2012: Year of the Skimmer

Fraud Losses to Increase; Mag-Stripe Vulnerabilities to Blame
By Tracy Kitten, January 18, 2012

Fraud losses linked to card skimming are quickly hitting epidemic proportions. Robert Siciliano, a security expert and McAfee consultant, says 2012 will be to skimming what 2011 was to the hacker and hacktivist. "2012 will be the Year of the Skimmer," he says. "Skimming fraud is an epidemic," says Mike Urban, who oversees product management for Fiserv's Financial Crimes division. "And it continues to grow every year."

Some big skimming cases have grabbed headlines in recent months. Last June, four men were charged for their alleged involvement in a $1.5 million ATM skimming scheme that targeted Citibank and JPMorgan Chase ATMs in New York, Chicago and Miami. And 28 suspects were indicted in November for their alleged connection to an organized credit-card skimming ring that recruited waiters and waitresses at high-end restaurants in Manhattan to collect card details from American Express accountholders. Card skimming itself is relatively simple. "It's very low-tech," Urban says.

To read the entire article, click here: http://www.bankinfosecurity.com/articles.php?art_id=4417&rf=2012-01-18-eb&elq=bfc58a74b5204885bb25f0936a6ba29b&elqCampaignId

Feds Bust $2 Million Fraud Scam

Bank Insiders Key to Alleged ID Theft Scheme        

By Tracy Kitten, December 22, 2011

U.S. federal authorities have indicted 55 suspects for their alleged involvement in an identity-theft and financial crime ring that used insiders at banks, a non-profit institution, a high-end car dealership and a real-estate management company to steal personally identifiable information from more than 200 individuals and organizations.    
      

According to charges filed by the Manhattan District Attorney, stolen names, dates of birth, addresses, Social Security numbers and financial information were used through a variety of schemes to defraud victims and financial institutions. Between May 2010 and September 2011, the New York crime ring is accused of stealing more than $2 million from JPMorgan Chase Bank, TD Bank, Citibank, Discover and American Express. The charges include conspiracy to commit grand larceny, grand larceny, criminal possession of stolen property, identity theft and criminal possession of a forged instrument.

The 18-month investigation, which relied on court-ordered eavesdropping, physical surveillance, computer forensics and analysis of credit card, banking and phone records, remains open.

"Today's indictment reveals another tool of organized identity thieves - insiders who betray their employers and prey on clients," said Manhattan District Attorney Cyrus R. Vance in a statement about the case. "These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices."

To read the entire article, click here: http://www.bankinfosecurity.com/articles.php?art_id=4350&rf=2011-12-22-eb&elq=2089d9f1275c4a69a721677f9c7f3d06&elqCampaignId=1034

94 Indicted in Fraud Scheme

Crime Ring Accused of Stealing $450,000 from TD Bank
By Tracy Kitten, Managing Editor, BankInfoSecurity, CUInfoSecurity

A simple savings and checking-account deposit and transfer scam, which resulted in the theft of more than $450,000 from TD Bank, is believed to have exploited basic weaknesses in the bank's funds-availability practices.

The Manhattan District Attorney's Office announced Wednesday that 94 individuals had been indicted for their roles in the scheme, which between August 2009 to May 2011 relied on the deposit of cold checks and transfers between savings and checking accounts at TD Bank.

The crime ring - allegedly led by two Bronx men and one suspect whose address remains unknown - is accused of opening more than 90 bank accounts at TD Bank to deposit bad checks and later withdraw funds before TD learned the deposits had bounced.

Traditionally, funds are not available until deposited checks clear; but the transfer of funds via telephone from savings accounts to checking accounts allowed immediate access, prosecutors say - a process the recruiters exploited.

The indictments claim the defendants then withdrew the funds from ATMs at casinos in Atlantic City and Connecticut or from Western Union offices in Manhattan. The indictments' charges include conspiracy to commit grand larceny, grand larceny and criminal possession of a forged instrument.
Joel Luciano, 30, and Freddie Mercado, 25, both of the Bronx, and Jose M. Cruz, 34, address unknown, have been charged with orchestrating the TD scam. Six other defendants working under the trio as recruiters also have been accused of playing lead roles, by allegedly hiring 85 front-liners who wrote the bad checks used to open the new TD Bank accounts.

To read the entire article, click here: http://www.bankinfosecurity.com/articles.php?art_id=4313

FBI Warns of New Fraud Scam

Zeus Variant Can Defeat
Two-Factor Authentication

By Tracy Kitten

The Federal Bureau of Investigation has issued a warning about a new Zeus malware attack targeting commercial bank accounts, ultimately leading to incidents of corporate account takeover. The Zeus variant used: a malware called Gameover, which the FBI says is able to defeat several forms of dual-factor authentication. To protect themselves, the FBI suggests consumers and businesses pay attention to suspicious e-mails. In the case of the Gameover attacks, e-mails purporting to come from NACHA-The Electronic Payments Association contained malicious links. NACHA does not traditionally send e-mails directly to businesses or consumers. Receipt of a direct e-mail from an organization such as NACHA should raise a red flag.

But according to the FBI's Denver Cyber Squad, it's not just phishy emails and dual-factor get-arounds that have made the Gameover attacks forces to be reckoned with. As it turns out, the fraudsters behind this scheme combined a number of tactics, including the use of money mules and denial of service attacks, to con businesses and banks out of funds.

To read the entire article, click here:
http://ffiec.bankinfosecurity.com/articles.php?art_id=4295&rf=2011-12-02-eb&elq=5209da99abcc4e7b8fa7af3303c5ca23&elqCampaignId=904

How free Wi-Fi can put you at risk

By Analisa Nazareno, CreditCards.com

Private data, including credit card numbers, can go public quickly from your corner coffee shop. Here's what you need to know to stay safe.

If you use a free Wi-Fi connection in an airport, cafe, hotel or some other public space, you may be taking a big risk with your credit card information and other important data. But the good news is there are steps you can take to secure your information.

About one in five people who surf the Internet have used free, public wireless Internet connections (or Wi-Fi), according to JiWire, a San Francisco company that directs advertising toward Wi-Fi users. In doing so, those Wi-Fi users were taking a chance -- whether they realized it or not -- that their computers wouldn't be hacked and their identities stolen by another person sharing the same connection. Experts say that's because anything you do while you're on a public connection is less secure than when you're logged in at your home or office.

To read the entire article, click here: http://money.msn.com/identity-theft/how-free-wi-fi-can-put-you-at-risk-credit-cards.aspx

Holiday fraud—How not to be scammed

Reprint from November 18, 2010

in Crime Prevention, Cybercrime, Fraud, identity theft, theft

Crime in America.Net

We passed around material from the US Department of Justice recently on the investigation of computer crimes. The documents are profoundly detailed and indicate that the justice system is taking the issue very seriously.

Throughout this site we have made an effort to warn consumers that computer based fraud is increasing. We’ve stated that 8 million households experience identity theft and noted a 31 percent increase in credit card theft, see http://crimeinamerica.net/2010/07/02/8-million-households-experience-identity-theft-31-percent-increase-in-credit-card-theft-prevention-resources-available/. We also posted methods and sources to protect you from computer crime. All of our previous cybercrime posts are at http://crimeinamerica.net/category/cybercrime/. We are deeply concerned that offenders are gravitating towards the internet in increasing numbers; it’s easy, there are endless targets and the risk of violence and apprehension is low.

Preventive information from the Federal Bureau of Investigation (FBI) is below as to what you can do to keep the scammers from scamming you during the holidays. We’re not suggesting we know more than the experts, but the bottom-line seem to be:

• Don’t give out personal or financial information on the internet;
• Deal directly with reputable websites and stores;
• What appears to be a huge bargain is a fraud.

To read the entire article, please click here: http://crimeinamerica.net/2010/11/18/holiday-fraud%E2%80%94how-not-to-be-scammed/

Medical Identity Theft

Credit to Insurance Fraud.org

Identity theft, the fastest-growing crime in America, has spawned a vicious new strain: medical identity theft. Thieves steal your personal information to line their own pockets with fraudulent claims against your own health policy.

Medical thieves can heist your health-insurance number, Social Security number and other personal information. Often the information is stolen by employees at medical facilities, and resold on the black market. Thieves also may hack into medical databases or break into medical facilities.

Medical ID theft can cost you thousands of dollars, constant stress, and even threaten your life and health. Unless you check your medical records closely, you may discover you were defrauded only after the damage has been done.

As many as 500,000 Americans have been victims of medical identify theft, says the World Privacy Forum. And this crime is spreading fast: The Federal Trade Commission received almost 19,500 reports of medical ID theft from January 1992 to April 2006. About one every four reports came in 2006 alone.

To read the entire article, click here - http://www.insurancefraud.org/medical_id_theft.htm

Protect Your Business From Identity Theft

By Barbara Weltman

Individuals aren’t the only targets of identity thieves. Businesses – small businesses in particular – can become victims of security breaches through their computers. According to the Internet Security Threat Report (ISTR) from Symantec for activities in the first half of 2005, phishing (a method of stealing confidential information such as passwords, credit card numbers and other financial information) grew by an average of 2.99 million messages a day to 5.70 million – a 40% increase over the second half of 2004.
 But you don’t have to remain exposed to identity thieves. You can take security measures to thwart their attempts to breach your systems.

Create a Security Plan

Take a long hard look at your business practices to see if you may be vulnerable to attack. Are customer information and your company financial data secure? To make certain of this, follow these steps (adapted from Symantec’s recommended security practices for small businesses at www.symantec.com/smallbiz)

To read the entire article, click here - http://www.smallbusinessadvocate.com/small-business-articles/protect-your-business-from-identity-theft-1529

Phishing Attacks Pose Heightened Threat

'Spear-Phishing,' Risky Behavior and Poor Protections To Blame

By Tracy Kitten

What's on tap for fraud in 2011? Quite a bit, unfortunately. The list of schemes and trends hasn't shortened from 2010.

The good news: most banking/security leaders are more aware of the risk management and security items they need to check off their to-do lists.

One area where they will inevitably spend investment dollars and time relates to the fight against phishing. Like most fraud, phishing attacks are increasing in number and sophistication. Banks know these are a problem, but fighting back is becoming increasingly difficult.

According to our own research, phishing and vishing rank among the top three fraud threats banks and credit unions currently face. About half of the respondents to our Faces of Fraud Survey say phishing and vishing are major concerns. Interestingly, only 20 percent say they feel prepped to fight and prevent those attacks against their customers and brands.

Part of the concern stems from emerging channels, such as mobile, which are more often used to access online banking.

To read the entire article, click here - http://blogs.bankinfosecurity.com/posts.php?postID=855&rf=2011-01-18-eb

The Faces of Fraud: Fighting Back

See How Financial Institutions Respond to the Latest Threats

From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was "The Year of Fraud," and the year's incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.

In response to the growing fraud threats – and to the demand for new solutions – Information Security Media Group just concluded its latest survey, "The Faces of Fraud: Fighting Back."

This is the Executive Summary of the survey results and what they suggest for fighting fraud in 2011.

One of the most telling responses of the survey is to this question:

When is a fraud incident involving your organization usually detected?

To read the entire article, click here - http://www.bankinfosecurity.com/surveys.php?surveyID=9

Military Overuses PII Raises ID Theft Risk - MUST READ!!!

Report: Uninformed, Cavalier Culture Limits Efforts to Curb PII Use

By Eric Chabrow, Executive Editor, GovInfoSecurity.com

The military's use of Social Security numbers and other forms of personal identifiable information such as birth dates places service members at a higher risk of identity theft than the population at large, and efforts to limit their use are meeting resistance by an "uninformed, sometimes cavalier" military culture.

That's the thrust of a paper written by four senior Army officers and West Point faculty members, entitled The Military's Cultural Disregard for Personal Information, which appears on the website of Small Wars Journal.

"In an era when an individual's Social Security number and date of birth have become the keys to identity theft, the ubiquitous use of the Social Security number by the military services is reckless," the paper says. "The problem is compounded by an uninformed, sometimes cavalier, culture and attitude surrounding the protection of PII that is common in the military."

In an interview, one of the paper's authors addresses the ubiquitous of Social Security numbers in military life. "We use the Social Security number in every aspects, both mundane and sensitive," Lt. Col. Gregory Conti says. "We use the Social Security number as an identifier and as a password. Children 10 years old and up have a military ID card with their sponsor's Social Security number on it. It's in every facet of our lives. It's in our recycling bins. We shout it out in formation; we thumbtack it to bulletin boards. It's everywhere, so we're courting disaster in how we us it."

To read the entire article, click here - http://www.govinfosecurity.com/articles.php?art_id=3150&rf=2010-12-08-eg

WikiLeaks: Stronger Access Mgt. Needed

Was a Process Failure Preordained?

By Eric Chabrow

Not adequately implementing access management - deciding who should gain entry not only to an IT system but to specific data, as well - is a major process failure that led to the WikiLeaks leaks, the unauthorized access and downloading of 250,000 sensitive and classified diplomatic cables and other files.

Simply, if properly configured, an access-governance system might have prevented an Army private from extracting the diplomatic cables. The government alleges that Pfc. Bradley Manning, an Army intelligence analyst, illicitly downloaded the files through a Secret Internet Protocol Router and saved them to a disk, which he provided WikiLeaks. Though Manning had security clearance - his job was to route intelligence reports to his superiors - it's unclear why he would or should have authorization to access and download State Department reports.

To read the entire article, click here - http://blogs.govinfosecurity.com/posts.php?postID=806&rf=2010-12-02-eg



 

Courts: Using Another's SSN Not A Crime?

by Bob Sullivan

Is using a forged Social Security Number -- but your own name -- to obtain employment or buy a car an identity theft crime? Lately, U.S. courts are saying it's not.

The most recent judicial body to take on the issue, the Colorado Supreme Court, ruled last month that a man who used his real name but someone else's Social Security number to obtain a car loan was not guilty of "criminal impersonation," overturning convictions by lower courts.

That follows a ruling last year by the U.S. Supreme Court that a Mexican man who gave a false SSN to get a job at an Illinois steel plant could not be convicted under federal identity theft laws because he did not knowingly use another person's identifying number. The ruling overturned an opinion by a federal appeals court in St. Louis -- and contradicted earlier findings by circuit courts in the Southeast, upper Midwest and the Gulf states.

It hasn’t been a shutout for identity theft prosecutors, however. In July, an Iowa state appeals court came to the opposite conclusion, affirming a lower court decision that a man who used a California woman's SSN to obtain employment was guilty of breaking that state's identity theft law.

Identity theft can take many forms, but one of the most vexing is so-called "SSN-only" ID theft. In it, an imposter uses a victim's SSN --- sometimes purchased from a broker, sometimes nine digits pulled out of thin air -- to obtain credit or to provide necessary documentation to obtain work. In many cases, SSN "borrowing" is successful and the imposter goes undetected for years.

At the heart of all these cases is a simple question: Does the mere use of an anonymous victim's SSN break identity theft laws?

Mari Frank, a California-based lawyer and identity theft victim advocate, said courts are failing to recognize the real harm caused by imposters, even if imposters are unaware of that harm.

"You can't say there's no victim,” she said. “That Colorado ruling really aggravated me," she said. Courts are mis-applying impersonation laws, and that could really hurt victims. "(The judges) just don't get it."

To read the entire article, click here - http://redtape.msnbc.com/2010/11/courts-using-anothers-ssn-not-a-crime.html

PCI: Small Merchants Need to Catch Up

New Survey Finds Small Merchants Don't Invest in PCI Compliance

By Tracy Kitten

Why has industry-wide compliance with the Payment Card Industry Data Security Standard proved so challenging? PCI-DSS is not new -- the standard is six years old. And changes to the standard, though somewhat significant during the early days, have not, as of late, been so dramatic.

The PCI Security Standards Council has been very vocal about its decision this year to keep standards relatively stagnant. The council says the PCI-DSS is mature and inclusive. And it wants to give the payments community a chance to catch up on compliance.

To read the entire article, click here -
http://blogs.bankinfosecurity.com/posts.php?postID=775&rf=2010-11-19-eb

Phishing Attacks On The Rise

Global Effort is Only Way to Fight Threat to Banking Customers

Tracy Kitten, Managing Editor

A recent rash of targeted phishing schemes -- which included hits to military accountholders and their families at USAA and Navy Federal Credit Union, as well as a separate attack on officials at the World Bank -- has again brought the crime to the fore.

It's just the latest spree in a long line of phishing and vishing attacks that have grown to be more selective in their approaches, using malicious e-mails or phone calls that send unsuspecting users to spoofed websites, where malware hijacks banking credentials.

The schemes are more targeted than they were 18 months ago, says John Buzzard, client relations manager for FICO, which provides decision management and predictive analytics solutions. Those targeted launches, which hit customers and members at specific financial institutions, often reap more rewards for the fraudsters.

"For the criminal, you get more out of targeting a specific institution, because a lot of these folks are not used to getting scammed," Buzzard says. "Oftentimes, they are targeting people who are not quite so savvy and don't have a lot of experience with the Internet and banking online."

In the USAA and Navy FCU cases, Buzzard says, targeting military families has proven profitable. "It's not that military members and their spouses are less savvy; but when you have one parent overseas fighting and the other at home taking care of all of the finances, they can be stressed and distracted and may not be paying so much attention," he says. "Stressed-out military spouses are juggling many things, and they could be in a hurry to respond to something without thinking about it thoroughly."

To read the entire article, click here - http://www.bankinfosecurity.com/articles.php?art_id=3080&rf=2010-11-13-eb

ID Theft: SSN Is 'Key to the Kingdom'

Incidents Prove Link Between Social Security Numbers, ID Theft

Tracy Kitten, Managing Editor

The Colorado Supreme Court decision to reverse a conviction for criminal impersonation has stirred debate among identity theft protection advocates. In short, advocates say the Oct. 25 ruling sets a precedent that provides a loophole for those who impersonate others by stealing and/or misusing Social Security numbers.

"The Social Security number is the key to the kingdom of almost every type of identity theft," says attorney and certified information privacy expert Mari Frank. "It's the key to medical-benefit theft, government-benefit theft, you name it. This case, I think, sets a very bad precedent," she says, "because there are a number of people with bad credit or a criminal record or even illegal immigrants in this country that would use a stolen Social Security number to get a job, take out a car loan or get other benefits."

The Colorado Supreme Court overturned by a 4-3 decision the 2006 conviction of Felix Montes-Rodriguez for misusing another person's Social Security number to find work and apply for a car loan. Montes-Rodriguez' immigration status is not known; but the court found that because he used his own address, birth date and place of employment when he applied for the car loan, the use of the stolen Social Security number did not constitute false identity.

To read the entire article, click here -
http://www.bankinfosecurity.com/articles.php?art_id=3069&rf=2010-11-06-eb

ID Theft: SARs On The Rise

Identity Theft Reports Jump; Most Attributed to Family

Tracy Kitten, Managing Editor

The majority of identity theft incidents reported by U.S. financial institutions don't relate to phishing attacks and spoofed website pages. According to a new ID theft report from the Financial Crimes Enforcement Network, most cases of ID theft are linked to a victim's family members or coworkers. 

John Summers, a project officer at FinCEN and a lead in FinCEN's report, "Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports", says ID theft perpetrated by family, friends and business partners ranked No.1 among SARs filed by U.S. depository institutions in 2009. "In 27.5 percent of the filings, this was the highest," he says. "It basically means someone close to them was getting access to their files and using their information."


Summers says only 3.5 percent of the ID theft incidents reported in SARs related to computer viruses and Trojans, such as Zeus. For vishing and phishing, the incidents reported were even fewer. "The only ones I found were in new data, and it would only come out to .15 percent," he says. "That does not mean those types of attacks did not occur and account for theft and losses. It just means that the victim was not aware and did not report it as a phishing (or vishing) attack."

To read the entire article, click here - http://www.bankinfosecurity.com/articles.php?art_id=3031&rf=2010-10-26-eb

Guarding Your Good Name - Protect Your Identity Week Offers Classes, Info and Free Shredding

Posted by Donna Freedman on Friday, October 15, 2010

Almost 10 million Americans were victims of identity theft fraud in 2008, according to the Federal Trade Commission. Apparently you can't be too careful: 16% of the victims knew the person who had committed the crime -- and 6% of the time it was a family member.

How can you avoid being ripped off?

The third annual Protect Your Identity Week is a good start. Oct. 17-23, you can avail yourself of:
Document shredding. Cell phone recycling. Credit report reviews.

Short seminars such as "Avoid Scams and Fraud," "Protect Your Identity," "Keeping Your ID Safe on the Internet" and "Get Smart About Credit."

To read the entire article, click here - http://articles.moneycentral.msn.com/SmartSpending/blog/page.aspx?post=1816442&_blg=1,1816391

How Identity Theft Happens: Small Business is Big Profit

From Jerri Ledford, former About.com Guide

Jennifer and Rick took over the company that their father built from the ground up. In the years they’ve worked at and owned the company, they’ve grown it by offering compliance services in the transportation industry. On a daily basis, they struggle with Department of Transportation regulations, transportation tax issues, and myriad other details of owning the business. What they never dreamed they would have to deal with was identity theft.

Business identity theft is growing at an astounding rate. And many small and medium-sized businesses just don’t realize how at risk they are. Take Jennifer and Rick’s company for example. It’s a small company, with less than ten employees and a few hundred customers. Why would an identity thief be interested in them?

To read the entire article, click here - http://idtheft.about.com/od/businessidtheft/a/smallbizidtheft.htm

Zeus Arrests Won't End Fraud

Experts: Law Enforcement Won a Battle, Not the War

Linda McGlasson, Managing Editor

Authorities in the U.S. and Europe last week made a sweeping set of arrests, disrupting a large-scale, international cybercrime operation tied to the malware called "Zeus."

U.S. officials have charged 92 suspects believed to have been involved in cyber attacks that stole $70 million from bank accounts over the last four years. Meanwhile, authorities in London arrested 19 people who allegedly stole more than $9 million in just over three months using the same malware. Police in the Ukraine arrested five suspects on September 30.
But will 116 arrests make a dent into the international banking fraud being perpetrated via Zeus? Don't get your hopes up, say industry experts.

"While these arrests may make some think twice," says Robert Siciliano, an identity theft expert and McAfee consultant, "the vast majority of criminal enterprises will keep pursuing the millions to be made from flawed security systems."

To read the entire article, click here - http://www.bankinfosecurity.com/articles.php?art_id=2972&rf=2010-10-05-eb