The Daily Caveat is written by Michael Thomas, a recovering corporate investigator in the Washington, DC-area.

8/03/2008
Countrywide Financial Analyst Arrested on Identity Theft Charges
Wahid Siddiqi - what a guy. Buying and selling his customers' private data. You'd think these Countrywide guys were crooks or something.

-- MDT

5/05/2008
Lifelock Sued Over False I.D. Theft Protection Claims
You've seen the ads - with bozo CEO, Richard "Todd" Davis, touting that their product makes your personal info so secure, he's put his own social security number up in Times Square.

Actual Lifelock customers have found the results to be somewhat less than stellar, leading to a class action against the firm.

Oh, and the Lifelock CEO's social... (wait for it) ...is currently being misused by maybe 20 different identity thieves. Also, there is the small matter of a Lifelock co-founder sitting in jail for unpaid gambling debts.

Get the sad skinny at The Consumerist.

-- MDT

4/09/2008
Fifteen Bucks
That's about how much your identity is worth, according to a new Symantec security threat report.

And, a little more color on the sound footing of cyber crime economies.

Check it out.

-- MDT

3/11/2008
Top 25 Leaky Institutions
Interesting report from Chris Hoofnagle at Berkeley handicaps which institutions are most likely to bungle the handling of your private deets.

-- MDT

Who is Stealing from Kurt Cobain?
No, it's not Courtney Love. But it is an interesting story.

NME has the details.

-- MDT

1/23/2008
Choicepoint Avoids SEC Investigation
Sighs of relief all around, I'd imagine.

-- MDT

1/06/2008
Ohio Bureau of Workers’ Compensation Worker Pinched For Selling Personal Data to Private Investigator
PI Newslink has the details.

-- MDT

4/04/2007
New Pretexting Rules Delivered By the FCC
Techdirt does their usual bang-up job covering the FCC's new ruling that puts further restrictions on pretexting. Unlike the recent anti-pretexting law passed in the U.S., which was aimed squarely at the pretexters themselves, the FCC action is designed to plug the holes on the other side of the conversation, establishing more secure practices within telecom companies to prevent the exposure of personal data. Better alert practices for consumers and law enforcement are also part of the package. Amongst the consequences of the FCC's new ruling are:
  • Phone companies cannot release customer phone call records unless the customer provides a password. In the absence of a password, the company can only send the data to the customers' address of record or call the customer back at their phone number of record.
  • Carriers must notify the customer immediately if their password changes.
  • Telcos must get explicit consent from customers before sharing calling data with marketing partners and independent contractors.
  • Carriers must submit an annual certification to the FCC that includes actions taken against pretexters and a summary of relevant complaints from consumers.
Check out the full pretexting piece from Techdirt, or go straight to the horse's mouth and read the FCC's order (look for the date 4/2/07).

-- MDT

2/14/2007
FBI Laptops Go Missing (Lost and or Stolen)
Also missing, you might imagine, is a bit of the agency's dignity. But the 160 laptops lost or stolen over the last four years (including some from counter-terrorism and counter-intelligence divisions) is actually down by about HALF from the preceding audit period, when 317 laptops walked out the door or got lost behind the water cooler.

So, um, I guess good work guys...

Due to the recent Veterans Affairs laptop disappearance and related identity theft concerns, the Federal government issued a directive back in June of '06 that within 45 days all civilian agencies would be required to institute laptop security measures. So far compliance is at about 10%.

You can get the full story (both the '07 and '02 audit reports) over at the Justice Department's Office of the Inspector General. The '07 report is only available as a PDF at present. There is an HTML version of the '02 report, found here.

-- MDT

1/19/2007
More on Bryan Wagner Guilty Plea, HP PI To Flip For Prosecution
From the SacBee, one of those stories I meant to post late on Friday but that got held over until today. Last week the papers were hinting that HP subcontractor Bryan Wagner would be testifying for the prosecution; here's why:

Bryan Wagner, who faces federal identity theft and conspiracy charges, is accused of posing as a journalist to access the reporter's private phone records as part of the computer and printer maker's ill-fated attempt to ferret out the source of boardroom leaks to the media. The way Wagner was charged Wednesday - he agreed to waive grand jury proceedings - suggests he's likely cooperating with investigators aiming for more high-profile targets, said Matthew Jacobs, a former federal prosecutor in San Francisco who is now in private practice.

"The government likes to start at the lowest point in the chain of responsibility and flip people," Jacobs said. "What it signals is that the government is trying to build the case against those more senior."

More on Wagner's fate via The Sacramento Bee.

-- MDT

1/17/2007
Sentencing in June for HP Private Investigator
Following Bryan Wagner's guilty plea, a date has been set for his sentencing - June 20th 2007. Wagner's lawyer has also, apparently, confirmed that Wagner will be testifying for the prosecution.

1/16/2007
HP Private Investigator Pleads Guilty to Identity Theft
Bryan Wagner takes a fall.

This guy is not even 30...a cautionary tale for P.I.s who put saying "yes" to a client above the client's best interest - and their own...

Wagner's actions were undoubtedly pursuant to the request and at the direction of someone. And we'll find out who, because Wagner seems to be cooperating. Federal prosecutors are not going to settle for busting the chops of some subcontractor when he can give them HP top brass and, perhaps, a few names from Wilson Sonsini too.

Check out the typical great collection of links on the story from The Jurist.

-- MDT

1/12/2007
P.I. Faces Criminal Indictment in HP Pretexting Case
This would not be the folks from the Boston-area firm, Security Outsourcing Solutions, that you've read about previously, but rather P.I. Bryan Wagner out of San Francisco.

Wagner has been indicted in California on charges of utilizing the social security number of a journalist to obtain that individual's telephone records. He apparently did so at the direction of HP execs, their legal team or other investigators working on HP's behalf as a part of their internal "Kona 2" investigation to identify the source of HP's persistent high-level media leaks.

Wagner is facing charges of conspiracy and identity theft, which could carry penalties of up to seven years in jail. The California AG's office had previously announced that they were going to go hard on this matter and it looks like they are following through on the threat. It is expected, though, that the Wagner indictment is just bait to catch bigger fish. He is expected to cooperate with authorities.

Read more on the Wagner indictment via the IHT.

-- MDT

11/16/2006
Data Breaches 2006, A Pictorial Guide
Going back to the well, from earlier in the week... Here's another great post at The Consumerist, a pictorial history of the year's major breaches, a subject we've been following for quite a while now. Check it out here.

-- MDT

8/03/2006
Kroll Worldwide Hires New York City Official
From the press release:
Senior Criminal Justice Official for NYC Mayor's Office Joins Kroll

Press Release
August 1, 2006

Richard Plansky, formerly the Deputy Criminal Justice Coordinator for the Office of the Mayor of the City of New York, has joined Kroll, the global risk consulting company, as a managing director in its Business Intelligence & Investigations division.

Based in Kroll's head office in New York, Plansky is responsible for corporate investigations, fraud prevention and detection, and integrity due diligence.

Plansky, a 14-year veteran of the criminal justice system, has led complex investigations involving sex crimes, homicides, police shootings, larcenies, and other serious crimes. Most recently, as Deputy Criminal Justice Coordinator, he oversaw the development of multi-agency criminal justice initiatives, including a comprehensive program targeting the distribution and use of illegal guns. He also developed the John Doe Indictment project, a citywide effort to preserve unsolved sex crimes for later prosecution through the use of DNA technology.

Plansky began his career as an assistant district attorney in New York County where, from 1992 through 2001, he prosecuted 30 Supreme Court trials and conducted more than 150 grand jury presentations and investigations. He subsequently served as assistant general counsel at the City University of New York, where he led extensive investigations involving allegations of organized cheating and identity theft, as well as student and faculty misconduct.

In 2002, Plansky was appointed special counsel to the Mayor's Criminal Justice Coordinator, and was promoted the following year to general counsel and director of the Mayor's Office of Midtown Enforcement. In this role, he oversaw all legal affairs, formulated quality of life enforcement strategies, and developed and coordinated a wide spectrum of criminal justice programs, including an initiative to combat large-scale trademark counterfeiting establishments.

Plansky received his Juris Doctor, magna cum laude, from Harvard University.

More on Kroll, here.

-- MDT

7/26/2006
Let's Call it a Low Risk of Identity Theft
More than 8,000 New York City homeless have their personal data exposed via an errant email.

-- MDT

6/28/2006
Data Insecurity at the GAO?
Regular readers of this space will already be aware that I am, in general, a big fan of the GAO, the former General Accounting Office, recently given the un-sexy new backronym Government Accountability Office. Normally it is the GAO that lays down the law on government waste, fraud or incompetence, but this week it was their turn to take the credibility hit. Apparently the agency has inadvertently exposed personal information for some 1,000 people via its website, GAO.gov. The personal details were included on 1970s-era Defense Department travel vouchers. While there has been no indication that the data (which included the identity theft Rosetta Stone, social security numbers) has been misused, the GAO has made a point of removing it from their website.

The Daily Caveat still loves ya guys.

-- MDT

1/27/2006
FBI Director Calls for Greater Cooperation on Computer Fraud
Direct from Davos and the ongoing World Economic Forum come new recommendations on how best to deal with the growing international dilemma of computer fraud. On the scene was FBI director Robert Mueller, who spoke up for greater information sharing and standardization of regulations to help law enforcement track, combat and prosecute fraud across national boundaries. Via the ever venerable Financial Times:
FBI chief urges exchange on computer fraud data

By Peter Thal Larsen in Davos
The Financial Times
January 26 2006

...Speaking at the World Economic Forum in Davos on Thursday, Mr Mueller said there was no need to create a global agency to battle computer fraud, but added: “There can be standardised regulations and rules relating to data retention and secondly a mechanism for the swift exchange of information.”

His comments come amid signs that computer security and the risk of online fraud are an increasing risk for both companies and consumers. A survey of large companies by Swiss Re shows computer-based risks as their main concern, ahead of other worries such as corporate governance and natural disasters. Meanwhile, research by Visa International, the credit card network, shows that identity theft and fraud is the main concern of consumers around the world...

...The FBI has worked together with other law enforcement agencies to track down hackers who co-ordinate attacks on US companies but are based in other countries. However, Mr Mueller stressed that common regulations in areas such as data retention would make it easier for investigators to track down the perpetrators...
The full article appears here.

-- MDT

1/06/2006
Cell Phone Records For Sale...Legality Optional
The Washington Post ran a story a few months back with a similar theme - that black market vendors of questionable legality are making available cell phone records to anyone with a credit card. A new Chicago Sun-Times article discusses the issue in more depth, describing how internet based vendors use inside sources, either conned or bribed, to surreptitiously snag telephone records. A private investigator is even quoted in the piece stating how he uses these types of tools month-in, month-out.

Frankly, I cannot believe that these stories haven't received wider attention given the recent explosion of identity theft-related stories in the news and Verizon's recent lawsuit against an illegitimate reseller of its customer data. This type of questionable access to sensitive data is, potentially, the steroid abuse scandal of our industry and, just as in sports competition, a reliance on performance-enhancing tools of questionable legality can only mean trouble in the long run.

While there is no doubt that investigators are always on the hunt for new sources of information, as our industry has grown to service a more sophisticated clientele, such as Caveat Research's client base of top-flight legal and financial firms, taking risks on questionable activities while on a client's dime is simply unacceptable. Caveat's work supports crucial business decisions and legal action and our activities have to mirror the best business practices of the clients we service.

Our clients look to us, in part, to recommend courses of action that adhere strictly to federal, state and local regulations. Fraudulently obtained telephone records are simply not a part of that equation. Anyway...enough of my rant. Here's the article:
Your phone records are for sale

January 5, 2006
BY FRANK MAIN
Crime Reporter

The Chicago Police Department is warning officers their cell phone records are available to anyone -- for a price. Dozens of online services are selling lists of cell phone calls, raising security concerns among law enforcement and privacy experts. Criminals can use such records to expose a government informant who regularly calls a law enforcement official.

Suspicious spouses can see if their husband or wife is calling a certain someone a bit too often. And employers can check whether a worker is regularly calling a psychologist -- or a competing company. Some online services might be skirting the law to obtain these phone lists, according to Sen. Charles Schumer (D-N.Y.), who has called for legislation to criminalize phone record theft and use.

In some cases, telephone company insiders secretly sell customers' phone-call lists to online brokers, despite strict telephone company rules against such deals, according to Schumer. And some online brokers have used deception to get the lists from the phone companies, he said.

"Though this problem is all too common, federal law is too narrow to include this type of crime," Schumer said last year in a prepared statement. The Chicago Police Department is looking into the sale of phone records, a source said. Late last month, the department sent a warning to officers about Locatecell.com, which sells lists of calls made on cell phones and land lines.

"Officers should be aware of this information when giving out their personal cell phone numbers to the general public," the bulletin said. "Undercover officers should also be aware of this information if they occasionally call personal numbers such as home or the office, from their [undercover] ones."

Test got FBI's calls in 3 hours

To test the service, the FBI paid Locatecell.com $160 to buy the records for an agent's cell phone and received the list within three hours, the police bulletin said. Representatives of Data Find Solutions Inc., the Tennessee-based operator of Locatecell.com, could not be reached for comment.

Frank Bochte, a spokesman for the FBI in Chicago, said he was aware of the Web site. "Not only in Chicago, but nationwide, the FBI notified its field offices of this potential threat to the security of our agents, and especially our undercover agents," Bochte said. "We need to educate our personnel about the dangers posed by individuals using this site and others like it. We are stressing that they should be careful in their cellular use."

How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter's company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. The request was made Friday after the service was closed for the New Year's holiday.

'Most powerful investigative tool'

On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.

Ernie Rizzo, a Chicago private investigator, said he uses a similar cell phone record service to conduct research for his clients. On Friday, for instance, Rizzo said he ordered the cell phone records of a suburban police chief whose wife suspects he is cheating on her.

"I would say the most powerful investigative tool right now is cell records," Rizzo said. "I use it a couple times a week. A few hundred bucks a week is well worth the money."

Only financial info protected?

In July, the Electronic Privacy Information Center filed a petition with the Federal Communications Commission seeking an end to the sale of telephone records.

"We're very concerned about Locatecell," said Chris Jay Hoofnagle, senior counsel for the center. "This is the company that sold the phone records of a Canadian official to a reporter 'no questions asked.' "

Schumer has called for legislation to criminalize the "stealing and selling" of cell phone logs. He also urged the Federal Trade Commission to set up a unit to stop it. He said a common method for obtaining cell phone records is "pretexting," involving a data broker pretending to be a phone's owner and duping the phone company into providing the information.

"Pretexting for financial data is illegal, but it does not include phone records," Schumer said. "We already have protections for our financial information. We ought to have it for the very personal information that can be gleaned from telephone records."
The original article appears here.

-- MDT

12/09/2005
Identity Theft Overblown?
Interesting article forwarded to us by the National Council of Investigations and Security Services, our industry lobbying group:

Fears over identity theft overblown: US study
From Yahoo News
Thu Dec 8, 12:37 AM ET

A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.

The analysis, released late on Wednesday, also found that even in the most dangerous data breaches -- where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted -- only about 1 in 1,000 victims had their identities stolen.

ID Analytics, the San Diego, California-based fraud detection company that performed the analysis, said it looked at four recent data breaches involving a total of 500,000 consumers. It declined to provide the names of the companies involved in the breaches, but Mike Cook, ID Analytics co-founder, said one of them was a top five U.S. bank.

After six months of study, comparing compromised information against credit applications, ID Analytics said it discovered something counterintuitive: The smaller the breach, the greater the likelihood the information was subsequently used by fraudsters to hijack the identity of victims.

"If you're in a breach of 100, 200 or 250 names, there's a pretty high probability that your identity is going to be used," said Mike Cook, ID Analytics' co-founder.

"The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically."

A study conducted earlier this year by Javelin Strategy and Research, which mirrored the methodology of an earlier Federal Trade Commission study, found that 9.3 million Americans said they had been victimized by identity thieves during the preceding 12 months.

ID Analytics said it discovered that identity thieves have a hard time using a stolen credit card to hijack the identity of the cardholder because the cards are usually quickly canceled -- and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

While the findings will provide some comfort to consumers whose credit cards are lost or lifted or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing Co., some of ID Analytics' suggestions could be controversial.

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

That's likely to rankle consumer watchdogs, who are pushing Congress to enact a law, sponsored by Sen. Arlen Specter, Republican of Pennsylvania, and Sen. Patrick Leahy, Democrat of Vermont, that requires companies to implement tough data security standards and to notify consumers, law enforcement and credit-reporting agencies whenever there's a breach.

"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," said Cook.

"For instance, if they lose data, and they don't know where it is, we think too many notices may not be a good thing. They should probably monitor that and spend dollars on consumers who are actually harmed, rather than spending dollars on 10 million consumers" most of whom won't be affected.

Shareholder Activists Seek Court Blockage of SEC Hedge Fund Rule
Over the summer the business boogey-man du jour was identity theft. Like many other blogs The Daily Caveat rode that wave in part because the giant data aggregators who were some of the prime offenders are the most prominent vendors in our industry. But the business pages have subsequently moved on and identity theft concerns have filtered down to local newscasts sandwiched between lost dog stories and local politics. Hedge fund shenanigans have now taken their turn in the finance pages as the monster in the closet.

Frankly, there is good reason to be wary of the hedge fund marketplace. As fund managers are wont to point out, the alternative investment strategies they employ are not for the average investor. Their clientele has traditionally been made up of financially sophisticated, wealthy individuals who were able - at least theoretically - to understand and assess the strategies employed by their advisors. But the marketplace for hedge fund investors has been changing for several years and by all accounts will continue to do so, as more institutional investors such as pension funds get in on the game.

With this undeniable change comes a not unreasonable desire for hedge funds to work well for everyone. Part of that process is educational. As with any investment decision, caveat emptor must be the rule and fund managers are right to suggest that any investor who does not do their homework is asking for trouble. Consequently companies like Caveat Research are more and more often being asked to assist clients in vetting hedge fund investment opportunities in the same manner we have traditionally assisted other due diligence matters.

But what else can be done structurally to adapt funds to the changing marketplace for their services? Already funds have become more "domesticated" as larger institutions have gotten in on the game. But the occasional bad actor or business strategy gone awry has repeatedly forced the public flogging of hedge funds in the press. Unfortunately as in all areas of business, the bad actors often overshadow the good. The debate over what regulatory changes are necessary, desirable or undesirable continues. Even as the SEC readies itself to take on regulation of some funds early next year, at least one shareholder activist is seeking to block the enactment of the new rule:

Via the Financial Times:
SEC hedge funds rule is challenged

December 08, 2005
Financial Times (MSN Money)

A prominent shareholder activist will on Friday urge a court to strike down the chief US financial regulator's flagship rule to supervise the hedge fund industry. Lawyers for Phillip Goldstein, New York-based head of hedge fund Opportunity Partners, will ask a federal appeals court to declare invalid the hedge fund registration rule drawn up by the Securities and Exchange Commission.

It is the second legal challenge to SEC regulation masterminded by William Donaldson, the former chairman of the regulator, who stepped down in June. The US Chamber of Commerce is seeking to strike down the SEC rule that is supposed to improve mutual fund governance.

In a legal brief submitted to the court of appeals for the district of Columbia, lawyers for Mr Goldstein said the rule on hedge fund registration should be declared invalid "because the SEC does not have the statutory authority to extend its regulatory power to a hedge fund" under the 1940 investment advisers law.

The lawyers also claimed the SEC had acted in a "capricious and unreasonable" manner because it "vastly understated" the compliance costs stemming from the rule, which would be passed on to investors. The rule requires US-based hedge fund managers who control assets of more than $25m to register with the SEC by February 1 next year.

The 1940 law requires many investment advisers to register with the SEC, but it exempts those who have fewer than 15 clients and do not market themselves to the public. In 1985, the SEC said these private advisers could count each partnership into which investors put their money as a single client.

This decision enabled hedge funds, which typically operate as partnerships, to avoid registration even though they may have large numbers of clients. The new rule would require hedge funds to count each investor as a client and so most would have to register.

In its legal brief for the court case, the SEC said Mr Goldstein's challenge had "no merit". The SEC justified the rule by highlighting the rapid growth of hedge funds during the past five years, the rising interest of retail investors in them, and increasing instances of fraud in the industry.
The original article appears here.

Whether the SEC rule is adequate on its face is one thing. Whether they can muster the enforcement resources necessary to make it work is quite another. We shall see what the spring brings, or if these legal challenges gain traction enough to derail the new regulations before they start.

Meanwhile, if you were listening to drive-time NPR last night you probably heard a sympathetic piece on Marketplace, with fund managers decrying the overstated bad-rep their industry is getting. If you missed it, the story is worth a listen if only for a second opinion.

-- MDT

11/07/2005
Data Accountability And Trust Act Makes it Out of Sub-Committee
Late last week the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection approved the Data Accountability and Trust Act (clever acronym alert - DATA). Amongst the elements in the bill, which is now headed towards a vote in the full committee, are:
* Direct the FTC to create rules requiring security for personal information. The FTC would have to take into account the size, nature, and scope of the person's activities, the current state of technology, and the cost of implementing security procedures.

* Require entities to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.

* Require entities to appoint and identify a person in the organization that is responsible for information security.

* Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's Web site is also required. The FTC must also be notified.

* Define "breach of security" as the unauthorized acquisition of personal information where it is reasonable to conclude there is significant risk of identity theft.

* Provide for an FTC or independent audit of an information broker's security practices following a breach of security. It permits the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches.

* Prohibit costly and disruptive lawsuits by preempting state breach notification laws with private rights of action. It expressly preserves state consumer protection laws, as well as state trespass, contract, tort, and other state laws relating to fraud.
With the successful move out of the subcommittee has come another round of folks on both sides of the issue decrying the bill as going too far and, alternatively, not going far enough. Meanwhile, Bob Sullivan at MSNBC's Red Tape Chronicles reminds us that 1 in 10 Americans received notification this year that their personal data could have been accessed illegally. And the Privacy Rights Clearinghouse cites eighty publicized data breaches since February. Heck, just this morning. And, if you are a serious glutton for punishment, this story also received the Slashdot treatment over the weekend.

Of primary concern to your friendly neighborhood investigators at Caveat Research is the potential for the passage of this bill to impair ready access to the essential data we use in the course of serving our clients.
The worry we face as an industry and as an individual company is that Congress, by seeking greater regulation of data aggregators, will impair the fundamental utility of the aggregators' legitimate services.

No one in our industry would seriously argue that the availability of personal data should be an unregulated free-for-all. Rather, sensitive data should be restricted to those with proper licensing as well as an accountable and legitimate reason for requesting it. The National Council of Investigation & Security Services, the investigative community's congressional advocate, describes the issue in this way:
...Social Security numbers should not be made accessible to everyone. We also believe that such personal data should only be made available for those with a legitimate need for it. We are asking members of the Energy and Commerce Committee to provide an exception from the limitation on the use of Social Security numbers for specific purposes as follows:

“to identify or locate missing or abducted persons, witnesses, criminals and fugitives, persons that are or may become parties to litigation, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, missing heirs and persons material to due diligence inquiries.”
Our role is risk mitigation in a business transaction. Without access to personal identifiers, such as social security numbers, we would face the nearly impossible task of separating one John Smith from the next, and our essential role in facilitating business transparency would be undercut. Moreover, the suggested restrictions would in no way actively combat the security lapses that brought aggregators into the public cross-hairs in the first place.

You can download the current version of the DATA bill here (PDF). The Senate is also considering a similar measure, the Personal Data Privacy and Security Act (notably, without a clever acronym) which you can review here (PDF).

-- MDT



10/12/2005
Dutch Police Crack Zombie Ring
When hackers infiltrate an unsuspecting user's PC and quietly begin using it as a base camp for sending out malicious code - such as virus-laden emails - that PC is said to have been zombified. Creepy name for a really creepy practice. What makes it so pernicious, in part, is that the user may never know that their machine has been hacked.

According to this article from Computing.co.uk, authorities in the Netherlands have just cracked a hacker ring that made zombies out of some 100,000 machines - the largest such pack of zombies ever discovered. And just in time for Halloween, too.
Cops smash 100,000 node botnet

Tom Sanders
October 10, 2005
vnunet.com

Dutch authorities arrested three individuals last week accused of running one of the largest ever hacker botnets comprising over 100,000 zombie PCs. The three men, aged 19, 22 and 27, were not named. Police confiscated computers, cash and a sports car during searches of the suspects' homes.

A botnet is a collection of hacked computers at the disposal of a hacker without the owner's knowledge. Botnets are commonly used to launch distributed denial of service (DDoS) attacks or to send spam. With over 100,000 infected systems, the network is one of the largest ever detected, prosecutors claimed.

The suspects will be charged with computer hacking, destructing automated networks, and installing adware and spyware. The trio used the W32.toxbot internet worm to recruit systems for their botnet army. The worm was first detected early this year and infected systems all over the world. Antivirus software to detect and remove the software is available, but the suspects kept changing their malware to avoid detection.

The authorities are also investigating the group's involvement in a blackmail attempt on an unnamed enterprise in the US. It is common practice among online crime gangs to extort the owners of websites, forcing them to pay to prevent a DDoS attack on their networks.

It is also suspected that the group was involved in crafting internet worms with keystroke logging software to gather login names to commit credit card fraud and identity theft.
The original article appears here.

-- MDT



10/05/2005
Choicepoint Trying New Security Protocols
Via the SeattleTimes.com:

ChoicePoint tries to regain trust


October 3, 2005
By Brian Bergstein
The Associated Press

In August, the police in Corona, Calif., got a surprising phone call. The caller said an auditor needed to examine the department's facilities and take pictures inside. To the security-conscious police, the photo demand seemed ridiculous, especially given its source: the data broker ChoicePoint, one of the department's information suppliers. A Corona crime analyst refused the request and asked to speak to a ChoicePoint supervisor. She never heard back.

The episode reveals the delicate balance ChoicePoint is trying to strike as it recovers from a staggering identity-theft scandal in which con artists posing as customers accessed personal information on 145,000 Americans. As it seeks to show iron resolve against fraud, the data giant is struggling not to alienate key customers in the process.

Indeed, the Alpharetta, Ga.-based company has cut off some customers entirely, including debt collectors and other small businesses that once were able to obtain full background reports on people from ChoicePoint. Other customers — including news organizations such as The Associated Press — are finding the last four digits of Social Security numbers masked in ChoicePoint reports.

Such moves — which have won praise — are expected to trim company revenue by up to $20 million a year and earnings by up to 12 cents per share. (Overall, ChoicePoint earned $1.62 per share in 2004 on sales of $884 million.) Meanwhile, customers who still get access to the most sensitive data, including driver's license numbers, are being subjected to site visits and other audits to ensure they are who they say they are — even if those customers are the police.

In fact, the company recently discovered that an unauthorized Miami police officer had used someone else's log-in and password to mine ChoicePoint records. The officer was relieved of duty. Law enforcement accounts for 5 percent of ChoicePoint's revenue — most sales come from companies that use ChoicePoint to assess job, insurance or other consumer applications — but it is a high-profile segment, often touted by the company as proof that society benefits from its amassing of so much data on individuals. The FBI alone queried ChoicePoint files 1.2 million times last year.

Private investigators also are being subjected to new scrutiny. ChoicePoint stumbled early in the crackdown when representatives called many private eyes and asked them to fax over personal and professional information about themselves, according to Brian McGuinness, a Miami investigator who heads the National Council of Investigation and Security Services. "That was kind of ill-conceived," he said. "You're asking these investigators who are very aware of scams to send this sensitive information to some number," without first sending a letter or other confirmation the call was legitimate.

Some riled private eyes called for a ChoicePoint boycott. But ChoicePoint responded by clarifying the process, McGuinness said. Other investigators see the aggressive audits as an overreaction or a public-relations ploy. Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator's license twice. The company agent also wanted bank-account information "and stuff that has nothing to do with my credentials or the nature of my business." "It's absolutely intrusive," she said. Hetherington remains a ChoicePoint customer, but she and many other investigators are quick to note rival providers with fewer hassles.

Indeed, when ChoicePoint stopped selling detailed background reports to debt collectors, there were plenty of other options, said Ramona Featherby, who runs a San Diego collection firm and is president of the California Association of Judgment Professionals. She cited such names as Merlin Information Service, LexisNexis' Accurint, LocatePlus and Westlaw. "They have taken a sledgehammer to the ant ... [by] cutting off databases from one industry entirely, no matter how long they've been in business, no matter how pristine their record," Featherby said of ChoicePoint.

After ChoicePoint called for interior pictures of the Corona police department, discussion ensued in an online forum frequented by law-enforcement personnel. Carol DiBattiste, ChoicePoint's new privacy and compliance officer, responded to the group in a message that dismissed the story. "While the requirement for site visits is true, contrary to rumors, ChoicePoint is not performing site visits that require photographs or access to sensitive facilities," she wrote.

But the photo request was no mere rumor. DiBattiste acknowledged that ChoicePoint's checklist for site inspectors did include internal photos. But she said she ordered it not apply to customers in government and law enforcement because photos could endanger the offices' security. Apparently, she said, the Corona police got their call before the policy had been rescinded. She said she did not believe any police agencies actually had the inside of their offices photographed, though she added: "I can't guarantee that 100 percent."

ChoicePoint had inspected some customers who got personal data in the past, but stepped up the system after February's identity-theft disclosure, one of many high-profile data breaches to surface this year. That fraud — which resulted in at least 750 identity-theft cases — sent ChoicePoint's stock tumbling 24 percent in the ensuing weeks. About two-thirds of that lost value has been regained.

Many ChoicePoint customers now get inspections when they open a new account or re-sign a contract for sensitive data, DiBattiste said. Making the visits is necessary because "an identity thief could make believe he's the local sheriff in a town of 2,000 people," she said. The inspector does not access customers' computers or databases, she said. The auditor spends less than an hour confirming that the customer is legitimate and appears to have reasonable security practices.

DiBattiste wouldn't give specifics. But one thing the Corona police were told was that the inspector would need to ensure that workstations where ChoicePoint databases were accessed were not left unmonitored. Although ChoicePoint contends that few, if any, customers have defected rather than submit to inspections, DiBattiste acknowledged that the auditing is a work in progress. For one, ChoicePoint now lets customers apply for a waiver, which DiBattiste must approve, if they have a long relationship with ChoicePoint or already have been contacted recently by someone from the company.

As senior counsel with the Electronic Privacy Information Center, Chris Hoofnagle has been a ChoicePoint critic. He says the company deserves credit for its inspections, though he wants them to go further. "I think ChoicePoint should randomly audit users of the database," he said, "and make them show why they pulled a file of an individual."

The original article appears here.

-- MDT



9/20/2005
Court Orders Graymarket Data Vendor to Stop Selling Verizon Wireless Customer Data
Recall this post from late last week, which discussed Verizon Wireless bringing legal action against Source Resources, an information broker and security firm that had reportedly tricked Verizon Wireless employees into turning over personal data on customers.

A Superior Court judge in New Jersey has granted Verizon's request for a court order enjoining Source Resources from continuing their practice of obtaining personal information on Verizon customers. According to a recent Eweek.com article:
...Verizon claimed that Source Resources used personal information obtained from other sources in order to pose as individual customers and trick its service representatives into divulging additional data, including their phone numbers and calling records....

As part of its claim, Verizon submitted online marketing materials reportedly offered by Source Resources that detailed the company's ability to garner the names, addresses and social security numbers of individual cellular subscribers for $85 apiece. For $150, the data broker offered additional information, including wireless calling records and billing information.

"Accessing a person's personal telephone records without a valid court order or the customer's permission is illegal," Steven Zipperstein, general counsel at Verizon Wireless, said in a statement. "We will protect our customers against these kinds of assaults on their privacy and use every weapon in our legal arsenal to shut down identity-theft operations"...

Sources familiar with the case said that a private investigator named in the suit, Richard Childs, first informed the carrier of Source Resources' data acquisition practices when one of his own clients had their information obtained by the firm. Childs did not return calls seeking comment on the case, but Verizon stated in its filing that private investigators are also among the most frequent buyers of the services involved in the Source Resources suit...

...Superior Court Judge Harriet Derman granted a court order on Tuesday barring data provider Source Resources Inc. from acquiring, possessing or selling confidential information about Verizon's 45 million wireless customers. According to Verizon's claim, which was filed in early July, Source Resources was able to dupe the carrier's customer service representatives into supplying much of the data...

Accessing data in this manner is to the investigative industry what steroids are to professional sports. It is a shortcut that narrowly skirts legality while providing performance enhancement. And just like steroids, the results can ultimately be destructive for the individuals involved as well as the entities they represent. It will be extremely interesting to see if this case is the beginning of a trend, with other telecoms taking similar steps.

The full eWeek article appears here. Many thanks to the excellent Law Librarian Blog for the link.

-- MDT



9/16/2005
Verizon Wireless Takes Action Against Graymarket Data Vendor
Via TechnologyNewsDaily.com:
Verizon Wireless Halts Data Theft

Tech News Daily
September 15, 2005

Verizon Wireless has secured a court order to halt a Tennessee-based company’s practice of obtaining and selling telephone records of Verizon Wireless customers.

Earlier this summer, Verizon Wireless sued Cookeville, Tenn.-based Source Resources Inc., in New Jersey State Superior Court in Somerset County, N.J., seeking among other things an injunction barring Source Resources from acquiring, possessing or selling confidential Verizon Wireless customer account information without a valid court order or the customer’s express consent.

Superior Court Judge Harriet Derman ordered a permanent injunction against Source Resources Tuesday as part of a settlement between Verizon Wireless and the company. Source Resources also agreed to cooperate with Verizon Wireless by surrendering records of its transactions and information about how it previously obtained customer records.

“Accessing a person’s personal telephone records without a valid court order or the customer’s permission is illegal,” said Steven Zipperstein, General Counsel and Vice President of Legal and External Affairs at Verizon Wireless. “Verizon Wireless will protect our customers against these kinds of assaults on their privacy, and we will use every weapon in our legal arsenal to shut down identity-theft operations.”

The lawsuit was filed by Verizon Wireless July 8th against Source Resources, which advertised on its Internet site the capability to secure confidential wireless telephone records for a fee. Verizon Wireless brought the lawsuit after one of its customers reported that his confidential wireless phone records had been secured without his permission by Source Resources.
The original article appears here.

The Washington Post's Jonathan Krim has been reporting on this issue for several months. Here's a recent article illustrating the rampant availability of cell phone data - not just phone numbers but whole customer bills - sold to third parties by internal telecom company employees.

-- MDT



8/18/2005
NCISS, the Investigative Industry's Voice in Congress
The National Council of Investigative and Security Services exists to represent and protect the interests of the investigative industry. The chairman of the NCISS Legislative Committee, Bruce Hulme, sends out regular notices to their mailing list regarding the status of relevant bills being considered on the Hill and in state legislatures around the country.

In a recent mailing, he provided the text of a Congressional Quarterly article describing the recent trials and tribulations of our lobby in the wake of data piracy scandals at prime investigative vendors, Choicepoint and Lexis Nexis:
Private Eyes Try Getting Tough on Congress

By Shawn Zeller, CQ Staff
CQ WEEKLY - VANTAGE POINT
Aug. 1, 2005 Page 2089

In the popular imagination, American private investigators are the toughest of tough customers, impervious to saps, slipped Mickeys and seductresses. But private eyes now fear they may be meeting their match in Congress. The detective industry says legislation aimed at redressing identity theft and data breaches among companies collecting consumer data could put it out of business. The proposal, by Senate Judiciary Chairman Arlen Specter, R-Pa., would erect barriers to ready acquisition of Social Security numbers - and that, in turn, would enormously complicate missing-persons and witness-location work, mainstays of the detective trade.

The bill (S 1332), which Judiciary panel Democrats Patrick J. Leahy of Vermont and Russell D. Feingold of Wisconsin are cosponsoring, would bar the sale or purchase of any Social Security number without its holder's consent. Similar language is in a bill (S 1408) by Gordon H. Smith, R-Ore., that the Senate Commerce Committee approved last week. (Story, p.2125)

In May, representatives of the National Council of Investigation and Security Services - the private detectives' trade group - met with data brokers and agreed to lobby against provisions limiting investigators' ability to purchase the numbers. D.C. lobbyist Lawrence Sabbath is leading the charge. Sabbath singles out Rep. Pete Sessions, R-Texas, as the investigators' top ally. Sessions also helped bounty hunters and bail bondsmen to get business-friendly provisions in a House immigration bill this February - even though that language later died in conference.

Large database companies, such as LexisNexis Group and ChoicePoint, sell partial Social Security numbers to private investigators, but not to the general public. But the law surrounding their sale is murky, and some companies will sell full numbers to anyone.

Investigators also hired Washington PR man Joseph Ricci to boost their image in Washington. Last month, the investigators hosted an "ID Fraud Summit" at a hotel in Washington with representatives from the Secret Service and the Justice Department. Among the participants was John Stoll, who was convicted of child molestation in California and served 20 years in prison before a private investigator discovered information that exonerated him.

But consumer groups are mounting their own PR campaign in support of the Specter bill. They say uneven state licensing rules - some don't require licenses at all - are reason enough to prevent the investigators from buying the numbers. They also point to cases such as that of Amy Boyer, a New Hampshire woman killed in 1999 by a stalker who obtained personal information about her from an Internet-based firm run by a P.I. in Florida.

Without a law closing off much of the traffic in identity data, advocates say the status quo will deteriorate. P.I.s "are virtually unregulated in too many states," says Edmund Mierzwinski of the U.S. Public Interest Research Group. "There's no question that there will be massive data misappropriations."


Another, more recent article, which appeared in The Hill (and was forwarded along by NCISS), provides further details about the investigative lobby's efforts to insert its voice into the valid and somewhat volatile debate over how best to address growing concerns about the security of sensitive data:
Data Protection turf war pleases lobbyists

By Elana Schor
The Hill
August 17, 2005

The many data-security bills wending their way around the Hill are sparking a turf war in the Senate but relief on K Street, where lobbyists in several industries welcome the crush of options as a much-needed drag on momentum.

While acknowledging the need to regulate trade in consumers' personal information to prevent identity theft, lobbyists say the universe of companies potentially affected by new data-security standards presents challenges that lawmakers have yet to address fully. By next month, two more congressional committees are likely to join the four already working on the issue.

''It's difficult to even define an industry here because you have so many different kinds of companies who have suffered breaches - data providers, banks, credit-card providers. It's difficult to decide who would have jurisdiction,'' said Abby Stewart, a lobbyist at Jefferson Consulting Group, which represents one of the businesses that recently has endured the public-relations nightmare of a personal-data breach.

The Senate Commerce Committee cleared the first hurdle just before the August recess, unanimously approving an anti-ID-theft bill that prevents the trading of Social Security numbers without their owners' consent and allows easy freezing of consumer-credit reports. But banking lobbyists, and Senate Banking Committee Chairman Richard Shelby (R-Ala.), were displeased with Commerce's quick movement.

"The Fair Credit Reporting Act is a Banking Committee issue, and Senate Commerce just ripped it out and put it in their bill," said one banking lobbyist who asked not to be identified. "This is the problem with all the bills; it's a huge jurisdictional fight."

Bob Davis, top lobbyist for America's Community Bankers, sent a letter to Commerce Chairman Ted Stevens (R-Alaska) and ranking member Daniel Inouye (D-Hawaii) urging them to withhold support for the bill over two provisions: credit freezing, which banks fear could inadvertently discourage consumers from signing up for new credit cards, and permitting state attorneys general to sue nationally regulated banks for noncompliance. Stevens and Inouye nonetheless endorsed the bill, which was introduced by Sens. Bill Nelson (D-Fla.) and Gordon Smith (R-Ore.).

Stewart echoed the banking lobbyist's sentiment when discussing the Senate Judiciary Committee, which postponed consideration of three separate data-security bills until the end of recess. "It's an intriguing concept that they would have jurisdiction at all," she said.

The lead Senate Judiciary bill, sponsored by Chairman Arlen Specter (R-Pa.) and ranking member Patrick Leahy (D-Vt.), attracts criticism from lobbyists because it could let states wriggle free from some aspects of new national data-security rules. Another Judiciary bill, written by Sen. Dianne Feinstein (D-Calif.), has a crucial cheerleader in ChoicePoint, the data broker that disclosed the first of this year's high-profile security breaches.

"We'd like to see a vehicle like that get through," said David Davis, vice president of government affairs at ChoicePoint, referring to Feinstein's bill. The company supports Feinstein's language about the definition of "real harm" posed to consumers, sometimes called the "California standard," which would trigger automatic notification of an ID-theft risk.

Davis praised Stevens's promise to hold up floor consideration of the Senate Commerce bill until chairmen can resolve their jurisdictional clashes but noted the realities of a legislative clock ticking down into fall. "If all the stars were aligned, and Banking and Judiciary stepped back, then you would still have the House," he said.

ChoicePoint is one of only a few stakeholders actively pushing for a bill to pass this year. Most other lobbyists were not discouraged by the likelihood that Congress's crammed calendar would make consensus on data security unreachable before 2006.

So far only the House Financial Services Committee has tackled the question of who pays for consumer notification after a security breach, one of the most pressing priorities for banks and credit-card issuers. That committee's bill, introduced by Reps. Deborah Pryce (R-Ohio) and Mike Castle (R-Del.), requires the company responsible for the information exposure to foot the bill for "reasonable and actual costs."

One financial-services lobbyist said an accountability vacuum in the aftermath of a large-scale data compromise could be hazardous. "If there is a fear of liability, about what happened and who's paying, the flow of information gets severely restricted."

Giving too many concessions to banks and credit cards could alienate data brokers such as ChoicePoint and Lexis-Nexis, which was hacked by ID thieves in March in a breach the company first projected as one-tenth of its actual size.

In addition to requiring responsible companies to pay for notification, some lobbyists would like to see banks get reimbursed for the new credit cards that often must be issued after a breach.

In the House, the Energy and Commerce and Judiciary committees remain in the process of drafting their data-security bills. The former version will likely give blanket enforcement power to the Federal Trade Commission, an annoyance to banks that want their financial regulators to take on data-security duties to avoid creating new bureaucracy.

Yet another player in the game is the private-investigation community, which has formed a lobbying coalition and embarked on a vigorous publicity push to remind lawmakers that access to Social Security numbers does not solely affect public law enforcement.

Lawrence Sabbath, who lobbies for the National Council of Investigation & Security Services (NCISS), said the substitute amendment in Stevens's committee ironically could keep private eyes from tracking down the same fraudsters who perpetrate ID thefts. "They recognize that there are potential problems," Sabbath said. "There is some indication that that [Social Security] provision may not remain in the bill."


You can read more about the activities of NCISS and pending legislation of relevance to the investigative community here.

-- MDT



8/15/2005
Email Marketer Convicted on Data-Theft Charges
Scott Levine, the operator of Snipermail.com, a now-defunct and notorious "spam factory," has been convicted on more than one hundred counts of illegally accessing personal data via marketing vendor Acxiom Corp (and in what is undoubtedly a coincidence, read about Acxiom's escalated commitment to fraud prevention here).

The data access irregularities at Snipermail were first discovered two years ago. In total, some 1.6 million records were accessed illegally by the company after Levine utilized a "security flaw" in Acxiom's FTP server to gain access to personal records held by the data company. After adding that data to Snipermail's existing database, Mr. Levine also approached the credit bureau Experian about buying the company.

Via the Washington Post:
Marketer Found Guilty Of Data Theft

Associated Press
Saturday, August 13, 2005; Page D02

LITTLE ROCK, Ark., Aug. 12 -- A Florida man was found guilty Friday of stealing information from data-management company Acxiom Corp. in what prosecutors said was the largest federal computer theft trial ever.

A jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice. Jurors cleared Levine of 13 counts of unauthorized access of a protected computer, one conspiracy count and one count of money laundering.
Statutory maximum sentences for his convictions total 640 years in prison and fines of $30.7 million, but his punishment likely will be much less under federal sentencing guidelines. Sentencing was set for Jan. 9.

Prosecutors said Levine and his company stole 1.6 billion customer records, including names, e-mail and postal addresses. The government did not charge anyone with identity theft.

Six Snipermail employees pleaded guilty to conspiracy charges and testified against Levine in the case.

"We're very pleased with the outcome," U.S. Attorney H.E. "Bud" Cummins said outside U.S. District Court. "These are very serious crimes, a huge amount of data that was stolen for monetary gain and he should be held accountable."

Levine's lawyer, David Garvin, said the verdicts were "compromised" because the jury found Levine guilty based on the same evidence jurors acquitted him on in the other counts.

Little Rock-based Acxiom, which serves large corporations by collecting and managing information for marketing purposes, said it has tightened its security since the unauthorized access was discovered two years ago.

The original article appears here.

-- MDT



8/10/2005
Recent Letter to the Editor on Data Theft
Speaking of identity theft (see previous post), long-time friend of Caveat Research, Charlie Pinck (a former Mintz Group alum and currently Senior VP of Investigations for Global Options) recently had a letter published in the magazine of the American Society for Industrial Security. Charlie's letter (from their June issue) takes on some of the prevailing notions about allowing access to sensitive data.

Not only does Charlie do a nice job of providing some much-needed explanation of the indispensability of personal (but public) data to the work of investigators, but he also provides a vivid description of how this information is put to work in service of the goals of transparency, accuracy and integrity. While the ASIS publication is not itself available online (the horror), here's a clip:
...access to personal identifying information benefits our society in many ways. Before legislation is passed that severely restricts such access, we should first consider the negative impacts that such laws could have. As a professional investigator, I use this data in many different ways: to track down important witnesses and uncover critical information in complex litigation; to conduct criminal background checks; to find stolen assets; and to investigate white collar crime, fraud, and other forms of criminal activity--including identity theft; and in many other investigations.

One of the most important uses of this information is conducting criminal record searches, an important component in many investigations. Since there is no publicly available national criminal record database (the Justice Department maintains such a database known as NCIC, but provides access only to law enforcement agencies), investigators must first gather an address history for the subject, then conduct searches of each jurisdiction identified.

We need access to Social Security numbers or another form of identifying information. This is typically drawn from the top portion of a credit report (called the credit header)--which contains someone's name, Social Security number, and current and prior addresses--without that, such searches become close to impossible to thoroughly conduct, thereby exposing people to serious potential risks.

For instance, in a recent investigation of a client's household employee, I found a criminal record involving a minor. The offense occurred nearly 10 years earlier in a different state. Without the ability to construct an address history for the employee, I never would have found it, and the client and his family would have been in jeopardy.

In another case that occurred some years ago, I was investigating an individual who was being considered for a senior-level position within a Fortune 500 company. Using similar techniques, I not only found a criminal record for assault and battery but discovered that this person attempted to expunge his criminal record within a few days of his interview with our client.

I was also retained to investigate a potential business partner and discovered a multimillion-dollar fraud that he had committed. The complaint listed a number of fraudulent claims that the subject had made about his background; he had also given my client the same fraudulent claims practically verbatim. Armed with this knowledge, my client decided not to pursue a $7 million investment that most surely would have been lost. There are many more examples like these.

If I have learned anything from my 15 years of investigative experience, it is that people lie, especially when they are trying to hide past bad acts. Far too often, potential employers or partners do not ask the right questions (or any questions, for that matter) or check information supplied by business partners and others until it is too late and the damage has been done. Reagan's axiom "trust but verify" applies here as much as it does in arms control.

Another important use of personal identification information is to differentiate between people with common names. Imagine the difficulty in searching for criminal records for someone named John Smith absent any other information unique to this person, such as his Social Security number and date of birth. This is the daunting scenario we would face were current proposals to restrict access to such information enacted.

Identity theft is a real concern and needs to be dealt with in a serious manner. However, limiting access to such information in as draconian a manner as is now under consideration would limit the ability of private citizens to protect themselves against a variety of equally dangerous threats. It may also embolden those who commit crimes, because they will know that investigating them will be more difficult and expensive.

Professional investigators play an important role because law enforcement agencies are not in the business of checking out a person's background to assess the potential risk of hiring them or doing business with them. Thus, people hire professional investigators. In certain circumstances, the information they gather may eventually convince law enforcement to become involved.

For all of these reasons, investigators are needed, and they need access to information to do their jobs. They should not be hampered by the actions of information brokers who failed to check the credentials of new customers and allowed themselves to be victimized in the process.
Thanks, Charlie.

-- MDT




Major Identity Theft Ring Busted
You know, if folks would just switch to Macs...we could avoid this kind of thing.

Via ZDNet.com:
Identity theft ring affects at least 50 banks

Ingrid Marson
ZDNet UK
August 08, 2005

Customers from Bank of America, PayPal and other financial institutions have had their financial details stolen by a dangerous new Trojan. A major identity theft ring discovered last week has affected the customers of at least 50 banks, according to Sunbelt Software, the security firm that uncovered the operation.

The operation, which is thought to be under investigation by the FBI and Secret Service, is currently gathering personal data from compromised machines and sending them to a server where they are saved in a file.

Sunbelt Software said on Monday that in the two days it has been monitoring the file it has seen confidential financial details of the customers of the Bank of America, PayPal and up to 50 international banks, according to Eric Sites, the vice-president of research and development at Sunbelt.

"For almost every bank that is listed [in the file], it's possible to get into the person's account," Sites said. As well as passwords for online banking sites, information on credit cards has also been gathered. Sites said that Sunbelt had found one customer's credit card number, expiry date and security code as well as their name and address, which would allow anyone to use their credit card.

The data theft was initially reported to be carried out by a modified variant of a spyware application, called CoolWebSearch (CWS), but Sunbelt has now found that the activities are carried out by a separate Trojan, which is downloaded at the same time as CWS and a mail zombie.

The malicious code is hosted on a Web site that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP that have not installed SP2 are particularly vulnerable as the code will be automatically downloaded without the user's knowledge. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable.

"If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from the Web site, including the Trojan. All you have to do is type in the URL and you're hosed," said Sites.

The Trojan is a new variant, so antivirus and anti-spyware vendors do not yet block it, according to Sites. Sunbelt plans to send information on the Trojan to security firms as soon as possible.

The Trojan carries out keylogging, and also gathers information stored by Internet Explorer's auto-complete function. This data includes any information that has been typed into forms, including usernames and passwords.

Two variants of the data-stealing Trojan have been found, one of which sends data to a publicly available server, which is being monitored by both Sunbelt and the Secret Service, according to Sites. He claimed this server will not be shut down straight away so that the FBI and Secret Service can track down the perpetrators.

Sunbelt believes the operation has only been going on for a couple of weeks and has affected a "couple of thousand machines", according to Sites. An FBI spokesperson was unable to confirm whether or not an investigation was taking place.
Original article appears here.
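The Sunbelt piece describes the responder's real problem: a drop file full of keystrokes and Internet Explorer auto-complete data, and the need to work out which of "up to 50 banks" have customers to notify and whether whole card records (number, expiry, security code) were taken. Here is an added example of that triage, written for this post and not taken from the ZDNet story or from Sunbelt's analysis. The record layout (timestamp | infected host | site | URL-encoded form fields), the host identifiers, names and credentials are all constructed assumptions; the only card number is a standard test PAN.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample of a keylogger drop file. The layout (timestamp | infected host id |
# site the victim was on | captured form fields, URL-encoded) is an assumption, not Sunbelt's
# format; hosts, names and credentials are made up and 4111... is a standard test PAN.
SAMPLE_DROP = """\
2005-08-07 13:02:11|HOST-3F2A|www.bankofamerica.com|onlineid=jdoe&passcode=hunter2
2005-08-07 13:04:40|HOST-3F2A|www.paypal.com|login_email=jdoe%40example.com&login_password=pa55word
2005-08-07 14:10:02|HOST-91C0|www.paypal.com|cc=4111111111111111&exp=09%2F07&cvv=123&name=Jane+Doe
2005-08-07 15:22:19|HOST-91C0|www.bankofamerica.com|onlineid=jane.d&passcode=letmein
2005-08-07 16:01:55|HOST-B7E4|www.example-bank.co.uk|cc=4111111111111112&exp=01%2F08&cvv=999
2005-08-07 16:05:13|HOST-B7E4|www.bankofamerica.com|onlineid=bob&passcode=
"""

# Field names a bank or payment form typically uses for the secret; assumed, extend per target site.
PASSWORD_KEYS = {"passcode", "password", "login_password", "pin"}
CARD_KEYS = {"cc", "cardnumber", "card_number", "ccnum"}


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates genuine PANs from other long digit strings the keylogger swept up."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four; the full PAN must not be copied into the notification worklist."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(drop_text: str) -> dict:
    """Per target site: infected hosts seen, usable logins, fully exposed cards (PAN+expiry+CVV),
    and digit strings that fail Luhn (not real card numbers)."""
    summary = defaultdict(lambda: {"hosts": set(), "logins": 0, "full_cards": 0, "bad_luhn": 0, "pans": []})
    for line in drop_text.splitlines():
        if not line.strip():
            continue
        _ts, host, site, qs = line.split("|", 3)
        fields = {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}
        entry = summary[site]
        entry["hosts"].add(host)
        # a blank password field (victim never finished the form) is not a usable login
        if any(fields.get(k) for k in PASSWORD_KEYS):
            entry["logins"] += 1
        pan = next((fields[k] for k in CARD_KEYS if k in fields), None)
        if pan is not None:
            if not luhn_ok(pan):
                entry["bad_luhn"] += 1
            else:
                entry["pans"].append(mask_pan(pan))
                if fields.get("exp") and fields.get("cvv"):
                    entry["full_cards"] += 1
    return {site: dict(v, hosts=sorted(v["hosts"])) for site, v in summary.items()}


if __name__ == "__main__":
    for site, v in sorted(triage(SAMPLE_DROP).items()):
        print(f"{site:<26} hosts={len(v['hosts'])} logins={v['logins']} "
              f"full_cards={v['full_cards']} bad_luhn={v['bad_luhn']} pans={v['pans']}")
```

Two points of the design matter in practice: the Luhn check keeps account numbers, order IDs and similar digit strings out of the "card exposed" count, and the worklist never stores a full PAN, only BIN and last four, because the responder's own copy of the drop file is itself a second breach waiting to happen.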

-- MDT



7/29/2005
In Canada, as in the U.S., Private Security Firms Fill Gap Left by Government
While Daily Caveat parent Caveat Research is not a security-oriented enterprise, many investigative firms have found great success expanding this sector of their services, encompassing tasks such as personal protection, armored transport, facility security and country risk analysis. A recent article in the Ontario Business Edge focuses on how this phenomenon has taken shape in the land of Molson, moose and the one and only William Shatner:
Private security firms expanding services

By Mike Levin
Business Edge
07/21/2005

The line between public and private policing is blurring in Canada as government funding for security gets stretched tighter and tighter. Most of Canada's 1,400 private investigation and security firms are tapping this trend to find new business in areas traditionally patrolled by domestic police forces.

But it is no longer just a game for gumshoes. In Ottawa, Robin St. Martin has built Iron Horse Corp. from a one-man operation in 1994 to a multimillion-dollar business by filling security gaps left by the public sector. The demand is so great, he is predicting a 35-per-cent increase in revenue for 2005. "This business is all about investigation and protection, and as the economy grows so does the need for security services," St. Martin says. "People know they will have to pay for it either by increased taxes or by hiring a company like ours." Revenue reached $1.85 million last year. This year's increase is expected to come mostly from new operations in Toronto.

Since 1998, St. Martin has geared Iron Horse to meet what he calls a phenomenal demand for licensed security guards, which he says has increased guard numbers in Ontario to 40,000 in 2004 from 28,000 in 1999. Most of Iron Horse's 100 full-time and 300 part-time employees are involved in property protection, which accounts for 55 per cent of the company's business. The company also operates a training academy and graduates are all but guaranteed a job because of a backlog of demand. "Times have changed. There's a much stronger view of this need for security because of 9/11, but also because prominent businesses know they have to have protection or face serious liabilities," St. Martin says. He adds that the investigations side of his company is also becoming broader.

Like most security companies, Iron Horse offers diversified services and can investigate everything from insurance fraud to theft of intellectual property and marital infidelity.
The scope is becoming so wide that some agencies see their duties as risk-management consultants as much as private investigators. "Much of the investigation business is about getting information for police or lawyers to use in the legal system. But there's also a growing need within corporations to be able to protect themselves," says Bill Joynt, president of the Council of Private Investigators - Ontario. "Corporate clients today have all sorts of different requirements and you never know what will pop up next. PIs (private investigators) have to keep pace with crime sophistication," says Joynt, who owns the 110-employee Investigators Group agency in Toronto.

According to many security executives, breaking insurance scams, investigating workers' compensation claims, finding missing people and uncovering information for lawyers remain their core businesses. But they are susceptible to market forces. "There are parts of the business that come and go, like surveillance. It just shows that agencies have to be far more diversified today and flexible for when those slumps hit," says Geoff Frisby, owner of LCR Consulting Ltd., a two-person agency in Fort Saskatchewan, a suburb of Edmonton.

One effect has been increased co-operation in what was once a fiercely competitive industry. Security companies will now subcontract their expertise to other agencies. James Thomasen, president of the Private Investigators Association of British Columbia, calls it "service by affiliation" and says it allows smaller agencies to call themselves full-service companies. One area of investigations that is growing is background checks.

"I've seen a rise in the due-diligence part of employment, where companies want to make sure that prospective employees are who they say they are," says Thomasen, who owns the two-person Pinnacle Investigations and Security Services Ltd. in Vancouver. "It's expanded into the international level and we're doing background checks in places like the Philippines and the United Kingdom."

Another area that is providing growth opportunities is combating the rapidly evolving styles of theft and fraud. New forms of loss protection often involve technology such as high-end audio-visual surveillance and cyber-tracking equipment. "The electronic side is new and getting bigger, especially when it deals with identity theft," says John Farinaccio, director of the Canadian Private Investigators' Resource Centre in Montreal. "The demand is being driven by the U.S., because what happens down there comes up to Canada."

A 2003 study on economic crime by PricewaterhouseCoopers found that one-third of companies in North America were victims of fraud and theft, and that the problem of cybercrime was increasing by double digits annually.

As the crimes become increasingly sophisticated, private investigators have to know how to dig deep for information. Accessing personal information also has become harder since investigators now must have investigative body status under the Personal Information Protection and Electronic Documents Act (PIPEDA) in order to be able to thoroughly examine someone's background.

That is a status that most PIs do not have. In fact, most PIs do not need any certification at all. They do need a licence from Industry Canada, but requirements (except in B.C. and Newfoundland, which have two-year supervisory conditions on licensing) are less stringent than for a driver's permit, says Iron Horse's St. Martin.

"It's the same thing for licensing security guards in Ontario, no minimum standards, and I think it's pretty bad because the business is now all about reputation. When PIPEDA came in it caused a bit of a slump, but I think it was necessary," he says. "This means as a full-service security company we absolutely must do our due diligence properly and provide top-quality customer service," St. Martin says.

St. Martin, who is about to expand Iron Horse into Quebec, believes there is a need for a national association to create adequate certification for an industry that is now starting to consolidate. "There used to be a lot of mom-and-pop shops (in the security guard business) but they're getting bought up by the public multinationals like Securitas and Garda. This is a trend in the whole industry, becoming international because security issues go across borders," he says.
The original article can be found here. And for no other reason than never having experimented with Blogger's new image toolkit, here's a photo from a few years back of The Daily Caveat and spouse enjoying Canadian hospitality atop Grouse Mountain in beautiful Vancouver, BC.


-- MDT



7/12/2005
Financial Firms to Share Identity Theft Data With FTC
Via ComputerWorld:
Information sharing is expected to help police with cross-border investigations

By Grant Gross
JULY 11, 2005

WASHINGTON -- A U.S. center that helps victims of identity theft plans to share consumer complaint information with the Federal Trade Commission and law enforcement agencies to improve investigations.

The Identity Theft Assistance Center (ITAC) will begin sharing information such as the types of scams reported and suspected offenders identified by victims, the center announced last week. The ITAC is supported by 48 large financial services companies.

The center plans to provide the FTC with that information in about six weeks. The FTC, in turn, will share the data with law enforcement agencies across the U.S.
Full article appears here.

-- MDT



7/08/2005
Moscow a Hotbed for Stolen Data Traders

The Daily Caveat wrote recently about the proliferation of black market personal data traders on the U.S. / Mexico border. Apparently Moscow has also seen tremendous growth in such activities, with far more serious consequences:

Via The Globe & Mail:

By GRAEME SMITH
Tuesday, July 5, 2005 Updated at 8:40 AM EDT
From Tuesday's Globe and Mail

MOSCOW — The most expensive wares in Moscow's software markets, the items that some Russians are calling a threat to their personal safety, aren't on public display. It takes less than 15 minutes to find them, however, at the teeming Gorbushka market, a jumble of kiosks selling DVDs, CD-ROMs and an array of gadgetry in an old factory west of downtown.

One question -- Where can we buy databases of private information? -- and the young man selling rip-off copies of Hollywood movies leaps to his feet. He leads the customers to another vendor, who wears a bull's head on his belt buckle. This second man listens to the request, opens his cellphone, and punches a speed-dial number. Moments later, a third vendor appears. He is jovial and blunt about his trade. "What do you need?" he says. "We have everything."

In Moscow these days, among people who deal in stolen information, the category of everything is surprisingly broad...At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

Fascinating...and more than a little scary, considering that in addition to more cut-throat competitive intelligence and regular old identity theft, one of the disturbing off-shoots of this personal data black market has been a growth in carefully planned robberies of prominent businessmen and public figures.

Read the rest here.

-- MDT



6/22/2005
Privacy Concerns - Who's Watching the Watchmen?
With all the hullabaloo regarding identity theft and the slew of stories highlighting the apparent inability of corporate America to safeguard employee and customer information from thieving data-bandits, a couple of recent stories have been overlooked that highlight questionable access to personal details from another quarter: the federal government.

Today's New York Times has an interesting piece on the Internal Revenue Service's and Social Security Administration's willingness to relax their privacy guidelines at the request of the F.B.I. In a recently released report the federal agencies cite "life-threatening emergencies" in general, and specifically the 9/11 investigation, as the reason for complying with the F.B.I.'s requests.
"We ran thousands of Social Security numbers," said a former senior F.B.I. official who insisted on anonymity because the files involved internal cases. "We got very useful information, that's for sure," the former official said. "We recognized the value of having that information to track leads, and, to their credit, so did the Social Security Administration."

Some privacy advocates and members of Congress, although sympathetic to the extraordinary demands posed by the Sept. 11 investigation, said they were troubled by what they saw as a significant shift in privacy policies. Representative Carolyn B. Maloney, a New York Democrat who has sought information from the Social Security agency on the issue, said the new policy had "real civil liberties implications for abuse." Ms. Maloney questioned whether Congress was adequately informed. "If we don't know when the Social Security Administration decides to change its rules to disclose personal information," she said, "I think Americans have a right to be skeptical about their privacy."

The director of the Open Government Project at the Electronic Privacy Information Center, Marcia Hofmann, acknowledged the need for investigators to have access to vital information. "But an ad hoc policy like this is so broad that it allows law enforcement to obtain really sensitive information by merely claiming that the information is relevant to the 9/11 investigation," Ms. Hofmann said. "There appears to be very little oversight."

In addition to easing its rules, the Social Security agency agreed to waive normal privacy restrictions for information related to the F.B.I. investigation of the sniper shootings in the Washington region in 2002, the internal memorandums show. It does not appear that any information was ultimately turned over. The agency agreed two days after the Sept. 11 attacks to give the F.B.I. access to material from its files to obtain information on the hijackers, anyone with "relevant information" on the attacks and victims' relatives.

Under Social Security Administration policy, which goes beyond federal privacy law, such information cannot typically be shared with law enforcement officials unless the subject has been indicted or convicted of a crime. The loosening of the policy was updated and reauthorized last year, the internal documents show, and Social Security officials said Tuesday that it remained in place.

Read the full story.

Meanwhile, on Monday the Transportation Security Administration owned up to collecting information on airline passengers even though Congress had previously instructed the agency to do no such thing. The TSA

A Transportation Security Administration contractor used three data brokers to collect detailed information about U.S. citizens who flew on commercial airlines in June 2004 in order to test a terrorist screening program called Secure Flight, according to documents that will be published in the Federal Register this week. The TSA had ordered the airlines to turn over data on those passengers, called passenger name records, in November.

The contractor, EagleForce Associates, then combined the passenger name records with commercial data from three contractors that included first, last and middle names, home address and phone number, birthdate, name suffix, second surname, spouse first name, gender, second address, third address, ZIP code and latitude and longitude of address.

Read the full article here.

-- MDT



5/31/2005
Betty Ostergren Declares War on Public Records

We have met the enemy and it is public records.

At least according to Betty "BJ" Ostergren, that is. Betty, described in The Washington Post as "a feisty 56-year-old" based near Richmond, is seeking to shame public figures into addressing what she sees as the all-too-ready access to public records enabled by commercial database, internet and document imaging technologies.

Encapsulating her fears in one favorite example, Betty lays it all out for the Post's resident identity-theft reporter, Jonathan Krim:

"Don't you think if I can get Tom DeLay's Social Security number ... that some guy in an Internet cafe in Pakistan can, too?" she asks, her voice rising with indignation. "It's just ridiculous what we're doing in this country."

Utilizing such arguments, Betty, under the banner of The Virginia Watchdog, is attempting to organize activists to beat back the tide of easy access to public records, particularly at the local level:

A wealth of documents -- including marriage and divorce records, property deeds, and military discharge papers -- containing Social Security numbers, dates of birth and other sensitive information is accessible from any computer anywhere. Many of the online records are images of original documents, which also display people's signatures.

Ostergren began organizing citizens and harassing officials on the issue in 2002, when a title examiner called to warn her that her county was about to put a slew of documents online, including pages with her signature.

A longtime activist in local politics, Ostergren swung into action, bringing enough pressure on Hanover County officials that they halted their plans. Then she broadened her attack, targeting other counties in Virginia and elsewhere.

Betty expounds a bit further (with copious use of exclamation) on her website:

No one has to fake an identity to get into ChoicePoint, no one has to break the law/hack into any website, no one has to dumpster dive, and no one has to dig into the neighbor's trash anymore to get SSNs. No, all it takes to find SSNs is getting into a Clerk's/Recorder's/Register of Deeds' website and ANYONE can since they are public records!

The Clerks etc. are spoon feeding criminals by putting these records online - the same records they took an oath to protect!!! Every Clerk/Recorder should pull the plug on this ONLINE RECORDS mess and get them offline! It will take the legislature (thru pressure from the citizens) to make them do it though. Tell your state legislators that if someone wants to see your records, make them take off from work and drive to the courthouse!

This, unfortunately, is the histrionic end of identity theft anxiety, fostered by content-starved local news and fueled by good old-fashioned black-helicopters-over-Kansas American paranoia. As a nation we are really, really good at frothing up over this kind of thing, but never did The Daily Caveat think to see the day when ready access to essential public records verged on initiating a moral panic.

While TDC disagrees with Betty's approach (and her rampant abuse of exclamation points), there is a valid point in the potential need to redact sensitive data from internet versions of certain public records. However, rather than attempting to curtail access to public records, the ready availability of which has immense social benefits (frankly, The Daily Caveat feels that Representative DeLay is a mite shifty and bears a close eye), one could consider addressing the other factors that actually make access to these details potentially threatening to the average person.

Easy Access to Credit - I am looking at YOU...
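Since the one point TDC grants Betty is redaction, here is what that step looks like in practice. This is an added example written for this post, not code from the Post, the Virginia Watchdog or any clerk's office. The deed text, names, parcel and phone numbers are constructed (666-12-3456 is deliberately an invalid SSN); the structural rules used to cut false positives (area never 000, 666 or 900-999; group never 00; serial never 0000) are the Social Security Administration's published ones. The last four digits are kept so a title examiner can still tie the record to a person.

```python
import re
from typing import Tuple

# Constructed text of a scanned deed as a clerk might OCR it before posting it online
# (names, numbers, parcel and phone values are made up; 666-12-3456 is an invalid SSN on purpose).
SAMPLE_DEED = """\
WARRANTY DEED - Hanover County, recorded 03/14/2002, Book 1234 Page 56
Grantor: JOHN Q. PUBLIC, SSN 123-45-6789, of 100 Main St
Grantee: JANE R. ROE, Social Security No. 212345678
Consideration: $250,000.00  Parcel 7854-01-2311  Phone 804-555-0123
Military discharge DD-214 ref 666-12-3456
"""

# Separated form: 123-45-6789 or 123 45 6789, same separator both times, not inside a longer digit run.
SEPARATED_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")
# Unseparated nine digits are only redacted when a label identifies them as an SSN;
# otherwise parcel, phone and account numbers in the same document would be mangled.
LABELLED_RE = re.compile(
    r"(?i)((?:SSN|social security(?: no\.?| number| #)?)[:#\s]*)(\d{3})(\d{2})(\d{4})(?!\d)"
)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def redact_ssns(text: str) -> Tuple[str, int]:
    """Replace each plausible SSN with ***-**-last4; return (redacted text, number of redactions)."""
    count = 0

    def sep_repl(m):
        nonlocal count
        area, _sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        count += 1
        return f"***-**-{serial}"

    def lab_repl(m):
        nonlocal count
        label, area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        count += 1
        return f"{label}***-**-{serial}"

    text = SEPARATED_RE.sub(sep_repl, text)
    text = LABELLED_RE.sub(lab_repl, text)
    return text, count


if __name__ == "__main__":
    out, n = redact_ssns(SAMPLE_DEED)
    print(f"{n} SSN(s) redacted\n{out}")
```

Run against the sample, the grantor's and grantee's numbers are masked, the invalid 666 number, the parcel number and the phone number are left alone. A real deployment would run this on the OCR text and then still have a human check the page image, since the number is also printed on the scan itself.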

The full Washington Post piece can be found here.

And to join The Movement, click here.

-- MDT



5/25/2005
Chronology of Recent Data Thefts, FTC Commissioner Predicts Hell to Pay for Corporate America
Following is a chronology of recent data breaches courtesy of BeSpacific.com and cataloged by the Privacy Rights Clearinghouse. One positive thing, at least for our industry, is that this list manages to put the recent thefts from data brokers such as LexisNexis or ChoicePoint in the greater context of what is apparently the leaky-sieve model of privacy found in corporate America and academia.

Last week the wonderfully named Orson Swindle, a commissioner at the Federal Trade Commission since 1997, offered his impromptu thoughts on the situation at a cyber-crime conference:
"Everybody's screaming, all the political figures up on Capitol Hill, about identity theft," he said. "It's not identity theft, it's the theft of information... While politicians raise hell about identity theft, what we're really talking about is the failure to protect valuable currency.... Corporate boards better start paying attention, because they haven't been."

Also, according to Swindle, the pattern of corporate data breaches "indicates to me the industry has, to a great extent, been irresponsible, and somebody has got to pay." He suggested the first people to pay might be corporate lawyers. The lax data protection, according to Swindle, is being driven in part by those general counsels who sit around and say, "be careful about what you promise in privacy and information security because you might get sued for it."
Date            Name                                        Type of breach           Number
Feb. 15, 2005   ChoicePoint                                 ID thieves accessed      145,000
Feb. 25, 2005   Bank of America                             Lost backup tape         1,200,000
Feb. 25, 2005   PayMaxx                                     Exposed online           25,000
March 8, 2005   DSW/Retail Ventures                         Hacking                  100,000
March 10, 2005  LexisNexis                                  Passwords compromised    32,000
March 11, 2005  Univ. of CA, Berkeley                       Stolen laptop            98,400
March 11, 2005  Boston College                              Hacking                  120,000
March 12, 2005  NV Dept. of Motor Vehicles                  Stolen computer          8,900
March 20, 2005  Northwestern Univ.                          Hacking                  21,000
March 20, 2005  Univ. of NV, Las Vegas                      Hacking                  5,000
March 22, 2005  Calif. State Univ., Chico                   Hacking                  59,000
March 23, 2005  Univ. of CA, San Francisco                  Hacking                  7,000
April 8, 2005   San Jose Med. Group                         Stolen computer          185,000
April 11, 2005  Tufts University                            Hacking                  106,000
April 12, 2005  LexisNexis                                  Passwords compromised    Additional 280,000
April 14, 2005  Polo Ralph Lauren/HSBC                      Hacking                  180,000
April 14, 2005  Calif. FasTrack                             Dishonest insider        4,500
April 18, 2005  DSW/Retail Ventures                         Hacking                  Additional 1,300,000
April 20, 2005  Ameritrade                                  Lost backup tape         200,000
April 21, 2005  Carnegie Mellon Univ.                       Hacking                  19,000
April 26, 2005  Mich. State Univ.'s Wharton Center          Hacking                  40,000
April 26, 2005  Christus St. Joseph's Hospital              Stolen computer          19,000
April 28, 2005  Georgia Southern Univ.                      Hacking                  "tens of thousands"
April 28, 2005  Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
                                                            Dishonest insiders       680,000
April 29, 2005  Oklahoma State Univ.                        Missing laptop           20,000
May 2, 2005     Time Warner                                 Lost backup tapes        600,000
May 4, 2005     CO Health Dept.                             Stolen laptop            1,600 (families)
May 16, 2005    Westborough Bank                            Dishonest insider        750
May 18, 2005    Jackson Comm. College, Michigan             Hacker                   8,000
May 20, 2005    Purdue Univ.                                Hacker                   11,000

TOTAL                                                                                5,476,150

(The total is the sum of the numeric entries only; Georgia Southern's "tens of thousands" is not counted.)
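To check the chronology's arithmetic and see where the records actually come from, here is an added example, written for this post and not taken from the Privacy Rights Clearinghouse or BeSpacific, that parses the count column above (including the "Additional" prefix, the "(families)" suffix and the non-numeric Georgia Southern entry) and rolls the rows up by root cause. The rows are transcribed from the table; the category buckets are my own groupings, not PRC's.

```python
import re
from collections import Counter

# Rows transcribed from the Privacy Rights Clearinghouse chronology above:
# (date, organisation, type of breach as listed, number as listed).
ROWS = [
    ("Feb. 15, 2005", "ChoicePoint", "ID thieves accessed", "145,000"),
    ("Feb. 25, 2005", "Bank of America", "Lost backup tape", "1,200,000"),
    ("Feb. 25, 2005", "PayMaxx", "Exposed online", "25,000"),
    ("March 8, 2005", "DSW/Retail Ventures", "Hacking", "100,000"),
    ("March 10, 2005", "LexisNexis", "Passwords compromised", "32,000"),
    ("March 11, 2005", "Univ. of CA, Berkeley", "Stolen laptop", "98,400"),
    ("March 11, 2005", "Boston College", "Hacking", "120,000"),
    ("March 12, 2005", "NV Dept. of Motor Vehicles", "Stolen computer", "8,900"),
    ("March 20, 2005", "Northwestern Univ.", "Hacking", "21,000"),
    ("March 20, 2005", "Univ. of NV, Las Vegas", "Hacking", "5,000"),
    ("March 22, 2005", "Calif. State Univ., Chico", "Hacking", "59,000"),
    ("March 23, 2005", "Univ. of CA, San Francisco", "Hacking", "7,000"),
    ("April 8, 2005", "San Jose Med. Group", "Stolen computer", "185,000"),
    ("April 11, 2005", "Tufts University", "Hacking", "106,000"),
    ("April 12, 2005", "LexisNexis", "Passwords compromised", "Additional 280,000"),
    ("April 14, 2005", "Polo Ralph Lauren/HSBC", "Hacking", "180,000"),
    ("April 14, 2005", "Calif. FasTrack", "Dishonest insider", "4,500"),
    ("April 18, 2005", "DSW/Retail Ventures", "Hacking", "Additional 1,300,000"),
    ("April 20, 2005", "Ameritrade", "Lost backup tape", "200,000"),
    ("April 21, 2005", "Carnegie Mellon Univ.", "Hacking", "19,000"),
    ("April 26, 2005", "Mich. State Univ.'s Wharton Center", "Hacking", "40,000"),
    ("April 26, 2005", "Christus St. Joseph's Hospital", "Stolen computer", "19,000"),
    ("April 28, 2005", "Georgia Southern Univ.", "Hacking", '"tens of thousands"'),
    ("April 28, 2005", "Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp",
     "Dishonest insiders", "680,000"),
    ("April 29, 2005", "Oklahoma State Univ.", "Missing laptop", "20,000"),
    ("May 2, 2005", "Time Warner", "Lost backup tapes", "600,000"),
    ("May 4, 2005", "CO Health Dept.", "Stolen laptop", "1,600 (families)"),
    ("May 16, 2005", "Westborough Bank", "Dishonest insider", "750"),
    ("May 18, 2005", "Jackson Comm. College, Michigan", "Hacker", "8,000"),
    ("May 20, 2005", "Purdue Univ.", "Hacker", "11,000"),
]

COUNT_RE = re.compile(r"\d[\d,]*")


def parse_count(cell: str):
    """Integer in a count cell ('Additional 280,000' -> 280000, '1,600 (families)' -> 1600),
    or None when the cell is only a description such as 'tens of thousands'."""
    m = COUNT_RE.search(cell)
    return int(m.group().replace(",", "")) if m else None


def categorize(kind: str) -> str:
    """Collapse the chronology's wording into root-cause buckets (my groupings, not PRC's)."""
    k = kind.lower()
    if "hack" in k:
        return "hacking"
    if "insider" in k:
        return "dishonest insider"
    if "tape" in k:
        return "lost backup media"
    if "laptop" in k or "computer" in k:
        return "lost or stolen device"
    if "password" in k:
        return "credentials compromised"
    if "exposed" in k:
        return "exposed online"
    return "other"  # ChoicePoint: thieves posed as legitimate customers, no intrusion at all


def summarize(rows=ROWS) -> dict:
    """Total the numeric rows, list rows that cannot be totalled, roll up records and incidents per bucket."""
    total, unknown, records, incidents = 0, [], Counter(), Counter()
    for _date, name, kind, cell in rows:
        bucket = categorize(kind)
        incidents[bucket] += 1
        n = parse_count(cell)
        if n is None:
            unknown.append(name)  # counted as an incident, excluded from the record total
            continue
        total += n
        records[bucket] += n
    return {"total": total, "unknown": unknown, "records": records, "incidents": incidents}


if __name__ == "__main__":
    s = summarize()
    print(f"total records (numeric rows only): {s['total']:,}; not counted: {s['unknown']}")
    for bucket, n in s["records"].most_common():
        print(f"{bucket:<24} {s['incidents'][bucket]:>3} incidents {n:>12,} records")
```

The recomputed total matches the 5,476,150 in the table, which confirms the Georgia Southern row was left out of it. The roll-up is the more useful output: hacking accounts for the most incidents, but three lost backup tapes (Bank of America, Ameritrade, Time Warner) account for two million records on their own, which is the kind of thing a board should be asking about.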

Yikes. Bad times. Read the rest of the Swindle article here and, for more on pending legislation relating to personal data theft, try privacyrights.org.

-- MDT



5/24/2005
More Arrests Coming in Banking Data-Theft Case
At last count, nine had been arrested and the accounts of 670,000 customers of Bank of America and Wachovia had potentially been compromised. With somewhere around 100,000 customer notification letters sent out (been watching my mailbox closely), investigators in the Garden State are promising additional arrests.

Via Reuters and iWon.com:
More arrests coming in US bank theft ring

Monday May 23, 11:41 AM EDT

By Jonathan Stempel

NEW YORK (Reuters) - At least two more bank employees will probably be arrested in the coming weeks over a scheme to steal data about customers at four major U.S. banks, a New Jersey police detective said on Monday.

Police in Hackensack, New Jersey, last month had charged nine people, including seven former bank employees, over the possible compromising of hundreds of thousands of accounts at Bank of America Corp., Wachovia Corp., PNC Financial Services Group Inc. and Commerce Bancorp Inc.

At least 60,000 Bank of America and 48,000 Wachovia customers were notified that their accounts might be at risk, spokeswomen for the banks said. More bank customers may also have been affected.

"Sifting through the massive amount of computer information is an arduous task," said Hackensack Detective Capt. Frank Lomia in an interview. "We believe there were at least 200,000 to 300,000 breaches, based on financial records we have seen on DRL's computers, and the number could be higher."

The police called the scheme an attempt to steal customer account data and sell the information to collection agencies. There is no sign the breached account data was used to open accounts or obtain loans, a practice known as identity theft.

The alleged leader was Orazio Lembo, who advertised his DRL Associates as a firm that could supply bank account, balance and employment information to debt collectors, police said. More than 40 collection agencies and law firms bought the data, which DRL obtained from bank employees, police said.

Lomia said police largely finished the first phase of the investigation, which involved shutting Lembo's operations and informing banks of the problem. The second phase involves examining firms that bought the data, according to Lomia. He said Bergen County prosecutors and federal authorities are involved in the matter.

"We expect at least two more banking people to be arrested," Lomia said.


More here.

-- MDT



5/23/2005
The Hell? - Paris Hilton Cell Phone Hack and Lexis Nexis Data Thefts Related?
You don't know how long The Daily Caveat has been trying to find a way to work America's favorite blond, bubble-headed celebutante into our daily news. Finally the day has arrived. I don't think I can add much more to this crazy story beyond what you can read below:
Federal Investigators Remove PCs, Discs From Several Locations; LexisNexis Break-In Linked to Paris Hilton Phone Hacking

By Brian Krebs
Washingtonpost.com Staff Writer
Thursday, May 19, 2005

The federal investigation into the massive theft of sensitive personal records from database giant LexisNexis Inc. intensified this week with the execution of search warrants and seizure of evidence from several individuals across the country, according to federal law enforcement officials.

Three people targeted in the investigation confirmed that federal investigators had served warrants at their homes. The group included a minor who has been in contact with a washingtonpost.com reporter for three months and who said he was directly involved in the LexisNexis breach...

...The minor, whose identity is not being revealed because he is a juvenile crime suspect and because he communicated with a washingtonpost.com reporter on condition of anonymity, said federal officials "raided" his home this week and seized his computer. He said investigators "got everybody" involved in the digital break-in.

Nine people in all were served search warrants by investigators, according to a senior federal law enforcement official who asked not to be identified because of his role in this and other ongoing investigations. The official said several members of the group are also believed by investigators to be involved in the much-publicized hacking in February of hotel heiress Paris Hilton's T-Mobile cell phone account, but he did not specify which members...

...The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to...

...According to an account provided by the teenaged member of the hacker group -- and confirmed by the law enforcement source who insisted on anonymity -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom only knew each other through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her computer keyboard.

According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' login information may have been similarly stolen, the law enforcement source said.

The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.
Much more intrigue at the WashingtonPost.com.

-- MDT



5/19/2005
Identity Theft Fear-Mongering Continues
Ahh, the good old days...

It used to be that the average person only had to maintain an irrational fear of being knocked unconscious and waking up on ice in the bathtub of a seedy motel missing a kidney. Currently identity theft is the bug-a-boo du jour helping fill space on local newscasts and outraged editorial pages.

Unfortunately, speaking as a recent victim, identity theft is definitely more than just an urban legend, and properly insulating oneself from its most common causes (buy a shredder, people) is certainly worth doing.

The need to balance transparency and privacy is a real and continuing concern not just for our industry but for society at large. The International Herald Tribune has an interesting article on that subject, which originally ran in the New York Times, discussing a systematic approach undertaken by The Johns Hopkins University to evaluate personal data security:
...Working with a budget of $50 and a strict requirement to use only legal, public sources of information, groups of three to four students set out to vacuum up not just tidbits on individuals, but whole databases - death records, property tax information, campaign donations, occupational license registries - on citizens of Baltimore. They then cleaned and linked the databases they had collected, making it possible to enter a single name and generate multiple layers of information on individuals...

...The Johns Hopkins project was conceived by Avi Rubin, a professor of computer science and the technical director of Johns Hopkins's Information Security Institute. Rubin has used his graduate courses in the past to expose weaknesses in electronic voting technology, digital car keys and other byproducts of a society that is increasingly dependent on computers, networks and software.

"My expectations were that they would be able to find a lot of information, and in fact they did," Rubin said.

In some instances, students visited local government offices and filed official requests for the data - or simply "asked nicely" - sometimes receiving whole databases burned onto a CD. In other cases, they wrote special computer scripts, which they used to slurp up whole databases from online sources like Maryland's registry of occupational licenses (barbers, architects, plumbers), or from free commercial address databases...

...David Bloys, a private investigator in Texas, has helped craft a bill now pending in the state legislature there that would prohibit the bulk transfer and display over the Internet of documents filed with local governments.
There are real dangers involved, Bloys said, when such information "migrates from practical obscurity inside the four walls of the courthouse to widespread dissemination, aggregation and export across the world via the Internet." However convenient online access made things for legitimate users, the information is equally convenient for "stalkers, terrorists and identity thieves," Bloys said...
(Read the rest of the article here.)

Lots to comment on in this piece, but it will have to wait until later today.

Duty calls.

-- MDT



5/04/2005
A Look Back at the Choicepoint Data Theft
Regular readers know that The Daily Caveat has followed the Choicepoint data-theft story very closely. Yesterday the Pittsburgh Post-Gazette had a good rundown of exactly what happened and a detailed description of the info-aggregator's internal response to fears that their data had been accessed inappropriately.

"They said it was a huge task and they didn't have the staff to do it," says Lt. Robert Costa, head of the Los Angeles County sheriff's department identity-theft squad. "Apparently their technology wasn't built so you were able to find the electronic footsteps these guys left."

Months passed before ChoicePoint was able to estimate the number of people whose personal data had been compromised, which it pegged at--5,000. It couldn't say whether any of the data had been used to steal from the victims or get fraudulent loans. The sheriff's department, meanwhile, came to more alarming conclusions. It estimated that data had been downloaded on millions of people, and used to run up millions of dollars in fraudulent credit-card charges.

Much more to be found here.

And a tip of the hat to Legal Dockets Online for bringing the article to our attention.

-- MDT



4/18/2005
Identity Theft to Be Spitzered
Via Reuters:
NY Attorney General Spitzer Targets Identity Theft

Apr 18, 2005

NEW YORK (Reuters) - New York Attorney General Eliot Spitzer on Monday said he is seeking stronger state laws against identity theft and computer hacking.

Spitzer's office, together with several consumer advocate groups and crime victim organizations, are asking legislators to give consumers better control over personal information, enhance the state's ability to prosecute crimes that lead to identity theft, and boost penalties.

Spitzer, known for his sweeping probes of Wall Street research, the mutual fund and insurance industries, said he submitted a package of bills to the state legislature.
Click here to read more about Spitzer's legislative agenda.

-- MDT




Identity Theft, Risks For Business
Here's a link to a New York Law Journal article on identity theft (via the fine folks at Law.com) and the crime's potential negative consequences for businesses that don't take the issue seriously. But the action is not really in the article itself, but rather in the excellent bibliography with links to all the reports and statistics cited.

Bookmark it. You might want to give it a look later.

-- MDT



4/12/2005
States Moving on Identity Theft Protection
While big-time data brokers like Choicepoint and Lexis Nexis would prefer that expanded regulation of their industry come from the federal level, state governments are not exactly sitting on their hands.

The Washington Post is reporting that 28 states are considering bills of various types to provide increased consumer protection against data fraud. This comes in response to a year (barely three months old) in which over 1 million social security numbers have already been reported stolen.

Read the rest here.

-- MDT




Lexis Nexis Reports 59 Data Breaches, 310,000 Personal Files Accessed
Reed Elsevier, parent company of Lexis Nexis and Seisint, is reporting that 59 security breaches over two years have resulted in some 310,000 personal records being accessed by illegitimate parties. The incidents were discovered in an audit of the firm's data services that was prompted by the recent discovery of unauthorized access to 30,000 or so personal records at RE data brokering subsidiary Seisint.

While identity theft related losses cost consumers, business and financial institutions some $5 billion in 2003 according to the FTC, Reed Elsevier contends "that the financial implications of the unauthorized use of its databases are 'expected to be manageable within the context of LexisNexis' overall growth.'"

Confidence. I like that.


The company is planning notifications for all 310,000 individuals affected and is also planning to offer "free support services, including credit bureau, credit monitoring for one year and fraud insurance." Reed Elsevier also pointed out that thus far there have been no identity theft issues with the initial pool of 30,000 who had their information accessed.

-- MDT



4/08/2005
Data You Don't Keep is Data that Can't be Stolen
We've been covering identity / data theft stories pretty heavily here at The Daily Caveat, primarily because several of the more notorious recent incidents have involved prime vendors in the corporate investigative arena. A secondary issue is the increasing probability that lack of proper data security could become a significant liability issue for companies across the business spectrum.

It is to that point that a recent article in Computer World (written by two Kroll Ontrack execs) speaks directly. The authors, Alan Brill (senior managing director) and Jason Paroff (director, computer forensic operations), discuss guidelines that they believe will help companies reduce potential data theft exposure (and the attendant liability) by, among other things: reducing the data companies store, promptly disposing of data that is no longer necessary and encrypting essential information to protect it from outside access.

Many thanks to Mary Mack's new Sound Evidence blog (please check it out) for the link.

-- MDT



4/05/2005
Report Highlights Corporate Data Security Weakness
Data aggregators are getting picked on a great deal these days for their security lapses, but the data thefts from Choicepoint and Lexis are only two of a half-dozen or so recent thefts, resulting either from fraudulent data purchase, physical theft of records or computer database hacking. Of all these potential avenues for mass theft of personal data, computer system security is arguably the most pervasive problem facing American industry.

Not only is this a basic security issue, but as we've seen in recent weeks, it is becoming a serious liability issue as well.

Jon Oltsik, the author of a January 2005 report on data security from the Enterprise Strategy Group, has summarized his findings in an article for ZDnet.com. Oltsik's report includes data from a survey of security professionals at 229 U.S. firms and found that almost a quarter of these firms had experienced an internal security breach in the last year. An even larger number of respondents couldn't say one way or the other whether they had been breached or not.

From ZDnet.com:
Black Eye for Privacy

By Jon Oltsik, Special to ZDNet
Published on ZDNet News: April 4, 2005, 10:48 AM PT

First it was a security breach that left ChoicePoint's treasure chest of personal information (145,000 accounts) vulnerable to prying eyes. Less than a fortnight later, Bank of America backup tapes containing data on 1.2 million accounts went missing. More recently, someone hacked into a confidential database containing as many as 32,000 records at Seisint, a company owned by LexisNexis.

Bad guys are targeting corporate databases because, obviously, that's where the money is. But the bigger concern is that many of these confidential "bet the business" databases (and other critical systems) still remain woefully insecure.

The Enterprise Strategy Group recently surveyed 229 U.S.-based security professionals from organizations with more than 1,000 employees. The majority of respondents (52 percent) came from organizations with more than $1 billion in annual revenue. Our goal was to get an objective metric of just how bad the internal security threat really is.

The results paint a frightening picture. For example, 23 percent of respondents reported their organization had suffered an internal security breach in the past 12 months, while 27 percent didn't know if it had or not. Note to self: Make sure the people you do business with know whether they've been hacked or not.
Read the rest of the article.

Also an executive summary of the ESG research report can be found here.

-- MDT



4/04/2005
Identity Theft and Corporate Liability
Identity theft liability - it's not just for data brokers anymore... Great piece from The Corporate Counsel online, running down the liability risks firms face from poor data security:
Identity Theft: The Next Corporate Liability Wave?

03-30-2005

Toby J.F. Bishop and John Warren
The Corporate Counsellor

Your phone rings. It's Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.

Your mind begins to whirr. Are there other customers affected who haven't been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?

You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims' time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that's on top of the potential impact on your company's future sales.

The nation's fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.
For further handicapping of your liability from Messrs. Bishop and Warren, as well as how past firms have fared under similar circumstances, click here.

-- MDT



3/30/2005
Hoping to Save Time in Becoming An Identity Theft Statistic, Local Man Posts Tax Return on the Internet
Don Bodiker uses a popular file-sharing program to trade music and, frankly, who knows what else over the internet. Rather than judge him for that fact, let's instead laugh at Don, this future victim of identity theft, who inadvertently placed his tax return in his computer's shared folder, thereby making the document and all the personal details therein accessible to anyone bothering to look.

Via WTOC News in beautiful Savannah, Georgia:
Local Man Finds His Tax Return on Internet

03/23/05

Charles Gray WTOC News

No doubt computers and the internet have made filing your taxes easier. But it can also be big trouble if your tax returns--and all the private information they contain--wind up online. We found one local man it happened to.

Don Bodiker uses a popular file sharing program to swap music and other information over the internet. He also uses his computer to prepare his taxes.

He never thought the two had anything to do with each other, until he got a call. "I had no idea who he was or what he was. I just thought he was a typical telemarketer," Bodiker said of the call. "And he wanted to inform me that my tax returns were being posted out on the internet. I was very skeptical but he then proceeded to tell me some very specific details about my tax return."

File sharing software allows you to download files stored in certain shared folders on other users' computers. The flipside is they can also download files from your shared folder. There's a folder on their computer the Bodikers use to store the music files they wanted to share. What they didn't realize is that their tax return software saved their returns in the very same place.

"Oh my God, I thought everybody and anybody knows exactly what my social security number is, my address, you know, anything that I had that was pertinent on there that could be used as an identity theft process," said Bodiker.

And he's not alone. A simple search on the file sharing network for the word "tax" turned up hundreds of returns. "It's made me more aware of the possibilities of programs that you attach to your computer," said Bodiker. "Ultimately, if you don't have to keep it on your computer, make a hard copy, and file it away. And that's always the best thing."

That's some good, old-fashioned advice for the information age.

The good Samaritan who called Bodiker--he only wants to be identified as Jeff--says he's called dozens of others and has plenty more to go. He says if you use file sharing, just be careful your shared folder is not the one you save sensitive information to.

Fortunately it looks like Bodiker caught the problem before his information spread.

This is not the only trouble associated with file sharing software. People can also get into trouble for swapping copyrighted material. There is content out there that's free and meant to be shared. You just need to make sure your private information doesn't go with it.
The original article can be viewed here.
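The failure mode in the WTOC story is that the tax software and the file-sharing client were writing to and publishing the same folder. As an added example (not code from the article or from any file-sharing product), here is a small audit script a user could run against a shared folder before publishing it; the filename hints and the SSN format check are assumptions of the example, and the sample folder it builds is entirely constructed.

```python
"""Audit a file-sharing client's shared folder for documents that look like
they hold personal data. Added example, not from the WTOC article: it models
the failure mode described there, where tax software saved returns into the
same folder the file-sharing program published."""
import re
import tempfile
from pathlib import Path

# Filename fragments that suggest a tax or financial document (constructed list).
SENSITIVE_NAME_HINTS = ("tax", "return", "1040", "w-2", "w2", "1099", "payroll")

# Formatted SSN (123-45-6789). Area 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Only the head of each file is read: enough to catch a return's header block
# without pulling whole media files into memory.
SCAN_BYTES = 64 * 1024


def find_ssns(text: str) -> list[str]:
    """Return the well-formed SSNs found in text."""
    return SSN_RE.findall(text)


def audit_shared_folder(folder: Path) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to folder) to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for path in sorted(folder.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        lowered = path.name.lower()
        if any(hint in lowered for hint in SENSITIVE_NAME_HINTS):
            reasons.append("filename suggests a tax or financial document")
        head = path.read_bytes()[:SCAN_BYTES].decode("utf-8", errors="ignore")
        hits = find_ssns(head)
        if hits:
            reasons.append(f"{len(hits)} SSN-formatted number(s) in content")
        if reasons:
            findings[str(path.relative_to(folder))] = reasons
    return findings


def build_sample_folder() -> Path:
    """Constructed shared folder: two music files, a benign notes file and a
    stray tax return. All names and numbers are fake sample data."""
    root = Path(tempfile.mkdtemp(prefix="shared_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"ID3" + b"\x00" * 512)
    (root / "music" / "track02.mp3").write_bytes(b"ID3" + b"\x00" * 512)
    (root / "notes.txt").write_text("Call 555-0100 about the order 123-45.\n")
    (root / "TaxReturn2004.txt").write_text(
        "Form 1040 (constructed sample)\n"
        "Taxpayer: Jane Doe  SSN: 219-09-9999\n"
        "Spouse SSN: 078-05-1120\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_folder()
    for rel, why in audit_shared_folder(sample).items():
        print(f"{rel}: {'; '.join(why)}")
```

Pointing `audit_shared_folder` at the real shared folder instead of the constructed one is the only change needed to use it; anything it flags should be moved out before the client publishes the folder.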

And that darn "Local Man"...always getting himself into trouble. Check out this recent article from The Washington Post regarding the previous adventures of "Local Man."

-- MDT



3/21/2005
Social Security Numbers a Part of the Problem?
LegalDockets.com has a link to an interesting article about the problems posed by the use of the social security number as an all-purpose personal identifier:
Identity theft: The social security number is the root of all evil?

The ChoicePoint and other recent data thefts have been hot in the news but I had decided not to post anything concerning this because 1) It's nothing new, and 2) It's gotten more than its share of press. However, I will continue to post selectively chosen articles in this area of public records v. privacy concerns now and then. One such article, No Security in SSNs?, by Susan Kuchinskas and posted on the internetnews.com site is worth a look.
LegalDockets also has a link over to Tamara Thompson's P.I. News blog where she provides a run-down and review of the latest happenings in the continuing personal-privacy imbroglio touched off by the recent Choicepoint data leak.

-- MDT



3/18/2005
New Access Point Newsletter from Deverus
A great resource from background screener Deverus is their biweekly email newsletter Access Point. Headline highlights from the most recent edition include:
NC Bill Approved To Fix Rest Home Background Check Procedure

The NC General Assembly approved a bill Monday to define how information in a background check should be distributed. Read the article here.

Bad Data Fouls Background Checks

While recent news has folks concerned about identity theft, inaccurate data is just as big a danger -- and individuals are left to police the problem themselves. Read the article here.

Data Merchants Have Got Your Numbers

Privacy advocates have long complained about scant regulation of the data-brokering companies that traffic in dossiers on almost every adult American. Read the article here.

Hiring Presents Tricky Areas for Employers

Employee background checks used to be a "hard sell" when Nadell started his Chatsworth-based employment screening firm in 1994. ... House Bill 1625, would shield employers from legal liability for giving information about a former or current employee's job performance to a prospective employer. Read the article here.

Background Checks Vary; Schools Fear Surprises

... and while local schools all recognize the need to be aware of improper activities by prospective athletes, none conducts a routine criminal background check. ... Read the article here.
There's lots more where this came from, so if it seems like your cup of tea, navigate over here and sign yourself up.

-- MDT




Westlaw Reacts to Data Privacy Concerns
House of Butter has the details on how legal industry powerhouse Westlaw plans to amend its services to address the current rising tide of concern about data security:

Westlaw will, we learn, sharply limit subscriber access to Social Security numbers in its database. This move was announced after the company's top executives met on Wednesday night with Sen. Charles Schumer, D.-N.Y., a sponsor of one of several bills before Congress addressing identity theft.

After the meeting Schumer characterized Westlaw's action as a model for the rest of the data-brokerage industry. "This is a victory for consumers and a big loss for criminals who want to steal your Social Security number and your identity."

In an E-mail message to InformationWeek, Peter Warwick, CEO of Westlaw publisher Thomson West, said events of the past months in which personal information was stolen from competitors' databases illustrates the importance of tougher controls. "The ultimate test for us as a business is to do the right thing," he said.

According to Sen Schumer, Westlaw had now eliminated access to 85% of its clients, mostly lawyers and government agencies--including the U.S. Senate.

Westlaw will also no longer sign contracts granting full access to Social Security numbers. Individual passwords will be given to law-enforcement officials deemed eligible to view full Social Security numbers.
House of Butter credits an InformationWeek.com article, which you can read here.

-- MDT



3/17/2005
Choicepoint Administrators Claim Cluelessness (Note: This Did Not Work For Bernie Ebbers)
From the L.A. Times:
Executives at besieged information broker ChoicePoint Inc. have said they had no idea how vulnerable the company was to the identity thieves who recently tapped into personal data on 145,000 Americans, igniting a national furor over privacy. Chairman Derek Smith told CNBC last week, for instance, that management "never realized the sophistication organized crime" would demonstrate in order to access ChoicePoint files.
It is disturbing that Choicepoint, one of the biggest vendors in our industry and a company whose services are used to root out fraud and ensure transparency in countless business transactions, would be caught flat-footed by fraudsters themselves. Smith's statement on CNBC seems especially thin considering that this is most certainly not the first time something like this has happened to the company.

More from the L.A. Times:
Court documents in the 2002 case of Bibiana and Adedayo Benson -- who were convicted and sentenced to federal prison -- shed light on what it took to steal data from ChoicePoint and open fraudulent credit card and bank accounts in the names of unknowing victims.

The case, which led to at least $1 million in losses, attracted no public attention at the time. Like the most recent security breach, it involved con artists using simple and time-tested methods to hoodwink the data broker.

According to the court records, Bibiana Benson applied for a ChoicePoint account in the name of Christine Lorraine Burton on April 2, 2000.

To get the account, Benson needed two things: Burton's Social Security number and a professional or business license. ChoicePoint requires a copy of "business or professional licensing," according to its current application form, because information obtained from its databases may be used only for "business reasons."

Benson had the Social Security number. (The documents don't say how she obtained it, but authorities say there was evidence her brother was involved in identity theft before the ChoicePoint infiltration.) The California real estate broker's license in Burton's name was a fake. Benson faxed the license to ChoicePoint along with the application form.
And the Bensons were off to the races and racking up about a million in fraudulent transactions. And the best bit...this went on for over TWO YEARS.

To read the rest, click here.

In fairness to Choicepoint and to LexisNexis as well, data aggregators are not the only firms who have faced these types of data leaks. Whether due to electronic security breaches, employee error or plain old con artistry, many other firms have recently faced similar issues, including Bank of America, DSW shoes and online payroll service Paymaxx. But Choicepoint is a different deal. Americans have an innate suspicion of a company that earns a profit by collecting and selling personal data.

No one was given a chance to "opt out" of Choicepoint's files. There is no national "Do Not Aggregate me" list to join. So, when a security breach happens the American public and their elected representatives are not going to concern themselves with how much Choicepoint aids in business transparency, they are simply going to seek a reckoning. Choicepoint by its own hand has opened the door to being judged not just for what they've done but for what they are.

The services provided by Choicepoint do a great deal of good in preventing fraud. It seems very clear, however, that the company, in its great rush to commodify and product-ize personal data, has let slip the basic "know your customer" protections and fundamental subscriber vetting that should be the bedrock of such services. In doing so they have put at risk all the positive benefits their services provide to the business community.

-- MDT




Choicepoint Data Theft Spurs Call For New Regulations
Recently, the House Commerce and Energy Committee's Subcommittee on Commerce, Trade, and Consumer Protection held a four-hour session addressing identity theft and the recent information thefts that have befallen Choicepoint and LexisNexis. Rep. Joe Barton, the Texas Republican who chairs the House Commerce and Energy Committee, said of their plans,
"There's a very good chance we're going to put together a bill that will make it illegal to sell the Social Security number without the permission of the individual unless there is a legitimate law-enforcement purpose.....There may be one or two other exceptions; I don't know what they would be. I have not heard anything that explains to me why we should allow that to go on."
It was also suggested by House members during the session that Congress should consider extending the rules in the Gramm-Leach-Bliley Act, which requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information, to data aggregators such as Choicepoint.

To read the rest, including the reactions of key players such as the CEOs of Choicepoint and LexisNexis, check out the full article at InfoWeek.

And for more on the House Subcommittee session, check here and here.

-- MDT



3/12/2005
A Model Regime of Privacy Protection
This sometimes feels like "The Identity Theft Blog" but it really isn't meant to be. For the time being these seemingly rampant leaks of personal data, some of which have come from our industry's heaviest hitters, cast a long shadow over the value and merit of the work we investigators do. The same information technologies that we've recently seen misused are what enable a firm like ours to assist its clients in avoiding fraud and ensuring business transparency.

It is important that in taking appropriate legislative action to guard against future data thefts we don't allow the baby to be thrown out with the bathwater. To that end we'll continue to cover I.D. theft closely in this space, as well as the state and federal legislative moves that are proposed to combat it. Daniel Solove, George Washington University Law professor, has been all over the media coverage of the Choicepoint affair. Solove has published widely on the subject of electronic privacy concerns and has recently proffered this treatise entitled A Model Regime of Privacy Protection that is well worth a read. Another choice nugget from beSpacific.

Also, am I the last one to know about this amazing resource?

-- MDT




Hammer to Fall?
FTC Chimes in:

Prepared Statement of the Federal Trade Commission On Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, Presented by Chairman Deborah Platt Majoras Before the Committee on Banking, Housing, and Urban Affairs of the United States Senate (March 10, 2005)

From the most excellent beSpacific legal technology blog.

-- MDT



3/11/2005
Low Tech Risks Still Greatest for I.D. Theft & More on CA Victim Notification law
Or so reports the Better Business Bureau, which in 2004 declared that a stolen purse or wallet was still the leading route to identity theft for American consumers. Most identity theft arises from stolen personal documents rather than data housed or transmitted electronically.

Sheila Gordon, director of victim services at the Identity Theft Resource Center, suggests what any decent investigator knows implicitly - that dutiful use of a cross-cut shredder can keep one out of a great deal of trouble. Gordon also offers a number of other positive steps consumers can take to ward off potential trouble, as well as suggestions on how to act quickly to minimize the damage when a theft has occurred.

Some states do a better job than others of protecting their residents. For example, as Choicepoint's incremental response to its own data theft showed, California has had an active law on the books since 2003 (SB 1386) requiring prompt notification of consumers in the event of a potential i.d. theft. This law has its roots in a 2002 incident in which hackers cracked the state payroll database and acquired personal information on over 250,000 state employees. At the time it took a month for the theft to be discovered and another two weeks before the victims were informed.

For a run-down of the California law's requirements, see this link (PDF). In California, consumers can also lock down their credit reports, so that opening new accounts requires a PIN. Other states have pending or are considering similar laws, including: Louisiana, Vermont, Texas, Oregon, Connecticut, Massachusetts, Illinois and a half-dozen others.

-- MDT




Press Release from Reed Elsevier on Lexis Nexis Security Breach
Thanks to House of Butter for the text:

DAYTON, OH, March 09, 2005 - Reed Elsevier today announced that LexisNexis, its global legal and business information business, has identified a number of incidents of potentially fraudulent access to information about U.S. individuals at its recently acquired Seisint unit. The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers. LexisNexis has notified law enforcement authorities and is proactively assisting in law enforcement investigations of these incidents. LexisNexis is also working with customers to enhance security procedures.

These incidents were identified as part of an ongoing extensive review of the verification, authorization and security procedures and policies across the risk management businesses. LexisNexis has accelerated this review to determine the extent of any other incidents.

Information on approximately 32,000 individuals may have been fraudulently accessed in these incidents. LexisNexis very much regrets this and will be notifying all the individuals concerned and providing them with ongoing credit monitoring and practical support to ensure that any identity theft is quickly detected and addressed. Any further instances that emerge from the ongoing review will likewise be handled as quickly and as sensitively as possible. The information accessed includes names, addresses, social security and drivers' license numbers, but not credit history, medical records or financial information.

LexisNexis has already taken, or will take actions to enhance security to enable it to maintain its position as an industry leader in the responsible use of data and the protection of individual privacy. These actions include: enhancing ID and password administration procedures and requirements for customers; dedicating additional resources to protection of consumer privacy; working with customers to reinforce the importance of consumers' privacy; and working with law enforcement for further insight and assistance on new practices and techniques for thwarting criminal activities.

The financial implications are expected to be manageable within the context of LexisNexis' overall growth. The demand for risk management solutions is expected to remain strong and the outlook for Seisint and the LexisNexis risk management business remains very positive. In relation to this, Reed Elsevier today reaffirmed its 2005 and longer term financial targets of at least 5% organic revenue growth and double digit adjusted earnings per share growth at constant rates of exchange.

LexisNexis products that use U.S. public and non-public records provide critical fraud detection and identity authentication solutions to law enforcement, homeland security, commercial and legal customers that help to safeguard citizens and reduce consumers' financial losses, such as credit card and insurance fraud. In addition, these services provide benefits for consumers in facilitating the conduct of transactions for goods and services.




Spate of Personal Data Leaks Stirs Capitol Hill to Action
With regards to Kevin Drum over at Political Animal. He's got a run-down of recent identity theft scandals and the scoop from the L.A. Times on legislation in the works in the Senate Banking Committee to provide greater protections for personal data, legislation that will no doubt have important implications for our industry as a whole and specifically for big-time info-aggregators such as Lexis Nexis and Choicepoint (which have been tarred recently by their inadvertent hemorrhaging of consumer data).

With the volume of recent stories on this issue some kind of action on the federal level was almost assured. Senator Jon Corzine has announced plans to introduce legislation to "improve the security of consumers' financial data." Of course, Corzine has more than a passing familiarity with our industry.

We'll be waiting to see what form the bill takes and how it will affect businesses such as ourselves - those who use the tools provided by Lexis Nexis and similar vendors to ensure business transparency and prevent fraud.

-- MDT



3/09/2005
Investigators Help Resolve Identity Theft
This article in the Christian Science Monitor details how investigators can help consumers get their lives back on track after being victimized by identity theft. Please look beyond all the "gumshoe" and "Sam Spade" references.

Industry firms mentioned are Gavin de Becker & Associates and Kroll.

Also of note: Allstate is now offering "Identity Theft Insurance."

-- MDT



2/25/2005
Bank of America Loses a Million Customer Records
Courtesy CNET and reported everywhere else.... BOA says that a "'small' number of backup tapes with records detailing the financial information of government employees were lost in shipment to a backup center."

While thus far identity theft resolution has been a small aspect of Caveat's business, any time stories arise of massive thefts of personal information they place our industry in great jeopardy. The data aggregators we utilize every day to prevent fraud and ensure business transparency are prime targets for restrictive and reactionary legislation meant to protect what many Americans view as their eroding privacy. And it doesn't help when huge financial institutions go all butterfingers and leave data on 1.2 million customers lying around.

-- MDT





all content © Michael D. Thomas 2009