Canadian Charged in Ticket Scams – Auction Sites Need to Step Up Fraud Prevention Techniques

Online classified advertising site scams are typically conducted by scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia, who spend their days targeting consumers in the developed world.

Scammer grammar and general awkwardness make these scams relatively easy to detect. But when a scammer is local, the ruse becomes more insidious and effective.

The Toronto Sun reports that a man in Hamilton, Ontario faces “60 charges for allegedly selling thousands of dollars worth of non-existent tickets to concerts and sporting events, mostly at venues in Toronto.” The suspect “allegedly used Craigslist to sell tickets to pop concerts like Lady Gaga, Taylor Swift and Justin Bieber, or sporting events like Wrestlemania.”

As in most Craigslist scams, the perpetrator had the victims wire money to him, and in this case it was to a local account, which reduced suspicions. He told victims they would get a shipping confirmation number once the money was received, but of course, this was entirely bogus.

At the top of every post, Craigslist reminds you, “Avoid scams and fraud by dealing locally!” But they may not consider that scammers can deal locally, too. My suggestion is to always meet the seller with cash in hand, or simply buy tickets directly from the venue or venue’s website.

Craigslist and auction sites could better protect end users and prevent the majority of these scams by using proven fraud detection tools that are readily available on the market. With device reputation management, they could easily round up accounts opened by scammers by tracking them back to the computers, tablets and smartphones that opened them in the first place. And when those computers try to open more accounts under more stolen identities, the accounts are automatically denied upfront, at the “account creation” stage.

Craigslist could easily employ customized business rules, such as those offered by iovation’s ReputationManager 360 anti-fraud service, to identify high-risk activity. For example, if someone posted a local offer, iovation could expose to the business when users are hiding behind proxies to make it appear as if they were in the local region. If they are selling a used car supposedly in Irvine, California and they are going through the work to mask their IP and make it “look” like they are in Irvine, but their real IP is exposing that they are in Ghana, wouldn’t that be a red flag? When this happens, the business could automatically deny the attempt in a fraction of a second, or at a minimum send it to a review queue so that fraud analysts can take a closer look before exposing a scammer’s offer to the public.
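The account-creation rules described above (deny a device already tied to fraud, deny a device that keeps opening accounts under new identities, and hold a "local" post for review when a proxy hides an IP in another region) can be expressed as a small decision function. This is an added example, not code from the original post or from iovation's service; the data model, field names, the identity threshold, and the assumption that a device-identification layer supplies a fingerprint and the real-IP region are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"   # hold the ad for a fraud analyst
    DENY = "deny"       # refuse the account at creation

@dataclass
class DeviceRecord:
    identities: set = field(default_factory=set)  # names used from this device
    fraud_confirmed: bool = False                 # an account from it was closed for fraud

@dataclass
class Signup:
    device_id: str       # fingerprint from a device-identification layer (assumed)
    identity: str        # name on the new account
    claimed_region: str  # where the poster says the item is
    real_ip_region: str  # region of the IP behind any proxy (assumed available)
    via_proxy: bool

MAX_IDENTITIES_PER_DEVICE = 3  # assumed threshold, tune per business

def evaluate(signup, devices):
    """Return (Decision, reasons) for one account-creation attempt."""
    record = devices.setdefault(signup.device_id, DeviceRecord())
    record.identities.add(signup.identity)  # keep evidence even if denied
    decision, reasons = Decision.ALLOW, []

    # Rule 1: device already tied to confirmed fraud.
    if record.fraud_confirmed:
        decision = Decision.DENY
        reasons.append("device has confirmed fraud history")
    # Rule 2: one device opening accounts under many identities.
    if len(record.identities) > MAX_IDENTITIES_PER_DEVICE:
        decision = Decision.DENY
        reasons.append(f"{len(record.identities)} identities on one device")
    # Rule 3: proxy makes the poster look local; real IP is elsewhere.
    if signup.via_proxy and signup.real_ip_region != signup.claimed_region:
        reasons.append(f"proxy hides real region {signup.real_ip_region}")
        if decision is Decision.ALLOW:
            decision = Decision.REVIEW
    return decision, reasons

def run_constructed_sample():
    """Constructed sample data: five devices, eight signup attempts."""
    devices = {"dev-bad": DeviceRecord({"Old Alias"}, fraud_confirmed=True)}
    attempts = [
        Signup("dev-home", "Ann Lee", "US-CA", "US-CA", False),
        Signup("dev-vpn", "Bo Chan", "US-CA", "US-CA", True),    # proxy, same region
        Signup("dev-mask", "Cy Dow", "US-CA", "GH", True),       # proxy, region mismatch
        Signup("dev-bad", "Di Eng", "US-CA", "US-CA", False),
    ] + [Signup("dev-farm", f"Name {i}", "US-CA", "US-CA", False) for i in range(4)]
    return [(s.device_id, *evaluate(s, devices)) for s in attempts]

if __name__ == "__main__":
    for device_id, decision, reasons in run_constructed_sample():
        print(device_id, decision.value, reasons)
```

A proxy alone does not trigger review here, only a proxy combined with a region mismatch, so ordinary VPN users in the claimed region are not held up.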

In general, with today’s sophisticated fraud prevention technologies and techniques, scammer accounts could and should easily be stopped at the front door (while attempting to set up a new account) — before ads are placed, before ads are read by the public, and before tens to hundreds of visitors act on the ad by engaging in conversation with a cyber criminal who wants to steal their money.

Imagine the scale of bad accounts that could be shut down instantly.  Sophisticated fraud rings could be identified within the business’s network and thousands of fraudulent accounts shut down, making Craigslist and other auction sites a much safer place for the public to look for desired products and services.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)

3 Incredible Reasons Why Security Cameras Rock

Reason 1: In Pittsfield, Massachusetts, a minor league baseball team was reeling after continual theft from the team’s locker room. To help solve the problem, they installed a single video surveillance camera.

The 42-year-old thief was recently caught on camera and arrested for stealing cash from the lockers of the team during a ball game. He of course pleaded not guilty. The video states otherwise. Video doesn’t lie. In this scenario the team players should have locked the locker room up or at least locked their lockers.

Reason 2: A guy named Eddie was labeled a geek by his home invaders, who believed he wouldn’t put up a fight. They were right: he is a geek and didn’t put up a fight. Geeks, in general, are smart though, so he installed a security camera. The thieves broke into his home and stole money, and, vowing not to let that happen again, he went out and bought a surveillance camera.

The next day young teens came to his unlocked home, held him at knifepoint and gunpoint, and robbed him, all caught on tape. All 4 teens were caught and now face prosecution.

Eddie should lock his doors and get a home security system.

Reason 3: This story doesn’t have a happy ending, but hopefully it will. In Oakland, California, a woman was robbed but then sexually assaulted. Amazingly she caught the whole burglary part on tape on her mobile phone.

The video is clear and crisp and will hopefully bring this man to justice.

In the future I’d recommend NOT busting out your mobile video but instead using that same phone to call 911 as you run out of the home to safety. There are many things wrong with this situation, but mainly that the victim didn’t need to be a victim.

I’m a big fan of video, but a bigger fan of RUNNING.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse™ on Fox News. Disclosures

The Consequences of a Teacher’s Facebook Comments

We should all know by now that nothing you post on Facebook is private. You may have gone through all the privacy settings to thoroughly lock down your profile, but even so, you can never be sure that your posts will remain hidden. Facebook alters their privacy settings so frequently, you never know when or how the defaults will change. No matter how strict your privacy settings are, accepting a friend request from a stranger (who may be a human resource officer, for example) allows him or her to see your private comments, which can always be easily copied, pasted, and shared with the world.

The New York Post reported that a Brooklyn, NY teacher said some bad stuff regarding her fifth-graders, referencing the death of a 12-year-old Harlem schoolgirl who drowned on a class trip.

While on a field trip, the teacher used her Blackberry to post, “After today, I’m thinking the beach is a good trip for my class. I hate their guts.” When a Facebook friend asked, “Wouldn’t you throw a life jacket to little Kwami?” she wrote back, “No, I wouldn’t for a million dollars.”


Normally, this is when I would explain that it is never a good idea to announce to the world how much you hate your boss, neighbor, students’ teachers, or spouse, and that you’d like to boil a bunny on the stove to teach them a lesson. I guarantee that even if you are kidding, someone will be offended. Everything you do on the Internet lasts forever.

However, I’d rather encourage anyone with a position of authority and responsibility for others to please, go ahead and post your feelings, thoughts, and motivations as loudly and as clearly as possible. We want to know who you really are. It’s best that you come out of the closet now, so you can be removed from your position if necessary.

Robert Siciliano personal and home security specialist to Home Security Source discussing sharing too much information online on Fox News. Disclosures.

Fraudulent Credit Applications Start with the Device

When Jim Smith opens a credit card account, he doesn’t have to pay the bill. That’s because Jim Smith is committing new account fraud by using Fred Jones’s name and Social Security number.

All Jim Smith needs is some basic information about Fred Jones, much of which is available in the phonebook, in his trash, in discarded files in the bank’s dumpster, or on social media sites. Maybe Fred also happens to work with Jim, and Jim has direct access to Fred’s files.

Once Jim has Fred’s information, all he has to do is go online with the PC in his cozy office, or head down to the local coffee shop and fire up his iPad, or even fill out a credit card application from his mobile phone.

Scenarios like this one happen all day long across the globe.  Credit issuers are constantly looking for new tools to identify fraudulent applications faster.

Online credit applicants can use any number of tricks to get approved for credit, leaving you holding the bag for losses. Instead of verifying identity information on fraudulent applicants, consider verifying the reputation of the device (or computer) being used to submit the application in the first place. When a fraudster connects to your business, the computer being used can be evaluated for risk in a fraction of a second.

If you know the device being used is a known fraudster, you don’t have to spend the time, resources, and money running other fraud checks such as verifying identity information.  You know the source is suspect and you can block the transaction upfront. Device fingerprinting coupled with the device’s reputation and risk profile helps identify the bad guys in the acquisition channel, so you don’t have to rely on other fraud detection tools that drive up the cost to decision an application.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

Three Dead and One Shot in Home Invasion

Not all home invaders invade to steal. Some are simply mentally ill and violent and seek a victim or in this case, victims. Here is an unfortunate example of why you should have a home alarm system and security cameras.

Imagine living into your 80s only to be taken down by the neighbor from down the street in a fit of rage. With no signs of forced entry, the 27-year-old with a history of mental illness committed a random act of violence by stabbing a husband, wife and their son before being shot and killed by the son.

Apparently the son had come home to his parents’ home and walked in on the stabbing. He quickly ran upstairs and grabbed a gun and shot the suspect a bunch of times.

There were no signs of forced entry where the attack occurred. Investigators found one unlocked door between the garage entry and main house.

I’ve seen studies published declaring as much as 50% of all people suffer some form of mental illness. Not all are violent, but the ones who are, are all around us. For your own safety, develop a personal security mindset. This means thinking proactively by asking “what if” questions and visualizing possibilities. By predicting and then preventing bad things from happening, you are actively involved in your personal security and that of your family.

When you do this, develop a strategy that ensures your family’s security. Lock your windows, bolt your doors and install a home security system.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse™ on Fox News Live. Disclosures

ATM Scammers’ New Tactic: Glue

You can almost hear the scammers’ “Eureka!” moment in their evil dungeon lair: “We don’t need no stinking $5000 high-tech remote access Russian-built skimmer – we just need Elmer’s!” And then a crime is committed and history is made.

The San Francisco Examiner reported, “thieves glued down the ‘enter,’ ‘cancel’ and ‘clear’ buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account. The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touch screen to finish their transaction, or become nervous when the keypad isn’t working and react by leaving the ATM.”

Once the customer has gone into the bank to alert a manager or teller, the scammer walks up to the ATM and uses the touch screen to complete the transaction.

Amazing. Even more amazing is that if a criminal were caught gluing ATM keys, he would most likely only receive a misdemeanor vandalism charge, as opposed to a larceny, which would put him in jail. The law has yet to catch up with this new and brilliantly simple crime.

So if you happen upon a glued ATM remember that you can finish your transaction using the touch screen. Once you’ve done so, alert the bank manager as soon as possible so nobody else gets scammed!

When using an ATM, pay close attention to the machine and be alert for anything that seems out of place. Wires, double sided tape, odd configurations or skimming devices on the face of the ATM, or a card that gets stuck in the reader are all red flags.

Don’t necessarily use the first ATM you see. Choose ATMs in secure locations, and be on your guard, even when using an ATM at a bank branch.

Above all, check your bank statements at least once every two weeks, and dispute unauthorized transactions within 30 days.

Robert Siciliano personal and home security specialist to Home Security Source discussing ATM skimming on Extra TV. Disclosures.

Clients Alert Banks to Fraud

In a perfect world there would be no sickness, nothing would ever break, everyone would get along, yummy food wouldn’t make you fat, and there’d be no crime. However, there are forces over which you and I have no control and we have to struggle simply to maintain balance.

In a perfect world, a bank wouldn’t need you or me to help detect fraud.

According to a survey of banks and credit unions, 23% learn of fraud through their own auditing processes. This means that more than three quarters of all bank fraud is detected either by customers or third parties. Just 32% of banks felt prepared to prevent online bank fraud.

That’s far from perfect, which means you, the customer, must pay close attention to your accounts.

Check your online statements frequently. I no longer receive paper statements and I don’t wait for my monthly online statement, either. Once a week, I check each individual account online. Check your investment accounts, credit cards, checking and savings account, and any other account that holds your money or grants you credit.

Create a bookmarks folder with links to all your accounts and set a consistent time to check each account, every week. Monday mornings, Wednesday afternoons, or Friday afternoons work for me.

Sign up for Mint. This service helps track activity on your bank and credit card accounts and sends notifications of any transactions involving any linked account.

The moment you spot a discrepancy, contact the institution and remedy the issue. Remember, as accommodating as a lender may be, they will often put up a fight before crediting your account for any losses. Persistence pays off.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses identity theft in front of the National Speakers Association. Disclosures


67% of Companies Fail Credit Card Security Compliance

All merchants who accept credit cards are now subject to strict Payment Card Industry standards, rules, and regulations, which require a level of security that took about five years to finally implement.


PCI exists to increase credit card security and, among other goals, to stave off government intervention. While significant effort has been made to improve the security of credit card data processing, adequate attention has yet to be given to the identification, authentication, and accountability of cardholders.


For consumers, the primary concern is account takeover. Account takeover occurs when your existing bank or credit card accounts are infiltrated and your money is siphoned out. A hacked account or stolen credit card is often to blame.


InformationWeek reports that according to a new Ponemon Institute survey, “50% of security professionals view PCI as a burden, and 59% don’t think it helps them improve security. Furthermore, comparing this study with the inaugural one conducted in 2009, the number of respondents who said they had sufficient resources to comply with PCI dropped from 40% to 38%. Ponemon also found that the number of organizations that had experienced a data breach in the past two years increased from 79% in 2009 to 85% in 2011.”


Retailers who invest in device fingerprinting and device reputation make it much easier to identify bad guys during purchases, making those stolen credit card numbers way less valuable to thieves. By instantly evaluating a device’s history for criminal activity and assessing risk on new devices within a fraction of a second, retailers can stop fraudulent transactions before the order is accepted and product shipped.


Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston.

5 Online Security Using PayPal

Sometimes home security begins online. Many millions use and rely on PayPal for convenient and secure ecommerce transactions. But is it safe? The short answer is “yes”. The longer answer is “it depends”.

PayPal has numerous redundant measures of protection in place to protect their user accounts. PayPal falls under many of the same rules and regulations as banks and retailers. They don’t have a choice to be secure or not; they have to be.

But PayPal, just like everyone else, is under constant attack.

Most security issues with PayPal aren’t actually with PayPal at all, but with its users.

1. Don’t click links in emails that come from PayPal. The emails may not be from PayPal but from scammers trying to phish your information. Always directly log into PayPal to access your account.

2. Don’t link your bank account to PayPal. If your PayPal account is compromised then the money stolen will be from your bank account as opposed to your credit card account. There are many more layers of security in your credit card connected to PayPal.

3. Keep your PC security updated. Your PC is a path to PayPal, your bank or any other online accounts you have. Many of those accounts are only as secure as your PC. Make sure you have updated anti-virus, firewall, spyware detection/removal etc.

4. Use a trusted PC. I would never use anyone else’s computer to log in to my bank or PayPal.

5. Use a trusted internet connection. Banking online or using PayPal from a free internet café invites trouble. Your best bet is a hard-wired connection from home.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures

Scam Artists Sell Over $4 Million in Fake Tickets Every Month

Second-hand ticket retailer viagogo has revealed that scam artists selling fake tickets are collectively reeling in just over $4 million a month, or $49 million a year.

Viagogo found that more than 67,000 fake music festival tickets were sold last year. In 2011, that number could reach 100,000. Most of this scamming occurs during the summer, the most popular season for concerts.

Ticket scams have been occurring for years. When a ticket is nothing but a piece of paper with a barcode that is scanned at the gate, counterfeiting is child’s play. Some events provide wristbands to ticketed attendees, and these wristbands can also be easily faked.

Watermarks and other security features make tickets a bit more difficult to recreate, but these low-tech methods of determining a ticket’s authenticity are often lost on the general public. The victim only realizes the scam when he’s denied entry to an event.

Avoid scalpers, period. Unless you know them personally, just buy tickets at the venue’s window. When purchasing tickets online, stick to legitimate websites. An online search will probably turn up plenty of options, but only buy from familiar, trusted brokers.

Scam artists often take advantage of online ticket companies by buying up blocks of tickets with stolen credit cards, either to counterfeit or simply to overcharge the public.

Fortunately, some ticket brokers have deployed device reputation, which allows them to uncover computers or other devices responsible for fraudulent activity or exhibiting suspicious behavior at the point of sale, and deny transactions from these devices. This kind of visibility gives ticketing services businesses a powerful advantage. More than ever, they can easily identify the scam artists and where they’re coming from.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses yet another data breach on Good Morning America. (Disclosures)