regions of the country hit by phishers using phone calls to solicit information about the person's credit union or bank account:
New England Federal Credit Union in Williston, VT reported that a vishing scam hit residents, and the Heritage Family Credit Union in Rutland, VT also reported a similar scam.

Customers of the Forward Financial Credit Union in Niagara, WI and the River Valley Bank in Iron Mountain, MI received calls last week from fraudsters asking for account information.

Asheville Savings Bank, Asheville, NC was alerted last week by its customers that a vishing scam targeting area residents was trying to get debit card numbers.

The final vishing scam of last week targeted all 22,000 residents of Guilford, CT. The calls started coming on May 24. Guilford Police say they believe by the time they were done every land line telephone in the town of 22,000 residents received a call.....
6. Insider Threat

The threat of a trusted employee or vendor taking sensitive information is not new, but the ways that insiders are getting to the juicy data or dollars is changing, according to Randy Trzeciak, Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Collusion is the new way insiders are getting sensitive data. (Full Text at www.bankinfosecurity.com)

Tuesday, May 26, 2009

Fraud Update: The 13 Hottest Schemes You Need to Prevent

Below are just the highlight of each of the 13 Schemes. To read the whole report -click on the title above.

Fraud Update: The 13 Hottest Schemes You Need to Prevent
From Credit Bust-Out to In-Session Phishing, Fraudsters Are Finding New Ways to Ply Old Tricks
May 26, 2009 - Linda McGlasson, Managing Editor

The fraud fight is getting nastier by the minute, say experts familiar with the new schemes - and some old ones with new wrinkles -- being perpetrated by criminals against financial institutions and their customers. Here are 13 of the most prevalent ruses.
#1 -- Credit Bust-Out Schemes
By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit - or who might be the party responsible. How it works: According to Michael Smith, manager of the Fraud and Market Planning division at Lexis Nexis, consumers apply for credit from lenders using similar last names, oftentimes Eastern European or Balkan, in an intentional effort to capture financial access vehicles to cause delinquency.

#2 -- Customer Loan Account Takeover
This type of fraud occurs online, and a recent case study related by Avivah Litan, distinguished analyst at Gartner Group illustrates how customer loan account takeover happens. The case resulted in a $71,000 theft from a customer's loan account.
An online loan Web site gave a customer the ability to open demand deposit accounts (DDA), Litan explains, which were to be held as savings accounts that could only be opened and accessed via the Internet. "To open the account through the online loan application, a customer needed an existing relationship with another bank," Litan says. The customer would provide all the account information necessary for both banks to complete ACH transfers.
Prior to opening the account, the online loan application system would complete two test transactions and require the potential customer to confirm the exact dates and amounts of the transactions. "If the customer could not provide that confirmation, then it was thought to be attempted fraud, and the account relationships would be closed."
#3 -- Corporate Account Takeovers
Corporate account takeovers are becoming more prevalent says Gartner's Litan. "Corporate banks are reporting that criminals are targeting their cash management customers and moving money out of their accounts via innocent consumer accounts," she says. The owners fall for phishing e-mails that promise lucrative commissions for participating in the schemes.
#4 - Cross-Channel Call Center/Online CD Purchase Scam
A fraudster purchases multiple CDs online from one bank, funded by ACH Transfers from multiple compromised third-party accounts at other institutions, says Ori Eisen, former worldwide fraud director for American Express. How it happens: The perpetrator contacts the Call Center within 48 hours of the CD purchases to cancel the CDs and transfers the funds to yet another institution to liquidate. "Variable email addresses are used in an effort to mask identity," Eisen says. "Current procedures and safeguards at most financial institutions may not preclude the success of this type of cross-channel attack."
#5 -- Wire Fraud Account Grooming
Financial institutions are exposed to very high levels of risk within their online wire transfer processes. "Traditional methods of detection are very labor intensive, yielding high false positive rates and low recovery of stolen funds," Eisen says.
#6 -- In-Session Phishing
A somewhat recent tactic being perpetrated by fraud rings -- "in-session Phishing" -- has emerged as one of the chief threats to the breach of secured online assets. These attacks utilize vulnerabilities in the Javascript engine found in most of the leading browsers, including Internet Explorer, Firefox and even Google's Chrome, notes Eisen.
How it happens: Utilizing a host website that has been injected with malware acting as a parasite, this parasite monitors for visitors with open online banking sessions or similar protected asset sites (such as brokerage or retirement planning sites).
Using the Javascript vulnerability, the parasite can identify from which bank the victim has a session currently open by searching for specific sites pre-programmed in the malware itself. "There are no limits to the volumes of URLs a website hosting the parasite can test from the victim's machine. The malware asks: 'is my victim logged onto this XYZ bank website' and their browser replies either yes or no," Eisen says.
#7 -- ATM Network Compromises
The industry is seeing breaches at all stages in the payment process, including merchant terminals, the communication links between merchant acquirers, and (worst of all) core elements in ATM networks, according to Paul Kocher, Cryptography Research Institute's president and chief scientist. "Once the perpetrators have the contents of magnetic stripes and the corresponding PINs, the data is then sold to people who write the data onto counterfeit cards and drain customers' accounts," Kocher observes.

#8 -- Precision Malware Strikes
The most common defenses against malicious programs work by comparing programs against the signatures of known malware, says CRI's Kocher. As a result, attackers have learned that they can breach high-value targets' computer systems relatively easily, provided that their attack software does not spread so widely that antivirus companies get a copy and add it to their databases.

#9 -- PIN-Based Attacks
For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensic and litigation support, across the globe. The Verizon Business' just-issued 2009 Data Breach Investigation Report, shows more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.
Driving this explosion in compromised records are more sophisticated attacks, specifically targeting the financial sector. In fact, 2008 saw three of the world's largest known data compromises on record.
#10 -- Account Manipulation
Aside from the five or six massive individual compromises that took place across the globe in 2008 is a vastly larger population of data breaches, also targeting financials, that garnered little public attention, Sartin notes. "Much of these involve unusually small populations of compromised records, yet massive fraud in terms of total dollar losses, resulting in significant impacts to the institutions affected. By and large, these cases appear in two forms: insider manipulation and application manipulation," he says.
#11 -- Fraud Pattern Changes
Fraud patterns changed dramatically in 2008 as a result of both reduced percentage of successful fraudulent transactions and arrest of individuals involved in organized fraud activity, says Verizon Business' Sartin. The new fraud patterns can be divided into two categories: random fraud patterns and global ATM transactions.
Random fraud patterns used by organized fraud groups involve similar purchases as seen prior to 2008, but in a random pattern. "In 20089, the fraudsters have adapted to completely random fraudulent purchases to make pattern identification much more difficult," he notes. The fraudsters began showing up at random stores in random time patterns to make identification of a pattern difficult or impossible. "No two purchases would be made at the same merchant location in a several month period. No pattern of purchases at each exit as a group drives up a highway. The purchases were at the same chain merchant stores of the same items, but now in a random pattern," he explains.
#12 -- Foreclosure Prevention Schemes
This doesn't hit a financial institution directly, but if an institution holds mortgages for "troubled" homeowners, this is a scheme you need to be on the lookout for, says Denise James, market planning director Lexis Nexis' Residential Mortgage Solutions. These foreclosure prevention schemes generally involve fraudsters posing as professional, knowledgeable foreclosure specialists. Homeowners facing the threat of foreclosure and nearing eviction are contacted by these "foreclosure specialists" who promise to work out their loan problems or buy their home and offer the homeowners tenancy. "Unfortunately for the homeowner, the fraudster has no intention of following through with these promises and instead will manipulate the homeowner into deeding the property to them," James says.
#13 -- Builder Bail-Out Fraud
This fraud involves securing funds for condominium conversion or planned community development properties that, unbeknownst to the investor (financial institution), will not be completed, says Butts of the Mortgage Asset Research Institute. The scams entail multiple purchases from would-be investors or false identities on fabricated loan transactions. "Investors are lured by photos or inspections of a few converted units used as models with promises of further rehabilitation of remaining units. Once the contracts are in place, the fraud continues as the perpetrator secures funding for the contracts," Butts explains. However, she adds, no additional work is done and the investors and lenders are left with incomplete and, in some cases, uninhabitable dilapidated buildings. (Full text at www.bankinfosecurity.com)

Tuesday, May 19, 2009

28,000 NJ unemployed IDs at Risk

Blunder puts IDs at risk
Social Security numbers 'misdirected' by agency Personal information of 28,000 'misdirected'
Tuesday, May 19, 2009
BY CHRIS MEGERIAN

STATEHOUSE BUREAU

Nearly 30,000 unemployed New Jersey residents now have something else to do besides looking for work: They can worry about who may have their Social Security number.

The Department of Labor and Workforce Development notified thousands of people last week that their personal information may have been sent to companies they never worked for.
Those who received warnings were told the state had no way of knowing whether their information was sent incorrectly.
"This letter is to inform you that due to an error at the Department of Labor and Workforce Development your name and Social Security number may have been accidentally delivered to an employer for which you did not work," the letter reads.

Also included in the letter were details on how to halt the release of credit information, which is allowed by New Jersey's Identity Theft Prevention Act. However, the letter also noted a freeze on credit reports can create problems when consumers seek loans that require creditors to access credit information.

"It's important to remember the information was not stolen, simply misdirected," reads the letter. "Nevertheless, you should be aware of the situation and alert for irregularities that may suggest your personal information may have fallen into the wrong hands."

Letter recipients were directed to call the New Jersey Division of Consumer Affairs for more information on credit reporting and identity theft protection. (Full text at www.nj.com)

Maybe if these people are lucky, someone will use their identity with a job and help improve their credit score.

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Sunday, May 17, 2009

California DMV Wants to Use Biometrics

A hint of "1984"

DMV wants to face identity theft head on

May 17, 7:49 AM

Remember that Visa Card campaign where everyone claimed to be Emmit Smith? Well, California's DMV is hoping to prevent license monkey-business by recording biometric data then matching it against existing records on file. Match up with an existing entry under a different name and you are a WINNER!

Privacy advocates see "Big Brother" written all over this. Authorities could scan crowds, identify people and then use that info to develop profiles. For example, you could show up at an anti-war rally and suddenly you're on a list that would make Senator McCarthy proud.
(Full text at www.examiner.com)

Friday, May 15, 2009

Heartland Data Breach: MasterCard, Visa Impose Hefty Fines

Heartland Data Breach: MasterCard, Visa Impose Hefty Fines
Processor says it Has Already Spent $12.5 Million in Fees, Penalties
May 14, 2009 - Linda McGlasson, Managing Editor
The Heartland Payment Systems (HPY) data breach has already cost the card processor millions in fines from Visa and MasterCard.
This news was revealed by CEO Bob Carr in Heartland's recent earnings call, wherein Carr said the much-publicized breach has already cost the company $12.5 million.
Other than legal fees and some related charges to the breach, much of that amount went toward fines imposed by Visa and MasterCard against Heartland's acquiring banks, Carr says.
A Visa source would not confirm the amount of the fine imposed, but Carr told investors that more than 50 percent of the $12.5 million relates to a fine that MasterCard assessed against its sponsor (acquiring) banks. "Ostensibly, because of an alleged failure by Heartland to take appropriate action upon having learned that its computer system may have been breached, and upon thereafter having discovered the intrusion," Carr states.
Heartland believes that it responded appropriately to all information that it learned regarding the possibility of a system breach and that, upon discovering the intrusion, it took immediate and extraordinary action to address the intrusion, Carr adds.
Heartland therefore considers the MasterCard fine to be in direct violation of both the MasterCard rules and applicable law, and the company "intends and is prepared to vigorously contest, and it has recommended to its sponsor banks that they vigorously contest through all means available, including litigation if necessary, any liability that may be asserted or imposed upon Heartland or its sponsor banks by reason of this fine," Carr says.
(Full text at www.bankinfosecurity.com)

Wednesday, May 13, 2009

Uni-ball® offers consumers an anti-theft solution with its specially formulated “Super Ink”

Identity theft scams are at an all-time high. As economic pressures continue to increase, identity thieves and other criminals are finding new (and traditional) ways to commit this crime, which rose 22 percent in 2008, and is expected to be even higher in 2009.

Uni-ball, a leading brand of pens, has an ongoing campaign to elevate awareness about the growing threat of identity theft. Many of uni-ball’s pens contain specially formulated ink that helps prevent check fraud. As it becomes more difficult to get new lines of credit, identity thieves may be increasingly drawn to commit check fraud. These crimes may take the form of stolen checks, using checks thrown into the trash by unknowing consumers, or a type of identity theft known as “check washing.” Check washing occurs when checks or other tax-related documents are stolen from the mail or by other means and the ink is erased using common household chemicals, allowing thieves to endorse checks to themselves. This is where inexpensive uni-ball pens can help. With exclusive "Super Ink™”, these pens help prevent document and check fraud by absorbing into the paper fibers. When an individual tries to wash or lift the inked information written on the document, the ink remains “trapped" within the fibers of the paper, thereby discouraging the efforts of identity thieves.

Doing something as simple as paying attention to the pen you use could potentially save you thousands of dollars and endless hours of headaches. “Uni-ball pens with uni-Super Ink help prevent identity theft,” said Steve Gradman, senior brand manager of uni-ball. “Our goal is to help ease the minds of individuals when writing sensitive materials – from legal and medical documents to checks and tax forms. It’s a simple, inexpensive pen, but it packs a lot of punch when it comes to identity theft prevention.”

For more information on uni-ball and uni-Super Ink, and to see check out which pens contain the special ink, visit www.uniball-na.com.

Saturday, May 9, 2009

Hackers Breach UC Berkeley Database

On Friday, UC Berkeley officials announced that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others.

The data included Social Security numbers, birth dates, health insurance information and some medical records dating back to 1999.

As of 05/05/09, there has been 190 data breaches with over 11 million records compromised nationwide.

To learn more about Identity Theft and what to do if you are a victim, visit www.StopIdTheftCrime.com and subscribe to the newsletter to obtain your free 46 page eBook "Fighting Back Against Identity Theft".

Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!

Shameless plug
the Best Identity Theft Protection available dot com

Thursday, May 7, 2009

Hacker says he stole confidential medical data on 8 million Virginia residents

Hacker says he stole confidential medical data on 8 million Virginia residents
May 06, 2009 | Molly Merrill, Associate Editor and Chip Means, Web Editor
RICHMOND, VA – A Virginia government Web site was replaced last week with a ransom note from a hacker claiming he stole 8.3 million patients' personal and prescription drug information. The hacker says he wants $10 million for the safe return of the information.

The Virginia Prescription Monitoring Program's site tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees' personal information, such as names, social security numbers and addresses.

According to Wikileaks.org, an online clearinghouse for leaked documents, on April 30 the secure site for the Virginia Prescription Monitoring Program was replaced with the following ransom demand:

"Attention Virginia! I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password." (Click here to see full ransom note).

The hacker, who taunts the FBI and lists his own email address as "hackingforprofit@yahoo.com," claims the database of prescriptions has been bundled into an encrypted, password-protected file.

The Virginia Department of Health Professions Web site has been temporarily disabled and now features a notice saying the site is "experiencing technical difficulties which affect computer and email systems." According to the department's director, Sandra Whitley Ryals, the breach is under federal investigation.

Speculation has risen about whether or not the Virginia Department of Health Professions has back-ups of the patient database.

"It is possible that they do have back-up, but they fear the massive damage if patients data is used for identity theft," says Deborah C. Peel, MD, founder of Patient Privacy Rights.(Full text at www.healthcareitnews.com)