

» Visa Drops Global Payments Following Data Breach

Visa has dropped Global Payments from its list of companies that are deemed compliant with security policies following a data breach that may have compromised as many as 1.5 million Visa and MasterCard accounts.

Visa’s decision to drop Global Payments from its registry of service providers that meet the credit card company’s data security standards came April 1, two days after the breach became public. During a conference call April 2 to discuss the situation, Global Payments CEO Paul Garcia talked about Visa’s move, and reportedly said he expects his company to be returned to the list after it comes back into compliance with the Visa policies. However, Garcia didn’t say when that may be.

Officials with Visa and MasterCard announced last week that data from credit card accounts was stolen following a data breach at a third-party processor, and stressed that their own servers had not been compromised. The credit card companies initially did not say which transaction processing company was attacked, but it soon leaked out that it was Global Payments.


Posted on April 3, 2012 at 11:57 AM

» Mail carrier convicted in massive identity fraud case

A jury in federal district court returned a guilty verdict late yesterday against OPEOLUWA ADIGUN, age unknown, and CHUKWUKA ONYEKABA a/k/a Gabriel Onyekaba, 34, both of Marietta, Georgia on charges of stealing the identities of more than 85 individuals in the Atlanta area and opening credit cards, loans, and bank accounts in their names.  ADIGUN was also convicted of immigration, social security, and passport fraud.

United States Attorney Sally Quillian Yates said of the case, “Identity theft is a growing problem that destroys the lives of innocent citizens, resulting in years of victimization as they try to clear their good names and credit of the damage done by the criminals.  These defendants ran a sophisticated identity theft scheme that included opening multiple accounts in victims’ names, moving the criminal proceeds among different banks in victim names, using fake identifications, and buying ordinary gift cards with stolen credit cards to conceal the source of the proceeds.  The jury’s verdict brings some measure of justice to the many victims of these two defendants’ crimes.”

According to Paul Bowman, Area Special Agent in Charge of the United States Postal Service, Office of Inspector General, “Opeoluwa Adigun reflects just a very small percentage of employees who failed to uphold the trust and integrity placed in them.  The U.S. Postal Service, Office of Inspector General takes these cases very serious and investigates them to the fullest extent of the law.”

“The U.S. Postal Inspection Service is pleased with the jury’s verdict. Identity theft continues to plague the American public. As long as thieves target the U.S. Mail, Postal Inspectors will continue to target those responsible,” said Keith Morris, Postal Inspector in Charge of the Atlanta Division.

“The Paulding County Sheriff's Office, the investigating officer and I are all very happy with the verdict rendered by this jury,” said Paulding County Sheriff Gary Gulledge.  “It is always rewarding to see our justice system work as intended - to hold the guilty accountable and protect the innocent public from further harm. It is also satisfying to see resolution brought to the 85+ victims of the crimes committed by Opeoluwa Adigun and Chukwuka Onyekaba. This case is the perfect example of good police work, inter-agency cooperation, careful prosecuting and an intelligent jury. I commend all involved for the great work and great result.”

“This type of crime is even more egregious when it is conducted by a government employee using his or her position of trust for fraudulent purposes and financial gains,”  said  Brock D. Nicholson, Special Agent in Charge of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Atlanta, “HSI will continue to vigilantly investigate any individual who engages in activities that  jeopardize public safety and national security.” Nicholson oversees all HSI activities in Georgia and the Carolinas.

According to United States Attorney Yates, the charges and other information presented at trial:  Between May 2006 and March 2010, ADIGUN and ONYEKABA stole mail, credit cards, and other personal information from individuals in the Atlanta area, and then opened a variety of financial accounts under the victims’ names.  As part of the scheme, ADIGUN obtained a job as a mail carrier in the Hiram Post Office under the name “Mary Afolabi,” an identity she had stolen from another person from Nigeria before ADIGUN entered the United States in 2004.  During ADIGUN’s time with the Hiram Post Office, over 85 victims on her mail route reported that their identities were stolen and used to open multiple financial accounts in their names.

Using the information stolen from the mail route customers, ADIGUN and ONYEKABA applied for credit cards and bank loans in their victims’ names.  They deposited the fraudulent loan proceeds into bank accounts opened under yet other victims’ names and then wrote checks from those accounts to their two fraudulent businesses, GMO Auto Services in Douglasville and Gabmike Limousine Service in Smyrna.  They also used the fraudulent credit cards at their businesses. 

Further, ADIGUN and ONYEKABA purchased gift cards and thousands of dollars of merchandise with the fraudulent credit cards.  In March 2010, law enforcement officers stopped the defendants driving a Lincoln Navigator and found dozens of American Express, Walmart, and Target gift cards that were purchased with stolen credit cards issued to individuals residing on ADIGUN’s mail route in Hiram.

ADIGUN obtained a social security card and a U.S. passport and, in March 2009, was naturalized as a U.S. citizen – all under the assumed name of “Mary Afolabi.”

After a seven day trial, the jury returned guilty verdicts on all 44 counts it considered, including conspiracy, access device or credit card fraud, aggravated identity theft, bank fraud, mail theft, immigration fraud, social security fraud, and passport fraud.  The charges carry maximum sentences that range from five to 30 years in prison each, and fines of up to $1,000,000 per count.  The aggravated identity theft charges require a mandatory minimum sentence of 2 years in addition to any other sentence imposed.  Sentencing has not yet been scheduled before United States District Judge Richard W. Story.  In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders.

This case was investigated by the United States Postal Service, Office of Inspector General; United States Postal Inspection Service; United States Immigration and Customs Enforcement’s Homeland Security Investigations; United States Secret Service; Social Security Administration; Paulding County Sheriff’s Office; Douglas County Sheriff’s Office; Cobb County Sheriff’s Office; Hiram Police Department; and Cobb County Police Department.

Assistant United States Attorneys Stephen H. McClain and Shanya J. Dingle are prosecuting the case.


Posted on April 2, 2012 at 03:36 PM

» How to protect personal data on old devices you sell

Thinking of selling or giving away your smartphone or laptop computer? If you have a BlackBerry or an iPhone, go right ahead. But if you have an Android phone or a computer running Windows XP, you may want to hold off.

It turns out that it's almost impossible to get rid of personal information from some devices, even if you follow the manufacturer's directions for wiping the device clean.

Robert Siciliano, identity theft expert for the technology security firm McAfee, found this out in an experiment he conducted over the fall and winter. He bought 30 electronic devices from Craigslist — mostly smartphones and laptops — to see how effective people were at removing personal information from their gadgets before selling them.


Posted on April 2, 2012 at 03:21 PM

» MasterCard, Visa Report Data Breach of Card Processor

VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

More from Krebs

Posted on March 30, 2012 at 09:42 AM

» Microsoft Founder Paul Allen Victim of Identity Theft

Microsoft co-founder Paul Allen has become the victim of identity theft, with an AWOL U.S. soldier in Pittsburgh charged with changing the address on a Seattle bank account owned by Allen and attempting to redirect funds to a personal account.

Brandon Lee Price allegedly changed the address on a Citibank account owned by Allen from Seattle to Pittsburgh, and then had a debit card sent to his home in Pittsburgh. According to a report by the AP, Price attempted to wire $15,000 to the new account and to make a $658.81 payment on an Armed Forces Bank loan. He then allegedly attempted to make purchases at a GameStop and Family Dollar store.

One of the stupider headlines or memes around this news is that if a billionaire's identity isn't safe, then how can anyone else's be? There is nothing about a billionaire that makes his or her identity any more protected than anyone else's. If you think there is, then by all means name it. Just being rich doesn't inherently give you protections against ID theft.

Posted on March 27, 2012 at 03:51 PM

» Debit card fraud up, while check fraud declines

No surprise here. The use of debit cards is way up, so of course fraud increased. The opposite is true for paper checks.

During a year that saw a record rise in financial crime reports, one scam that has plagued banks and consumers for decades is fading away: check fraud.

Reports of suspected counterfeiting, check fraud, and check kiting were among the financial crimes that saw declines during 2011, dropping 7.5 percent from 2010.

The drop in check fraud came as the Financial Crimes Enforcement Network (FinCEN) had a record number of suspicious activity reports (SARs) in 2011 throughout the financial industry.

The number of check-related suspected crimes peaked in 2008, with banks sending 152,874 suspicious activity reports to FinCEN. From there, the cases are investigated by federal, state, or local authorities, depending on the amount of money involved in the crime.

Since 2008, the number of check-related crimes has dropped to 107,041.

The drop in check fraud numbers points to a trend many Americans are familiar with, the slow disappearance of checks.

The use of checks as a form of payment has been declining in recent years. Personal check use has dropped by 12 percent among consumers between 2008 and 2010, according to the American Bankers Association.

Meanwhile, the use of debit cards has increased, and with it, debit card-related crime.

From 2006 to 2009, the use of debit cards as a form of payment rose 14 percent among Americans, while debit card crimes rose 41 percent, according to data from the Federal Reserve and FinCEN.

Posted on March 27, 2012 at 09:31 AM

» Children 51 times more likely to be ID theft victim

Why are kids so vulnerable? Because they have unused, unblemished credit profiles. Richard Power, Distinguished Fellow, Carnegie Mellon CyLab, recently published the first ever child identity theft report based on identity protection scans of over 40,000 U.S. children. It is extremely alarming that 10.2% of the children in the report had someone else using their Social Security numbers. That figure is 51 times higher than the rate for adults of the same population.

Most people can't imagine a child's identity would be valuable. That comes from a lack of understanding of how the credit system works in the US.

Because children have untouched and unblemished credit records, they are highly attractive targets. More importantly, their credit reports are usually never looked at for years and years, so the thief can get away with the crime for longer. Child identity theft is profitable, hard to detect and a nightmare to recover. Thieves steal a child’s identity early on, nurture it until they have a solid credit score, and then abuse and discard it. If it’s not discovered in time, fraudulent use of your child’s identity could mean the loss of educational and job opportunities and starting off adulthood at a serious disadvantage with someone else’s bad credit in her name. All an identity thief needs to ruin your child’s bright financial future is her name and Social Security Number.

Posted on March 27, 2012 at 09:27 AM

» Social media use leads to increase in identity theft

Big users of social networks and smartphones have a higher risk of ID theft.

About 12 million Americans got hit by identity fraud in 2011, a 13% increase from a year earlier, thanks to consumers' growing use of social-media websites and smartphones, plus a sharp jump in security breaches, according to a recent report from Javelin Strategy & Research.

"The new ways in which people can communicate with each other create new risks," says Joel Winston, chief privacy officer at ID Analytics, a consumer risk-management company.

Some 7% of smartphone owners became identity-fraud victims in 2011, the Javelin survey of 5,000 consumers found. Smartphone users are about one-third more likely to fall prey to identity fraud than the general public, the report found.

Why? Because smartphones are minicomputers that store vast quantities of personal information, yet many users don't protect their smartphones the way they do laptops and PCs.


Posted on March 25, 2012 at 04:00 PM

» Facebook pushes back against employers demanding passwords

Is it legal or even fair for prospective employers to request -- or in some cases demand -- your Facebook password?

Facebook, perhaps anxious to avoid public controversy as it prepares for a much-publicized initial public offering, is moving to squelch a widely reported practice of employers asking job applicants for their Facebook passwords.

“If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends,” Erin Egan, Facebook’s chief privacy officer, wrote in a March 23 note. “As a user, you shouldn’t be forced to share your private information and communications just to get a job.”

Egan also hinted at the legal repercussions: “If an employer sees on Facebook that someone is a member of a protected group [e.g., over a certain age, etc.], that employer may open themselves up to claims of discrimination if they don’t hire that person.”

Employers also may not “have the proper policies and training for reviewers to handle private information,” Egan added. “If they don’t—and actually, even if they do—the employer may assume liability for the protection of the information they have seen.” That information may also incur certain responsibilities, such as reporting the possible commission of a crime.


Posted on March 25, 2012 at 03:23 PM

» FTC report says credit bureaus upsell ID theft victims

A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.

The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.

The report comes as that new agency is about to take on regulation of the credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.

More from MSNBC

Posted on March 23, 2012 at 10:46 AM

» Armenian Mobsters Convicted in LA for Identity Theft

WASHINGTON – After a five week trial, four defendants have been convicted for their roles in one of the largest bank fraud and identity theft schemes in California history, with dozens of victims in four states and millions of dollars in losses.

The convictions were announced by Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division, U.S. Attorney Andre Birotte Jr. of the Central District of California, Assistant Director in Charge of the FBI’s Los Angeles Field Office Steven Martinez and Special Agent in Charge of the U.S. Secret Service (USSS) Joseph Beaty.

Arman Sharopetrosian, Karen Markosian, Artush Margaryan and Kristine Ogandzhanyan were found guilty of conspiring to commit bank fraud, attempted bank fraud and various counts of aggravated identity theft.  Sharopetrosian, Markosian and Ogandzhanyan waived a jury trial and consented to trial by the judge, and Margaryan proceeded with a jury trial.  

Yesterday, U.S. District Judge David O. Carter found Ogandzhanyan, 28, of Burbank, Calif., guilty of one count of bank fraud conspiracy, two counts of attempted bank fraud and four counts of aggravated identity theft.  On March 16, 2012, the judge found Sharopetrosian, 33, of Burbank, guilty of one count of bank fraud conspiracy, four counts of bank fraud and seven counts of aggravated identity theft.  On March 16, 2012, the judge also found Markosian, 39, of Glendale, Calif., guilty of one count of bank fraud conspiracy, one count of attempted bank fraud and two counts of aggravated identity theft.  A jury convicted the fourth defendant, Artush Margaryan, 28, of Van Nuys, Calif., on March 16, 2012, of one count of bank fraud conspiracy, one count of attempted bank fraud and three counts of aggravated identity theft.

Evidence was presented at trial that Sharopetrosian is a member of the Armenian Power organized crime group, and Margaryan, Markosian and Ogandzhanyan are Armenian Power associates.

According to evidence presented at trial, Sharopetrosian directed the massive fraud scheme along with co-defendant Angus Brown, while the two were incarcerated at Avenal State Prison.  Using cellular telephones that were smuggled into the prison, Sharopetrosian and Brown worked from behind bars to coordinate with others, including Ogandzhanyan, Markosian and Margaryan, to obtain confidential bank profile information and steal money from victim account holders.  Often targeting high-value bank accounts, the defendants used account holders’ personal identifying information – including names, Social Security numbers and dates of birth – to impersonate victims in phone calls to the bank.  The defendants gathered account information, transferred funds between victims’ accounts and placed unauthorized check orders for the accounts.  They then stole the checks, obtained the victims’ signatures from public documents and paid conspirators to cash the forged checks.  Over the course of the six-year conspiracy, the defendants and their co-conspirators caused more than $10 million in losses to victims in Southern California, Nevada, Arizona and Texas.

“These defendants, including two individuals who were operating from a prison cell, perpetrated a massive fraudulent scheme on behalf of a dangerous criminal enterprise,” said Assistant Attorney General Breuer.  “As members and associates of Armenian Power, they stole sensitive personal and financial information from innocent consumers and caused millions of dollars in losses.  Whether organized criminal groups traffic in drugs, commit financial fraud or wreak other havoc to keep themselves going, they must be stopped.  We are doing everything possible to shut down dangerous gangs like Armenian Power.”

“The safety and sanctity of confidential financial information is paramount in today’s society,” said U.S. Attorney Birotte.  “Identity theft is a fundamental invasion of consumer privacy that cannot be tolerated.  These convictions demonstrate that violators, whoever and wherever they may be, will be caught and will be prosecuted to the fullest extent of the federal law.”

“The defendants were convicted in a trial that uncovered a sophisticated and lengthy scheme that targeted victims in multiple states, and included disturbing details, such as orders made from within prison walls and assistance from bank insiders enlisted by the defendants,” said FBI Assistant Director Martinez.  “This case is also indicative of the growing trend of gang or organized crime-affiliated groups now engaging in identity theft and other financial crimes in furtherance of their enterprise.”    


These defendants are four of 20 defendants who were charged with operating the bank fraud and identity theft scheme in one of a series of federal indictments unsealed on Feb. 16, 2011.  The indictments allege various federal crimes against members and associates of the Armenian Power criminal organization.  To date, 19 of the 20 defendants charged in the bank fraud indictment have been convicted, including Brown.  One defendant, Faye Bell, was arrested earlier this year and is still awaiting trial.

Sharopetrosian, Margaryan, Markosian and Ogandzhanyan face maximum sentences of 30 years in federal prison for each count of bank fraud, 30 years for each count of conspiracy to commit bank fraud and additional mandatory two year sentences for each count of aggravated identity theft.

Sentencing for all four defendants is scheduled for Aug. 6, 2012, before Judge Carter.

The case is being prosecuted by Assistant U.S. Attorneys Martin Estrada and Joseph McNally of the Central District of California and Trial Attorney Cristina Moreno of the Organized Crime and Gang Section in the Justice Department’s Criminal Division.  The case was investigated by the Eurasian Organized Crime Task Force, which includes the FBI, the USSS, the Los Angeles Police Department, the Glendale Police Department, the Burbank Police Department, the Internal Revenue Service and the U.S. Immigration and Customs Enforcement.

Posted on March 23, 2012 at 10:44 AM

» University of Tampa Data Breach

A breach at the University of Tampa may have exposed the sensitive information of thousands of students, faculty and staff members, including their names, identification numbers, social security numbers and birth dates, according to a press release posted to the University's Web site over the weekend.

The information of approximately 6,800 students from fall semester 2011 was discovered online by students in a UT class who were searching online. A subsequent investigation turned up two more files containing roughly 30,000 more records from between January 2000 and July 2011.

More from ThreatPost

Posted on March 22, 2012 at 06:04 PM

» Unidentified hackers behind Stuxnet and Duqu still at work

The still-unidentified group of attackers behind Stuxnet and Duqu have drawn quite a bit of attention to themselves in the last couple of years with their creations. Researchers, law enforcement and some particularly angry governments all would like to have a long talk with the crew. But that attention apparently hasn't persuaded the group that it's time to tone down their pursuits, as evidenced by the fact that researchers have discovered a newly compiled driver for Duqu within the last couple of days.

One of the unique things about Duqu is that the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say that the number of known victims of Duqu is quite small, perhaps fewer than 50.

More from ThreatPost

Posted on March 22, 2012 at 06:02 PM

» NASA Data Breach Discovered by Hackers

Members of two hacker collectives, Team r00tw0rm and Team inj3ct0r, identified an SQL injection vulnerability on one of the subdomains owned by NASA and hosted on the By leveraging the security hole, the hackers obtained a 6 gigabyte database, but refused to disclose the name of the flawed subdomain to give the agency time to patch it up.

A sample of the database reveals information such as usernames, email addresses, names, IDs, login dates, passwords, and other data. “Complete Database is in GB’s, well we aren’t leaking it. We may keep all parts in our private home! Yet only little bit dump or few columns data is released just to inform NASA that being National Aeronautics and Space Administration you must also keep your servers up to date!” the hackers said.

They claim they informed NASA a few days ago, but since the organization failed to respond, they leaked part of the database to attract the agency’s attention.

More from ITN

Posted on March 22, 2012 at 05:59 PM

» When to Consider Bankruptcy

Filing for bankruptcy is a process that many debtors turn to once they realize that they need help with a large debt load. Bankruptcy is a legal procedure that you can use to have your debt discharged right away. While there are some times that bankruptcy is not your best option, there are a few times where bankruptcy is definitely the best option to pursue. Read more...

Posted on March 8, 2012 at 06:10 PM

» Data breaches take months or years to be discovered

Over 90 percent of data breaches are the result of external attacks and almost 60 percent of organizations discovered them months or years later, Verizon said in a report released at the RSA security conference on Wednesday.

Called the Verizon 2011 Investigative Response Caseload Review, it compiles statistics from 90 data breach cases investigated by the company's incident response team last year, and provides a preview of Verizon's larger annual report that will contain data collected from additional sources like national CERTs and law enforcement agencies.

The report concludes that 92 percent of data breach incidents have had an external cause, which conflicts with the findings of other security vendors, according to whom most data breaches are the result of internal threats.

More from IDG

Posted on March 8, 2012 at 05:48 PM

» Business Identity Theft A Growing Concern

You've heard of identity theft — someone using a person's credit information or a Social Security number for ill-gotten gains. Well, experts say similar crimes are also affecting businesses.

Business identity theft involves posing as a legitimate business in order to get access to credit lines or steal customers. Experts believe that the practice has become more prevalent in the past two years.

"Business identity theft is incredibly underreported," says Hugh Thompson, who teaches at Columbia University and chairs an annual conference on security. No federal or state statistics track the problem. And Thompson says few victims are willing to report it.

"There's a big stigma attached with it," he says. "Imagine you're a company trying to portray an image of being solid and reliable out to your customers. It's not something that you want to readily admit to."

Business identity theft takes many forms. Posing as a look-alike or sound-alike business to lure customers is one of them. But in many cases, shady operators go after information to tap into business' credit and reputation. They change a business's contact information, for example, then use it to obtain credit cards or order goods, skipping town before bills arrive.

More from NPR

Posted on March 8, 2012 at 05:45 PM

» EU May Propose 24-Hour Breach Notification, Data Privacy Rules

Companies operating in the European Union may be required to disclose data breaches within 24 hours if proposed new rules are approved.

The European Commission will propose several changes to the data protection and privacy rules to protect individual rights and ensure a high level of data protection on Jan. 25. The proposed changes will simultaneously simplify and toughen the current mishmash of rules and policies currently used by the European Union's 27 member countries.

Along with the data breach notification rule, the commission's proposal includes stricter sanctions and would provide national data-protection officials with authority to levy administrative sanctions and fines, such as fining companies a percentage of their global revenue for violating the rules. The proposed changes would overhaul the EU's 17-year-old data protection policies addressing online advertising and social networking sites.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," EU Justice Commissioner Viviane Reding said at a conference in Munich on Jan. 22, according to Bloomberg.


Posted on January 27, 2012 at 09:32 AM

» Symantec Warns pcAnywhere Users Due to Source Code Theft

Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.

The saga over Symantec's stolen code took another twist as the company acknowledged that pcAnywhere customers are at risk for man-in-the-middle attacks and new exploits.

The breach actually occurred on Symantec servers in 2006, and attackers stole source code to several Norton security products and the pcAnywhere remote access tool, Symantec confirmed last week. At the time, the company assured customers that there was no risk to the products because the source code was so old and the company had made security improvements over the past six years.

However, upon further investigation, it appears that pcAnywhere customers are at risk, especially if they are not following "general security best practices" to protect the endpoint, network and remote access, as well as properly configuring the remote access tool, Christine Ewing, director of product marketing in the endpoint management group, wrote on the Endpoint Management Community blog Jan. 24. Those customers are susceptible to man-in-the-middle attacks, which can reveal authentication and session information.

"Customers of Symantec's pcAnywhere have increased risk as a result of this incident," Ewing wrote.

The encoding and encryption elements within pcAnywhere are vulnerable to being intercepted in man-in-the-middle attacks, according to a whitepaper addressing the issues in the remote access tool released by Symantec Jan. 25. If attackers manage to obtain the cryptographic key, they would be able to launch unauthorized remote control sessions and access other systems and sensitive data. If the key is using Active Directory credentials, the attackers would be able to access other parts of the network.

The company released a patch fixing three vulnerabilities in the latest version of pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release additional patches during the week for older versions of pcAnywhere, including versions 12.0 and 12.1. Symantec is also expected to patch more issues in version 12.5. Symantec will keep updating the software until "a new version of pcAnywhere that addresses all currently known vulnerabilities" is released, Ewing said.

Customers should disable pcAnywhere because malicious developers would be able to identify vulnerabilities within the source code and launch new exploits, Symantec said in the whitepaper. The remote access tool should be disabled unless it is vitally needed for business use, and in those situations customers should use the latest version of pcAnywhere with all the relevant patches and "follow the general security best practices," Symantec said.

"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said.

Since pcAnywhere is available as a stand-alone product, bundled with other Symantec products and also as part of Altiris-based packages, customers should check to see if the tool is enabled. A remote access component called pcAnywhere Thin Host is also bundled with several backup and security products from Symantec.

The company again asserted that its antivirus and endpoint security products are not at risk. "Our analysis shows that due to the age of the exposed source Symantec antivirus or endpoint security customers, including those running Norton products, should not be in any increased danger of cyber-attacks resulting from this incident," Symantec said in a statement.

The theft was limited to the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton Antivirus Corporate Edition code "represents a small percentage" of the code that appeared in the prerelease source for Symantec Antivirus 10.2, which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced Symantec Antivirus Corporate Edition, was based on a separate code branch "that we do not believe was exposed," Symantec said. Customers running Symantec Endpoint Protection 11.x are at "no increased security risk" due to the code theft.

Customers should follow recommended best practices, such as making sure antivirus definitions are up to date and running the latest version of the software. If it makes sense for the organization, Symantec recommends upgrading to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but there is no rush.

"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," Symantec said.

Posted on January 27, 2012 at 09:29 AM | Permalink

» McAllen insurance agent indicted on charges of mail fraud and ID theft

From a Jan. 26 news release issued by the U.S. Attorney's Office for the Southern District of Texas:

McALLEN, Texas – A McAllen area insurance agent has been indicted on multiple counts of mail fraud and aggravated identity theft arising from a scheme to defraud several private insurance companies offering Medicare Advantage plans and other insurance products, United States Attorney Kenneth Magidson announced today.
San Juana Lopez, 59, of Edinburg, Texas, was charged with five counts of mail fraud and three counts of aggravated identity theft in a federal indictment, returned under seal Tuesday, Jan. 24, 2012. The indictment was unsealed this morning upon her arrest by federal agents at her residence and she is expected to make an initial appearance in federal court later this morning before U.S. Magistrate Judge Dorina Ramos.
According to the indictment, from 2007 through 2008, Lopez worked for a San Antonio, Texas, insurance agency, selling Medicare Advantage insurance plans. These plans provide Medicare beneficiaries with the option to receive their benefits through a wide variety of private managed care plans, rather than through the traditional Medicare program. The indictment alleges Lopez obtained identifiers of beneficiaries through a variety of illegal means and used the identifiers to enroll the beneficiaries in a Medicare Advantage plan offered by Care Improvement Plus - a Baltimore, Md., insurance company - without the authorization or knowledge of the beneficiaries. Lopez received thousands in commissions as a result of the false enrollments. 
The indictment further alleges that only a few days after being suspended by Care Improvement Plus, Lopez entered into a sales agent agreement with United Funeral Directors Benefit Life Insurance Company (United), of Richardson, Texas, which offered pre-need funeral contracts allowing insured individuals to pre-plan and pre-fund funeral expenses. According to the indictment, soon after becoming an agent for United, Lopez began enrolling numerous individuals in United’s pre-need funeral insurance policy without their authorization or knowledge. The indictment alleges Lopez used bank account information belonging to unsuspecting United clients, whom she had previously enrolled, to make premium payments on the false policies. Lopez received thousands of dollars in commissions from United in connection with the alleged fraud.
Each count of mail fraud carries a sentence of up to 20 years in federal prison without parole and a $250,000 fine upon conviction. Lopez also faces a mandatory two-year prison term for each count of aggravated identity theft which must be served consecutive to any prison sentence imposed on the underlying charges. 
The investigation leading to the charges was conducted by the U.S. Department of Health and Human Services–Office of Inspector General and the U.S. Secret Service. Assistant United States Attorney Greg Saikin is prosecuting the case.
An indictment is a formal accusation of criminal conduct, not evidence.
A defendant is presumed innocent unless convicted through due process of law.



Posted on January 27, 2012 at 09:25 AM | Permalink

» Malware Poses as Google+ Plug-In

Spammers are cashing in on the popularity of Google+ by sending out fake emails inviting users to try out Google+ Hangouts by downloading a malicious file posing as a Google+ Hangout plug-in.

The fraudulent email advertises Google+ Hangouts as “the most popular online meeting service,” which is apparently true, according to a recent article from Lifehacker.

The fake Google+ plug-in promises to make you “look and sound your best with high quality audio and video,” apparently an effort to fool G+ users into believing that the free Web conferencing feature can be juiced. Malware City reports that clicking the link won’t install a Google+ plug-in but downloads an executable file instead.

Despite concerns about privacy, there have been few threats that specifically target the Google+ network since its launch. The company has promised to prevent brand squatting and other nuisance behaviors, but G+ specific malware and attacks have been few and far between. That may change, however, as the size of the nascent social network continues to grow.

Posted on January 27, 2012 at 09:23 AM | Permalink

» ID theft scam in NY has victims in 30 states

Two New York women are accused of scamming $75,000 from victims in 30 states by posting phony Craigslist ads for nonexistent jobs and apartments.

A Long Island prosecutor has announced identity theft charges against the woman and her niece.
Nassau County District Attorney Kathleen Rice said Thursday a grand jury filed grand larceny and other charges against the pair earlier this week. Her spokesman said the women will be arraigned at a later date. Defense attorneys did not immediately respond to calls for comment.

Prosecutors say the pair posted online ads and then asked responders to provide personal information, including Social Security numbers.

The women then allegedly used the information to file more than 250 phony tax returns and to obtain bank loans and credit cards in the victims’ names.

From AP

Posted on January 27, 2012 at 09:18 AM | Permalink

» Timeshare Marketing Scams

Timeshare owners across the country are being scammed out of millions of dollars by unscrupulous companies that promise to sell or rent the unsuspecting victims’ timeshares. In the typical scam, timeshare owners receive unexpected or uninvited telephone calls or e-mails from criminals posing as sales representatives for a timeshare resale company. The representative promises a quick sale, often within 60-90 days. The sales representatives often use high-pressure sales tactics to add a sense of urgency to the deal. Some victims have reported that sales representatives pressured them by claiming there was a buyer waiting in the wings, either on the other line or even present in the office.

Timeshare owners who agree to sell are told that they must pay an upfront fee to cover anything from listing and advertising fees to closing costs. Many victims have provided credit cards to pay the fees ranging from a few hundred to a few thousand dollars. Once the fee is paid, timeshare owners report that the company becomes evasive—calls go unanswered, numbers are disconnected, and websites are inaccessible.

In some cases, timeshare owners who have been defrauded by a timeshare sales scheme have been subsequently contacted by an unscrupulous timeshare fraud recovery company as well. The representative from the recovery company promises assistance in recovering money lost in the sales scam. Some recovery companies require an up-front fee for services rendered, while others promise no fees will be paid unless a refund is obtained for the timeshare owner. The IC3 has identified some instances where people involved with the recovery company also have a connection to the resale company, raising the possibility that timeshare owners are being scammed twice by the same people.

If you are contacted by someone offering to sell or rent your timeshare, the IC3 recommends using caution. Listed below are tips you can use to avoid becoming a victim of a timeshare scheme:

  • Be wary if a company asks you for up-front fees to sell or rent your timeshare.
  • Read the fine print of any sales contract or rental agreement provided.
  • Check with the Better Business Bureau to ensure the company is reputable.

To obtain more information on Internet schemes, visit

Anyone who believes they have been a victim of this type of scam should promptly report it to the IC3’s website. The IC3’s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Posted on January 26, 2012 at 02:47 PM | Permalink

» Six Charged in Scheme to Use Identities of Dead People to Get Tax Refunds

A 10-count indictment was unsealed today charging six people with various offenses related to a scheme to defraud the Internal Revenue Service (IRS) of at least $1.7 million in fraudulently obtained tax returns, often filed in the names of recently deceased taxpayers, the Justice Department and IRS announced today.

According to the indictment, from April 15, 2009, to at least August 2011, Muaad Salem, Fahim Sulieman, Hanan Widdi, Najeh Widdi, Hazem Woodi and Daxesj Patel and other unknown co-conspirators allegedly defrauded the United States by filing false and fraudulent tax returns, many in the names of recently deceased taxpayers, and directing refunds to controlled locations in the state of Florida.

The indictment further alleges that the U.S. Treasury checks generated by the false and fraudulent returns would then be sent by the U.S. mail to co-conspirators in Ohio who would sell and distribute the checks for negotiation at various businesses and banking institutions.

“The theft of anyone’s identity is a serious offense, but stealing the identities of the recently departed to defraud all the other taxpayers is particularly egregious,” said Steven M. Dettelbach, the U.S. Attorney for the Northern District of Ohio.

“Identity theft that leads to tax fraud threatens both individual U.S. citizens and the U.S. government,” said John A. DiCicco, Principal Deputy Assistant Attorney General of the Justice Department's Tax Division. “The Justice Department and the IRS will continue to cooperate in investigating and prosecuting these crimes to the fullest extent of the law. In our technology-driven society, this simply must be a top priority.”

  The following individuals were charged with conspiracies to defraud the United States and to commit mail fraud:

Muaad Salem, age 33, of Akron, Ohio;  

Hazem Woodi, age 31, of North Olmsted, Ohio;

Najeh Widdi, age 45, of Cleveland;

Fahim Suleiman, age 46, of Lutz, Fla.;

Daxesj Patel, age 35, of Canton, Ohio; and

Hanan Widdi, age 38, of Cleveland.

The six are also charged with three counts of mail fraud and two counts of aggravated identity theft. In addition to the other charges, Patel is separately charged with two counts of making a false claim against the United States and with making a false statement to law enforcement officials investigating the crimes.

“The IRS is aggressively pursuing those who steal others’ identities in order to file false returns,” said Steven Miller, IRS Deputy Commissioner for Services and Enforcement. “Our cooperative work with the U.S. Attorney’s Office will help protect taxpayers in Northern Ohio from being victimized by identity theft. The IRS is taking additional steps this tax season to further prevent, detect and resolve identity theft cases as soon as possible.”

“This case is an example of the FBI and IRS working together to aggressively pursue and investigate those organized criminal enterprises that commit identity theft and fraudulent activities in the United States costing the taxpayers of this country millions of dollars,” said Stephen D. Anthony, Special Agent in Charge of the FBI’s Cleveland office.

“IRS Criminal Investigation has made investigating refund fraud and identity theft a top priority,” stated Darryl Williams, Special Agent in Charge, IRS-Criminal Investigation, Cincinnati Field Office. “Filing fraudulent tax returns in the names of other individuals may result in significant harm to those individuals whose identities were stolen, as well as a monetary loss against the U.S. Treasury.”

Mail fraud is punishable by a maximum sentence of 20 years in prison; conspiracy to defraud the United States is punishable by a maximum sentence of 10 years; conspiracy to commit mail fraud, making a false claim against the United States and making a false statement are each punishable by a maximum sentence of five years in prison; aggravated identity theft is punishable by a mandatory sentence of two years incarceration to follow conviction on any other offense.

Defendants also face a fine of up to $250,000 for each count of conviction.

The case was presented to the grand jury by Assistant U.S. Attorney Gary D. Arbeznik following investigation by the Cleveland Division of the FBI, the IRS – Criminal Investigation, and the U.S. Postal Service.           

An indictment is only a charge and is not evidence of guilt. The defendants are entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt.

From DOJ

Posted on January 26, 2012 at 02:46 PM | Permalink

» appears to be a scam

Watch out for 

Many complaints online for this company. My credit card company told me they are located in Great Britain, although they clearly operate in the United States.

I noticed that a lot of complaints online about filmlush are from people that enter in credit card information for a trial and then they cancel before the end of the trial, or never click "submit" to finalize the offer but are still charged $39.95.

Posted on January 25, 2012 at 11:29 AM | Permalink

» Top Data Breaches in 2011

2011 was a significant year for data security, with some of the biggest data breaches in our history reported. In 2011, 535 breaches were reported, involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.

Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches that contain data as seemingly innocuous as names and email addresses can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.

The following half dozen are the most significant data breaches in 2011:

  1. Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login, and online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.    

    The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes.  Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites.  One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In this case, the stolen passwords were unencrypted, meaning the criminal could potentially "break in" to other sites if the victims used the same password more than once.

  2. Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million.  The number of customer emails exposed may have reached 250 million.

    Compromised email addresses and names may seem innocuous to some, but victims may fall prey to spear phishing. Spear phishing occurs when a criminal sends an email that sounds and looks like it’s from a company the recipient has an account with because it addresses him or her by name. A spear-phishing message might say, “Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email tries to convince trusting readers to “bite” on the bait and go to that website, and then divulge other information like Social Security numbers and credit card numbers. The result could be as serious as identity theft.

    The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems and the need for greater cloud security measures.

  3. Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed.  An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients.   At least two lawsuits have been filed against Sutter Health.  One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.  

    The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.

  4. Texas Comptroller's Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.

    A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed.  Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed.  The birth dates and driver's license numbers of some of these people were also exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.

    Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.

  5. Health Net (March 15) - Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

    Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification. 

  6. Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) - The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  Uniformed Service members, retirees and their families were affected.  Patient data from the military health system dating from 1992 to September 2011 could have been compromised.  It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information.  Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data.  The lawsuit would give $1000 to each of the affected individuals. SAIC reported that 5,117,799 people were affected by the breach.

    The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted? This breach also illustrates the triple impact of medical breaches. Victims not only suffer the exposure of their sensitive health information; they also are vulnerable to financial identity theft as well as medical identity theft.

    It is also significant that two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report. Medical breaches are particularly significant and harmful because of the sensitivity of personal information exposed, in addition to, often, Social Security numbers and dates of birth. 


Posted on January 25, 2012 at 10:11 AM | Permalink

» Hackers steal $6.7 million from South African bank

A perfectly planned and coordinated bank robbery was executed during the first three days of the new year in Johannesburg, and left the targeted South African Postbank - part of the nation's Post Office service - with a loss of some $6.7 million.

Unfortunately, the Postbank's fraud detection system hasn't performed as it should, and the crime was discovered only after everyone returned to work after the holiday break. Apparently, it should not come as a surprise - according to a banking security expert, "the Postbank network and security systems are shocking and in desperate need of an overhaul."

The post office and the police have confirmed that the breach happened and that the National Intelligence Agency (NIA) is involved in the investigation. The bank has issued a statement saying that none of its customers' bank accounts were affected by the heist.


Posted on January 17, 2012 at 07:24 PM | Permalink

» Opt-Out of online behavioral advertising

The Network Advertising Initiative Opt-Out Tool was developed for the express purpose of allowing consumers to "opt out" of the behavioral advertising delivered by NAI member companies.

The companies that provide advertising for Websites typically gather data about consumers who view their ads. Often, that data is anonymous - linked only to a numbered "cookie" on a user's computer (a cookie is a small file of data that is stored by websites on your computer through your web browser). Advertising networks collect and analyze this data to make a variety of inferences about each consumer's interests and preferences. The result is a profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits. That profile enables the advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. The Network Advertising Initiative (NAI) refers to this practice as "Online Behavioral Advertising" or "OBA."

These third-party advertising companies employ cookie and 1x1 pixel.gif (web beacon) technology to measure and improve the effectiveness of ads for their clients. To do so, these companies may use anonymous information about your visits to many websites. The data collected can include the date and time a banner ad was shown, their cookie, and the IP address. This information can also be used for online preference marketing purposes. Information about your visits to such Web sites may be used to provide ads about goods and services of interest to you (or that they think are of interest to you based on your past web browsing).

Using the Opt-Out Tool, you can examine your computer to identify those member companies that have placed an advertising cookie file on your computer. To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.

Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your Web preferences and usage patterns.

The opt-outs are specific to every browser, so you must run the tool for every browser you use. The opt-outs will only remain in effect as long as the opt-out cookies the tool places into your browser's storage still exist. So if you get a new computer, uninstall your browser or delete all the browser cookies, you will have to run the Opt-Out Tool again.

Network Advertising Initiative Opt-Out Tool |  FAQ

Posted on January 12, 2012 at 09:33 AM | Permalink

» EFF Raises Privacy Concerns About AOL Instant Messenger

The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them. We met with AOL to discuss how these features work and why the company should take greater care with your data, and we’re happy to say that AOL is promising to make some important changes as a result, especially in response to our second concern.

However, we still recommend that AIM users do not switch to the new version, as it introduces important privacy-unfriendly features. Unfortunately, AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat.  


We appreciate AOL's willingness to discuss these changes with us and we're extremely pleased to see AOL taking some steps to safeguard their users' privacy and give better notice, which only becomes more important as the company moves toward providing more cloud-based services. Nevertheless, we think there’s more AOL should do to respect its customers' privacy and to fully inform them about, and get opt-in agreement to, these significant changes.

Bottom line: Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade. As always, we recommend users stay safer online by using chat clients that are compatible with OTR.

More at

Posted on January 5, 2012 at 10:42 AM | Permalink

» BBB Top Ten Scams of 2011

Better Business Bureau investigates thousands of scams every year, from the latest gimmicks to schemes as old as the hills. Our new Scam Source is a comprehensive resource on scam investigations from BBBs around the country, with tips from BBB, law enforcement and others. You can sign up to receive our Scam Alerts by email, and you can also be a scam detective yourself by reporting scams you’ve discovered. We’ve divided scams up into nine major categories and picked the top scam in each, plus our Scam of the Year.

Top Job Scam 
BBB sees lots of secret shopper schemes, work-from-home scams, and other phony job offers, but the worst job-related scam can dash your hopes and steal your identity. Emails, websites and online applications all look very professional, and the candidate is even interviewed for the job (usually over the phone) and then receives an offer. In order to start the job, however, the candidate has to fill out a “credit report” or provide bank information for direct deposit of their “paychecks.” The online forms are nothing more than a way to capture sensitive personal data – Social Security number, bank accounts, etc. – that can easily be used for identity theft. And, of course, there is no job, either. 

Top Sweepstakes and Lottery Scam 
Sweepstakes and lottery scams come in all shapes and sizes, but the bottom line is almost always this: You’ve won a whole lot of money, and in order to claim it you have to send us a smaller amount of money. Oh, and keep this confidential until we’re ready to announce your big winnings. This year’s top sweepstakes scam was undoubtedly the email claiming to be from Facebook founder Mark Zuckerberg announcing that the recipient was the winner of $1 million from the popular social networking site. These kinds of scams often use celebrities or other famous names to make their offer seem more genuine. If you aren’t sure, don’t click on the link but instead go directly to the homepage of the company mentioned. If they are really giving away $1 million, there will be some kind of announcement on their website. But don’t waste too much time looking. 

Top Social Media/Online Dating Scam 
On the Internet, it’s easy to pretend to be someone you are not. Are you really friends with all of your “Friends” on Facebook? Do you have a lot of personal information on a dating site? With so much information about us online, a scammer can sound like they know you. There are tons of ways to use social media for scams, but one this year really stands out because it appeals to our natural curiosity…and it sounds like it’s coming from a friend. Viral videos claiming to show everything from grisly footage of Osama bin Laden’s death to the latest celebrity hijinks have shown up on social media sites, often looking as if they have been shared by a friend. When you click on the link, you are prompted to “upgrade your Flash player,” but the file you end up downloading contains a worm that logs into your social media account, sends similar messages to your friends, and searches for your personal data. The next time you see a sensational headline for the latest viral video, resist the urge to peek. 

Top Home Improvement Scam 
Always near the top of BBB complaint data are home improvement contractors who often leave your home worse than they found it. They usually knock on your door with a story or a deal – the roofer who can spot some missing shingles on your roof, the paver with some leftover asphalt who can give you a great deal on driveway resealing. Itinerant contractors move around, keeping a step ahead of the law…and angry consumers. The worst are those who move in after a natural disaster, taking advantage of desperate homeowners who need immediate help and may not be as suspicious as they would be under normal circumstances. A large percentage of BBB’s Accredited Businesses are home contractors who want to make sure you know they are legitimate, trustworthy and dependable. Find one at 

Top Check Cashing Scam 
Two legitimate companies – Craig’s List and Western Union – are used for an inordinate amount of scamming these days, and especially check cashing scams. Here’s how it works: Someone contacts you via a Craig’s List posting, maybe for a legitimate reason like buying your old couch or perhaps through a scam like hiring you as a secret shopper. Either way, they send you a check for more than the amount they owe you, and they ask you to deposit it into your bank account and then send them the difference via Western Union. A deposited check takes a couple of days to clear, whereas wired money is gone instantly. When the original check bounces, you are out whatever money you wired…and you’re still stuck with the old couch. 

Top Phishing Scam 
“Phishing” is when you receive a suspicious phone call asking for personal information or an email that puts a virus on your computer to hunt for your data. It’s almost impossible to avoid them if you have a telephone or an email account. But the most pernicious phishing scam this year disguised itself as official communication from NACHA – the National Automated Clearing House Association – which facilitates the secure transfer of billions of electronic transactions every year. The email claims one of your transactions did not go through, and it hopes you react quickly and click on the link before thinking it through. It may take you to a fake banking site to “verify” your account information, or it may download malware to infiltrate your computer.

Top Identity Theft Scam 
There are a million ways to steal someone’s identity. This one has gotten so prevalent that many hotels are posting warnings in their lobby. Here’s how it works: You get a call in your hotel room in the middle of the night. It’s the front desk clerk, very apologetic, saying their computer has crashed and they need to get your credit card number again, or they must have gotten the number wrong because the transaction won’t go through, and could you please read the number back so they can fix the problem? Scammers are counting on you being too sleepy to catch on that the call isn’t from the hotel at all, but from someone outside who knows the direct-dial numbers for the guest rooms. By the time morning rolls around and you are clear-headed, your credit card has been on a major shopping spree. 

Top Financial Scam 
In challenging economic times, many people are looking for help getting out of debt or hanging on to their home, and almost as many scammers appear to take advantage of desperate situations. Because the federal government announced or expanded several mortgage relief programs this year, all kinds of sound-alike websites have popped up to try to fool consumers into parting with their money. Some sound like a government agency, or even part of BBB or other nonprofit consumer organization. Most ask for an upfront fee to help you deal with your mortgage company or the government (services you could easily do yourself for free), and almost all leave you in more debt than when you started. 

Top Sales Scam 
Sales scams are as old as humanity, but the Internet has introduced a whole new way to rip people off. Penny auctions are very popular because it seems like you can get something useful – cameras, computers, etc. – for way below retail. But you pay a small fee for each bid (usually 50¢ to $1.00) and if you aren’t the winner, you lose that bid money. Winners often are not even the top bidder, just the last bidder when time runs out. Although not all penny auction sites are scams, some are being investigated as online gambling. BBB recommends you treat them the same way you would legal gambling in a casino – know exactly how the bidding works, set a limit for yourself, and be prepared to walk away before you go over that limit.

Scam of the Year 
Yep, it’s us – the BBB phishing scam. Hundreds of thousands, perhaps millions, of people have gotten emails that very much look like an official notice from BBB. The subject line says something like “Complaint Against Your Business,” and the instructions tell the recipient to either click on a link or open an attachment to get the details. If the recipient does either, a malicious virus is launched on their computer…a virus that can steal banking information, passwords and other critical pieces of information needed for cyber-theft. BBB is working with security consultants and federal law enforcement to track down the source of these emails, and has already shut down dozens of hijacked websites. Anyone who has opened an attachment or clicked on a link should run a complete system scan using reputable anti-virus software. If your computer is networked with others, all machines on the network should be scanned, as well.

Posted on January 5, 2012 at 10:38 AM | Permalink

» Hacking group releases 75,000 names of Stratfor subscribers

Hackers released another batch of data on Thursday pilfered from Stratfor Global Intelligence, a widely used research and analysis company whose website was attacked last weekend. The data purports to be the names and credit-card numbers of people who have purchased research from Stratfor plus hundreds of thousands of user names and e-mail addresses used to register with the website.

The hackers, believed to be part of the Anonymous movement, described the data on Pastebin, then provided several links to websites hosting the information. They noted that some 50,000 of the e-mail addresses released end in ".mil" or ".gov." The data comprises 75,000 names, credit card numbers and MD5 hashes, or cryptographic representations, of passwords for people who have paid Stratfor for research.

The group also said the data contains 860,000 user names, e-mail addresses and MD5 hashes for passwords for anyone who has registered on Stratfor's website.

From IDG News Service

Posted on January 3, 2012 at 05:42 PM | Permalink

» Privacy Rights Clearinghouse Launches Online Complaint Center

The Privacy Rights Clearinghouse (PRC) is proud to announce the launch of an interactive online complaint center designed to serve as a clearinghouse for consumer privacy complaints.  This builds upon our 19-year history of troubleshooting consumers’ complaints and questions regarding a wide variety of information privacy issues, including background checks, debt collection, data breaches, financial information, and online data brokers. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.

The impetus for the development of the online complaint center was the 2009 KnowPrivacy study, conducted by graduate students in the Masters program at the UC-Berkeley School of Information as well as the Law School at UC-Berkeley. The study found that consumers are concerned about data collection and want greater control over their personal information, but don't know whom to complain to. This presents a significant challenge given the important role that consumer complaints can play regarding the shaping of public policy.

The new online complaint center acts as a clearinghouse for privacy-related complaints by offering consumers a central point of contact. Complaints submitted to the PRC will be forwarded upon the consumer’s request to the appropriate governing body. Further, by acting as a magnet for privacy complaints, our goals are to:

  1. Empower Consumers. There are many avenues for consumers to voice complaints, but few that actually respond with personalized information. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem. We also offer individuals the opportunity to escalate the complaint to the media, public authorities, and, if appropriate, attorneys.

  2. Educate the Public Policy Process. As an education and advocacy organization, the PRC understands the important role consumer complaints play in fostering regulatory and legislative change. The online complaint center will enable us to identify trends and publish reports on key privacy-related issues that are of concern to individuals. By sharing this information with the Federal Trade Commission and other regulators at the state and federal level, public authorities can gain a richer understanding of the consumer privacy landscape. 

The online complaint center simplifies the complaint process into four main sections:

  1. Who are you? Consumers can choose to remain anonymous or provide their name and contact information. The only information we require is the consumer's email address and state so that we can properly respond to the complaint. Contact information will not be shared unless the individual chooses to share the complaint with government agencies, lawyers or the media.

  2. Whom/what are you complaining about? We ask the consumer to identify whom/what the complaint is about: a company or organization, a government agency or a person. If the complaint is about a company or organization, the site has an interactive “smart” feature that can auto-fill company information.

  3. What is your complaint? Consumers have the ability to describe their complaint in detail, attach supporting documents and add "tags" to categorize the complaint.

  4. Review and submit your complaint. Before submitting the complaint, consumers have an opportunity to review the entire complaint and make any necessary changes. There is also an option to print or email a copy of the complaint.

The PRC staff review all complaints and email a personalized response to the consumer within one to two business days. If the individual chooses to share the complaint with government agencies, we forward the complaint to the appropriate governing body.

The online complaint center also offers a registration feature. Those users who wish to register can log in at any time to update contact information, access previously submitted complaints, see staff responses to each complaint, and add new information to a complaint. Registration is completely optional and can be pseudonymous.

We invite you to celebrate a new year for privacy by exploring the online complaint center and sharing the site with your friends and family.  Any feedback can be emailed to



Posted on January 3, 2012 at 11:58 AM | Permalink | Comments (0)

» Bank of America data leak destroys customer trust

A BofA employee apparently leaked confidential information about his and hundreds of other customers' accounts to scammers, resulting in more than $10 million in losses.


Posted on May 26, 2011 at 09:08 AM | Permalink

» Health Net loses sensitive data for 2M people

A health insurance company that provides coverage to 6 million people nationwide said Monday it is missing data servers containing the health records, financial information and Social Security numbers for nearly 2 million current and past clients.

Health Net Inc. said Monday it cannot account for several hard drives from a data center in the Sacramento suburb of Rancho Cordova.

The Woodland Hills-based managed care company would not disclose how many people could be affected, but the California Department of Managed Health Care placed the number at 1.9 million. In a news release, the department said nine server drives are missing and that it is conducting its own investigation into the company's security practices.


Posted on March 17, 2011 at 02:47 PM | Permalink

» Monitor your credit report

Federal law gives you the right to one free credit report from each of the three credit bureaus on an annual basis. Requesting your free credit reports on a regular basis can help you spot problems early, such as identity theft or erroneous debts. Don’t fall prey to the confusing ads for free credit reports that you see on TV. The official site for your free yearly credit report is

Posted on March 12, 2011 at 10:35 AM | Permalink | Comments (1)

» Don’t share sensitive information on social networking sites

People store massive amounts of personal information on such sites, including birth dates, place of birth, phone numbers, vacation plans and more. Not only is this information a gold mine for marketers and unscrupulous individuals, but it may also be used against you by current and future employers.

Posted on March 10, 2011 at 10:34 AM | Permalink | Comments (0)

» Request a copy of your medical records

The federal rule HIPAA gives you the right to access your medical records. Health care providers must give you a copy of their privacy notice. This includes doctors, pharmacies, dentists, and other healthcare professionals. It’s important to request copies of your medical records because you never know when your doctor or dentist might retire or close up shop. And it's prudent to watch for signs of medical identity theft.

Posted on March 9, 2011 at 10:33 AM | Permalink | Comments (0)

» Don't let debt collectors push you around: you have rights

The federal Fair Debt Collection Practices Act gives you rights when debt collectors call. We’ve heard of debt collectors contacting family members, neighbors, and employers, as well as threatening jail time. A collector should not discuss your account with third parties or use the phone to harass you. Request debt collectors contact you in writing.

Posted on March 8, 2011 at 10:32 AM | Permalink | Comments (0)

» When applying for a job, request copy of your background check

If you are applying for a job, potential employers must obtain your written permission before performing a background check. Under the federal Fair Credit Reporting Act, companies must tell you if they didn’t hire you because of the background check and give you information on how to request a copy of the report.

Posted on March 7, 2011 at 10:31 AM | Permalink | Comments (0)

» Cord Blood Registry Data Theft [UPDATED 3-7-11]

(Update below)

ScamSafe appears to be the first to report a serious data breach at Cord Blood Registry. No mention has been found of this breach in the news or the Data Loss database.

The author received a notification letter as a customer of CBR dated February 14, 2011.

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother lode" of personal identifying information for identity thieves.

CBR said in their letter to those affected: "CBR hired computer security experts to investigate the incident and they determined that there is no indication that the personal information has been accessed or misused." This is a typical PR spin statement that companies who have suffered a breach use to make their customers feel better. Unfortunately it is, at best, meaningless. How could they really know whether the information was used to commit identity fraud? If they have a method, we're all ears.

There is no mention of the stolen computer and data tapes on the company web site or blog.

Cord Blood Registry® (CBR®) is the world's largest stem cell bank. The company is entrusted with storing more than 350,000 cord blood collections for individuals and their families. Headquarters are in San Bruno, California, and its laboratory and storage facility is located in Tucson, Arizona.

UPDATE 3/3/11: Read the police report. The theft happened on December 13, 2010. The CBR employee had the computer and data tapes in a backpack in the trunk of his car. He left it unattended at 11:35pm and returned around 15 minutes later and it had been broken into. The location of the theft is actually a large data center at 365 Main St in San Francisco.

UPDATE #2 3/3/11: This breach appears to affect virtually EVERY CBR customer (over 300,000). You can read the breach notification letter. For help call CBR at (888) 578-4480.

UPDATE #3 3/7/11: Read more about the breach at Network World and on

Posted on March 2, 2011 at 10:32 AM | Permalink | Comments (7) | TrackBack (0)

» Better Business Bureau Warns of Identity Theft on Facebook

The Better Business Bureau is asking local residents to be more careful about placing their age, birthday or other information on Facebook. They warn that users of the popular social networking site could become victims of identity theft.

The Metro Atlanta Better Business Bureau says identity thieves can guess the social security numbers of Facebook users with very little information. Fred Elsberry is president and CEO of the organization.

"The first three digits of your social security number is the zip code of where you live, or a code that says this is your hometown, so if you put your hometown in there they're going to be able to identify the first three digits."

Elsberry says identity thieves can also guess the next two digits, because they are determined by where you applied for your social security number. He says the last four digits are supposed to be random, but they tend to be in sequential order. Elsberry says those born after 1989 are especially at risk.

"The pattern is much more predictable there."

Elsberry says the good news is starting this year social security numbers will be more random. But he says if you already have one, your only option is to protect the one you've been given.


Posted on February 21, 2011 at 10:35 AM | Permalink

» Protect Your Credit Card from Being Compromised by These Cons

Credit card con-artists can be extremely crafty, something you know first hand if you've found yourself entangled in one of their scams. It's not just people on the news; many Americans find themselves scammed each year.

On this site below, you can find four examples of some disturbingly compelling credit card fraud.


Posted on February 21, 2011 at 10:33 AM | Permalink

» BBB warns of tax-time scams

The Better Business Bureau is warning taxpayers to beware of tax scams during this return-filing season.

If you get an email that claims to be from the IRS, telling you that you need to submit information for your W-2, it is a scam, the BBB advised.

The email tells the taxpayer to click on a link to input the information as part of an identity theft scam.

There are several IRS scams that make their rounds at this time of the year. Sometimes the email comes from the "Treasury Department" stating a refund or tax inheritance is waiting and the taxpayer needs to provide personal information.

Here are tips from the BBB to help you recognize a tax scam:

- If the IRS needs information, it will send a letter. You will not be asked to send information through email.

- Do not click on any links in unknown emails. It could infect your computer with viruses and spyware.

- Do not give out personal information, including Social Security number, home address and birth date to anyone who emails or calls you.

- If the email has a lot of punctuation and spelling errors, that's a "red flag" that it is probably not an official letter.


Posted on February 21, 2011 at 10:31 AM | Permalink

» FTC Offers Businesses Tips for Dealing with Medical Identity Theft

 The Federal Trade Commission, the nation’s consumer protection agency, has information for health care providers and insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if they become victims of it.  Here are the highlights of the FTC’s new publication, Medical Identity Theft FAQs for Health Care Providers and Health Plans: 

  • How would people know if they’re victims of medical identity theft?  They could be billed for medical services they didn’t receive, contacted by a debt collector about a medical debt they don’t owe, see medical collection notices on their credit report that they don’t recognize, be told by their health plan that they’ve reached their limit on benefits, or be denied insurance because their medical records show a condition they don’t have.
  • What should health care providers and insurers do if they learn that a patient may be the victim of medical identity theft?  They should conduct an investigation, understand their obligations under the Fair Credit Reporting Act, review their data security practices, and provide any necessary notifications that a data breach has occurred.
  • What should health care providers and insurers tell a patient who is the victim of medical identity theft?  They should:
    • advise victims to take advantage of their rights under the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.
    • encourage victims or potential victims to notify their health plans.
    • tell victims to file a complaint with the FTC at or by phone at 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261; and to check out the information at
    • encourage victims to file a report with local police, and send copies of the report to their health plan’s fraud department, their health care provider(s), and the three nationwide credit reporting companies – Equifax, Experian, and TransUnion.  Information on how to file a police report and reach the credit reporting companies is at
    • encourage patients to look for signs of other misuses of their personal information by reviewing their credit reports.  The law requires each of three major nationwide credit reporting companies to give people a free copy of their credit report each year if they ask for it at or 1-877-322-8228.  If they find inaccurate or fraudulent information, they can visit to learn how to get it corrected or removed.

Posted on February 21, 2011 at 10:31 AM | Permalink

» Students' Personal Data Posted Online

Team 5 Investigates has learned that the personal information of as many as 1,300 current and former students at the Wentworth Institute of Technology was inadvertently put online.

School officials notified all affected students of the data breach, which was reported to WIT on Dec. 22.

The letter said that an "electronic file was accessible on the Institute's website that contained personal information for a group of current and former students, including full name, social security number, and date of birth. The file also included information such as allergies, medications, medical conditions and disabilities."


Posted on February 21, 2011 at 10:29 AM | Permalink

» Univ. of Iowa Hospital discloses potential data breach

The University of Iowa Hospitals has disclosed a potential data breach involving the EMRs of several University of Iowa football players. The University of Iowa Hospitals issued a statement on Jan. 28.

"Officials at University of Iowa [UI] Hospitals and Clinics in Iowa City [are] conducting an investigation after a proactive screening of the electronic medical records of 13 University of Iowa football players indicated that some of those records may have been accessed inappropriately,” according to the statement.


Posted on February 21, 2011 at 10:29 AM | Permalink

» Breach Hits 2,400 MediCal Beneficiaries

The San Francisco Human Services Agency has notified approximately 2,400 MediCal beneficiaries and the federal government about a breach of protected health information, including Social Security numbers.


Posted on February 21, 2011 at 10:26 AM | Permalink

» Viruses on smartphones: security's new frontier

Mobile phones are the new frontier for cyber criminals, according to the latest research from McAfee. That may sound like a scary headline, but as phones have become more sophisticated, so this new development became inevitable.

Traditionally, cyber criminals have concentrated on the biggest targets, too: so for computers Microsoft has always attracted far more attention than Apple, and on mobile phones Nokia’s Symbian OS was hacked most often. Now as Android has finally begun to take Symbian’s place and the iPhone’s dominance is well established, that operating system too is being examined more closely.


Posted on February 21, 2011 at 10:24 AM | Permalink

» ID Fraud: New Accounts Most at Risk

The latest consumer fraud trends suggest that financial institutions must provide increasing leadership in the fight against identity-related fraud.

According to new findings from Javelin Strategy & Research, consumers and law enforcement alike now turn to banks and credit unions for more sophisticated detection and prevention when it comes to the misuse of stolen identities to open new accounts.

In its annual Identity Fraud Survey report, Javelin finds that losses from new account fraud far exceed those associated with other types of ID fraud. Moreover, new account fraud is harder to detect.

"I think the weight of solving the problem will ultimately fall on the banks, because the criminals go where the money is. Criminals don't make money in identity fraud unless they turn it into cash," says James Van Dyke, president and founder of Javelin. "That's why it's important for banks to keep up-to-date on all of the types of fraud that are out there."


Posted on February 21, 2011 at 10:24 AM | Permalink

» Reading the Junk Mail Could Prevent Credit Card Fraud

Don’t throw out that junk mail after your daily trip to the mailbox – a quick check could reveal an identity theft crime committed against you.

One way thieves can hit you is by using credit card confirmations with your card number – but somebody else’s name. ID criminals are counting on the fact that you won’t check your junk mail, which is exactly why you should take a closer look.

One Texas man almost learned that lesson the hard way. Don Sickel, a resident of Grayson County, Tex., told KTEN News recently that he was about to throw away his junk mail when he had second thoughts. Opening his mail, Sickel noticed that a credit card had been opened in another person’s name – but with his credit card number.


Posted on February 2, 2011 at 09:31 AM | Permalink