Sunday, October 07, 2007

The somewhat slow response to the hacking of California.gov

With all the technology that California is famous for, you would think their government websites were state of the art when it comes to security.

Apparently, this is NOT the case. The result has been a lot of misdirection to sites of a pornographic nature.

Alex Eckelberry, CEO of Sunbelt Software, has been blogging on this subject:

Yesterday, we reported on a federal shutdown of “ca.gov” sites to fix a hack.

Well, we have a little more information on this. It was the Marin County government website that started all of this — something we reported back on September 12th.
Does anyone besides me wonder if there wasn't much of a sense of urgency on this issue?

Bezhou Feng at Neowin.net reported that:

The shutdown, initiated by the General Services Administration (GSA), a US agency in charge of all top-level ".gov" domains, began at roughly 4:00PM (PST), quickly turning into such a problem that Gov. Arnold Schwarzenegger even considered calling the President himself.

While the porn aspect is either amusing, or disgusting (depending on your viewpoint) -- this clearly shows that .gov sites should wake up and listen when experts are trying to tell them something is wrong.

After all, this type of activity could have been something far more serious than something that is disgusting, or amusing!

Of note, as of this writing, I ran a search on Google and the Marin site (TAM) is still misdirecting users to a number of pretty nasty porn sites.

As I've written before -- exercise extreme caution when clicking on porn sites, they often make your computer come down with a virus (or worse) -- especially if "safe surfing practices" aren't being used.

Sunbelt blog post, here.

Neowin.net story, here.

Update 10/09/07: Alex Eckelberry (Sunbelt), who has covered this problem for over a month did (what I consider) an amusing post to follow-up on this one, here.

Alex and his team at Sunbelt are my favorite place to learn about computer security issues. They routinely help a lot of people free-of-charge and are experts in what they do.

Saturday, October 06, 2007

MyTruston -- where you can see if someone is stealing your identity for free!

You won't get a million dollar guarantee and Tom Fragala's social security number if you decide to use myTruston identity theft prevention/recovery services. You also aren't going to get the paid endorsements for his product by Fred Thompson, Rush Limbaugh, Sean Hannity, or Howard Stern.

Tom, who is the CEO/Founder of MyTruston, doesn't believe in buying endorsements, paying bloggers, or doing massive advertising campaigns to promote his service.

He trusts that once a prudent consumer looks at his product and the value it provides, the service sells itself.

Tom was an identity theft victim himself and has spent thousands of hours advocating for other victims. Many of the basic principles behind myTruston were based on both of these personal experiences.

What you get with myTruston is "peace of mind": while you protect yourself from identity theft, your information isn't being exposed in yet another place where it might be compromised.

Preventing identity theft using myTruston is, and always has been, free; you only pay for the recovery services, if and when you need them.

Most identity theft services require that you provide them with all of your personal information, and in some instances, even your power of attorney.

With myTruston you can protect your identity, and if need be, recover from identity theft without giving up your information to a third-party.

With call centers being outsourced -- the possibility of insider theft, and hacking techniques that seem to routinely defeat current security technology -- this might be something to think about when protecting your identity and financial well-being.

All identity theft services bundle up things that a consumer could theoretically do for free on their own. It's a low overhead and immensely profitable business. The trick to it is making sure you do everything properly, and this is where a third-party service can add value.

The unique twist with Truston is that it's free to prevent identity theft and you only pay to recover from it. In other words, you don't pay for something that might never happen to you, which seems to be a common denominator with a lot of the services out there.

Many of the services out there charge $10.00 and up a month to protect you, which is free at myTruston. Many of them (also) do not cover you if you were compromised before you paid for their services (read the fine-print).

What Truston provides is an easy do-it-yourself (DIY) platform that makes it easy for the average person to ensure they are not being compromised, and take effective action if they have been.

Truston recently announced they were upgrading their service and lowering the cost of their paid (recovery) service. The paid portion of the service only needs to be used as long as the customer feels it is necessary.

Here is a portion of the announcement from their blog:

This week we released a new version of our award-winning myTruston service. The new features are FREE to current members for a 45-day free trial period. These four new prevention and privacy services are:

1. Credit bureau fraud alerts
2. Chexsystems fraud alerts
3. Stop pre-approved credit offers
4. Stop telemarketing calls

We updated our product names: we now have myTruston Free and myTruston Plus. myTruston Free has the same features since we first launched (inspecting your credit reports year round). myTruston Plus includes what you get with Free, the four new prevention/privacy features, and our ID theft recovery tools. Also, the price for the Plus service is reduced 50% to just $10 a month!

What I like about these new features is they begin to address the growing problem of synthetic identity theft. Synthetic identity theft occurs when different parts of people's identity are crafted to form another one. This is getting to be a big problem, which is expected to get worse.

In the near future, employers will have to take action when they have employees, who have social security numbers that don't match their names. In the past, this was never enforced, and social security numbers could be made up (literally).

With this new development, up to 20 million illegal immigrants are going to have to use social security numbers that match an identity. This could lead to an explosion in the already staggering amount of identity theft that is occurring.

Watching your identity carefully is probably a better idea than ever before.

The Chexsystems alerts are a part of this new effort. Fraudulent checks that tie into identity assumptions do not always show up on credit reports.

In case you missed the Certegy data breach, where 8.5 million people's checking account information was compromised, this might be something that will help a few people out there. Please note this compromise was accomplished by a not very honest insider, therefore no amount of computer security could have stopped it.

Two other enhancements are the ability to put yourself on the no-call lists and stop all those pre-approved credit offers. Most privacy experts recommend we do this to avoid having our information sent all over the place.

Tom, whom I speak to on a semi-regular basis, has indicated that he and his team are working on even more enhancements to provide more value to his service in the future.

They are also working with industry partners to bundle their services and provide them as an option to a wider audience, who might want to take a more private approach to preventing, or recovering from, identity theft.

I would highly recommend getting in touch with Truston if you are providing these services to your employees, or perhaps considering providing them to your customers.

Victims of identity theft are sometimes cautious about giving up their information after they've been victimized. MyTruston provides a viable solution for these customers, as well as customers who are careful about protecting their privacy.

For the full announcement, which includes a free trial period for current customers on the paid services (you don't have to provide a credit card number, then remember to cancel), link here.

I've noticed this is another neat marketing trick (requiring a credit card) employed by a lot of entities offering services for free lately. I suspect they count on busy and forgetful people like me, who forget to cancel the service.

PS: I got to know Tom from his blog and work as an advocate for identity theft victims. If you are interested in identity theft or privacy issues, I highly recommend you consider it as another free resource he provides.

Friday, October 05, 2007

Retailers call for a level playing field on data security

The data breach at TJX, which compromised approximately 45 million people has spawned a looming battle between retailers and the financial industry. At stake is who will bear the future costs of data breaches, which are becoming more expensive than ever before.

Thus far, we've seen legislation introduced to hold retailers responsible and calls for PCI data security standards. Legislation has been passed in Minnesota and is awaiting Governor Schwarzenegger's signature in California.

In any disagreement, there are two sides to a story -- and now the National Retail Federation (NRF) is bringing up what I consider is a valid point -- which is if they weren't required to store all this information, it would be harder to steal.

Under current rules, they are required to maintain too much information for 18 months, or face what are known as chargebacks.

Chargebacks are when a customer requests a refund from their card issuer, normally because of fraud. Please note that some dishonest customers claim fraud, when it never occurred. Additionally, the payment card industry sets the due diligence standards when accepting their cards and actively promotes their use.

The bottom line is -- merchants can accept payments, follow all the rules, and if they can't provide the required information -- they get charged for it, anyway.

With all the fraud that results from payment cards, this could get pretty expensive for a retailer, if they fail to control it.

Having said all this, we need to consider the bigger picture, which is that the best way to protect data is to limit how many places it is being stored. This principle should be considered in a lot of other places besides retailers, also.

Mark Jewell of the AP is reporting:

The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers' card numbers for up to 18 months.

The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it.

"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the retail federation's chief information officer, said in a strongly worded letter.

In the article, Mr. Hogan brings up the very reason that retailers have been holding on to what some consider, too much information:

Hogan said in an interview that retailers routinely hold onto information because credit card companies ask them to produce data from transactions as old as 18 months to verify product returns and protect against fraud. If retailers can't produce data showing the product was legitimately purchased, they can end up reimbursing banks and card companies, Hogan said.

Only 44 percent of large retailers are now PCI compliant. This month, the larger retailers' banks will start facing fines for failing to become compliant. Banks that service medium size retailers will start facing fines in January.

This doesn't even take into account smaller merchants, who often are victimized the most by fraud and chargebacks.

In case you don't understand how chargebacks can be a burden to a merchant, I've included a YouTube video at the bottom of this post, where a small merchant rants about chargebacks from PayPal.

The frustration expressed in this video is the same one felt by a lot of merchants (retailers).

The basic issue in all this is who will end up paying for it. Since no business remains solvent if they are losing money, the costs are going to end up being passed on to the consumer.

As far as the NRF's point goes, I think it is entirely valid. If retailers didn't have to store all this data, it would be one less place where criminals could access it.

After all, while data breaches at retailers have gotten a lot of attention recently, they are not the only place they are occurring.

If you are interested in seeing what I mean by this, the Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all try to keep track of as many of them as they can.

All of them will tell you that their efforts only document the known breaches. There are probably many more that no one knows about -- and the last I heard -- the criminals behind them keep this a closely guarded secret.

After all, disclosure of a data breach impacts their bottom lines, also.

My personal solution is for everyone to get together and go after the real people behind this problem, or the criminals. Everyone would benefit from this!

My guess is they (the criminals) couldn't care less who ends up paying for all the damage they are causing.

AP story, here.

National Retail Federation (NRF) press release, here.

Here is the YouTube video (mentioned above), which reflects a small merchant's frustrations with the chargeback process. Please note that smaller merchants are bound to have a stake in what becomes of this controversy, also.

(YouTube video courtesy of Terry)

Thursday, October 04, 2007

How was Mayor Bloomberg's BofA account jacked?

Here is a clear case that shows just about anyone can have their financial identity compromised. In this case, the victim is none other than the mayor of New York City, Michael R. Bloomberg.

This story is getting a lot of coverage, but no one is saying (if they know) how Mayor Bloomberg's financial information was compromised.

The New York Times (Sewell Chan) reported:

One man, Odalis Bostic, was indicted for trying to steal $420,000 from the mayor. According to prosecutors, Mr. Bostic created the Laderman Development Company in Elizabeth, N.J., and set up accounts in the company’s name at two banks, PNC and Sovereign Bank.

In early June, Mr. Bostic deposited a $190,000 forged check into the Sovereign account and a $230,000 forged check into PNC account, according to prosecutors. Both of the forged checks were drawn on Mr. Bloomberg’s personal account at the Bank of America and were issued in the name of the mayor’s financial manager, Geller & Company.

Mr. Bostic was probably hoping the bank would release the funds, at which time he would have drained the accounts.

During the course of the investigation another fraud was discovered, where Mayor Bloomberg was the victim:

A second man, Charles Nelson, has been charged with stealing $10,000 from one of the mayor’s financial accounts on May 11. In an online transaction, Mr. Nelson transferred $10,000 from the mayor’s Bank of America account to an E*Trade account the defendant had set up, prosecutors said. They said he later used a debit card for cash advances and to make purchases from the E*Trade account.

The next question is how did Charles Nelson get Mayor Bloomberg's logon credentials to his Bank of America account? Getting a copy of a check and counterfeiting it is one thing, but online transactions normally require a logon ID and password.

I checked the press release from the Manhattan DA and it doesn't disclose how this happened, either.

None of the stories indicate that Bostic and Nelson knew each other. In fact, Robert Morgenthau, the DA, was quoted in the NY Times story as saying the two cases were unrelated. The DA's press release doesn't state whether they knew each other or not.

Mr. Nelson was arrested in New Jersey and is being charged with grand larceny and identity theft.

There are a lot of ways an account can be compromised (jacked). Phishing, where account owners are tricked into giving up their details, and data breaches both happen at an alarming rate these days. The sad thing is that there is so much of this going on, it's pretty hard to determine the original point-of-compromise.

Another sad thing is that, according to most statistics, over 99 percent of the criminals doing this are never brought to justice. In fact, most of the time, a victim can do little more than file a report, which never gets investigated.

This story is a testament to making sure you review your accounts on a regular basis. As long as unauthorized withdrawals are reported in a timely fashion, the owner of the account normally can't be held liable.

New York Times story, here.

Manhattan DA press release on this, here.

Tuesday, October 02, 2007

International task force led by U.S. Postal Inspectors stops $2.1 billion in counterfeit checks bound for the United States

(Picture courtesy of FakeChecks.org)

On September 7th, I did a post based on a story that circulated out of Nigeria about an international investigation that might lead to arrests worldwide.

Apparently, it did and the U.S. Postal Inspection Service is now giving more details, including some arrest statistics.

Please note that a lot of other agencies were involved in this, including the Nigerian Economic and Financial Crimes Commission and the United Kingdom Serious Organised Crime Agency.

From the press release:

Investigators led by the U.S. Postal Inspection Service have arrested 77 people as part of a global fraud crackdown which has since January intercepted more than $2.1 billion in counterfeit checks bound for the United States.

The eight-month investigation involved schemes in Nigeria, the Netherlands, England and Canada, and has stopped more than half a million fake checks from being mailed to American victims.

At a press conference at the National Press Club, Postmaster General John Potter announced a consumer-awareness campaign to educate the American public. International scammers have found U.S. consumers easy prey and are increasingly targeting them, Potter said.

“All fake check scams have the same common pattern: Scammers contact victims online or through the mail and send them checks or money orders. They then ask that some portion of the money be wired back to them,” said Potter.

“The best thing our citizens can do to protect themselves is learn how to avoid these scams. The old adage still holds true: If someone offers you a deal that sounds too good to be true, it probably is.”

The press release launches a new awareness campaign, which includes a website run by the National Consumers League (NCL) to protect people from this billion dollar problem.

Consumers can learn more and report fraudulent activity at the Alliance website, FakeChecks.org.

If consumers believe they have been defrauded by a scam, the Postal Inspection Service wants to hear from them. These crimes can be reported by calling 1-800-372-8347.

I've spent a little time taking a look at the site. The information on it is easy to understand, highly visual and is a definite asset in protecting the average person from becoming the victim of an Internet scam.

In fact, I liked it so much, I've put it on my links list.

The entire press release, which contains a lot of helpful information, can be viewed, here.

I recently did a pretty detailed post on how to verify if these items coming in the mail are fake, here.