Information Security News mailing list archives
Electronic Fraud Newsletter #9
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Wed, 8 Sep 1999 16:48:43 -0600
From: Edentify2000 () aol com

ELECTRONIC IDENTITY FRAUD NEWSLETTER
Volume 2, Issue 5
July 14, 1999

From: e-DENTIFICATION, Inc.
Voice: (717) 859-2430
Fax: (717) 627-5454
Email: Edent99 () aol com
Web Site: www.e-dentification.com

John F. Ellingson, Madison, WI - editor
Principal in e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com

IDENTITY FRAUD & PRIVACY CONCERNS

Electronic commerce, or ".com", has tremendous currency in the investment community. It is spawning new business every day and capturing the imagination of investors, shoppers, bankers, and thieves.

Two recent studies addressed the problem of credit card chargebacks (charges made on credit cards that are disputed by the card holder). In the normal point-of-sale world chargeback transactions are less than 1% of the volume. In the ".com" world chargebacks are from 15% to 37% of the volume. This is an indicator that there is something seriously wrong in the way we do business on the Internet and has serious implications for identity fraud and privacy concerns.

Nearly every time you attempt to use a credit card to make a purchase on the Internet you are assured you are using a "secure server." There are secure sockets and digital certificates and there is weak and strong encryption. Yet with all of these technologies credit card transactions fail at rates that are more than an order of magnitude greater than transactions conducted outside of ".com".

As the two stories reported in this newsletter indicate, personal information about anyone and everyone is available to anyone who knows how and where to ask for it. The security systems employed on the Internet are dependent on that same information. This dependency cannot help but result in a seriously flawed system.

I would suggest that the paradigm that Internet security is based upon is the one of the postal service; and why not, we call our Internet communications email? Let's take a minute and examine that paradigm.

The mission of the postal service is to deliver a package from sender to receiver as safely, promptly and accurately as possible. As far as it goes, this is a good paradigm. However, it does not go far enough. The postal service does nothing to check the identity of the sender and with rare exceptions even inquires about the identity of the recipient. The postal service delivers from place to place -- not person to person. The postal service delivers hate mail, birthday greetings, bills, junk mail and the occasional bomb all with the same efficiency. So does the Internet.

Neither the security at the post office, nor the Internet concerns itself with content or the identity certainty of those sending and receiving the message. This is the heart of the problem. It is manifest in the very human behavior of lying. People lie to one another. Because the Internet is largely anonymous it promotes lying by making it easy. It is not surprising that the proliferation of lying results in transactions that fail because they are based on lies.

In the chargeback situation there may be two kinds of lies. The first kind is someone who lies about their identity. They may be using a credit card that doesn't belong to them and lie to say they are the person it belongs to. The second lie is in some ways more insidious. This is the previous lie, but in reverse. The person whose credit card was used is the person who made the purchase, but because an identity is not verified at the time of purchase the person can now deny making the purchase and avoid paying for it.

In a nonscientific survey conducted by a television station in Southern California, 61% of those asked indicated that they would steal services from a utility or the phone company if they were sure they could get away with it. It would seem they are getting away with it on the Internet.

Until we come up with a different paradigm that secures more than the transmission of messages and can confirm identities on the Internet, the ".com" dream will continue to be tainted with a bit of a nightmare.

e-Dentification, Inc. assures identities and privacy on the Internet, Securing Business, Securing You.

John F. Ellingson, Madison, WI - editor
Principal in e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com

NEWS ITEM

INVESTIGATOR ARRESTS SPUR CONCERN
The Associated Press AP-NY-07-06-99 0242EDT
By Steven K. Paulson

GOLDEN, Colo. (AP) - James and Regena Rapp were arrested and indicted as the result of a sting operation by the Colorado Bureau of Investigation. Their company, DBA "Dirty Deeds Done Cheap" and "Phantom Investigations", brokered information to private investigators and media companies investigating their competition.

The sting was set up to recover detailed personal information, bank and telephone records and credit-card bills that James and Regena Rapp and their employees lied and schemed to get, in the JonBenet Ramsey murder investigation, for possible publication in the tabloids.

According to a Jefferson County grand jury indictment, the Rapps and their employees telephoned companies to ask for copies of the Ramseys' personal records, claiming to be the Ramseys. The copies were faxed to a phone number that routed the documents to the Rapps, including court case file information.

In the sting, an agent set herself up as a target to see what the company could find out about her. "We thought we'd run it up the flagpole. She was surprised by the details they found," Brown said. "It came back exactly what her phone bill was and bank balance statement was."

The Rapps' recent indictment for racketeering has again created concern over the ease with which personal information may be obtained.

"It's a question of identity and privacy," said Tara Lemmey, president of the Electronic Frontier Foundation, a nonprofit organization that tracks the Internet and privacy issues. "In this case, it's a case of fraud. We already have good fraud laws on the books. The larger question is, should people have the right to get information on another person."

Lemmey said that "with the proliferation of computers and databases, personal information given in confidence isn't always kept private. People assume the information they provide will only be used for a driver's license or to buy a dishwasher. They need to know that the information is now being used for other things."

Pam Russell, a spokeswoman for Jefferson County prosecutors, said "There are certain things in our lives that are personal and private - our finances, who we call, who we talk to. I can't even get this information without a warrant."

NEWS ITEM

Minnesota Attorney General Hatch Sues U.S. Bank for Disclosing Customers

ST. PAUL, Minn., June 8 /PRNewswire/ -- Minnesota Attorney General Mike Hatch announced a lawsuit today against U.S. Bank for allegedly releasing customers' private banking information to a telemarketing company in exchange for a fee of $4 million plus commissions, some of which Hatch said were generated through bogus, unauthorized charges by the telemarketing company. Defendant US Bancorp (NYSE: USB) is a multistate bank holding company and the parent of U.S. Bank.

Hatch alleges that U.S. Bank violated the federal Fair Credit Reporting Act and engaged in consumer fraud and deceptive advertising by providing the telemarketing vendor with such private information as Social Security numbers, account balances and transactions and credit limits.

"People are appropriately careful about protecting their Social Security number, checking and credit card information," said Hatch. "When a bank hands out this information to the highest bidder, it has to answer to its customers and to the Attorney General's Office."

Specifically, U.S. Bank provided Member Works Inc. with the following information for its customers: name, address, telephone numbers of the primary and secondary customer, gender, marital status, homeownership status, occupation, checking account number, credit card number, Social Security number, birth date, account open date, average account balance, account frequency information, credit limit, credit insurance status, year to date finance charges, automated transactions authorized, credit card type and brand, number of credit cards, cash advance amount, behavior score, bankruptcy score, date of last payment, amount of last payment, date of last statement, and statement balance.

Since November 1996 U.S. Bank has received over $4 million plus commissions -- commissions equal to 22 percent of each sale Member Works made -- from the provision of its customers' private information to Member Works. Member Works used the U.S. Bank customer data to sell memberships in a health program that allowed members to get discounts on dental and health care visits.

Hatch also alleges that in addition to providing confidential customer information, U.S. Bank approved telemarketing scripts that contained deceptive information. For example, if a customer asked a telemarketer if U.S. Bank had given the customer's credit card or checking account number to the telemarketer, the script instructed the telemarketer to answer "No, I personally do not have your account number."

Hatch alleges that U.S. Bank violated federal law and banking rules by allowing the telemarketing company to automatically withdraw payments from a checking account without written authorization from the consumer.

Federal and state regulatory agencies require banks to publish privacy policies telling consumers how their personal information will be used, who has access to the information and if the bank intends to give its personal information to non-affiliated third parties. U.S. Bank has a privacy policy printed in its U.S. Bank Customer Agreement that says "We share your concerns about the privacy of your personal information and strive to maintain its confidentiality." Nothing in the bank's agreement reveals that personal, confidential information is being sold to companies that are not affiliated with U.S. Bank. Hatch also said at the press conference that none of U.S. Bank's consumer brochures disclose to customers that their names and account information could be sold to a third party.

Hatch is asking that the court prohibit the bank's exchange of customers' personal information and order the bank to pay civil penalties to consumers. Hatch also called upon Congress to enact legislation to protect consumers' rights to financial privacy.

On Monday, U.S. Comptroller of the Currency John Hawke condemned practices like those described above as "seamy," unfair and deceptive. (Wall Street Journal, June 8, 1999.)

PRESS RELEASE

e-DENTIFICATION NAMES NEW CHIEF OPERATING OFFICER

Madison, Wisconsin...July 9, 1999

John Ellingson, president and founder of e-DENTIFICATION, announced today, effective immediately, the appointment of J. Rick Ingram as Chief Operating Officer. Mr. Ingram will be responsible for the day-to-day operations including research, finance, investment banking, sales, administration and will chair the Internal Operating Committee.

"Rick Ingram is an outstanding manager who as Chief Operating Officer brings many years of experience and expertise to the company and can assist the company in reaching the next level of growth without compromising our focus on quality and service," said John Ellingson, President and founder.

Prior to joining e-DENTIFICATION, Ingram was a 20-year veteran of the software industry, formerly with Platinum Technology, in an Executive Sales position specializing in Fortune 500 Companies, with Boole & Babbage in Executive Operations dealing with Fortune 50 Outsourcers, and as a Senior Sales Executive for Fischer International.

Email John Ellingson at: ellingson () e-dentification com
Email Rick Ingram at: ingram () e-dentification com

ABOUT THIS NEWSLETTER

Free...OK to Copy or Remail
Subscribe/Unsubscribe to: Edent99@ aol.com

ISN is sponsored by Security-Focus.COM