Scammer Guilty of $2.7 Million Online Auction Fraud

/0 Comments/in /by

Auction scams are messy. Consumers who are new to the world of online auctions are more likely to fall victim to deals that are too good to be true. Victims either get stuck with inferior or counterfeit goods, or they are charged and never receive the purchased item at all.

My spouse used eBay to search for skin care products, and was pleasantly surprised by the low prices she found for the products she wanted. Since she doesn’t have much experience with eBay, she called me over to help her complete the transaction. I saw that the seller had no feedback from previous buyers, and suggested that my wife hold off on the purchase. She begrudgingly agreed with me, and the next day when she logged in, the seller had been suspended from eBay. (I told her I’m wicked smart!)

If it looks like it might be fraud, it probably is.

A Romanian man recently pled guilty to charges of wire fraud and conspiracy before a Chicago judge, after having acted as a money mule in a scheme that scammed eBay, Craigslist, and AutoTrader users out of $2.7 million. The man’s associates in Romania used auction websites to sell nonexistent cars, motorcycles, and RVs. Buyers paid by wiring money to the scammers’ accounts, but never received the expensive items they had supposedly purchased.

Online classified and auction websites could prevent fraud and protect their users by incorporating device reputation management. One anti-fraud service getting lots of attention for delivering fast and effective results is ReputationManager 360 by iovation Inc. This software-as-a-service incorporates device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

While iovation does not collect any personally identifiable information (PII) from their business clients, they have a very unique view into the connections between computers and the accounts they access. For example, what might typically look like one transaction to a single auction site is often a coordinated attack across multiple sites.  When a group of devices hits multiple sites, across various industries, iovation can detect the attacks through velocity triggers and shared experiences across their customer base to alert the affected business and thwart the attacks.

A device reputation check used on a scammer setting up a new account in an online action site would stop him at the front door, leaving no chance to post fake items for sale which would soon cause damage to the business and its customers.

eBay makes safety recommendations for users, and the first rule is to use eBay’s built in payment system, and not to use alternate payment methods, like wiring money.

Never provide sensitive personal information like your account password, a credit card or bank account number, or your Social Security number in an email.

Before you bid or buy on eBay, know your seller. Look at your seller’s feedback ratings, score, and comments to get an idea of their reputation within the eBay marketplace.

I generally recommend using PayPal to help prevent online identity theft. If you use your credit card, check your statements frequently and refute any unauthorized charges immediately.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

10 Types of Criminal Social Media Impersonators

/0 Comments/in /by

Social media is the fifth form of mainstream media. At this point, most people know how to use social media, and how to navigate the various websites. But what most users don’t yet realize is how social media can be used against them.

Social media identity theft occurs for a number of reasons.

1.    An online impersonator may attempt to steal your clients or potential clients.

2.    Impersonators may squat on your name or brand, hoping to profit by selling it back to you or preventing you from using it.

3.    Impersonators who pose as legitimate individuals or businesses can post infected links that will infect the victim’s PC or network with a virus that gives hackers backdoor access.

4.    Impersonators sell products or services and offer deals with links to spoofed websites in order to extract credit card numbers.

5.    An impersonator poses as you, and even blogs as you, in order to damage your name or brand. Anything the impersonator writes that is libelous, defamatory, or just plain wrong hurts your reputation and can even make you the target of a lawsuit.

6.    Impersonators harass you or someone you know, perhaps as revenge over a perceived slight.

7.    An impersonator steals a name or brand that has leverage, such as an employee, celebrity, or Fortune 500 company, as a form of social engineering, in order to obtain privileged access.

8.    An impersonator may be obsessed with you or your brand and simply wants to be associated with you.

9. An impersonator might parody you or your brand by creating a tongue-in-cheek website that might be funny and obviously spoofed, but will most likely not be funny to you.

10. An impersonator poses as an attractive woman or man interested in a relationship in order to persuade potential victims to send naked photos, which can then be used for extortion.

Social media sites could go a long way in protecting their users by incorporating device reputation management.  Rather than looking at the information provided by the user (which in this case could be an impersonator), go deeper to identify the computer being used so that negative behaviors are exposed early and access to threatening accounts are denied before your business reputation is damaged and your users abused.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media Facebook scammers on CNN. Disclosures.

The Ever Present Credit Card Scam

/0 Comments/in /by

The Ever Present Credit Card Scam

When people ask me, “How do I protect myself from credit card fraud?” I tell them, “Cancel the card, or never use it.” Because that’s the only way. Otherwise, all you can do is hope the merchant has a sophisticated system in place to mitigate the fraud.

The FBI’s Internet Crime Complaint Center’s Annual Report determined that the total dollar loss from all cases of fraud in 2009 that were referred to law enforcement by IC3 was $559.7 million; that loss was greater than 2008 when a total loss of $264.6 million was reported. Some estimate identity fraud in total at over $50 billion.

Flaws in the system used to issue credit facilitate new account fraud, since creditors often neglect to fully vet credit applicants with technology as essential as device reputation. Account takeover requires nothing more than access to credit card numbers, which can be accessed by hacking into databases or skimming cards at a point of sale terminal, ATM, or gas pump.

You should be aware of these common scams:

Micro Charges: Micro charges are fraudulent charges ranging from twenty cents to ten dollars. The idea is to keep the amounts low enough to go unnoticed by cardholders.

ATM Skimmers: Criminals can place a card reader device on the face of an ATM to copy your card data. The device, which appears to be part of the machine, may use wireless technology to transmit the data to the criminals. In many cases, thieves will also hide a small pinhole camera somewhere around the ATM (in a brochure holder, mirror, or speaker, for example) in order to record PIN numbers as well. Always cover the keypad with your other hand when entering your PIN.

Dummy ATMs: ATMs can be purchased through eBay or Craigslist and installed anywhere. (I bought one from a guy at a bar for $750.) A dummy machine has been programmed to read and copy card data.

Phone Fraud: The phone rings and it’s a scammer claiming to be calling from your bank’s fraud department. The scammer may already have your entire card number, which could be stolen from another source. You might be asked about a fictional charge you supposedly made, and when you deny it, you’ll have to provide your three to four digit CVV number in order to have the charge removed. Never give out this type of information over the phone.

Phantom Charges: When searching for something on the web, you come across a great deal. In the process of ordering, the website informs you that a discount is available along with a free trial of another product. Thinking you’re saving money, you take the bait. The next thing you know, your card is being charged every month and the company makes it very difficult to cancel the charges.

Look for and do business with companies that have a comprehensive, defense-in-depth approach to protect consumers against identity and financial fraud. Check your credit and banking statements carefully. Scrutinize every charge and call your bank or credit card company immediately to refute any unauthorized transactions.

(Be sure to do it within 30 or 60 days at most, depending on the type of card.)

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses ATM skimming on Extra TV. Disclosures.

Are Internet Cookies Good or Bad?

/0 Comments/in /by

Neither, they are just a mechanism to how the Web works.  The bigger question is, are the uses thereof good or bad.

Microsoft, Google, and Firefox are implementing do-not-track features into their browsers, giving consumers the option to block cookies that may track their surfing for advertising purposes.

Most major websites now install cookies on your computer, which, over time, help develop a profile that serves as your digital fingerprint. This is why, after searching for a specific product, you may notice advertisements for that particular product or brand appearing on various other websites.

But not all cookies track you in order to sell you something. Many are there for security purposes. Merchant Risk Council considers “where the line is drawn between the proper and improper uses of this type of technology (protecting against online fraud vs. targeted online marketing).”

Several companies use cookies as well as other technologies, such as tokens, along with sophisticated and unique pattern matching that can only be derived from extensive and unique experiences with a shared reputation database, to identify and re-identify devices.

I don’t see any physical harm or identity theft ever happening as a result of of this refined marketing or especially device identification, especially when it comes to techniques meant to watch your back and protect you.

With privacy watchdogs addressing this kind of advertising as a major concern, and the Obama administration now stepping in, we will surely see the implementation of some standards in this kind of marketing practice over the next few years.

The MRC wonders, “As this issue gets more play, and consumers become more aware of this technology, will there be any effect on “good customer” behavior by potentially scaring people away from online shopping?”

I doubt it. But right now, government, industry, and consumers need to understand the difference between good cookies and bad cookies, before rash decisions designed to give us slightly more privacy make us more vulnerable to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Online Dating Sites a Haven For Criminals

/0 Comments/in /by

I’m weird. I know this because people tell me all the time. They tell me I’m weird because I like to do things that most people don’t. I like to do things that are different, and different usually means weird. One of my little weird things is posing as a woman. Yup. Read on.

I like to expose the flaws in our systems, to find what makes us vulnerable. Much of my “research” (or my “antics,” as some would say) is prompted by my desire to learn more about the scumbags of society, who prey on others.

So I sign up for online dating sites, create a profile as a woman, and wait for men to contact me. My research has led me to discover some particularly shady methods scammers use to target emotionally vulnerable victims. The most common is an advanced fee scam involving a wire transfer.

A divorced mother of three in Britain was taken for £80,000 by a scammer posing as a US soldier. It began when a man who called himself Sergeant Ray Smith introduced himself on a dating website. Soon they were chatting and emailing regularly, and then he was calling her on the phone and asking her to wire him money.

Twenty years ago, online dating wasn’t even a thought. Ten years ago, it was weird. Five years ago, it was new and exciting. Today, it’s as normal as milk and bread. If you are looking for a mate online, you will eventually find someone. Most of my friends who’ve tried it were successful. But by the time a new technology becomes normalized, scammers, who are usually ahead of the curve, are lying in wait. As online dating gradually gained popularity and acceptance, scammers were coming up with ways to take advantage and perfecting their craft. And now it’s a full-time job for them. They know all the new scams and come up with better ways of executing the old ones.

It blows me away that these scams are even possible. In many cases, the same scammers maintain multiple profiles on different dating sites, and the dating sites do almost nothing to prevent or police this.

We caught up with anti-fraud provider iovation to see what dating sites around the world were reporting about fraudster activities.

In the last 90 days, 230,000 fraud and abuse attempts were reported to iovation from dating sites alone, including:

•   Spamming – 90,000

•   Scams and solicitations – 30,000

•   Inappropriate content – 20,000

•   Chat abuse – 17,000

•   Profile misrepresentation – 15,000

•   Credit card fraud – 14,000

•   Identity mining / phishing attempts – 12,000

iovation has many more categories specific to dating, including bullying, account takeovers, under age members, and so on. What’s unique to their globally shared system is that their clients can choose what to take action on or not.  For example, a dating site may choose to not care about cheating in online gaming sites, but set up rules to trigger multiple account creations looking for profile misrepresentation.  Dating sites can specify which type of behavior to protect their users from.

If more sites incorporated device reputation checks for suspicious computer history and investigated for characteristics consistent with fraudulent use, they’d be able to deny criminals, often before the first time they tried to sign up.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Safe Personal Dating on Tyra. (Disclosures)

Online Credit Applications Ripe For Fraud

/0 Comments/in /by

We currently rely on easily counterfeited identification, and we transmit credit card applications using the phone, fax, Internet, or snail mail, all of which are relatively anonymous methods.

Fraudulent credit card applications are the most lucrative form of credit card fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they allow thieves to quickly turn data into cash. Meanwhile, consumers don’t find out that credit cards have been opened in their names until they are denied credit or bill collectors start calling.

Identity thieves use any number of tricks to fool banks, retailers, and creditors into approving their online credit applications, extending credit that leaves the creditor on the line for losses.

It doesn’t need to be this way.

Instead of simply verifying the identification provided by fraudulent applicants, newer technologies allow creditors to verify the reputation of the computer or smartphone being used to submit the application. By instantly evaluating a device’s history for criminal activity, creditors can prevent fraudulent transactions.

“In addition to telling businesses that a single device has been involved in fraud, iovation can also determine if that device is associated with bad activity through its associations,” said, Jon Karl, VP of Corporate Development for iovation.  “Beyond fingerprinting and reputation, we provide our clients with early warnings about devices visiting their website in real-time, based on the behavior of devices and accounts associated with that device.”

Device fingerprinting and device reputation analysis help identify bad guys during the application process, allowing creditors to avoid more expensive solutions.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosure)

Survey Shows “Account Takeover Fraud” Drops

/1 Comment/in /by

Account takeover happens when your existing bank or credit card accounts are infiltrated and money is siphoned out. A hacked account or stolen credit card is often to blame.

The drop in account takeover may be due in part to a few different things.

Less breaches. There was a drop in data breaches from 221 million records in 604 breaches during 2009 to 26 million records breached in 404 reported breaches during 2010. Criminal hacker Albert Gonzalez and his gang were responsible for many of those hacked records and he and many of his cohorts are now in jail.

PCI standards. All those responsible for accepting credit cards are now under strict Payment Card Industry Standards rules and regulations that require a level of security that took about 5 years to implement. Today many of those merchants are doing a much better job of protecting data.

Device reputation management. Technology that checks an Internet transaction by looking at the PC, smartphone or tablet to see if it has a history of bad behavior or is high risk based on device characteristics and behavior. iovation is one such company that has blocked 35 million fraudulent transactions of this sort just last year.

Javelin reports “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

If device reputation was integrated at the “profile update / account update” website integration point, a flag would go up when:

– Too many devices are accessing the account (the business has a predetermined threshold)

– Too many countries are accessing the account (Ex: a United States account is being accessed from Ghana)

– A non-allowed country accesses the account (Your United States-only dating site just had devices from Russia and Romania trying to get into accounts, but it’s blocked automatically with customized business rules.)

It’s no secret that it’s often a few bad apples that upset the bunch. Here’s where the 90/10 rule applies. 90% of people are honest whereas maybe 10% aren’t. And it’s the 10% that do 90% of the stealing.  Device reputation knows who is good and who isn’t. Identity thieves are stopped cold and can’t use the hacked data to commit fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

What is New Account Fraud?

/0 Comments/in /by

As long as identity thieves continue to breach databases and steal Social Security numbers, new account fraud will plague the public.

New account fraud refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Since the thief typically submits a different mailing address when applying for new accounts, the victim never receives the bills and may remain unaware of their existence until creditors come seeking payment for debts the thief has accumulated in the victim’s name.

Variations on new account fraud include:

Utility fraud, in which the identity thief opens new utility accounts, such as gas, electric, phone, or cable, in the victim’s name, accounts for as much as 20% of all instances of identity theft.

Loan fraud accounts for approximately 10% of instances of identity theft. In order to obtain a loan of any kind, applicants are nearly always required to provide a Social Security number.

Credit card fraud is the most lucrative type of new account fraud, and the most prevalent, accounting for almost half of all identity theft cases. Simply put, identity thieves love credit cards because they are the easiest accounts to open, and they can quickly be turned into cash.

The availability of instant credit means instant identity theft. Identity thieves froth at the mouth when they obtain personal identification information and are in range of a major retailer.

An identity theft protection service can help mitigate the risk of new account fraud by monitoring your credit for new account activity, as well as by monitoring the Internet for your personal information.

One cool company that’s watching your back is iovation. iovation spots cyber criminals by analyzing the device reputation of the computers they use to connect to a website. They investigate for suspicious history and check for characteristics consistent with fraudulent users. And the best part is that iovation can prevent a criminal from using stolen data to open a new account in the first place.

According to Scott Waddell, Vice President of Technology at iovation Inc., “iovation sees identity thieves carry out their attacks in very short-time windows to exploit their newly stolen credentials.  What might typically look like one transaction to a single business is often a shotgun attack across our globally shared view.  One device may be opening a new credit card account, then going to an online retailer, then applying for instant credit all within minutes, and iovation can detect that through velocity triggers and shared experience across subscribers to alert the affected businesses and thwart the attacks. That’s great for the protected businesses and for the consumers who would otherwise be dealing with fraudulent charges made under their identities.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Social Security Numbers as National IDs on Fox News. (Disclosures)

How Does Device Reputation Protect Me?

/0 Comments/in /by

Device reputation spots online evildoers by examining the computer, smartphone, or tablet they are using to connect to any website. If a device is recognized as having previously committed some type of unwanted behavior, the website has the opportunity to reject the transaction, preventing damage before it occurs.

In the physical world, as the saying goes, “You are only as good as your word.” And when somebody says one thing and does another, we no longer trust them.

Online, people say and do things they never would in the real world. Internet anonymity fuels bad behavior. Websites’ comments sections are filled with vitriol that you’d never hear real people utter. Pedophiles who’d never approach a child on the street contact kids over the Internet. Sex offenders avoid the stigma of their label on dating sites and social media. Scammers create accounts in order to con people and businesses into forking over money. And identity thieves use your personal information to fill out online applications for credit.

All of this is made possible by the anonymity of the Internet.

As fraudsters develop more sophisticated schemes and collaborate in elaborate fraud rings, the threat of cybercrime increases. Online businesses are getting hit hard by fraud and abuse, and it’s critical that fraud protection solutions save them from significant losses and damaged reputations.

A device reputation service checks for suspect history, but also investigates for characteristics consistent with fraudulent users. And the best part is that it denies criminals, often even before their first attempt.

According to Greg Pierson, Founder and CEO of iovation, “Device reputation helps prevent identity thieves from monetizing the credentials that they have stolen.  At the same time we are protecting online businesses, we’re also protecting the consumer.”

Device-based fraud management and a shared device reputation infrastructure play a critical role in identifying online fraud and abuse. Neglecting to take advantage of these tools severely limits a business’s ability to prevent fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Scambaiting on Fox News. (Disclosures)

Big Game Scores Big For Scammers

/0 Comments/in /by

Internet criminals follow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays, and the change in seasons. They further capitalize on significant events and natural disasters.

On Super Sunday weekend much of the scamming taking place is designed to separate the public from their money using the Big Game as the lure. People are seeking information on the Game and are being tackled by criminals who steal the ball.

The promise of cheerleader-filled videos along with downloadable player pictures or even Big Game memorabilia will dominate the scamverse.

Don’t get taken:

Ticket scams abound: Auction sites and Craigslist are ground zero for Scammers who buy up a few expensive tickets and, because many tickets are printed at home, the scammer just makes copies and resells the fakes to desperate buyers online or at the game.

Social media scamming: Bad guys who pose as legitimate individuals or businesses offering up Super Sunday media and post infected links that will infect the victim’s PC or network with a virus that gives hackers backdoor access.

Search poisoning: Scammers lure victims to their scam sites via search engines. When a website is created and uploaded to a server, search engines index the scam sites as they would any legitimate site. Doing a Google search can sometimes lead you to a website designed to steal your identity.

Zombie PCs: A botnet is a group of Internet-connected zombie personal computers that have been infected by a malicious application, which allows a hacker to control the infected computers without alerting the computer owners.

Scott Waddell, Vice President of Technology at iovation states, “Criminals will lure Internet users to malicious sites where malware can compromise their computers, making their systems ‘zombies’ in a global botnet. Identity data on these systems can be stolen and remote fraudsters can monitor the systems to compromise online accounts.”

Solutions like iovation’s ReputationManager 360 can identify fraudulent use of stolen accounts through geolocation rules, velocity indicators associated with identity thieves trying to quickly leverage stolen credentials, and the shared reputation view across more than 2,000 fraud fighting professionals strengthening the system every day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Fox News. Disclosures