Facebook - Are Those Annoying Applications Stealing Your Identity?

Date May 6, 2008

Anyone who has used Facebook knows all about the non-stop deluge of crazy applications that your “friends” have installed and were nice enough to invite you to install. But what do those applications actually do?

We’ve written about identity theft and Facebook before, as well as new Facebook privacy controls. The BBC’s show Click has an interesting new segment on how easy it is to have your data stolen on Facebook by a maliciously coded app. In fact, they built one!


The Miner Strikes

The Beeb created an application called The Miner in less than three hours. If you installed this app, it would go through your profile and your friends’ profiles:

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

I added the italics - note that your friends, even if they never installed the application themselves, would be victims.

Now, you might be thinking “why would I be stupid enough to install an application called The Miner?”. Fair enough, but there is absolutely nothing to stop someone from putting similar code inside some other “fun” application like a game, photo app, quiz, whatever.


Facebook’s Response

Facebook’s response to this was predictably weak.

It told us that it has an entire investigations team watching the site, and removing applications that violate its terms of use which would include our Miner application.

It also advises users to use the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop.

As the BBC mentions, compounding this problem is that applications do not actually run on Facebook’s servers, so the company really has very little idea what is going on.


A Little Protection Goes A Long Way

How can you protect yourself? First things first - when you get an application think to yourself “do I really need to install this?”.

Assuming you do need it, watch the window that comes up when you install the application. Uncheck this setting unless the application really, really needs it:

Allow This Application To Know Who I Am And Access My Information

Aside from that, it is time to take a trip to the Facebook privacy settings and tighten things up there to control who can see what.

The BBC’s Click segment is here, and they have a video about it here (why do you not let us embed BBC, why oh why).

The Best Of Identity Thoughts: April 2008

Date May 5, 2008

There were a lot of interesting cases this month that were captured in ID Thief Thursday. Of course, being tax time, we hit some tax identity theft topics too. Here are some of the best posts from April (in my opinion):

Given that this is such a new identity theft blog, I’d love any and all feedback. What sort of information would you like? Do you prefer the “how-to” articles or more current events? Are you interested in videos? A podcast? Please leave a comment or email me at bd@identitythoughts.com.

Thank you!

Data Breach Sunday: LendingTree Customers Get An Identity Theft Letter

Date May 4, 2008

If you are not familiar with LendingTree, it is a website where you request a quote for a loan and they will provide you with up to 4 loan offers from different vendors. Of course to do that, it is expected that LendingTree will share your information with its partner companies.

Well, according to a letter received by LendingTree customers, some former employees had a nice little side business going. From 2006 to 2008(!), employees have been providing unauthorized companies with access to customer information so that those companies can send loan offers directly.

LendingTree said that this information, which includes name, Social Security Numbers, income and employment info, wasn’t used for identity theft but just for loan marketing purposes. But how do they know?

Customers are understandably upset about the whole thing, but what makes them more upset is the company’s response to the identity theft risk:

In its letter, LendingTree includes a pamphlet called “Guide to Protecting Your Credit and Identity.” Consumers who obtain their credit report and see anything suspicious are told to “contact the credit bureau.”

“We suggest that you remain vigilant by reviewing account statements and monitoring your credit reports for the next 24 months,” the letter says.

The least the company could do is provide a year or two of credit monitoring or something like LifeLock, LoudSiren, or TrustedID. Asking clients to use up one of their “free” credit reports is a little weak.

Does this change your perspective on using vendors that “get offers” on your behalf?

UPDATE: Looks like the lawsuits have started. A Bronx man is suing LendingTree and is trying to get class action status. Also, LendingTree is suing the “unauthorized companies” mentioned above: Newport Lending Group, Sage Credit Company, and Home Loan Consultants.

Source: Red Tape Chronicles

(Note: this post contains affiliate links)

Identity Thief Thursday: Yee-Haw. Cowboy Boots Lead to Identity Theft Arrest

Date May 1, 2008

You know how it goes... you steal some credit cards, go on a buying spree, but just can’t resist those designer cowboy boots. That’ll always get you in the end.

That’s what happened to a charming pair in Bibb County, Georgia. John Fravel and Sebastian Wooley were arrested at a Hampton Inn in Macon, having racked up warrants in Florida and Texas.

Fravel in particular has been under investigation since July 2007 and has at least 40 known aliases.

The pair had previously used one of their victims’ identities to buy a Chrysler 300 in West Palm Beach, Florida. However, it was their trip to Circle Western Wear in Bibb County that was their downfall.

Clerks there reported “suspicious card activity” after Fravel & Wooley walked out of there with $300 custom cowboy boots.

The police tracked them down to the Hampton Inn via the credit card. They raided a hotel room and found Wooley (who is 18 and a minor by the way) with a bunch of fake driver’s licenses, a laptop, and booze.

The cops then went for the room next door:

Fravel, who attempted to prevent deputies from opening the door to an adjacent hotel room, was found in possession of a laptop computer, multiple credit cards in various names, a credit card reader and the wallet of a theft victim from Michigan whose car was stolen in Helen, according to the release.

Fravel is now charged with “financial transaction card fraud, identity theft, theft by receiving stolen property, contributing to the delinquency of a minor and felony obstruction”. Wooley can look forward to “possession of alcohol by a minor and financial transaction card fraud”.

I guess the lesson in all of this is that you can buy cars with stolen identities no problem, but resist the cowboy boots. You’ll never get away with it.

Source: Macon Telegraph

Data Breach Sunday: Ground Zero Workers Potential Identity Theft Victims

Date April 27, 2008

Workers at the World Trade Centre in New York, or “Ground Zero”, have had to put up with a lot - difficult work conditions, bad air, and now exposure to identity theft.

Some binners found a bunch of payroll documents in a garbage can behind 115 Broadway. The union attendance sheets listed names and Social Security Numbers for workers who cleared the debris from Ground Zero back in 2003.

Luckily, the people who found these particular documents didn’t do anything nefarious (that we know of), but instead turned them over to the New York Post. Who knows how long this trashing of documents has gone on though.

Needless to say, WTC workers are not impressed. Here is a quote from the paper:

“The documents should have been shredded. They shouldn’t have been put in the Dumpster like that,” said a worker for the Dockbuilders Union who helped shore up the retaining wall that holds back the Hudson River.

“I’m not happy that my Social Security [number] was in the garbage,” he said, asking that his name not be printed. “At the very least, they have companies that come to do the job of shredding documents.”

Identity theft is not the only threat that the documents posed:

Included in the stash were blueprints for World Trade Center 4 and the temporary PATH station, construction specifications for World Trade Center 7 and plans for the PA Police headquarters.

Needless to say, there is an “ongoing investigation” into who threw this away and how long it has been going on. This isn’t the first time we have posted about sensitive documents in the garbage, and I am sure it won’t be the last.

Source: New York Post

Identity Thief Thursday: Another Cop Charged with Identity Theft

Date April 24, 2008

Here is another case of a police officer charged with identity theft.

We wrote about Brian Coble before, but this time it is Sgt. Mark Warf - an officer from Rutherford County, Tennessee.

Warf is no ordinary beat cop. He was the lead detective on a number of very high-profile murder cases. He had 23 years on the force and there was shock in the community when he abruptly resigned in July 2007.

Today, however, Warf pleaded guilty to aggravated identity theft and now faces 2 years in prison.

The former sheriff’s office employee stole names and Social Security Numbers and charged $23,000 worth of stuff to 17 credit cards.

It seems amazing that a police officer of that standing would throw away everything for $23,000. I wonder what the story is there.

Source: NewsChannel5 & Bad Cop News

House Identity Theft via Craigslist

Date April 22, 2008

We’ve talked about house theft before, but this is a new twist. Red Tape Chronicles has a post about “house identity theft” via Craigslist.

The post gives a few examples:

  • The con artist makes a Craigslist ad with pictures of the outside of an apartment for rent. The ad says something like “I’m out of town for a year, send a deposit and I will send the keys.”
  • In Oregon, a man came home to find his house being ransacked and people walking outside with all his stuff. Someone had posted an ad to Craigslist saying that everything in the house was free to take, and take people did.

You might think that no one would be dumb enough to believe that someone would give away their whole house, or to mail money to someone for keys to a place they have never set foot in, but for the victims of these scams it is a nightmare, and some of the scams are quite elaborate.

From the post:

“They send an application. It talks about the owner being a good Christian woman. There’s an online questionnaire. It’s very thorough,” Siddons said. By the time she contacted msnbc.com, she said she had already tried the police, the FBI, and Craigslist to no avail. “Results: My house is still listed for rent with Craigslist. … I’m concerned that someone will eventually send money.”

Have you ever seen any Craigslist ads that would qualify as “identity theft” to you?

Data Breach Sunday: University of Virginia Laptop Stolen

Date April 20, 2008

Do you use a notebook computer at work? What is on its hard drive? Any data on there that could be considered sensitive, either to your customers or employees? A University of Virginia laptop sure did.

Laptops are one of the most popular things to steal because they are portable, easy to conceal, and fetch a relatively high amount of money. Unfortunately for organizations, too often there is confidential data that goes with it.

That is exactly what happened to UVa. A laptop was stolen that had personal information (at least names and Social Security Numbers) of about 7,000 employees and students.

The police don’t think the confidential information was the target of the theft, and I agree (without knowing the details, it was probably some crackhead looking for a quick buck). Still, this type of breach is unacceptable, and unfortunately all too common.

The University sent out a letter to everyone affected by the breach, but I haven’t been able to find out if they are paying for any sort of identity theft protection. I would hope so.

Victims are understandably upset, like this education student Brian Reed:

Reed said he was “frustrated” that a UVa employee would keep his personal information on a laptop. Too many similar incidents have occurred at other universities and government agencies, he said, for UVa to store sensitive data anywhere other than on secure servers.

“This has happened many times before,” he said.

The University says they are “constantly reviewing and renewing its security procedures” (whatever that means).

Do you have any examples of scary stuff that you have heard stored on employee laptops?

Source: Dailyprogress.com via The Breach Blog

Identity Thief Thursday: Kenyan Tax Fraud & Identity Theft Ring Starts to Crack

Date April 17, 2008

Given that it is tax time, and I’ve written recently about how tax time increases identity theft threat and the dangers of tax fraud, I thought it would be timely to have some tax fraudsters for ID Thief Thursday.

Last summer, 13 Kenyan nationals and 4 Americans were indicted as part of a $13.1 million (!) tax fraud and identity theft ring in Kansas City.

This week two of the accused, Vincent Ogega and Rashira Lewis, pleaded guilty to the crimes.

Nursing Home Racket

The ring would take the identities of seniors in the nursing homes where they worked and then file fake tax refund claims.

Apparently $2 million of claims had already been paid out, while the rest of the scam was caught before the check was cut.

The money was either wired back to Kenya or routed through Kansas City businesses and banks.

Local Business Involved

Rashira Lewis, 20, created a company called Montina Share Vacations which had as its sole purpose receiving fake tax returns and cashing the checks.

Plea Bargain

Vincent Ogega, 23, faced one of the highest penalties: reportedly up to 65 years in prison and a $1 million fine.

As part of the plea deal, they now face up to 20 years and up to $250,000 in fines, but sentencing has not happened yet.

The other members of the ring have not been indicted yet so we will see what happens.

Go Visit Grannie

If you have or know people in these nursing homes, it’s important to recognize how vulnerable they may be to unscrupulous employees. Make sure to stay involved in their lives and their finances (and visit them once in a while, will you??).

Source: Kansas City Business Journal and AllAfrica.com

Debit Cards, Check Cards, Bank Fraud, Oh My!

Date April 16, 2008

When an identity thief steals your credit and racks up charges, that is bad enough. It’s a hassle to fight the card companies and credit bureaus to prove that it’s not your charge. But what do you do when your debit or ATM card has been stolen/cloned? That’s cold hard cash coming out of your account.

You’re Covered

Enter the Electronic Fund Transfer Act. This handy piece of legislation is designed to protect you against, surprisingly enough, fraudulent electronic fund transfers.

The coverage that is provided depends on how quickly you report it:

  • Within 2 business days, your liability is limited to $50
  • Between 2 and 60 business days, your liability is limited to $500
  • After 60 days, you are on your own

But Wait, There’s More

If your card has a logo with a Visa or Mastercard symbol on it such as a Visa Check Card or a Debit Mastercard, they limit the liability to $50 instead of what is outlined in the EFTA. If the cards are used in stores (not at an ATM), they even have Zero Liability, which as the name implies means you’d have no liability for fraudulent charges.

Monitor, Monitor, Monitor

As with many things, the key to this is to be on top of your finances. Check your bank account regularly via online banking so that you can act on any discrepancies as quickly as possible.

When you find an incorrect transaction, call the bank and then send them a registered letter so that you can prove when you reported it. They are obligated to investigate it within 10 days, and if they find an error it must be fixed 1 business day after they discover it.

Do you ever get nervous using a Check Card or other type of debit card?