Internet Articles (2015)
hen MasterCard International reported that hackers exposed over 40 million credit card holders to the same type of panic witnessed during the Crash of '29 was seen everywhere in the financial world from the Ivory Towers at Wall & Broad Streets in New York and the Sears Tower in Chicago to the halls of Congress in the nation's capital. Of the 40 million credit card records now at risk, 13.9 million of them were for MasterCard holders. Twenty-two million of the records were for Visa. The balance, approximately 4.1 million belonged to Discover and American Express card holders.
The announcement by MasterCard International was the second potential identity theft scandal in as many weeks. If you recall, UPS lost the credit information on about 3.9 million Citigroup customers on June 6 while transferring computer tapes to a credit-reporting company. The computer tapes were not encrypted which means anyone who got them had immediate access to a ton of information about Citibank's customers.
Identity theft is now the most prevalent crime committed in America. Criminals like it because the victims don't realize they've been victimized until the bills start arriving in the mail. By that time, the thieves have vanished into cyberspace and are victimizing someone else. In the five years since identity theft was defined as the most major threat facing retail stores and financial establishments, over 27 million Americans have had their identities stolen. The average theft is $1,851.58 although some victims have experienced losses of $100 thousand or more. Stephanie Holmquist Johnson of Plant City, Florida (a suburb of Tampa) lost $60,000 to identity thieves. Her life changed for the worse the day after her wedding. No, we can't blame her husband. We'll blame the mailman since he brought her the bad news. Checks she never wrote began to bounce. Stores she never did business with wanted to arrest her. By the time Johnson realized what she initially thought was a simple error was, in fact, a crime that cleaned out her savings, it was too late to implement measures to protect herself. Today, some two years after the fact, Johnson is still trying to get her credit records cleared and retailers in her area to take her checks.
To make matters worse for Johnson, the local Plant City or Tampa police nor the Hillsborough County Sheriff's Department didn't seem concerned enough to help. Granted, she was the victim of a crime; but they weren't equipped to help her. Identity theft was a crime that usually leaves no fingerprints behind. They wrote a report.
Two years later Hernando County Sheriff's detective Harold Varel was given a day planner that a good Samaritan turned in to the Sheriff's Department. A man had left his day planner (complete with an assortment of counterfeit ID cards) on the roof of his car, and drove off. The planner fell on the ground. When the Sheriff's Department looked for ID to call the owner of the planner to tell him he could pick his property up at the Sheriff's Office, they weren't quite sure which "person" to call. So they called Varel and turned the problem over to him. Starting with the 23 pieces of ID in the planner, Varel uncovered 100 bogus identities (some real, some phony) before Varel tracked down and arrested the identity thief2 years and a couple hundred thousand dollars later.
As Deputy Sheriff Varel was putting an end to Johnson's nightmare, Jody Bernet, a 43-year old disabled woman who lives in Palm Harbor, Florida was just preparing to embark on her own nightmare. She opened her emails one evening and found one from PayPal, which she uses to purchase items she needs over the Internet. The email warned her of suspicious activity on her PayPal account and asked her to verify her account information. She did. She became one of the suckers who got hooked on a phishing scheme as Internet spammers trolling for victims found one that took the bait. When Bernet received her bank statements, she discovered her savings account had been cleaned out and her checking account was overdrawn. In the State of Florida, identity theft is a crime worth 30-years in the State penitentiary.
However, so few identity thieves are actually caught that most feel the risk is worth the reward. In Bernet's case, even after PayPal learned that thieves had raided Bernet's checking and savings accounts through PayPal, they would not cooperate with efforts by revealing the name or address of the person who raided her account. You might keep that in mind the next time you think about using PayPal. PayPal's own internal computer security system should have at least detected an anomaly in the buying pattern on Bernet's account and raised a red flag.
The scammers who use these ploys take care to clone facsimile websites of the companies they claim to be representing so when the victim visits the site to update their personal information, they are none the wiser. Anytime you receive an email from someone purporting to be your bank, your credit card company, or a retail store with which you do business on a regular basis and/or have a credit account with them, do not respond to them by email. Pick up your landline telephone and physically call them. Direct your inquiries to the accounting department of that bank, credit card company or department store.
It would be wise for eBay, PayPal and all other online merchants and banks to prominently display a SUSPICIOUS ACTIVITY NUMBER on the front page of their website for their existing customers to use in the event they receive an email or a letter from a suspected identity thief purporting to be them, and asking for confidential information about the account holder. (Note to the reader. You might pass this information long to your bank, credit card company, eBay, PayPal or any online retailer you regularly do business with.)
Everyday, hundreds of thousands of American consumers receive emails purporting to be from PayPal, eBay, and an assortment of banks from all over America warning you that "suspicious activity" is taking place within your account. Of course when the email is from a bank you don't use, you know its a scam since you don't have an account that could be having "suspicious activity." But for some strange reasoneven after receiving scores of phishing expedition scam emails (which hopefully you forwarded to the FBI or your State police agency)when the identity thief's score by correctly naming your bank, your credit card company, or one of the retailers you do business with, you accept it at face value and, without a second thought, send them confidential information about your account with that bank, credit card company or retail establishment. You have just been hacked; and your nightmare has just begun.
But you don't even have to do that to have your identity stolen. All you have to be slow in picking up your mail from your roadside mailbox; or forget to visit your local post office and ask them not to deliver any mail to your address when you are on vacation. Also, never mail anything from your roadside mailbox. When you put up the flag for the mailman to see, the passing opportunists sees it, too. If you are paying your mortgage, your credit card bills or your department store charge accounts, you've just given an identity thief more information than he could get in a month of trash pickup days. You just gave him [a] your checking account number, [b] your credit card or department store credit account numbers, [c] the billing address on your credit cards, [d] the amount of available credit on your credit cards, [e] the name of the bank or mortgage company carrying your mortgage, and [f] all the information an identity thief need to refinance your home. Jesse James never had it this easy.
When Anthony Brannon of Inverness, Florida left for work early one morning last year, he did what he'd been doing for years. He placed all of the bills he'd written out the night before in the mailbox for the mailman to pick up. He put up the flag. He drove off to work. Because he didn't get any "incoming" mail that day, the mailman never even glanced at his box for "outgoing." But someone else did.
When Brannon arrived back home from work that evening, he stopped to get the mail. The flag was still up, telling him that the mailman had not stopped. Believing the mailman had simply not picked up the mail that day, he went into the house. The Brannons did not know it yet, but their identity had been stolenor would be stolen during the night. Their nightmare was just about to beginbut it didn't start with a cyberthief.
Lee Brannon, Anthony's wife, was stil not suspicious at the end of the month when she got statements from her creditors and several of them showed past due balances when she knew they had been paid.
When her checking account statement arrived, she simply checked the statement for the missing payments, confident they would be there. What she found, instead, was a suspicious amount charged to her account. She went to the bank. They pulled up a "check by phone" transaction. When she convinced the bank that neither she nor her husband had authorized the check, the bank issued a creditand placed an alert on her checking account. As a result, the Brannons did not lose any money. The bank provided Lee Brannon with a copy of the draft that triggered the withdrawal of funds from her checking account. On the draft was an 800-number for the online business which accepted a draw on her checking account as payment for services. The thief had used her checking account to pay for membership to an Internet porn chat room.
Since the porn site was apparently accustomed to plausible deniability when wives found out what their husbands were doing behind their backs, the online chat room wisely made an audio tape of all sales transactions. When Lee Brannon insisted her husband didn't join a chat room, the company played the recording of the man was claimed to be Anthony Brannon when he set his chat room account. (Brannon was lucky they recorded the voice of the person claiming to be him. I expect it kept him out of divorce court.) I guess the thief was afraid that if he used either his own checking account or credit cards to join an online porn chat room he'd have a tough time explaining it to his wife. He'd rather risk 30-years in prison for identity theft. Makes sense to me. But the fact that the identity thief did not try to open credit accounts in Brannon's name suggests to me that the thief who "hit" Brannon's mailbox was someone who knew himor was, at least, someone living within a 3 or 4 mile radius of his home.
While it is a federal crime to steal maileven billsfrom anyone's mail box, or opening someone else's mail that was inadvertently delivered to you by mistake is also a crime. You might keep in mind that the next time the mailman delivers your neighbor's mail to your house. Be a good samaritantake it to him. Hey, the neighbor might make a good cup of coffeeor have a cold one in the frig.
Sen. Patrick Leahy [D-VT] one of several lawmakers who are frantically working on identity-theft legislation noted that it's "...like the Wild West out there." Leahy commented that the problem, as he saw it, was that "...the handling of electronic data is weighed heavily to the convenience of the corporate world at the expense of consumers."
To make "instant credit" instantaneous, the information America's retail community needs to make credit decisionsyour credit history and the current balances on your credit cardshas to be readily available to the merchants who offer consumers the convenience of buying by credit card. But, what is convenient is also going to be problematic since data that is not shielded by an impenetrable firewall is available to any computer hacker who knows how to farm this data from the weakest link in the datastream.
In this case, the weakest link was CardSystems Solutions, Inc. of Atlanta, Georgia. CardSystems is a credit card processing company who acts as clerical middleman between MasterCard, Visa, Discover, and American Express and the retailer. While they process credit card payments for several banks, CardSystems is the processing agent for Merrick Bank Corporation of South Jordan, Utah and Provident Bank of Cincinnati, Ohio. CardSystem's job is to make sure the correct bank is charged for the money that is then transferred electronically to the retailer who sold the goods. What companies like CardSystems do are simple routing transactions. One, two, three. Done. Gone.
Not only was there no logical reason for CardSystems to have a database of the credit card transactions they processed, under their contractual agreements with credit card companies, processors are not allowed to retain any cardholder information after processing the transactions. Joshua Peirez, an official for MasterCard told the New York Times that "...CardSystems provided services, and is supposed to pass that information on the banks and not keep it. They were keeping it."
On May 23 when CardSystems Solutions learned their firewalls had been breached over the previous weekend, and data from 40 million credit card accounts had been hacked, they called the FBI, which is now investigating the theft. What is most interesting about the theft from CardSystems Solutions is that there was no logical reason for hackers to penetrate their firewalls since credit card processing companies aren't allowed to possess a database of the transactions they process. Cyberthieves, who risk a 20-year prison term just for hacking the firewalls of a financial institution, would very likely know that, and wouldn't waste their time. The fact that they did suggests the hackers knew CardSystems had a database it wasn't supposed to have and perhaps thought they wouldn't report the theft.
John Perry, CEO of CardSystems said they had the database for "research purposes" to determine why some transactions registered as either "unauthorized" or "uncompleted." But, he admitted, his company should not have had the database.
Credit card users using MasterCard or Visa cards issued by Provident or Merrick Bank should demand that their credit be frozen to prevent identity theft until the FBI gets to the bottom of the theft at CardSystems. A credit freeze prevents lenders and other interested parties from reviewing a person's credit history for any reason. Since lenders need to see credit histories before issuing new credit, identity thieves can't open fraudulent accounts using the names of people whose identity they stole over the Internet.
By January of this year only three StatesCalifornia, Louisiana, and Texashad adopted credit-freeze laws that allow consumers to freeze their own credit to prevent identity theft. On July 1, Vermont will be the fourth State to have a credit-freeze law. Three weeks later Washington State will become the 5th. And, on Feb. 1, 2006, Maine will become the 6th State. Twenty other States have bills pending in their legislatures that will allow victims of identity theft to freeze their own credit to prevent identity thieves from profiting from the theft of their identities.
On the last day of Utah's legislature, a credit-freeze bill was defeated because car dealers opposed it, arguing that such legislation would hurt their business since, they said, most car buyers want to drive their new car off the lot the same day they pick it out. If the sale is delayed because an extra day is required to obtain credit information, the dealers claim they would lose a percentage of the sales they would otherwise get.
Clearly, it doesn't matter to the car dealers that having easy access to the customer's credit history means identity thieves can get the information just as quickly as they do. Clearly, the ability to freeze your credit benefits only the consumer. It doesn't help the business ownerwho really couldn't care less if someone steals your identity an hour after he sells you a car. He got his sale. Some States, mindful of the demands of the business interests that fill the campaign coffers of the State politicians, balance the need for privacy of the consumer with the need of the business owner to gain quick access to your credit informationeven if you have not signed a release authorizing them access to that information. Just for the sake of example, within the last two week I received three "preapproved" money offers from mortgage companies (including my own) to refinance my home.
One of them, Willy-Wonka Finance, (I changed the name of the real company since I don't want to give them a free plug) contained a printout that showed my current mortgage less escrow payments and the total amount my wife and I owe on our credit cardsand the amounts we paid on those credit cards two months ago. The information was providedor rather, soldto that mortgage company by Equifax. Willy-Wonka Finance had no conceivable right to confidential information about my credit historyeven if it was obtained to make sure it would be a prudent investment on their part. Period.
That is what's wrong with the system today and why identity theft has become so rampant. The safeguardour signaturesthat allowed them access to our credit history is no longer required because we are no longer people to the banks and finance companies of America. We have been reclassified as human capitala commodityto those who now profit from us twice. They profit from us first when we do business with them. They profit again when they sell the database that contain confidential information about us to companies like Equifax that sell our credit history to direct marketers with whom we've never done business and likely never would under normal circumstances.
The data Willy-Wonka Finance purchased to make their sales pitch to me was information they should not have been allowed access to. They got it because they paid Equifax or someone like Equifax for it. Credit agencies profit by selling your credit historygood or badto any merchant willing to pay for it. Unfortunately, the more times those databases are sold, the less secure that information becomes. Thus, because of the greed of bankers, merchants and the purveyors of electronic data, we are at risk from identity thieves. The legislation that Leahy and other members of Congress should be sponsoring is not a law to regulate how this "product" (information about us) is sold, but rather, it should be a law to repeal all of the laws enacted by previous Congresses that gave profiteers access to our credit histories without our authorization. Particularly since that "confidential information" is so secretive that we pretty much have to retain a lawyer to access our own files at the local credit bureau. What's wrong with this picture?
As a result, the faster growing online industry today is selling "dumps." Black marketers like ZoOmer sell dumps. A dump is a stolen credit card number. Dumpsters operate in the cybershadows (the online equivalent to "back alley) all over the world,using sophisticated electronic cloaking devises to conceal where their websites transmit from. For $100 ZoOmer will sell you a Gold or Platinum Visa or MasterCard credit card number. (You can buy them as cheap as $50.00.) With it, you get the card owner's name, billing address, phone number and even the card's expiration date. When you get caughtas most amateur identity thieves do since even though they want the credit card bills to go to the real card owner, they want to the merchandise they purchase to come to them, and have it shipped to their homes or PO boxesyou are facing a stiff prison sentence. The dumpster simply moves on, continuing to hack the most vulnerable data centers to steal even more credit information. According to the Federal Trade Commission, approximately 10 million Americans have their identities stolen each yearand the number is growing.
The hottest commodity on the black market todayand the most lucrative for the identity thief is the COB Dump. COB is an acronym for "change of billing." COB dumps are those in which the illicit buyer can change the billing address through the PIN number that is sometimes linked to the confidential information about the card holder. Usually the COB will be a PO Box that is opened under the cardholder's name in another city or State. This allows the person who has assumed your identity to receive the merchandise he or she is buying with your creditand, at least until either the fraud is discovered or suspected, or the bank cuts off the cardholder's credit due to nonpaymentavoid apprehension. If he or she can secure enough of your credit and personal history, many times the identity thief will simply assume the complete identity of his or her victim, virtually becoming that person in another Stateeven to the point of borrowing the victim's scholastic records and work history to get a job and buy a home or car. When they become tired of being their victim (usually when they are being devoured by unpaid debt, they simply pack up and resume their former identity leaving their victim to face the debts they created.
As society becomes more cybermobile, and consumers learn they can buy anything they want on the Internet without ever leaving the sanctuary of their homeincluding a new caronline commerce will slowly begin to encroach on onsite consumer sales and the purveyors of identity theft will become even more emboldened as the opportunity for profit soars.
Tragically, the efforts by online companies to improve web security by building even more complex firewalls is more an illusion than fact since a good hacker can usually find his or her way around any firewalleven those in the US Justice Department or the Department of Defense.
It is important for any online business who transacts business with credit or debit cardswhich is virtually every online business in the worldto make consumers feel "safe." While most online businesses have fairly secure firewalls and have never been hacked, it is only because they aren't worth the effort of a good hacker.
Hackers who have the talent to crack the firewalls of America's Fortune 500 companies are looking for bonanza web sites with enough data to make the visit profitable. Generally the hacker wholesales the data he steals for pennies per name. Hackers will theoretically go to prison just as long for hacking a mom and pop website as they will for hacking someone like Citigroup or CardSystems Solution. The tough new identity theft lawsand stiffer penalties for cybercrimescombined with encryption devises that are supposed to be uncrackable offer the consumer a false sense of security because, it seems, the more laws that are created to punish the law breaker, the greater the demand from greedy bankers and merchants to provide easier and swifter access to confidential credit information to accommodate impatient customers who want their new car yesterday.
Add to that the purveyors of electronic data who will sell your credit information to anyoneeven to identity thieves themselves who have learned how to move about in the highly structured world of electronic data sales. The online sale of credit history and raw consumer data is a complex world of buyers, sellers and intermediaries offering temporary visas to the power players. The players come from all over the world. Most of today's cybercriminals are headquartered in Russia, the Middle East, Africa or China since these are the safest portals from which to operate. There is less risk of being caught, and more of an opportunity to buy yourself out of trouble if you are arrested.
Generally, buyers and sellers of stolen identities meet online. Both become invisible the moment the sale is made. Spammers are the fuel that speed the trafficking of identities between buyers and sellers. Scam spamming can also be very dangerous for the recipient of the spam since some of the most prolific "phishers" of data use seemingly harmless emails."What was your mama's maiden name?" is one of those innocuous questions that most of us would answer without a second thought. Yet, how many of us use our mother's maiden name as the secret question we answer to regain a forgotten password? What information did you provide the spammer the first time you learned that Bill Gates wanted to give you a new computer for a "marketing test?" How many people sent in their social security number to spammers purporting to be the Rockefeller Foundation or the Carnegie Trust to get $100 they prepared to give to every American for completing a simple survey? Most of these phishing expeditions will net the spammer hundreds, if not thousands, of names, addresses, phone numbers and, yes, even social security numbers. Hard to believe, isn't it? We're all supposed to be intelligent adults (since we know how to use computers), but apparently once we loose all of our teeth, we start believing in the tooth fairy. "You are the lucky winner of the Irish Sweepstakes. (Stop and think...did you ever buy a ticket?) As soon as we receive your social security number so we can notify the federal government that you just won $10,000,000.00, we will send a cashier's check in that amount, less taxes, to MR. JOE STUPID (of course, that's where you name fits).
We just don't realize it but, that black hole known as the cyberworld is just as dangerous as any back alley in New York, Chicago or Washington, DC after midnight. It's a place where we get held up without evening knowing we've been robbed, or sexually assasulted without knowing it until a friend or neighbor calls us and directs us to some obscure URL where embarrassing photos or informationsometimes true, sometimes falseabout us or members of our family, is displayed. This is now the world in which we live. We need to learn how to protect ourselves from it.