On Q Professional Investigations

A lawsuit filed in Cook County Court pits a losing applicant in the Illinois Medical Marijuana derby, against the State Department of Agriculture, and indirectly, the biggest winner in the sweepstakes for the coveted licenses.

“In my world, they changed the rules,” says Andy James, chairman of PMRX, the unsuccessful bidder on a cultivation license in District 21. “We had to file a lawsuit to get any information. Nobody’s talking.”

At issue, is the fact that PMRX lost out to Cresco Labs, a seeming marijuana juggernaut which received the three highest scores in the contest for what promise to be lucrative licenses to grow medical pot in Illinois.

The suit contends the state changed the security scoring rules at midstream, converting to pass/fail what had been a numerical score which could have spelled the difference between applicants with close ratings.

“We’re not sure the implementation of the process, i.e. the scoring, was done pursuant to the rules,” James said. And he said one of the reasons for his lawsuit, was to see his own scores, which so far, have been kept confidential.

“Can you imagine a history class, and the only person who gets a grade is the person with the highest score?” he asked. “No sour grapes here. Sure we would have loved to have won the license. But when you spend the money we spent, would just love to know that it was done correctly or fairly.”

James also alleges that someone from Cresco met with then-governor Pat Quinn while the application process was unfolding.

Read More

The Bureau of Justice Statistics (BJS) has a sobering new report finding identity theft cost Americans $10 billion more last year than all other property crimes measured by the National Crime Victimization Survey.

While identity theft cost Americans $24.7 billion in 2012, losses for household burglary, motor vehicle theft, and property theft totaled just $14 billion.

The BJS report measures both direct and indirect losses tied to identity theft. Direct losses, the majority of the $24.7 billion, consisted of the money thieves got by misusing a victim’s personal info or account information. Indirect losses included other costs associated with identity theft — like legal fees and bounced checks.

The BJS’s last report on identity theft, for the year 2010, measured just direct losses and put them at $13.1 billion. While that report didn’t measure indirect losses, a separate research firm called Javelin Strategy and Research found this year that identity thefts are indeed on the rise.

Here are some key points from the BJS report:

85% of theft incidents involved the fraudulent use of existing accounts, rather than the use of somebody’s name to open a new account.

People whose names were used to open new accounts were more likely to experience financial hardship, emotional distress, and even problems with their relationships, than people whose existing accounts were manipulated.

Half of identity theft victims lost $100 or more.

Americans who were in households making $75,000 or more were more likely to experience identity theft than lower-income households.

While the majority of victims spent a day or less resolving the issue, identity theft can also be a drawn-out nightmare. A dramatic instance of ID theft occurred after a man named David B. Dahlstrom lost his wallet in Utah back in 1985. For the next 17 years, a German immigrant named Yorck A. Rogge masqueraded as Dahlstrom, The New York Times in 2007.

The real Dahlstrom was denied a credit card and even received an insurance claim for an accident he had nothing to do with.

In more recent years, identity thieves have begun targeting smartphone users and people who use social media and aren’t cautious about that use, experts told Reuters in 2012.

Javelin Strategy & Research found that year that someone whose information is revealed as part of an online data breach becomes 9.5 times more likely to have their identity stolen.

View Source

ORANGE BEACH, Ala. (WALA) – Records show a former server who worked at Orange Beach restaurants was arrested and charged with 59 counts of identity theft, one count fraudulent use of a credit card, and one count third degree theft of property on Monday, November 25.

Orange Beach Police said Stephanie Marie Brown, 30, was manipulating tips as a server and taking money from unsuspecting customers between April and May.

Police said customers would not notice they were being over-billed until later receiving their credit card statements.

“Victims had contacted the restaurant and had complained to the restaurant about some charges on their credit card receipts were not authorized by them,” explained Greg Duck, Assistant Chief of Orange Beach Police.

Officials told FOX10 News she was a server at Hurricane Grill and Wings and also worked at Shipp’s Harbour Grill.

Managers at Hurricane Grill and Wings declined to talk on camera about Brown, but they did tell FOX10 she was a good employee; she just made some wrong decisions.

We also spoke with the owner of Shipp’s Harbour Grill who also declined to comment on camera, but told FOX10 that Brown stole some $500 from their cash register, and she had not padded any tips at their restaurant. They pressed the third degree theft of property charge against her.

Brown’s listed home address is an apartment in Fredricksburg, VA., but police said she was picked up in Pensacola, where she had been living.

She is being held on $5,000 bond for each identity theft charge and remains in the Baldwin County Jail, totaling to $301,000. Police said her case will go to a grand jury.

It is unclear how much money she stole during the scam.

In the meantime, Orange Beach police warn folks to stay aware of your credit.

“We just want people to understand that it can happen anywhere,” said Duck. “People really need to watch their bank accounts, and their credit card accounts on a daily basis. That helps law enforcement.”

View Source

Hanover VA Oct 20 2013 – Federal and state investigators are looking into alleged misuse of a highly confidential criminal background database used for gun purchases by a former vice president of Green Top Sporting Goods in Hanover County.

State police also have issued a summons charging the vice president, who was the alleged source of the misuse.Court documents and state police are confirming that Michael J. Lynch is facing a misdemeanor charge under criminal statutes that make it illegal to fraudulently seek or provide access to criminal background check information.

Lynch, whose Hanover Avenue home in Richmond has been sold and is empty, is facing an arraignment this month in Hanover General District Court on the misdemeanor, which carries a six-month jail sentence.

Todd Stone, Lynch’s lawyer, said Wednesday his client would not comment on the pending case. “I think we will be able to show that Mr. Lynch is not guilty of what he is charged with,” Stone said.

Green Top, which has been in business in Hanover County since 1947 and is one of the state’s largest retail weapons outlets, recently moved under new ownership and management to a sprawling location on Lakeridge Parkway west of Interstate 95.

State police said this week that Lynch was charged following a criminal investigation “into an unauthorized third party being granted access to the Virginia State Police V-Check program via an employee” of Green Top Sporting Goods.

Information obtained in the criminal investigation also has been referred by state police to the Federal Bureau of Investigation and to the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, which has jurisdiction over Green Top’s license to sell firearms.

A spokesman for ATF in Washington did not return calls seeking information about the status of Green Top’s license.

Lynch, 57, a former Circuit City executive, was charged Aug. 27 based on a summons obtained by state trooper D.M. Sottile. The summons says the charge stemmed from alleged illegal activity that occurred between Aug. 8 and Aug. 21.

The V-Check system is the database through which state police conduct criminal background checks of potential purchasers of firearms, usually at the point of sale, including licensed firearms dealers.

Lynch, according to a recording on the Green Top telephone system, is no longer with the company. Company president William C. Prout did not return calls for comment Wednesday.

Sources with knowledge of Green Top operations said Lynch allegedly provided privileged information about accessing the V-Check system to a software company that advertises programming that can facilitate storing and submitting documentation that is provided to law enforcement to gain approval for a gun sale.

But the access code is highly confidential and by law cannot be disseminated to any source outside the licensed dealer to which it is assigned. Calls to the software company were not returned Wednesday.

Hanover Commonwealth’s Attorney Ramon C. “Trip” Chalkley III was out of the office this week and unavailable for comment.

Green Top has been repeatedly cited as one of the state’s top retail outlets for firearms and a year ago moved from its longtime site on U.S. 1 north of

Virginia Center Commons to the former Gander Mountain facility on Lakeridge Parkway.

The V-Check system is the foundation of the state’s ability to carry out background checks of gun buyers; the system tracks criminal convictions, outstanding protective orders and individuals who have been diagnosed with severe mental disorders.

That sort of information is not passed along to retailers in the process of selling a weapon to a customer; the retailer merely learns if the potential buyer has been approved or disapproved as a buyer.

The system is closely monitored despite the number of checks that are run through the system annually by weapons retailers. In 2012, a record 432,387 gun transactions were recorded. In December that year, more than 5,000 transactions were recorded, the highest monthly total on record.

Richmond Dispatch

View Source

PRESS RELEASE
FBI OFFICE

PROVIDENCE, RI Oct 18 2013—Randolph Hurst, 50, of West Warwick Rhode Island, a former assistant district manager for the Social Security Administration in Rhode Island, pled guilty in U.S. District Court in Providence on October 9, 2013, to stealing the identity of a Coventry man and using the victim’s identity to fraudulently sell more than $160,000 worth of stock certificates belonging to the victim. Hurst also pled guilty to failing to pay $61,999 in taxes owed to the IRS.

Appearing before U.S. District Court Judge William E. Smith, Hurst pled guilty to one count each of aggravated identity theft, transportation of stolen securities, and tax evasion; two counts of mail fraud; and three counts of filing a false tax return. Hurst faces up to 45 years in federal prison and a fine of up to $1.4 million when he is sentenced on January 10, 2014.

A co-defendant in this matter, Justin Silveira, 29, of Coventry, pled guilty on October 9, 2013, to two counts of perjury and one count of obstruction of justice. Silveira admitted to the court that he lied to a grand jury that was investigating this matter. At sentencing on January, 10, 2014, Silveira faces up to 20 years in federal prison and a fine of up to $750,000.

The guilty pleas were announced by United States Attorney Peter F. Neronha; Vincent B. Lisi, Special Agent in Charge of the Boston Field Office of the FBI; Cheryl Garcia, Acting Special Agent in Charge of the New York region of the U.S. Department of Labor, Office of Labor Racketeering and Fraud Investigations; John Collins, Acting Special Agent in Charge of the Boston Office of the Internal Revenue Service, Criminal Investigation; and Scott E. Antolik, Special Agent in Charge of the Boston Field Office of the Social Security Administration, Office of the Inspector General/Office of Investigations.

At the time of his guilty plea, Hurst admitted to the court that in September 2010, he stole personal identifying information belonging to the victim and used it to open a joint account at Summit Brokerage Services in Providence in his name and in the name of the victim, without the victim’s permission. Hurst admitted that two days after opening the account, he provided documentation to Summit purportedly authored and signed by the victim, requesting the deposit of two stock certificates owned by the victim. The victim never authorized the deposit of the stock certificates and was unaware that an account had been opened in his name.

Hurst admitted to the court that in October 2010, without the victim’s knowledge, he requested that Summit sell the stocks and issue a check in his name and in the victim’s name for $157,747.49, which represented a portion of the proceeds of the sale of the stocks. The check was sent by courier to the Coventry address of Justin Silveira. On October 22, 2010, the check was deposited into a bank account owned jointly by Hurst and his wife. Hurst admitted to the court that on the same date the check was deposited he requested a second check from Summit in the amount of $3,980.46, in his name and in the victim’s name, for the remaining proceeds from the sale of the stock and that it be sent to the same address in Coventry. On November 8, 2010, the check was deposited into a bank account owned jointly by Hurst and his wife.

Hurst admitted to the court that he and his wife spent the proceeds of the sale of the stock, $161,727.95, on personal items and expenses.
The cases are being prosecuted by Assistant U.S. Attorney Dulce Donovan.

The matter was investigated by federal agents from the FBI; U.S. Department of Labor Office of Labor Racketeering and Fraud Investigations; Internal Revenue Service-Criminal Investigation; and Social Security Administration, Office of the Inspector General/Office of Investigations.

This law enforcement action is part of efforts underway by President Obama’s Financial Fraud Enforcement Task Force (FFETF) which was created in November 2009 to wage an aggressive, coordinated, and proactive effort to investigate and prosecute financial crimes. With more than 20 federal agencies, 94 U.S. Attorneys’ offices, and state and local partners, it is the broadest coalition of law enforcement, investigatory, and regulatory agencies ever assembled to combat fraud.

Since its formation, the task force has made great strides in facilitating increased investigation and prosecution of financial crimes; enhancing coordination and cooperation among federal, state, and local authorities; addressing discrimination in the lending and financial markets; and conducting outreach to the public, victims, financial institutions, and other organizations. Over the past three fiscal years, the Justice Department has filed more than 10,000 financial fraud cases against nearly 15,000 defendants including more than 2,700 mortgage fraud defendants. For more information on the task force, visit www.stopfraud.gov.

View Source

The background check is often the last thing we think of when applying for a job, after the cover letter, the resume, the references, and what to wear to the interview. In fact, many of us don’t think about it until a potential employer asks for our social security number and written permission to run a check.

This can be a problem. Though it depends on the job and the state, many employers still run extensive background checks on potential hires. The idea is to gather as much information as possible, so they know what they’re getting. As Forbes puts it, “There’s absolutely no doubt that making a wrong hiring decision can haunt your company, your other employees, and your client base.”

If you’re in the job market, you might want to run one on yourself first to avoid surprises and make sure the information that is out there is correct. You can do this by paying a background check agency like Been Verified or Talent Shield. Or, if you want to save money, you can do a pretty thorough one on yourself for free. Here’s a guide:

Review your court records
This is a big one — employers often want to know if you’ve been arrested or charged with a crime. Clearly, you’re already privy to that information. But if you’re looking for a job, it’s still wise to find out how the records depict you. Go to National Center for State Courts, where you can research your records at the state and city level.

Also, if you do have a criminal history, take a look at the new guidelines issued by the Equal Employment Opportunity Commission to help protect those with criminal backgrounds from job discrimination.

Get your credit report
This is a controversial practice — in fact, nine states have already passed laws limiting it — but the reality is that about 47 percent of companies still check some or all job applicants’ credit reports, according to the The Society of Human Resource Management. It doesn’t hurt to get out ahead of them.

All consumers are legally entitled to three free credit reports a year from the three major reporting agencies — Equifax, Experian, and TransUnion. Get all three. If you find errors, call them quickly and ask them to be corrected. Additionally, if you see negative points, and it’s due to extenuating circumstances (like a layoff or illness), you’re allowed to contact the bureau and attach a 100-word explanation to the problem. It won’t help your score, but it will give your potential employer your side of the story.

Request your employment history
It’s no secret to you where you worked and when, but it’s not a bad idea to see what’s on record. Your future employer may or may not look to see if there are any discrepancies on your resume (i.e., to check if you lied to them), so make sure the public info is accurate. Go to The Work Number to request data.

Review your education records
The Family Educational Rights and Privacy Act of 1974 requires your school to let you access your education records within 45 days of anyone asking for your record — at any point after graduation. You’re also allowed to request an amendment if you think something’s inaccurate. So call your school and find out what they release.

Review your medical background
This is another controversial one, which also has legal restrictions. The laws vary from state to state, so you’ll have to do a little research on your state’s website. But here’s an example: In Minnesota, an employer can only give you a medical exam or request your records if an offer for employment has been made. The employer is only allowed to examine you for “essential, job-related abilities.” Any “information obtained is collected and maintained separately and is treated as a confidential medical record.”

Depending on your state’s laws, and what job you’re applying for, you might want to request a copy of your medical records from your health care provider. They are legally required to hand them over.

Request your driving record
Many background checks also include driving records. If your future job requires you to drive, your employer may want to pull yours. To find out what’s on public record, request your report from the DMV.

Once you have all this information, you’ll be in a much stronger position if a potential employer asks to do a background check, even if you know she’ll find some dirt on you. Take a moment to be upfront about anything you think could be a deal breaker — they’ll likely appreciate your honesty and give you a chance to explain yourself.

View Source

Richmond VA Sept 30 2013 Using Department of Motor Vehicles records as its core, the state government is quietly developing a master identity database of Virginia residents for use by state agencies.

The state enterprise record – the master electronic ID database – would help agencies ferret out fraud and help residents do business electronically with the state more easily, officials said.While officials say the e-ID initiative will be limited in scope and access, it comes at a time of growing public concern about electronic privacy, identity theft and government intrusion.

“It makes it easier to compromise your privacy,” said Claire Guthrie Gastañaga, executive director of the American Civil Liberties Union of Virginia. “They’re using DMV for some other purpose than driving.”

DMV points out that, in today’s world, state driver’s licenses are the fundamental identification documents used by most Americans.
State officials say participation in the e-ID system will be voluntary, but the reason that the state has been moving to offer “privacy-enhancing credentials” to Virginia residents is the increasing number of government services offered online.

However, “anything you make more accessible and efficient for the user, you potentially open up for opportunities for risk, for attack,” said Robby Demeria, executive director of RichTech, Richmond’s technology council.

The first state agency using the largely federally funded Commonwealth Authentication Service system will be the Department of Social Services, aiming to satisfy federal Medicaid requirements under the Affordable Care Act and to reduce eligibility fraud and errors. The system goes live Tuesday.

About 70 percent of Social Services’ clients are in DMV’s database, said David W. Burhop, the Department of Motor Vehicles’ deputy commissioner and chief information officer.

Four state agencies are now involved in Virginia’s e-ID initiative: DMV, the state’s “ID professionals”; the Virginia Information Technologies Agency, which runs the state’s IT systems; the Department of Social Services; and the Department of Medical Assistance Services.

DMV has the records of about 5.9 million licensed drivers and ID card holders. Some of that information – names, addresses, dates of birth, driver’s license numbers – will form the core of the state’s identity authentication system.

“To us, it is a tool that allows individuals to create online accounts,” said Craig C. Markva, communications director of the Department of Medical Assistance Services, speaking for Secretary of Health and Human Resources William A. Hazel Jr.

“When someone wants to do this, we need to be able to verify that the person trying to access the account is who he or she claims to be,” Markva said.

“This requires that they provide basic demographic information … that we can compare to what is known by DMV or by DSS (Department of Social Services) already.”

So far there’s been no public discussion in Virginia of the state’s electronic personal identity initiative or the use of the Internet for increasingly more transactions with the state government.

“When we allow governments to do that,” said Virginia ACLU’s Gastañaga, “it facilitates and empowers things that we might not want to have happen if the wrong people get into power.”

Decisions based on the convenience of using information technology are often done with a short-term perspective, said Rob S. Hegedus, chief executive officer of Sera-Brynn, a cybersecurity company in Suffolk.

“The privacy aspect catches up afterwards,” he said.

The state does not plan to hold public hearings on the Commonwealth Authentication Service system, officials said, but Demeria with RichTech contends “there’s plenty of reason for us to have a public discussion, debate, (and) consideration.”

“We want to make sure all the i’s are dotted and t’s are crossed before we execute,” he said.

For members of the public, Burhop said, e-ID would allow use of the Internet with security and privacy while needing only a single sign-on, providing faster service and lowering service costs.

“This is geared toward citizens who say, ‘Why do I have to fill out this again?’ ” DMV’s Burhop said.

Virginia is a leader in using online transactions, DMV said. But in order to move higher-risk transactions to the Internet, a more robust authentication method is needed, officials said.

For example, if a Virginian sells a car to another state resident, the deal requires a physical exchange of the registration card and the handwritten information on the card that is often hard for DMV representatives to read when the buyer registers the vehicle at the agency, noted Pam Goheen, DMV’s assistant commissioner for communications.

“If both parties had a high-assurance credential such as an e-ID,” Goheen said, “this transaction could be done entirely online which would include the registration and title updates eliminating the need to visit the DMV and speeding up the process.”

The Virginia Information Technologies Agency and contractor Northrop Grumman are responsible for state IT infrastructure, but state agencies are responsible for their business applications and the data they hold, said Sam Nixon Jr., the state’s chief information officer.

IT security is a shared responsibility between VITA and the state agencies it serves, Nixon said.

DMV says the $4.3 million Commonwealth Authentication Service system will be safe from abuse because agencies will control individuals’ files. Those files will not all be put into a single database open to other agencies.

Agencies using the service to verify a client’s identity will get only a yes-or-no reply from the Commonwealth Authentication Service system, DMV said.
And the DMV has not suffered a data breach, Burhop said.

Nonetheless, cyberhackers are always trying to break into the state’s IT system.

In 2012, VITA and Northrop Grumman blocked more than 110 million cyberattacks on the state’s data networks, Nixon said. “You can do the math, but that represents hundreds of thousands of blocked attacks each day.”

More than 47,000 viruses were blocked before they affected Virginia’s government IT assets, Nixon said, and the number of security incidents VITA detects and fixes has tripled since 2011.

But in 2009, before the Northrop Grumman took over the state’s IT system, hackers got into the Virginia Department of Health Professions’ prescription-monitoring database. Though it was unclear what records were actually taken, the database contained records of more than half a million people and more than 35 million prescriptions.

Also in 2009, the Department of Education sent a thumb drive to another agency that contained more than 103,000 sensitive records. It was later determined that the thumb drive was lost.

“When you ask a government entity to keep something like this safe, they really can’t,” Sera-Brynn’s Hegedus said. “Nobody can guarantee it.”
Times-Dispatch

View Source

A Russian-speaking man casually shows on camera how he can download a punter’s bank-card details and PIN from a hacked card reader.

In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered – just as any customer would in a restaurant or shop. Later, after a series of key-presses, the data is transferred to a laptop via a serial cable.

Account numbers and other sensitive information appear on the computer screen, ready to be exploited. And the data can be texted to a phone, if a SIM card is fitted to the handheld.

We’re told the footage, apparently shown on an underworld bazaar, is used to flog the compromised but otherwise working kit for $3,000 apiece – or a mere $2,000 if you’re willing to share 20 per cent of the ill-gotten gains with the sellers under a form of hired-purchase agreement.

Crucially, the gang selling this device offers a money-laundering service to drain victims’ bank accounts for newbie fraudsters: a network of corrupt merchants are given the harvested card data and extract the money typically by buying fake goods and then cashing out refunds. The loot eventually works its way back to the owner of the hacked card reader.

A copy of the web video was passed to The Reg, and is embedded below. We have rotated part of the footage so it’s easier to read the on-screen text.

Electronic security consultancy Group-IB said the modified Verifone VX670 point-of-sale terminal, shown above, retains in memory data hoovered from tracks 1 and 2 of the magnetic stripe on the back of swiped bank cards, as well as the PIN entered on the keypad – enough information for fraudsters to exploit.

The setup suggests the sellers are based in Russia. In the video, a credit card from Sberbank, the country’s largest bank and the third largest in Europe, is used to demonstrate the hacked terminal’s capabilities.

If a SIM card for a GSM mobile phone network is fitted to the doctored device, the information can be sent by SMS rather than transferred over a serial cable, explained Andrey Komarov, head of international projects at Group-IB.

He told us crooks tampering with point-of-sale (POS) terminals and selling them isn’t new – but the bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.

“We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own ‘grey’ merchants: it seems they buy fake stuff, and then cash-out money,” Komarov said.

“It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cyber-criminals against the Russian bank Sberbank.”

Komarov told El Reg that the emergence of hacked card readers is due to banks improving their security against criminals’ card-skimming hardware hidden in cash machines and similar scams. Planting data-swiping malware in POS handhelds out in the field is possible, but it is fairly tricky to find vulnerable terminals and infiltrate them reliably without being caught.

It’s a touch easier to buy a tampered device and get it installed in a shop or restaurant with the help of staff or bosses on the take. This creates a huge potential market for fraudsters, according to Komarov.

Scam warnings

Banking giant Visa has issued several alerts about this kind of fraud along with occasional warnings about device vulnerabilities – such as this warning from 2009 [PDF]. And social-engineering tricks [PDF] in which fraudsters pose as Visa employees carrying out adjustments to terminals – while actually compromising them – has been going on for years.

One alert [PDF] from Visa, dating from 2010, explains how thieves worked in the past and the steps merchants can take to defend against the fraud: anti-tampering advice from this year can be found here [PDF], an extract of which is below:

Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.
The impact of this type of crime can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering.

A more recent advisory on combating this type of fraud, issued earlier this year by Visa, can be found here [PDF].

Avivah Litan, a Gartner Research vice-president and an expert in banking security and related topics, said that tampering with card readers has been going on for years. She agreed with Group-IB’s observation that since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for criminals.

“The bad guys will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to harvest bank details] than going after ATMs,” Litan told El Reg, adding that this kind of fraud was rife in South America, particularly in countries such as Brazil.

But Group-IB’s Komarov believes the Russian-speaking fraudsters behind the black-market sale of hacked sales terminals are targeting the international market as well as crims in the motherland. “The example they showed for Sberbank was just because they also use it against Russian-speaking countries, as they have Russian-speaking roots,” he explained.

We passed on Group-IB’s research to Verifone at the start of this month, along with a request for comment on what could be done to frustrate the trade of tampered card readers through underground markets and similar scams. We have yet to hear back from the device manufacturer. We’ll update this story if we hear more. ®

View Source

Mobile identity theft is one of the fastest growing types of identity theft due to the prevalence of mobile devices such as smartphones and tablets. With over one billion smartphones being used globally and research predicting this number will double by 2015, the soaring sales of mobile devices come at a time when identity theft is at an all-time high.

There was one victim of identity theft every three seconds in the U.S. in 2012, totaling 12.6 million consumers—an increase of over one million victims compared to the previous year and accounting for more than $21 billion, according to Javelin Strategy & Research’s 2013 Identity Fraud Report. These numbers are expected to rise, especially as our use of mobile devices continues to increase.

Preventing Mobile Identity Theft

Whether it’s for email, instant messaging, surfing the web, shopping online, paying bills, or even banking, we store and share an immense amount of personal data on our mobile devices. Unless steps are taken to protect it, this data is vulnerable to identity thieves who want to use it to create fake identities and steal money.

Other than being convenient to use everywhere we go, it’s important to remember that smartphones are no different than desktops or laptop computers when it comes to hackers, viruses, malware, and spyware. Their apps and mobile browsers enable us to store personal information such as passwords, credit card numbers, and bank account data in addition to our contacts and other sensitive information. When this data is breached, however, the resulting identity theft can have severe and long-lasting consequences.

Tip:

Make sure you are shopping on secure websites by verifying that the “s” is in the “https://” in the address bar. Websites using “http://” at the beginning of the website address are unsecure.

Fortunately, there are many actions you can take to secure your hand-held devices and avoid mobile identity theft. Here are a few tips:

-Create a strong password that is required to unlock your phone and access data. Make sure to set up the phone to automatically lock when it has not been used for a specified period of time.
-Never share sensitive data such as passwords or credit card numbers over an unsecured Wi-Fi connection. Even something as simple as purchasing movie tickets on an iPhone using a public Wi-Fi network can give a nearby hacker the opportunity to steal your data and use it to create a fake identity.
-Carefully review your phone bills for sudden increases in data usage. You also want to be on the lookout for charges from third-party content providers for services and apps you haven’t authorized. These can be signs that your phone has been hacked and puts you at risk for mobile identity theft.
-Keep your operating system and apps up-to-date. These updates are important for keeping your smartphone or tablet current with all of the latest security enhancements.
-Make sure you are shopping on secure websites by verifying that the “s” is in the “https://” in the address bar. Websites using “http://” at the beginning of the website address are unsecure.

When trusted professionals or businesses use mobile devices to share information with clients, the same types of mobile identity theft are possible. Take, for example, healthcare professionals. Over 80 percent of physicians polled in an ABA Health survey revealed that they have used personal mobile devices to access the protected health information of their patients. This puts their patients at risk for mobile medical identity theft even when patients haven’t done anything to put their own identity in jeopardy.

Healthcare professionals can help secure medical records on mobile devices by creating passwords to authenticate access to patient information, and never sharing data over an unsecured Wi-Fi connection.

Mobile Identity Theft Protection Services

In spite of all the safeguards you put in place, hackers will always try to stay one step ahead of you and the available technology. Unfortunately, it’s not a matter of “if” but “when” your identity will be compromised. When it happens to you, don’t be caught without a mobile identity theft prevention plan.

There are a number of free mobile identity theft services, such as AVG, that offer anti-virus plans for mobile devices. Phones can be locked and located remotely, suspicious calls or text messages can be blocked, and widgets can detect questionable website activity.

The best identity theft protection service on the market is ID Theft Solutions. Managed by law enforcement professionals, ID Theft Solutions is the most comprehensive way to ensure your identity is recovered when it is stolen.

View Source

From late 2007 until March 2011, if you were an identity thief or credit card fraud artist in need of a fake ID, your best bet was “Celtic’s Novelty I.D. Service.” From its base in Las Vegas, the online storefront manufactured driver’s licenses for 13 states and shipped them to buyers around the world. No questions asked.

With a reputation for quality and the fastest turnaround in the industry, Celtic was a no-nonsense player in a global underworld benighted by drama and infighting. On the Russian-led criminal forum Carder.su, his primary home, he accumulated scores of glowing reviews from satisfied customers. “You can trust him,” wrote Oink Oink. “This guy doesn’t fuck around. Great shit, great communication and bends over backwards to help you out.”

“I agree Celtic is great,” wrote XXXSimone. “I placed an order, instantly he sent the order out did not bullshit around.”

A customer named Temp agreed. “Strongly recommended! Fast shipment, and very good discounts!”

Today Billy “Oink-Oink” Steffey, Maceo “XXXSimone” Boozer III, and Alexander “Temp” Kostyukov might not be so generous with their praise, as they await a November trial in the largest identity theft prosecution in U.S. history. Their mistake? In addition to being a talented ID forger, Celtic was a Secret Service agent.

The government calls it “Operation Open Market,” a four-year investigation resulting, so far, in four federal grand jury indictments against 55 defendants in 10 countries, facing a cumulative millennium of prison time. What many of those alleged scammers, carders, thieves, and racketeers have in common is one simple mistake: They bought their high-quality fake IDs from a sophisticated driver’s license counterfeiting factory secretly established, owned, and operated by the United States Secret Service.

The Secret Service announced Operation Open Market in a press release in March of last year when the first set of indictments dropped. But the agency hasn’t publicly disclosed how it made the busts. That story is told in internal agency documents seen by WIRED, correlated with archival posts from Carder.su and court records. It’s the story of how the Secret Service, in an operation as ironic as it was bold, stole the identity of a low-ranking member of the underground in May 2007, and, with top-level Justice Department approval, used it for years afterward to produce and sell some of the best fake IDs available anywhere.

In the process, the agency built dossiers on identity thieves around the world and discovered the underground’s extensive use of the online payment service Liberty Reserve, which spawned a parallel Secret Service and Treasury Department investigation with its own round of arrests in May.

“By selling the counterfeit identifications, it allowed the UCA [undercover agent] potential to identify individuals operating on the carding portals and develop an understanding of the internal workings of the organization,” reads an August 2011 memorandum produced by Immigrations and Customs Enforcement, which supported the Secret Service in the operation.

“The prosecutorial strategy centers on disrupting and dismantling the Carder.su organization while at the same time acting as a deterrent to similar organizations that may be operating under the belief that because they are outside U.S. territory they are safe from U.S. law enforcement,” the report continues, adding that U.S. Attorney General Eric Holder was personally briefed on the operation.

The Secret Service, DHS, and the U.S. Attorney’s Office for the District of Nevada declined to discuss the investigation.

Read More