229 posts categorized "Fraud" Feed

Consequences And New Threats From The Massive Equifax Breach

Equifax logo To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information accessed stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN number from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystemsCertegy, and TeleCheck -  the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled the burden from the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

Suspected spam email. Click to view larger version

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

Suspected spam email. Click to view larger version

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5.  The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that doesn't match either the company's name in "1" nor "2."

To understand #7, I reviewed the underlying HTML markup language used to create this e-mail message:

HTML markup of the suspected spam email. Click to view larger version

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.

As best I can tell, this definitely is spam. I don't trust it. What do you think?


Wells Fargo: 1.4 Million More Fake Accounts Found By Latest Investigation

Wells Fargo logo Just before the long holiday weekend, Wells Fargo Bank announced in an August 31 news release the latest results of a third-party investigation into its retail bank account practices since 2009:

"The original account analysis reviewed 93.5 million current and former customer accounts opened in an approximately four and half year time period – from May 2011 through mid-2015 – and identified approximately 2.1 million potentially unauthorized accounts. The expanded analysis reviewed more than 165 million retail banking accounts opened over a nearly eight-year period – from January 2009 through September 2016 – and identified a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts... In connection with these 3.5 million potentially unauthorized accounts, approximately 190,000 accounts incurred fees and charges, up from 130,000 previously identified accounts that incurred fees and charges, and Wells Fargo will provide a total of $2.8 million in additional refunds and credits on top of the $3.3 million previously refunded as a result of the original account review... a review of online bill pay services, as required by the Sept. 8, 2016, consent orders... the analysis identified approximately 528,000 potentially unauthorized online bill pay enrollments and Wells Fargo will refund $910,000 to customers who incurred fees or charges. "

To summarize: the latest investigation went two years further back in time, found about 1.4 million more phony accounts, found more customers affected by unauthorized bank accounts, and found possibly more phony online bill-pay enrollments. In a settlement agreement last year with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices with the number of phony accounts known then.

Of course, the bank tried a different spin in its news release about the investigation's findings:

"... the completion of its previously announced expanded third-party review of retail banking accounts dating back to the beginning of 2009. Combined with a recent class action settlement and ongoing broad customer outreach and complaint resolution, the completion of the analysis further paves the way for making things right for Wells Fargo customers who may have been harmed by unacceptable retail sales practices."

Yeah, right. That sounds like some wayward teenager wanting praise for providing a complete list of damage to the family car which they didn't have permission nor a license to drive in the first place.

Much of Wall Street has seen through the spin. Some financial experts advise investors to sell Well Fargo shares and buy other banks' shares instead. One of the world's largest fund managers withheld support for three of the bank's directors. Some news headlines focused on the growing estimate of phony accounts uncovered. MSN Money listed reasons why the bank may not survive the growing scandal.

There is plenty of bad news. The Los Angels Times reported a lawsuit by former bank executives who claimed they were scapegoated and fired earlier this year after reporting unethical sales practices. News reports broke earlier this month about alleged insurance abuses of the bank's auto-loan customers.

Well, we now know more about the bank's retail banking practices. The latest announcement makes one wonder, a) how much damage one bank can do, and b) how many more phony accounts would have been uncovered if the investigation started before 2009. What are your opinions?


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors with familiar looking phone numbers. NPR explained neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Andorid OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairmann Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Real Scams, Real Cons and Fake Law Enforcement

[Editor's Note: Today's guest post is by Arkady Bukh of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. Aware consumers know how to recognize scams.]

By Arkady Bukh, Esq.

A man in Nigeria died recently. When the coroner went to the home for the body, he found $25 BILLION dollars. Apparently, the decedent had been trying to give away his money for years, but no one answered his email.

If you've been on the Internet for over, say, one-hour, you recognize the source for that joke. The Nigerian email scam is so infamous it's been given its own, easily recognizable, name: The Nigerian Email Scam.

Despite scams and cons being popular online, they're not confined to the virtual world. They crop up in the real world, too. Often, in unexpected ways.

Pennsylvania Teen Tries to Scam and It Doesn’t Go Well at Home
Police in Westtown Township nabbed a teenage boy in March after linking the kid to a scam involving fake traffic tickets. The fraudulent fines were placed in mailboxes at four homes. Each fake ticket claimed the homeowners' vehicle was captured on camera speeding in nearby West Chester. An accompanying note asked for $96 to be left in the mailbox.

"It does look real," said Jackie McGlone, a West Chester resident.

Detectives have found the photographs of the vehicle's' plates were taken while the car was parked in their owner's' driveway and unoccupied.

Police tracked the 16-year old boy, who lives in the area, by a tip phoned in by the teenager's dad.

The teen's father found some notifications waiting to be mailed and called the police. Charges are pending.

Truckers Lose Big Money in Oregon
In 2013, an Oregon-based scam dug into the pockets of truck drivers with automated calls telling them to pay their unpaid traffic tickets using re-loadable debit cards — or face a penalty.

The caller identified himself as, "Alex James Murphy of the Oregon State Police," and informed drivers of a bench warrant for an outstanding speeding ticket. To pay, the drivers were told to buy re-loadable prepaid cards through Green Dot MoneyPak, put $154 on the card, and then call a second phone number to provide the card information.

If the driver does all that, they'll find out there was never an unpaid speeding ticket and their $154 has hit the road. The scam, which occasionally crops up in difference places, first appeared on the radar in November 2012 and had gone through a few variations since.

An offshoot which also relies on confusing the lines between a con artist and legitimate law enforcement agencies is the “Support Your Sheriff” sticker scam. The Federal Trade Commission's website has a page warning consumers about cons which play on citizens' desire to help support local law enforcement.

Fake Police
A vehicle which appears to be an unmarked police car pulls you over. The ‘officer' says you are about to be handed a large fine and see points added to your driver's license. "However," says the supposed-cop, "you can avoid this by paying a smaller fee, up front, in cash."

That's not a tactic used by legitimate law enforcement agencies anywhere. Real cops want to make sure the law is obeyed and not about a discount if a speeder pays on the front end. Legitimate cops will issue a real ticket that must be paid in person, or mail, at the department.

If in doubt, request another officer to come to the scene. It's your right.

Phishing Scam
Someone receives an e-mail message claiming them they are guilty of a traffic violation. A wise person will delete the email immediately. Any email saying you owe money for traffic tickets is a phishing scam.

Usually, the email says the person needs to pay for the traffic citation right now. The e-mail includes a link where the individual to find details. The link often contains a computer virus, and can redirect the user to a phishing page meant to request personal information from the user.

Buy a Sticker and Get Out of Jail Free
Scammers have called individuals at work and home at claiming the local Department of Public Safety (DPS) offers decals for autos with the DPS logo to waive their next traffic ticket.

The caller instructs the person to place the sticker next to the car's license plate. To get the sticker, the vehicle owner must pay $10. Many persons fall for the scam as $10 is smaller than any traffic ticket issued after 1946.

If you get a traffic citation, you broke the law. You will pay for that. There is no such thing as a law enforcement sticker which gets you one free traffic ticket.


Presidential Commission Demands Massive Amounts of State Voter Data

[Editor's Note: today's guest blog post, by the reporters at ProPublica, explores issues of alleged voter fraud, and the problems with analyses claiming multiple voter registrations across states. It is reprinted with permission.]

by Jessica Huseman, ProPublica

On June 28, all 50 states were sent letters from Kris Kobach -- vice chair for the Presidential Advisory Commission on Election Integrity -- requesting information on voter fraud, election security and copies of every state's voter roll data.

The letter asked state officials to deliver the data within two weeks, and says that all information turned over to the commission will be made public. The letter does not explain what the commission plans to do with voter roll data, which often includes the names, ages and addresses of registered voters. The commission also asked for information beyond what is typically contained in voter registration records, including Social Security numbers and military status, if the state election databases contain it.

President Donald Trump established the commission through an executive order on March 11. Its stated goal is to "promote fair and honest Federal elections" and it is chaired by Vice President Mike Pence. The commission plans to present a report to Trump that identifies vulnerabilities in the voting system that could lead to fraud and makes recommendations for enhancing voters' confidence in election integrity. No deadline has been set for completion of the work.

A number of experts, as well as at least one state official, reacted with a mix of alarm and bafflement. Some saw political motivations behind the requests, while others said making such information public would create a national voter registration list, a move that could create new election problems.

"You'd think there would want to be a lot of thought behind security and access protocols for a national voter file, before you up and created one," said Justin Levitt, a professor at Loyola University School of Law and former Department of Justice civil rights official. "This is asking to create a national voter file in two weeks."

David Becker, the executive director of the Center for Election Innovation & Research, also expressed serious concerns about the request. "It's probably a good idea not to make publicly available the name, address and military status of the people who are serving our armed forces to anyone who requests it," he said.

Kobach, the secretary of state in Kansas, has been concerned about voter fraud for years. His signature piece of legislation was a law requiring Kansans to show proof of citizenship when they register to vote, which is currently ensnarled in a fraught court battle with the American Civil Liberties Union. He has written that he believes people vote twice with "alarming regularity," and also that non-citizens frequently vote. Multiple studies have shown neither happens with any consistency.

Kobach also runs the Interstate Voter Registration Crosscheck Program, a proprietary piece of software started by Kansas Secretary of State Ron Thornburgh in 2005. Under the program, 30 states pool their voter information and attempt to identify people who are registered in more than one state.

Some expect the information Kobach has requested will be used to create a national system that would include data from all 50 states.

It is not uncommon for voters to be registered in more than one state. Many members of Trump's inner circle -- including his son-in-law Jared Kushner and daughter Tiffany Trump -- were registered to vote in two states. Given the frequency with which voters move across state lines and re-register, the act of holding two registrations is not in itself fraud. There is no evidence to suggest that voting twice is a widespread problem, though experts say removing duplicate registrations are a good practice if done carefully.

"In theory, I don't think we have a problem with that as an idea, but the devil is always in the details," said Dale Ho, the director of the ACLU's Voting Rights Project. While he believes voter registration list maintenance is important, he says Kobach's Crosscheck program has been repeatedly shown to be ineffective and to produce false matches. A study by a group of political scientists at Stanford published earlier this year found that Crosscheck highlighted 200 false matches for every one true double vote.

"I have every reason to think that given the shoddy work that Mr. Kobach has done in this area in the past that this is going to be yet another boondoggle and a propaganda tool that tries to inflate the problem of double registration beyond what it actually is," Ho said.

Some experts already see sloppy work in this request. On at least one occasion, the commission directed the letter to the incorrect entity. In North Carolina, it addressed and sent the letter to Secretary of State Elaine Marshall, who has no authority over elections or the voter rolls. In that state, the North Carolina Board of Elections manages both.

Charles Stewart, a professor at MIT and expert in election administration, said it was proof of "sloppy staff work," and questioned the speed at which the letter was sent. "It seems to me that the data aren't going anywhere. Doing database matching is hard work, and you need to plan it out carefully," he said. "It's a naïve first undertaking by the commission, and reflects that the commission may be getting ahead of itself."

Connecticut Secretary of State Denise Merrill, who oversees voting in the state, said she was dismayed about the commission's failure to be clearer about what its intentions are. In a statement, Merrill said her office would share publicly available information with the commission. But she said that "in the same spirit of transparency" her office would request the commission "share any memos, meeting minutes or additional information as state officials have not been told precisely what the Commission is looking for."

"This lack of openness is all the more concerning, considering that the Vice Chair of the Commission, Kris Kobach, has a lengthy record of illegally disenfranchising eligible voters in Kansas," she wrote.

Alabama's Republican Secretary of State John Merrill (no relation) also indicated he had questions for Kobach regarding how much of the data would be made public and how Alabamans' privacy would be protected, even while he expressed support for the commission. "Kobach is a close friend, and I have full confidence in him and his ability, but before we turn over data of this magnitude to anybody we're going to make sure our questions are answered," he said.

Colorado Secretary of State Republican Wayne Williams, for his part, said he was not concerned with what the commission planned to do with the data. "Just like when we get a [public-records] request, we don't demand to know what they are going to do with the data," he said. "There are important reasons why the voter roll is publicly available information."

The extent to which voter roll data is public varies across the country. While some states, like North Carolina, make their voter rolls available for free download, other states charge high fees. Alabama, for example, charges one cent per voter in the roll for a total cost of more than $30,000. The state law provides a waiver for government entities, so Merrill said the commission would receive the data for free. Other states, like Virginia, do not make this information public beyond sharing it with formal campaigns and political candidates. When ProPublica tried to purchase Illinois' voter roll, our request was denied because they only release it to government entities for privacy reasons. Illinois did not respond to a request regarding whether they would release this information to the PCEI, which 2014 while a government entity 2014 intends to make the information public.

The letter from the commission also asks quite broad questions of state elections officials.

"What changes, if any, to federal election laws would you recommend to enhance the integrity of federal elections?" asks the first question. The letter also asked for all information and convictions related to any instance of voter fraud or registration fraud, and it solicited recommendations "for preventing voter intimidation or disenfranchisement."

"The equivalent is, 'Hey, doctors, what changes would you suggest regarding healthcare? Let us know in two weeks,'" said Levitt, the Loyola professor. "If I were a state election official, I wouldn't know what to do with this."

While the commission is being chaired by Vice President Mike Pence, Kobach signed the letter alone. Jon Greenbaum, chief counsel for the Lawyers' Committee for Civil Rights Under Law, said this is an indication that Kobach -- not Pence -- "will be running the show," which he said should be a point of concern.

"As we know with Kobach, he's obsessed with trying to identify voter fraud and finds it in a lot of places where it doesn't exist," he said.

Vanita Gupta, the former acting head of the Department of Justice's civil rights division under President Barack Obama, said the commission's letter was an indication the commission was "laying the groundwork" to carry out changes to the National Voter Registration Act that might seek to restrict access to the polls.

The National Voter Registration Act -- sometimes called the Motor Voter Act -- was enacted in 1993. It allows the DOJ the authority to ensure states to keep voter registration lists, or voter rolls, accurate and up-to-date. It also requires states to offer opportunities for voter registration at all offices that provide public assistance (like the DMV). 

In November, Kobach was photographed holding a paper addressing national security issues and proposing changes to the voter registration law. It is not clear what these changes were. The ACLU is involved in a lawsuit against Kansas' state law requiring people to show proof of citizenship in order to register to vote. As part of the suit, ACLU lawyers requested access to the document reflecting the changes Kobach proposed.

Originally Kobach told the court the document was beyond the scope of the lawsuit, but last week the court found the documents were relevant and that Kobach had intentionally misled the court. He was fined $1,000 for the offense and required him to turn the document over. It has not yet been made public.

Gupta said her concern about the future of the voter registration act was deepened by the fact that, on June 29, the DOJ sent a letter to the 44 states covered by the act requesting information on the maintenance of their voter rolls. States were given 30 days to answer a set of detailed questions about their policies for list maintenance.

"The timing of the letters being issued on the same day is curious at the very least," she said.

The White House and the DOJ all did not respond to requests for comment about the letters.

The letter did not ask about compliance with the portions of the act that require states to attempt to expand the voter base, such as by offering voter registration forms and information in public offices.

Danielle Lang, deputy director of voting rights for The Campaign Legal Center, said the focus on list maintenance troubled her. While she said this might point to a new direction in enforcement for the DOJ's voting rights section, it was too early to tell how this information might be used.

Levitt said he did not recall a time when the DOJ has previously requested such broad information. While the information is public and not, on its face, troubling, Levitt said the only time he recalled requesting similar information was during targeted investigations when federal officials suspected a state was not complying with the law.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Minnesota Judge Signed Warrant For Users' Google Search Data About A Person's Name

A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.

The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.

During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet protoccol) addresses, MAC addresses, and dates/times the searches were performed.

The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?

The Minneapolis Star-Tribune newspaper reported:

"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. "This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent," said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. "It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions." "

Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.

This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.

Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are lawn enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.

What are your opinions?


4 Charged, Including Russian Government Agents, In Massive Yahoo Hack

Department of Justice logo The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

The announcement described how the defendants, beginning in January 2014:

"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."

The four defendants are:

  1. Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident
  2. Igor Anatolyevich Sushchin, 43, a Russian national and resident,
  3. Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
  4. Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.

Several lawsuits have resulted from the Yahoo breach including a shareholder lawsuit alleging a breach of fiduciary duty by the directors of the tech company, and a class-action regarding stolen credit card payment information.

Attorney General Sessions said about the charges against four defendants:

"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."

FBI Director said:

"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."

Acting Assistant Attorney General McCord said:

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."


Western Union Admitted To Money-Laundering Charges. To Pay $586 Million Fine

Western Union Company logo A news item you may have missed during the run-up to the Presidential Inauguration. The U.S. Federal Trade Commission (FTC) announced settlement agreements with Western Union where the company admitted to money-laundering charges and agreed to pay $586 million in fines and restitution.

Western Union inked settlement agreements with the FTC, the Justice Department (DOJ), and with several U.S. Attorneys’ Offices: the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. The FTC announcement stated:

"In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud... According to admissions contained in the deferred prosecution agreement (DPA) with the Justice Department and the accompanying statement of facts, Western Union violated U.S. laws—the Bank Secrecy Act (BSA) and anti-fraud statutes—by processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme. As part of the scheme, fraudsters contacted victims in the U.S. and falsely posed as family members in need or promised prizes or job opportunities. The fraudsters directed the victims to send money through Western Union to help their relative or claim their prize. Various Western Union agents were complicit in these fraud schemes, often processing the fraud payments for the fraudsters in return for a cut of the fraud proceeds."

The FTC alleged in a complaint filed in U.S. District Court for the Middle District of Pennsylvania that the company’s conduct violated the FTC Act. The complaint alleged that fraudsters globally used Western Union’s money transfer system for many years, even after the company was aware of the problems. The complaint also alleged that some Western Union agents were complicit in fraud. Also, the FTC’s complaint alleged that Western Union failed to implement effective anti-fraud policies and procedures, and it failed to act promptly against problem agents (e.g., suspensions, terminations).

Also, the announcement described the extent and duration of the fraud:

"The BSA requires financial institutions, including money services businesses such as Western Union, to file currency transaction reports (CTRs) for transactions in currency greater than $10,000 in a single day. To evade the filing of a CTR and identification requirements, criminals will often structure their currency transactions so that no single transaction exceeds the $10,000 threshold. Financial institutions are required to report suspected structuring... Western Union knew that certain of its U.S. Agents were allowing or aiding and abetting structuring by their customers. Rather than taking corrective action to eliminate structuring at and by its agents, Western Union, among other things, allowed agents to continue sending transactions... Beginning in at least 2004, Western Union recorded customer complaints about fraudulently induced payments in what are known as consumer fraud reports (CFRs). In 2004, Western Union’s Corporate Security Department proposed global guidelines for discipline and suspension of Western Union agents that processed a materially elevated number of fraud transactions. In these guidelines, the Corporate Security Department effectively recommended automatically suspending any agent that paid 15 CFRs within 120 days. Had Western Union implemented these proposed guidelines, it would have prevented significant fraud losses to victims and would have resulted in corrective action against more than 2,000 agents worldwide between 2004 and 2012."

U.S. Attorney Eileen M. Decker of the Central District of California said:

"Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers... In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes."

U.S. Attorney Bruce D. Brandler said:

"The U.S. Attorney’s Office for the Middle District of Pennsylvania has a long history of prosecuting corrupt Western Union Agents... Since 2001 our office, in conjunction with the U.S. Postal Inspection Service, has charged and convicted 26 Western Union Agents in the United States and Canada who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes. I am gratified that the deferred prosecution agreement reached today with Western Union ensures that $586 million will be available to compensate the many victims of these frauds."

Terms of the settlement agreements require Western union to:

  • Pay a monetary judgment of $586 million,
  • Implement and maintain a comprehensive anti-fraud program with training for its agents and their front line associates,
  • Monitor to detect and prevent fraud-induced money transfers,
  • Conduct due diligence on all new and renewing company agents, plus suspend or terminate non-compliant agents,
  • Stop transmitting money transfers it knows or reasonably should know are fraud-induced,
  • Block money transfers sent to any person who is the subject of a fraud report,
  • Provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms,
  • Increase the availability of websites and telephone numbers that enable consumers to file fraud complaints,
  • Refund fraudulent money transfers if it failed to comply with its anti-fraud procedures, and
  • Not process money transfers it knows or should know are payments for telemarketing transactions.

Western Union's compliance with these requirements will be monitored for three years by an independent compliance auditor. Western Union said in a January 19th press release:

"The Western Union Company (NYSE: WU) today announced agreements with the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) that resolve previously disclosed investigations focused primarily on the Company’s oversight of certain agents and whether its anti-fraud program, as well as its anti-money laundering controls, adequately prevented misconduct by those agents and third parties. The conduct at issue mainly occurred from 2004 to 2012."

"As part of this resolution, Western Union will enter into a deferred prosecution agreement with the DOJ and a consent order with the FTC. The Company will pay a total of $586 million to the federal government, which is to be used to reimburse consumers who were victims of fraud during the relevant period. Western Union also will take specific actions to further enhance its oversight of agents and its protection of customers... Over the past five years, Western Union increased overall compliance funding by more than 200 percent, and now spends approximately $200 million per year on compliance, with more than 20 percent of its workforce currently dedicated to compliance functions. The comprehensive improvements undertaken by the Company have added more employees with law enforcement and regulatory expertise, strengthened its consumer education and agent training, bolstered its technology-driven controls and changed its governance structure so that its Chief Compliance Officer is a direct report to the Compliance Committee of the Board of Directors."

"... [Western Union] will simultaneously resolve, without any additional payment or non-monetary obligations, potential claims by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) relating to conduct in the 2010 to 2012 period that FinCEN contended violated the Bank Secrecy Act. The Company received a notice of investigation from FinCEN in mid-December 2016. The separate agreement with FinCEN sets forth a civil penalty of $184 million, the full amount of which will be deemed satisfied by the $586 million compensation payment under the DOJ and FTC agreements."


Several Banks Fined Billions By Justice Department For Alleged Wrongdoing

Credit Suisse logo In case you missed it, the U.S. Department of Justice (DOJ) announced last week several settlement agreements and fines against several banks. First, for conduct with the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities (RMBS) between 2005 and 2007, Credit Suisse will pay about $5.3 billion in fines and relief. That includes $2.48 billion as a civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $2.8 billion in:

"... relief to underwater homeowners, distressed borrowers and affected communities, in the form of loan forgiveness and financing for affordable housing. Investors, including federally-insured financial institutions, suffered billions of dollars in losses from investing in RMBS issued and underwritten by Credit Suisse between 2005 and 2007."

Principal Deputy Associate Attorney General Bill Baer said:

"Credit Suisse claimed its mortgage backed securities were sound, but in the settlement announced today the bank concedes that it knew it was peddling investments containing loans that were likely to fail... That behavior is unacceptable. Today's $5.3 billion resolution is another step towards holding financial institutions accountable for misleading investors and the American public."

Second, for conduct with the packaging, securitization, marketing, sale and issuance of residential mortgage-backed securities (RMBS) between 2006 and 2007, Deutsche Bank will pay $7.2 billion in fines and relief. That includes a $3.1 billion civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $4.1 billion in relief to underwater homeowners, distressed borrowers and affected communities.

Deutsche bank logo Principal Deputy Associate Attorney General Bill Baer said:

"This $7.2 billion resolution – the largest of its kind – recognizes the immense breadth of Deutsche Bank’s unlawful scheme by demanding a painful penalty from the bank, along with billions of dollars of relief to the communities and homeowners that continue to struggle because of Wall Street’s greed... The Department will remain relentless in holding financial institutions accountable for the harm their misconduct inflicted on investors, our economy and American consumers."

Principal Deputy Assistant Attorney General Benjamin C. Mizer, head of the Justice Department’s Civil Division, said:

"In the Statement of Facts accompanying this settlement, Deutsche Bank admits making false representations and omitting material information from disclosures to investors about the loans included in RMBS securities sold by the Bank. This misconduct, combined with that of the other banks we have already settled with, hurt our economy and threatened the banking system... To make matters worse, the Bank’s conduct encouraged shoddy mortgage underwriting and improvident lending that caused borrowers to lose their homes because they couldn’t pay their loans. Today’s settlement shows once again that the Department will aggressively pursue misconduct that hurts the American public."

State Street Corporation logo Third, State Street Corporation will pay more than $64 million to resolve fraud charges. State Street:

"... entered into a deferred prosecution agreement and agreed to pay a $32.3 million criminal penalty to resolve charges that it engaged in a scheme to defraud a number of the bank’s clients by secretly applying commissions to billions of dollars of securities trades. State Street also agreed to offer an equal amount as a civil penalty to the U.S. Securities and Exchange Commission (SEC)."

Acting Assistant Attorney General Bitkower said:

"State Street engaged in a concerted effort to fleece its clients by secretly charging unwarranted commissions... The bank fundamentally abused its clients’ trust and inflicted very real financial losses. The department will hold responsible those who engage in this type of criminal conduct."

Acting U.S. Attorney Weinreb said:

"State Street cheated its customers by agreeing to charge one price for its services and then secretly charging them something else... Banks that defraud their clients in this way must be held accountable, no matter how big they are."

Kudos to the DOJ for its enforcement actions. If this wrongdoing is ever going to stop, then jail time for executives needs to be applied.


Federal Reserve: Monitor Your Bank Accounts For Fraud And Know Where To Get Help

On Thursday, the Federal Reserve Board (FRB) issued a warning for consumers to do two things to protect themselves and their finances:

  1. Monitor online accounts for unauthorized transactions, and
  2. Learn where to find help should you find unauthorized transactions in your financial accounts

The FRB's warning also stated:

"Signs of potential problems may include a notice, bill, or debit card for an account that was not activated or authorized, as well as a notice of fees for unsolicited products or services tied to an existing account. Consumers who see questionable activity should contact their financial institution immediately. Consumers who continue to experience issues may also submit a complaint to the Federal Reserve. The Federal Reserve maintains the Federal Reserve Consumer Help (FRCH) website, which offers an online complaint form and information on filing complaints by fax and phone for consumers. The FRCH website also provides consumer alerts, frequently asked questions, and information about other government agencies. While the Federal Reserve does not have the authority to resolve every problem, it will refer complaints to the relevant federal or state agency. Consumers can contact FRCH at 1-888-851-1920, or at www.federalreserveconsumerhelp.gov."

Other relevant federal agencies may include the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities & Exchange Commission (SEC).


Federal Reserve Bars Two Bank Executives From Working Within Industry

The Federal Reserve Board announced this enforcement action:

"Richard Henderson and Philip Cooper, who held senior positions at Regions Equipment Finance Corporation (REFCO), Regions' subsidiary, were recently indicted for bank bribery, wire fraud, money laundering, and conspiracy. According to the indictment, Henderson and Cooper conspired to defraud Regions and REFCO by directing REFCO to purchase insurance policies from a shell company that paid kickbacks to Henderson and Cooper. The indictment further alleges that Henderson and Cooper attempted to conceal those kickbacks by establishing additional shell companies to receive the kickbacks.

In issuing today's enforcement actions, the Board found that, given the indictment, Henderson's and Cooper's continued participation in any depository institution may impair public confidence in that institution. The prohibition is effective until the criminal charges against Henderson and Cooper are resolved or disposed of, or until the Board terminates the prohibition."

REFCO was founded in 1972 and is based in Birmingham, Alabama. It is a subsidiary of Regions Bank.


Ashley Madison Operators Agree to Settlement With FTC And States

Ashley Madison home page image

The operators of the AshleyMadison.com dating site have agreed to settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected and site's poor handling of its password-reset mechanism made accounts discover-able while the site had promised otherwise. The site was know for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (Formerly called Avid Life media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment programs starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.


There's No Evidence Our Election Was Rigged

[Editor's note: Given recent allegations of voter fraud and hacks into voting systems, today's guest post is by reporters at ProPublica. This news story was originally published on November 28, 2016. It is reprinted with permission.]

by Jessica Huseman and Scott Klein, ProPublica

President-elect Donald Trump took to Twitter on Sunday to claim that he would have won the popular vote "if you deduct the millions of people who voted illegally."

There is no evidence that millions of people voted illegally. If there were, we'd have seen some sign of it.

ProPublica was an organizing partner in Electionland, a project run by a coalition of organizations including Google News Lab, Univision, WNYC, the CUNY Graduate School of Journalism and the USA Today Network. We monitored the vote with a team of more than 1,000 people, including about 600 journalism school students poring over social media reports and more than 400 local journalists who signed up to receive tips on what we found. We had access to a database of thousands of calls made to a nonpartisan legal hotline. We had four of the nation's leading voting experts in the room with us and election sources across the country. Thousands of people texted us to tell us about their voting experience.

We had an unprecedented real-time understanding of voting in the United States, and while we saw many types of problems, we did not see mass voter fraud of any kind 2014 especially of the sort Donald Trump alleges.

Trump's claim tracks closely with an Infowars piece published less than a week after the election, claiming that 3 million votes were cast by illegal aliens. The website, run by conservative radio host and noted conspiracy theorist Alex Jones, attributed the number to an unsubstantiated tweet by Gregg Phillips, the founder of VoteStand, a voter fraud app. While Infowars attributed the number to VoteFraud.org, there has been no report on the number by VoteFraud.org and Phillips told Politifact he was not affiliated with the organization. He would not provide Politifact with any information about how he arrived at the number, saying he was still verifying its accuracy. As Politifact points out, there is no evidence to support the number.

On a call Monday morning with reporters, Trump transition spokesman Jason Miller cited two studies to back up the president-elect's claim of illegal voting. The research, he said, spoke to "issues of both voter fraud and illegal immigrants voting."

Experts say the studies did not speak to these issues. The first study Miller cited was published in 2014 and has been widely debunked by a number of researchers. While the study claimed that 14 percent of non-citizens were registered to vote, that turned out to be an error in self-reporting. The question pertaining to citizenship was confusing, leading citizens to regularly mark themselves as non-citizens.

Miller also cited a 2012 Pew Study which found that there were thousands of people on the rolls who had moved or died. David Becker, now the executive director of the Center for Election Innovation & Research, was the primary author of the study, and told us there was "no link" between this study and voter fraud.

"The rolls are out of date because people are moving or dying in the normal course of things, not because people go and intentionally register in two states," he said, adding that his two decades of experience has shown him that out-of-date rolls are not used for fraud. He added that now that 20 states are participating in the Electronic Registration Information Center Inc. 2014 or ERIC 2014 which allows states to share registration information, the voting rolls in 2016 were "far more up to date" than the rolls in 2012.

Beyond the study, Becker said the warning signs of millions of ineligible voters casting ballots are simply not present, nor were they on Election Day, which Becker spent in the Electionland newsroom. In fact, he said, it's likely Electionland 2014 and many other election observers 2014 would have known about this long before the election actually took place.

"There would have been an unprecedented number of new registrants that would not have had matched social security or driver's license numbers," Becker said. "There was no exceptional registration, there were no crazy long lines, there were no language difficulties, and there wasn't an exceptionally high number of mail-in ballots."

Tammy Patrick, another Electionland expert and a fellow at the Bipartisan Policy Center, said that no elections officials have raised flags related to tampering. Jurisdictions do regular audits to ensure that the number of sign-ins equals the number of votes being cast, and none of those audits have found problems. In fact, with the fervor raised in advance by the president-elect himself, Patrick said this election was the best monitored in her memory.

"People were watching," she said. "We had more international observers than ever before. Thousands of political party observers at the polls. Campaign observers in the polling places."

Third-party candidate Jill Stein has raised less sweeping doubts about the validity of the vote. These came on the heels of a Nov. 22 piece in New York Magazine, claiming that researchers had found "persuasive evidence that results in Wisconsin, Michigan, and Pennsylvania may have been manipulated or hacked." The story went on to say that "in Wisconsin, Clinton received 7 percent fewer votes in counties that relied on electronic-voting machines compared with counties that used optical scanners and paper ballots."

Stein has now used this study in her recount petitions in both Wisconsin and Pennsylvania.

However, the story did not seem to hold up under scrutiny. One of those researchers, J. Alex Halderman, writing in a Medium post, disagreed with New York Magazine's characterization of his research, saying only that systems were vulnerable, pointing to the hacks on the Democratic National Committee and the voter registration systems in Illinois and Arizona. He did, however, call for manually checking paper ballots.

Nate Silver at 538 and others rebutted the New York Magazine claims via Twitter and later in a longer story. Silver pointed out, among other things, that in Wisconsin, the disparity between counties that use paper ballots and ones that use electronic voting systems disappears when controlling for race and education.

Charles Stewart, elections expert and professor at MIT, noted in his blog, "virtually all" ballots in Wisconsin and Michigan were cast on paper, so the "core empirical claim" of the New York Magazine story "cannot be true."

But Stein, citing "very troubling news about the possibility of security breaches in voting results," created a crowdsourcing campaign to fund a recount effort in Wisconsin, Michigan and Pennsylvania. She first set a fundraising goal of $2 million, which was very quickly met, and raised it ultimately to $7 million, where it currently stands as we write this.

The Clinton campaign is participating in the Wisconsin recount process. Marc Elias, general counsel to the Clinton campaign, expressed skepticism, saying that the campaign had "not uncovered any actionable evidence of hacking or outside attempts to alter the voting technology," but that they would participate in the recount "in order to ensure the process proceeds in a manner that is fair to all sides."

Both Becker and Patrick say the idea that a hack could meaningfully impact an election is far-fetched. In Wisconsin alone, there are 1,800 jurisdictions, none of which have machines connected to the internet, said Becker. "It would have taken thousands of people working in concert without being discovered to hack the result, just in Wisconsin," he said.

And while some have asserted that malware could have been built into the software used to run electronic voting machines and optical scanners for paper ballots, Patrick said this would either require a lot of foresight or time travel.

"This software is years old. The voting machines are not new. Someone would have had to years ago decide they were going to hack this election, without knowing who the candidates are," she said.

While it's important to investigate voting irregularities, claims made without evidence about fraudulent voting and hacking may have costs that go beyond the expense of a recount. Studies suggest that voters especially low-information voters 2014 who fear that their vote may be tampered with might not vote at all.

Members of the losing party often blame defeats on flaws in the voting system, Becker said. He said it's "particularly difficult" this year, when all of the polls seemed to be lined up against the ultimate winner, "but it doesn't change the facts about the process."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


You Gave President Elect Donald Trump a Whale Of A Holiday Gift

Just before the long holiday weekend, the Attorney General (AG) for New York State announced a settlement agreement with President Elect Donald J. Trump regarding his now defunct, educational business Trump University. Reportedly, the $25 million settlement agreement resolves two class-action lawsuits and an action by the New York State AG.

About 7,000 students paid up to $35,000 in tuition and allegedly received little to no education. Terms of the settlement require Mr. Trump to pay $21 million to settle the two class-action lawsuits and $4 million to New York State. The New York Times reported:

"Trump University, which operated from 2004 to 2010, included free introductory seminars across the country, focusing largely on real estate investing and learning Mr. Trump’s secrets... Documents made public through the litigation revealed that some former Trump University managers had given testimony about its unscrupulous and exploitative business practices. One sales executive testified that the operation was “a facade, a total lie.” Another manager called it a “fraudulent scheme.” Other records showed how Mr. Trump had overstated the depth of his involvement in the programs. Despite claims that Mr. Trump had handpicked instructors, he acknowledged in testimony that he had not... the conclusion of the Trump University cases brings vindication to former students, mostly ordinary people across the country who felt they had been robbed of their savings by Mr. Trump..."

The settlement terms did not require Mr. Trump to admit any wrongdoing:

"At a hearing on the case in San Diego on Friday, [Trump's attorney] Daniel Petrocelli said Mr. Trump had settled the case “without an acknowledgment of fault or liability.” "

Why settle now? The Los Angeles Times reported:

"The law firm Zeldes, Haeggquist & Eck, which helped represent the plaintiffs, said in a statement Friday that it was “incredibly painful” to end the legal battle now. “We stand behind their claims 100%,” the firm said, “but there is always risk in taking a case to trial and that was particularly so here, when the defendant was poised to be the next president of the United States.” The lawsuits dogged Trump on the campaign trail, and he denied the allegations many times and said he would not settle the cases."

Some might conclude that not having to admit wrongdoing is a whale of gift. Reportedly, attorneys for the students waived their fees so the students would receive more compensation. Students would received 55 to 100 percent of the money they spent. Some might also say that settling 3 lawsuits for pennies on the dollar is also a whale of a holiday gift. Sadly, there is more.

Much more. Forbes Magazine explained:

"Of course, the real cost to Mr. Trump is after tax, not before it. And most business settlements are fully tax deductible. The only part that arguably may not be here is the $1 million in penalties. But barring express non-deductibility commitments, many penalties can be deducted, too. In general, fines and penalties paid to the government are not deductible. Section 162(f) of the tax code prohibits deducting "any fine or similar penalty paid to a government for the violation of any law."

Despite punitive sounding names, though, some fines and penalties are considered remedial and deductible. That allows some flexibility. Companies often deduct ‘compensatory penalties,’ a maneuver affirmed in a recent Circuit Court ruling. Some defendants insist that their settlement agreement confirms that the payments are not penalties and are remedial. Conversely, some government entities insist on the reverse.  Explicit provisions about taxes in settlement agreements are becoming more common."

You may remember the fines and payments paid by JPMorgan bank in a 2013 settlement agreement. Frobes explained that only $2 billion of the $13 billion was not tax-deductible. So, taxpayers nationwide have given Mr. Trump a whale of a holiday gift similar to gifts given repeatedly to big banks: tax-deductible payments in settlement agreements that allow them to pay less taxes. You'd think that the tax-deductible benefit would come with a price: having to admit wrongdoing.

Is this fair? Is it right? A 2014 survey by the U.S. Public Interest Research Group Education Fund found that most Americans disapprove of tax-deductible payments in settlement agreements, and want more transparency and disclosures about the contents of settlement agreements.

It is infuriating to this taxpayer. Hopefully it infuriates you, too. It seems that often payments and fines to resolve and penalize a defendant for wrongdoing are anything but. What are your opinions?


The List of Fake News Sites

New York Magazine reported:

"As Facebook and now Google face scrutiny for promoting fake news stories, Melissa Zimdars, a communication and media professor from Merrimack College in Massachusetts, has compiled a handy list of websites you should think twice about trusting. “Below is a list of fake, false, regularly misleading, and otherwise questionable ‘news’ organizations that are commonly shared on Facebook and other social media sites,” Zimdars explains. “Many of these websites rely on ‘outrage’ by using distorted headlines and decontextualized or dubious information in order to generate likes, shares, and profits.” (Click here to see the list.)

Be warned: Zimdars’s list is expansive in scope, and stretches beyond the bootleg sites (many of them headquartered in Macedonia) that write fake news for the sole reason of selling advertisements. Right-wing sources and conspiracy theorists like Breitbart and Infowars appear alongside pure (but often misinterpreted) satire like the Onion and The New Yorker’s Borowitz Report."

For consumers seeking "hard" news (e.g., the raw who, what, when, and where something happened), some sources: Associated Press (AP), Reuters, and United Press International (UPI). What sources do you use for "hard" news?


Wells Fargo Tries To Do The Right Thing For Its Customers

Wells Fargo logo After the massive $185 million fine for its phony accounts scam, Wells Fargo bank is trying to do right by its customers. The bank published this statement with promises:

"Steps we have taken to ensure our Community Bank sales culture is wholly aligned with our customers’ interests include: 1) Eliminating product sales goals for all retail bankers to make certain nothing gets in the way of doing what is right for our customers; 2) Sending customers a confirmation email within one hour of opening any deposit account and an acknowledgement letter after submitting a credit card application; 3) Contacting all deposit customers across the country to invite them to review their accounts with their banker and calling the credit card customers identified in the review to confirm whether they need or want their credit card; 4) Expanding the remediation review to 2009 and 2010; and 5) Conducting an independent, enterprise-wide review of our sales practices."

There is more. A September 27th news release by Wells Fargo stated:

"The Independent Directors of the Board of Directors of Wells Fargo & Company (NYSE: WFC) today announced that they have launched an independent investigation into the Company’s retail banking sales practices and related matters. A Special Committee of Independent Directors will lead the investigation, working with the Board’s Human Resources Committee and independent counsel Shearman & Sterling LLP. Chairman and CEO John Stumpf, a member of the Board, has recused himself from all matters related to the Independent Directors’ investigation and deliberations.

The Independent Directors have taken a number of initial steps they believe are appropriate to promote accountability at the Company. They have agreed with Mr. Stumpf that he will forfeit all of his outstanding unvested equity awards, valued at approximately $41 million based on today’s closing share price, and that he will forgo his salary during the pendency of the investigation. In addition, he will not receive a bonus for 2016. Carrie Tolstedt, until recently Head of Community Banking, has left the Company, and the Independent Directors have determined that she will forfeit all of her outstanding unvested equity awards, valued at approximately $19 million based on today’s closing share price. Ms. Tolstedt will not receive a bonus for 2016 and will not be paid severance or receive any retirement enhancements in connection with her separation from the Company. She has also agreed that she will not exercise her outstanding options during the pendency of the investigation. These initial actions will not preclude additional steps being taken with respect to Mr. Stumpf, Ms. Tolstedt or other executives as a consequence of the information developed in the investigation."

Conducting an investigation? That means the bank's senior executives still don't know what happened, or may still be happening -- or even worse, some executives know and haven't admitted important facts. Is this a bank to do business with? John Chiang, the Treasurer for the State of California announced on Wednesday that the State has suspended doing business with Wells Fargo for 12 months. Chiang issued this explanation:

"... the Treasurer oversees nearly $2 trillion in annual banking transactions, manages a $75 billion investment pool, and is the nation’s largest issuer of municipal debt... The Treasurer announced in a letter to Wells Fargo Chairman John G. Stumpf and board members that he has ordered the suspension of Wells Fargo’s participation in its most highly profitable business relationships with the State of California. Those sanctions include: i) Suspension of investments by the Treasurer’s Office in all Wells Fargo securities; ii) Suspension of the use of Wells Fargo as a broker-dealer for purchasing of investments by his office; and iii) Suspension of Wells Fargo as a managing underwriter on negotiated sales of California state bonds where the Treasurer appoints the underwriter... These sanctions take effect immediately and will remain in place for the next twelve months. Wells Fargo is expected to comply with all of the terms of the consent orders it has entered with the Consumer Financial Protection Bureau, the Los Angeles City Attorney, and the Office of the Comptroller of the Currency... The letter warns the bank that if it fails to demonstrate compliance with the Consent Orders or evidence surfaces that Wells Fargo has engaged in the same behavior it will face tougher sanctions up to and including complete and permanent severance of all ties between the Treasurer’s Office and Wells Fargo..."

Hopefully, the board will assess more penalties upon Stumpf, Tolstedt, and senior bank executives. The penalties mentioned above seem woefully insufficient, since they penalize the executives in 2016 for activities that perpetuated during the last five years.

The bank's statement was also silent about important issues: a) remedies for customers whose credit ratings were damaged by the phony new accounts, and b) compensation for customers for lost interest revenues when their money was withdrawn from interest-bearing accounts to set up the phony new accounts.

The bank's news release included this statement by Stephen Sanger, Lead Independent Director:

"... We will conduct this investigation with the diligence it deserves -- and will follow the facts wherever they lead. Our thousands of outstanding team members and millions of loyal customers and shareholders deserve no less. Based on the results of the investigation, the Independent Members of the Board will take such other actions as they collectively deem appropriate, which may include further compensation actions before any additional equity awards vest or bonus decisions are made early next year, clawbacks of compensation already paid out, and other employment-related actions. We will proceed with a sense of urgency but will take the time we need to conduct a thorough investigation. We will then take all appropriate actions to reinforce the right culture and ensure that lessons are learned, misconduct is addressed, and systems and processes are improved so there can be no repetition of similar conduct."

While clawbacks into executives' compensation during prior years sounds good, the key takeaway seems to be: the board still does not know what is happening in its bank, nor what corrective actions to implement beyond the promises listed above. And it can't rely on Stumpf to tell them. Stumpf should be fired immediately for not keeping the board informed. Same for Tolstedt. In a perfect world, both would be in prison. Fraud is fraud.

What are your opinions about Wells Fargo? Would you do business with the bank?


Tax Related Identity Theft And Fraud: Next Steps For Victims

This morning, a friend sent the following via e-mail:

"Just learned today that I was a victim of identity theft. My accountant tried to electronically file my income tax but it was rejected. The IRS told him I already filed. Since the early return is obviously fraudulent I was told I could not electronically file but had to file with paper. Spent the last couple hours notifying credit bureaus and the Federal Trade Commission. It doesn't appear they have applied for any new credit card yet. I wonder whether they got a refund in my name. I also have been involved in a couple big data breaches where the company who lost my data has provided free credit monitoring services. None of the services have detected fraudulent activities. It must've been through one of these that someone got hold my Social Security number. So far so good, but this is an extra headache I didn't need."

It was sad to read this e-mail message. Identity theft is always a major pain and inconvenience. I experienced this in 2007 after IBM, Inc. had its massive data breach. There's a lot to consider and to do. Most consumers have no idea what to do next. That’s why I started me blogging about identity theft, data breaches, and corporate responsibility. The blog has been a good tool for me to catalog what I've learned about what to do next.

Since my friend's sensitive information (e.g., name, address, phone, social number, and maybe more) are out in the wild, that means thieves will sell and resell it as long as they think the information is usable. The criminals now know enough about my friend that they will try to commit more fraud -- often by impersonating my friend to gain access to their financial accounts. Thieves may call the customer service departments at banks pretending to be my friend. While writing this blog the last 8+ years, I've learned that identity thieves are smart, persistent, and go where the money is.

I suggested that my friend do the following to protect their self:

  1. It seemed like my friend is already following the advice by Internet Revenue Service (IRS) for victims of tax-related identity theft and fraud. That’s a good start. Another good place to start is the Identify Theft site by the U.S. Federal Trade Commission (FTC). Follow the next steps recommended by the FTC.
  2. File a police report with the local police department. They’ll probably do nothing, but this will help my friend create a paper trail. Certain documents will be needed when filing claims with insurance companies.
  3. While my friend has already contacted the three major credit reporting agencies (TransUnion, Experian, and Equifax), don't stop with a Fraud Alert. That’s weak tea. Do a Security Freeze instead. That will prevent fraudsters from taking out new loans or getting credit in my friend's name. This will cost up to $10 for each.
  4. Call financial institutions and advise them of your identity theft. Follow any processes the banks have. Get new debit/credit card numbers if your card information (card name, account number, security code, etc.) was exposed in #6.
  5. Change online passwords for all financial accounts (e.g., checking, savings, mortgages, insurance, credit cards, 401-K, IRA’s, etc.). Notify them that your data has been stolen and used. Follow any procedures the banks have for reporting fraud. Don’t use the same password at multiple sites. Why? Thieves will use a stolen password at several websites, to see where else they can break in.
  6. Since one or more companies had data breaches that exposed my friend's sensitive information, my friend should notify each company that thieves have used their sensitive information for tax-related fraud. These companies will probably deny that their breach was the cause, but my friend is informing them of the consequences. If the breach was bad, there may be an upcoming class action, so I encouraged my friend to consider and join any class-action lawsuits. The financial rewards may be beneficial.
  7. Thieves will continue to use my friend's stolen information as long as they think it is useful. So, my friend will need to be vigilant. That means continuing to periodically monitor bank account statements and credit reports for fraudulent entries (if my uses only the Fraud Alert option). This sucks, but that is the reality in the digital information economy. When companies have data breaches, we consumers are usually left with the cleanup burden.
  8. If the companies in #6 offer free credit monitoring services, accept the offer and use it. Those monitoring services can help with #7. Plus, these monitoring services usually offer fraud resolution services: the detailed, time-consuming, and complicated process of cleaning up accounts and records muddled by thieves. If the corporate data breaches in #6 included my friend's spouse and/or dependents, be sure that any credit monitoring services cover these persons.
  9. Keep a solid paper trail. My friend will likely need some of this documentation later.
  10. Stay in touch with both the IRS and the Department of Revenue in the state where you live. The thieves may file fraudulent state tax returns, too. Both the federal and my friend's state tax agencies have fraud procedures. Respond to any notifications you receive from both; preferably in writing.
  11. If any of the companies in #6 was a health care provider and the breach included medical records, then my friend is at risk for both financial fraud and medical fraud. More steps apply for medical fraud and the resolution process is even more complicated. For example, the thief's blood type and other health data could be co-mingled with the victim's, introducing errors and other risks.
  12. Some criminals use stolen identity information to get bogus driver’s licenses. If my friend gets stopped by the police while driving, don’t panic. Explain to law enforcement the identity theft and and #2. My friend may have to get fingerprinted, since that is a good method to distinguish the fraudster from my friend.
  13. Some criminals sell stolen information to undocumented people to gain employment. So, my friend's stolen Social Security Number may be used by another person. When several persons use the same Social Security number for employment, there are plenty of consequences. (There's the infamous case of 81 persons using the same SSN.) The Identity Theft Resource Center recommends solutions for SSN fraud victims. See the Social Security Administration's process for reporting fraud. Check the contractual agreement for a credit monitoring service to see if its resolution services cover this.
  14. Keep the anti-virus software updated on all devices (e.g., desktop, laptop, phone, tablet) and run scans at least once monthly.

That was my advice to my friend. What might you advise?