Identity Theft Stories

The New York Times reports that bogus and stolen accounts on Facebook are being sold in high volume on the black market.

During several weeks in February, VeriSign’s iDefense division tracked an effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces, including one called Carder.su.

That hacker, who used the screen name “kirllos” tried to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45. This shows a significant expansion in the illicit market for social networking accounts, according to VeriSign.

Criminals steal log-in data for Facebook accounts, usually by using “phishing” techniques that trick users into disclosing their passwords or with malware that logs keystrokes. They then use the accounts to send spam, distribute malicious programs and run identity and other fraud.

Tweet This Post Buzz This Post Delicious Stumble This Post

In fewer than six months, some $900,000 in merchandise, gambling and telephone-services charges were siphoned out of his debit card. His attempts to salvage his finances have cost him nearly $100,000 and have bled dry his savings and retirement accounts. His credit score, once a strong 780, has been decimated. And his identity — Social Security number, address, phone numbers, even historical information — is still being used in attempts to open credit cards and bank accounts.

“I have no identity,” said Crouse, 56. “I have no legacy. My identity is public knowledge and even though it’s ruined, they’re still using it.

“It really ruined me,” he said. “It ruined me financially and emotionally.”

Crouse is among the 11.1 million adults — one in every 20 U.S. adults — last year who have the dubious distinction of breaking the record of the number of identity-fraud victims in the U.S., according to a recent study by Javelin Strategy and Research. That figure is up 12% over 2008 and is 37% ahead of 2007. The cost to the victims: a collective $54 billion.

“The odds have never been higher for becoming a fraud victim,” said James Van Dyke, Javelin president and founder. “It’s an easy crime to perpetrate, a crime that’s almost impossible to catch when done in a sophisticated manner and a crime in which enforcement is very limited.”
Endless paperwork

Crouse can attest to that. Once an avid fan of online shopping and banking, the Bowie, Md., resident would auction on eBay.com, download songs from iMesh.com and use his ATM card like a credit card.

He first noticed suspicious activity in his account in February of 2009 for small charges of $37 or $17.98. He had a full-time job then and was spending out of an account that generally held $30,000.

“All of a sudden it really got bad,” he said. “In August the charges hit big time — $600, $500, $100, $200 – all adding up from $2,800 to $3,200 in one day.”

He called his bank immediately and started what began a tiresome process of filling out what he said finally amounted to about 20 affidavits swearing that he was not responsible for the charges. He said one day he filled out an affidavit about a charge and the next day the bank had accepted similar charges approaching $4,000.

“At that point I was going to the bank every day and looking at everything,” he said. He had the time then. Five months before that he had been laid off his $180,000 a year construction-industry job.

Now he was in a double bind: His $2,300 a week net income had dwindled to $780 in unemployment checks every two weeks and his accounts were getting drained daily — even after he closed his debit account.

He opened a new account at a new bank and the next day both accounts got hit with a $1,100 charge. The new bank told him it was keystroke malware that had likely done him in. Someone had hacked into one of the sites he visited regularly, his computer got infected and picked up all his personal information by tracking every key he struck.

While much of the fraud came from online purchases and at gambling sites, there were new accounts opened in different names but linked to his bank account. There was one purchase of a plasma TV from a Best Buy in Florida that was shipped to a Brooklyn. N.Y., address. In another case a woman in North Carolina was writing out checks tied to his account.

“It was nasty,” he said, admitting that he even contemplated suicide. “I just couldn’t take it. I didn’t feel like a man anymore. I was violated and I didn’t know what to do.”
High-value targets

Identity thieves steal mostly through two means, according to Michael Stanfield, chief executive of Intersections Inc., a risk-management firm. They take an established address and phone number of an identity that “has some value,” he said, like a doctor or a lawyer. In many instances, they can go to the Internet and acquire the matching Social Security number for as little as $50. They then have enough information to get an address changed with your bank account or a credit card account. They apply for new accounts as you.

Others take over existing accounts, Stanfield said, through keystroke malware that you — and probably hundreds or even thousands simultaneously — have picked up through the Internet.

Listening software then sits on your computer, perking up when you go to a bank site. It copies all your key strokes — your user name, password, challenge question, account numbers, everything.

“You leave and the bad guy goes right back in behind you,” Stanfield said. “We’ve seen examples where that has occurred and its gets fixed and a month later the computer gets cleaned out again and he becomes a new victim, even with a new account.

“It’s a horrible event and it’s happening every minute of the day to someone,” Stanfield said.

According to Javelin, the number of fraudulent new credit-card accounts shot up to 39% of all identity-fraud victims in 2009 from 33% the year before. Fraud from existing credit-card accounts rose to 75%. New online accounts opened falsely more than doubled from 2008. The study also found that 29% of victims said new cell-phone accounts were opened deceptively.
No one is immune

Identity theft is indiscriminate, cutting across all age and income levels. But those most at risk are those who spend the most and that tends to be middle-income families. Those most likely to miss fraud are usually 18 years old to 24 years old, simply because they don’t pay enough attention to their accounts and — though most are technologically savvy — they’re not protecting themselves against the worst of technology through malware, viruses and Trojan horses.

“The more you transact, the more you’re at risk because you leave a trail behind,” Van Dyke said.

Criminals turn to in-store and online purchases to steal most often, accounting for four in 10 cases of fraud, according to Javelin. Some 20% of victims have had their information used to make phone or mail-order catalog purchases.

“A lot of these crimes are really a battle of who can get their hands on the most information,” Van Dyke said. Remember too that not all identity fraud is committed by strangers. Last year at least 13% of all ID crimes were committed by someone the victim knew, like a family member or friend.

As for Crouse, the trouble extended into other areas of his life. He fell behind on paying bills — though the mortgage on the house his ex-wife and two sons live in was kept current — and racked up myriad late fees, higher interest costs and penalties. One son dropped out of college and another is reconsidering where he’ll go because of costs.

In the meantime, he was having trouble finding work. With a doctorate degree in organizational psychology and a longtime veteran of contracting work at federal facilities like the FBI and the Secret Service, Crouse was getting high acclaim in interviews but no calls back. Finally one recruiter told him that companies were turning him away because his credit reports were so poor and his debt was mounting. As a result, his security clearance to work on government buildings was yanked.

“It affected me. It affected my livelihood. It affected my whole family,” he said.

He finally found a job, though he took a significant pay cut because he lost his clearance. He figures he’ll be 61 by the time he crawls out of the debt the fraud caused and is able to rebuild any kind of nest egg. He’s sold many of his prize possessions, including a 1993 Corvette and assorted pieces of gold and silver. He uses coupons now, shops food sales, even eating things he doesn’t like such as macaroni and cheese because they’re cheaper.

“It’s just like I’m back in college,” he said.

His advice to others: Don’t touch Web sites that offer free things or 30-day trials; never give out personal information; and always keep your receipts.
Don’t become a victim

Javelin has recommendations for what it calls “prevention, detection and resolution” of identity fraud:

• Keep sensitive information from prying eyes. Request electronic statements, use direct deposit, don’t put checks in unlocked mailboxes. Don’t give out your Social Security number and secure all personal and financial records in locked storage devices or behind a password. Shred all sensitive documents.
• Prevent high-tech criminal access. Install antivirus software on your computer and keep it updated. Never respond to requests for personal or account information online or over the phone. Watch out for convincing imitations of banks, card companies, charities and government agencies. Don’t divulge birth date, mother’s maiden name, pet’s name or other identifying and personal information on social media sites like Facebook, Twitter, LinkedIn, etc. Be creative with passwords and don’t access secure Web sites using public Wi-Fi.
• Keep close watch over activity in existing accounts. Monitor bank and credit-card accounts weekly, even daily. Sign up for alerts to your phone or e-mail accounts. Javelin found that 43% of reported identity-fraud cases are spotted through self-monitoring.

• Keep close watch on new accounts. Monitor your credit and public information to spot unauthorized activity. Get those free credit reports and consider fee-based services that monitor those things for you.

• Resolve identity fraud quickly. Report problems to you bank, credit union, protection services and the police immediately. Make sure your financial provider offers zero-liability protection for debit and credit cards.

Tweet This Post Buzz This Post Delicious Stumble This Post

Twitter reset passwords for an unknown number of users whose accounts appeared to have been compromised via phishing.

“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite,” the company said in a statement.

Some Twitter users apparently “used their Twitter username and password to sign up for an untrusted third-party application which then posted Tweets to their account,” a spokeswoman said.

“While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety,” the statement said. “We’ll continue to provide updates as warranted at @safety and @spam.”

Users who want information on what to do if their accounts have been compromised can visit this page and learn how to use Twitter safely here.

In response to a reader e-mail suggesting that there may have been a breach at Twitter, Del Harvey, trust and safety director at Twitter, said there was no data breach at the company.

“We’ve noticed a high correlation of users with accounts on third-party Torrent sites and users’ accounts that we believe are compromised. It’s possible that this person falls into this category. It’s not a result of a data breach on Twitter.”

Tweet This Post Buzz This Post Delicious Stumble This Post

Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.

The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut.
Dramatically Reduce WAN Costs with Adaptive Private Networking: View now

The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release.

Law enforcement has been notified. “ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation,” it said in a statement.

ECMC will send a written notification to affected borrowers “as soon as possible” and offer them free services from Experian, a credit monitoring agency.

Data loss can occur in a variety of ways, including by remote hacking or employee theft. ECMC didn’t say whether the data taken was encrypted.

The information could be useful for data thieves, who use personal information to apply for loans and credit cards or to assemble portfolios for larger identity theft schemes.

ECMC’s data loss is significant but far short of some of the largest incidents.

More than 130 million credit card numbers were stolen around 2008 from Heartland Payment Systems, an attack ranked as the largest to date by DataLossDB, which tracks incidents. One of the hackers, Albert Gonzalez , was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

In 2006, a laptop and hard drive containing personal information of 26.5 million military veterans and their spouses was stolen from the home of a U.S. Department of Veterans Affairs employee.

Tweet This Post Buzz This Post Delicious Stumble This Post

Not too long ago, I made a disturbing discovery. I received a statement in the mail for a department store credit card that I hadn’t authorized, and noticed a shipping address that was not my own. My name was listed on the bill, and my home address was recorded as the billing address – but the shipping address was for a location in an entirely different state.

I immediately called the credit card company to find out what was happening, thinking there must be some kind of mistake. I was connected with a helpful customer service representative who was able to quickly determine that I was a victim of fraud. Thankfully, she believed me when I insisted I had not authorized this card to be opened.

Once the customer service representative had notified her company’s fraud department, I asked if she might be able to give me any further information. She was very helpful and gave me the name of the person who had opened the account.

After hanging up with the credit card company, I immediately did a quick Internet search. Having the name of the women who opened the account, and knowing the state where the products were sent made my search rather easy. Soon I was able to locate a telephone number for the person who had opened this credit card in my name, without my permission.

I dialed the number and was a little surprised to hear an older woman’s voice on the phone. She was clearly unnerved when I told her my name and asked why she had opened an account using my identity. Out spilled her story of meeting a man with my name in an Internet chat room.

Nervously she shared how he had convinced her to open a few credit card accounts on his behalf. He gave her the necessary information and directed her to make store credit purchases at a major department store, a clothing store, and a toy store. I was a bit alarmed – the major department store was not the only place where an unauthorized credit card had been issued.

The woman continued to tell me that the impostor had convinced her he wasn’t able to purchase products from the United States on his own and needed her help. He told her she would be doing him a big favor if she would order items on his behalf, and have them sent to her address. Then, she was directed to ship the items to him at an address outside the country.

After kindly assuring this lady that I, in fact, had never authorized these purchases, she became filled with remorse, and stopped sharing any information with me. It was clear she feared some kind of punishment or revenge. I tried to calm her by informing her that she was also a victim of fraud, and ended our call by encouraging her to report this matter to her local police.

I then made calls to the other stores where the woman had opened credit accounts in my name. Fortunately, the fraud departments at each of the stores were able to successfully reverse the charges and close the accounts.

It did take a few weeks and some follow-up phone calls for the matter to be completely resolved with all the stores. However, it took longer to shake the feeling of being violated. It was unnerving to know that someone else had used my name and information to open a line of credit without my knowledge. It could happen again, and it could happen to anyone.

Tweet This Post Buzz This Post Delicious Stumble This Post

I’ve been a victim of identity theft not once, but twice. So, you can be sure that I’m always aware my identity can be stolen.

The first incident happened a few years ago. I was checking my bank account balance online when I noticed a problem. The bank showed I had $900 less in my account than I expected to have. I immediately called my wife to see if she might have made a purchase without telling me. Of course, she hadn’t. When I checked into where the money might have gone, I found out that purchases were being made on eBay—using my money!

My next step was to check my email to see if I could learn anything about these eBay transactions and get the problem resolved. When I tried to access my account, my email password wouldn’t work. The identity thief had not only taken my money, he had also changed my email account password!

By changing my password and gaining access to my email, he had been able to utilize my Pay Pal account on eBay, since Pay Pal was linked to my email. Without my knowledge, the thief had been making eBay purchases for sporting equipment in my name and having the items shipped outside the United States.

Once I figured out the scam and was able to regain access to my email, I could see messages the identity thief had written to the eBay sellers who had sold him products. One seller, upon seeing the account holder was a U.S. resident, had already questioned the thief about his request to ship items out of the country. Fortunately, now that I had control of my email account again, I was able to contact the eBay sellers myself and warn them about the scam so they would not ship any product.

My next step was to file a police report. Unfortunately, the police were not able to help me because the fraud had happened outside the United States. Sadly, this was out of their jurisdiction and there was nothing they could do for me.

I then contacted my bank where immediate action was taken. Next I contacted Pay Pal. They immediately froze my account so they could investigate further.

Although Pay Pal money returned my money in less than two weeks, my account with them is still frozen to this day. I’ve been told I could have my Pay Pal account restored if I will simply send them my original marriage certificate and social security card. Unfortunately, I won’t be doing this since it could compromise the safety of my identity in the future.

I had to exchange a number of emails with eBay in order to restore my account with them. The identity thief had won 10 bids with my username, and there were a number of forms I had to fill out to cancel the purchases. I also changed my eBay user id and password to further protect myself.

My identity was stolen through no fault of my own. Pay Pal had recently been hacked into and most likely this is how the thief got access to my password. However, this hasn’t kept me from taking extra steps to protect myself. I now have longer, more difficult to remember passwords on my accounts—and I never share them with anyone. I also check my credit report regularly to confirm everything looks as it should. Although this situation ended well, it was a hassle to get it resolved and I wouldn’t want to go through this again.

Tweet This Post Buzz This Post Delicious Stumble This Post

Federal prosecutors this week charged a Southern California woman with aggravated identity theft and other crimes for allegedly using a popular genealogy research website to locate people who had recently died, and then taking over their credit cards.

Tracy June Kirkland, 42, allegedly used Rootsweb.com to find the names, Social Security numbers and birth dates of people who, shall we say, had no further need for their consumer credit lines. She then “would randomly call various credit card companies to determine if the deceased individual had an … account,” according to the 15-count indictment (.pdf) filed in federal court in Los Angeles Tuesday.

She’d then persuade the issuer to change the mailing address for the dead victim to one of her many rented mail drops in Orange and Riverside counties, and in some cases she’d add her own name as an authorized user of the card, prosecutors say. The lenders included Nordstrom Federal Savings Bank, Macy’s and GE Money Bank.

At least 100 of the dearly departed were allegedly used in the scheme, which prosecutors say began in October 2005 and continued until last month. The indictment charges that Kirkland obtained various unspecified goods and cash advances.

Rootsweb, run by Provo, Utah-based The Generations Network, is a genealogical research site offering a wealth of resources. One of them is free, up-to-date access to the Social Security Administration’s Death Index, a list of people who have died, along with their birth dates and Social Security numbers.

Ironically, the government produces the monthly Death Index so that banks and other lenders can prevent people from applying for credit using a dead person’s information — the index is made public by the Department of Commerce under the Freedom of Information Act. The caper Kirkland’s accused of mastering apparently exploits a loophole, by taking over accounts that are already open.

Dorothy Clark, spokeswoman for the Social Security Administration, says she’s not aware of any prior cases of the index being used to perpetrate fraud, instead of prevent it. “None that I can attest to,” she says. “Nothing that I can say concrete.”

Rootsweb spokesman Mike Ward says the company hears rumors or speculation once or twice a year about people using the Death Index for identity theft, but that this is the first prosecution he’s aware of.

“The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end,” says Ward.

“Genealogists use it was one of many tools, like the census records or birth and death records, to fill in their family tree,” Ward adds.

Kirkland is also charged with unauthorized access to a computer, for allegedly hacking into Gallagher Bassett Services, and using the claims management company’s Citicorp bank account number to plunder $47,500 in cash.

Tweet This Post Buzz This Post Delicious Stumble This Post

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank’s systems, experts say.

“We’ve never heard of PINs coming out of the bank environment,” says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information.

Credit card and ATM PIN numbers show up often enough in underground trading, but they’re invariably linked to social engineering tricks like phishing attacks, “shoulder surfing” and fake PIN pads affixed to gas station pay-at-the-pump terminals.

But if federal prosecutors are correct, the Citibank intrusion is an indication that even savvy consumers who guard their ATM cards and PIN codes can fall prey to the growing global cyber-crime trade.

“That’s really the gold, the debit cards and the PINs,” says Clements.

Citibank denied to Wired.com’s Threat Level that its systems were hacked. But the bank’s representatives warned the FBI on February 1 that “a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached,” according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray.

Federal prosecutors in New York have charged 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, with access device fraud for allegedly using the stolen information to go on a cash-withdrawal spree. Ryabinin, who is allegedly an active member of underground credit card fraud forums, is not charged with the intrusion itself. He and a co-defendant “received over the internet information related to Citibank customers, which information had previously been stolen from Citibank,” according to an indictment (.pdf) in the case.

Also charged is 30-year-old Ivan Biltse, who allegedly made some of the withdrawals, and Angelina Kitaeva. Ryabinin’s wife is charged with obstruction of justice in the investigation.

In addition to looting Citibank accounts, Ryabinin is accused of participating in a global cyber crime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines “around the world,” according to Murray’s affidavit, resulting in a staggering $5 million in losses.

Ryabinin was allegedly responsible for more than $100,000 of the stolen iWire cash, which he pulled from Brooklyn ATMs. St. Louis-based First Bank, which issued the cards, declined to comment on the matter, citing the ongoing prosecution.

At the time of the ATM capers, FBI and U.S. Secret Service agents had already been investigating Ryabinin for his alleged activities on eastern European carder forums.

Ryabinin allegedly used the same ICQ chat account to conduct criminal business, and to participate in amateur radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by ATM cameras in the New York Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.

Notwithstanding the court documents, Citibank said in an e-mailed statement that it was not the source of the breach. “There is no evidence that Citi servers were compromised in connection with this fraud,” the company wrote.

Asked about Citibank’s denial, a spokeswoman for the United States Attorneys Office for the Southern District of New York, which filed one of the criminal complaints in the case, said the office would not comment beyond what was in court documents.

Citibank added that it does not hold customers responsible for fraudulent withdrawals, but would not disclose how many customers were affected. Spokesman Robert Julavits did say in an e-mail that “Citibank has complied with all applicable notification requirements.” Under New York’s Information Security Breach And Notification Act, companies must generally warn consumers of data breaches in the “most expedient time possible.”

The timing of the caper — which prosecutors say began in October — overlaps Citibank’s previously-unexplained lowering of ATM withdrawal limits in New York last December.

Citibank was taciturn at the time, when New Yorkers began noticing that their ATM withdrawal limits had been slashed in half. The bank told the New York Daily News that the move was a response to “isolated fraudulent activity” in New York.

In an earlier incident in 2006, Citibank put transaction holds on some Citi-branded MasterCard debit cards. In that case, the action was later linked to a breach at office-supply retailer OfficeMax. That intrusion remains unsolved.

In the new case, the FBI affidavit says that Citibank knew by February 1 which accounts were leaked, but it left those accounts open while the fraud unfolded.

“Citibank identified all of the account numbers involved in ATM withdrawals during the period that the server was compromised … and established a fraud alert system that notifies Citibank each time one of the compromised Citibank account numbers is used,” the affidavit reads.

That language suggests that the attackers may not have had access to stored account numbers and PINs, but instead were tapping into transactions in real time to vacuum up PIN codes as they flew past.

Tweet This Post Buzz This Post Delicious Stumble This Post

When you hear stories that involve identity theft between a woman and her nanny, one would normally draw the conclusion that the nanny is stealing from the mother. Most likely visions of Rebecca De Mornay and scenes from Hand that Rocks the Cradle flash through your head. This time it was the nanny who was victimized.

Ramie Marston, the mother in this case, is awaiting sentencing for stealing her nanny’s information and making fraudulent purchases while using her name. Shortly after offering the nanny a rent-free stay in Marston’s previous house, Marston began using the nanny’s name and credit with six different creditors and a luxury car agency. Final tally in the nanny’s name? Nearly $62,000.

Marston pled guilty to the charges but filed for bankruptcy to try and avoid paying back the money. The judge in her case still ordered her to pay back the $62k at $500 a month (that’s a 124 months — or ten years and four months of repayment). That would be the end to a typical identity theft case, but Marston isn’t a traditionalist. Instead, while sentencing is still pending for the nanny’s theft, Marston decided to steal a businessman’s identity and charge up $8,000 of debt. What were some of Marston’s (sure to be) pre-jail spending spree purchases? $1,179 worth of fine eating at area restaurants, $945 for furniture, a hotel stay to the tune of $485.33, $171.61 worth of iTunes to rock out to, $1,509 in groceries (she sure likes to eat!), $500 to a childrens camp, $312 to buy a puppy from the SPCA and an unknown amount to pay a criminal fine owed by her newlywed husband.

What a catch!

Tweet This Post Buzz This Post Delicious Stumble This Post

Tweet This Post Buzz This Post Delicious Stumble This Post