Tag Archives: identity theft

Credit card breach at Dells resort impacts thousands of cards

State Journal Staff
Wisconsin State Journal
September 13, 2011
http://host.madison.com/wsj/business/article_6587df18-de00-11e0-96a4-001cc4c03286.html

A Wisconsin company that supplies arcade equipment and vending machines to businesses said hackers broke into its credit-card processing systems at resorts in Tennessee and Wisconsin.

Vacationland Vendors Inc. said Monday up to 40,000 credit and debit cards used in its arcades may have been affected.

Company spokesman Bill Bray said the resorts were Wilderness Waterpark Resort in Wisconsin Dells and the Smokies Resort in Sevierville, Tenn.

The company said it shut down its card-processing systems at both arcades when it discovered the March 22 breach. The company is issuing warnings to patrons who used a credit or debit card at either arcade between Dec. 12, 2008, and May 25, 2011, and is advising those patrons to be on the lookout for unauthorized activity on their bank statements and credit-card bills.

UWM computers hacked; data on 75,000 exposed

Stanley A Miller II
August 10, 2011
Milwaukee Journal Sentinel

A computer system at the University of Wisconsin-Milwaukee was hacked and bugged with malicious software, potentially exposing the names and Social Security numbers of about 75,000 students, faculty and staff, the school announced Wednesday.

UWM officials said, however, that investigators have no evidence that data was viewed or stolen, and the school is sending letters Wednesday to those potentially affected by the security breach.

“Talking to the forensic experts, we don’t believe the motive was identity theft,” said Tom Luljak, UWM’s vice chancellor for university relations. “We are a research institution with a significant number of projects under way. It is theorized that this may have been an attempt to look at work being done.”

The school’s technology staff discovered on May 25 that software allowing backdoor access into a UWM database was lurking on a system used for scanning and viewing documents. That system, Luljak said, is an image bank used by several departments for managing a variety of documents, including applications processing.

Luljak said the school isn’t sure how long the malicious software sat on the system before being discovered, but officials think it was for a “short period of time.” The malicious software was installed remotely, Luljak said, and the infected server was immediately shut down.

“We don’t believe anyone got access to the image bank,” Luljak said. “There is no evidence that the hackers actually looked at or retrieved any information.”

The school contacted local and federal law enforcement authorities soon afterward and discovered June 30 that a database had been exposed. Luljak said that although the data included names and Social Security numbers, it didn’t contain any financial data or academic information such as student grades.

“Because of the nature of the malware, our concern was it would provide access to other servers,” Luljak said. “We think it might have been more of a fishing operation.”

Luljak said it took time to determine the specifics of the security breach, noting the school’s experts worked “virtually around the clock.”

“Our responsibility, we believe, is to be completely transparent to those affected,” Luljak said.

The school has set up a website at www.computersecurity.uwm.edu with information about the security breach, as well as a hotline at (800) 349-8518.

Thieves Found Citigroup Site an Easy Entry

Nelson D. Schwartz and Eric Dash
New York Times
June 13, 2011
http://www.nytimes.com/2011/06/14/technology/14security.html?_r=1&src=recg&pagewanted=all

Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers.

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.

The financial damage to Citigroup and its customers is not yet clear. Sean Kevelighan, a bank spokesman, declined to comment on the details of the breach, citing the ongoing criminal investigation. In a statement, he said that Citigroup discovered the breach in early May and the problem was “rectified immediately.” He added that the bank had initiated internal fraud alerts and stepped up its account monitoring.

The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

That is because demand for the data is on the rise. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies like the Federal Bureau of Investigation.

Now, as credit cards that were compromised in the vast 2008 thefts expire, thieves are stepping up efforts to find new accounts.

As a result, prices for basic credit card information could rise to several dollars from their current level of only pennies.

“If you think financially motivated breaches are huge now, just wait another year,” said Bryan Sartin, who conducts forensic investigations for Verizon’s consulting arm.

The kind of information the thieves are able to glean is shared in online forums that are a veritable marketplace for criminals. Networks that three years ago numbered several thousand users have expanded to include tens of thousands of hackers.

“These are online bazaars,” said Pablo Martinez, deputy special agent in charge of the Secret Service’s criminal investigation division. “They are growing exponentially and we have seen the entire process become more professional.”

For example, some hackers specialize in prying out customer names, account numbers and other confidential information, Mr. Martinez said. Brokers then sell that information in the Internet bazaars. Criminals use it to impersonate customers and buy merchandise. Finally, “money mules” wire home the profits through outlets like Western Union or MoneyGram.

“It’s like ‘Mission Impossible’ when they select the teams,” said Mark Rasch, a former prosecutor who is now with CSC, an information technology services firm. “And they don’t know each other, except by hacker handle and reputation.”

In the Citi attack, the hackers did not obtain expiration dates or the three-digit security code on the back of the card, which will make it harder for thieves to use the information to commit fraud.

Not every breach results in a crime. But identity theft has ranked first among complaints to the Federal Trade Commission for 11 consecutive years, with 1.34 million in 2010, twice as many as the next category, which is debt collection.

Many of these attacks have their origins in Eastern Europe, including Russia, Belarus, Ukraine and Romania. In fact, the security expert familiar with the Citi breach said it originated in the region, though he would not specify the country.

In Russia, Xakep.ru is one of the larger forums for Eastern European hackers today, with nearly 13,300 registered members, according to Cyveillance. HackZone.ru is larger, and has more than 58,000 members. In addition, attacks by Romanian hackers have grown noticeably more advanced recently, according to security experts.

On HackZone, one seller who called himself “zoloto” promised “all cards valid 100%” and that they would be sold only one time.

Underscoring the multinational nature of these rings, American law-enforcement agencies have also been putting more investigators overseas.

“The only way to address a global issue is to address it globally with your partners,” said Gordon M. Snow, assistant director of the F.B.I.’s Cyber Division.

The Secret Service established a presence in Tallinn, Estonia, last month, and has embedded agents with Ukrainian authorities since the beginning of the year. The F.B.I. has embedded agents in the Netherlands, Estonia, Ukraine and Romania, and works closely with its counterparts in Australia, Germany and Britain.

But even officials at these agencies acknowledge that as fast as they move, the hackers’ strategies are evolving at Silicon Valley speed.

“With every takedown, they regroup,” said J. Keith Mularski, a supervisory special agent with the F.B.I.

Rep. Mary Bono Mack proposes data breach legislation

Tony Romm
POLITICO
June 13, 2011
http://www.politico.com/news/stories/0611/56860.html

Companies that are breached by hackers who steal consumer information would have to notify customers within 48 hours of assessing and identifying the intrusion under a new data security bill by Rep. Mary Bono Mack.

The proposal is called the Secure and Fortify Electronic Data Act and the California Republican plans to unveil a draft of the legislation Wednesday at a hearing before her Commerce, Manufacturing and Trade Subcommittee.

A version of the bill made public Monday shows it tracks closely with legislation that cleared the Energy and Commerce Committee on a bipartisan vote in 2010, but the proposal makes key tweaks to the bill’s scope.

Bono Mack’s plan would make clear that a broad range of entities — from companies to third-party data holders such as “contracted cloud providers” — are covered under her proposed data breach law. Those companies would have to put in place rules that ensure they only collect and store as much data as they need, according to a Republican memo circulated ahead of the hearing.

If those providers’ servers are breached, however, companies would be required to notify law enforcement within 48 hours of discovering the intrusion, “unless that breach is determined to be inadvertent,” according to the memo.

The affected firms would then have to inform consumers and the Federal Trade Commission, an agency with jurisdiction, within 48 hours of addressing, identifying and assessing the breach. The provision is meant to ensure companies promptly notify those affected, while still granting them the flexibility they may need to investigate the attack.

Companies that fail to conduct their own inquiries in a reasonable amount of time could face penalties by the FTC.

Those sorts of time targets were not as clearly spelled out in the data breach bill put forth by Rep. Bobby Rush (D-Ill.) in the previous Congress. That bill won bipartisan support but failed to clear a floor vote.

As expected, Bono Mack’s bill does not apply to companies that are covered by the security provisions in the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act.

Still, the chairwoman’s new legislation arrives in response to a torrent of data breaches this year — hacks that have affected previously little-known companies, like Epsilon, and household names, like Sony.

Last week, that pattern continued as hackers targeted Citigroup and the International Monetary Fund.

The hearing Wednesday will mark Bono Mack’s third foray on the issue. Set to testify on the first of two panels is FTC Commissioner Edith Ramirez. A second panel of witnesses will feature Jason Goldman, counsel for telecommunications and e-commerce at the U.S. Chamber of Commerce; Robert Holleyman, president and CEO of the Business Software Alliance; Stuart Pratt, president and CEO of the Consumer Data Industry Association; and Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Thousands of Citi customers at risk after hacker attack

Reuters
msnbc.com
June 9, 2011
http://www.msnbc.msn.com/id/43335996/ns/business-personal_finance?GT1=43001

Citigroup Inc said computer hackers breached the bank’s network and accessed the data of about 200,000 bank card holders in North America, the latest of a string of cyber attacks on high-profile companies.

Citi said the names of customers, account numbers and contact information, including email addresses, were viewed in the breach, which the Financial Times (newspaper operates behind a paywall) said was discovered by the bank in early May.

However, Citi said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.

“We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” Sean Kevelighan, a U.S.-based spokesman, said by email.

“For the security of these customers, we are not disclosing further details.”

In the brief email statement, Citi did not say how the breach had occurred.

Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card customers, which the bank’s annual report says total 21 million.

But like Japanese electronics and entertainment group Sony, which has declared several security breaches of its networks this year, Citi could come under fire for not telling customers sooner.

“It may be the bank’s business, but it’s the consumer’s personal information so consumers deserve to be told about security breaches immediately,” said Dan Simpson, a spokesman for Australia’s Consumer Action Law Centre, an advocacy group.

“It’s hard to see any reason why this sort of breach couldn’t have been disclosed much sooner.”

Growing concern
Citigroup joins a growing list of companies that have suffered cyber attacks.

Data storage firm EMC Ltd this week offered to replace millions of electronic keys after hackers used data from its RSA security division to break into the network of arms supplier and information technology provider Lockheed Martin.

Sony has reported several attacks, including one in which hackers accessed the personal information on 77 million PlayStation Network and Qriocity accounts.

Sony was criticized for a delay in telling account holders that their information had been stolen by hackers.

Google Inc last week revealed a major attack on its Gmail accounts targeting, among others, senior U.S. government officials that it said appeared to originate in China.

Washington has scrambled to assess if security had been compromised by the raid on Google’s Gmail system, reflecting increasing concerns among global policymakers about cyber security.

Citi said it had discovered the unauthorized access at Citi Account Online, an online banking service, through routine monitoring.

“It’s definitely a serious security breach when that amount of data’s been stolen from a bank,” said Sydney-based Ty Miller, chief technology officer of Pure Hacking, a network security company.

Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, said in April that security breaches are a fact of life for financial institutions.

“Security breaches happen, they’re going to continue to happen … the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments,” he told Reuters in an interview.

DOT Sells Drivers’ Personal Information

Channel 3000
June 3, 2011
http://www.channel3000.com/technology/28115031/detail.html

There are about 4.5 million drivers in Wisconsin, and more than half may not know their personal information is being sold by the state Department of Transportation.

There are laws but almost no oversight to how the Wisconsin DOT uses drivers’ information.

In all, the state makes millions of dollars by selling drivers’ information, WISC-TV reported.

Before a person becomes an official Wisconsin driver and gets his or her license, there’s time to consider two decisions at the Department of Motor Vehicles.

One is whether that person wishes to be recorded as a potential organ donor.

But drivers are also asked to check a box if they wish to have their name and address “withheld from the list the department sells.”

About 2.5 million Wisconsin drivers didn’t check the box to withhold their information. By not doing so, those drivers allow the DOT to sell their information on a monthly basis.

Some may not have noticed the other inquiry.

“It was kind of small (on the form). I didn’t really notice it at first,” said Sierra Scott, a Madison resident.

But it’s not just a person’s name and addresses. The driver record file includes a person’s name, address, date of birth, gender, driver’s license number and driving status.

The entire driver record file containing information on 2.5 million drivers can be purchased for $250.

“We produce a CD containing the record file and then we send that. Those funds are sent to the registration fee trust,” said Taqwanya Smith, director for the DMV’s Bureau of Driver Services.

In 2010, the DOT made $22,250 selling driver record files.

“I think the cost is representative of the amount of effort it takes to produce the records,” Smith said.

Smith, who administers state and federal laws at the Wisconsin Department of Transportation, said that anyone can buy the driver record file, getting access to information for the drivers who haven’t opted out.

“Wisconsin is an open records state, and by that Wisconsin presumes that the public has a right to know about information contained within government records,” Smith said.

Federal law defines who can get the information and how they can use it.

“The (Drivers Privacy Protection Act) authorizes us to disclose to anyone meeting that criteria,” Smith said.

But no state or federal agency tracks who is buying drivers’ information or what they use it for. If people check the right box, they get the information, with no questions asked and no follow up, WISC-TV reported.

Stop ID thieves from stealing your kid’s credit

By Bob Sullivan
msnbc.com
May 12, 2011
http://today.msnbc.msn.com/id/42997608

Parents struggling to keep track of their kids’ vaccinations, homework, dance classes and veggie intake have precious little time for other worries, but a serious new threat is demanding their attention: Identity thieves are increasingly targeting children, in some cases stealing their identities even before they are born.

As an investigation by NBC’s Jeff Rossen and TODAY revealed Thursday, criminals routinely use a child’s pristine credit record to their advantage and get away with it for years or decades — even if law enforcement knows exactly where the imposters live. TODAY showed this in dramatic fashion, hunting down two alleged child imposters and capturing their comments on camera.

Rossen’s story on TODAY also features a 9-year-old girl who is in default on utility bills, a teenager with $750,000 in debt, and a 2-year-old with a pile of credit card bills.

“You think this must be a joke, and then you realize, no this is actually incredibly serious,” said Allison, the baby’s mom, who asked that her last name be withheld. “Never in my wildest dreams had I thought to run a credit check on my son. And what parent would run a credit check on their child who’s in diapers, who’s crawling?”

TODAY’s story follows a piece on msnbc.com’s Red Tape Chronicles last month that unearthed research showing child ID theft is more common than previously believed. Hard data is difficult to find, because most cases of child ID theft aren’t discovered for years, but a recent check of 40,000 children by identity monitoring company Debix found more than 4,000 cases of tainted identities.

The issue for parents is this: What can I do to protect my child?

While the problem is clear, the solution is less so. The vast majority of kids don’t have a credit report, and they shouldn’t. In general, the Federal Trade Commission, the nonprofit Identity Theft Resource Center and the nation’s credit bureaus advise against frequently checking your kids’ credit unless there’s some reason to believe they’ve been victimized by identity theft. Repeated requests for a child’s report can actually do more harm than good. The Identity Theft Resource Center warns that it can lead to the premature creation of a credit file, which could make it easier for an ID thief to exploit the child’s identity.

Still, it’s understandable that parents might want to check on their kids’ identities occasionally, particularly after hearing TODAY’s story. So here are a few helpful resources.

Getting a child credit report is different
Standard advice for getting a credit report doesn’t apply to children — kids’ reports cannot be obtained using the congressionally mandated free credit report website, http://AnnualCreditReport.com. Requests for information on a juvenile from the site will be immediately rejected. There are legal reasons for this, according to Susan Henson of Experian, one of three major credit reporting bureaus — the Children’s Online Protection Act restricts the collection of information about kids under 13 years old. Also, information about a third party can only be disclosed after the requester provides proof of legal guardianship, and that can’t be provided through the website. So all three bureaus require direct contact to get kids’ credit reports.

First stop: Trans Union
Trans Union has the most parent-friendly process, with the only online application specifically for child inquiries, so that bureau is the best place to start. Detailed instructions are included on its site.

Parents who use this online form will receive an initial e-mail, and then a follow-up letter, which will include a simple yes/no answer on the existence of a credit report.

If Trans Union says there is no report, odds are good that your child is in the clear. But if there is a report — or you have a specific reason to believe your child is a victim — you’ll want to follow up with the nation’s other two major credit bureaus — Experian and Equifax — and get a report from them, too.

The Identity Theft Resource Center offers a handy form that parents can use to send to any of the three bureaus. It can be accessed here.

For children between 14 and 18 years old, the process is different — if they have a report, it would be possible to get a credit report through http://AnnualCreditReport.com, but “the vast majority of consumers this age do not have a credit file,” Henson said. They generally receive a simple rejection message from the Web site, which might not be satisfying for a parent who fears their teen-ager’s identity has been stolen. In that case, follow the instructions above.

When should you check their credit, and what if there’s foul play?
Advice for concerned parents on this point is nuanced. Both the FTC and the Identity Theft Resource Center say parents should not check their kids’ credit reports on an annual basis.

Both agree that parents should attempt to obtain a credit report on the child’s 16th birthday. Ideally, there won’t be one yet; but if there is and it’s full of errors, there should be ample time to deal with the problem before the child applies for college financial aid or their first loan. For kids under 16, under normal circumstances, an occasional check — perhaps every three or four years — is sufficient, said the FTC’s Steven Toporoff.

But if there is a reason to suspect foul play, parents should immediately contact all three credit bureaus and request a report, he said. They also should consider placing a credit freeze on the child’s records, following their state’s particular policies.

State-by-state rules on applying for credit freezes can be found here.

Signs of foul play would include: Surprising offers for credit or other offers mailed to the home, or trouble opening bank accounts for the children. Also, strange identity-related questions when applying for schools or outside activities could be a tipoff. A bank or school might find that there are other identities linked to your child’s SSN during a routine check. The bank probably won’t tell a parent directly, but often, tellers will hint that there’s a problem.
