Identity Theft on the Rise…Again

According to a report released by Javelin Strategy and Research and another by the FTC, the incidence of identity fraud increased in 2012 for the second consecutive year, affecting 5.26 percent of U.S. adults. This increase was driven by dramatic jumps in the two most severe fraud types, new account fraud (NAF) and account takeover fraud (ATF).

Key findings from the FTC’s report:

  • Over one million complaints were fraud-related. Consumers reported paying over $1.4 billion in those fraud complaints; the median amount paid was $535.
  • Fifty-seven percent of all fraud-related complaints reported the method of initial contact. Of those complaints, 38 percent said e-mail, while another 34 percent said the telephone. Only 9 percent of those consumers reported mail as the initial point of contact.

Key findings from Javelin’s report:

  • Identity fraud incidents and amounts stolen have increased. The number of identity fraud incidents increased by one million more consumers over the past year, and the dollar amount stolen increased to $21 billion—a three-year high, but still significantly lower than the all-time high of $47 billion in 2004. This equates to one incident of identity fraud every three seconds.
  • One in four recipients of a data breach notification became a victim of identity fraud. This year, almost 25 percent of consumers that received a data breach letter became a victim of identity fraud, which is the highest rate since 2010. The study found consumers who had their Social Security number compromised in a data breach were five times more likely to be a fraud victim than an average consumer.
  • Small retailers are losing out. Fraud victims are more selective where they shop after an incident, and small businesses were the most dramatically impacted. The study found that 15 percent of all fraud victims decided to change behaviors and avoid smaller online merchants. This is a much greater percentage than those that avoid gaming sites or larger retailers.

With iovation’s services, when computers or mobile devices with fraudulent histories connect to a retailer’s website, the business is alerted in real time. If velocity or geolocation alerts are triggered, the retailer knows that too, also in real time. The company maintains a living database of device intelligence, sharing the data across its global base of finance, gaming, travel, shipping, dating, and retail clients. Information is shared in order to detect fraudulent activity as soon as possible—before a product is shipped and chargebacks and fees are incurred. iovation calls it device reputation; I call it another bit of common sense for retailers.

Robert is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Europol: Credit Card Fraud Spells Low Risk and High Profits

A report from Europol states that payment card fraud is a low-risk and highly profitable criminal activity that brings EU-based organized crime groups a yearly income of around 1.5 billion euros. These criminal assets can be invested in further developing criminal techniques, used to finance other criminal activities, or even facilitate the start-up of legal businesses.

Payment card data is the ideal illicit Internet commodity, as it is internationally transferable. Europol, in its report on Internet-facilitated organized crime (iOCTA), concluded that organized crime groups (OCGs) clearly benefit from globalization, using foreign payment card data to purchase goods and services online. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers; according to Europol’s intelligence, around 60 percent of payment card fraud losses, totaling 900 million euros, were caused by card-not-present (CNP) fraud in 2011.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases, the quantity of compromised card details was substantial, reaching hundreds of thousands or millions, and enabling criminals to sell the data in bulk online.

In the US, the FFIEC updated the security requirements recommended for banks. One of the recommendations encourages financial institutions to employ complex device identification. Oregon-based security firm iovation goes a step further by offering device reputation technology, which builds on device identification by offering real-time risk assessments. The technology exposes any history of fraud associated with a particular device or group of devices, and investigates relationships between devices and accounts that have been associated with fraud to expose fraudsters working in cahoots to steal from online businesses.


Phony Identities Result in $200 Million Fraud

Recently, the FBI arrested 13 people in four states. Their crime? Allegedly creating thousands of phony identities with which to steal at least $200 million in one of the largest credit card fraud schemes ever charged by the Department of Justice.

Bloomberg reports that after using 7,000 false identities to obtain 25,000 credit cards, the conspirators ran the scam through real businesses such as jewelry stores, and at least 80 sham companies under more than 1,800 addresses.

The defendants charged in the complaint allegedly used fake Social Security numbers to fabricate identities and obtain credit cards, doctoring credit reports to pump up the cards’ spending and borrowing power. They would then borrow or spend as much as they could (based on their fraudulently-obtained credit history) and proceed to default on the debts, robbing businesses and financial institutions of more than $200 million in confirmed losses. When the credit card balances went unpaid, there was no one to hold responsible. In the end, however, retailers, merchants, banks, and credit card companies paid the bills.

According to a statement by the FBI, “This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies, and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford.”

It appears that this scam was particularly lucrative for the criminals because there were no actual flesh-and-blood victims of identity theft to take notice.  One device may be opening a new credit card account—then going to an online retailer and applying for instant credit—all within minutes. Frauds like this, while highly sophisticated in nature, can be detected early with the right tool in place. Through velocity triggers and shared experience across multiple businesses, iovation can proactively detect the activity, alert affected businesses, and thwart the attacks. This is great news for the protected businesses, and also great news for the consumers who would otherwise be dealing with fraudulent charges made under their identities.


10,000+ Identity Theft Rings In The U.S.

Identity theft is the easiest crime to commit and the hardest crime to get caught for. It has been said numerous times that identity theft is the closest we’ve ever come to the perfect crime.  This explains why a recent study by ID Analytics found more than 10,000 identity fraud rings in the U.S.  An identity fraud ring is a group of people actively collaborating to commit identity fraud. This study is the first to investigate the interconnections of identity manipulators and identity fraudsters to identify rings of criminals working in collaboration.

In a press release, ID Analytics states that many of these fraud rings are made up of two or more career criminals; surprisingly, others are family members or groups of friends. The ring members may be either stealing victims’ identities or improperly sharing and manipulating personal identifying information such as dates of birth (DOB) and Social Security numbers (SSNs) on applications for credit and services.

Other findings of the study include:

Hotbeds for Fraud Rings—States with the highest numbers of fraud rings include Alabama, the Carolinas, Delaware, Georgia, Mississippi and Texas. The three-digit ZIP codes with the most fraud rings observed are areas around Washington DC; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; Detroit; and Montgomery, Ala.

Fraud in the Countryside—While many fraud rings occur in cities, a surprisingly high number were also found in rural areas of the country.

Consumers’ best protection against identity theft begins with a credit freeze or identity theft protection. But businesses can do more to protect the public by not allowing stolen credentials to be used for fraud in the first place.

Identity thieves carry out their attacks in very short time windows to exploit their newly stolen credentials. For businesses, what might typically look like a single transaction can often be part of a calculated attack across multiple businesses, according to Oregon-based iovation Inc. and the businesses that it protects. One computer (or a group of related Internet-enabled devices including smartphones) may open new credit card accounts, make online retail purchases, and schedule shipment of stolen goods, yet iovation’s view of device-related activity can connect these relationships across multiple businesses, geographies and industries in order to detect and stop cybercrime and make the Internet a safer place to interact and do business.
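The cross-business velocity check described here and in the previous post can be sketched as follows. This is an added illustration, not iovation's implementation or code from the original page; the event fields, the 15-minute window, the two-business threshold, and all device and business names are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for this sketch, not vendor settings.
WINDOW = timedelta(minutes=15)
MAX_BUSINESSES = 2   # distinct businesses one device may touch per window
SENSITIVE = {"open_credit_account", "apply_instant_credit",
             "purchase", "schedule_shipment"}


class DeviceVelocityMonitor:
    """Tracks sensitive actions per device across all participating businesses."""

    def __init__(self, window=WINDOW, max_businesses=MAX_BUSINESSES):
        self.window = window
        self.max_businesses = max_businesses
        self.recent = defaultdict(deque)   # device_id -> deque of (ts, business)
        self.flagged = set()               # devices with a shared bad reputation

    def observe(self, ts, device_id, business, action):
        """Return (alert_kind, device_id, business) or None. Events must arrive in time order."""
        if action not in SENSITIVE:
            return None
        # Shared reputation: a device flagged at one business is reported to the next.
        if device_id in self.flagged:
            return ("known_risk", device_id, business)
        events = self.recent[device_id]
        events.append((ts, business))
        # Drop events that have fallen out of the sliding window.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        if len({b for _, b in events}) > self.max_businesses:
            self.flagged.add(device_id)
            return ("velocity", device_id, business)
        return None


def run_sample():
    """Replay constructed events and return the alerts raised."""
    t = lambda hhmm: datetime.strptime("2013-02-20 " + hhmm, "%Y-%m-%d %H:%M")
    events = [  # constructed sample data
        (t("10:00"), "dev-A", "bank-1", "open_credit_account"),
        (t("10:01"), "dev-B", "retailer-1", "purchase"),
        (t("10:04"), "dev-A", "retailer-1", "apply_instant_credit"),
        (t("10:05"), "dev-B", "retailer-1", "browse"),
        (t("10:09"), "dev-A", "retailer-2", "purchase"),
        (t("11:30"), "dev-A", "retailer-3", "schedule_shipment"),
        (t("13:00"), "dev-B", "bank-1", "open_credit_account"),
        (t("16:00"), "dev-B", "retailer-2", "purchase"),
    ]
    monitor = DeviceVelocityMonitor()
    alerts = []
    for ts, device, business, action in sorted(events):
        alert = monitor.observe(ts, device, business, action)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The device that touches three businesses in nine minutes is flagged on its third action, and its later shipment request at a fourth business is reported on reputation alone; the device whose actions are spread over the day raises nothing.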

Why Elderly Are Targeted By Scammers

It has long been believed that the elderly, who, depending on your definition, are people over the age of 60, are targeted by scammers due to their generation’s naïve upbringing. But from my perspective, a 65-year-old grew up in the ’60s, and there’s nothing naïve about the Vietnam War/Woodstock generation. My dad’s one of them, and we have this ongoing conversation about how there isn’t a day that goes by when someone isn’t trying to pick our pocket.

Apparently, based on a recent UCLA study, a potential reason why the elderly are scammed is “a particular region of the brain that influences the ability to discern who is honest and who is trying to deceive us.

Older people, more than younger adults, may fail to interpret an untrustworthy face as potentially dishonest, the study shows. The reason for this, the UCLA life scientists found, seems to be that a brain region called the anterior insula, which is linked to disgust and is important for discerning untrustworthy faces, is less active in older adults.”

So the anterior insula discerns good versus evil, and as we age it doesn’t work so well. Worse, the study states, “It looks like their skills for making good financial decisions may be deteriorating as early as their early-to-mid-50s.” Which means a lame anterior insula coupled with deteriorating financial decision capabilities leads to a diminished ability to connect the gut to the head.

With this study, if I was a scammer, I’d be hyper focusing my market with the baby-boomer generation in mind.

Protect yourself. Like mom said, if it’s too good to be true, it is.

Scammers use incoming communications including phone, email, text and snail mail to fleece their victims. Just hang up, or delete the email or text. Responding only means engaging in their activities and cannot lead to a good outcome.

When participating in online communities, it is not necessary to disclose so many personal details. Disclosing your street address, date of birth, and identifying your relatives is unnecessary. Remember, if a cybercriminal targeting you is missing certain details needed to steal your identity, they just might ask one of your “specified” relatives. Don’t make it easy for them.

Many social networks, dating sites, gaming sites and online auctions are one step ahead of such bad actors. By employing identity, credit and device reputation checks provided by online fraud prevention companies, these sites use layered approaches that proactively detect and thwart cyber scammers in their tracks.

“Operation Game Over” Purges Sex Offenders From Online Gaming

Over 2,100 accounts of registered sex offenders have been purged from online gaming platforms as part of “Operation: Game Over,” a first-of-its-kind initiative to protect children from predators on online gaming networks.

An additional 3,500 accounts of registered sex offenders were purged from major online gaming companies earlier this year.

“The Internet is the crime scene of the 21st century, and we must ensure that online video game platforms do not become a digital playground for dangerous predators. That means doing everything possible to block sex offenders from using gaming systems as a vehicle to prey on underage victims,” said Attorney General Schneiderman. “I applaud the online gaming companies that have purged registered sex offenders from their networks in time for the holiday season. Together, we are making the online community a safer place for the children of New York.”

Under New York State’s Electronic Securing and Targeting of Online Predators Act (e-STOP) law, convicted sex offenders must register all of their e-mail addresses, screen names, and other Internet identifiers with the state. That information is then made available to certain websites so that they have the option to purge potential predators from their online worlds.

Gaming sites use multiple layers of defense in their fight against cybercriminals, predators and other bad actors. One of the more effective layers is the use of device reputation by iovation. By identifying the devices being used for chat spam, gold farming, account compromise and other abuses, gaming sites can stop them from opening new accounts under stolen identities to further cause damage to their brands and customers. In one particular case, a gaming publisher using iovation ReputationManager 360 took action against 1,000 fraudulent accounts shortly after implementing the fraud prevention service. In addition to keeping repeat offenders out, clients of iovation share fraud intelligence so that when a bad actor comes in from another global gaming site, the new site knows upfront that it’s dealing with high risk activity from the start.

Online gaming has come a long way.  I’m pleased to see that most of the major gaming publishers are taking a serious stand against cybercriminals, predators, and the like, to keep honest consumers, players, and in many cases—our children—safe.

Country Overrun By Identity Theft Ring

A week’s worth of news reports shows law enforcement all over the country are battling identity thieves who are stealing our personal information and opening various accounts under our names or taking over existing accounts. From every corner of the U.S. from Ft Lauderdale to Anchorage and San Diego to Queens, busts are happening but more work needs to be done.

Queens, NY. CBS New York reports: A South Ozone Park man who portrayed himself as a Harvard graduate with plans to open a medical facility has pleaded guilty to identity theft, the Queens District Attorney’s office announced.

San Diego, CA. Imperial Beach Patch reports: Authorities said the defendants ran the ID theft and mail theft ring out of their home. Most of the personal information is believed to have come from stolen real estate files. Investigators found numerous items involved in the ID theft ring at the defendants’ home, including computers, printers, dozens of stolen credit cards and lists describing how to make counterfeit IDs.

Ft Lauderdale, FL. Sun Sentinel reports: The scheme unraveled after Erskine met with a confidential informant in March to discuss filing for fraudulent income tax refunds. She said Johnson could get a person’s Social Security number, date of birth, and driver’s license information for $150, according to court documents.

Anchorage reports: An Anchorage man is facing 36 federal charges, including aggravated identity theft, in a case involving more than $150,000 in losses to individuals and businesses he allegedly defrauded. Rogers allegedly created fake documents for nearly two years, from late 2007 until mid-2009, which federal authorities say he then used to make fraudulent purchases.

Consumers must:

  • Protect themselves from account takeover by monitoring their accounts closely, protecting their passwords, and disputing unauthorized charges.
  • Protect themselves from new account fraud by locking down their credit with a credit freeze or identity theft prevention services.
  • Protect their devices with antivirus, antispyware, antiphishing and a firewall.

Identity theft will continue to plague citizens until smart systems are put in place to mitigate new account fraud and account takeover. Businesses are engaging an emerging device identification technology by Oregon-based iovation Inc. that spots cybercriminals by analyzing the reputation of computers and mobile devices used to connect to online businesses. They proactively investigate for suspicious activity and check for characteristics consistent with fraudulent users.

In one major case, iovation helped bust a fraud ring that victimized over 15 people and racked up tens of thousands of fraudulent charges. The case started with a report of $5,000 in fraudulent credit card charges at a large electronics store and two department stores. It just so happens that the credit issuer was using iovation to flag fraudulent credit card applications and track them back to the specific computers and mobile devices used. This information, combined with surveillance photos and other offline detective work, provided the perfect blend of digital and physical data that law enforcement needed to bust the crime ring.

1 in 4 Report Being a Victim of Card Fraud

The 2012 Global Card Fraud Survey by ACI Worldwide represents the insights and opinions of more than 5200 card holders from 17 countries and focuses exclusively on the impact to the card holder and their state of mind. Residents of Mexico and the United States reported the highest rate of card fraud experience. Some of the survey’s other key findings include:

  • Financial Institutions are running the risk of losing customers due to fraud, either directly, or through a decreased use of their cards.
  • Consumers report they fear identity theft most and would like to be notified immediately by banks of any potential fraud. They would like to be kept informed of the progress of any fraud disputes.
  • While fearing identity theft, consumers are also demonstrating continued risky behaviors such as writing down personal identification numbers (PINs), failing to destroy personal documents and sharing credit card data on electronic devices lacking security software.
  • Consumers also shared their thoughts regarding what types of transactions they trust most and who they most trust in the event of fraud happening.

Financial institutions have to comply with additional regulations, including recommendations from the Federal Financial Institutions Examination Council (FFIEC). That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website.

Protect yourself from card fraud by paying attention to your statements every month and disputing unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Many Die in World of WarCraft Hack

In a war-like event, thousands of players’ avatars dropped dead for no apparent reason. Hackers, or players using some form of exploit, hacked the game and something went wrong. World of WarCraft is a massive multiplayer online game (MMO) where people from all over the world can play online.

In a forum post a Community Manager wrote “Earlier today, certain realms were affected by an in-game exploit, resulting in the deaths of player characters and non-player characters in some of the major cities. This exploit has already been hotfixed, so it should not be repeatable. It’s safe to continue playing and adventuring in major cities and elsewhere in Azeroth. As with any exploit, we are taking this disruptive action very seriously and conducting a thorough investigation. If you have information relating to this incident, please email We apologize for the inconvenience some of you experienced as a result of this and appreciate your understanding.”

iovation’s ReputationManager 360 is a proven service that helps protect MMOs against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices being used to play and examines their history and reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud, chat abuse, and more.

For years, leading game publishers have prevented game abuse and ensured a safe and fun experience for players with the help of iovation’s device reputation service. These publishers (along with iovation’s network of more than 2,000 fraud analysts from other online businesses) share information, trends, and best practices with iovation and with each other in order to stay one step ahead of cheaters and criminals.


Breach Means More Retailer Card Fraud

A scam seen over the past 5 years is known as electronic funds transfers at the point of sale (EFTPOS) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have figured out how to skim customer cards.

In Australia, fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted for card skimming.

Officials say the problem is so bad they urged people to change credit and debit card PIN numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar card skimming scam was pulled off at the Stop and Shop Supermarket chain.


The most recent large card data breach was from Barnes & Noble.   “Barnes & Noble has detected tampering with PIN pad devices used in 63 of its stores. Upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores, Barnes & Noble discontinued use of all PIN pads in its nearly 700 stores nationwide. The company also notified federal law enforcement authorities, and has been supporting a federal government investigation into the matter. Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store.  The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases.  This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”

When these stolen credit cards are used online, iovation’s ReputationManager 360 helps banks and online merchants avoid fraud losses by detecting high-risk behavior and stopping cybercriminals in their tracks. iovation’s device identification and device reputation technology assesses risk on activities taking place at various points within an online site such as account creation, logging in, updating account information, attempting a purchase, or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Consumers must pay close attention to their statements and dispute unauthorized charges within 60 days. I recommend going online at least weekly and looking closely at all your charges no matter how small they are.
