MasterCard, Visa Report Data Breach of Card Processor
VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.
In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.
More from Krebs
Microsoft Founder Paul Allen Victim of Identity Theft
Microsoft co-founder Paul Allen has become the victim of identity theft, with an AWOL U.S. soldier in Pittsburgh charged with changing the address on a Seattle bank account owned by Allen and attempting to redirect funds to a personal account.
Brandon Lee Price allegedly changed the address on a Citibank account owned by Allen from Seattle to Pittsburgh, and then had a debit card sent to his home in Pittsburgh. According to a report by the AP, Price attempted to wire $15,000 to the new account and to make a $658.81 payment on an Armed Forces Bank loan. He then allegedly attempted to make purchases at a GameStop and Family Dollar store.
One of the stupider headlines or memes around this news is that if a billionaire's identity isn't safe, then how can anyone elses be? There is nothing about a billionaire that makes his or her identity any more protected than anyone elses. If you think there is than by all means name it. Just being rich doesn't inherently give you protections against ID theft.
Debit card fraud up, while check fraud declines
No surprise here. The use of debt cards are way up, so of course fraud increased. The opposite is true for paper checks.
During a year that saw a record rise in financial crime reports, one scam that has plagued banks and consumers for decades is fading away: check fraud.
Reports of suspected counterfeiting, check fraud, and check kiting were among the financial crimes that saw declines during 2011, dropping 7.5 percent from 2010.
The drop in check fraud came as the Financial Crime Enforcement Network (FinCEN) had a record number of suspicious activity reports (SARs) in 2011 throughout the financial industry.
The number of check-related suspected crimes peaked in 2008, with banks sending 152,874 suspicious activity reports to FinCEN. From there, the cases are investigated by federal, state, or local authorities, depending on the amount of money involved in the crime.
Since 2008, the number of check-related crimes has dropped to 107,041.
The drop in check fraud numbers points to a trend many Americans are familiar with, the slow disappearance of checks.
The use of checks as a form of payment has been declining in recent years. Personal check use has dropped by 12 percent among consumers between 2008 and 2010, according to the American Bankers Association.
Meanwhile, the use of debit cards has increased, and with it, debit card-related crime.
From 2006 to 2009, the use of debit cards as a form of payment rose 14 percent among Americans, while debit card crimes rose 41 percent, according to data from the Federal Reserve and FinCEN.
Children 51 times more likely to be ID theft victim
Why are kids so vulnerable? Because they have unused, unblemished credit profiles. Richard Power, Distinguished Fellow, Carnegie Mellon CyLab, recently published the first ever child identity theft report based on identity protection scans of over 40,000 U.S. children. It is extremely alarming that 10.2% of the children in the report had someone else using their Social Security numbers. That figure is 51 times higher than the rate for adults of the same population.
Most people can't imagine a child's identity would be valuable. That comes from a lack of understanding of how the credit system works in the US.
Because children have untouched and unblemished credit records, they are highly attractive targets. More importantly, their credit reports are usually never looked at for years and years, so the thief can get away with the crime for longer. Child identity theft is profitable, hard to detect and a nightmare to recover. Thieves steal a child’s identity early on, nurture it until they have a solid credit score, and then abuse and discard it. If it’s not discovered in time, fraudulent use of your child’s identity could mean the loss of educational and job opportunities and starting off adulthood at a serious disadvantage with someone else’s bad credit in her name. All an identity thief needs to ruin your child’s bright financial future is her name and Social Security Number.
Social media use leads to increase in identity theft
Big users of social networks and smartphones have a higher risk of ID theft.
About 12 million Americans got hit by identity fraud in 2011, a 13% increase from a year earlier, thanks to consumers' growing use of social-media websites and smartphones, plus a sharp jump in security breaches, according to a recent report from Javelin Strategy & Research.
"The new ways in which people can communicate with each other create new risks," says Joel Winston, chief privacy officer at ID Analytics, a consumer risk-management company.
Some 7% of smartphone owners became identity-fraud victims in 2011, the Javelin survey of 5,000 consumers found. Smartphone users are about one-third more likely to fall prey to identity fraud than the general public, the report found.
Why? Because smartphones are minicomputers that store vast quantities of personal information, yet many users don't protect their smartphones the way they do laptops and PCs.
Facebook pushes back against employers demanding passwords
Is it legal or even fair for prospective employers to request -- or in some cases demand -- your Facebook password?
Facebook, perhaps anxious to avoid public controversy as it prepares for a much-publicized initial public offering, is moving to squelch a widely reported practice of employers asking job applicants for their Facebook passwords.
“If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends,” Erin Egan, Facebook’s chief privacy officer, wrote in a March 23 note. “As a user, you shouldn’t be forced to share your private information and communications just to get a job.”
Egan also hinted at the legal repercussions: “If an employer sees on Facebook that someone is a member of a protected group [e.g., over a certain age, etc.], that employer may open themselves up to claims of discrimination if they don’t hire that person.”
Employers also may not “have the proper policies and training for reviewers to handle private information,” Egan added. “If they don’t—and actually, even if they do—the employer may assume liability for the protection of the information they have seen.” That information may also incur certain responsibilities, such as reporting the possible commission of a crime.
FTC report says credit bureaus upsell ID theft victims
A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.
The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.
The report comes as that new agency is about to take on regulation of the credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.
More from MSNBC
Armenian Mobsters Convicted in LA for Identity Theft
The convictions were announced by Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division, U.S. Attorney Andre Birotte Jr. of the Central District of California, Assistant Director in Charge of the FBI’s Los Angeles Field Office Steven Martinez and Special Agent in Charge of the U.S. Secret Service (USSS) Joseph Beaty.
Arman Sharopetrosian, Karen Markosian, Artush Margaryan and Kristine Ogandzhanyan were found guilty of conspiring to commit bank fraud, attempted bank fraud and various counts of aggravated identity theft. Sharopetrosian, Markosian and Ogandzhanyan waived a jury trial and consented to trial by the judge, and Margaryan proceeded with a jury trial.
Yesterday, U.S. District Judge David O. Carter found Ogandzhanyan, 28, of Burbank, Calif., guilty of one count of bank fraud conspiracy, two counts of attempted bank fraud and four counts of aggravated identity theft. On March 16, 2012, the judge found Sharopetrosian, 33, of Burbank, guilty of one count of bank fraud conspiracy, four counts of bank fraud and seven counts of aggravated identify theft. On March 16, 2012, the judge also found Markosian, 39, of Glendale, Calif., guilty of one count of bank fraud conspiracy, one count of attempted bank fraud and two counts of aggravated identity theft. A jury convicted the fourth defendant, Artush Margaryan, 28, of Van Nuys, Calif., on March 16, 2012, of one count of bank fraud conspiracy, one count of attempted bank fraud and three counts of aggravated identity theft.
Evidence was presented at trial that Sharopetrosian is a member of the Armenian Power organized crime group, and Margaryan, Markosian and Ogandzhanyan are Armenian Power associates.
According to evidence presented at trial, Sharopetrosian directed the massive fraud scheme along with co-defendant Angus Brown, while the two were incarcerated at Avenal State Prison. Using cellular telephones that were smuggled into the prison, Sharopetrosian and Brown worked from behind bars to coordinate with others, including Ogandzhanyn, Markosian and Margaryan, to obtain confidential bank profile information and steal money from victim account holders. Often targeting high-value bank accounts, the defendants used account holders’ personal identifying information – including names, Social Security numbers and dates of birth – to impersonate victims in phone calls to the bank. The defendants gathered account information, transferred funds between victims’ accounts and placed unauthorized check orders for the accounts. They then stole the checks, obtained the victims’ signatures from public documents and paid conspirators to cash the forged checks. Over the course of the six-year conspiracy, the defendants and their co-conspirators caused more than $10 million dollars in losses to victims in Southern California, Nevada, Arizona and Texas.
“These defendants, including two individuals who were operating from a prison cell, perpetrated a massive fraudulent scheme on behalf of a dangerous criminal enterprise,” said Assistant Attorney General Breuer. “As members and associates of Armenian Power, they stole sensitive personal and financial information from innocent consumers and caused millions of dollars in losses. Whether organized criminal groups traffic in drugs, commit financial fraud or wreak other havoc to keep themselves going, they must be stopped. We are doing everything possible to shut down dangerous gangs like Armenian Power.”
“The safety and sanctity of confidential financial information is paramount in today’s society,” said U.S. Attorney Birotte. “Identity theft is a fundamental invasion of consumer privacy that cannot be tolerated. These convictions demonstrate that violators, whoever and wherever they may be, will be caught and will be prosecuted to the fullest extent of the federal law.”
“The defendants were convicted in a trial that uncovered a sophisticated and lengthy scheme that targeted victims in multiple states, and included disturbing details, such as orders made from within prison walls and assistance from bank insiders enlisted by the defendants,” said FBI Assistant Director Martinez. “This case is also indicative of the growing trend of gang or organized crime-affiliated groups now engaging in identity theft and other financial crimes in furtherance of their enterprise.”
These defendants are four of 20 defendants who were charged with operating the bank fraud and identity theft scheme in one of a series of federal indictments unsealed on Feb. 16, 2011. The indictments allege various federal crimes against members and associates of the Armenian Power criminal organization. To date, 19 of the 20 defendants charged in the bank fraud indictment have been convicted, including Brown. One defendant, Faye Bell, was arrested earlier this year and is still awaiting trial.
Sharopetrosian, Margaryan, Markosian and Ogandzhanyan face maximum sentences of 30 years in federal prison for each count of bank fraud, 30 years for each count of conspiracy to commit bank fraud and additional mandatory two year sentences for each count of aggravated identity theft.
Sentencing for all four defendants is scheduled for Aug. 6, 2012, before Judge Carter.
The case is being prosecuted by Assistant U.S. Attorneys Martin Estrada and Joseph McNally of the Central District of California and Trial Attorney Cristina Moreno of the Organized Crime and Gang Section in the Justice Department’s Criminal Division. The case was investigated by the Eurasian Organized Crime Task Force, which includes the FBI, the USSS, the Los Angeles Police Department, the Glendale Police Department, the Burbank Police Department, the Internal Revenue Service and the U.S. Immigration and Customs Enforcement.
University of Tampa Data Breach
A breach at the University of Tampa may have exposed the sensitive information of thousands of students, faculty and staff members, including their names, identification numbers, social security numbers and birth dates, according to a press release posted to their the University's Web site over the weekend.
The information of approximately 6,800 students from fall semester 2011 was discovered online by students in a UT class who were searching online. A subsequent investigation turned up two more files containing roughly 30,000 more records from between January 2000 and July 2011.
More from ThreatPost
Unidentified hackers behind Stuxnet and Duqu still at work
The still-unidentified group of attackers behind Stuxnet and Duqu have drawn quite a bit of attention to themselves in the last couple of years with their creations. Researchers, law enforcement and some particularly angry governments all would like to have a long talk with the crew. But that attention apparently hasn't persuaded the group that it's time to tone down their pursuits, as evidenced by the fact that researchers have discovered a newly compiled driver for Duqu within the last couple of days.
One of the unique things about Duqu is that the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say that the number of known victims of Duqu is quite small, perhaps fewer than 50.
More from ThreatPost
NASA Data Breach Discovered by Hackers
Members of two hacker collectives, Team r00tw0rm and Team inj3ct0r, identified an SQL injection vulnerability on one of the subdomains owned by NASA and hosted on the domainnasa.gov. By leveraging the security hole, the hackers obtained a 6 gigabyte database, but refused to disclose the name of the flawed subdomain to give the agency time to patch it up.
A sample of the database reveals information such as usernames, email addresses, names, IDs, login dates, passwords, and other data.“Complete Database is in GB’s, well we aren’t leaking it. We may keep all parts in our private home! Yet only little bit dump or few columns data is released just to inform NASA that being National Aeronautics and Space Administration you must also keep your servers up to date!”the hackers said.
They claim they informed NASA a few days ago, but since the organization failed to respond, they leaked part of the database to attract the agency’s attention.
More from ITN
When to Consider Bankruptcy
Filing for bankruptcy is a process that many debtors turn to once they realize that they need help with a large debt load. Bankruptcy is a legal procedure that you can use to have your debt discharged right away. While there are some times that bankruptcy is not your best option, there are a few times where bankruptcy is definitely the best option to pursue. Read more...
Data breaches take months or years to be discovered
Over 90 percent of data breaches are the result of external attacks and almost 60 percent of organizations discovered them months or years later, Verizon said in a report released at the RSA security conference on Wednesday.
Called the Verizon 2011 Investigative Response Caseload Review, it compiles statistics from 90 data breach cases investigated by the company's incident response team last year, and provides a preview of Verizon's larger annual report that will contain data collected from additional sources like national CERTs and law enforcement agencies.
The report concludes that 92 percent of data breach incidents have had an external cause, which conflicts with the findings of other security vendors, according to whom most data breaches are the result of internal threats.
More from IDG
Business Identity Theft A Growing Concern
You've heard of identity theft — someone using a person's credit information or a Social Security number for ill-gotten gains. Well, experts say similar crimes are also affecting businesses.
Business identity theft involves posing as a legitimate business in order to get access to credit lines or steal customers. Experts believe that the practice has become more prevalent in the past two years.
"Business identity theft is incredibly underreported," says Hugh Thompson, who teaches at Columbia University and chairs an annual conference on security. No federal or state statistics track the problem. And Thompson says few victims are willing to report it.
"There's a big stigma attached with it," he says. "Imagine you're a company trying to portray an image of being solid and reliable out to your customers. It's not something that you want to readily admit to."
Business identity theft takes many forms. Posing as a look-alike or sound-alike business to lure customers is one of them. But in many cases, shady operators go after information to tap into business' credit and reputation. They change a business's contact information, for example, then use it to obtain credit cards or order goods, skipping town before bills arrive.
More from NPR