November 07, 2011
International Fraud Awareness Week is here
According to the Association of Certified Fraud Examiners (ACFE), organizations worldwide lose roughly 5 percent of annual revenues to fraud. That's huge. A theme that we return to again and again in Portals and Rails is the fact that technology is making our lives—including the ways we transact consumer payments—more efficient and secure. But these new technologies also offer fraudsters new and sometimes better ways to perpetrate crime.
In an effort to promote fraud awareness and education, starting November 7, the ACFE is sponsoring International Fraud Awareness Week, a "time dedicated to fraud awareness, detection, and prevention." So in keeping with this theme, we are using this space to refocus on some of the issues around payments fraud in the United States.
U.S. payments fraud is on the rise but hard to measure
Unlike other countries, the United States does not have a single, uniform repository for collecting fraud loss data. Industry analysts primarily base their concerns about the industry on anecdotes from law enforcement, financial intelligence agencies, and regulators. In addition, recent media accounts of check fraud, corporate account takeovers, payment card breaches, card payment terminal skimming, and the like leave no doubt that in the retail payments arena, the problem of fraud is universal and growing.
Also validating the growing concern are proxies such as fraud surveys from organizations like the American Bankers Association (ABA), which measures deposit account fraud in banks, and the Association for Financial Professionals, which works with corporations to measure their fraud loss experience. However, more information may be needed as payment systems grow more complex, provide new alternative solutions and access new electronic channels.
Internal fraud is growing globally
The global economic downturn has led to an increased incidence of payments fraud. Sometimes financially distressed employees—rationalizing their behavior in light of dire circumstances—commit frauds within a business, effectively stealing from their employers. For example, employees in financial institutions who have access to large amounts of customer data may use their insider access to commit fraud. In one of our podcasts, an expert noted that internal fraud is growing more common—and complex—as criminal rings increasingly place their people within legitimate organizations, where they can then steal data. Once they have the data, they can use it to commit a variety of frauds, including identity theft and payment crimes, such as card counterfeiting and counterfeit checks, to name just a few.
Fraud awareness week highlights old-school solutions
The International Fraud Week web page highlights resources for fraud prevention and education that businesses and consumers can tailor to their own particular needs. For example, the site offers a link to a Fraud Prevention Check-Up, which provides a framework for businesses to assess their risk and evaluate the strength of their fraud mitigation environment. Another anti-fraud resource is a presentation with tips to help organizations prevent and detect fraud.
To that same end, Portals and Rails in an earlier blog offered a recommendation for businesses to be proactive by adopting relatively simple control processes. For example, basic checklists like the one that follows can help organizations comply with ACH rules and regulations, avoid human error, and reduce fraud.
International Fraud Awareness Week activities
To help raise awareness around fraud, the ACFE recommends that businesses participate year round in its blog and in other social media initiatives, such as forums for dialoguing and sharing ideas on fraud detection and mitigation. It also suggests that organizations spread the word to colleagues and clients about International Fraud Awareness Week and the resources available to promote strong fraud risk management program development.
One thing we know for certain, and can't say enough, is that our payment systems are growing more and more complex, in terms both of sophisticated technologies and of multiple new nonbank service partners entering the mix. With this constant change and development, the payment distribution chain will undoubtedly contain more points of potential vulnerability to risk and fraud. Taking basic preventive measures and increasing industry awareness through the activities and resources highlighted during International Fraud Awareness Week can go a long way to combating payment-related risks and fraud.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
November 7, 2011 in crime, fraud, identity theft, payments risk, payments systems
June 20, 2011
Is a national data breach notification law on the horizon?
Extensive privacy regulations exist that provide a framework for promoting identity theft prevention, data security, use of data limitations, requirements for data destruction, notice, user content, and accountability. Some of these laws are the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Gramm-Leach-Bliley Act, among others. Each of these financial privacy laws has been amended several times since its enactment, but none has standardized data breach notification rules.
On the state level, some legislatures have tackled data breaches by stepping up privacy and encryption requirements for organizations that handle credit and debit card data. According to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed laws that require some form of notification when security breaches involving personal information occur. Most of the state laws have common themes, yet several differences exist among them, making it difficult, costly, and burdensome to develop a consistent and effective security incident response plan.
A push for national data breach laws
In 2009, there were two federal data security laws pending that cleared the U.S. Senate Judiciary Committee. One even cleared the U.S. House of Representatives. However, neither became law. One was the Personal Data Privacy and Security Act of 2009 (Data Privacy Act), and the other was the Data Breach Notification Act. The Data Privacy Act sought to mitigate identity theft, ensure privacy, and require that breached individuals be notified. The Data Breach Notification Act also imposed notification requirements but provided a safe harbor whereby organizations were not required to report the breach if a risk assessment determined the incident would not harm consumers.
Other efforts were seen when the Federal Trade Commission (FTC) and the U.S. Department of Commerce (DoC) both released reports within days of each other with recommendations for protecting consumer privacy online. The FTC's report came out on December 2, 2010, and the DoC's report came out on December 16. The DoC report focuses on national consistency surrounding security breach notification rules. The DoC recommends the implementation of a "[f]ederal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities."
Seeking exemption from the FTC and DoC recommendations
Not everyone is on board with the DoC and FTC recommendations. On January 31, 2011, the Securities Industry and Financial Markets Association (SIFMA), a consortium of financial firms, sent a letter to the FTC and DoC asking that their recommendations on privacy exclude industries—including the financial services industry—already subject to sector-specific regulations. SIFMA's letter expressed the view that existing national privacy laws like the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Electronic Communications Privacy Act are sufficiently addressing the management of consumers' personal data.
SIFMA did express support of the introduction of a uniform national breach notification law that would preempt state laws, but only by requiring that consumers be notified of a breach when there is a significant risk of identity theft. SIFMA pointed out that "requiring notification if there is no significant risk of identity theft could have the unanticipated effect of overwhelming consumers with notices that might cause confusion and likely desensitize them to future notices."
Finding common ground
The deadline for comments to the FTC report closed February 18, 2011. Both the FTC and DoC are expected to issue final reports and guidance this year. The coincident timing of the FTC's and DoC's reports seems to have renewed focus on online privacy and what best practices should be used to address perceived shortcomings.
Perhaps the FTC and DoC recommendations can shed some light on whether the need for a national data breach notification law is warranted or whether the existing national and state-level laws sufficiently address the management of consumers' personal data. For now, it appears that most industry watchdogs believe that consumers and businesses alike could benefit from a national standard for security breach obligations, mainly because the differences in form and substance between states make it increasingly complicated to report data breaches to the public effectively, present undue costs to business, and burden efforts to streamline industry compliance.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
June 20, 2011 in consumer protection, cybercrime, identity theft, regulators
November 29, 2010
Prepaid in the mobile channel: Balancing financial inclusion and risk management
Payment services are coming to your mobile device—even though consumer adoption remains low in the United States, as do near-term prospects in light of reports about security concerns. Financial institutions, carriers, and others are experimenting with trial products and services to try to understand and respond to consumer demand for mobile services. Here in the U.S., the mobile device is emerging as an access device for legacy payment mechanisms like credit and debit cards or deposit account transfers. A viable payment mechanism for consumers to access via the mobile channel may be stored value, using the cell phone instead of a plastic card as the form factor. With the recent economic downturn, prepaid is emerging as an alternative to paper-based payments, allowing some consumers with limited access to credit to continue to participate in the electronic economy.
Some prepaid products carry potential risks because of the anonymity associated with them. The question we face is, how will we balance the potential risks of identity theft and money laundering as prepaid services shift to the mobile channel?
Recent growth in prepaid
Prepaid cards are growing in popularity, especially with the advent of reloadable, open-loop payroll cards that are branded by the major card networks and accepted at ATMs and merchants' points-of-sale. (Open-loop cards are those that consumers can redeem at different establishments. Closed-loop cards are those that the consumer can redeem at a specific establishment, which is also the issuing provider.) Since many carriers have offered prepaid airtime plans for years, the transition to a prepaid "mobile wallet" may be a seamless one. The mobile wallet is expected to operate the same way as a prepaid card, with monetary value loaded and stored on it. Because stored-value cards allow unbanked and underbanked consumers to participate in the electronic economy, their use is growing.
Growing population of underbanked consumers
Financially mainstream consumers in the U.S. already have a multitude of safe, secure, and reliable payment choices, so they have little incentive to use their cell phones to access those payments. But a growing segment of the population is underserved by mainstream financial services. ("Underserved" individuals are those who may have a checking or savings account but rely on alternative financial services such as nonbank money orders, check-cashing services, payday loans, or pawn shops.) The increase of the underserved is in part a reflection of the weak economy, high unemployment, and reduced access to credit for many consumers. The FDIC estimates that 7.7 percent of U.S. households are unbanked and an additional 17.9 percent are underbanked.
It might be useful to compare the U.S. unbanked market to those in other countries where mobile payments and banking initiatives are in various stages of deployment.
Emerging markets, such as sub-Saharan countries and India, with higher populations of consumers without access to traditional financial services are experiencing rapid adoption of mobile financial services. For example, the success of M-PESA, a mobile phone-based financial service offered by Kenya's Safaricom, has become a business model for other developing countries. In the three years since its inception, M-PESA's customer base has reached 9 million users.
Improving security and risk management of prepaid mobile
A number of improvements have been made in recent years in the way some prepaid cards—like payroll cards, for example—can be monitored. Open-loop cards that are branded by the major networks allow the owner to contact the issuing payment service provider if the payment card or device is lost or stolen. And many prepaid issuers will provide periodic statements detailing balances and fees. Still, concerns remain with gift cards and other closed-loop products that may not include the security features of the open-loop cards. In response to these concerns, FinCEN's proposed rulemaking should provide the industry with guidance on how to exercise oversight and control in prepaid transactions.
With respect to the mobile handset, technology is changing rapidly and the potential for improved security in the handset for authentication and identity credentialing looks promising. Given the ability for prepaid issuers to tighten the controls in card registration processes, the mobile device may be a more secure channel than today's card-based prepaid alternatives. In that case, we may see the prepaid services driving consumer confidence for more mobile-based financial services going forward.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
November 29, 2010 in identity theft, mobile payments, money laundering, prepaid
November 01, 2010
Beware of cybercrashers to your social network party
According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?
Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?
Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.
Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson, a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use such confidential information as someone's mother's maiden name—discovered from a social network site—to answer a challenge question and gain access to the person's account or personal financial data. Users of gateway data can also use these single pieces of information to trick the user into revealing even more sensitive information.
In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can lead perpetrators to steal users' identities.
Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter thefts of their identities, including becoming educated in the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.
A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
November 1, 2010 in cybercrime, identity theft, privacy, social networks
August 09, 2010
Shopping at the Fraud Mall: Fictional fantasy or harsh reality?
One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.
Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.
In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit who travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000, with the top-of-the-line offering belonging to a high-balance account holder with several electronic withdrawals and a home banking service with a bank that has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.
Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.
I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conficker, were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions were premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.
Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.
Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.
The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."
Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud, and protecting our assets, our people, and our reputations is going to take more time and effort than ever before.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk
July 12, 2010
The confluence of payments, social networks, and malware: Elements of a perfect storm?
Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?
More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.
Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.
Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user's personal data, facilitating identity theft and payment fraud.
Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.
Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks
July 06, 2010
Identity thieves still using low-tech tactics to get into your wallet
If you make it easy for people to steal from you, they will.
-Frank W. Abagnale
Identity theft continues to be a major problem in the United States and, in most instances, does not involve a complex operation. Although the risks with online financial transactions receive a lot of focus, recent surveys have shown that identity thieves perpetrate their crimes using more traditional methods of access like stealing wallets or purses. In addition, too many victims are unfortunately serving as unwitting accomplices by giving personal information to the criminals over the phone.
According to Javelin's 2009 Identity Fraud Survey Report, the number of U.S. identity fraud victims increased 22 percent in 2008 to 9.9 million adults. Among the reasons cited for this upsurge in incidents are the economic downturn, the secondary market for financial information, and the availability of fraud toolkits online.
Although how-to guides on defrauding consumers are readily available on the Internet, identity thieves are taking a decidedly low-tech approach. Javelin also reported that of the 35 percent of identity theft victims surveyed who knew how their information was accessed, only 11 percent had their information stolen by an online hacker. In fact, 43 percent of identity theft was perpetrated via a lost or stolen wallet, checkbook, or credit card.
Convicted fraudster able to steal identities from behind bars
A recent FBI case involving a massive, two-year identity theft and bribery scheme provides an example of how fairly unsophisticated tactics are used to perpetrate fraud. The already-convicted fraudster who orchestrated the crime received a 309-year prison sentence, which is reportedly the fourth-longest in the history of white collar crime in the United States.
According to the FBI press release, the crime started in a Louisiana prison, where the perpetrator was serving time for a previous fraud conviction. A joint FBI-Department of Justice (DOJ) investigation revealed that he used the personal and financial information (such as dates of birth, Social Security numbers, and bank account numbers) of 61 individuals, churches, financial institutions, and businesses to attempt to steal more than $20 million. How was a prisoner able to get this information? Good question. Apparently, as the saying goes, he did it with the help of his friends (or co-conspirators) and a few phone calls.
One typical ruse involved the perpetrator calling a bank and pretending to be an elderly stroke victim who had been hospitalized. He would claim that he did not have his checkbook and needed access to his account. Most banks did not fall for it, but some did. He also called individual victims directly sometimes, saying he was a state trooper who needed to verify personal details after an identity theft arrest.
The perpetrator had several accomplices in the operation, including a corrections officer whom he bribed with $10,000 to use his cell phone when prison officials put him on lockdown. Through the collaborative efforts of federal, local, and state law enforcement agencies, the perpetrator and at least eight co-conspirators were charged in the investigation.
Common sense precautions key to avoid becoming a victim
The FBI case is a compelling reminder for people to be "crime smart" by not sharing personal information over the phone unless they can verify the identity of the caller. However, phone sense is just one of many ways that businesses and individuals must be vigilant in protecting themselves against becoming victims of identity theft. The DOJ has used the acronym "SCAM" to encapsulate four steps to reduce or minimize this risk. First, be stingy about giving personal information to others unless there is a reason to trust them. Second, check financial information regularly to monitor for unauthorized transactions. Third, ask periodically for a copy of your credit report to determine whether someone has wrongfully opened accounts in your name. Fourth, maintain careful records of banking and financial accounts in case you need to dispute a transaction.
It is possible to follow these steps and still become an identity theft victim. However, an added benefit of taking these proactive measures is that victims are typically faster at detecting fraud against themselves than are entities such as law enforcement, lenders, and creditors. In fact, Javelin's 2009 identity theft report found that the detection time of fraud through police or law enforcement was 264 days compared to eight days when the victims were monitoring their accounts electronically (that is, via the Internet or ATM). Ultimately, customers who actively monitor their accounts not only reduce the risk of fraud but also minimize their losses if they are victimized.
By Jennifer Grier, senior payments risk analyst in the Atlanta Fed's Retail Payments Risk Forum
July 6, 2010 in fraud, identity theft
November 23, 2009
Banks run more than just security risk with single-factor authentication
As described in a previous Portals and Rails post, various reports have indicated that business customers' online banking credentials are being compromised and the fraudsters are performing unauthorized EFT transactions using either the ACH or wire transfers to move money out of these accounts.
This recent phenomenon could be seen as part of a larger issue for security on the Web, prompting some to consider whether online banking security standards are adequate.
While a lot has been written on how this fraud happens, not much has focused on what happens next. The criminal side of this is fairly cut and dried. Law enforcement tries to track down the fraudsters and bring them to justice. If the FBI, Secret Service, or other agencies are able to track them down and apprehend them, and a conviction is obtained, the fraudsters spend some time in jail. The civil side of this is a little more complicated.
One civil case that has gotten some recent attention is the Shames-Yeakel case filed in federal court in Illinois. Marsha and Michael Shames-Yeakel had $26,500 stolen when an unknown person gained online access to the Shames-Yeakels' bank accounts by using Ms. Shames-Yeakel's username and password. The thief manipulated a line of credit and subsequently wired the funds out of the Shames-Yeakels' business account to Hawaii and then off to a bank in Austria. While there is probably a good joke about yodeling while playing the ukulele buried in all of this, the Shames-Yeakels are not laughing. In fact, the hills are alive with litigation.
The plaintiffs first turned to their bank, which indicated that under the bank's online banking agreement, the plaintiffs were responsible for the lost funds. They next turned to the Office of Thrift Supervision (OTS), the bank's primary regulator, seeking protections under Regulation E and Regulation Z. The OTS found that these regulations did not apply as they were applicable to consumer loans and lines of credit.
Ultimately, the Shames-Yeakels sued their bank. The legal viability of their claims was considered by the Court in its Aug. 21, 2009, ruling on the bank's motion for summary judgment.
While the court's opinion addressed a number of legal claims, it is the court's ruling on the plaintiffs' negligence claim that bankers should pay close attention to. The basis of this claim is that the bank and its third-party Internet banking service provider did not follow the Federal Financial Institutions Examination Council's (FFIEC) updated 2005 guidance on authentication in an Internet banking environment. At the time of the incident, the bank had user name and password access to its online banking system. The FFIEC's guidance does not require banks to use dual-factor or multi-factor authentication for these accounts, but it does state that the federal regulatory agencies consider single-factor authentication, like user name and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In essence, while the facts must still be weighed by a jury, the court declined to dismiss a negligence claim that the bank had breached a duty under Indiana law to protect the confidential information of its customers by failing to implement more robust security systems. The court stated: "In light of [the bank's] apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."
Another case to keep an eye on was filed in Maine this past September. The case involves a Maine-based construction company, Patco, which is suing its bank for $588,000, the same amount of money that was stolen from Patco's account over the course of an eight-day period in May. Similar to the Shames-Yeakel case, Patco is claiming that the bank failed to provide commercially reasonable protection because only a single-factor authentication system for its online banking system was in place. While no action has been taken as of yet, it will be interesting to see if the state court in Maine agrees with the U.S. District Court in Illinois, allowing this negligence claim to move forward.
By guest blogger Michael T. Stewart, assistant vice president at the Boston Fed
November 23, 2009 in ACH, fraud, identity theft
July 13, 2009
Consumer complaints may be “canary in a coal mine” for payments risk
For many years in the coal mining industry, a caged canary would be brought into the mines to detect whether toxic gases were present. The canary served as an early warning system of potential danger for the miners. Similarly, consumer complaints data could serve as a harbinger of potential risks in payments for law enforcement and other industry professionals.
Several regulatory agencies receive fraud-related complaints from consumers, including those involving financial institutions. Some of the consumer complaint databases are shared among agencies to help better facilitate fraud investigations and to track trends and developments in consumer fraud activity.
One example is the Federal Trade Commission’s (FTC) Consumer Sentinel Network (Sentinel), a secure online database of consumer complaints that is only available to law enforcement. In addition to storing FTC complaints, the Sentinel also includes complaints filed with more than 100 different U.S. and Canadian federal, state, and nongovernmental organizations. Among the leading partners and data contributors are the Internet Crime Complaint Center, Better Business Bureaus, Canada’s Phone Busters, the U.S. Postal Inspection Service, the Identity Theft Assistance Center, and the National Fraud Information Center.
Established in 1997 to collect fraud and identity theft complaints, the Sentinel database was expanded in 2008 to include complaints about credit reports, debt collection, mortgages, and lending, among other subjects. According to the 2008 Consumer Sentinel Network Data Book, the database has more than 7.2 million complaints.
FTC complaints provide insight into consumer fraud trends
The Sentinel received a total of 1.2 million complaints during calendar year 2008. Of the 30 complaint categories, identity theft ranked first with 26 percent of the overall complaints. Credit card fraud (20 percent) was the most common form of reported identity theft, the majority of which involved new accounts (12.3 percent). Another significant category of identity theft reported by consumers was bank fraud (11 percent). Although identity theft bank fraud, which includes fraud involving checking and savings accounts and electronic fund transfers, has declined since 2006, the most common type continues to be electronic fund transfers.
January 1 - December 31, 2008: Top 10 Consumer Sentinel Network Complaint Categories

| Rank | Category | # Complaints | Percentages |
|---|---|---|---|
| 1 | Identity Theft | 313,982 | 26% |
| 2 | Third Party and Creditor Debt Collection | 104,642 | 9% |
| 3 | Shop-at-Home and Catalog Sales | 52,615 | 4% |
| 4 | Internet Services | 52,102 | 4% |
| 5 | Foreign Money Offers and Counterfeit Check Scams | 38,505 | 3% |
| 6 | Credit Bureaus, Information Furnishers, and Report Users | 34,940 | 3% |
| 7 | Prizes, Sweepstakes, and Lotteries | 33,340 | 3% |
| 8 | Television and Electronic Media | 25,930 | 2% |
| 9 | Banks and Lenders | 22,890 | 2% |
| 10 | Telecom Equipment and Mobile Services | 22,387 | 2% |

Source: Federal Trade Commission
The data also give some indication of the preferred payment channel for consumer fraud. In 2008, for those fraud complaints where the consumer reported the method of payment, credit cards were the most common (35 percent), followed by wire transfer (24 percent), bank account debit (19 percent), and check (10 percent). The rankings have been consistent over the past two years, but credit cards have increased from 30 percent and 33 percent for 2006 and 2007, respectively.
Consumer complaint databases can be an important resource in detecting fraud issues
FTC Sentinel data give only a snapshot of the consumer fraud and risk issues occurring in the payments system. A consumer who has a problem involving an account held at a financial institution may file a complaint with the appropriate bank regulator. The Retail Payments Risk Forum is currently analyzing consumer complaints filed with the Federal Reserve Consumer Help over a four-year period to track whether there are trends that may indicate underlying payments risks. At the very least, the consumer complaints data may provide leading indicators of areas where we may need to focus our attention with research and/or education.
By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 13, 2009 in fraud, identity theft, law enforcement
June 22, 2009
Payments fraud no longer just a white collar crime
Definition: white collar crime - a crime committed by a person of respectability and high social status in the course of his occupation. — Edwin Sutherland, 1949
I recently ran across a news article that was a shocking reminder of the widening criminal network involved in payments fraud. On May 13, the district attorney in San Diego announced the arrest of 60 people on felony charges in connection with an elaborate bank fraud scheme. It was the culmination of a 10-month-long investigation of a $500,000 check cashing scam at Navy Federal Credit Union. Not an unusual story until I read who masterminded the scheme—a San Diego street gang.
According to the press release, this was the first time a violent street gang was targeted for its involvement in complex bank fraud in California. The gang members worked in cooperation with existing account holders to deposit counterfeit checks into their accounts and then withdraw the cash before the credit union could determine the check was fraudulent. In return, the account holder would receive a commission of up to several hundred dollars on checks ranging from several thousand to tens of thousands. The District Attorney concluded that the size, scope, and sophistication of the operation indicated that the criminal street gangs in San Diego are expanding their criminal enterprise into white collar crime.
A similar case of check fraud and gang activity occurred in Phoenix last year. "Operation Blank Check" was a year-long investigation that uncovered a check fraud scheme totaling nearly $3 million. Postal inspectors initially contacted the Phoenix Police Gang Enforcement Unit about gang members being involved in mail theft and fraudulent schemes. Further investigation revealed that the suspects had been involved in violent gang activity and transitioned to white collar crime. A broad partnership of local, state and federal law enforcement agencies worked on the case and was able to arrest more than 100 individuals, 77 of whom were "hard core gang members" representing 22 local gangs.
There have also been several cases of identity theft involving street gangs in recent years. An April 2007 report by the President's Identity Theft Task Force noted that law enforcement agencies across the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups are formally organized and well-known to law enforcement because of their longstanding involvement in other major crimes, such as drug trafficking. Others may be more loosely organized but are able to connect and coordinate their activities through the internet.
The comparative ease of committing financial crimes has made it more appealing to street gangs as a way to support other criminal activities. The investigators in the Navy Federal case speculated that the gang members used the half-million dollars to help fund illegal gang activities and pay for a lavish lifestyle.
Multiagency collaboration key to combating fraud
The key to apprehending the defendants in this case was a coordinated operation involving the U.S. Secret Service, San Diego Regional Fraud Task Force, San Diego Police Department Gang Detectives, San Diego District Attorney Investigators, U.S. Postal Inspection Service, Naval Criminal Investigative Service, Navy Federal Credit Union, and the California attorney general's office.
Each agency played a significant role in the investigation that was initiated when the Naval Credit Union investigators noticed suspicious activity in 2005 and reported it to the Secret Service. For example, the San Diego Police gang detectives helped to identify and interview the suspects. The U.S. Postal Inspection Service helped locate suspects and investigate the counterfeit checks. The San Diego Regional Fraud Task Force, district attorney's office, and attorney general's office became involved due to their experience handling complex fraud investigations.
This case is just one example of the importance of cooperation between local, state, and federal law enforcement in effectively combating payments fraud. By forming interagency task forces that allow for expertise and intelligence sharing, law enforcement can be in a better position to prosecute and, hopefully, deter fraudsters.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
June 22, 2009 in checks, fraud, identity theft, risk
Comments
Posted by: Benjamin Wright | July 06, 2009 at 11:02 AM
Watch this trend: Electronic records like e-mail and text messages are revolutionizing white collar investigations. http://legal-beagle.typepad.com/wrights_legal_beagle/2009/07/edd-analytics-and-interpretation-tools.html --Ben