October 10, 2011 – Tracy Kitten, Managing Editor
The biggest ID theft bust in history is the result of equally impressive international cooperation, observers say.
On Oct. 7, the District Attorney of Queens County, N.Y., and City of New York Police announced the results of a two-year investigation that resulted in the biggest identity theft takedown in U.S. history.
The elaborate scheme, which involved five organized crime rings with ties to Europe, Asia, Africa and the Middle East, resulted in financial losses exceeding $13 million over a 16-month period.
So far, 111 individuals have been indicted, and authorities say 86 are now in custody.
McAfee consultant Robert Siciliano says the bust is a reflection of more international cooperation. “Despite bad blood between countries and their politics, when it comes to fraud regarding economic systems, governments and their security forces are coming together like never before,” he says.
Dubbed “Operation Swiper,” the investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of telephone conversations, many of which required translation from Russian, Mandarin Chinese and Arabic.
The fraudsters’ focus: credit card fraud, which exploited magnetic-stripe weaknesses the criminals could use to their buying advantage in the United States. Chip-and-PIN technology, known as the Europay, MasterCard, Visa (EMV) standard in other parts of the world, is not widely deployed in the U.S.
More than 90 of the defendants have been charged with Enterprise Corruption under New York State’s Organized Crime Control Act. They are accused of being members and associates of organized criminal enterprises that operated in Queens County and elsewhere. Between May 2010 and September 2011, the defendants allegedly defrauded thousands of unsuspecting consumers, financial institutions and card brands, including American Express, Visa, MasterCard and Discover Card.
According to the indictments, the defendants fraudulently obtained credit card numbers that were used to create counterfeit credit and identification cards.
Card numbers are believed to have been sent to crime bosses from individuals in Russia, Libya, Lebanon and China. U.S. employees at restaurants, bars, retail stores and financial institutions also have been linked, using handheld skimming devices and illegal websites to collect consumers’ card details.
The counterfeit cards were supplied to hired shoppers who were instructed to purchase high-end electronics and other merchandise, items that could easily be fenced and re-sold, usually over the Internet. Some of the shoppers also have been accused of using counterfeit cards to stay in five-star hotels and rent luxury cars during their so-called shops. In one case, a shopper allegedly commissioned a private jet to travel from New York to Florida.
Fraud analyst and consultant Jerry Silva says the busts should serve as a wake-up call about the growing threat of insider fraud. The use of money mules at restaurants and bank branches is a particularly disturbing part of the case.
“For banks, this calls for renewed focus on employment policies, security measures at the point of customer contact and, at the legislative level, new and stiffer laws and penalties covering workers entrusted with sensitive information – and I would include waiters and merchants in the same breath as bank tellers and representatives – that are found to be misusing or collecting financial data.”
Some 20 defendants also have been linked to suspicions of burglaries and robberies throughout Queens County. Seven have been accused of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.
“This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across,” said District Attorney Brown. “Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions. … Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”
EMV: Lessons for the Financial Industry
International cooperation among various law enforcement agencies and governments cannot be ignored. John Buzzard, who tracks card transaction anomalies for FICO’s Card Alert Service, says that level of global interaction is helping to bring down more crime rings than the average consumer realizes.
But the case also highlights the need for a more global approach to payments security. The United States’ slow migration away from mag-stripe payments is definitely enabling a sweet spot for fraud.
“The move to chip cards will make an enormous difference in the way our industry manages risk, with the ultimate goal being a significant reduction [in fraud],” Buzzard says. “The U.S. has finally set its sights on chip cards, and over the course of the next three to four years we are going to see a tidal wave of work (and some critical debate) for getting this incredible milestone accomplished. The U.S. is a criminal’s playground right now, but this arrest is an excellent beginning.”
It’s clear the U.S. needs to move to EMV, many experts agree. And Visa’s recent announcement to support such a move will undoubtedly prove to be the catalyst U.S. card issuers need.
“MasterCard and the other card brands need to do the same thing, beyond the small ATM-Maestro-related announcement by MasterCard following the Visa one, in order for the global card industry to finally eliminate the Achilles heel of the card industry – magnetic stripes on the back of the cards,” says Gartner analyst Avivah Litan.
Enforcement and Global Cooperation
Litan says the international perspective of this bust is interesting. “I think this does point out that U.S. law enforcement has beefed up in multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre-9/11,” she says.
The bust also highlights the growing global nature of financial fraud. That said, organized crime rings are not localized, but their operations often are, says Aite analyst Julie McNelley. “While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens,” she says.
Unfortunately, many more entities were likely involved and will never get charged.
Neal O’Farrell says scams like the one in Queens are taking place in most large cities, and most times go undetected, uninvestigated and unprosecuted.
“We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up,” O’Farrell says. “The big problem we’re seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there’s little left to prosecute.”
Bank Account Details Revealed in Statement Mailing Mistake
October 24, 2011 – Tracy Kitten, Managing Editor
Wells Fargo Bank says a printer malfunction is at the root of a bank statement mix-up that resulted in the exposure of account details for what could turn out to be thousands of Wells customers.
Josh Dunn, corporate communications manager for Wells Fargo in Charlotte, N.C., says customers with accounts opened in South Carolina and Florida “may have received, in error, pages from other customer accounts,” though the printing malfunction only affected September statements.
The malfunctioning printer is no longer in service and is being analyzed, Wells says. The printing error is not believed to be connected to Wells Fargo & Company’s [$1.4 trillion in assets] merger with Wachovia Corp., a conversion that was completed in January 2009.
“Though we believe the risk of compromising a customer’s account is low, we are providing all customers whose statements were printed by the malfunctioning printer with one year’s worth of free ID theft protection,” Dunn says. “We don’t know how many accounts were affected, but even one is one too many.”
Corrected statements are being mailed to all potentially affected customers.
ID Theft: Concerns Mount
The Queens identity theft scheme described above involved five organized crime rings with ties to Europe, Asia, Africa and the Middle East and resulted in financial losses exceeding $13 million over a 16-month period.
Phil Blank, managing director of security, risk and fraud for Javelin Strategy & Research, calls the Wells incident astonishing. “It represents a failure in basic ‘block and tackling,’” he says.
The cause of what Wells has defined as a printer malfunction is concerning. A systems upgrade, such as the one Bank of America in recent weeks pointed to as the catalyst for online-banking interruptions its customers faced, could be to blame.
“It could have been some new piece of code that was introduced that obviously did not work as planned,” Blank says. “Another part of me can’t help but wonder if perhaps it is the result of a piece of malicious software introduced somehow into the Wells network. It could also have been as simple as human error not caught by a process check.”
It will likely take weeks before causes for the printing malfunction are discovered and revealed. For now, Wells must focus on the customers it has exposed to potential fraud. “They should immediately reach out to those affected, assuming that they can figure out exactly what happened here and who was affected, and set them up with new accounts,” Blank says.
Hackers expose Citibank CEO’s privates – Revenge strike against cuffing of Occupy Wall St protesters
The Register, By John Leyden, October 18, 2011
Hacktivists have published a dossier of personal information on the head of Citigroup in retaliation for the cuffing of protesters at an Occupy Wall Street demo. Members of a group called CabinCr3w, a hacking gang affiliated with Anonymous, revealed phone numbers, an address, email address and financial information on Vikram Pandit, Citigroup’s chief executive officer.
The exposé follows the arrest of a group of anti-capitalist protesters who allegedly sparked a ruckus inside a Citibank branch while withdrawing funds and closing their accounts. About 24 people were detained and charged with criminal trespass on Saturday afternoon, The Wall Street Journal reports.
In a statement, Citibank said only one of the protesters was actually trying to close an account, a request that it said was accommodated. The rest of the group were causing a nuisance and were repeatedly asked to leave before the New York City plod were called. Last week Citigroup supremo Pandit offered to meet protesters, telling Businessweek that their sentiments were “completely understandable”.
CabinCr3w previously published the personal information on the chief executives of JP Morgan Chase and Goldman Sachs. It also published the details of an NYPD officer accused of pepper-spraying Occupy Wall Street protesters.
http://www.theregister.co.uk/2011/10/18/citibank_boss_doxed/
New York Times, By JOHN MARKOFF, October 18, 2011
The designers of Stuxnet, the computer worm that was used to vandalize an Iranian nuclear site, may have struck again, security researchers say. Stuxnet, which infected tens of thousands of computers in 155 countries last year, created an international sensation when experts reported that it was designed as an American-Israeli project to sabotage Siemens Corporation computers used in uranium enrichment at the Natanz site.
The researchers say the new malicious program, which they call Duqu, is intended to steal digital information that may be needed to mount another Stuxnet-like attack. The researchers, at Symantec, announced the discovery on the company’s Web site on Tuesday, saying they had determined that the new program was written by programmers who must have had access to Stuxnet’s source code, the original programming instructions.
“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” the Symantec researchers said. “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.” They said the Duqu program was found in Europe in a narrowly limited group of organizations, “including those involved in the manufacturing of industrial control systems.”
http://www.nytimes.com/2011/10/19/technology/stuxnet-computer-worms-creators-may-be-active-again.html?_r=1&nl=technology&emc=techupdateema3
Des Moines Register, October 19, 2011
A United Methodist congregation made up of inmates at the Iowa Correctional Institute for Women in Mitchellville said an Indianola woman and former inmate used its volunteers’ personal information to steal 40 identities. Women at the Well United Methodist Church said Shelley Bridges, 37, obtained victims’ personal information, including Social Security numbers and birth dates, while she worked for the organization as an administrative assistant in 2007.
Volunteers are required to submit the information to the organization before they can be granted clearance by the prison. Bridges was originally charged with 40 counts of identity theft; those charges have been replaced with a felony count of ongoing criminal conduct.
http://www.desmoinesregister.com/article/20111019/NEWS/111019005/-1/GETPUBLISHED03wp-rss2.php/Inmate-church-says-identities-were-stolen
The Korea Herald, October 17, 2011
SEOUL – A suspected hacker wanted on suspicion of stealing customer data earlier this year from Hyundai Capital, an affiliate of South Korea’s top automaker, has recently been arrested in the Philippines, police here said Monday. The 35-year-old man, identified only by his surname Shin, allegedly broke into the computer system of the financial firm several times between February and April this year to steal personal information of nearly 420,000 customers.
Shin was hired by three South Korean men who masterminded the cyber attack and received some 35 million won (US$30,707), which was part of 100 million won the trio squeezed from the financial firm in exchange for not releasing the data, according to the police.
“Shin was caught by the Philippine police earlier this month, and has been in their custody,” said an officer of the Seoul Metropolitan Police Agency (SMPA) which is in charge of the case. “The Philippine authorities are now checking whether he is involved in other crimes there.”
Shin, known as a hacking expert, is expected to be either extradited to South Korea or deported for illegal stay from the Southeast Asian country where he has lived since 2007 after fleeing from several hacking crimes in South Korea, according to the investigator.
http://www.koreaherald.com/national/Detail.jsp?newsMLId=20111017000845
InfoSecurity Magazine, October 14, 2011
The Social Security Administration (SSA) has failed to notify close to 32,000 people that their social security numbers were mistakenly disclosed on the SSA’s death master file, a public database that provides information on deceased US citizens as a death verification tool. The SSA is not required by federal law to inform individuals who are mistakenly placed on the death master file that their names, dates of birth, and social security numbers have been publicly disclosed through the file.
SSA officials estimate that 14,000 living individuals are mistakenly placed in the file every year, according to a report by the Scripps Howard News Service. The news service reviewed the death master file for the past three years and found 31,931 living US citizens classified as dead.
John Jared, a retired University of Tennessee professor who was listed in the file, said that the reports of his death are greatly exaggerated. “I certainly have never been warned about this. I totally object to that. That’s just not supposed to be public information, especially not my social security number. This needs to be corrected”, Jared told the news service.
Reporters working for E.W. Scripps’ newspapers and TV stations interviewed dozens of people who experienced data breaches as the result of what the SSA termed “inadvertent keying errors” by federal workers when entering what was supposed to be information only about the dead. None of those interviewed said that the agency warned them about the breach of their confidential information. Most said they only found out about the mistake when they experienced frozen bank accounts, canceled cellphones, declined credit-card applications, denied apartment leases, or refused loans, the report said.
http://www.infosecurity-magazine.com/view/21383
Network World, By Andreas M. Antonopoulos, October 04, 2011
Failing an audit sounds like the last thing any company wants to happen. But that’s because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a “friendly” exercise rather than in the real world.
If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you’re not failing any audits there are two possible explanations: 1) You have perfect security. 2) You’re not trying hard enough. I’ve never met a security person who will claim they have perfect security.
Nemertes research further illustrates this issue. In our most recent benchmark we found that in the past three years 36% of companies had suffered a breach and yet only 15% had failed an audit. I can’t emphasize this enough: Those numbers are *backward*. Companies should be failing audits, whether internal or external, far more often than they suffer breaches. The fact that few companies are failing any audits should be cause for concern, not celebration.
I would celebrate if there were no companies suffering from actual security breaches because then we could assume that the audits were working: uncovering problems to fix them before they became breaches. But unfortunately, it seems that audits are not thorough enough, consistent enough or “hard” enough. If you accept that the purpose of internal or external audits is not just to “prove” security but to “improve” security, then the audit should subject the company to enough pressure to validate that it can withstand a security breach.
http://www.networkworld.com/columnists/2011/100411-andreas.html
SC Magazine, By Angela Moscaritolo, October 12, 2011
Hacks targeting the retail sector have increased 43 percent since last year, largely due to an increase in SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks. During the first nine months of 2011, Dell SecureWorks blocked an average of 91,500 attacks per retailer, compared to 63,651 during the final nine months of 2010.
The rise is primarily due to an increase in SQL injection assaults against servers, as well as attacks stemming from web-based exploit kits, Ben Feinstein, director of operations and analysis with the Dell SecureWorks Counter Threat Unit, told SCMagazineUS.com on Tuesday. Other verticals have also experienced an increase in attacks, though not to the same degree as the retail sector, he said. Merchants are being more heavily targeted than those within other sectors, likely because they maintain vast amounts of information that attackers want, and often have less stringent security controls.
Specifically, attackers have been hitting retailers hard with injection attacks, a technique for exploiting web application security flaws by inserting malicious SQL code in web requests. Though this type of attack has been well known for some time, it still proves successful for cybercriminals.
http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
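The flaw the article describes, a request parameter pasted into SQL text, shown next to the hardened form that closes it. This is an added example, not code from Dell SecureWorks or the article; the customer table, the row values and the request values are constructed for illustration, and SQLite stands in for whatever database a retailer would actually run.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table
# (assumption for this example; not from the article).
CONSTRUCTED_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The defective pattern: the request value is concatenated into the SQL
    string, so the database parses whatever the client sent as part of the
    statement. This is the weakness the article calls SQL injection."""
    sql = "SELECT id, username FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form: the statement text is fixed and the value is bound
    as a parameter, so the driver never interprets it as SQL."""
    sql = "SELECT id, username FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a benign value and against a constructed
    tautology value, and return the four result sets for comparison."""
    conn = make_db()
    benign = "alice"
    # Constructed request value: it closes the string literal and appends a
    # condition that is always true, which is the textbook injection probe.
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the benign value both functions return the single matching row. Against the tautology value the concatenating version returns every customer, because the condition became `username = '' OR '1'='1'`, while the parameterized version returns nothing, because no customer is literally named `' OR '1'='1`. The fix is the fixed-statement, bound-parameter pattern; input filtering on top of it is defence in depth, not a substitute.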
Wired, By Kim Zetter, October 7, 2011
More than a year after thousands of classified and sensitive U.S. government documents were leaked to the secret-spilling site WikiLeaks, the White House has issued an executive order designed to improve the security of classified networks and prevent further leaks. The so-called “WikiLeaks Order” (.pdf) was issued by President Obama on Friday and largely focuses on establishing committees, offices and task forces to work on implementing a balance between the needs of federal agencies to access classified data and the necessity of securing that data against improper usage and leaks.
To the latter end, the order requires federal agencies to have built-in auditing systems to monitor access to data. It also establishes an interagency Insider Threat Task Force, led by the attorney general and the director of national intelligence, to establish policies and evaluate the efforts by agencies to spot and deal with discontented personnel who may be at risk of leaking classified information. The order also calls for minimum standards to be developed for securing information and systems.
A steering committee will oversee the implementation of the orders and will be chaired by senior representatives of the Office of Management and Budget and the National Security Staff, but the secretary of defense and the director of the National Security Agency will be responsible for developing technical safeguards to protect classified information on networks.
http://www.wired.com/threatlevel/2011/10/white-house-wikileaks-order/