http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2012-04-14 02:19:14 - Fraud Phishing and Financial Misdeeds : Indentity thieves seem to like to target the government With April 15th, nearing, the news is awash with fraudsters using other people's identities to claim an earned income tax credit worth thousands of dollars Of course, we should feel sorry for the poor people, who had their identity stolen and used to file a bogus return After all, they will have to deal with IRS, and prove they didn't file the bogus return The saddest thing is that they will probably find out about it, when they file a legitimate tax return, and it is denied When this happens, they might have to prove, that they were not the person responsible for filing the faux fake return In most instances, proving this will be hours of work and cost a little money In all fairness, it is evident that the IRS is taking tax fraud much more seriously than in the past Because of this we are probably seeing more of it being reported The IRS has an excellent information page on their site to assist the people being victimized Please note that anyone paying taxes is a victim of all this, and the money being lost, adds to the ever growing deficit Another aspect of this fraud is that if the government can prove the refund was not negotitated for the right person, they can hold the financial institution paying out the money liable Frequently when the fraudulent refund is received a counterfeit ID is produced to negotiate the instrument In these cases, when the true person proves they did not file the bogus return, the loss is going to be charged right back to the financial institution that paid out the actual cash in the scheme Another good example of a government program being targeted is the recent disclosure that hackers compromised a State of Utah Medicaid database Given the quality of information stolen medical , it is prime to commit tax fraud or medical fraud against the government Current estimates put this data breach at 780,000 personal records compromised It has also come to light that the data was not encrypted and that less than complex passwords were used to protect it The Salt Lake City Tribune is also reporting that the manner in which this information was protected might be in violation of current federal regulations Hard to believe with the number of publicly disclosed breaches that the data was not encrypted You would think that this would be standard by now when protecting information that criminals can steal money with Pretty interesting that the World Privacy Forum is showing an interactive map on their site showing all the known occurences of medical identity theft in recent years While there are differing estimates on the costs of medical fraud, there is little doubt that it costs us billions of dollars, and the costs are passed on to all of us A recent by article by Jaikumar Vijayan at ComputerWorld makes a pretty good argument that most of the data breaches in 2011 were avoidable If this is the case, it should show us that this is an ever-growing problem and that we cannot afford to let our guard down If you think you might be a victim in the Utah breach, the State has set up a victim's assistance line at 1-855-238-3339 http://www.secuobs.com/revue/news/369959.shtmlhttp://www.secuobs.com/revue/news/369959.shtml Secuobs.com : 2010-07-08 05:23:54 - Fraud Phishing and Financial Misdeeds - About a week ago, I was made aware of a fraud group operating from a Tampa, Florida number, who were calling people and using some pretty heavy-handed tactics to collect steal money Interestingly enough, the person that let me know about this had never done business with the company being impersonated Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information Of course, in this instance, since the calls were bogus, it was not the case In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself The person who provided me with this information also provided me with the number she was called from I called the number and, after a slight delay, I got a person with a Indian accent, who identified himself as William Scott from ACS, Inc Leading him on, I told him my wife was always getting us into trouble by borrowing money and that we had received a message to call them He asked me for my wife's name and I made one up He then told me to wait a minute, while he looked up the file After about a minute, he said he had located the file and that she owed 50000, and said this was a serious legal issue we needed to get cleared up right away He even offered to settle for 30000, if I paid that day with a debit credit card During my conversation with William, I could hear the chatter of other calls being made Listening carefully, I noted that all the people, chattering in the background seemed to have Southern Asian probably Indian accents This leads me to believe that the call was being forwarded, possibly overseas This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number, all over the world I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him About an hour later I got the form coming from an e-mail address, acscorpusa gmailcom It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number There is very little doubt in my mind if I had sent the form back to him the account I gave them would have been promptly cleaned out I ran the number 813-434-4611 on a site called PhoneValidatorcom, which tells you what company a number belongs to and if it is a cell phone or a landline This number belongs to a PaeTec Communications in Tampa, Florida PhoneValidatorcom offers two additional tools after you run the number One is primarily a paid search how they make money , but they offer Google results, also When I ran the Google results, it identified the same scam, I had run into One site, 800notescom, had quite a few comments about it The payment authorization letter listed a fax number of 646-786-4401 I ran that number and it went to a landline in New York Again, I ran the Google results, which revealed more people getting faux collection calls Besides the fax number on the authorization letter designed to clean out a payment card was another number 813-435-1963 to call them back Although, it was another Tampa number, it went to different telecom outfit By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors Based on the comments I found, it appeared that this activity had been going for a long time, and the Indian accents seems to be a common theme I did report this to the authorities but besides getting an initial call back I haven't heard anything from them since then It is not uncommon for scammers to set up legitimate sounding numbers, either As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected I did more research on this activity and discovered that the BBB had an interesting write-up about similar if not the same fraudulent collection activity The report lists 67 complaints they had received Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims a data breach was suspected In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victim's relatives It also stated that people were being threatened with criminal prosecution, if they did not pay If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt The Federal Trade Commission FTC has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow You can also file an online complaint highly recommended if you suspect abuse and even watch a video on how to do it properly They also provide a number 1-877-FTC-HELP 1-877-382-4357 TTY 1-866-653-4261 if you want to speak with a live human being The phenomenon of fraud by telephone is becoming more and more common Officially dubbed vishing, which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes Cheap long distance enabled by VoIP Voice over Internet Protocol and caller ID spoofing which is legal have made vishing pretty easy to accomplish If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding http://www.secuobs.com/revue/news/238567.shtmlhttp://www.secuobs.com/revue/news/238567.shtml Secuobs.com : 2010-01-03 22:34:01 - Fraud Phishing and Financial Misdeeds - For the past six months or so, this blog was put on hold I could come up with a lot of excuses, such as increased workload and job responsibilities, but I probably just needed a break from writing Now that I am taking a look at getting back into blogging, it doesn't appear much has changed in the fraud arena or that the news is getting better Of course, I probably already knew that After all, I didn't get much of a break from all the fraud that is going on out there, only just from writing about it Most of the experts are pointing to an increase in the amount of fraud we will see occur in the next year For instance, Jay Foley at the Identity Theft Resource Center did a recent interview with Tom Field at Bank Info Security and is predicting some scary trends for 2010 Two of the predictions are that medical identity theft and too good to be true scams will be on the rise I can attest to the too good to be true schemes being on the increase They happen all over North America on a daily basis Strangely enough, the scams seem to recycle themselves and use the same bogus financial instruments, over and over, again Well, first and foremost we are going to see a lot more scams Because of the tough economic times, we are seeing a lot of scammers come out of the woodwork and try to suck you into this quick job, that quick job, here make a little extra money, and invariably what happens is you find yourself on the hook for greater debt and greater problems because you went to work with these scammers, according to Jay Foley Besides this, Jay is predicting an increase in medical identity theft, which struck me as interesting given all the media attention on health care legislation Apparently, he is seeing a lot of people, who are without insurance, use some else's name and social security number to piggyback on someone else's benefits In the article also a podcast , Jay points out that the medical industry has been plastering social security numbers on just about every document they create for years It should be noted -- especially as move towards digital medical records -- that in the wrong hands these records can be used for more than medical identity theft The same information can be used to commit a host of financial crimes, including scamming the government and the insurance companies There is no doubt that medical records have been identified as an easy place to steal information by the criminal element The trillion dollar question right now is if making these records digital is going to make the problem worse Only time will tell Estimates on medicare fraud vary greatly, but are as high as 80 billion a year Please note this is an estimate on medical fraud in the public sector and doesn't account for the fraud directed at the private sector The NHCAA National Healthcare Anti-Fraud Association is a good place to see all the different aspects of this growing problem The end result is a monetary loss that we all end up paying for, whether as a taxpayer or a consumer It's pretty hard to get an accurate estimate of how much fraud occurs, we can only guess what it might be based on the known incidents The reality is the more successful frauds are never discovered After all, most of the people committing fraud go to great lengths to keep their activities anonymous It is bad for business otherwise So far as industries that will be targeted, Jay predicts the payment services industry and medical industry will be the most attractive to information thieves Is this because the payment services industry is where there is instant access to money and the medical industry has an abundance of easily accesible information to steal Also predicted is that the scammers, hackers and identity thieves behind these schemes are going to be much younger Citing the recent conviction of Albert Gonzalez 28 , who has now been identified as being a member of the Shadow Crew and behind the TJX, Heartland and Dave and Buster's breaches The article mentions a trend where teenagers are being seen setting up fake websites to steal money and payment card information Jay also points out that most information theft is being done by insiders, or people who are given access to it I've always said that you can have the best security systems out there -- but if you give the wrong person access -- even the best systems can be redered useless With information being worth money, people can be recruited or even planted in organizations to steal it While the Albert Gonzalez types make good news stories, if an organized crime group wants to get in a system, it's a lot easier if they have an inside connection Perhaps we need to take a step back and realize that the human being is the most important part of any security equation Human beings are on both side of the equation, whether they are the victim or the victimizer As long as we continue to maintain information in easily accesible places to make money and send it electronically all over the place, we are going to have a problem You can read more about Jay Foley and the Identity Theft Resource Center highly recommended , here http://www.secuobs.com/revue/news/177694.shtmlhttp://www.secuobs.com/revue/news/177694.shtml Secuobs.com : 2009-07-20 01:24:33 - Fraud Phishing and Financial Misdeeds - A computer hard drive which contained huge amounts of personal and sensitive information from the Clinton administration is missing Some of this information includes Social Security numbers, personal addresses and even scarier, Secret Service and White House operational procedures Yesterday, government officials were briefed about the compromise, which was originally discovered in April The hard drive held a terabyte of computer data that could contain millions of individual records A terabyte of data would be enough to fill millions of books, according to this article published by the AP The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing although it is not clear which daughter's information was compromised Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too According to articles I read, authorities are still trying to figure out exactly what was on the hard drive The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time When the researcher tried to resume work on the project, it was discovered to be missing According to Rep Edolphus Towns, Democrat-NY, chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating The FBI will have a lot of suspects in this case One hundred badge holders had access to the area Additionally,the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom This information would normally be stored in a secure area Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted Encrypting data is considered a safe and sane security practice when dealing with data in transit and has become a legal requirement in many situations The House Oversight and Government Reform Committee have pointed to a problem with government agencies being compromised in the past In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide Other findings in the report include agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today Thus far, a study has been conducted, and is being reviewed Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries notably China and Russia , who have been suspected of targeting government systems If you are interested in learning more about Chinese hackers, there is a well written blog on the subject titled The Dark Visitor Information on Chinese Hacking Another non-government source which covers data breaches in general is the Open Security Foundation While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time Update 5 20 09 It has now been confirmed that the missing hard drive had no encryption and a 50,000 reward is being offered for information leading to it's recovery Source CNet IMAGE http://www.secuobs.com/revue/news/122377.shtmlhttp://www.secuobs.com/revue/news/122377.shtml