Posts

Country Overrun By Identity Theft Ring

A week’s worth of news reports shows law enforcement agencies all over the country battling identity thieves who steal our personal information and open accounts under our names or take over existing accounts. In every corner of the U.S., from Ft. Lauderdale to Anchorage and San Diego to Queens, busts are happening, but more work needs to be done.

Queens, NY. CBS New York reports: A South Ozone Park man who portrayed himself as a Harvard graduate with plans to open a medical facility has pleaded guilty to identity theft, the Queens District Attorney’s office announced.

San Diego, CA. Imperial Beach Patch reports: Authorities said the defendants ran the ID theft and mail theft ring out of their home. Most of the personal information is believed to have come from stolen real estate files. Investigators found numerous items involved in the ID theft ring at the defendants’ home, including computers, printers, dozens of stolen credit cards and lists describing how to make counterfeit IDs.

Ft. Lauderdale, FL. Sun Sentinel reports: The scheme unraveled after Erskine met with a confidential informant in March to discuss filing for fraudulent income tax refunds. She said Johnson could get a person’s Social Security number, date of birth, and driver’s license information for $150, according to court documents.

Anchorage, AK. KTUU.com reports: An Anchorage man is facing 36 federal charges, including aggravated identity theft, in a case involving more than $150,000 in losses to individuals and businesses he allegedly defrauded. Rogers allegedly created fake documents for nearly two years, from late 2007 until mid-2009, which federal authorities say he then used to make fraudulent purchases.

Consumers must:

  • Protect themselves from account takeover by monitoring their accounts closely, protecting their passwords, and refuting unauthorized charges.
  • Protect themselves from new account fraud by locking down their credit with a credit freeze or identity theft prevention services.
  • Protect their devices with antivirus, antispyware, antiphishing and a firewall.

Identity theft will continue to plague citizens until smart systems are put in place to mitigate new account fraud and account takeover. Businesses are engaging an emerging device identification technology by Oregon-based iovation Inc. that spots cybercriminals by analyzing the reputation of computers and mobile devices used to connect to online businesses. They proactively investigate for suspicious activity and check for characteristics consistent with fraudulent users.

In one major case, iovation helped bust a fraud ring that victimized over 15 people and racked up tens of thousands of fraudulent charges. The case started with a report of $5,000 in fraudulent credit card charges at a large electronics store and two department stores. It just so happens that the credit issuer was using iovation to flag fraudulent credit card applications and track them back to the specific computers and mobile devices used. This information, combined with surveillance photos and other offline detective work, provided the perfect blend of digital and physical data that law enforcement needed to bust the crime ring.

Identity Theft Crime Ring Leader Gets 25 Years

The leader of a crime ring was sentenced to 25 years in state prison for stealing thousands of personal identities and counterfeiting credit cards to buy high-end goods to be resold on eBay and Craigslist. Christopher John Aragon, 52, Capistrano Beach, pleaded guilty March 26, 2012, to 50 felony counts including 33 counts of unauthorized use of personal identifying information, 13 counts of grand theft, two counts of counterfeiting access cards, and one count each of conspiracy to commit a crime and the sale or transport of a controlled substance. He also admitted to two sentencing enhancements for property damage over $1 million and aggravated white collar crime over $500,000.

Dude was a prolific identity thief.

Between March 29, 2004, and April 15, 2007, Christopher Aragon led a crime ring which included his wife Clara Aragon and six co-defendants. Co-defendant Shitrit was a hacker who obtained victims’ credit card numbers used to encode forged credit cards. Christopher Aragon and his co-defendants used credit profiles and personal identifying information of victims to make fraudulent California driver’s licenses, credit cards, and gift cards. The defendants encoded the magnetic strips of the credit and gift cards with stolen account information, and used the cards to purchase high-end merchandise, including designer handbags, jewelry, clothing, and electronics.

At Shitrit’s Aliso Viejo apartment, investigators found a forgery lab designed to encode credit cards that was in the process of being set up, along with credit card writers and thumb drives with thousands of hacked and stolen credit card numbers.

In a similar bust, Kirkland, Washington police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within their vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

Protect yourself:

Get a credit freeze

Monitor your credit card statements

Get a locking mailbox

Check your credit report at least every year.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Skimming, Identity Theft and How Online Businesses Defend Against Cybercrime

Over the past 5 years, a scam known as electronic funds transfers at the point of sale (EFTPOS) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have been adept at coming up with ways to skim those customer cards.

In one such case, Romanian hackers were indicted on charges of remotely accessing hundreds of small businesses’ POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

SCMagazine reports: “An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company’s network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure open Microsoft’s Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals.”

Card skimming is just one of many ways that cybercriminals obtain access to stolen identities. And what happens once they have this information? They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and offices. How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?

Many start by identifying the device being used to access their website, through advanced device identification technology. Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device? Is that a device that is already known to iovation’s cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Oftentimes, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?

iovation also helps its clients understand the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly customized business rules as the transaction or activity is attempted. Many of iovation’s clients have more than 100 business rules on their site that help them assess risk in real time. These business rules can trigger on factors including velocity, device anomalies, proxy use, age of the device-to-account association, and more.

Last week at the Merchant Risk Council Platinum Meeting in Seattle, iovation demonstrated its ReputationManager 360 fraud prevention service and showed, in simple terms, what happens during a real-time device reputation check.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

14 Busted In Tax Fraud Identity Theft

Calling all identity thieves: stop wasting your time trying to open new credit card accounts or taking over existing credit card accounts; the money is in IRS tax-related identity theft.

The IRS is struggling to keep up with all the fraudulent income tax returns coming in via U.S. postal and online filings. Criminals are obtaining millions of Social Security numbers, filing under the victims’ personal information, and collecting their refunds at an alarming rate.

Reuters reports “Fourteen people were arrested on Wednesday and charged with operating a long-running U.S. identity theft ring that filed thousands of fraudulent federal income tax returns to claim $65 million in illegal refunds, according to the U.S. Attorney’s office in New Jersey.”

Criminals are filing thousands of fake returns using real people’s information and collecting millions. The U.S. Attorney was quoted saying “The defendants in this case allegedly tried to steal $65 million using stolen identities to obtain refunds to which they were not entitled.” But they still managed to get $11.3 million. Many of the refund checks were being sent to the same addresses.

The Treasury Inspector General for Tax Administration reports over 2 billion dollars lost annually to tax-related identity theft, with victims doubling in 2011 to over 641,000. The Treasury also stated that $26 billion could be lost in the next 5 years if the IRS doesn’t fix the problem. The problem stems from the IRS not being able to effectively determine if a return is being filed in good faith or fraudulently.

One way to determine if an online filing is legitimate is to check the reputation of the device issuing the tax return. If the PC, Mac, tablet or smartphone has a history of online criminal behavior or is exhibiting real-time suspicious behavior, the transaction could be flagged for review before the return is accepted or processed. By using advanced device reputation as the first check in the fraud detection process, the IRS would be able to stop many more fraudulent tax returns as well as downstream fraudulent activities.


Preventing Identity Theft of the Deceased

Identity theft of the deceased is so wrong, and so easy, thanks in part to the availability of public records. In the 1990s, a provision in a federal welfare reform law created a loophole allowing swindlers to obtain Social Security numbers of the recently deceased.

Some states’ records and statistics registries include Social Security numbers on all certified death certificates. And for $18, you or anyone else can obtain a death certificate.

Experian, one of the three largest credit bureaus, was asked, “My wife has died. Should I give Experian the details, to prevent her name being used for identity fraud?”

Experian responded, “It is certainly a good idea to alert Experian and the other credit reference agencies to your wife’s passing. Remarkably, some fraudsters do target the identities of the recently deceased. We will check to make sure all her credit agreements have been closed down and also make it clear on our records that she has passed away.” For more details on how to report the death of a relative to prevent social security scams, please read Experian’s advice here.

Deaths are generally reported to the Social Security Administration in a relatively timely fashion, but not always. As far as I can tell, there is no IRS form designed specifically for this purpose, although the IRS does demand “a final accounting,” a responsibility that falls to the survivors or executor. When a taxpayer dies, a new taxpaying entity—the taxpayer’s estate—is born to ensure no taxable income falls through the cracks.

The three credit bureaus maintain a list of the deceased based on data from the Social Security Administration. But it can take months for these bureaus to update their databases with the latest social security information and prevent identity theft. By contacting the credit agencies directly, you can report a death with confidence that the information will be recorded immediately.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News. Disclosures

How the Rich and Famous Prevent Identity Theft

Despite what you may assume, most celebrities and other extremely wealthy individuals do not relish living in a fish bowl, with every move scrutinized. While some certainly do flaunt their wealth, the vast majority do not want you dropping by their home or following them into the bathroom.

The average people who post their whereabouts online, constantly update their status, or list themselves in the phone book generally have nothing to hide. But in a celebrity-obsessed culture, the rich and famous are frequently stalked or harassed, and, since their personal data is so readily available, their identities are more likely to be stolen.

Every seemingly innocuous personal detail available to a criminal can be used to obtain more information, until that criminal has developed a full profile of the potential victim. A series of little crumbs ultimately leads to a loaf of bread.

The solution is called “security through obscurity.” Now, that statement might mean something different in certain circles, but in this case it means that the best way to secure your identity is to hide, buried in the abyss of the Internet, under assumed names, behind a corporate identity. This doesn’t mean using a stolen identity, but rather creating a corporate alias.

Once you have established a corporation, which is not difficult, you can operate under the business’ name to apply for credit, set up utilities, purchase property, and execute most other transactions. Or you might continue using your own name, but obfuscate your role by listing yourself as a low-level employee instead of CEO.

Regardless of the methods you may use to obscure your identity, you cannot hide your device reputation. Unless you rely exclusively on cash for every transaction and never access the Internet, your computer, smartphone, or tablet has an established online reputation. This is a good thing because it validates your transactions without having to go into your personal details. For example, if you use a corporate credit card to make an online purchase, the retailer can use device reputation technology to analyze the device’s level of risk and determine whether it has a history of fraudulent behavior.

If a retailer is using iovation’s ReputationManager 360, they will know immediately when a customer is attempting to make a purchase with a laptop masking its real location, and if it has been involved in fraud in the past at other iovation-protected businesses. This transaction can be routed to a manual review queue proactively in real-time, giving businesses a chance to prevent losses before they occur.

ID Thief Gets 5 Years for Stealing Identities of More Than 50 People

In California, an identity thief was recently sentenced to five years in prison for committing what appears to be classic new account fraud. The thief reportedly used a victim’s identity to open a mailbox at a shipping store in Modesto, which he often used to have fraudulently issued credit cards and other financial and identity information mailed.

Typically, new account fraud refers to financial identity theft in which the victim’s personally identifying information, generally a Social Security number, is used to open new accounts on the strength of the victim’s name and good credit standing, which are then used to obtain products and services.

Since a thief typically provides an alternate mailing address, such as the shipping store mailbox used in this particular case, the victim never receives the bills accumulating in his or her name, and may remain entirely unaware of the accounts’ existence until the debts have gone unpaid long enough to prompt creditors to track down the victim.

This thief used victims’ information to create fake driver’s licenses with his photo, which helped make the scam stick when he was asked for ID when using fraudulently obtained credit cards.

There are technologies that help credit issuers detect and stop new account fraud by providing real-time intelligence on the device being used to apply for online credit. This technology, called device reputation by iovation Inc., not only alerts businesses when velocity thresholds have been met, it also exposes whether financial fraud, identity theft and other frauds have been attempted by the device or associated computers.

Credit issuers can set up and customize their own unique business rules, and iovation analyzes each application and then returns an allow, deny, or review recommendation for the transaction, along with an explanation of the factors involved.

By identifying new account fraud in real time, credit issuers can save millions of dollars in fraud losses annually. In one case, a Fortune 100 company used iovation to identify 43,000 fraudulent credit applications and save themselves $8 million in fraud loss over two years.


Identity Thief Gets 4 Years in Club Fed

Four years and six months doesn’t seem like a particularly severe sentence for a thief in Washington state who stole 15 people’s identities, including four police officers, created fake driver’s licenses, washed checks, and used “mules” to steal sensitive documents, make purchases with stolen credit, and sell the merchandise. The thief’s attorneys described him as a “38-year-old drug addict who has had medical and mental setbacks and was living in a motel.” I don’t know what his mental setbacks are, but all the meth he was doing may have been a contributing factor.

I spoke about this very case at the Merchant Risk Council’s 2012 MRC Annual e-Commerce Payments & Risk Conference in Las Vegas. I shared the stage with Detective Adam Haas, who investigated the case, and Jon Karl, from device reputation leader iovation, to discuss “How Device Associations Helped Law Enforcement Tie Multiple ID Theft Cases Together.”

The thief in this case stole tax records and Social Security numbers from mailboxes and used the stolen information to take over victims’ credit accounts and to create counterfeit checks and fake driver’s licenses, which he used to purchase expensive items at local stores. He sold many of the stolen items on eBay or Craigslist, or simply exchanged them directly for drugs. After being arrested and released pending trial, the thief fled, posted “catch me if you can” on his MySpace page, and continued committing the same crimes. In January, he pled guilty to bank fraud and aggravated identity theft.

Kirkland police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within their vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

In a statement, the Detective commented, “The online digital bread crumbs sniffed out by iovation were critical in tying everything together, leading to a much bigger crime ring than we originally suspected.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses organized criminal hackers on Good Morning America. (Disclosures.)

Identity Theft Still On the Rise

For the 12th year in a row, identity theft complaints top the list of consumer complaints received by the Federal Trade Commission. 15% of more than 1.8 million total complaints filed in 2011 involved identity theft.

Javelin Strategy & Research estimates that nearly 12 million Americans were victims of identity theft in 2011—a 13% increase over 2010. Interestingly, but not surprisingly, Javelin attributes this increase to the proliferation of smartphones and the popularity of social media, in addition to several major data breaches resulting in tens of millions of records being leaked.

Websites like Facebook certainly provide a great deal of data that can be used to help criminals crack knowledge-based passwords, and websites like LinkedIn make it easy for criminals to gather additional intelligence in order to conduct social engineering scams. Meanwhile, smartphones have become the keys to many of our digital lives now that we use them for social media, online shopping, and online banking. Smartphone users are even more likely to be victimized if they neglect to password-protect their devices, which are often lost or stolen.

Access to so much sensitive data has allowed criminals to take over existing credit accounts and quickly turn that data into cash. The most popular strategies are for fraudsters to add their own names as registered account users, or to change the physical address for a stolen account.

Account takeover or hijacking could be detected and prevented if online banking and shopping websites integrate a real-time device reputation check at the point where profile or account information is being updated. This check raises red flags when certain business rules are triggered, such as exceeding a business’s predetermined threshold. Examples might be when an account is being accessed from a brand new country, when too many different devices are accessing an account, or when the device making account updates has exceeded the number of accounts that it is associated with at that bank or retailer. By customizing and weighting real-time business rules to prevent bad actors from accessing your customer accounts, this early detection might mean the difference in keeping a good client’s account safe, keeping that good customer’s business, and keeping bad actors out.
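The account-update rules named above (new country, too many devices on one account, one device tied to too many accounts), together with velocity and proxy use, can be expressed as weighted checks that return an allow, review or deny decision with its reasons. This is an added example, not iovation's product or API; the event fields, thresholds, weights and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed thresholds and weights; each business would tune its own.
MAX_DEVICES_PER_ACCOUNT = 3
MAX_ACCOUNTS_PER_DEVICE = 2
VELOCITY_WINDOW_S = 3600
MAX_EVENTS_PER_WINDOW = 3
WEIGHTS = {"new_country": 30, "new_association": 10, "device_count": 25,
           "account_count": 40, "velocity": 25, "proxy": 20}
REVIEW_AT, DENY_AT = 30, 70

@dataclass
class Event:
    ts: int            # seconds since start of the sample
    account: str
    device: str        # opaque device identifier (hypothetical format)
    country: str
    proxy: bool = False

class RuleEngine:
    """Keeps per-account and per-device history and scores each new event."""
    def __init__(self):
        self.countries = defaultdict(set)   # account -> countries seen
        self.devices = defaultdict(set)     # account -> devices seen
        self.accounts = defaultdict(set)    # device  -> accounts touched
        self.recent = defaultdict(list)     # device  -> event timestamps

    def evaluate(self, ev):
        reasons = []
        seen_countries = self.countries[ev.account]
        seen_devices = self.devices[ev.account]
        # Account accessed from a country it has never been used from.
        if seen_countries and ev.country not in seen_countries:
            reasons.append("new_country")
        if ev.device not in seen_devices:
            # Brand-new device-to-account association on an account with history.
            if seen_devices:
                reasons.append("new_association")
            # Too many different devices on one account.
            if len(seen_devices) + 1 > MAX_DEVICES_PER_ACCOUNT:
                reasons.append("device_count")
        # One device associated with too many accounts.
        if len(self.accounts[ev.device] | {ev.account}) > MAX_ACCOUNTS_PER_DEVICE:
            reasons.append("account_count")
        # Velocity: events from this device inside the sliding window.
        window = [t for t in self.recent[ev.device] if ev.ts - t < VELOCITY_WINDOW_S]
        if len(window) + 1 > MAX_EVENTS_PER_WINDOW:
            reasons.append("velocity")
        if ev.proxy:
            reasons.append("proxy")
        score = sum(WEIGHTS[r] for r in reasons)
        decision = "deny" if score >= DENY_AT else "review" if score >= REVIEW_AT else "allow"
        # Device-side history always grows; the account's "known" sets only
        # grow from allowed events, so a flagged event cannot whitelist itself.
        self.accounts[ev.device].add(ev.account)
        self.recent[ev.device] = window + [ev.ts]
        if decision == "allow":
            seen_countries.add(ev.country)
            seen_devices.add(ev.device)
        return decision, score, reasons

# Constructed sample: D1 is the account owner's device, D9 touches many accounts.
SAMPLE = [
    Event(0, "A1", "D1", "US"),
    Event(100, "A1", "D1", "US"),
    Event(200, "A1", "D9", "DE", proxy=True),
    Event(300, "A2", "D9", "DE", proxy=True),
    Event(400, "A3", "D9", "DE", proxy=True),
    Event(500, "A4", "D9", "DE", proxy=True),
]

def run_sample():
    engine = RuleEngine()
    return [engine.evaluate(ev) for ev in SAMPLE]
```

On the sample, the owner's device is allowed, the first use of D9 on account A1 goes to review, and D9 is denied once it has touched four accounts inside the velocity window.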


How safe is my identity? What are the latest threats? How do I protect myself?

The 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier, released by Javelin Strategy & Research, reports that in 2011 identity fraud increased by 13 percent. More than 11.6 million adults became victims of identity fraud in the United States, while the dollar amount stolen held steady.

Identity theft occurs when someone takes your personally identifiable information (PII), and misuses it, abuses it, and adapts it to his or her own life, often for financial gain.

From the report:

  • Approximately 1.4 million more adults were victimized by identity fraud in 2011, compared to 2010.
  • One of the key factors potentially contributing to the increase in incidents was the significant rise in data breaches. The survey found 15 percent of Americans, or about 36 million people, were notified of a data breach in 2011. Consumers receiving a data breach notification were 9.5 times more likely to become a victim of identity fraud.
  • Javelin examined social media and mobile phone behaviors and identified certain social and mobile behaviors that had higher incidence rates of fraud than all consumers. LinkedIn, Google+, Twitter and Facebook users had the highest incidence of fraud.
  • Consumers are still sharing a significant amount of personal information frequently used to authenticate a consumer’s identity
  • 68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet’s name—all are prime examples of personal information
  • Those with public profiles (those visible to everyone) were more likely to expose this personal information
  • Seven percent of smartphone owners were victims of identity fraud. 32 percent of smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen—enabling anyone to access their information if the phone is lost
  • 67 percent increase in the number of Americans impacted by data breaches compared to 2010

Protect yourself:

Lock down your PC with antivirus, antispyware and antiphishing. Keep your computer’s operating system up to date with critical security patches.

Keep social media professional. Once you start sharing every aspect of your life online, you begin to give away some answers to the knowledge-based questions used to reset account passwords.

Watch your accounts closely. Look at your statements online weekly for unauthorized activity. Report fraud immediately.

Get identity theft protection and/or a credit freeze.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures