Identity Theft Stories

Alabama State employee Natacia Webster pleaded guilty on Wednesday to stealing identity information from inmates while working for the state and to providing that information to a co-conspirator who used the identities to file false tax returns.

The Montgomery resident who worked for the Alabama Department of Corrections pleaded guilty to wire fraud, to aggravated identity theft, and to conspiring to defraud the United States by filing false claims, U.S. Attorney George Beck of the Middle District of Alabama announced in a news release Wednesday.

Webster, according to the indictment and other court documents, obtained identity information while working for the state in 2011 and provided the stolen prisoner identities to co-conspirator Melinda Clayton, who paid her for that information.

Clayton filed the false tax returns using the stolen identities and claimed the fraudulent tax refunds, which were directed to bank accounts and debit cards that the conspirators could access.

“These criminals need to be punished for the harm they cause to the person whose identity is stolen and the harm they cause to U.S. taxpayers,” Beck said in January when Webster was indicted.

Clayton, who pleaded guilty and was sentenced to 61 months in prison, and several others were indicted in April 2011.

A judge has not set a sentencing date for Webster. She faces a possible prison term of two years to 32 years in prison, three years of supervised release, and restitution and a fine of up to $750,000, which federal authorities said would be twice the loss caused by the offenses.

A federal jury on Thursday found a St. Louis Park man guilty for his role in a large, multi-state identity theft ring that operated from 2006 through 2011.

Joel Delano Powell, Jr, 46, was convicted of seven counts of bank fraud, five counts of aggravated identity theft and one count of conspiracy to commit bank fraud. Three other men were also convicted in the case.

According to a press release, the men conspired with each other and unnamed individuals to defraud banks, bank customers and businesses. Through their jobs, members of the theft ring stole the identification information of customers and others, providing it to co-conspirators who then used it to create false ID documents, such as driver’s licenses and ID cards, along with counterfeit checks.

Identification information was stolen in other ways, including mail theft, vehicle break-ins and business burglaries. Some was even purchased from other criminals.

Powell and the others would often use the counterfeit checks they created to buy expensive items, which they quickly returned for cash.

“Over the past several years, this office has demonstrated that it will vigorously pursue those who commit financial fraud and identity theft. Again, through the successful prosecution of this case, we put would-be fraudsters on notice that such action will not be tolerated in Minnesota,” said U.S. Attorney B. Todd Jones in the release. “Their victims—the hardworking, law-abiding citizens of this state—deserve no less.”

The four men face maximum potential penalties of 30 years in prison for conspiracy to commit bank fraud. Their sentences will be determined at later hearings.

A Putnam County woman has been charged with identity theft after authorities said she used the identity of an out-of-state veterinarian to run a mobile pet clinic.

Judy Grace Tabor, 40, was arrested on charges from Putnam and St. Johns counties, where she operated Pet Care A Van and Pet Caravan, according to the State Attorney’s Office.

Tabor advertised that she provided animal vaccinations and also employed technicians, said spokeswoman Klare Ly of the State Attorney’ Office. Tabor would need to be a licensed veterinarian to own the business, Ly said.

Ly said the veterinarian whose name was used on the license was not aware of the business.

Tabor was charged with 11 felonies in St. Johns and five in Putnam.

Read more at Jacksonville.com: http://jacksonville.com/news/crime/2012-02-29/story/putnam-woman-charged-identity-theft-run-pet-clinic

(Reuters) – Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins.

Sony learned that user information had been stolen from its PlayStation Network seven days ago, prompting it to shut down the network immediately. But Sony did not tell the public until Tuesday.

The electronics conglomerate is the latest Japanese company to come under fire for not disclosing bad news quickly. Tokyo Electric Power Co was criticized for how it handled the nuclear crisis after the March earthquake. Last year, Toyota Motor Corp was slammed for being less than forthright about problems surrounding its massive vehicle recall.

The “illegal and unauthorized person” obtained people’s names, addresses, email address, birth dates, usernames, passwords, logins, security questions and more, Sony said on its U.S. PlayStation blog on Tuesday.

The shutdown of the PlayStation Network seven days ago prevented owners of Sony’s video game console from buying and downloading games, as well as playing with rivals over the Internet.

Alan Paller, research director of the SANS Institute, said the breach may be the largest theft of identity data information on record.

The breach is a major setback for the Japanese electronics maker. Although video game hardware and software sales have declined globally, the PlayStation franchise has been a steady seller and remains a flagship product for Sony.

Children with accounts established by their parents also might have had their data exposed, Sony said.

Sony said it saw no evidence credit card numbers were stolen, but warned users it could not rule out the possibility.

“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony said.

Analysts said that, while Sony has notified its customers of the breach, it still has not provided information on how user data might have been compromised.

“This is a huge data breach,” said Wedbush Securities analyst Michael Pachter, who estimated Sony generates $500 million in annual revenue from the service. “The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?”

Sony said it has hired an “outside recognized security firm” to investigate.

The company said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.

Paller said Sony probably did not pay enough attention to security when it was developing the software that runs its network. In the rush to get out innovative new products, security can sometimes take a back seat.

“They have to innovate rapidly. That’s the business model,” Paller said. “New software has errors in it. So they expose code with errors in it to large numbers of people, which is a catastrophe in the making.”

He suspected the hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony’s customers. They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC.

Hackers have stolen personal data in the past from large companies. In 2009, Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers by breaking into corporate computer systems at companies such as 7-Eleven Inc and Target Co.

Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.

Sony, a unit of Sony Corp, said it could restore some of the network’s services within a week.

The company declined to comment on whether it was working with law enforcement or other parties in its investigation.

The online network was launched in the autumn of 2006 and offers games, music and movies to people with PlayStation consoles. It had 77 million registered users as of March 20, a Sony spokesman said.

Irina Malezhik was ending an assignment as a Russian-language translator at a law office in 2004 when she asked an innocent but fateful question: Could anyone offer a lift to Brooklyn?

The man who obliged by chance, authorities say, was a stranger named Dmitriy Yakovlev. He says she later began tutoring him in English and that he loaned her money.

Three years later, the Ukrainian-born Malezhik walked out of her apartment building and was never seen again.

The disappearance is central to a disturbing identity theft case that went to trial earlier this month in federal court in Brooklyn. With the trial entering its third week, a jury has heard about a surgically dismembered body, a Halloween mask discarded with the body parts and an extravagant shopping spree by Yakovlev and his wife that began only 48 hours after Malezhik vanished.

Yakovlev, a 43-year-old Russian immigrant, has pleaded not guilty to conspiracy, bank fraud, using stolen credit cards and other charges involving Malezhik and two other victims.

As part of the conspiracy, prosecutors allege Yakovlev murdered Malezhik, 47, and Viktor Alekseyev, a neighbor of Yakovlev in a seaside, gated community in Brooklyn. They say he also stole the identity of another acquaintance, a retired New York Police Department employee who disappeared in 2003 without a trace.

Yakovlev’s wife, Julia, avoided trial by pleading guilty last month to identity theft and credit card fraud. She faces at least two years in prison at sentencing in May.

Following Yakovlev’s arrest in 2009, federal agents claim he admitted making ATM withdrawals and purchases with the missing victims’ credit cards. But he “stated that in the past he had been given permission by others to use their credit cards in lieu of cash repayment for loans (he) had extended to them,” court papers say.

He claimed Malezhik owed him $20,000, Alekseyev $30,000.

Defense attorney Michael Gold also told jurors in opening statements the government can’t say how the two were killed or prove he did it.

“There is certainly no forensic evidence Mr. Yakovlev in any way, shape or manner or form contributed to (Malezhik’s) disappearance,” Gold said.

Alekseyev was last seen in 2005 on the eve of a planned trip to Moscow. About three weeks later, his body parts were found in plastic garbage bags — inexplicably, with a vampire mask — in a wooded area of New Jersey.

Prosecutors have shown the jury crime scene photos of the bags and mask, entered as evidence immigration papers saying Yakovlev once worked as a surgeon. A forensic pathologist testified how the victim’s limbs were removed without cutting through bone. Whoever did it, the witness said, “had anatomic knowledge.”

Acting on a tip in 2009, FBI agents using cadaver dogs dug up the basement of Yakovlev’s home in search of the translator’s remains. Agents “found a clump of long, brown-colored hair which appeared to them to be consistent with what was known of the length and color of the hair of (the victim),” court papers say, but no body parts turned up.

The spectacle of a failed search in a mysterious death ran counter to Malezhik’s simple life.

Born in Kiev, she settled in Brooklyn several years before she disappeared. She lived alone in a tidy, one-bedroom apartment in Brighton Beach — a longtime Eastern European enclave bordering Coney Island that’s sometimes called “Little Odessa” — with a view of the ocean and “a lot of orchids,” a close friend, Olga Fisher, testified.

Malezhik spent most days working as a translator in state and federal courts and for law firms. In the mornings, she would take long walks with Fisher on the boardwalk near their homes.

Her walking partner was “very intelligent, very intellectual and a very hard worker, a good friend,” Fisher said.

That’s why it was strange in the fall of 2007 when Fisher stopped hearing from Malezhik. She left a string of phone messages and got no reply.

Fisher finally reported Malezhik missing and went to her apartment to meet the police. The mailbox was full, the apartment was unoccupied.

An initial investigation turned up a security camera video showing Malezhik leaving her building for the last time on Oct. 15, 2007. That day, authorities say, the Yakolevs began depositing checks drawn on Malezhik’s bank account by forging her signature.

The following day, Julia Yakovlev purchased two Franck Muller watches for $16,200 using the victim’s Social Security card as identification, prosecutors say. The couple was later captured by a camera at a Century 21 department store in Westbury, N.Y. using the victim’s credit card.

After his arrest, Yakovlev appeared unfazed by the allegations, according to court papers. He told the FBI he had been trained as a doctor and served in the Russian Army before coming to the United States in the 1990s. He described himself as self-employed and an owner of rental properties.

After meeting Malezhik, she had tutored him in English — not at either of their homes, but “on the beach and places like that,” he said. He claimed he loaned her money so she could buy furniture, and the last time he saw her was when she gave him her credit cards as repayment as they sat in his Lexus SUV.

“He stated he did not find (her) disappearance concerning, and suggested that she returned to Russia,” according to an FBI report.

The report adds that when told he would have to appear in court that afternoon, “he expressed frustration that the court appearance would interfere with a scheduled motorcycle lesson.”

Internet marketing giant Epsilon suffered a major data breach over the weekend, as names and email addresses were stolen in a series of hacking attacks affecting at least 19 of its client companies.

In a statement to its clients, Epsilon assured that highly sensitive information had not been stolen by hackers.

“The information that was obtained was limited to email addresses and/or customer names only… A full investigation is currently underway,” the statement read.

But experts say that the stolen information may be enough for the hackers, according to Reuters:

…security experts said just having email addresses — plus knowing where someone shops — can help thieves write more sophisticated emails to steal financial data or spread malicious software, or malware.

That practice — using emails that appear to come from a trustworthy source to steal data — is sometimes known “spear-phishing” because such emails are more focused than traditional “phishing” emails.

Epsilon works with more than 2,500 clients and sends more than 40 billion emails annually. The company is the world’s largest permission-based email marketer.

So far, the following companies have confirmed a security breach, according to CNET – Kroger,TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens. The College Board, Disney Destinations, and Best Buy.

Stancy Nesby was pulled over for speeding, arrested and jailed for 3 days on mistaken identity. It happens that a judge issued a warrant for Stacy Nesby’s arrest after another woman arrested for cocaine possession gave Stacy’s name to the judge and then skipped her court date. The surprising issue with this mistaken identity case is that each time Ms. Nesby was mistakenly arrested the police eventually figured it out and told her that the warrant would be corrected. However nobody corrected this warrant and Stancy was arrested, jailed or detained 7 times by 5 police department for the same mistake. She had to sue the City of San Francisco and finally a judge required that the warrant be corrected after almost 4 years of the nightmare. It’s an amazing true story about how difficult it can be to get mistaken identity corrected. See the video below about her titled “Criminal Identity Theft” from CNN.

The New York Times reports that bogus and stolen accounts on Facebook are being sold in high volume on the black market.

During several weeks in February, VeriSign’s iDefense division tracked an effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces, including one called Carder.su.

That hacker, who used the screen name “kirllos” tried to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45. This shows a significant expansion in the illicit market for social networking accounts, according to VeriSign.

Criminals steal log-in data for Facebook accounts, usually by using “phishing” techniques that trick users into disclosing their passwords or with malware that logs keystrokes. They then use the accounts to send spam, distribute malicious programs and run identity and other fraud.

In fewer than six months, some $900,000 in merchandise, gambling and telephone-services charges were siphoned out of his debit card. His attempts to salvage his finances have cost him nearly $100,000 and have bled dry his savings and retirement accounts. His credit score, once a strong 780, has been decimated. And his identity — Social Security number, address, phone numbers, even historical information — is still being used in attempts to open credit cards and bank accounts.

“I have no identity,” said Crouse, 56. “I have no legacy. My identity is public knowledge and even though it’s ruined, they’re still using it.

“It really ruined me,” he said. “It ruined me financially and emotionally.”

Crouse is among the 11.1 million adults — one in every 20 U.S. adults — last year who have the dubious distinction of breaking the record of the number of identity-fraud victims in the U.S., according to a recent study by Javelin Strategy and Research. That figure is up 12% over 2008 and is 37% ahead of 2007. The cost to the victims: a collective $54 billion.

“The odds have never been higher for becoming a fraud victim,” said James Van Dyke, Javelin president and founder. “It’s an easy crime to perpetrate, a crime that’s almost impossible to catch when done in a sophisticated manner and a crime in which enforcement is very limited.”
Endless paperwork

Crouse can attest to that. Once an avid fan of online shopping and banking, the Bowie, Md., resident would auction on eBay.com, download songs from iMesh.com and use his ATM card like a credit card.

He first noticed suspicious activity in his account in February of 2009 for small charges of $37 or $17.98. He had a full-time job then and was spending out of an account that generally held $30,000.

“All of a sudden it really got bad,” he said. “In August the charges hit big time — $600, $500, $100, $200 – all adding up from $2,800 to $3,200 in one day.”

He called his bank immediately and started what began a tiresome process of filling out what he said finally amounted to about 20 affidavits swearing that he was not responsible for the charges. He said one day he filled out an affidavit about a charge and the next day the bank had accepted similar charges approaching $4,000.

“At that point I was going to the bank every day and looking at everything,” he said. He had the time then. Five months before that he had been laid off his $180,000 a year construction-industry job.

Now he was in a double bind: His $2,300 a week net income had dwindled to $780 in unemployment checks every two weeks and his accounts were getting drained daily — even after he closed his debit account.

He opened a new account at a new bank and the next day both accounts got hit with a $1,100 charge. The new bank told him it was keystroke malware that had likely done him in. Someone had hacked into one of the sites he visited regularly, his computer got infected and picked up all his personal information by tracking every key he struck.

While much of the fraud came from online purchases and at gambling sites, there were new accounts opened in different names but linked to his bank account. There was one purchase of a plasma TV from a Best Buy in Florida that was shipped to a Brooklyn. N.Y., address. In another case a woman in North Carolina was writing out checks tied to his account.

“It was nasty,” he said, admitting that he even contemplated suicide. “I just couldn’t take it. I didn’t feel like a man anymore. I was violated and I didn’t know what to do.”
High-value targets

Identity thieves steal mostly through two means, according to Michael Stanfield, chief executive of Intersections Inc., a risk-management firm. They take an established address and phone number of an identity that “has some value,” he said, like a doctor or a lawyer. In many instances, they can go to the Internet and acquire the matching Social Security number for as little as $50. They then have enough information to get an address changed with your bank account or a credit card account. They apply for new accounts as you.

Others take over existing accounts, Stanfield said, through keystroke malware that you — and probably hundreds or even thousands simultaneously — have picked up through the Internet.

Listening software then sits on your computer, perking up when you go to a bank site. It copies all your key strokes — your user name, password, challenge question, account numbers, everything.

“You leave and the bad guy goes right back in behind you,” Stanfield said. “We’ve seen examples where that has occurred and its gets fixed and a month later the computer gets cleaned out again and he becomes a new victim, even with a new account.

“It’s a horrible event and it’s happening every minute of the day to someone,” Stanfield said.

According to Javelin, the number of fraudulent new credit-card accounts shot up to 39% of all identity-fraud victims in 2009 from 33% the year before. Fraud from existing credit-card accounts rose to 75%. New online accounts opened falsely more than doubled from 2008. The study also found that 29% of victims said new cell-phone accounts were opened deceptively.
No one is immune

Identity theft is indiscriminate, cutting across all age and income levels. But those most at risk are those who spend the most and that tends to be middle-income families. Those most likely to miss fraud are usually 18 years old to 24 years old, simply because they don’t pay enough attention to their accounts and — though most are technologically savvy — they’re not protecting themselves against the worst of technology through malware, viruses and Trojan horses.

“The more you transact, the more you’re at risk because you leave a trail behind,” Van Dyke said.

Criminals turn to in-store and online purchases to steal most often, accounting for four in 10 cases of fraud, according to Javelin. Some 20% of victims have had their information used to make phone or mail-order catalog purchases.

“A lot of these crimes are really a battle of who can get their hands on the most information,” Van Dyke said. Remember too that not all identity fraud is committed by strangers. Last year at least 13% of all ID crimes were committed by someone the victim knew, like a family member or friend.

As for Crouse, the trouble extended into other areas of his life. He fell behind on paying bills — though the mortgage on the house his ex-wife and two sons live in was kept current — and racked up myriad late fees, higher interest costs and penalties. One son dropped out of college and another is reconsidering where he’ll go because of costs.

In the meantime, he was having trouble finding work. With a doctorate degree in organizational psychology and a longtime veteran of contracting work at federal facilities like the FBI and the Secret Service, Crouse was getting high acclaim in interviews but no calls back. Finally one recruiter told him that companies were turning him away because his credit reports were so poor and his debt was mounting. As a result, his security clearance to work on government buildings was yanked.

“It affected me. It affected my livelihood. It affected my whole family,” he said.

He finally found a job, though he took a significant pay cut because he lost his clearance. He figures he’ll be 61 by the time he crawls out of the debt the fraud caused and is able to rebuild any kind of nest egg. He’s sold many of his prize possessions, including a 1993 Corvette and assorted pieces of gold and silver. He uses coupons now, shops food sales, even eating things he doesn’t like such as macaroni and cheese because they’re cheaper.

“It’s just like I’m back in college,” he said.

His advice to others: Don’t touch Web sites that offer free things or 30-day trials; never give out personal information; and always keep your receipts.
Don’t become a victim

Javelin has recommendations for what it calls “prevention, detection and resolution” of identity fraud:

• Keep sensitive information from prying eyes. Request electronic statements, use direct deposit, don’t put checks in unlocked mailboxes. Don’t give out your Social Security number and secure all personal and financial records in locked storage devices or behind a password. Shred all sensitive documents.
• Prevent high-tech criminal access. Install antivirus software on your computer and keep it updated. Never respond to requests for personal or account information online or over the phone. Watch out for convincing imitations of banks, card companies, charities and government agencies. Don’t divulge birth date, mother’s maiden name, pet’s name or other identifying and personal information on social media sites like Facebook, Twitter, LinkedIn, etc. Be creative with passwords and don’t access secure Web sites using public Wi-Fi.
• Keep close watch over activity in existing accounts. Monitor bank and credit-card accounts weekly, even daily. Sign up for alerts to your phone or e-mail accounts. Javelin found that 43% of reported identity-fraud cases are spotted through self-monitoring.

• Keep close watch on new accounts. Monitor your credit and public information to spot unauthorized activity. Get those free credit reports and consider fee-based services that monitor those things for you.

• Resolve identity fraud quickly. Report problems to you bank, credit union, protection services and the police immediately. Make sure your financial provider offers zero-liability protection for debit and credit cards.

Twitter reset passwords for an unknown number of users whose accounts appeared to have been compromised via phishing.

“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite,” the company said in a statement.

Some Twitter users apparently “used their Twitter username and password to sign up for an untrusted third-party application which then posted Tweets to their account,” a spokeswoman said.

“While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety,” the statement said. “We’ll continue to provide updates as warranted at @safety and @spam.”

Users who want information on what to do if their accounts have been compromised can visit this page and learn how to use Twitter safely here.

In response to a reader e-mail suggesting that there may have been a breach at Twitter, Del Harvey, trust and safety director at Twitter, said there was no data breach at the company.

“We’ve noticed a high correlation of users with accounts on third-party Torrent sites and users’ accounts that we believe are compromised. It’s possible that this person falls into this category. It’s not a result of a data breach on Twitter.”