223 posts categorized "Fraud" Feed

Minnesota Judge Signed Warrant For Users' Google Search Data About A Person's Name

A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.

The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.

During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet protoccol) addresses, MAC addresses, and dates/times the searches were performed.

The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?

The Minneapolis Star-Tribune newspaper reported:

"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. "This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent," said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. "It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions." "

Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.

This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.

Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are lawn enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.

What are your opinions?


4 Charged, Including Russian Government Agents, In Massive Yahoo Hack

Department of Justice logo The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

The announcement described how the defendants, beginning in January 2014:

"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."

The four defendants are:

  1. Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident
  2. Igor Anatolyevich Sushchin, 43, a Russian national and resident,
  3. Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
  4. Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.

Several lawsuits have resulted from the Yahoo breach including a shareholder lawsuit alleging a breach of fiduciary duty by the directors of the tech company, and a class-action regarding stolen credit card payment information.

Attorney General Sessions said about the charges against four defendants:

"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."

FBI Director said:

"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."

Acting Assistant Attorney General McCord said:

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."


Western Union Admitted To Money-Laundering Charges. To Pay $586 Million Fine

Western Union Company logo A news item you may have missed during the run-up to the Presidential Inauguration. The U.S. Federal Trade Commission (FTC) announced settlement agreements with Western Union where the company admitted to money-laundering charges and agreed to pay $586 million in fines and restitution.

Western Union inked settlement agreements with the FTC, the Justice Department (DOJ), and with several U.S. Attorneys’ Offices: the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. The FTC announcement stated:

"In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud... According to admissions contained in the deferred prosecution agreement (DPA) with the Justice Department and the accompanying statement of facts, Western Union violated U.S. laws—the Bank Secrecy Act (BSA) and anti-fraud statutes—by processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme. As part of the scheme, fraudsters contacted victims in the U.S. and falsely posed as family members in need or promised prizes or job opportunities. The fraudsters directed the victims to send money through Western Union to help their relative or claim their prize. Various Western Union agents were complicit in these fraud schemes, often processing the fraud payments for the fraudsters in return for a cut of the fraud proceeds."

The FTC alleged in a complaint filed in U.S. District Court for the Middle District of Pennsylvania that the company’s conduct violated the FTC Act. The complaint alleged that fraudsters globally used Western Union’s money transfer system for many years, even after the company was aware of the problems. The complaint also alleged that some Western Union agents were complicit in fraud. Also, the FTC’s complaint alleged that Western Union failed to implement effective anti-fraud policies and procedures, and it failed to act promptly against problem agents (e.g., suspensions, terminations).

Also, the announcement described the extent and duration of the fraud:

"The BSA requires financial institutions, including money services businesses such as Western Union, to file currency transaction reports (CTRs) for transactions in currency greater than $10,000 in a single day. To evade the filing of a CTR and identification requirements, criminals will often structure their currency transactions so that no single transaction exceeds the $10,000 threshold. Financial institutions are required to report suspected structuring... Western Union knew that certain of its U.S. Agents were allowing or aiding and abetting structuring by their customers. Rather than taking corrective action to eliminate structuring at and by its agents, Western Union, among other things, allowed agents to continue sending transactions... Beginning in at least 2004, Western Union recorded customer complaints about fraudulently induced payments in what are known as consumer fraud reports (CFRs). In 2004, Western Union’s Corporate Security Department proposed global guidelines for discipline and suspension of Western Union agents that processed a materially elevated number of fraud transactions. In these guidelines, the Corporate Security Department effectively recommended automatically suspending any agent that paid 15 CFRs within 120 days. Had Western Union implemented these proposed guidelines, it would have prevented significant fraud losses to victims and would have resulted in corrective action against more than 2,000 agents worldwide between 2004 and 2012."

U.S. Attorney Eileen M. Decker of the Central District of California said:

"Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers... In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes."

U.S. Attorney Bruce D. Brandler said:

"The U.S. Attorney’s Office for the Middle District of Pennsylvania has a long history of prosecuting corrupt Western Union Agents... Since 2001 our office, in conjunction with the U.S. Postal Inspection Service, has charged and convicted 26 Western Union Agents in the United States and Canada who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes. I am gratified that the deferred prosecution agreement reached today with Western Union ensures that $586 million will be available to compensate the many victims of these frauds."

Terms of the settlement agreements require Western union to:

  • Pay a monetary judgment of $586 million,
  • Implement and maintain a comprehensive anti-fraud program with training for its agents and their front line associates,
  • Monitor to detect and prevent fraud-induced money transfers,
  • Conduct due diligence on all new and renewing company agents, plus suspend or terminate non-compliant agents,
  • Stop transmitting money transfers it knows or reasonably should know are fraud-induced,
  • Block money transfers sent to any person who is the subject of a fraud report,
  • Provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms,
  • Increase the availability of websites and telephone numbers that enable consumers to file fraud complaints,
  • Refund fraudulent money transfers if it failed to comply with its anti-fraud procedures, and
  • Not process money transfers it knows or should know are payments for telemarketing transactions.

Western Union's compliance with these requirements will be monitored for three years by an independent compliance auditor. Western Union said in a January 19th press release:

"The Western Union Company (NYSE: WU) today announced agreements with the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) that resolve previously disclosed investigations focused primarily on the Company’s oversight of certain agents and whether its anti-fraud program, as well as its anti-money laundering controls, adequately prevented misconduct by those agents and third parties. The conduct at issue mainly occurred from 2004 to 2012."

"As part of this resolution, Western Union will enter into a deferred prosecution agreement with the DOJ and a consent order with the FTC. The Company will pay a total of $586 million to the federal government, which is to be used to reimburse consumers who were victims of fraud during the relevant period. Western Union also will take specific actions to further enhance its oversight of agents and its protection of customers... Over the past five years, Western Union increased overall compliance funding by more than 200 percent, and now spends approximately $200 million per year on compliance, with more than 20 percent of its workforce currently dedicated to compliance functions. The comprehensive improvements undertaken by the Company have added more employees with law enforcement and regulatory expertise, strengthened its consumer education and agent training, bolstered its technology-driven controls and changed its governance structure so that its Chief Compliance Officer is a direct report to the Compliance Committee of the Board of Directors."

"... [Western Union] will simultaneously resolve, without any additional payment or non-monetary obligations, potential claims by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) relating to conduct in the 2010 to 2012 period that FinCEN contended violated the Bank Secrecy Act. The Company received a notice of investigation from FinCEN in mid-December 2016. The separate agreement with FinCEN sets forth a civil penalty of $184 million, the full amount of which will be deemed satisfied by the $586 million compensation payment under the DOJ and FTC agreements."


Several Banks Fined Billions By Justice Department For Alleged Wrongdoing

Credit Suisse logo In case you missed it, the U.S. Department of Justice (DOJ) announced last week several settlement agreements and fines against several banks. First, for conduct with the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities (RMBS) between 2005 and 2007, Credit Suisse will pay about $5.3 billion in fines and relief. That includes $2.48 billion as a civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $2.8 billion in:

"... relief to underwater homeowners, distressed borrowers and affected communities, in the form of loan forgiveness and financing for affordable housing. Investors, including federally-insured financial institutions, suffered billions of dollars in losses from investing in RMBS issued and underwritten by Credit Suisse between 2005 and 2007."

Principal Deputy Associate Attorney General Bill Baer said:

"Credit Suisse claimed its mortgage backed securities were sound, but in the settlement announced today the bank concedes that it knew it was peddling investments containing loans that were likely to fail... That behavior is unacceptable. Today's $5.3 billion resolution is another step towards holding financial institutions accountable for misleading investors and the American public."

Second, for conduct with the packaging, securitization, marketing, sale and issuance of residential mortgage-backed securities (RMBS) between 2006 and 2007, Deutsche Bank will pay $7.2 billion in fines and relief. That includes a $3.1 billion civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $4.1 billion in relief to underwater homeowners, distressed borrowers and affected communities.

Deutsche bank logo Principal Deputy Associate Attorney General Bill Baer said:

"This $7.2 billion resolution – the largest of its kind – recognizes the immense breadth of Deutsche Bank’s unlawful scheme by demanding a painful penalty from the bank, along with billions of dollars of relief to the communities and homeowners that continue to struggle because of Wall Street’s greed... The Department will remain relentless in holding financial institutions accountable for the harm their misconduct inflicted on investors, our economy and American consumers."

Principal Deputy Assistant Attorney General Benjamin C. Mizer, head of the Justice Department’s Civil Division, said:

"In the Statement of Facts accompanying this settlement, Deutsche Bank admits making false representations and omitting material information from disclosures to investors about the loans included in RMBS securities sold by the Bank. This misconduct, combined with that of the other banks we have already settled with, hurt our economy and threatened the banking system... To make matters worse, the Bank’s conduct encouraged shoddy mortgage underwriting and improvident lending that caused borrowers to lose their homes because they couldn’t pay their loans. Today’s settlement shows once again that the Department will aggressively pursue misconduct that hurts the American public."

State Street Corporation logo Third, State Street Corporation will pay more than $64 million to resolve fraud charges. State Street:

"... entered into a deferred prosecution agreement and agreed to pay a $32.3 million criminal penalty to resolve charges that it engaged in a scheme to defraud a number of the bank’s clients by secretly applying commissions to billions of dollars of securities trades. State Street also agreed to offer an equal amount as a civil penalty to the U.S. Securities and Exchange Commission (SEC)."

Acting Assistant Attorney General Bitkower said:

"State Street engaged in a concerted effort to fleece its clients by secretly charging unwarranted commissions... The bank fundamentally abused its clients’ trust and inflicted very real financial losses. The department will hold responsible those who engage in this type of criminal conduct."

Acting U.S. Attorney Weinreb said:

"State Street cheated its customers by agreeing to charge one price for its services and then secretly charging them something else... Banks that defraud their clients in this way must be held accountable, no matter how big they are."

Kudos to the DOJ for its enforcement actions. If this wrongdoing is ever going to stop, then jail time for executives needs to be applied.


Federal Reserve: Monitor Your Bank Accounts For Fraud And Know Where To Get Help

On Thursday, the Federal Reserve Board (FRB) issued a warning for consumers to do two things to protect themselves and their finances:

  1. Monitor online accounts for unauthorized transactions, and
  2. Learn where to find help should you find unauthorized transactions in your financial accounts

The FRB's warning also stated:

"Signs of potential problems may include a notice, bill, or debit card for an account that was not activated or authorized, as well as a notice of fees for unsolicited products or services tied to an existing account. Consumers who see questionable activity should contact their financial institution immediately. Consumers who continue to experience issues may also submit a complaint to the Federal Reserve. The Federal Reserve maintains the Federal Reserve Consumer Help (FRCH) website, which offers an online complaint form and information on filing complaints by fax and phone for consumers. The FRCH website also provides consumer alerts, frequently asked questions, and information about other government agencies. While the Federal Reserve does not have the authority to resolve every problem, it will refer complaints to the relevant federal or state agency. Consumers can contact FRCH at 1-888-851-1920, or at www.federalreserveconsumerhelp.gov."

Other relevant federal agencies may include the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities & Exchange Commission (SEC).


Federal Reserve Bars Two Bank Executives From Working Within Industry

The Federal Reserve Board announced this enforcement action:

"Richard Henderson and Philip Cooper, who held senior positions at Regions Equipment Finance Corporation (REFCO), Regions' subsidiary, were recently indicted for bank bribery, wire fraud, money laundering, and conspiracy. According to the indictment, Henderson and Cooper conspired to defraud Regions and REFCO by directing REFCO to purchase insurance policies from a shell company that paid kickbacks to Henderson and Cooper. The indictment further alleges that Henderson and Cooper attempted to conceal those kickbacks by establishing additional shell companies to receive the kickbacks.

In issuing today's enforcement actions, the Board found that, given the indictment, Henderson's and Cooper's continued participation in any depository institution may impair public confidence in that institution. The prohibition is effective until the criminal charges against Henderson and Cooper are resolved or disposed of, or until the Board terminates the prohibition."

REFCO was founded in 1972 and is based in Birmingham, Alabama. It is a subsidiary of Regions Bank.


Ashley Madison Operators Agree to Settlement With FTC And States

Ashley Madison home page image

The operators of the AshleyMadison.com dating site have agreed to settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected and site's poor handling of its password-reset mechanism made accounts discover-able while the site had promised otherwise. The site was know for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (Formerly called Avid Life media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment programs starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.


There's No Evidence Our Election Was Rigged

[Editor's note: Given recent allegations of voter fraud and hacks into voting systems, today's guest post is by reporters at ProPublica. This news story was originally published on November 28, 2016. It is reprinted with permission.]

by Jessica Huseman and Scott Klein, ProPublica

President-elect Donald Trump took to Twitter on Sunday to claim that he would have won the popular vote "if you deduct the millions of people who voted illegally."

There is no evidence that millions of people voted illegally. If there were, we'd have seen some sign of it.

ProPublica was an organizing partner in Electionland, a project run by a coalition of organizations including Google News Lab, Univision, WNYC, the CUNY Graduate School of Journalism and the USA Today Network. We monitored the vote with a team of more than 1,000 people, including about 600 journalism school students poring over social media reports and more than 400 local journalists who signed up to receive tips on what we found. We had access to a database of thousands of calls made to a nonpartisan legal hotline. We had four of the nation's leading voting experts in the room with us and election sources across the country. Thousands of people texted us to tell us about their voting experience.

We had an unprecedented real-time understanding of voting in the United States, and while we saw many types of problems, we did not see mass voter fraud of any kind 2014 especially of the sort Donald Trump alleges.

Trump's claim tracks closely with an Infowars piece published less than a week after the election, claiming that 3 million votes were cast by illegal aliens. The website, run by conservative radio host and noted conspiracy theorist Alex Jones, attributed the number to an unsubstantiated tweet by Gregg Phillips, the founder of VoteStand, a voter fraud app. While Infowars attributed the number to VoteFraud.org, there has been no report on the number by VoteFraud.org and Phillips told Politifact he was not affiliated with the organization. He would not provide Politifact with any information about how he arrived at the number, saying he was still verifying its accuracy. As Politifact points out, there is no evidence to support the number.

On a call Monday morning with reporters, Trump transition spokesman Jason Miller cited two studies to back up the president-elect's claim of illegal voting. The research, he said, spoke to "issues of both voter fraud and illegal immigrants voting."

Experts say the studies did not speak to these issues. The first study Miller cited was published in 2014 and has been widely debunked by a number of researchers. While the study claimed that 14 percent of non-citizens were registered to vote, that turned out to be an error in self-reporting. The question pertaining to citizenship was confusing, leading citizens to regularly mark themselves as non-citizens.

Miller also cited a 2012 Pew Study which found that there were thousands of people on the rolls who had moved or died. David Becker, now the executive director of the Center for Election Innovation & Research, was the primary author of the study, and told us there was "no link" between this study and voter fraud.

"The rolls are out of date because people are moving or dying in the normal course of things, not because people go and intentionally register in two states," he said, adding that his two decades of experience has shown him that out-of-date rolls are not used for fraud. He added that now that 20 states are participating in the Electronic Registration Information Center Inc. 2014 or ERIC 2014 which allows states to share registration information, the voting rolls in 2016 were "far more up to date" than the rolls in 2012.

Beyond the study, Becker said the warning signs of millions of ineligible voters casting ballots are simply not present, nor were they on Election Day, which Becker spent in the Electionland newsroom. In fact, he said, it's likely Electionland 2014 and many other election observers 2014 would have known about this long before the election actually took place.

"There would have been an unprecedented number of new registrants that would not have had matched social security or driver's license numbers," Becker said. "There was no exceptional registration, there were no crazy long lines, there were no language difficulties, and there wasn't an exceptionally high number of mail-in ballots."

Tammy Patrick, another Electionland expert and a fellow at the Bipartisan Policy Center, said that no elections officials have raised flags related to tampering. Jurisdictions do regular audits to ensure that the number of sign-ins equals the number of votes being cast, and none of those audits have found problems. In fact, with the fervor raised in advance by the president-elect himself, Patrick said this election was the best monitored in her memory.

"People were watching," she said. "We had more international observers than ever before. Thousands of political party observers at the polls. Campaign observers in the polling places."

Third-party candidate Jill Stein has raised less sweeping doubts about the validity of the vote. These came on the heels of a Nov. 22 piece in New York Magazine, claiming that researchers had found "persuasive evidence that results in Wisconsin, Michigan, and Pennsylvania may have been manipulated or hacked." The story went on to say that "in Wisconsin, Clinton received 7 percent fewer votes in counties that relied on electronic-voting machines compared with counties that used optical scanners and paper ballots."

Stein has now used this study in her recount petitions in both Wisconsin and Pennsylvania.

However, the story did not seem to hold up under scrutiny. One of those researchers, J. Alex Halderman, writing in a Medium post, disagreed with New York Magazine's characterization of his research, saying only that systems were vulnerable, pointing to the hacks on the Democratic National Committee and the voter registration systems in Illinois and Arizona. He did, however, call for manually checking paper ballots.

Nate Silver at 538 and others rebutted the New York Magazine claims via Twitter and later in a longer story. Silver pointed out, among other things, that in Wisconsin, the disparity between counties that use paper ballots and ones that use electronic voting systems disappears when controlling for race and education.

Charles Stewart, elections expert and professor at MIT, noted in his blog, "virtually all" ballots in Wisconsin and Michigan were cast on paper, so the "core empirical claim" of the New York Magazine story "cannot be true."

But Stein, citing "very troubling news about the possibility of security breaches in voting results," created a crowdsourcing campaign to fund a recount effort in Wisconsin, Michigan and Pennsylvania. She first set a fundraising goal of $2 million, which was very quickly met, and raised it ultimately to $7 million, where it currently stands as we write this.

The Clinton campaign is participating in the Wisconsin recount process. Marc Elias, general counsel to the Clinton campaign, expressed skepticism, saying that the campaign had "not uncovered any actionable evidence of hacking or outside attempts to alter the voting technology," but that they would participate in the recount "in order to ensure the process proceeds in a manner that is fair to all sides."

Both Becker and Patrick say the idea that a hack could meaningfully impact an election is far-fetched. In Wisconsin alone, there are 1,800 jurisdictions, none of which have machines connected to the internet, said Becker. "It would have taken thousands of people working in concert without being discovered to hack the result, just in Wisconsin," he said.

And while some have asserted that malware could have been built into the software used to run electronic voting machines and optical scanners for paper ballots, Patrick said this would either require a lot of foresight or time travel.

"This software is years old. The voting machines are not new. Someone would have had to years ago decide they were going to hack this election, without knowing who the candidates are," she said.

While it's important to investigate voting irregularities, claims made without evidence about fraudulent voting and hacking may have costs that go beyond the expense of a recount. Studies suggest that voters especially low-information voters 2014 who fear that their vote may be tampered with might not vote at all.

Members of the losing party often blame defeats on flaws in the voting system, Becker said. He said it's "particularly difficult" this year, when all of the polls seemed to be lined up against the ultimate winner, "but it doesn't change the facts about the process."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


You Gave President Elect Donald Trump a Whale Of A Holiday Gift

Just before the long holiday weekend, the Attorney General (AG) for New York State announced a settlement agreement with President Elect Donald J. Trump regarding his now defunct, educational business Trump University. Reportedly, the $25 million settlement agreement resolves two class-action lawsuits and an action by the New York State AG.

About 7,000 students paid up to $35,000 in tuition and allegedly received little to no education. Terms of the settlement require Mr. Trump to pay $21 million to settle the two class-action lawsuits and $4 million to New York State. The New York Times reported:

"Trump University, which operated from 2004 to 2010, included free introductory seminars across the country, focusing largely on real estate investing and learning Mr. Trump’s secrets... Documents made public through the litigation revealed that some former Trump University managers had given testimony about its unscrupulous and exploitative business practices. One sales executive testified that the operation was “a facade, a total lie.” Another manager called it a “fraudulent scheme.” Other records showed how Mr. Trump had overstated the depth of his involvement in the programs. Despite claims that Mr. Trump had handpicked instructors, he acknowledged in testimony that he had not... the conclusion of the Trump University cases brings vindication to former students, mostly ordinary people across the country who felt they had been robbed of their savings by Mr. Trump..."

The settlement terms did not require Mr. Trump to admit any wrongdoing:

"At a hearing on the case in San Diego on Friday, [Trump's attorney] Daniel Petrocelli said Mr. Trump had settled the case “without an acknowledgment of fault or liability.” "

Why settle now? The Los Angeles Times reported:

"The law firm Zeldes, Haeggquist & Eck, which helped represent the plaintiffs, said in a statement Friday that it was “incredibly painful” to end the legal battle now. “We stand behind their claims 100%,” the firm said, “but there is always risk in taking a case to trial and that was particularly so here, when the defendant was poised to be the next president of the United States.” The lawsuits dogged Trump on the campaign trail, and he denied the allegations many times and said he would not settle the cases."

Some might conclude that not having to admit wrongdoing is a whale of gift. Reportedly, attorneys for the students waived their fees so the students would receive more compensation. Students would received 55 to 100 percent of the money they spent. Some might also say that settling 3 lawsuits for pennies on the dollar is also a whale of a holiday gift. Sadly, there is more.

Much more. Forbes Magazine explained:

"Of course, the real cost to Mr. Trump is after tax, not before it. And most business settlements are fully tax deductible. The only part that arguably may not be here is the $1 million in penalties. But barring express non-deductibility commitments, many penalties can be deducted, too. In general, fines and penalties paid to the government are not deductible. Section 162(f) of the tax code prohibits deducting "any fine or similar penalty paid to a government for the violation of any law."

Despite punitive sounding names, though, some fines and penalties are considered remedial and deductible. That allows some flexibility. Companies often deduct ‘compensatory penalties,’ a maneuver affirmed in a recent Circuit Court ruling. Some defendants insist that their settlement agreement confirms that the payments are not penalties and are remedial. Conversely, some government entities insist on the reverse.  Explicit provisions about taxes in settlement agreements are becoming more common."

You may remember the fines and payments paid by JPMorgan bank in a 2013 settlement agreement. Frobes explained that only $2 billion of the $13 billion was not tax-deductible. So, taxpayers nationwide have given Mr. Trump a whale of a holiday gift similar to gifts given repeatedly to big banks: tax-deductible payments in settlement agreements that allow them to pay less taxes. You'd think that the tax-deductible benefit would come with a price: having to admit wrongdoing.

Is this fair? Is it right? A 2014 survey by the U.S. Public Interest Research Group Education Fund found that most Americans disapprove of tax-deductible payments in settlement agreements, and want more transparency and disclosures about the contents of settlement agreements.

It is infuriating to this taxpayer. Hopefully it infuriates you, too. It seems that often payments and fines to resolve and penalize a defendant for wrongdoing are anything but. What are your opinions?


The List of Fake News Sites

New York Magazine reported:

"As Facebook and now Google face scrutiny for promoting fake news stories, Melissa Zimdars, a communication and media professor from Merrimack College in Massachusetts, has compiled a handy list of websites you should think twice about trusting. “Below is a list of fake, false, regularly misleading, and otherwise questionable ‘news’ organizations that are commonly shared on Facebook and other social media sites,” Zimdars explains. “Many of these websites rely on ‘outrage’ by using distorted headlines and decontextualized or dubious information in order to generate likes, shares, and profits.” (Click here to see the list.)

Be warned: Zimdars’s list is expansive in scope, and stretches beyond the bootleg sites (many of them headquartered in Macedonia) that write fake news for the sole reason of selling advertisements. Right-wing sources and conspiracy theorists like Breitbart and Infowars appear alongside pure (but often misinterpreted) satire like the Onion and The New Yorker’s Borowitz Report."

For consumers seeking "hard" news (e.g., the raw who, what, when, and where something happened), some sources: Associated Press (AP), Reuters, and United Press International (UPI). What sources do you use for "hard" news?


Wells Fargo Tries To Do The Right Thing For Its Customers

Wells Fargo logo After the massive $185 million fine for its phony accounts scam, Wells Fargo bank is trying to do right by its customers. The bank published this statement with promises:

"Steps we have taken to ensure our Community Bank sales culture is wholly aligned with our customers’ interests include: 1) Eliminating product sales goals for all retail bankers to make certain nothing gets in the way of doing what is right for our customers; 2) Sending customers a confirmation email within one hour of opening any deposit account and an acknowledgement letter after submitting a credit card application; 3) Contacting all deposit customers across the country to invite them to review their accounts with their banker and calling the credit card customers identified in the review to confirm whether they need or want their credit card; 4) Expanding the remediation review to 2009 and 2010; and 5) Conducting an independent, enterprise-wide review of our sales practices."

There is more. A September 27th news release by Wells Fargo stated:

"The Independent Directors of the Board of Directors of Wells Fargo & Company (NYSE: WFC) today announced that they have launched an independent investigation into the Company’s retail banking sales practices and related matters. A Special Committee of Independent Directors will lead the investigation, working with the Board’s Human Resources Committee and independent counsel Shearman & Sterling LLP. Chairman and CEO John Stumpf, a member of the Board, has recused himself from all matters related to the Independent Directors’ investigation and deliberations.

The Independent Directors have taken a number of initial steps they believe are appropriate to promote accountability at the Company. They have agreed with Mr. Stumpf that he will forfeit all of his outstanding unvested equity awards, valued at approximately $41 million based on today’s closing share price, and that he will forgo his salary during the pendency of the investigation. In addition, he will not receive a bonus for 2016. Carrie Tolstedt, until recently Head of Community Banking, has left the Company, and the Independent Directors have determined that she will forfeit all of her outstanding unvested equity awards, valued at approximately $19 million based on today’s closing share price. Ms. Tolstedt will not receive a bonus for 2016 and will not be paid severance or receive any retirement enhancements in connection with her separation from the Company. She has also agreed that she will not exercise her outstanding options during the pendency of the investigation. These initial actions will not preclude additional steps being taken with respect to Mr. Stumpf, Ms. Tolstedt or other executives as a consequence of the information developed in the investigation."

Conducting an investigation? That means the bank's senior executives still don't know what happened, or may still be happening -- or even worse, some executives know and haven't admitted important facts. Is this a bank to do business with? John Chiang, the Treasurer for the State of California announced on Wednesday that the State has suspended doing business with Wells Fargo for 12 months. Chiang issued this explanation:

"... the Treasurer oversees nearly $2 trillion in annual banking transactions, manages a $75 billion investment pool, and is the nation’s largest issuer of municipal debt... The Treasurer announced in a letter to Wells Fargo Chairman John G. Stumpf and board members that he has ordered the suspension of Wells Fargo’s participation in its most highly profitable business relationships with the State of California. Those sanctions include: i) Suspension of investments by the Treasurer’s Office in all Wells Fargo securities; ii) Suspension of the use of Wells Fargo as a broker-dealer for purchasing of investments by his office; and iii) Suspension of Wells Fargo as a managing underwriter on negotiated sales of California state bonds where the Treasurer appoints the underwriter... These sanctions take effect immediately and will remain in place for the next twelve months. Wells Fargo is expected to comply with all of the terms of the consent orders it has entered with the Consumer Financial Protection Bureau, the Los Angeles City Attorney, and the Office of the Comptroller of the Currency... The letter warns the bank that if it fails to demonstrate compliance with the Consent Orders or evidence surfaces that Wells Fargo has engaged in the same behavior it will face tougher sanctions up to and including complete and permanent severance of all ties between the Treasurer’s Office and Wells Fargo..."

Hopefully, the board will assess more penalties upon Stumpf, Tolstedt, and senior bank executives. The penalties mentioned above seem woefully insufficient, since they penalize the executives in 2016 for activities that perpetuated during the last five years.

The bank's statement was also silent about important issues: a) remedies for customers whose credit ratings were damaged by the phony new accounts, and b) compensation for customers for lost interest revenues when their money was withdrawn from interest-bearing accounts to set up the phony new accounts.

The bank's news release included this statement by Stephen Sanger, Lead Independent Director:

"... We will conduct this investigation with the diligence it deserves -- and will follow the facts wherever they lead. Our thousands of outstanding team members and millions of loyal customers and shareholders deserve no less. Based on the results of the investigation, the Independent Members of the Board will take such other actions as they collectively deem appropriate, which may include further compensation actions before any additional equity awards vest or bonus decisions are made early next year, clawbacks of compensation already paid out, and other employment-related actions. We will proceed with a sense of urgency but will take the time we need to conduct a thorough investigation. We will then take all appropriate actions to reinforce the right culture and ensure that lessons are learned, misconduct is addressed, and systems and processes are improved so there can be no repetition of similar conduct."

While clawbacks into executives' compensation during prior years sounds good, the key takeaway seems to be: the board still does not know what is happening in its bank, nor what corrective actions to implement beyond the promises listed above. And it can't rely on Stumpf to tell them. Stumpf should be fired immediately for not keeping the board informed. Same for Tolstedt. In a perfect world, both would be in prison. Fraud is fraud.

What are your opinions about Wells Fargo? Would you do business with the bank?


Tax Related Identity Theft And Fraud: Next Steps For Victims

This morning, a friend sent the following via e-mail:

"Just learned today that I was a victim of identity theft. My accountant tried to electronically file my income tax but it was rejected. The IRS told him I already filed. Since the early return is obviously fraudulent I was told I could not electronically file but had to file with paper. Spent the last couple hours notifying credit bureaus and the Federal Trade Commission. It doesn't appear they have applied for any new credit card yet. I wonder whether they got a refund in my name. I also have been involved in a couple big data breaches where the company who lost my data has provided free credit monitoring services. None of the services have detected fraudulent activities. It must've been through one of these that someone got hold my Social Security number. So far so good, but this is an extra headache I didn't need."

It was sad to read this e-mail message. Identity theft is always a major pain and inconvenience. I experienced this in 2007 after IBM, Inc. had its massive data breach. There's a lot to consider and to do. Most consumers have no idea what to do next. That’s why I started me blogging about identity theft, data breaches, and corporate responsibility. The blog has been a good tool for me to catalog what I've learned about what to do next.

Since my friend's sensitive information (e.g., name, address, phone, social number, and maybe more) are out in the wild, that means thieves will sell and resell it as long as they think the information is usable. The criminals now know enough about my friend that they will try to commit more fraud -- often by impersonating my friend to gain access to their financial accounts. Thieves may call the customer service departments at banks pretending to be my friend. While writing this blog the last 8+ years, I've learned that identity thieves are smart, persistent, and go where the money is.

I suggested that my friend do the following to protect their self:

  1. It seemed like my friend is already following the advice by Internet Revenue Service (IRS) for victims of tax-related identity theft and fraud. That’s a good start. Another good place to start is the Identify Theft site by the U.S. Federal Trade Commission (FTC). Follow the next steps recommended by the FTC.
  2. File a police report with the local police department. They’ll probably do nothing, but this will help my friend create a paper trail. Certain documents will be needed when filing claims with insurance companies.
  3. While my friend has already contacted the three major credit reporting agencies (TransUnion, Experian, and Equifax), don't stop with a Fraud Alert. That’s weak tea. Do a Security Freeze instead. That will prevent fraudsters from taking out new loans or getting credit in my friend's name. This will cost up to $10 for each.
  4. Call financial institutions and advise them of your identity theft. Follow any processes the banks have. Get new debit/credit card numbers if your card information (card name, account number, security code, etc.) was exposed in #6.
  5. Change online passwords for all financial accounts (e.g., checking, savings, mortgages, insurance, credit cards, 401-K, IRA’s, etc.). Notify them that your data has been stolen and used. Follow any procedures the banks have for reporting fraud. Don’t use the same password at multiple sites. Why? Thieves will use a stolen password at several websites, to see where else they can break in.
  6. Since one or more companies had data breaches that exposed my friend's sensitive information, my friend should notify each company that thieves have used their sensitive information for tax-related fraud. These companies will probably deny that their breach was the cause, but my friend is informing them of the consequences. If the breach was bad, there may be an upcoming class action, so I encouraged my friend to consider and join any class-action lawsuits. The financial rewards may be beneficial.
  7. Thieves will continue to use my friend's stolen information as long as they think it is useful. So, my friend will need to be vigilant. That means continuing to periodically monitor bank account statements and credit reports for fraudulent entries (if my uses only the Fraud Alert option). This sucks, but that is the reality in the digital information economy. When companies have data breaches, we consumers are usually left with the cleanup burden.
  8. If the companies in #6 offer free credit monitoring services, accept the offer and use it. Those monitoring services can help with #7. Plus, these monitoring services usually offer fraud resolution services: the detailed, time-consuming, and complicated process of cleaning up accounts and records muddled by thieves. If the corporate data breaches in #6 included my friend's spouse and/or dependents, be sure that any credit monitoring services cover these persons.
  9. Keep a solid paper trail. My friend will likely need some of this documentation later.
  10. Stay in touch with both the IRS and the Department of Revenue in the state where you live. The thieves may file fraudulent state tax returns, too. Both the federal and my friend's state tax agencies have fraud procedures. Respond to any notifications you receive from both; preferably in writing.
  11. If any of the companies in #6 was a health care provider and the breach included medical records, then my friend is at risk for both financial fraud and medical fraud. More steps apply for medical fraud and the resolution process is even more complicated. For example, the thief's blood type and other health data could be co-mingled with the victim's, introducing errors and other risks.
  12. Some criminals use stolen identity information to get bogus driver’s licenses. If my friend gets stopped by the police while driving, don’t panic. Explain to law enforcement the identity theft and and #2. My friend may have to get fingerprinted, since that is a good method to distinguish the fraudster from my friend.
  13. Some criminals sell stolen information to undocumented people to gain employment. So, my friend's stolen Social Security Number may be used by another person. When several persons use the same Social Security number for employment, there are plenty of consequences. (There's the infamous case of 81 persons using the same SSN.) The Identity Theft Resource Center recommends solutions for SSN fraud victims. See the Social Security Administration's process for reporting fraud. Check the contractual agreement for a credit monitoring service to see if its resolution services cover this.
  14. Keep the anti-virus software updated on all devices (e.g., desktop, laptop, phone, tablet) and run scans at least once monthly.

That was my advice to my friend. What might you advise?


Facts About Debt Collection Scams And Other Consumer Complaints

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam are attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies with with average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report. Click to view larger image

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.


Learn How To Spot These 5 Energy Scams So You Don't Get Duped

Eversource logo Maybe it was a visit by door-to-door sales person. Maybe it was a phone call; or a text or e-mail message. There are six energy scams you should be aware of, so you don't get duped and lose your hard-earned money. Eversource, the largest energy delivery service in New England, alerted its customers about common scams:

  1. Shut-off Threats: callers claim to represent the Billing or Disconnect Department, and state that your power will be shut off if you don't make a payment immediately.
  2. Pay immediately: callers instruct you to make a payment immediately to a third-party location, such as a grocery store, or to a "Green Dot" VISA card. Then, the scammer directs victims to call another phone number to report the card payment information, so the scammers can drain the card account online.
  3. Faulty meters: callers claim your electric (or gas) meter is broken and it overcharging you. Then, the scammer directs victims to buy a $200.00 prepaid card. The scammers calls again claiming the first payment hasn't posted, and the consumer should buy a $300.00 prepaid card. Of course, the scammer lies about the meter being fixed soon.
  4. Unsolicited technician: a door-to-door person, with a hard-to-read badge, claims he is there to check your usage since your neighbors reported have claimed about high monthly bills.
  5. Unsolicited salesperson: a door-to-door person claims there is a problem with your utilities, and you failed to respond to urgent notices. The scammers insisted that you could get a rebate, or savings, but needs to see a copy of your energy bill.

These are all scams because:

"Eversource would never ask you to purchase prepaid cards or make an immediate payment at a third-party location, like a grocery store. We have a very secure, protected billing system, and you have multiple, convenient options to pay your bills, including direct debit, check, credit card and cash. Customers who are scheduled for disconnection due to nonpayment receive written notice that includes the actions they can take to maintain service... All [Eversource] employees carry company-issued identification, and any electrical contractors working with us carry documentation explaining the nature and location of their work. Customers can always call us to verify this information. Eversource would never solicit door-to-door or over the phone on behalf of a specific competitive/alternate energy supplier."

The information on your monthly energy bill is sensitive information. Protect it. Eversource advises:

"Never provide personal financial or utility account information to any unsolicited individual, in person, on the phone, or online, even if the individual seems legitimate."

And Eversource advises its consumers to:

"Always verify whether these contacts are legitimate by asking for some basic information about your account. Our representatives will always be able to provide the name on the account, the account address, and the exact past due balance. If the caller cannot provide that information, the call is not from us."

If you use a different energy provider, check it's website for scams. For example, earlier this month PG&E warned its customers in California about similar scams.

I've received some of these robocalls from scammers. Long ago, I registered both my landline and mobile phone numbers in the National Do Not Call Registry. When I receive unwanted and un-requested robocalls, I hang up the call immediately and submit a complaint to the U.S. Federal Trade Commission (FTC). You should, too.


FCC Seeks $29.6 Million Fine Against Phone Carriers For Alleged Cramming And Slamming

Federal communications Commission logo The U.S. Federal Communications Commission (FCC) seeks $29.6 million in fines against three phone providers for allegedly switching (a/k/a "slamming") consumers' long distance service without their consent, applying (a/k/a "cramming") unauthorized charges on their monthly bills, and obstructing the FCC investigation. The FCC press release stated:

"... the Commission asserts that OneLink Communications, Inc., TeleDias Communications, Inc., TeleUno, Inc., and Cytel, Inc., “slammed” consumers by switching their long distance carriers without authorization and “crammed” unauthorized charges onto consumers’ bills. In addition, it is alleged the companies, which operate as a single enterprise, fabricated audio recordings that they then submitted to the FCC as “proof” the consumers authorized these changes and charges... The FCC found that the companies’ apparent unauthorized charges and deceptive marketing calls constituted “unjust and unreasonable” practices under the Communications Act. The FCC also determined that the companies apparently violated federal law by submitting fake consumer authorizations and providing false and misleading information to the FCC during its investigation..."

OneLink Communications logo The FCC action included a Notice of Apparent Liability for Forfeiture. More than 140 consumers filed complaints with the FCC. There was an FCC order in August 2009 against TeleDias Communications for slamming. The OnelInk website lists an office in Tamarac, Florida. The Cytel, Inc. website lists an office in Pompano Beach. Florida. A check of both the Cytel or OneLink sites couldn't find lists of their executives or corporate officers.

How the companies allegedly performed deceptive marketing:

"Some consumers alleged that the companies’ telemarketers pretended to be from the post office calling about a nonexistent package delivery to obtain information to create fake consumer authorization recordings. In other cases, it appears the companies impersonated individuals in the authorization recordings. The companies then allegedly provided the fake authorizations to the FCC in response to its investigation into the consumer complaints. Even after consumers repeatedly contacted the companies about the alleged unauthorized charges and carrier switches, the companies purportedly refused to provide refunds until consumers filed complaints with the FCC, Better Business Bureau, or state regulators."

Kudos to the FCC for investigating the complaints. Kudos to consumers for filing complaints with the FCC, BBB, and state regulators when a company fails to do the right thing.


Safe Shopping Tips For the Holidays

The holiday shopping season is here. Experts estimate that consumers will spend about $83 billion. Everyone wants to shop safely and avoid both identity theft and fraud. The California Attorney General's office issued several safe-shopping tips for consumers that are applicable everywhere and not only in California. Some of the items were already covered in this blog, so I added links.

Online

  • Shop at secure websites. Look for https in the website address, or for the yellow lock icon
  • Don't shop online at public WiFi hotspots, such as coffee shops. This can put at risk your payment information (e.g., bank account, credit/debit card numbers, etc.). If you must use a public WiFi hotspot, use encryption software on your mobile device.
  • Do not send personal and payment information in e-mail messages. Legitimate companies won't ask you to do this, since it is an insecure way of transmitting information. Learn to spot package delivery scams.
  • Use reputable websites when booking travel or lodging for trips. However, scammers also insert listings on vacation websites. If the price is too good to be true, it usually is. Learn to spot vacation payment scams.
  • Identity thieves and fraudsters use mobile apps. Before purchasing an app, find and read independent reviews. Also, read the terms of use and privacy policy for the app desired. Download and buy apps only at reputable websites. Use these tips to protect your phone from online crime.
  • If you receive text messages on your phone claiming you have won a prize or gift card, do not click on the link in the message. It probably is a scam and may install a virus on your phone. E-mail scams are common. Learn to spot phishing e-mails. Be wary of e-mails from persons claiming to be a shipping company. These e-mail message often contain attached files that contain computer viruses. Do not open attached files from strangers.
  • Consider using a two-step process to protect your email account and sensitive personal information. For example, after inputting your password, you will then receive a text on your phone, that provides a one-time-use code to sign into your e-mail account. Your e-mail provider has instructions about how to set this up.

In Stores

  • Thieves use handheld scanners and counterfeit credit cards to use gift cards that they do not actually have. Only buy gift cards that are kept behind the store’s customer service counter or activated upon checkout. Before buying the card ask for it to be scanned to show that it is fully valued.
  • Learn to spot and avoid prepaid gift card app fraud.
  • Package theft is happening more frequently. If you do not have a secure area for delivery companies to leave packages, consider requiring a signature for packages, or have your packages held for pickup at a nearby shipping center.

General

  • Review your bank and credit card statements frequently for fraudulent transactions. Contact your bank or card issuers immediately if you see unusual or suspicious transactions.
  • If you receive a phone call from somebody claiming to be your bank or credit card company, who asks you to verify your account information, don't. Instead, ask them for their phone number so you can call them back. Then, call the phone number listed on the back of your credit card.
  • Learn to spot and avoid prepaid card phone scams.
  • Parents and grandparents should be wary of phone calls, e-mails, and social networking posts by scam artists pretending to be a child, friend, or relative stuck in an emergency abroad and needing cash immediately. Scammers try to get the victim to wire cash or disclose sensitive personal and financial information. Don't do this. Before taking any action, verify the health or status of the child, friend, or relative abroad.
  • Use these ten tips for safe vacation travel.

Happy holidays!


Federal Prosecutors Pursue Criminal Charges Against Banking Executives

Department of Justice logo Reuters news service reported yesterday that federal prosecutors are pursuing criminal charges against executives at two banks for allegedly marketing mortgage-backed securities loaded with faulty loans after warnings by coworkers. If so, this would be the first cases of criminal charges against bankers.

Citing an article in the Wall Street Journal, Reuters reported possible criminal investigations at both JPMorgan Chase & Company (JPMorgan), and at the Royal Bank of Scotland (RBS):

"Prosecutors are scrutinizing a $2.2 billion deal that repackaged home mortgages into bonds in 2007 at RBS and two people who worked on a different residential-mortgage deal at JPMorgan, the Journal said. JPMorgan, RBS and Department of Justice declined to comment. JPMorgan said in a filing in November that it was responding to an investigation by the DoJ's criminal division.

It would seem that the news reports in May 2015 covered in this blog were largely accurate. At that time, news reports mentioned possible charges against five banks. Also in May, a federal court ruled that the Japanese bank Nomura Holdings and the Royal Bank of Scotland had misled Fannie Mae and Freddie Mac while selling them mortgage bonds that contained errors and misrepresentations.

J.P.Morgan logo JPMorgan has a colorful history, part of which is worth reviewing. In January 2015, it was one of four banks that settled illegal foreclosure charges with the Massachusetts Attorney General with a $2.7 million payment. In November 2014, both RBS and JPMorgan were part of a group of banks that paid $4.2 billion in fines to U.S., U.K., and Swiss regulators for rigging the foreign exchange, or FX, market. In December 2013, JPMorgan paid $515.4 million to the Federal Deposit Insurance Company (FDIC), $300 million to the California Attorney General, and $13 billion with the U.S. Justice Department to settle charges about the misrepresentation of offering documents for residential mortgage-backed securities (RMBS).

December 2013 was a big month. JPMorgan Chase announced a data breach that affected half a million prepaid card customers. U.S. taxpayers also learned that month that much of the huge fines JPMorgan paid were tax-deductible and reduced the bank's tax payments. in September 2013, the Consumer Financial Protection Bureau (CFPB) ordered both Chase Bank USA, N.A. and JPMorgan Chase Bank, N.A. to refund about $309 million to more than 2.1 million customers for illegal credit card practices, where customers were enrolled in credit monitoring services without their authorization and charged for services not delivered.


How The Teenager Hacked The CIA Director's Email Account

Central Intelligence Agency logo You've probably heard about it, or read some of the initial news reports. The New York Post broke the story about a teenager hacking into the e-mail account of John Brennan, Director of the Central Intelligence Agency (CIA). The methods the hacker used are a good example of pretexting: when a criminal pretends to be somebody they aren't in order to acquire sensitive information about the target(s).

Wired provided a detailed report about the incident, which I've distilled into seven steps:

  1. The hacker did a reverse number lookup of Brennan's mobile phone number. Several websites provide this feature. From that, the hacker learned that Verizon was Brennan's provider of phone services.
  2. Pretending to be a Verizon technician, the teenage hacker and his accomplices, called Verizon asking for details about Brennan's account. The Verizon phone rep asked for their Vcode, a unique number assigned to each Verizon technician. The hacker provided a fake Vcode which somehow passed Verizon's security. From that, the hacker learned Brennan’s account number, four-digit PIN, the backup mobile number on Brennan's account, Brennan’s AOL email address, and the last four digits on Brennan's bank card.
  3. The hacker accessed Brennan's AOL e-mail account on October 12, and read several e-mail messages including messages forwarded from his work e-mail account. From that, the hacker learned Brennan's secure White House e-mail address, his security clearance application, topics discussed by Brennan and other intelligence officials, and work-related documents attached to several e-mail messages. One attachment included a spreadsheet with names and Social Security numbers of several persons, including intelligence officials.
  4. The hackers posted photos of several documents online via a Twitter account they had set up. The hackers accessed Brennan's account for at least three days.
  5. On October 16, the hacker posted via Twitter that Brennan had deleted his AOL e-mail account supposedly because the hackers had accessed it.
  6. Brennan reset the password on his AOL account, which the hackers accessed again. This suggests that they called AOL customer service pretending to be Brennan and reset the password on his account so they could access it. Reportedly, the dueling password resets happened three times.
  7. The hackers called Brennan's mobile phone number and told him his account had been hacked. After asking them what they wanted, the hackers reportedly answered, "We just want Palestine to be free and for you to stop killing innocent people."

What should consumers make of this incident? First, the incident provides a window into the hassles and inconveniences when your e-mail account is hacked and taken over by a criminal. The hackers could have sent out spam messages from Brennan's account to his friends, family, and coworkers. Second, the incident highlights the necessity of not using the same password on multiple accounts. When consumers do this, it makes it easy for criminals to access several of your online and financial accounts. Hackers will try the same stolen password at other online accounts to see where else they access.

Third, the incident is a reminder for consumers never to disclose sensitive personal and financial information over the phone. Why? Simply, the caller's identity is unknown and unverified. We consumers frequently receive calls from identity thieves from fake computer support vendors or bogus cardholder services.

Verizon logo Fourth, Verizon should improve its security processes. A fake Vcode should not allow access to customers' sensitive information. There should be consequences for Verizon for this breach. Fifth, the hackers' techniques provide a tiny view of the activities spies and counter-intelligence agencies perform, and why these entities want to hack into government agencies' websites, such as the Office of Personnel Management breach earlier this year.

Sixth, adding your mobile phone number to your social networking and e-mail accounts is not a data security cure-all. Smart hackers will target your mobile phone number so that they receive any notifications  you've set up about changes to your account.

Seventh and perhaps most troubling, the Brennan and Clinton e-mail incidents suggest that many government officials highly value convenience (just as consumers do), by forwarding work-related e-mails and documents from secure work systems to less secure commercial systems. You could argue that this desire for convenience is a security weakness. Fifth, you can bet that spies will try to take advantage of this weakness by replicating pretexting attacks on other high-value executive targets, in both the public and private sectors. If a teenager can do it, then so can an experienced spy.

What are your opinions of the hacking incident? Of Verizon's role?