U.S. Department of State Shares Red Flags to Identify Dating Scams

Online dating scams have become a worldwide issue. A study presented at the annual meeting of the British Psychological Society in London found that people with strong romantic beliefs who idealize their romantic partners are most likely to fall victim to online dating scams. Meanwhile, the U.S. Department of State has posted an advisory warning Americans to “be alert to attempts at fraud by persons claiming to live outside of the U.S., professing friendship, romantic interest, and/or marriage intentions over the Internet.”

According to the State Department, the following red flags can be used to identify a potential romance scam:

  • The scammer and the victim meet online – often through Internet dating or employment sites.
  • The scammer asks for money to get out of a bad situation or to provide a service.
  • Photographs that the scammer sends of “him/herself” show a very attractive person. The photo appears to have been taken at a professional modeling agency or photographic studio.
  • The scammer has incredibly bad luck, often getting into car crashes or being arrested, mugged, beaten, or hospitalized, usually all within the course of a couple of months. They often claim that their key family members (parents and siblings) are dead. Sometimes, the scammer claims to have an accompanying child overseas who is very sick or has been in an accident.
  • The scammer claims to be a native-born American citizen, but uses poor grammar indicative of a non-native English speaker. Sometimes the scammer will use eloquent romantic language that is plagiarized from the Internet.

Many dating sites and online communities have turned to device identification leader iovation Inc. for help. iovation works with global dating websites and social networks to protect their members from behind the scenes by eliminating scammers before they’ve had a chance to cause harm. iovation has already prevented more than 50 million online scams, spam, solicitations, fake profiles and phishing attacks in its effort to make the Internet a safer place to do business and interact.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Story. (Disclosures.)

Federal Investigators Bust Credit Fraud Ring

A federal investigation dubbed “Operation Open Market” recently yielded 19 arrests in nine states, for crimes including identity theft and counterfeit credit card trafficking. The defendants allegedly participated in “Carder.su,” a Las Vegas-based transnational ring that bought and sold stolen personal and financial information and manufactured counterfeit IDs and credit and debit cards in order to commit fraud. This criminal organization has also been known to host online forums wherein members are encouraged to buy and sell counterfeit documents and stolen data.

Executive Director of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations James Dinkins commented, “The actions of computer hackers and identity thieves not only harm countless innocent Americans, but the threat they pose to our financial system and global commerce cannot be understated.”

According to the Federal Financial Institutions Examination Council’s latest update, “Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

The FFIEC recommends that financial institutions incorporate device identification into their layered security approach in order to thwart attacks like these, but smart financial institutions are going a step further by employing a device reputation analysis approach.

iovation, an Oregon-based firm helping to fight cybercrime, offers device reputation, which builds on its complex device identification technology. It does this by offering real-time risk assessments that look at evidence of past fraud attacks and risk profiles, detect anomalies, and uncover relationships between devices and accounts that have a history of working in collusion to steal from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses the latest data breach on Good Morning America. (Disclosures.)

Gold Farming e-Guides Facilitate Banned Gaming Activities

Most MMO game operators ban the sale of in-game currency for real-world dollars. But that hasn’t stopped gold farming from flourishing into a full-fledged underground economy.

A Telecoms.com article entitled “Killing Cash” addresses the ways in which virtual currency may be pushing old-fashioned cash out of circulation altogether. One point is the prevalence of gold farming: according to a 2011 report by the World Bank’s InfoDev unit, an estimated 75% of all virtual goods sales involve gold farmers.

“The vast majority of gold farms are based in developing countries like China, and the phenomenon has attracted the same kind of publicity as sweat shops, with imagery of banks of computers staffed by ill-paid workers who repeat the same in-game tasks in World of Warcraft for hours at a time to earn in game currency. These funds are then traded on illicit exchanges for real world money. The value comes from games players who support the system as an easy way to boost their in-game funds.”

Numerous guides are available online to help readers learn how to gold farm more effectively, whether you’re a casual gamer or part of an organized crime ring. A press release from Ereviewguide.com touts their gold farming guide, which warns that “there is really not much money to be made by players who play the conventional way or who play the game purely for enjoyment,” despite the promises of “e-book scams, scam online guides and other digital forms of snake oil that try to get would-be players excited about online game gold farming as a way of making money online.” Nevertheless, Ereviewguide.com offers “tips and strategies to maximize gold farming efficiency.”

Game operators lose profits due to forced labor gold farming, and while they certainly want to stem their losses, they also have a humanitarian responsibility to the victims of this crime.

iovation’s ReputationManager 360 is a proven service that helps protect MMOs against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices being used to play and examines their history and reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud, chat abuse, and more.

For years, leading game publishers have prevented game abuse and ensured a safe and fun experience for players with the help of iovation’s device reputation service. These publishers (along with iovation’s network of more than 2,000 fraud analysts from other online businesses) share information, trends, and best practices with iovation and with each other in order to stay one step ahead of cheaters and criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures.)

Concert Season Coming: Don’t Get Scammed

As spring is in full swing, so are the advertisements for upcoming concerts. I, for one, look forward to getting on my Harley, snagging easy parking, and taking in a few shows this year. And, as with all seasonal activities and events, scammers are gearing up to take advantage of another opportunity to prey upon unsuspecting victims looking for a last-minute deal.

There are many options for purchasing tickets online, but not all are safe and secure. One Forbes blogger revealed how he was scammed when attempting to purchase NFL tickets. And how did he encounter these scammers? Through Craigslist.

“The seller had a Gmail account and a cell phone number and a plausible-ish explanation about why he couldn’t use them, and he was willing to meet her in person to hand them over, and they looked more or less like the last tickets I bought. So we bought them. And we went to the stadium gate, where the guy who scanned our bar codes told us we had to go to Will Call, and the lady at Will Call took one look at our tickets and pronounced them fakes.”

Ticket scams have been occurring for years. When a ticket is nothing but a piece of paper with a barcode that will be scanned at the event entrance, counterfeiting is child’s play. Some events provide wristbands to ticketed attendees, which can also be easily faked.

To avoid scams, buy tickets directly from the box office, the venue’s official ticket exchange, or any other popular website or major brand specializing in ticket sales. The blocks of tickets sold by resellers are generally legit, but have the reseller walk you to the gate and get confirmation from a ticketing agent before handing over any money.

Exercise extreme caution when using Craigslist. Do not trust watermarks, barcodes, and other low-tech security features that make tickets slightly more difficult to recreate, but are often lost on the general public when it comes to determining authenticity. A ticket may look real, until a ticket agent scans it and you are denied entry.

One way that online ticketing providers are fighting back is through the use of device reputation technology. This allows them to uncover computers and related devices that are responsible for fraudulent activity at the point of sale, and deny transactions from these devices. This kind of visibility gives ticketing services businesses a powerful advantage by allowing them to easily identify and block scam artists before the damage is done. One ticketing provider alone reduced total fraud losses by 98% with device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

POS Skimming—Bad News for Banks and Merchants

EFTPOS skimming has become increasingly prevalent over the past few years. EFTPOS skimming—which stands for “electronic funds transfers at the point of sale”—involves either replacing the self-swipe point of sale terminals at cash registers with devices that record credit and debit card data, or remotely hacking a retailer’s POS server.

In one such case, Romanian hackers are alleged to have remotely accessed hundreds of small businesses’ POS systems and stolen enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

Officials report a wave of credit and debit card attacks, involving point of sale terminal swapping, data skimming, and hacking into payment processors. The U.S. Secret Service, for example, will not disclose details about specific cases, but confirmed, “they are conducting a multi-state, multi-country investigation into this string of crimes.”

Meanwhile, the Oklahoma Bankers Association has stated, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

When the use of these stolen credit cards moves online, iovation’s ReputationManager 360 helps banks and online merchants avoid fraud losses by detecting high-risk behavior and stopping cybercriminals in their tracks. iovation’s device identification and device reputation technology assesses risk on activities taking place at various points within an online site, such as account creation, logging in, updating account information, attempting a purchase, or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses POS skimming on CBS. Disclosures.

Fraud Perpetrated on Cybercriminal’s Clock

Contrary to popular belief, cybercriminals are hard workers. They work long hours, often through the night. In fact, many are “third-shifters”—up late at night, into the early morning hours.

For example, the number one online fraud offender does his best work at 1:00 am local time in Ghana, or 5:00 pm PST. For the number two fraud offender, it’s 6:00 am Nigerian local time, or 9:00 am PST. And for number three, it’s 3:00 am in the Philippines, 11:00 am PST. That’s just one of many times when “carders,” who steal credit card numbers, take over existing accounts. 

Account takeover occurs when your online bank or credit card accounts are infiltrated and money is siphoned out. A hacked account through phishing attempts or stolen credit cards is often to blame. Criminals use stolen credit card numbers to make unauthorized charges online. Unlike regular storefronts, which may open at 10am and close at 6pm, online retailers are open day and night—in many cases doubling or tripling opportunities for theft.

While cyber fraud is a 24×7 problem, many bad actors conduct their “business” while West Coasters are bright-eyed and bushy-tailed, from 11:00 am—right before lunch—through dinner at 5:00 pm, and right before many of us head off to bed around 9:00 pm (at least if you’re like me, 43 years old with small kids).

iovation is the company that released these top fraud times, using data gleaned from the billions of transactions protected by their online fraud prevention service, ReputationManager 360, in 2011. The complex device identification technology allows businesses to gain greater flexibility and control over the activity on their websites by incorporating deep intelligence about end-user devices, associated accounts, and shared history.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

50 Million Fake Facebook Accounts

Just about anyone can set up a fake account on just about any website. Facebook and other social media sites are popular targets due to the amount of traffic they get and the variety of scams that can be perpetrated against legitimate users.

Facebook estimates that as of December 31, 2011, false or duplicate accounts represented approximately 5-6% of monthly active users, but also stated, “This estimate is based on an internal review of a limited sample of accounts and we apply significant judgment in making this determination, such as identifying names that appear to be fake or other behavior that appears inauthentic to the reviewers. As such, our estimation of false or duplicate accounts may not accurately represent the actual number of such accounts.”

Why would anyone set up a fake Facebook account?

To steal your clients or potential clients. To squat on your name or brand. To post infected links while posing as legitimate individuals or businesses. To offer deals with links to spoofed websites in order to extract credit card numbers. To damage your name or brand. To harass you or someone you know. To co-opt a name or brand that has leverage in order to obtain privileged access.

Social media websites could go a long way in protecting their users by incorporating device reputation management. Rather than relying solely on information provided by a user (who could be an impersonator), device reputation goes deeper, identifying the computer or other devices being used, so that known scammers and spammers are exposed immediately, and potentially threatening accounts are denied before users are abused.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media Facebook scammers on CNN. Disclosures.

Identity Theft Still On the Rise

For the 12th year in a row, identity theft complaints top the list of consumer complaints received by the Federal Trade Commission. 15% of more than 1.8 million total complaints filed in 2011 involved identity theft.

Javelin Strategy & Research estimates that nearly 12 million Americans were victims of identity theft in 2011—a 13% increase over 2010. Interestingly, but not surprisingly, Javelin attributes this increase to the proliferation of smartphones and the popularity of social media, in addition to several major data breaches resulting in tens of millions of records being leaked.

Websites like Facebook certainly provide a great deal of data that can be used to help criminals crack knowledge-based passwords, and websites like LinkedIn make it easy for criminals to gather additional intelligence in order to conduct social engineering scams. Meanwhile, smartphones have become the keys to many of our digital lives now that we use them for social media, online shopping, and online banking. Smartphone users are even more likely to be victimized if they neglect to password-protect their devices, which are often lost or stolen.

Access to so much sensitive data has allowed criminals to take over existing credit accounts and quickly turn that data into cash. The most popular strategies are for fraudsters to add their own names as registered account users, or to change the physical address for a stolen account.

Account takeover or hijacking could be detected and prevented if online banking and shopping websites integrated a real-time device reputation check at the point where profile or account information is being updated. This check raises red flags when certain business rules are triggered, such as when a business’s predetermined threshold is exceeded. Examples might be when an account is being accessed from a brand new country, when too many different devices are accessing an account, or when the device making account updates is associated with more accounts at that bank or retailer than the threshold allows. Early detection, achieved by customizing and weighting real-time business rules to prevent bad actors from accessing your customer accounts, might mean the difference in keeping a good client’s account safe, keeping that good customer’s business, and keeping bad actors out.
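The weighted business rules described above, as an added sketch that is not iovation's code or part of the original post: each of the three example rules carries a weight, and the summed score is compared against review and deny thresholds. The weights, thresholds, class and function names, the opaque device IDs, and the sample history are all hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Hypothetical weights and thresholds (assumptions; tuned per business in practice).
WEIGHTS = {
    "new_country": 40,
    "too_many_devices": 30,
    "device_account_fanout": 50,
}
MAX_DEVICES_PER_ACCOUNT = 3
MAX_ACCOUNTS_PER_DEVICE = 2
REVIEW_AT = 40
DENY_AT = 80


class DeviceReputation:
    """In-memory history linking accounts, devices and countries."""

    def __init__(self):
        self.countries = defaultdict(set)  # account -> countries seen
        self.devices = defaultdict(set)    # account -> device ids seen
        self.accounts = defaultdict(set)   # device id -> accounts touched

    def observe(self, account, device, country):
        """Record a past, accepted access."""
        self.countries[account].add(country)
        self.devices[account].add(device)
        self.accounts[device].add(account)

    def evaluate(self, account, device, country):
        """Score a profile-update attempt without modifying history."""
        fired = []
        seen = self.countries.get(account, set())
        # An account with no history has no baseline, so no country counts as new.
        if seen and country not in seen:
            fired.append("new_country")
        if len(self.devices.get(account, set()) | {device}) > MAX_DEVICES_PER_ACCOUNT:
            fired.append("too_many_devices")
        if len(self.accounts.get(device, set()) | {account}) > MAX_ACCOUNTS_PER_DEVICE:
            fired.append("device_account_fanout")
        score = sum(WEIGHTS[rule] for rule in fired)
        decision = "deny" if score >= DENY_AT else "review" if score >= REVIEW_AT else "allow"
        return decision, score, fired


def build_sample_store():
    """Constructed history, not real data."""
    store = DeviceReputation()
    for account, device, country in [
        ("alice", "dev-A", "US"),
        ("bob", "dev-B", "US"), ("bob", "dev-X", "US"),
        ("carol", "dev-C", "US"), ("carol", "dev-X", "US"),
        ("dave", "dev-1", "US"), ("dave", "dev-2", "US"), ("dave", "dev-3", "US"),
    ]:
        store.observe(account, device, country)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for attempt in [("alice", "dev-A", "US"), ("alice", "dev-A", "DE"),
                    ("alice", "dev-X", "DE"), ("dave", "dev-4", "US")]:
        print(attempt, store.evaluate(*attempt))
```

With these weights a single low-weight rule (a fourth device on one account) is allowed, one mid-weight rule triggers review, and a new country combined with a device already tied to other accounts is denied.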

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Bad Drivers And Insurance Scams Uncovered Online

Some people can’t help bragging and babbling about themselves online. Whether in a blog post, tweet, Facebook status update, or YouTube video, chances are if it happened, it’s going to come out online.

The Internet is making it much easier for fraud investigators to learn everything they need to know about their subjects.

Teenagers and street racers regularly publish accounts and videos of their exploits on Facebook, attracting attention from viewers who forward these reports to police, resulting in fines and arrests.

Fox Business reports, “In one Texas trial, a jury will likely give large weight to a video pulled off YouTube. The video shows a $1.2 million Bugatti Veyron – a limited production French sports car – careering into a saltwater lagoon. The owner, an auto dealer who had increased his insurance to $2.2 million shortly before the incident, claimed he had swerved to avoid a pelican. But Philadelphia Indemnity Insurance Co. argues no pelican can be seen in the video.”

The old adage, “You can run, but you can’t hide,” rings truer than ever with the Internet. Not only can fraud investigators use Internet posts against unwitting criminals, they can also expose criminal activity based on the reputation of the very devices with which they are posting. Whether a person voluntarily shares information through social media, or is captured on video that winds up online, or if the digital device they use has acquired a reputation for cybercrime, it’s harder than ever to escape the truth.

Device reputation analysis examines computers, tablets, and smartphones for a history of suspicious behavior, investigating for characteristics consistent with fraudulent use. This allows online retailers, dating websites, gaming websites, and insurance companies to deny criminals access to their networks, often before their first attempt.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Another Way to Investigate Insurance Fraud

Insurance fraud has been around since the dawn of the insurance policy, largely due to its reliance on the honor system. It’s fairly easy to file and process a fabricated claim—just a matter of filling out paperwork online, really. While there are certainly some checks and balances in the claim investigation process, there are often too many variables to make a conclusive determination of a claim’s legitimacy, and with an ever increasing number of policies being created online, the insurance industry needs to take added precautions against fraudsters.

PostOnline.co.uk reports, “Insurers can use indicators and experience of fraud awareness techniques to identify patterns and they are more aware of the possibilities of fraud and exposure they have in the fleet side of the business, but we can’t be complacent.”

According to Damian Ward, head of the fraud team at law firm Halliwells, a more sophisticated variety of fraud involving criminal gangs has been a problem within the industry for quite a while. Ward says fraudsters take advantage of the ease with which motor insurance may be obtained. “With the internet, there is little underwriting control and it is easier for people to set up false policies and claims.”

Insurance fraud investigators may not know what many in the financial, retail and banking sectors are already aware of, which is that the digital devices being used to file claims can be identified as collaborators in a larger conspiracy. Once these PCs, laptops, Macs, tablets, or smartphones are “fingerprinted” and their reputations are established, investigators can begin putting together the pieces of the puzzle in order to take down a criminal enterprise.

ReputationManager 360, by iovation Inc., can re-recognize devices and share the reputation of those devices, plus assess transaction risk in real time for insurance companies. Hundreds of online businesses use this software-as-a-service to detect fraud upfront, reduce financial losses and protect their brand reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)