Posts

BillGuard: Grey Charges Equal Legal Fraud

Grey charge: When you buy something with your credit card and you get charged for something you didn’t want. Often a merchant will tack on additional products and services to a legitimate purchase you make, and you “sorta” know about the charge…but not really.

For example, you might be in the process of purchasing something and a pop-up window reading “Get 25 percent off your order NOW! CLICK HERE!” comes up. And in the fine print below “CLICK HERE!” it says, “By getting 25 percent off, you are agreeing to get a free month of a one-year membership to our discount club, for which you will be charged $19.95 per month after the first month. You may cancel at any time, but you are required to give us 30 days’ notice in writing.”

Or something stupid like that.

Then, a couple of months go by and you get your credit card statement and see this charge for $19.95 and wonder what it’s for. You call the number on the statement and someone answers and puts you on hold for an hour. By the time you are done yelling and pulling all your hair out of your head, you will probably end up getting charged for two or three months for something you never wanted.

And that’s IF you even pay attention to your credit card statements, because nine out of 10 people don’t check their bills, or merely skim them quickly for large purchases. This is what the scammy merchant bets on when initiating a grey charge.

Is it legal? Well, it’s not illegal…but it IS sneaky and deceptive.

According to BillGuard’s internal research, one in four users has incurred some type of erroneous or deceptive charge in the last 12 months. And among those users who have been affected, the average of these charges is about $350 a year.

So pay attention to your statements and refute unauthorized or grey charges ASAP. And don’t forget: Read the fine print—and remember that any offer that sounds too good to be true is.

Robert Siciliano is a personal security expert & adviser to BillGuard and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Credit Card Fraud Really Isn’t Identity Theft

With the holiday shopping season and after holiday season sales over, it’s time to review our credit card statements and make sure that everything that is on there was something you purchased. With most of us using our card a lot more during this time, there’s more chance of fraud or identity theft.

When most of us think of identity theft and being a victim of identity theft, we are really referring to credit card fraud. This form of credit card fraud is called account takeover and it occurs when a thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or perhaps you simply hand it over when paying at a store or restaurant.

Another form of credit card fraud is called new account fraud. This occurs when someone gains access to your name, address and, in the US, your Social Security number. With this data, a thief can open a new account and have the card sent to a different address. This is true identity theft as the thief has access to your personally identifiable information.

Once the identity thief receives the new card, he or she maxes it out and doesn’t pay the bill. Over time, the creditors track you down, hold you accountable for the unpaid bills, and demand the owed funds. New account fraud destroys your credit and is a mess to clean up.

Victims of account takeover are likely to discover the fraud in numerous ways. They may notice suspicious charges on a credit card statement, or the credit card company may notice charges that seem unusual in the context of the victim’s established spending habits.

Credit card companies have anomaly detection software that monitors credit card transactions for red flags. For example, if you hand your credit card to a gas station attendant in Boston at noon, and then a card present purchase is made from a tiny village in Romania one hour later, a red flag is raised. Common sense says you can’t possibly get from Boston to Romania in one hour. The software knows this.
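The Boston-to-Romania check above is an impossible-travel rule: for two card-present transactions on the same card, compute the distance between them and the speed the cardholder would have needed to cover it. The following is an added example, not code from the original post or from any card issuer; the transactions, coordinates and the 900 km/h threshold are constructed assumptions.

```python
"""Impossible-travel check over card-present transactions.

Added example for the anomaly-detection point above; it is not code from
the original post or from any card issuer. The transactions, coordinates
and speed threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruise speed


@dataclass(frozen=True)
class Transaction:
    card_id: str
    when: datetime
    lat: float
    lon: float
    card_present: bool  # only physical-card use says where the holder is
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, curr):
    """Speed the cardholder would need to get from prev to curr in time."""
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def flag_impossible_travel(transactions, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (previous, current, speed) for each consecutive pair of
    card-present transactions on one card whose implied speed is implausible."""
    flags = []
    last_seen = {}
    for tx in sorted(transactions, key=lambda t: t.when):
        if not tx.card_present:
            continue  # online orders carry no location signal
        prev = last_seen.get(tx.card_id)
        if prev is not None:
            speed = implied_speed_kmh(prev, tx)
            if speed > max_speed_kmh:
                flags.append((prev, tx, speed))
        last_seen[tx.card_id] = tx
    return flags


def demo():
    """Constructed sample: Boston at noon, a Romanian village an hour later,
    and a second card that travels to New York at a plausible pace."""
    boston = (42.36, -71.06)
    cluj = (46.77, 23.59)
    new_york = (40.71, -74.01)
    sample = [
        Transaction("card-A", datetime(2012, 3, 1, 12, 0), *boston, True, 45.00),
        Transaction("card-A", datetime(2012, 3, 1, 13, 0), *cluj, True, 120.00),
        Transaction("card-B", datetime(2012, 3, 1, 12, 0), *boston, True, 12.50),
        Transaction("card-B", datetime(2012, 3, 1, 18, 0), *new_york, True, 60.00),
        # online order from card-B: not card-present, so it is skipped
        Transaction("card-B", datetime(2012, 3, 1, 14, 0), *cluj, False, 9.99),
    ]
    return flag_impossible_travel(sample)


if __name__ == "__main__":
    for prev, curr, speed in demo():
        print(f"{curr.card_id}: {speed:,.0f} km/h needed between "
              f"{prev.when:%H:%M} and {curr.when:%H:%M} -> red flag")
```

Only card-present transactions are compared, because an online order says nothing about where the cardholder physically is; a real issuer would also tune the threshold per region and suppress the rule for known travel itineraries.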

Victims of account takeover only wind up paying the fraudulent charges if they don’t detect and report the crime within 60 days. During that time, you are covered by a “zero liability policy,” which was invented by credit card companies to reduce fears of online fraud. Under this policy, the cardholder may be responsible for up to $50.00 in charges, but most banks extend the coverage to charges under $50.00.

After 60 days, though, you are out of luck. So pay attention to your statements. As long as you do, account takeover should not hurt you financially. Protecting yourself from account takeover credit card fraud is relatively easy. Simply make sure you pay attention to your statements every month and refute unauthorized charges for purchases you did not make.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.


1 in 4 Report Being a Victim of Card Fraud

The 2012 Global Card Fraud Survey by ACI Worldwide represents the insights and opinions of more than 5200 card holders from 17 countries and focuses exclusively on the impact to the card holder and their state of mind. Residents of Mexico and the United States reported the highest rate of card fraud experience. Some of the survey’s other key findings include:

  • Financial Institutions are running the risk of losing customers due to fraud, either directly, or through a decreased use of their cards.
  • Consumers report they fear identity theft most and would like to be notified immediately by banks of any potential fraud. They would like to be kept informed of the progress of any fraud disputes.
  • While fearing identity theft, consumers are also demonstrating continued risky behaviors such as writing down personal identification numbers (PINs), failing to destroy personal documents and sharing credit card data on electronic devices lacking security software.
  • Consumers also shared their thoughts regarding what types of transactions they trust most and who they most trust in the event of fraud happening.

Financial institutions also have to comply with additional regulations, including recommendations from the Federal Financial Institutions Examination Council (FFIEC). That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior, and other devices they are associated with) the moment they touch the banking website.

Protect yourself from card fraud by paying attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

ID Thief Gets 5 Years for Stealing Identities of More Than 50 People

In California, an identity thief was recently sentenced to five years in prison for committing what appears to be classic new account fraud. The thief reportedly used a victim’s identity to open a mailbox at a shipping store in Modesto, which he often used to have fraudulently issued credit cards and other financial and identity information mailed.

Typically, new account fraud refers to financial identity theft in which the victim’s personally identifying information, generally a Social Security number, is used to open new accounts on the strength of the victim’s name and good credit standing, which are then used to obtain products and services.

Since a thief typically provides an alternate mailing address, such as the shipping store mailbox used in this particular case, the victim never receives the bills accumulating in his or her name, and may remain entirely unaware of the accounts’ existence until the debts have gone unpaid long enough to prompt creditors to track down the victim.

This thief used victims’ information to create fake driver’s licenses with his photo, which helped make the scam stick when he was asked for ID while using fraudulently obtained credit cards.

There are technologies that help credit issuers detect and stop new account fraud by providing real-time intelligence on the device being used to apply for online credit. This technology, called device reputation by iovation Inc., not only alerts businesses when velocity thresholds have been met, it also exposes whether financial fraud, identity theft and other frauds have been attempted by the device or associated computers.

Credit issuers can set up and customize their own business rules; iovation analyzes each application and returns a recommendation to allow, deny, or review the transaction, along with an explanation of the factors involved.

By identifying new account fraud in real time, credit issuers can save millions of dollars in fraud losses annually. In one case, a Fortune 100 company used iovation to identify 43,000 fraudulent credit applications and save themselves $8 million in fraud loss over two years.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Vacation Rentals Are Scam Bait

Although it’s been a mild winter, people still get itchy to head out for a ski vacation or a tropical one. Many people are searching online classifieds like Craigslist, eBay, newspapers and real estate listings for vacation rentals.

The most suspect site is Craigslist. I’m fully engaged in Craigslist and continually receive scammy communications from supposed buyers. This means scammers are on the site as buyers and sellers full time.

Certainly there are plenty of legitimate ads for vacation rentals; however, many are suspect. I rented out an apartment I own in the past, and a Craigslist scammer set up a duplicate ad with my photos and everything and cut my price in half.

If you choose to engage in a rental and a security deposit is required, it is best that you visit the property and hand deliver a check. If you request to visit the property and are denied, then the ad is more than likely fraud.

If the property is hundreds or thousands of miles away and visiting isn’t an option, then there is a much higher risk. In these circumstances never wire money, as there is very little recourse. Using a credit card is a little safer, but no guarantees. Here is where the honor system comes in. Otherwise your best bet is to deal with a real travel site with positive reviews.

Google the person, their email, the title of the ad and/or property you are considering renting. If something negative pops up, beware. If the property address doesn’t exist, beware.

Your best bet is to search listings on local real-estate sites. A licensed Realtor is 1000 times safer than blindly using Craigslist.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Holiday Headaches Coming for Consumers

Gearing up for the holidays, consumers are getting ready to pull a Wilma Flintstone and, “Charge it!” Many don’t realize that you cannot protect your credit card number. Every time you use a credit card, you increase the chances of that card number being used fraudulently.

  1. When handing your card to a clerk or cashier, pay close attention. The card should be swiped through a point of sale terminal or keyboard card reader once, maybe twice. If your card is swiped through an additional reader, the card number may have been stolen.
  2. Shop only at trusted sites. Phantom websites appear online all year round. They look legitimate, resembling well-known online retailers. But only do business with those you recognize. Established online merchants are best.
  3. Unsolicited emails that request sensitive data such as credit card numbers or lead you to a too-good-to-be-true offer are most likely phishing emails. Don’t disclose your information, and don’t click unknown links.
  4. Check your credit card statements daily, if possible. Once a week is sufficient. Refute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less.

Internet crime schemes steal millions of dollars annually from victims. If you are looking for more helpful tips, the Internet Crime Complaint Center is a great resource. Their site provides preventative measures that help you be more informed prior to making purchases on the Internet.

Holiday schemes will be in full force this year. Charge or purchase wisely.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Javelin Study Shows Increased Credit Card Fraud Risk

Consumers, businesses, retailers, and even the media are becoming numb to news about data breaches. Not a week goes by when we don’t hear of another major breach affecting thousands or even millions of customer accounts.

Criminal hackers are getting smarter and savvier all the time, and they often have better technology than the banks and retailers tasked with protecting your data.

Time reported on a recent Javelin Strategy and Research survey in which Javelin analyzed 23 of the biggest credit card issuers’ online security practices. When companies were graded on a 100-point scale, the average result was just 59. Javelin head of security and risk analyst Phil Blank, who authored the study, explained, “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback.”

The report also found that for a full year after your bank account information has been hacked, there is a strong chance that you will be a victim of credit card fraud. So even though you may be getting a little hardened to data breach warnings, you still need to watch your credit card statements closely. As long as you dispute unauthorized credit card charges within 60 days, federal laws limit liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

One of the FFIEC’s recommendations for financial institutions involves using complex device identification. iovation, an Oregon-based security firm, offers an advanced device identification service that incorporates real-time risk assessments, the history of fraud on linked devices (such as chargebacks, identity theft and credit application fraud) and exposes fraudsters working together to steal from online businesses.

“Complex device identification” involves the creation of a digital fingerprint based on several characteristics of the device including hardware and software configuration, Internet protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy.

“Device reputation” offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations (linking devices and accounts), and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions, taking into account how a particular device behaves or has behaved beyond its activity with one financial institution, its usage by the current user or other users, and its relationship to other devices. This chart explains what is involved with each:
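To make the distinction between the two concrete: a fingerprint only answers “is this the same device?”, while reputation adds what that device has done elsewhere. The following is an added example, not iovation’s code or data; the device attributes, login events, scoring weights and the velocity threshold are constructed assumptions chosen to show how the signals (own fraud history, tainted associations, velocity, proxy use) combine into an allow/review/deny outcome.

```python
"""Device fingerprint (complex device ID) versus device reputation.

Added example for the two paragraphs above; it is not iovation's code or
data. The device attributes, login events, scoring weights and thresholds
are constructed assumptions chosen to show how the signals combine.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta


def device_fingerprint(attrs):
    """Complex device identification: a stable digest of hardware/software
    traits, IP and geolocation. Keys are sorted so attribute order does not
    change the fingerprint."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


class DeviceReputation:
    """Macro view: history and associations of a device across accounts."""

    def __init__(self, velocity_window=timedelta(hours=24), velocity_limit=3):
        self.window = velocity_window
        self.limit = velocity_limit
        self.logins = defaultdict(list)        # device -> [(time, account)]
        self.accounts = defaultdict(set)       # device -> accounts used
        self.devices = defaultdict(set)        # account -> devices used
        self.fraud_history = defaultdict(set)  # device -> {"chargeback", ...}

    def record_login(self, device, account, when):
        self.logins[device].append((when, account))
        self.accounts[device].add(account)
        self.devices[account].add(device)

    def mark_fraud(self, device, kind):
        self.fraud_history[device].add(kind)

    def velocity(self, device, now):
        """Distinct accounts used from the device inside the window."""
        cutoff = now - self.window
        return len({acct for t, acct in self.logins[device] if t >= cutoff})

    def associated_devices(self, device):
        """Web of associations: every device sharing an account with this one."""
        linked = set()
        for acct in self.accounts[device]:
            linked |= self.devices[acct]
        linked.discard(device)
        return linked

    def assess(self, device, now, via_proxy=False):
        """Score the device and return (decision, score, reasons)."""
        score, reasons = 0, []
        if self.fraud_history[device]:
            score += 60
            reasons.append("own fraud history: " + ", ".join(sorted(self.fraud_history[device])))
        tainted = [d for d in self.associated_devices(device) if self.fraud_history[d]]
        if tainted:
            score += 30
            reasons.append(f"linked to {len(tainted)} device(s) with fraud history")
        v = self.velocity(device, now)
        if v > self.limit:
            score += 25
            reasons.append(f"velocity: {v} accounts within {self.window}")
        if via_proxy:
            score += 15
            reasons.append("connection through an anonymising proxy")
        decision = "deny" if score >= 60 else "review" if score >= 25 else "allow"
        return decision, score, reasons


def demo():
    """Constructed scenario: one laptop with a chargeback cycling through
    accounts, a fresh device that shares one of those accounts and hides
    behind a proxy, and an unrelated clean device."""
    now = datetime(2011, 9, 1, 9, 0)
    laptop = device_fingerprint({"os": "Windows 7", "browser": "Firefox 6",
                                 "screen": "1280x800", "ip": "192.0.2.10", "geo": "US-CA"})
    fresh = device_fingerprint({"os": "Android 2.3", "browser": "Mobile Safari",
                                "screen": "480x800", "ip": "203.0.113.9", "geo": "US-CA"})
    clean = device_fingerprint({"os": "Mac OS X 10.6", "browser": "Safari 5",
                                "screen": "1440x900", "ip": "198.51.100.7", "geo": "US-MA"})
    rep = DeviceReputation()
    rep.mark_fraud(laptop, "chargeback")
    for i, acct in enumerate(["acct-1", "acct-2", "acct-3", "acct-4"]):
        rep.record_login(laptop, acct, now - timedelta(hours=i))
    rep.record_login(fresh, "acct-1", now)   # shares an account with the laptop
    rep.record_login(clean, "acct-9", now)
    return {
        "laptop": rep.assess(laptop, now),
        "fresh": rep.assess(fresh, now, via_proxy=True),
        "clean": rep.assess(clean, now),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{name}: {decision} ({score}) {reasons}")
```

The fresh device has never done anything wrong itself; the fingerprint alone would let it through. It lands in review purely because of the association graph and the proxy, which is the “macro view” the paragraph describes.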

Leading financial institutions aren’t merely complying with the FFIEC’s security recommendations, but are going beyond it by incorporating device reputation and other authentication and anti-fraud tools into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

The Evolution Of Online Fraud Prevention

Around 1994, when I operated a small mail order catalog business, it was very difficult to obtain “merchant status,” or approval to accept Visa, MasterCard, Discover, and American Express cards. It was easier if you had a storefront, but payment processors made mail order businesses jump through more hoops.

Their main concern was that companies could set up shop, accept tons of credit card charges, and then vanish, leaving the banks short. Mail order fraud was also big. A stolen credit card could be used to place orders over the phone, and when the fraudulent charges were discovered, merchants would suffer from chargebacks.

At the time, it wasn’t even necessary to provide a correct expiration date, as long as the card wasn’t already expired. Then credit card companies began verifying billing addresses to authenticate mail orders. Eventually, an additional verification code was added to cards, referred to as a CVC or CVV. We still use these codes today, but they can be fraudulently obtained in a number of ways.

When merchants moved from catalogs to websites, IP addresses were used to track transactions. But bad guys figured out how to spoof them.

Now we have a number of new technologies designed to fight credit card fraud. The most effective and widely implemented is device reputation, an effective online fraud prevention method that helps protect retailers from fraudulent CNP transactions by examining the computer or other device for a history of unwanted behavior, plus any suspicious activity at the time of transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, flagged 35 million online transactions as high-risk in the last year for its clients and will flag 50 million or more by the end of 2011.

Protect yourself from credit card fraud by checking your statements regularly. Set up your own email alerts so that, at a minimum, you are notified whenever a transaction over an amount you specify occurs on your account. Businesses set up triggers and alerts to protect themselves; shouldn’t you?

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Username and Passwords Are Facilitating Fraud

In 2005, the Federal Financial Institutions Examination Council stated:

“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”

Here we are in 2011, six years later, and well over half a billion records have been breached. And while it is true that not all of the compromised records were held by financial institutions, or were accounts considered “high-risk transactions,” many of those breached accounts have resulted in financial fraud or account takeover.

Back in 2005, you might have had two to five accounts that required you to create a username and password in order to log in. Today, you may have 20 to 30. Personally, I have over 700.

The biggest problem today is people most often use the same username and password combination for all 20 to 30 accounts. So if your username is name@emailaddress.com, and your password is abc123 for one website that ends up getting hacked, it will be easy enough for the bad guy to try those login credentials at other popular websites, just to see if the key fits.

The quick and simple solution is to use a different username and password combination for each account. The long-term solution is for website operators to require multifactor authentication, which may include an ever-changing password generated by a text message, or a unique biometric identification.

Until that time, the three best tips for creating an easy-to-remember but hard-to-guess password are as follows:

Strong passwords are easy to remember but hard to guess. “Iam:)2b29!” consists of ten characters and says, “I am happy to be 29!” (I wish).

Use the keyboard as a palette to create shapes. “%tgbHU8*” forms a V if you look at the placement of the keys on your keyboard. To periodically refresh this password, you can move the V across the keyboard, or try a W if you’re feeling crazy.

Have fun with known short codes or sentences or phrases. “2B-or-Not_2b?” says, “To be or not to be?”

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Canadian Charged in Ticket Scams – Auction Sites Need to Step Up Fraud Prevention Techniques

Online classified advertising site scams are typically conducted by scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia, who spend their days targeting consumers in the developed world.

Scammer grammar and general awkwardness make these scams relatively easy to detect. But when a scammer is local, the ruse becomes more insidious and effective.

The Toronto Sun reports that a man in Hamilton, Ontario faces “60 charges for allegedly selling thousands of dollars worth of non-existent tickets to concerts and sporting events, mostly at venues in Toronto.” The suspect “allegedly used Craigslist to sell tickets to pop concerts like Lady Gaga, Taylor Swift and Justin Bieber, or sporting events like Wrestlemania.”

As in most Craigslist scams, the perpetrator had the victims wire money to him, and in this case it was to a local account, which reduced suspicions. He told victims they would get a shipping confirmation number once the money was received, but of course, this was entirely bogus.

At the top of every post, Craigslist reminds you, “Avoid scams and fraud by dealing locally!” But they may not consider that scammers can deal locally, too. My suggestion is to always meet the seller with cash in hand, or simply buy tickets directly from the venue or venue’s website.

Craigslist and auction sites could better protect end users and prevent the majority of these scams by using readily available and proven fraud detection tools on the market. They could easily round up accounts opened by scammers by tracking them back to the computers, tablets and smart phones that opened them up in the first place by using device reputation management. And when those computers try to open more accounts under more stolen identities, the accounts are automatically denied upfront—at the “account creation” stage.

Craigslist could easily employ customized business rules, such as those offered by iovation’s ReputationManager 360 anti-fraud service, to identify high-risk activity. For example, if someone posted a local offer, iovation could expose to the business when users are hiding behind proxies to make it appear as if they were in the local region. If they are selling a used car supposedly in Irvine, California and are going through the work to mask their IP and make it “look” like they are in Irvine, but their real IP exposes that they are in Ghana, wouldn’t that be a red flag? When this happens, the business could automatically deny the attempt in a fraction of a second, or at a minimum send it to a review queue so that fraud analysts can take a closer look before exposing a scammer’s offer to the public.
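The rule the paragraph sketches (declared location versus where the traffic really originates, plus proxy use) and the allow/deny/review recommendation with an explanation of the factors, as described in the new-account-fraud post above, can be written as a small rule set evaluated at posting time. This is an added example, not Craigslist’s code or iovation’s ReputationManager 360; the IP-to-location table, the proxy list and the postings are constructed stand-ins for a real geolocation and reputation service, and the “origin_ip” field stands in for the result of a proxy-busting step.

```python
"""Business rules for vetting a classified-ad posting at submission time.

Added example; not Craigslist's code or iovation's ReputationManager 360.
The IP-to-location table, proxy list and postings are constructed stand-ins
for a real geolocation and reputation service.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables; a real deployment would query a geo-IP database.
GEO_BY_IP = {
    "198.51.100.7": ("US", "Irvine"),
    "203.0.113.9": ("US", "Irvine"),   # exit node of a known anonymising proxy
    "192.0.2.44": ("GH", "Accra"),
}
KNOWN_PROXIES = {"203.0.113.9"}

SEVERITY = {"allow": 0, "review": 1, "deny": 2}


@dataclass(frozen=True)
class Posting:
    poster_id: str
    title: str
    declared_country: str
    declared_city: str
    ip: str                          # address the posting arrived from
    origin_ip: Optional[str] = None  # real address, if proxy busting resolved it


def rule_known_proxy(p):
    """Local offers posted through an anonymising proxy deserve a second look."""
    if p.ip in KNOWN_PROXIES:
        return "review", f"posted through known proxy {p.ip}"
    return None


def rule_location_mismatch(p):
    """Compare the declared location with where the traffic really comes from."""
    effective_ip = p.origin_ip or p.ip
    geo = GEO_BY_IP.get(effective_ip)
    if geo is None:
        return "review", f"no geolocation for {effective_ip}"
    country, city = geo
    if country != p.declared_country:
        return "deny", (f"declared {p.declared_city}, {p.declared_country} "
                        f"but traffic originates in {city}, {country}")
    if city != p.declared_city:
        return "review", f"same country but {city} rather than {p.declared_city}"
    return None


RULES = [rule_known_proxy, rule_location_mismatch]


def vet_posting(p, rules=RULES):
    """Return (decision, reasons): the most severe outcome among all
    triggered rules, plus an explanation of the factors involved."""
    decision, reasons = "allow", []
    for rule in rules:
        hit = rule(p)
        if hit is None:
            continue
        outcome, reason = hit
        reasons.append(reason)
        if SEVERITY[outcome] > SEVERITY[decision]:
            decision = outcome
    return decision, reasons


def demo():
    """Constructed postings: an honest local seller, a masked poster whose
    real address resolved to Ghana, and a proxy user whose origin is unknown."""
    postings = {
        "honest": Posting("u1", "2009 Civic, Irvine", "US", "Irvine", "198.51.100.7"),
        "masked": Posting("u2", "2009 Civic, Irvine", "US", "Irvine", "203.0.113.9",
                          origin_ip="192.0.2.44"),
        "proxy_only": Posting("u3", "Concert tickets", "US", "Irvine", "203.0.113.9"),
    }
    return {name: vet_posting(p) for name, p in postings.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

Every triggered rule contributes its reason even when a more severe rule already decides the outcome, so the analyst in the review queue sees all the factors rather than only the one that tipped the decision.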

In general, with today’s sophisticated fraud prevention technologies and techniques, scammer accounts could and should easily be stopped at the front door (while attempting to set up a new account) — before ads are placed, before ads are read by the public, and before tens to hundreds of visitors act on the ad by engaging in conversation with a cyber criminal who wants to steal their money.

Imagine the scale of bad accounts that could be shut down instantly. Sophisticated fraud rings could be identified within the business’s network and thousands of fraudulent accounts shut down, making Craigslist and other auction sites a much safer place for the public to look for desired products and services.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)