If you’re still looking for a reason to get more serious about protecting against identity theft, then do it for your country. In a series of recent hacks on customers of AT&T, attackers were apparently able to steal more than $2 million by making fake calls to premium call services.
It now appears that the money made from the attack was funneled to a Saudi-based militant group that is also believed to have helped fund the deadly 2008 terror attacks in Mumbai, India, where the coordinated series of attacks claimed more than 160 lives.
Identity theft for terrorism is nothing new. According to a report by MSNBC as far back as 2004, the 9/11 Commission raised the troubling reality that stolen identities are aiding terrorists. The Millennium Plot, which consisted of a number of planned attacks around the world back in 2000, was organized by a terror cell that used credit card fraud to fund its activities, and there are even claims the terrorists planned to invest in a gas station to make it easier to steal multiple identities.
The MSNBC report also claimed that Ali Saleh Kahlah al-Marri, suspected of being connected to the 9/11 attacks, had a laptop in his possession that contained 1,000 stolen credit cards when he was arrested.
And an expert on identity theft at the University of Michigan claims that al Qaida manuals she has seen include instructions on how to commit fraud and steal identities, to live off stolen identities when in hiding, and even require students to leave their training camps with at least five fake identities.
Yet another reason to take identity more seriously. It’s about much more than zero liability, and the impact the crime can have on you personally. If you’re careless with your identity and it makes it into the wrong hands, who knows what horrors could be committed in your good name.
In light of an increase in the number and sophistication of skimming scams around the country, the Identity Theft Council (www.identitytheftcouncil.org) is warning consumers and business owners to be especially careful and selective when using an ATM or debit card to make purchases.
While a credit card fraud can be an inconvenience, consumers should realize that it’s the bank’s money that is being stolen, and it should not affect the funds the consumer has in their bank or credit union account.
If an ATM or debit card is stolen, however, the funds will be taken directly from the victim’s bank account. And while victims should get their money back eventually, it may not be in time to pay important bills like rent, mortgage, and even groceries. In the case of the recent skimming breach that affected 24 Lucky Supermarkets in Northern California, some victims are reporting that they’re unable to buy groceries because of delays with their bank either in replacing compromised debit cards or in accessing their accounts.
And the nation’s 27 million small businesses are also vulnerable because many are not aware that zero liability does not apply to business accounts. Which means that a small business owner’s cash reserves could be wiped out by a single card theft, and the money will not be reimbursed by their financial institution.
The Identity Theft Council recommends the following precautions:
- The easiest way to avoid skimming is to use cash, especially in places where it’s easy for thieves to tamper with a device.
- Be vigilant and do a cursory inspection of the card reader, ATM, or gas pump for anything that looks unusual. However, don’t rely on a visual inspection because many skimmers are hidden inside the card reader or gas pump where a consumer will never spot them.
- Use a credit card instead of a debit card. A debit or ATM card takes money directly from your bank account, and while you should get it all back, it may not be in time to pay important bills like rent. If you use a credit card (and pay it off fully each month) it’s the bank’s money that’s at risk.
- Resist offers by merchants, especially gas stations, to give a discount for using a debit card instead of a credit card. The small savings at the pump may not be worth the price of an emptied bank account.
- If you’re a small business owner, don’t use an ATM or debit card at all because if thieves do manage to steal from your account, you don’t have zero liability and will not be compensated.
- Always check your bank and credit card statements carefully each month for any unusual charges, and challenge them immediately.
- If account alerts are an option, use them. Many financial institutions offer free alerts by email or text if there are any transactions on your account, allowing you to challenge or dispute them quickly.
- If you do fall victim and money is removed from your account, contact your financial institution immediately, cancel the card, and have a new one issued with a new PIN. It shouldn’t be necessary to close your account completely, which can be a big inconvenience, but you should ask your bank for their advice on this.
- If you’re notified or suspect that your card has been compromised in a breach, and you don’t close the account, monitor your accounts closely for the next few months. Thieves often wait until media coverage of an incident blows over and guards are down before using stolen information.
- Don’t share ATM or debit cards with other family members or employees because it only increases the chances that someone will ignore your rules and expose you to theft.
- Be on the alert for bogus calls pretending to be from your bank, credit union, or credit card company, claiming to be in connection with a recent breach, and asking you to confirm account or personal information. If in doubt, contact your financial institution through the customer service or fraud number provided on the card or their web site.
Thieves are more determined than ever to attack point-of-sale systems because of the financial returns. In early December the Department of Justice announced the indictment of four Romanian nationals accused of compromising point-of-sale devices at more than 200 different businesses and stealing the card information of more than 80,000 customers. The losses are believed to be in the millions of dollars and the scam may have gone undetected for nearly three years.
In one of the most bizarre and creative identity thefts I’ve come across recently, a Florida car salesman was arrested and charged with a multi-million dollar identity theft scheme that helped fund his car business.
The alleged thief had somehow managed to steal the identities of hundreds and perhaps thousands of victims. According to authorities, the Florida man used information stolen from the State Department of Children and Families and Department of Juvenile Justice. How he got that information is unclear, although assistance from insiders in cases like this is not unusual.
Armed with the new identities, the alleged thief then filed more than 1,500 tax returns in the names of his victims, and had the money deposited in a network of bank accounts he had set up. But here’s the twist. Rather than pocket the money like most thieves, the suspect used the money to purchase cars which he then sold on his car lot.
Apart from being a very creative way to fund a business and buy stock, it’s also a great way to launder money and make the money look like it legitimately came through car sales. The scheme may have netted the thief more than $5 million, which has yet to be recovered. And once again, the scam was discovered only by the vigilance of a postal worker who reported an unusual amount of IRS-related mail going to the one address.
And it’s not the first time thieves in Florida have exploited huge holes in the tax refund system to make money. A few weeks ago I wrote about Operation Rainmaker, a Florida-wide law enforcement operation that took down a massive identity theft scam that netted local drug dealers an estimated $130 million by filing bogus tax refunds using stolen identities.
One of the reasons identity theft is such an epidemic is that there are so many ways to commit it – steal mail, blast out phishing emails, hack a database, or simply buy identities on a street corner. But for years, security experts have been suggesting, and maybe hoping, that at least you should never expect to get a phone call from the thief.
Time to start rewriting the manual. A security firm called Trusteer recently announced that it has discovered criminal support organizations that provide real people operating customer service-style phone banks to personally call targets and try to swindle them out of their identity.
Experts believe thieves are going to such new extremes because when they steal a victim’s identity online, they may not have quite enough information to maximize that theft. So they hire these criminal dialers to call selected victims, use the personal information they already have about the victim to build trust, and then trick the victim into handing over the last piece of the puzzle.
Here’s how Trusteer believes these calls might go. The scam would start when the criminals try to reset a password or initiate a transaction, and the bank sends a text message to the victim that includes a one-time password for verification.
Step 1: Caller Establishes Credibility
The caller would use data collected by malware to gain credibility. For example, the caller will ask “Are you John Smith, living at their address, with credit card number ending in 2345?”
Step 2: Caller Collects Missing Data
Once the caller has established credibility, they will go on to collect:
a) The one-time password sent by their bank as a text message – for example “We have just sent you a one-time password so we can make sure you are John Smith, can you please read it for me?”
b) Collect any other additional authentication information, for example “For verification, can you please give me the last four digits of your SSN?”
c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information, for example “We need to calibrate your transaction signing reader so could you please enter the following details online and then tell us what happens.”
According to Trusteer “While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavor to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organizations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realize.”
Trusteer offers the following advice:
- Make sure to use up-to-date anti-malware solutions, especially any recommended by your bank, to prevent data theft in the first instance.
- Treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer.
- Use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.
The Identity Theft Council contributes to the FCC’s Small Biz Cyber Planner, launched today
The FCC is launching the Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans. This is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The online tool is available at www.fcc.gov/cyberplanner.
By almost any measure small businesses have an outsized impact on our economy, and it is critically important that small businesses, a vibrant engine for job and idea creation, are secure using the many broadband-enabled tools they need to efficiently run their businesses. According to a survey released in October, 2011 by Symantec and the National Cyber Security Alliance (NCSA), two-thirds of U.S. small businesses rely on broadband Internet for their day-to-day operations.
However, the Symantec survey also found that 85 percent of small businesses think their companies are cyber-secure, but barely half of these businesses actually have a cybersecurity strategy or plan in place and nearly 80 percent say they lack a written Internet security policy. With larger companies increasing their online defenses, small businesses are now the low hanging fruit for cyber criminals and many may have a false sense of security.
The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber-threats. Even a business with one computer or one credit card terminal can benefit from this important guidance. The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide. Then a customized PDF is created that will serve as a cybersecurity strategy template for a small business.
This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at http://www.fcc.gov/cyberforsmallbiz.
Also this month, Hewlett Packard is distributing the FCC’s cybersecurity tip sheet through its HP.com Security Center, its small business newsletter, and via the HP Support Assistant, an application pre-installed on most HP PCs. This distribution by Hewlett Packard will reach millions of small business owners.
The stakes are high so we all must heed the “Stop. Think. Connect.” message of the national cybersecurity awareness campaign. With government and the private sector working together we can overcome our cybersecurity challenges and help ensure that U.S. small businesses become an even more powerful engine of economic growth and job creation.

