Does anyone know - whether or not - check fraud is on the rise?

I sometimes wonder - whether or not - anyone really knows how much check fraud is out there?

Law enforcement jurisdictions often have dollar amounts (some fairly high), which must be met before a case is actively investigated - causing it to be recorded as a statistic. And in the private sector - a lot of NOT very "clear reasons" are used to return checks, which might or (might not) mean fraud.

My two favorites reasons the banks use to return checks are "refer to maker" and "stop payment." This might mean someone was unhappy with a service that was performed, or it could mean the item is counterfeit and the owner of the account placed "stop payments" on the checks. It's even possible that items returned as NSF (non-sufficient funds) are forgeries, or counterfeits because the owner of the account has yet to discover their account has been compromised.

The same holds true with "fraud accounts" that banks open for crooks (new account fraud). New account fraud occurs when fraudster(s) open an account (often with fake information), write a series of checks for a lot more than what is in the account, and disappear (literally).

Often they do this over a weekend, and withdraw the amount they initially deposited, also.

New account fraud items normally return as (NSF) non-sufficient items until the bank closes the account. Once this occurs, they are classified as "account closed." Non-sufficient fund and account closed items are normally not considered a fraud classification.

The only thing that is certain is that the loser is going to be the party, who accepted the check, and not the banks. In fact -- some believe the banks are the winners in this process -- because they make a lot of money from "bounced check" fees.

In a lot of the recent Internet scams, customers have even gone to a bank employee to ask if an item is good. After trusting the employee's expertise, the check was deposited and the funds were made "available." A few days later, the item was returned as fraud and the customer's account was "garnished."

And in all the cases, I've heard where this happened, the bank didn't accept any liability. Here's a post, I wrote about this:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

The other day, I came upon an article by SmartPros, indicating that a "possibility exists" that check fraud will rise in the coming year.

According to SmartPros:

Identity theft trends in the next year may include an increase in check fraud, check synthesizing and check counterfeiting, according to The Identity Theft Resource Center, a nonprofit victim assistance center.

SmartPros story, here.

In case no one has been watching - check fraud appears to have been growing rapidly over the past several years. It's true that all the bogus "financial paper" circulating aren't only checks, we are seeing a lot of counterfeit money orders, also.

Counterfeit cashier's checks and other bogus paper financial instruments (money orders, travelers and gift cheques) have been showing up in secret shopper, romance, lottery, work-at-home and auction scams at ever increasing rates. The situation seems to be getting worse - as more and more people - become Internet users.

In fact, eBay recently announced they will no longer offer any protection for paper financial instruments on their site.

And so far as the amount of them out there, there is evidence that bogus paper financial instruments are being produced on an industrial level:

Are Counterfeit Documents being Mass-Produced in Nigeria?

The Federal Deposit Insurance Corporation sends out alerts on all the counterfeit cashier's checks, which are pretty hard to keep up with. If you want to see what I mean, link here.

We read a lot about "DIY" (do-it-yourself) kits being sold to commit phishing and eBay fraud in shady Internet crime forums -- but in the case of checks -- DIY kits are openly sold in stores, and available on e-commerce sites.

In fact, there are a lot of "legitimate companies" selling all sorts of software, printers and even magnetic ink, which are capable of turning out some pretty convincing counterfeits. Throw in a computer, and it's not very difficult to start making checks.

To show all the "DIY check technology" for sale on the Internet, I ran a Google search, here. Of course, a lot of this (including the paper) can be bought at your local office supply store, also.

As with a lot of fraud, technology seems to be enabling the problem.

Although check fraud might continue to grow, there is little doubt that it's already a huge problem. BankersOnline did an article in 2002 stating:

About five years ago, U S NEWS and WORLD REPORT did the most in-depth study on this that we've had, and I've used their figures ever since. They probably are low by now. They said the financial institutions in the United States lose about $12 Billion a year in check fraud, and the retail industry loses a like amount. The total loss being $24 Billion as a result of check fraud. I think identity theft is getting a lot of publicity now - but it's been around for a long time. We just never gave it the designation of identity theft.

Since this report is now 5 years old and it is using figures that were 5 years old -- no one probably knows how much check fraud is really going on.

I guess until everyone comes up with some uniform standards, it's going to be impossible to determine how much check fraud is really out there.

BankersOnline article by Barbara Hurst, here.

A great resource on check fraud is the National Check Fraud Center. Their site provides a lot of expert information on check fraud and how to protect yourself from it.

Is check fraud on the rise? Despite the lack of statistics - my best guess is that it is!

0 comments

DIY (do it yourself) crimeware kits designed to steal personal information are for sale on eBay

Do it yourself (DIY) crimeware kits being sold on the Internet make it easy for non-technical criminals to commit fairly sophisticated (technical) crimes.

DIY crimeware kits have been credited with fueling the information (identity) theft crisis.

Ran into this interesting post on Cappnonymous (The Modern Day Beatnik Refuses to Die), which quotes a press release from PC Tools about crimeware for sale on eBay. The original press release from PC Tools points to eBay links, which have been deactivated.

Fortunately for those of us, who might be interested in taking a look at this, Cappnonymous was able to recreate a visual demonstration (screenshots) showing this illicit software being sold on eBay.

From the original press release from PC Tools:

Online auction site, eBay, is unwittingly selling software that is used to hack eBay user accounts and steal personal information, according to research from online security experts PC Tools.

A number of software items for sale on the world’s leading online auction site contain a variety of programs including keyloggers, trojans and other malware making devices that are aimed at helping users hack computers, websites and even individual user accounts.

The release quotes Mike Greene, VP Product Strategy at PC Tools as saying:

It is ironic that something intended ultimately to steal a consumer’s identification and financial information is being sold via what is one of the world’s number one targets for the ID theft.

Cappnonymous added his own sage comment:

Note a couple of the hilarities such as payment via Paypal and the Square Trade seal.

The seller’s feedback is 100%, so he/she must have some very happy buyers.

Cappnonymous post, which contains an excellent visual demonstration of this problem, here.

Although, eBay is frequently the subject of fraud articles, I'd like to point out that tools to commit cybercrime might be for sale on a variety of auction sites.

They are also being sold in a lot of other places on the Internet. Because the sellers are motivated to sell as many of them as they can, they will migrate to the best places to market their seedy products.

Some of them even provide technical support.

The Anti Phishing Working Group issued a detailed report last October regarding this problem, which can be seen, here.

0 comments

Spear phishermen target executives to steal company information

Shamus McGillicuddy of CIO News highlights an interesting fact, which is you never know, who is going to fall for a phishing scam.

The phishermen normally send out a lot of bait (spam) in the hopes of hooking a few phish.

Shamus writes:

Over the last week and a half, spam messages purported to be from the Internal Revenue Service and the Better Business Bureau have been specifically targeting senior-level corporate executives with phishing scams.

Experts say these targeted phishing attacks, sometimes called "spear phishing," are nothing new, but they illustrate that spammers are getting more adept at targeting sophisticated email users who have access to the most sensitive data within their companies.

Spear phishing is simply a more focused form of phishing, which uses more personal touches, such as a person's real name, and or title.

With all the information plastered over the Internet, or available for sale; it isn't hard for phishermen to get what they need (personal information) to go spear phishing.

Many private companies and government organizations recognize the danger phishing poses in the workplace. To counter this, and raise awareness; they are phishing their own employees.

Recently, I did a post about this, which revealed more employees fall for this, than many would like to admit:

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

There seems to be more and more phishing out there, which might be inspired by DIY (do it yourself) kits being sold over the Internet. DIY kits make it easy for not very sophisticated criminals to become expert phishermen.

The only good news about phishing is that with a little awareness, most people can spot this activity, because the phishing ploy doesn't make much sense, or is too good to be true.

CIO News story, here.

BBB Alert, here.

IRS Alert, here.

0 comments

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

They report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key-component of any successful business. Malicious software, phishing and spam were cited as primary causes for the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle of fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In Phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, it's resources are limited and more action by the State attorney generals is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received 2006 and 2007. Thirty six States responded and most of them had a Internet related category listed in their top-ten complaints. It was also noted that overall Internet related complaints increased from 2006 to 2007. Eight of the States listed Internet related complaints in their top-three and four States listed them as being the number-one complaint.

The FTC, who gathers data on a much wider scale noted an increase of 16,000 Internet related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States, alone. Given that the estimated losses in 2006 was a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the the criminal activity on their sites. Since Internet Service Providers and Auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

This list of Internet crime enablers is long and the one's referenced regarding service providers and auction sites are merely two examples of them. But if you were to take a look at all them, they have one thing in common: which is maintaining an environment conducive to making money easily. The question is how long will it take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem?

0 comments

SIRAS PI - tracking theft to the source

Graphic demonstration of anti-theft technology courtesy of SIRAS.com.

Criminals, who steal goods, whether with bogus financial instruments, or by more physical means might be in for a little surprise if the merchandise is protected by SIRAS PI.

Last week, SIRAS made this announcement in a press release:

SIRAS.com, the pioneer in Point-Of-Sale Electronic Product Registration used by leading manufacturers and retailers, has announced the nationwide launch of SIRAS P.I., a groundbreaking initiative to aid law enforcement officials in determining whether products they recover are, in fact, stolen, and if so, from where. Piloted by the Mesa, Arizona Police Department, SIRAS’s P.I. (Product Information) Database has already proven to be effective in helping law enforcement officials identify stolen items, report suspicious items, and apprehend and convict thieves. The database will be available, free of charge, to police and law enforcement agencies nationwide.

The way SIRAS works is simple, but effective. It tracks a product by recording the UPC (Universal Product Code) and the product serial number. SIRAS has the capability to determine where merchandise was stolen, whether from a merchant, manufacturer, or individual.

Earlier this year, SIRAS did some testing that revealed a substantial reduction in TV and MP3 player losses on products, where their technology was being used.

If deployed properly at the merchant level -- it could also determine how an item was purchased, and whether or not -- the method of payment used was legitimate. In theory, a merchant could also use the technology to impact credit card chargeback and fraud check losses.

I say "deployed properly" and "in theory" because the information to accomplish this (sales data) belongs to the company using SIRAS technology. Because of this, the capability to track sales information would have to be implemented inside the company. At most larger companies, this information is already tracked and analyzed to prevent and detect dishonest activity.

For years, most high-theft (shrink) merchandise has been secured so a thief can't merely pick it up from a shelf. When high-theft merchandise that was secured is stolen, it's normally because of one of two reasons. It was purchased with a bogus financial instrument, or an insider was involved in the theft.

Other reasons for secured merchandise being stolen might be a theft, directly from the manufacturer, or a theft during the shipping (transport) process. In these instances, if the merchandise was registered at the manufacturer, SIRAS can identify the point of compromise, also.

Technology has made it a lot easier for criminals to obtain and use fraudulent forms of payment. Information being compromised (data breaches) and anonymous places to communicate like Internet chat rooms, have given a lot of common criminals access to bogus financial instruments.

Along with the increased availability of fraudulent forms of payment, obtaining counterfeit identification documents has become fairly easy, and the identity used on them normally belongs to someone else. This has made it easy for a lot of retail criminals to operate as someone else.

Because of these new trends, current systems that record personal information to prevent fraud are becoming less effective than they use to be. I often wonder (no one probably really knows) how much of the information contained in them is incorrect.

In the recent data breach at TJX, one of the systems compromised was their refund database. Stories have circulated recently about the wrong people being pegged as frequent refunders, or bad check writers after their identities were stolen.

Neither one of these situations fosters good will, or trust with customers. Besides that, data breaches are becoming costly. The last I heard TJX has spent approximately $256 million dealing with the breach. With pending litigation, the cost is liable to keep going up.

With SIRAS, using personal information isn't necessary to determine, whether or not, a return is legitimate. SIRAS already has proven to be highly effective in reducing refund fraud without asking for one item of personal information.

An example of how some of the TJX data was used in a retail theft scenario can be seen, here.

Given that criminals that steal merchandise want to turn it into money, two methods are normally used. They either refund it somewhere, or fence it. Auction sites provide an easy and when combined with account-takeover activity (anonymous) venue for criminals to fence merchandise.

In the auction world, seller accounts are taken over all the time. This normally occurs when seller accounts are compromised by a phenomenon known as phishing. Phishing occurs when a person is tricked into giving up their access information after receiving a spam e-mail.

Compromised seller accounts are sold on the Internet the same way financial information is, and there is a trend in DIY (do-it-yourself) phishing kits being sold that enable non-technical criminals to get into the game.

eBay and PayPal are two of the most heavily phished brands. Once these accounts are compromised (taken over), they are used by criminals to fence merchandise and launder the monetary proceeds of their illicit sales.

Another growing trend related to phishing is when malware, also sometimes known as crimeware is used to steal information. The difference here is information is stolen from systems automatically (normally by keylogging software) and social engineering (trickery) is no longer necessary to get people to give up information.

Malware is often picked up by a computer system by clicking on a spam e-mail link, or by visiting a website designed to inject the software on a system. PC World recently did one of the many stories floating around about malware being sold on the Internet in the form of DIY kits.

In the story they wrote:

The global market for criminal malware now operates like a supermarket, complete with special offers and volume discounts, a security company has discovered.

Here again, this capability enables not very technically inclined criminals to get into the game. This has become a growing problem and I expect it to get worse before it gets better.

With the availability of all this personal and financial information, being sold on an economy of scale, current fraud protection systems are routinely being compromised by a lot of criminals.

There is an old saying in the investigations world, which is if you want to solve a crime, the easiest way is to follow the money.

SIRAS takes this one step further by tracking both the merchandise and can track the money ( if programmed to do so by the user). When you do this, the odds are far greater that the true culprit will be identified. They are normally associated with either the money, and or the merchandise.

Since the technology records both physical and UPC information, the database can determine exactly where the merchandise was compromised (stolen). Given that many merchants use digital video systems -- which are capable of storing video footage for a long time, it's also possible to obtain video evidence of the original transaction -- when sales information has been programmed to tie into the technology.

SIRAS has been used by select manufacturers and merchants for several years now -- however a new initiative, SIRAS PI, which was tested with Mesa PD -- makes the database available to law enforcement agencies free of charge.

Law enforcement can access the database either via the Internet, or by telephone. They can also add items to the database when they are reported stolen. If someone later tries to refund the merchandise at a participating retailer, the transaction can be automatically flagged.

Although a lot of fencing now occurs on the Internet, the technology is equally as effective in investigating more traditional property crimes, also. The bottom line is once merchandise is discovered, it can be tracked by SIRAS, if the item has been registered.

Recently, Chris Hansen (MSNBC), did a story about iPod theft. When Apple was approached about tracking the merchandise using Apple's registration database, they decided not to cooperate with MSNBC.

Undaunted by this, MSNBC purchased a bunch of iPods and engineered the registration disc to send them the information when the iPod was registered. They then left the iPods (new in the box) unattended, let them get stolen and tracked them to the crooks once the iPod was registered.

Chris Hansen made an excellent point on how databases can track stolen merchandise -- but in this instance, brand new iPods had to be left in public places to be stolen -- then registered to make the point.

If Apple used SIRAS technology to protect their merchandise -- it would have already been traceable, even if it was stolen from an individual -- who didn't provide the thief with the registration disc. It also would eliminate privacy concerns, which might be why Apple didn't want to cooperate with the MSNBC investigation?

When registering any product, a lot of personal information is normally asked for.

In any event, most criminals of the smarter variety aren't going to provide their personal information in the registration process. Most of them shy away from doing things, which might get them caught.

It would be interesting to have MSNBC, or another investigative news source do the same story with merchandise protected by SIRAS. The story might expose more than people, who stole because of an almost "too good to be true" opportunity was provided to them.

MSNBC iJacking story, here.

This brings up another potential benefit to this technology. Expensive portable electronics and other expensive toys like mountain bikes are stolen from the people who buy them (customers) all the time. Using SIRAS technology might even be a selling point that instills customer trust in the product they are purchasing.

This technology has prevention/investigation applications for corporations, law enforcement agencies and individuals, alike. It also doesn't require using people's personal information, which isn't as effective as it used to be, and is becoming more unpopular all the time.

In my opinion, this technology has the ability to make it a lot harder to get away with stealing merchandise and converting it into money.

Of course, the more it is used, the more effective it will become. Databases have a tendency to do this, or become more useful as they contain more information.

There are a lot of anti-theft/fraud technologies that claim to prevent theft/fraud. Very few of them also claim to be able to go after and hold the criminals committing the fraud/theft personally accountable.

The last I heard, most criminals still fear getting caught!

If you would like more information on the organized trade in counterfeit identification documents, the story of Suad Leija can be seen, here.

Suad's story has been covered extensively in the media, including by Lou Dobbs. Currently, she is writing a book and I keep in touch with her occasionally.

More information about bogus financial instruments can be seen, here and here.

A chronology of data breaches is compiled by the Privacy Rights Clearinghouse, here.

The best source on phishing is the Anti-Phishing Working Group and if you are interested in learning even more about phishing and want to see some totally fake banking sites, Artists Against 419 is another good place to visit.

Last, but not least, if you are interested in learning more about SIRAS PI, you can do so by visiting their site, here.

0 comments

RSA Report Points to an Increase in Cyber Crime

According to a recent report from RSA Security, phishing attacks increased 66 percent last year when compared to 2007. One reason cited for this are the increased availability of DIY (do-it-yourself) phishing kits, which are available for sale on the Internet.

Some of these kits even come with tech support. In the past few years, these kits have enabled a lot more people to get into the phishing game.

The statistics compiled in the Anti-Fraud Command Center Phishing Trends Report recorded 135,426 phishing attacks compared to 90,000 detected in 2007. Despite these ominous numbers, the report showed a marked decrease in the number of attacks between June and July. The amount of attacks then increased steadily until the end of the year and then dropped again in December. The RSA team attributed this to a drop in activity by a notorious gang of phishermen, known as the Rock Phish.

Although, no one seems to be exactly sure, the Rock Phish are a phishing gang that are allegedly of Romanian origin. Experts believe they are responsible for up to 50 percent of the phishing seen in the wild (on the Internet) today. To avoid detection, Rock Phishing attacks often update DNS records during an attack and change URLs, which confuse take-down efforts and allow them to bypass spam filters. They also use images in their spam e-mails, which make their work harder to be detected by spam filters. A lot of spam filters do not use OCR (optical character recognition) because it slows down the filtering process.

The (temporary?) reduction in attacks was attributed to the Rock Phish upgrading their infrastructure and switching to the use of a new botnet, called the "Asprox botnet."

A lot of the newer botnets — which spew out spam in the millions using zombies (compromised computers) — are using what is known are using fast flux technology. Fast flux is a DNS technique used to hide spam e-mails behind a constantly changing network of compromised computers (zombies), which have been taken over using malicious software to send out spam. Since these spam e-mails recruit new zombies all the time, it makes shutting down this type of activity pretty difficult. According to the report, fast flux attacks now comprise about half of all the activity out there.

From a global perspective, the United Kingdom (40 percent) was the most attacked country followed by the United States (37 percent). This was attributed to a focused attack on a number of financial institutions in the UK in 2008. The report also acknowledges increased activity in Latin America and the Pacific. A lot of experts believe we will see increased activity in other parts of the world as more people from these regions are introduced to the Internet. As this takes place, more computers will be compromised (become zombies) in these countries and the statistics will shift.

It should be noted that despite the increased activity in the United Kingdom, the United States still holds the dubious honor of being number one in hosting phishing attacks. They are also number one in brand names being attacked.

Of no surprise is the statistic that financial instituions are the favorite target in these attacks. It makes sense that the phishermen will continue to go where the money is and with the sour economy, there are a lot of social engineering lures that are ripe for exploitation. Fear is a time-honored social engineering lure, which gets people to click on links they should not have.

The conclusion of the report is that online crime continues to evolve, is becoming more dangerous, and new tools are being used to further the effort. My guess is that it will continue to grow as long as we focus on defending against it instead of going after the source of it! Of course, this is merely the opinion of this observer.

0 comments

Scammers trick grocery chain into sending them $10 million

(Photo courtesy of rcbatey at Flickr)

Normally, when e-mail scams are brought up, we think of unfortunate individuals falling for something that's too good to be true. A surprising discovery, found in federal court filings, proves that this isn't always the case.

Yesterday, Rebecca Boone of the Associated Press (courtesy of the StarTribune.com) reported:

Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.

Apparently, Internet e-mail scam artists accomplished this by sending spoofed e-mails impersonating Frito-Lay and American Greetings:

The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.

At first, it appears that no one at SuperValu questioned the account changes and approximately $10 million was wired into them.

According to the article, the scam was discovered quickly and the FBI intervened. SuperValu will not comment on how much money they actually lost.

Either this is a fluke, or it shows a growing trend, where businesses are being specifically targeted in e-mail scams.

This isn't the only type of e-mail scam that has been targeting businesses and organizations.

Stories about what is known as spear phishing have been circulating recently. Spear phishing differs from regular phishing because indivduals are targeted by name, and as reported in some of these stories, sometimes by both name and title.

Previous posts, I've written about spear phishing can be seen, here.

Please note that stealing money isn't the only goal in spear phishing. Sometimes the goal is to steal information (which is worth money), also.

Phishing has become more sophisticated in recent history. Besides using social-engineering (trickery) to obtain information -- malware (sometimes known as crimeware) is downloaded into a system by opening a e-mail attachment -- which steals the information automatically and on an ongoing basis.

Another growing trend is the sale of DIY (do-it-yourself) phishing kits in underground (normally Internet) forums. These kits are enabling less technically inclined criminals to get into the game.

This goes to show that educating employees (especially those with access to financial assets, or valuable information) how to avoid being scammed might be something worth taking a look at.

On a final note, we need to remember that the same type of scam could be accomplished via snail mail with convincing letterhead, or even via a fax. The best way to avoid scams is to be able to recognize the behavior behind them.

AP Story, here.

0 comments

Data Theft Grows 68 Percent in 2008

Linda Foley at the Identity Theft Resource Center made an ominous announcement that data breaches were at an all time high. According to research conducted by the group, the number of data breaches has grown 68 percent in 2008 versus the same time period in 2007.

The current study acknowledges that some breaches are under reported and multiple breaches are sometimes reported as a single event. The breach at BNY Mellon and SunGard data were cited as an example of a single event affecting multiple businesses.

The report shows an increase in data breaches at businesses, financial institutions and health/medical institutions. Interestingly enough, breaches that involved the government/military and educational institutions showed a decrease.

Breaches are becoming more technology based, also. Electronic data breaches accounted for 80.7 percent of the total versus 19.3 percent, which were considered paper breaches.

I suspect that the increased activity at businesses and financial institutions is because the goal is to steal financial instruments that already have a cash value associated with them. As the general public has become more aware of the issues surrounding identity theft, opening fraudulent accounts with other people's information is becoming more difficult. More people are reviewing their credit and placing alerts/freezes on their individual reports, either by doing it themselves or paying a service to do it for them. When accounts are stolen that already have disposable spending power or (cash) on them, identity theft protection is unlikely to stop them from being compromised.

Because of the increased awareness, more fraudsters take over accounts instead of trying to open new ones. Most of the current identity theft protection methods being used will not stop this from happening.

So far as the statistic that electronic theft is becoming more prevalent than paper theft, perhaps shredding documents is making stealing paper harder? Of course, it might also mean that the methods to steal information electronically have become more advanced, also. Crimeware kits of the DIY (do-it-yourself) variety have spread this ability to people, who lack the technical skills to do it by themselves. There is a lot of evidence that these kits aren't too hard to purchase over the Internet and that sometimes they even come with technical support.

ID Analytics partnered with the study and added statistical information showing that 39 percent of data exposures were caused by missing or stolen devices in 2007. Their statistics also show that malicious intent in data breaches is a growing trend. Malicious intent categories include insider theft and access into account information by external methods (hacking).

A new trend, not specifically mentioned in the report, is large caches of stolen information being discovered that no one knew about before. Yesterday, Dark Reading announced that SecureWorks found one of these caches. Finjan has recently reported finding pretty much the same thing located on what they refer to as "crimeservers" on the Internet. The announcement by SecureWorks reported that hackers are using a trojan, called "Coreflood" also known as "AFCore."

SecureWorks reported that this trojan has gone undetected for a number of years and has compromised corporations, government agencies, healthcare agencies and "others." In this attack, one work station would be compromised and the hacker would wait for an administrator to log on. Once the administrator logged on to the infected work station, the hacker would then use the administrator's privileges to infect entire systems. This "hack" is being used to grab user names, passwords and even entire pages of information. Please note (my speculation) that this type of exploit is probably being used to steal more than financial information, also.

Given the fact that SecureWorks mentions government sites being hacked in this manner, there is no telling what the intent might be or who the information is being sold to (my speculation).

To the best of my knowledge, neither SecureWorks or Finjan have disclosed exactly who has been compromised or the exact details of the information to the general public.

This should lead the average person to believe that the problem of data breaches is far greater than anyone knows. The ITRC study explains why this is a problem when compiling any study on this subject.

Besides the ITRC, there are a lot of dedicated people gathering statistical information on data breaches. While they can only track information on the known occurrences, these people do a lot to educate the rest of us and raise the awareness level of what is becoming a growing problem.

The report gives credit to PogoWasRight, Attrition.org, breachblog.com, the Maryland and New Hampshire Attorney General breach notification lists and other sources that were used to compile this report.

The ITRC is a non profit organization designed to help businesses and people protect themselves from this clear and present danger to all of us. If you are interested in this problem, their site is a good place to educate yourself.

0 comments

Increase in Scams Attributed to Economy

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites — which often spoof a financial institution or government entity — and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steal all these details automatically.
Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people to give up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if it is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out were small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation) and it's probably a good time for all of us to review our statements, carefully.

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article this entitled, "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the look out for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are being targeted and tricked into downloading malicious software on machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article — which is a pretty good recap of recent scam activity — is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was it's lack of proper spelling and grammar. While the scammers might have have learned to use spell check, it might also point out that there are more and more people out of work (with better grammar skills), who are becoming scammers.

The WSJ quoted a lot of experts that agree with them that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report that was commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is being currently used to commit scams in the current economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, the best thing to probably do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping in anything of a financial nature these days.

0 comments

The continuing saga of Vladuz and Phishing on eBay

Here is an update to the ongoing saga of Vladuz versus eBay. Apparently, Vladuz, or someone claiming to be him, accessed eBay's servers and suspended some eBay accounts.

Ina Steiner reports on the AuctionBytes blog:

eBay confirmed that a known fraudster had limited access to a very small number of eBay accounts on the eBay.com site and the company appeared to have reacted quickly to block him on Friday. eBay spokesperson Nichola Sharpe said, "At no point did the fraudster get any access to financial information or other sensitive information." In a strange twist, some users reporting the incident said they had been openly critical of a hacker calling himself Vladuz and had been suspended briefly during the incident.

It is strange that some of the people suspended were openly critical of Vladuz?

Notably, this is the first time eBay has admitted Vladuz accessed their servers.

In another development, eBay, PayPal and Yahoo are joining forces to combat phishing. Phishing is a phenomenon that has caused a lot of eBay and PayPal account holders a lot of grief. Experts maintain that eBay and PayPal are the two most phished brands out there.

Phishing is where an account holder is duped into giving up their access information via social engineering (trickery).

The intent of the phishermen, who target eBay/PayPal accounts is normally to take the account over and commit even more fraud.

This activity gets more sophisticated all the time with crimeware (malware) being used (which steals the information automatically), and DIY (do-it-yourself) phishing and hacking kits being marketed in underground Internet forums.

Reuters, courtesy of the Washington Post is reporting:

EBay and PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys invented by Yahoo that authenticates e-mail senders are who they say they are, allowing Yahoo to block fake e-mails.

The technology upgrade will be made available to Yahoo Mail users worldwide over the next several weeks, the company said.

If you are interested in how bad the phishing phenomenon is getting, the National Consumers League has a very well written and informative paper on the subject, here.

They also have an interesting document, which although is a little dated, shows the increase in auction fraud and calls out that eBay severed their ties with them.

It should be noted that auction fraud doesn't only occur on eBay. It can and does happen on all the auction sites. The reason we hear more about it on eBay is because they are the used by more people than the other sites.

For the scammers that means there are more potential victims to harvest there.

NCL article on auction fraud, here.

AuctionBytes blog post on this, here.

Reuters story on eBay/PayPal's efforts to combat phishing, here.

Here is my most recent post about Vladuz allegedly raising his head again:

Did Vladuz hack eBay, or is stockpiled stolen information being used to make it look like he did?

0 comments

Why it's become TOO easy for restaurant workers to skim payment cards

We seem to be seeing a record amount of credit/debit (payment) card fraud recently. The latest is a $3 million scheme -- where restaurant servers were recruited to steal their customer's financial information -- using portable skimming devices, which seem to be easily purchased over the Internet.

Samuel Maull of the Associated Press is reporting:

Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.

The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well eateries in Florida, New Hampshire, New Jersey and Connecticut.

Full AP story, courtesy of the Washington Post, here.

The Manhattan DA's site has a lot more information on this case, which reveals most of the defendants appear to have worked in Asian restaurants, were extremely organized and traveled the country buying high-end electronics.

The DA press release shows how they were turning the stolen merchandise into cash, which is the goal of most of these criminals:

THOMAS JUNG, JOON HEE KIM, JUN SHOJI, RICHARD LEE, JENG SEAK LEE, PHIL ANG, ALEX KIM and others in small groups to areas within and outside of New York State to purchase high-end electronics merchandise – such as laptop computers, Sony Play Stations, GPS navigation systems, high-end digital cameras and IPods.

PAO provided each shopper with 20 to 40 counterfeit credit cards with the expectation that each “shopper” would make fraudulent purchases in an amount that averaged $1,000 per counterfeit card. If a “shopper” was provided with 30 counterfeit credit cards, the “shopper” was expected to make $30,000 in fraudulent purchases. PAO made the travel arrangements for the “shoppers,” which included airline flights, car rentals, and hotel rooms for shopping trips in New York, New Jersey, Connecticut, Illinois, California, Oregon, Washington, Ohio,
Pennsylvania, and North Carolina.

The “shoppers,” who were paid approximately 15% of the retail value of the merchandise they bought, delivered the merchandise to PAO, who then sold the stolen goods to defendant JOHN DOE. In turn, DOE sold the goods to electronics and computer stores in Queens.

You can read the full press release, here.

Unfortunately, this problem is enabled by portable devices, which are too easy to obtain. A website, I found recently (called Hackers Homepage) seems to openly sell everything a wannabe card skimmer would need to do this. They even sell the high-quality card blanks - with the ability to place holograms on them - right over the Internet!

Of note, this site (which I hope is under surveillance) also sells more sophisticated skimming devices designed to be placed on point of sale systems, and advertises other devices and publications that would appear to enable a lot of different financial crimes.

A lot of this stuff can also be purchased on auction sites (like eBay) as demonstrated, here.

Perhaps, if we want to see a decrease in this activity, we need to enact laws that will control some of the technology, which makes it TOO easy for anyone to do.

This along with DIY (do it yourself) auction fraud and phishing kits, also being sold over the Internet, make it too easy for ANY criminal to commit pretty sophisticated crimes.

Throw in carder forums, which sell all the information being stolen, and there is no wonder why this has become a rapidly growing PROBLEM.

The bottom line is that easily purchased technology is making the problem worse, and the problem is spreading so rapidly, law enforcement has a hard time keeping up with it.

This IS NOT a victimless crime, just ask any of the people having their information stolen, or one of the businesses that have lost money from it. Of course, when businesses lose money, they have to raise prices, which means we are all paying for it.

To watch a pretty telling video on YouTube about how restaurant workers skim payment cards, link here.

0 comments

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

Not so long ago, I did a post about how the federal government was phishing their own employees.

It didn’t surprise me that many of the phish took the bait, pretty easily. It would just mean that the federal employees, who were phished are no different from the general population on the Internet.

After all, there wouldn’t be so much phishing, if it didn’t work.

Apparently, the practice is catching on and Amy Joyce of the Washington Post did an interesting article about why the idea might be a good one.

In the article, James MacDougall (South Carolina’s computer security guru) as saying:

You can spend all the money on the technology you want, MacDougall said. But if the end users are doing dangerous behavior, there is almost no cure for that.

Mr. MacDougall has hit an important point right on the head and phishing tends to set new records, every time the Anti Phishing Working Group issues their monthly report. Their most recent report (April) indicates that not only did the number of phishing sites set a new record, but their numbers more than doubled over the previous month (March).

Spam filters designed to stop phishy e-mails seem to be under major attack, and haven't been very effective in the recent past, either.

Maybe, we are spending too much money on technology to solve the problem rather than using some good old fashioned common sense?

One of the reasons, technology tends to be defeated, or used by criminals – is that it is too easily compromised by human beings. Most financial scams rely on the greed factor, or getting people to fall for something that's too good to be true.

It doesn’t take a genius to buy DIY (do it yourself) crime kits, which are readily available over the Internet, and commit what some might consider, sophisticated criminal activity.

Relying on technology to protect us without human oversight is a big mistake, and this holds true, for more than financial crimes.

Government and private systems are attacked all the time for their information.

Technology is a wonderful tool and makes things easier, but it has limitations. Instead of throwing all of our resources into technology, which seems to have a limited life span, maybe we need to focus more on the human factors that put us at risk, daily.

Thought provoking story by Amy Joyce, here.

0 comments

Another 6.3 million people's information stolen at Ameritrade

According to the AP, Ameritrade is reporting that someone hacked into their systems and made off with 6.3 million people's information:

Online brokerage TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority and local authorities.

Allegedly, Ameritrade has known about this for awhile and it might have been the threat of legal action, which prompted them to come forward now:

But Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade's servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

"They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language," Kamber said.

While maintaining confidentiality in an investigation is sometimes necessary, you would think that someone might want to warn the 6.3 million people, who were affected by this?

They might want to start monitoring their finances, carefully.

In addition to this, the stated need for confidentiality is coming from Ameritrade and not a law enforcement source involved in the investigation. The claim that a federal hearing might have forced disclosure might make some wonder about the credibility of what is being said, also.

The verbiage used in the Ameritrade press release states that social security numbers don't "appear" to have been taken is a little scary, also. Does this mean that they aren't sure?

Why would a hacker only take contact information, when social security and dates of birth were available in the same database, also?

My guess is that dates of birth and social security numbers would make the information more valuable to the hackers, who compromised the system.

The press release does state that account numbers and passwords were in a different database, and were not compromised.

Security and identity theft experts are speculating that the information taken could be used to phish for additional information, which then could be to commit identity theft. Phishing is where an e-mail from an official looking, but spoofed (impersonated) source tricks someone into giving up sensitive information.

Tricking people into giving up their information is also known as, social engineering.

Crimeware might also be used to steal the additional information. Once downloaded crimeware, steals information from a system automatically, normally using keylogging software. Crimeware can be picked up by clicking on the link of a phishy e-mail.

According to the Anti-Phishing Working Group, who studies this carefully has reported crimeware use is on the rise. One of the reasons for the rise in crimeware is that DIY (do-it-yourself) kits are being sold on the black market. This allows less sophisticated criminals to get into the game.

The CNet version of the story, quotes Graham Cluley (Sophos) as speculating how Ameritrade's system was probably compromised:

"There are only two different ways this could have happened. There was either a vulnerability with their Web site and it was hacked, or someone internally gained access with a Trojan horse."

Ameritrade has hired ID Analytics, Inc. to monitor what is going on and determine if any identity theft occurs out of all of this.

They are also providing additional information on their site about this unfortunate event for their customers.

The TJX data breach, which compromised over 45 million people, has caused a lot of uproar about how data breaches should be handled and who should pay for them.

Class action law suits are being brought forth and legislation is being introduced to determine, who pays for all the damage, when a data breach occurs.

This is becoming extremely costly for the companies being breached. The last report I saw about the cost incurred so far by TJX is $256 million. The sad thing is that I doubt this is the final figure.

Legislation in California is awaiting Arnold Schwarzenegger's signature, which will require retailers to reimburse financial institutions for the cost of fixing breached financial data. Interestingly enough -- in this data breach and the last major one, I've written about (Certegy) -- the data was not stolen from a retailer.

The Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all compile information on data breaches, which happen so frequently, they are becoming almost "too routine" news events.

If anyone, who was has been affected by a data breach wants independent advice on what to do if you become an identity theft victim, the Privacy Rights Clearinghouse has a very informative page about this, here.

AP story by Josh Funk, here.

0 comments

Is Target's payment card and new refund procedure stopping retail criminal activity?

Will stricter return policies drive Target's customers, elsewhere? Some are saying their new return policy (which will require a receipt for cash returns of $20 or more) -- isn't very customer friendly --and might do just that. Some are also questioning, whether another policy (how they verify plastic transactions) is enabling fraud to occur within their four walls.

So far as the new refund policy, Target's response is that this will affect a very small amount of its customers. Chris Serres, Star Tribune, Minneapolis - St. Paul gives Target's rationale for this:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm with data breaches, carder forums, and do it yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied into methamphetamine use, but in reality, it might also be tied into heroin use, or any other narcotic that people get addicted to. Addicts often turn to retail crime to support their habits, also.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high value (shrink) merchandise and tightened up their return policies. To get past this, many retail criminals use fraudulent payment devices, which are pretty easy to obtain.

Organized criminals now make their "cut" selling the information and devices to less sophisticated crooks, who do all the dirty work for them. Deals are made on the Internet with a click of a mouse, and these devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind it.

Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals UPS, or Fedex, worldwide. Sometimes, they are shipped in bulk to one location and then redistributed. This is another method used to make tracking these devices to their original source, difficult.

Because of the growing availability, retail criminals are using fraudulent payment devices to obtain and then refund merchandise.

If customers using credit cards, debit cards and checks are still allowed to return them without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers, using payment devices (checks, credit cards, debit cards) could get a refund without a receipt? Just to make sure, I called my local Target and told them I lost my receipt from a credit card purchase. I was told to bring my credit card in and they could look up the information.

In light of the many recent data breaches, such as TJX -- where at least 45 million customers were compromised -- this thought scared me. Even if their systems are completely safe (not sure if any really are), does this mean that a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought out security can be beat by one person with access to it!

One of the systems compromised at TJX was their refund authorization system. Not allowing easy access, or even maintaining personal and financial information is the recommended way to prevent data theft.

Besides that, I often wonder how accurate the data is in some of these refund systems. These days, crooks use a lot of other people's information.

Since Target relies on electronic authorization systems (they don't even require their staff to check ID) on credit/debit card transactions, the law enforcement official quoted above might have a very valid concern.

But this isn't the only time, I read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim, who after realizing no one was doing anything with her case, decided to beat the pavement (investigate), herself. Working with a reporter, she did her own check of retailers and here is what happened at Target (as reported on KOMOTV.com):

We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspected credit cards.

Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader."Electronic authorization is faster and more accurate than relying on visual inspection of verification of written signatures," says Brie Heath of Target.

Even with these systems, where a customer swipes their own card, a lot of retailers require that the clerk check identification AND inspect the card on signature transactions. In fact, a lot of pos (point-of-sale) systems prompt the customer and the clerk to do so.

Counterfeiting payment cards has become so easy to do that it's now done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also being counterfeited, but at least visual inspection is going to making it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems read data, and in the case of debit and credit card data, it's being transferred (counterfeited) all the time.

Many might ask why Target would rely on an electronic system with so much fraud going on out there? One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge it back to Target.

When this happens, I'm guessing that Target isn't the one taking the loss, the bank does.

Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) are saying they are unfair to them, also. These merchants claim the rules favor the banks, who are passing off the costs of fraud to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect to see more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief, victims go through in this process. Victims can be held liable for losses, have their credit ruined, and are even charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses do have the right to protect themselves, but passing the financial loss to another business, and ultimately (all of us) does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.

It would be unfair to single out Target on these issues. Other retailers need to be looking at them, also. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this are other human beings. Removing human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation, here.

0 comments