Protect Your Good Name!

This blog details scams and identity theft problems and what to do to protect yourself. Author of "Protect Your Good Name! (From IDentity Theft)" explains in plain language actions to protect your financial health.


I am the author of "Protect Your Good Name! (From IDentity Theft)." I am also the owner of Information Security Education, LLC. I have developed technology for fast, accurate, and cost-effective background checks. I have also developed educational seminars on Identity Theft, Personal Computer Security, Information Security for Small Business, and Pre-Employment Checks

Thursday, January 11, 2007

Bits and Bytes – Blurbs Concerning Information Security

Microsoft has released a fix for some of the flaws in Internet Explorer. The release originally scheduled for October 10 was pushed up due to the rash of computer takeovers. If you have not already updated your Microsoft system, doing so may avoid a nasty round of attacks similar to the ones mentioned above.



The Transportation Security Administration has announced it will charge a $30 frequent traveler’s fee for people interested in going through an express lane at airport security. The original fee was expected to be over $100. Information Security Education, LLC has been certified by the Social Security Administration and the Department of Homeland Security to check valid work statuses. We will also be pursuing the ability to provide expedited TSA screening. Watch for further announcements.



The U.S. Commerce Department has lost 1,137 laptop computers since 2001. Almost half of these computers were the responsibility of the Census Bureau. At least 246 of the machines contained personal information, but the Census Bureau was unable to determine the number of people affected. The government states that no personal information from these devices has been used improperly. Since officials can’t even figure out whose data was lost, how can they assure the public’s safety?



Personal computer users should consider making a recovery partition. A partition is an area of your hard drive set aside as if it were a separate hard drive. This area will enable you to recover your PC in a short amount of time. Several software vendors have products available including Symantec's Norton PartitionMagic 8.0 and Norton Ghost. You should evaluate your need and make sure you have a proper recovery partition.

Credit Card Firms Fining Merchants

Mastercard, Visa, Discover and American Express all require merchants to discard credit card information as soon as they receive an authorization for a charge. The company and authorization number are all that is required for a merchant to receive payment.



Last weekend ushered in a new era in the credit card industry, as Visa joined Mastercard in imposing penalties from $10,000 to $100,000 for failure to keep transactions secure. The credit providers are not assessing merchants directly, but invoking the penalties on the companies that process the transactions. It will be up to these middlemen to collect from the individual merchants.



At this point, the program is being aimed at large merchandisers who violate the terms of their credit card agreements. Neither card company would comment as to who the biggest offenders were other than indicating that such vendors are responsible for more than six million deals a year. Visa noted that only twenty of 334 merchants were non-compliant. This pool of sellers represents almost half of all Visa’s transactions.



Mastercard would not detail how many merchants violated the card agreement. Chris Tom, chief risk officer, would only say, “We are not levying fines for noncompliance. We are levying them for non-cooperation.”



In a related development, Visa has not met its own security deadlines. The company had set a goal of completion by January 1, 2006, but gained auditor’s approval in September, only nine months behind schedule.

Health Study Participant Info Stolen

Participants in a University of Iowa study on maternal and child health have had their Social Security Numbers exposed. The research program had over 14,500 contributors. The university has sent warnings to all involved.



The people concerned have been part of the study from 1995 to the present. The computers caught up in this mess were issued to professors in the psychology and psychiatry departments.



It appears that the attack was initiated outside the college campus and surveyed all campus computers looking for unlocked systems. Law enforcement likened the action to a person walking down a hallway and checking door knobs to see which if any were unlocked.



The operation apparently was intended to seek space to store illegally obtained copyrighted materials such as music and video.

New “Trojan Horse” Attacks Security Shield

Banks and other businesses accepting financial transactions over the web have developed a way for the user to simply use the mouse instead of keyboard to enter PINs or credit card information. This avoids the effect of any keystroke loggers that might be installed on the PC without the user’s knowledge.



A Spanish company called Hispasec Systems has now discovered a “Trojan Horse” that infiltrates the targeted computer and captures the screen images of computer users. This software can follow the mouse movements of a displayed keypad making it simple to steal both PINs and credit card numbers.



The clandestine software is downloaded unwittingly by surfers who do not realize they may pay dearly for that free software. It may also be downloaded when users respond to spam links.



Security software makers are not yet able to defend against this new threat. Hispasec tested more than 30 anti-virus programs with only six showing any protection against this threat.



Some banks and financial institutions are using these “virtual keyboards” as a solution to government requirements to secure their online systems. Unfortunately, this is another example of the criminal element working hard to learn how to pick the latest lock. It is a vicious circle, with the good guys only able to keep a step ahead of the bad, at best.

Hackers Attack Applications

Symantec Inc., the company which produces the Norton line of security products, has determined that computer hackers are targeting the applications used on home computers in a larger proportion than other computer-related attacks such as phishing. This means that programs like Internet Explorer, Firefox, Microsoft Office and other programs are being infiltrated to gain access to personal information (more in a later article).



The computer user goes about his business using his/her browser to surf the Internet. While cruising the Information Superhighway, one goes to a site that seems really cool, with great videos, music or interactive games. While downloading the special software to use these (usually free) items you also get a special present, an attachment to your browser, or productivity software that will log your keystrokes and look for items like online banking or credit card numbers.



It doesn’t matter which browser you use, you are at risk. A simple look at three of the most popular internet browsers shows that Mozilla’s Firefox contains 47 flaws that allow access to your system. Internet Explorer is no angel with 38 bugs. Even Apple’s Safari was documented as having 12 faults.



Security software manufacturers can only protect users from attacks they know about. This is usually done after the invasion has already caused damage. The door to your system is through the browser and it is those developers who need to partner more closely with security vendors to close the holes.



Most computer users can also protect themselves by not downloading items that they have not completely checked out as being safe. Symantec and other security software sites do offer help in understanding whether or not the sites you are interested in are legitimate. Another tip: simply Google the software you are interested in, and you will usually find both good and bad info. I suggest reading both.

More Fallout in H-P Case

The trials and tribulations of the actions in the boardroom at Hewlett-Packard have continued to escalate. Patricia Dunn moved up her exit from the board and was summoned to a Congressional hearing where she denied that she had knowledge of the escapades which occurred. The House of Representatives is now considering enhanced penalties for “pretexting.” Representative Edward Markey of Massachusetts is leading this effort.



Mark Hurd, the current CEO, is also being asked the question, “What did you know and when did you know it?” These questions seem to be obvious whenever scandal is involved. Mr. Hurd and his counsel’s responses seem to be shifting, both in when he was made aware of the actions and his involvement in the process. It is unfortunate that one of America’s most respected companies (until now) has placed itself in this position.



In addition to the company’s actions, Cingular is now suing CAS Agency of Atlanta and its principal, Charles Kelly, over gaining access to cell phone records. Dawn Kawamoto, a reporter for CNET who reported the original story, was one victim whose information had been purloined. Verizon and Vodafone have also filed legal proceedings related to the case.



In a related action, the Federal Trade Commission has settled with Integrity Security & Investigation Services for marketing services that allow consumers to gather information on others’ phone records. The agreement provides for ISIS to cease its illegal activities as well as “disgorge ill-gotten gains derived from alleged violations.”



The big question here is whether additional legislation is required when laws already exist? It seems enforcement is lacking. Congress is considering new laws that place more responsibility on the telephone companies to protect customer data. We have seen enforcement responsibility pushed to the private sector in banking and now communications. What good does it do to continue to pass laws that are simply ignored? Let’s prosecute offenders even if they are corporate execs.



By the way, the phone companies, which have armies of lobbyists in Washington, are opposed to accepting the enforcement provisions. Can you guess how this might end?

Wednesday, January 10, 2007

Bits and Bytes – Blurbs Concerning Information Security

Identity thieves used hundreds of stolen credit card numbers to buy tickets to Barbra Streisand’s latest concert tour. These tickets have been voided by the vendor, but that won’t help the people who will think they have purchased legitimate tickets. The winners here are the crooks and the losers are those who buy tickets for the performance through unauthorized sources.



A recent survey produced some scary statistics. Only 25% of companies report security breaches to law enforcement. Four of five businesses do security audits. More than half of IT shops surveyed spend two percent or less of their IT budget on security. Most companies still have to make an ROI case for expenditures. Most of the respondents, 71%, do not carry cyber-security insurance.



Banks, the targets of phishing schemes, are becoming helpful partners in computer protection. Financial institutions are starting to offer security tools to their online users. Many organizations will subsidize the purchase price, encouraging customers to protect their digital assets. Depositories will be required to use two factor identification by the first of next year, which is another incentive to persuade patrons to use affiliated products. Large conglomerates are working with Internet Service Providers to develop secure access methods.



A new device can be used to test computer systems for vulnerability to hackers. The pen-sized tester can be slipped into your pocket as you walk through the target area. The object can be set to try 150 different computer exploits. This new tool is intended for corporate security teams to conduct audits, but it is available to others who are willing to pay $3,000 for it.



A second Veteran’s Administration computer containing personal information was stolen from Unisys, a contractor. The computer has been recovered and the temp who stole the unit has been charged. The government agency does not believe the thief intended to steal personal data.

Wireless Access Points Can Fool You

A recent test at O’Hare International Airport found that more than 90% of the wireless access points were not sponsored by the airport. Many of these sites advertised “Free Wi-Fi.”



The security group doing the study concluded that at least 80% were peer-to-peer networks. These are personal computers that are set up to allow Internet access to others. While you are using these portals to the information superhighway, your keystrokes can be monitored or collected.



Most of the disguised access points masked their own MAC address, so as to be more difficult to identify. A MAC address is like a serial number on the networking device. It can be used to determine the manufacturer and in some cases even the computer involved.



Most newer laptops are set up to connect to the strongest signal. The user can open its wireless LAN area and sometimes determine whether the connection is from a legitimate provider. Otherwise, the computer that resides between you and the authorized provider can collect any information that is transmitted in either direction.



Many of these operators are trying to collect usernames and passwords to gain access to the legitimate user’s resources. These resources may be e-mail, corporate networks or even online financial transactions.

Ten Steps to Protect Laptops

The following ten steps can help protect your laptops from falling into the wrong hands:



1. Use visual deterrents such as cable locks wrapped around a desk to discourage someone from taking the machine. You can even use these in hotel rooms and conference rooms.

2. Avoid leaving unsecured portable devices unattended. This rule applies to home as well as office.

3. Use simple inconspicuous carrying cases. Some cases scream “Laptop inside!”

4. Use complex alphanumeric passwords. Complex passwords usually use at least 3 of 4 tactics: uppercase alpha, lowercase alpha, numbers, and special characters.

5. Use anti-virus, anti-spyware, firewalls and encryption programs on all portable computers. Make sure any file that contains sensitive data is also encrypted. It makes no sense to have the software if it’s not used.

6. Back up all valuable data, especially before you take the machine out of the office. Sometimes it is expedient to make two copies and place them in separate buildings.

7. Understand the dangers of introducing pirated software or downloading files to your device. These items often carry malicious code and could be used to enlist your machine in a robot network.

8. Pay attention to news reports of changing theft schemes. By knowing how your enemy works, you can better protect yourself. This includes understanding phishing and SPAM attempts.

9. Use asset tracking and recovery software, which in some cases can locate your PC in a manner similar to having LoJack on an automobile.

10. Use advanced data protection tools, such as requiring a login to the company network before you can decrypt sensitive files. This way stolen computers would be denied the access needed to view important files.



By following these steps you will reduce your chances of becoming a headline.

Wireless Computers at High Risk

Placing a wireless card on your computer puts it at higher risk for downloaded malware. In most cases there is not a simple way to disable the device when in use.



The computer is turned on, and then signals are sent into the air seeking an Internet connection. Should there be a bad guy in the general vicinity, he would recognize a system making a connection. Should the culprit have the right software, he would be able to take total control of the box.



This vulnerability applies to both Windows and Apple computers. A demonstration was made by David Maynor and Jon Ellch on August 2. For purposes of effect they used an Apple MacBook.



The pair did not release the code showing how to commit this act into the public domain. They blamed the opening on wireless protocols called 802.11. Another item of concern is the device drivers that tell the computer hardware how to communicate with the wireless card.



In a related press release Intel alerted users of Centrino mobile technology of the potential of attack. The Centrino problem allowed computers in the general wi-fi area to grab complete control of the operating system. A patch has been released.



I believe that any laptop used in the open should be used only for innocuous purposes and systems should be cleaned of sensitive data before allowed in public.

Personal Website Provider Dumps Service

Facebook, one of many sites that hosts personal websites, began a new service “News Feed” which tells people who are on your friends list about changes that occur in your online profile.



The new feature allows members to notify all of their contacts upon changes, so the user can invite friends to events, announce a birth, etc. Members immediately saw only the negative by protesting the service. Over 600,000 users complained to the host.



Facebook and other personal website providers offer a service that allows a person to tell the world anything they wish. Once a post is made, it is virtually open to anybody with internet access. Facebook is a little more secure since it limits membership to certain groups like students of a specific institution or employees of a company.



Whenever a person wants others to know more, they make a post. This is a change to the individual’s site. Usually, the site owner is proud of the items shown or they probably wouldn’t have placed it on the internet.



I offer a simple solution in response to the complaints. Do not put negative items on your personal website.

Actions Cause Resignations

Hewlett-Packard was concerned about leaks coming from its board meetings. The company’s non-executive chairman Patricia Dunn apparently directed an operation to find out the source of the leaks. The way the investigation was conducted may have been illegal.



The source of the problem is an outside investigation firm hired by H-P, Security Outsourcing Solutions of Boston, which found out who was providing details of meetings by gathering telephone records of board members without their permission or knowledge. The process, known as “pretexting,” occurs when an investigator calls the phone provider and PRETENDS to be the person whose records are about to be viewed. The imposter is then given online access to phone records.



I have written numerous articles about this practice over the past year, including stories about phone companies suing those who use this ploy. The latest was about A T & T suing to find out who was gaining permission without approval (Vol. II No. 6, September 6, 2006).



Federal officials have started an investigation into the company’s actions, which could lead to three-year prison terms on each count as well as $10,000 in fines. The California Attorney General’s office has already stated they have enough evidence to file charges in that state.



A Hewlett-Packard attorney and outside counsel both assured the board members that the probe was legal. The outside counsel now says he relied on the company’s legal counsel.



Ms. Dunn has since resigned from her chairmanship. Two other board members have left, one removed and the other resigned in protest. Mark Hurd, CEO of H-P, has assumed the chair in the interim.

Thursday, January 04, 2007

Bits and Bytes – Blurbs Concerning Information Security

AT&T, Co. formerly known as Southwestern Bell, which also owns Cingular, revealed that 18,000 to 19,000 customers’ credit card and personal information were breached when a server was hacked by an outsider. The company is offering credit-monitoring services to those affected. The telephone giant is reviewing its security policy. A spokesperson claimed the organization stressed its commitment “to weeding out and punishing the violators.”



The Agriculture Department reported another data breach as a laptop computer and printed reports containing private data were stolen from a parked car of an employee in Kansas. It is just another example of lax treatment of government data. This is the third breach attributed to the Agriculture Department this year. The Veteran’s Administration is running a close second at two incidents.



A Dubuque, Iowa man will spend six months in prison for stealing mail that he was to deliver. Scott Meiner pled guilty to two counts of theft of U.S. Mail. He will also be required to pay a $2,000 fine and $1,202 in restitution. He was working as a highway contract rural mail carrier at the time of his offense.



AOL’s new software release 9.0 has been labeled “badware” by StopBadWare.org. The organization, run by The Berkman Center and Oxford Internet Institute, receives advice from the Consumers Union. It is funded by Google, Sun Microsystems and Lenovo (formerly IBM PC division). The major problem is that software is loaded without the computer owner’s consent. The software could affect system performance.



It’s not a total victory, but anti-virus software producers have claimed that worms may be on the way out. Remember when we used worms for fishing and not phishing? We may soon be able to go back to the good old days. The good guys do keep getting better.

You Can Now Relakks!

A new service based in Sweden intends to use the country’s privacy umbrella to prevent exposure of private information. The infant company was launched as a response to AOL’s recent exposure of searches of more than 650,000 clients.



Labs2 Group, based in Lund, Sweden, offers Relakks, which costs five euros (about $6.50) a month. It provides encryption as well as legal protections to hide customers’ credit information. They delete credit card data as soon as the transaction is complete. This is totally in compliance with the service agreement of most plastic providers. The customer must resubmit their card information each month, but it is a very safe and effective method of protecting information.



People who are involved with promoting violence and child pornography will still be tracked as Sweden’s law is tight, but not absolute.



At least two-thirds of the current 21,000 customers are based in the United States. This is a reflection of the concern about exposure of personal data. It could also indicate the number of people who may have a reason to hide information.



Although many may feel this new service is a great way to regain peace of mind, it is my guess that few will use it in the long term.



I think the authorities in both countries will raise an eyebrow should traffic increase substantially. Global law enforcement compacts will probably be changed so that at least official investigating agencies will have greater access.

AT & T Goes After Data Brokers

AT & T has filed a suit to identify data brokers who used fraudulent means to gain access to customer phone records. The company claims that more than 25 different brokers used the ploy to dupe the phone giant into granting access.



These data brokers would then sell the information to clients. Many offered this service to check up on suspected cheating spouses and other investigative purposes without obtaining a court order. Unfortunately, it is illegal to engage in this sport.



Since no defendants were specifically named, the company can now use discovery powers to subpoena data sellers’ records. The plaintiff will use computer records to reconstruct the movements of those who violated the law.



AT & T froze online access to phone records which precluded web access not only to the perpetrators, but also some 2,500 customers. The court action seeks an injunction to cease the phone record mining. The Complainant also seeks monetary damages. We will keep an eye on this case.

Major Worldwide Dragnet Nets Scammers

Authorities busted 565 individuals responsible for scamming Americans out of more than $1 billion. Most of these scams played on our sense of greed.



Many of the culprits were in West Africa running variations on the Nigerian scam. The fraud claims to have money in another country, and tries to get the victim to work with a fictitious attorney. The counselor claims to be able to help spirit the money to the victim. There is never any money that comes toward the mark.



Another posse of criminals wrapped up in the sweep targeted non-English speakers who were promised credit cards for deposits. Needless to say the cards never arrived and the recent immigrants were unable to contact the source of the crime.



A third area of misdeed was international lotteries. In this scam, the injured party was conned into paying taxes for supposed winnings in a foreign lottery. Sometimes the unfortunates were even mailed fake cashier’s checks. This newsletter discussed these instruments on July 12, 2006 in Volume II, Number 2.



Operation Global Con took more than 14 months to culminate in arrests. This was “the largest enforcement operation of its kind.” The authorities have netted 61 convictions and 139 arrests in the United States. Another 426 people were arrested in Canada, Costa Rica, the Netherlands and Spain.



The action comes on the heels of another lottery scam broken up by U.S. and Costa Rican authorities.

Banks See Yet Another Rule Change

The FFIEC is a group of federal agencies that work together to regulate financial institutions. Last year the assembly decided that financial institutions must use additional means to confirm the identity of customers who use online banking systems. That rule goes into effect at the end of this year.



The set of regulators has taken further aim at identity theft by developing a list of activities that signal possible identity theft. The pattern of transactions, which I am reluctant to present in this format, raises so-called “red flags.”



Financial institutions will be required to verify the legitimacy of the acts. If the true ownership cannot be established the transaction should be terminated. This shifts some responsibility back to the banking organization, but can be quicker than calling in law enforcement.



Financial groups have 60 days to comment on this proposed rule before it can be enacted.



On the bright side, several software companies have developed systems that look for the questionable deeds and alert appropriate personnel. Hopefully, the cost is affordable for all sizes of providers.

What To Do About That Cellphone

Many people continue to upgrade to the latest and greatest cell phone technology. The newest models feature GPS, camera, MP3 and by the way you can make phone calls. How you dispose of the old phone is now causing some concern.



People are trying to recoup some of their investment by selling the old equipment on sites like eBay. Unfortunately, the information on the unused devices can open a window into your past. A study of some recent purchases found the contact list intact. In addition, text messages were available, including discussions of love affairs.



In the most egregious error, a former corporate executive left the plans for a major business expansion on his portable communication device. Many credit card numbers and ATM PIN numbers were also discovered. This type of disposal could lead to more than embarrassment; it could lead to financial loss. In most cases the loss is self-inflicted.



The safest thing you can do is either destroy your old phone or donate it to a group that will set it up as an emergency device for someone who cannot afford a cell phone; all features except dialing 911 are blocked on donated phones. You can also protect yourself by saving data only to a removable memory card and removing the card before selling the phone. Most current models have this feature. You can learn more by reading the owner’s manual.



Should you sell your cell phone to another party, you are putting your call list at risk as well as your personal information. You might even lose a few friends.

Tuesday, January 02, 2007

Bits and Bytes – Blurbs Concerning Information Security

Jayson Harris of Davenport, Iowa was sentenced to 21 months in prison for his phishing expedition. We have followed his case since his arrest. You may remember that he used a fake MSN e-mail to convince people to reveal their personal information. The scam was foiled when the mother of a Microsoft employee forwarded the e-mail to her son. Microsoft sued Harris and won a large financial judgment. This should be the last we hear from Harris for at least a while.



Old Mutual Capital, Inc. reported the theft of a laptop computer placing 6,500 investors’ personal information at risk. Account numbers and Social Security Numbers are included in the data on the equipment. Just another shining example of being able to learn from the unfortunate experiences of our competitors. In 2006, Ameriprise and Fidelity have both reported stolen units. Recommendations have been made, but companies are either not implementing or adhering to security policies.



Barely two months after the loss of computer equipment containing personal information on 26.5 million veterans, the Veteran’s Administration reported the loss of another portable device. Data in the latest event was not encrypted or password protected. The government agency did announce afterward that they will encrypt information in the future. This embarrassment is a glaring example of your tax dollars at work.



A new phone scam is making the rounds. The caller claims that Medicare is issuing new cards and the operator must confirm your personal information. The potential thief then asks for your Social Security Number, name and address. Should you receive such a call, simply hang up. MEDICARE IS NOT ISSUING NEW CARDS!



Vanguard is implementing technology that is being used by some of the largest banks. The investment company is beginning to track the habits of its online customers to detect fraudulent or suspicious activity. Banks are required to implement such tactical measures by the end of the year, but no such demand is made of investment companies. I applaud Vanguard for its proactive action.

Social Engineers Biggest Threat

With all of the engineering fields in the professional world, you should be very aware of the one that poses the biggest threat to your finances. The job of social engineer is practiced by people intent on gaining your confidence. We used to call these people confidence men or simply con men.



These folks prey on our nature to trust. It is a normal reaction to believe the best in people and we really want to live in a world where people honestly deal with one another. Unfortunately, that basic trust is the key for a social engineer to ply his trade.



Many of these artists seem to take a special interest in you personally. They will ask about your family and try to gain specific knowledge. The best practitioners appear to be trustworthy enough to watch your children. Be very careful of strangers prying into your personal life. These sly people will convince you that they are helping you, when in fact you will be sorry for your kindness.



Among recent examples of social engineering that have surfaced are people who try to send excess payment for products or services you provide, and ask that you just refund the difference. Callers who try to help with jury duty problems, or Medicare issues should set off a red light. People who contact you through e-mail claiming to know long lost relatives who have left you a fortune are also suspect.



To assist you, these frauds may offer to do home repairs or run errands. They may also claim they have found a winning lotto ticket, or some other valuable item, and invite you to split any reward.



Frank Abagnale was probably the best social engineer in history. Should you wish to learn more about this occupation I suggest you either read the book, Catch Me If You Can, or watch the movie of the same name. You should be able to find about 100 very good examples of this practice. You will also enjoy the irony of trusting a crook.

Colleges In Need of Remedial Education

Since January 2005, 76 schools have reported 109 computer breaches. Yes, some of the institutions have had more than one experience with this problem.



Employers depend on our higher education system to produce the future players in the U.S. economy. It is somewhat discouraging that they are also producing opportunities for the exposure of private personal information. It is estimated that as many as one-third of all data exposures occur on college-owned computer equipment.



In parallel, the Department of Education is requiring increased reporting of individual student progress, which requires the school to collect enhanced data. Some institutions still use Social Security Numbers as students’ ID. I have been touting a change from this procedure for more than five years. I have worked with colleges on strategies for change.



Some of the problem is attributed to decentralized responsibility for student data. Teachers carry laptops with student data. Department heads, admissions, recruitment and placement offices also handle personal information. There are usually no campus-wide security procedures, so the data may be exposed in a variety of ways. Information on donors, students, patrons of bookstores, recruits, and employees has been exposed.

Is Web Search Data Private?

The federal government asked web search providers to save the information for a 90-day period as provided for in the 1986 Stored Communications Act. This request led to yet another uproar over privacy rights. The original request did not ask for names to be attached to the data; the government was interested in mining the data for phrases that might be used by terrorism suspects, child pornographers and drug smugglers.



It was suggested by USA Today that AOL, Yahoo! and Microsoft provided limited information while Google loudly protested and refused to comply. This space is not large enough to debate the pros and cons of such requests, so I leave that discussion to those among you who wish to do so in private.



The administration wanted to extend the period to two years. Remember the law is on the books and has been for twenty years. As with fraud, forgery, and counterfeiting, law enforcement has shifted a part of the job to the private sector.



Then a funny thing happened on the way to the debate: AOL exposed data collected from searches of 650,000 users. The results are probably what you might expect: millions of searches, most in search of free stuff. The word “sex” was 17th on the list. Large scale searches for child porn, explosives, and drugs do not exist.



Everyone who uses a device connected to the Internet should know the following: Your searches are not private! (by law they have been saved for a 90-day period for the past 20 years) You are not anonymous! (every request on the Internet can be traced) If it is illegal in the physical world, it is probably illegal in the cyber world. (child porn, drug smuggling and gambling online within the United States)



Most people are decent and law abiding. That is the reason we don’t need more police than civilians. Just as computers have allowed business to increase volume at incredible speed, the same factors have been used by people who wish to break laws.

Laptops Offer More Security

Laptops manufactured by Dell, H-P, Lenovo (formerly IBM), Toshiba, and others are adding devices to protect laptops from losing their lode of information. These innovations allow employees to travel with laptops without the risk of losing valuable customer or employee data.



Gateway, Toshiba, and Lenovo have introduced fingerprint scanners that can be required to gain access to websites. These devices reside on the laptops themselves, so no additional equipment is needed. The owner of the device can require a fingerprint to be scanned before the computer can even be used. This simple $50 addition can protect millions of dollars of data.



H-P introduced a smart card reader that prevents the use of the machine until the card, presumably carried by the user, is inserted into the computer.



Some Toshiba devices require the mobile worker to insert a key and turn a switch before the power can be applied. This is an approach similar to putting a key in the ignition switch of an automobile.



Software developers have produced products which can remotely erase hard drives if a laptop is lost or stolen. Others have developed GPS tracking systems to search for lost or stolen devices.



Perhaps the simplest of solutions is to password protect files. Another easy solution is to encrypt data on transportable units, requiring the user to log onto the main network to access the key which makes the data readable. Had these two steps been implemented and followed over the past couple of years, 60 million records may not have been lost.

Employers Add Another Benefit

Employers are beginning to offer their staff identity theft protection services. Companies have learned that workers who have been victimized by this crime spend company time clearing their name. Several providers offer products to help personnel complete the many steps which have to be taken. Although some actions can only be done by the victim, these services can help speed the time to completion.



It is estimated that a person can spend up to 18 months and over $2,000 to clear their credit report after an incident of identity theft. By offering the services, a company may instill more loyalty from the employee. Of course, I might suggest providing each employee with a copy of my book, Protect Your Good Name! (From IDentity Theft), or at least the opportunity to buy one. The book is an easy read and contains many suggestions to prevent the attack as well as to resolve the problem should it occur. It is also a far less expensive tack.



My company, Information Security Education, LLC, also offers training sessions for employees and clients. The basic courses can be done in as little as two hours and cover protection around the home, personal computers and protecting your business. I have conducted these courses for individuals, community groups, colleges and private companies. The rates are reasonable and the comments have been very good.



Information Security Education, LLC can also work with your business in the prevention of information theft. Identity thieves have exposed more than 60 million private personal records since February, 2005. Educating employees as to the importance of privacy was cited by The Wall Street Journal as the single greatest item in prevention.



If you are an employer, you may consider this benefit as a way to promote goodwill. If you are an employee, feel free to share this information with your employer. The more people who are informed about the issue, the better chance we have to prevent it.

Monday, January 01, 2007

Bits and Bytes – Blurbs Concerning Information Security

Since February 2005, more than 90 million people have been the object of personal information exposure. The 243 data losses, involving colleges, government agencies, private companies, investment firms and even auditors, have left one in three Americans potential victims of Identity Theft. Consumers should expect tighter controls from organizations that obtain private personal information in order to conduct business.



Online activities may benefit from a new service which verifies that a person actually is who they say they are. The operation uses publicly available web databases, such as Google, to confirm identities. This verification technique is also being used by some online stores, but the results may not be totally effective. People with common names may be confused with others unless unique identifiers are used. Better verification resources are background checks which delve into court records, sex offender registries and credit reports.



If you use McAfee Internet Suite, you should go to the McAfee site to make sure you have the latest version. McAfee software is known to have holes that can be compromised by hackers. McAfee has delivered a patch, but it does no good unless consumers put it on their PCs.



Authentium, a new company, has developed software to secure transactions (mostly online financial) from hackers and spyware. The product, called “VirtualATM,” closes all other programs that are running on the user’s computer and creates a virtual private network in which to work.



CS Stars of Amarillo, Texas lost a computer containing records of more than half a million New York state workers. The state notified people whose information was lost by letter. The company handles New York Worker’s Compensation claims. The FBI is involved with the investigation.

Vacationing Tips

Vacations are a great time to explore new places, try new things and generally recharge your batteries. In this last part of Summer, I want to give you some tips if you consider taking your computer with you. The first and most vital tip is “DON’T.” We have become addicted to the electric appliance, but if there is any way to avoid taking it on the road, find it. You will be much more refreshed when you return.



However, not everyone can break the addiction. I want to pass along some suggestions if you must take along your inanimate friend. The first and most obvious is to have up-to-date firewalls, anti-virus and spyware protection. This should also be done at home at least once a week. On vacation you will most likely be seeking free or low cost internet access. These network hotspots have little or no security and might be a point of presence for computer hackers.



Make sure you have backed up your files. Place the back up in a safe, secure location at or near your home. In case of computer loss, damage, or sabotage, you will be able to recover your precious data. You will also want to remove critical personal files from your computer and any USB drives making the trip. Should you work for a company and have detailed customer information, eliminate it before your trip.



You should password protect your equipment. This will slow or stop a thief from accessing your files. Although it may seem obvious, please don’t put your equipment in a checked bag. Your checked bag will go through x-ray machines, be tossed around and handled by people who look for treasures. The risk of damage or theft increases whenever you are not in possession of your equipment.



In a separate place, keep a list of online sites to which you are registered. Should your computer be lost or stolen, call these organizations and cancel the accounts. Otherwise, the bad guy can simply log on to your machine and click into your accounts. Many online merchants keep your credit card on file for convenience, but a thief considers this point and click profit.



Enjoy the Summer, take up a new hobby, get a tan and by all means get away from the real ball and chain (your computer).

Fake Virus Notice Downloads Real Virus

An e-mail making the rounds recently claims to be from Microsoft, warning you to take action against a new virus. If you click on the link, you will actually download a virus onto your computer, allowing the hacker access to it.



The link looks like it goes to Microsoft, but it actually sends you to a site in Romania. Many computer problems are linked to Eastern Europe, but the originator could just as easily be located next door.



This particular attack requests that you go to http://update.microsoft.go.ro. The last few letters of a web address give us insight as to the destination of a site. The letters “ro” indicate Romania.



If you are a Microsoft user, simply ask for automatic updates. This will require your computer to periodically check Microsoft’s database. If updates are available you will be notified by your web browser that the download is available. Microsoft does not send e-mails touting problems. In fact, Microsoft is very secretive about its software problems.
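The check described above (read the address from its last letters backward, not from the familiar name at the front) can be written out as a short program. This is an added example, not part of the original post; the trusted-domain list, the one-entry country table and the sample links other than the one quoted in the post are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain we expect Microsoft updates from.
TRUSTED_DOMAINS = {"microsoft.com"}

# Tiny illustrative table; "ro" is the country code named in the post.
COUNTRY_CODES = {"ro": "Romania"}


def hostname_of(url):
    """Return the lower-cased host a browser would contact for this link."""
    if "://" not in url:
        url = "http://" + url          # tolerate links typed without a scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")            # "microsoft.com." is the same host


def is_under(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    The match is made on whole labels, so "notmicrosoft.com" does not
    count as being under "microsoft.com".
    """
    return host == domain or host.endswith("." + domain)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Describe where a link really goes and whether it borrows a trusted name."""
    host = hostname_of(url)
    labels = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    is_trusted = any(is_under(host, d) for d in trusted)
    # The brand word ("microsoft") appearing anywhere in an untrusted host
    # is the pattern used by the e-mail in the post.
    brands = {d.split(".")[0] for d in trusted}
    borrows_brand = any(b in label for label in labels for b in brands)
    return {
        "host": host,
        "tld": tld,
        "country": COUNTRY_CODES.get(tld),
        "trusted": is_trusted,
        "lookalike": borrows_brand and not is_trusted,
    }


# Sample links: the first is quoted in the post, the rest are constructed.
SAMPLES = [
    "http://update.microsoft.go.ro",
    "http://update.microsoft.com/windowsupdate",
    "http://notmicrosoft.com/",
    "HTTP://MICROSOFT.COM./",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```
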

Cartoon Not So Funny

A comic strip called “Retail” recently ran a joke about Identity Theft. In the strip a customer tries to pay for a purchase with a credit card. The customer had not signed the card, and explained to the clerk he was taking steps to reduce identity theft.



The customer explained that by presenting an unsigned card the clerk would be prompted to ask for a photo ID to make sure he was indeed the cardholder. The strip points out that although the customer’s scheme may be good in theory, any thief with a pen would simply need to sign the back of the card in order to use it.



This comic caused me to chuckle at first, but then I realized the point is not publicized enough. If you are carrying credit cards that do not contain your signature, sign them immediately. Handwriting does vary among individuals and thieves would need painstaking hours to try and match your signature. You may wish to write “See Photo ID” on the card as well, but remember identity thieves are very good at making false credentials.



Sometimes jokes carry a point; don’t just laugh them off.

Are Empty E-Mails a Threat?

A new phenomenon is occurring on the web. People are receiving e-mails from famous, but long dead authors. The interesting aspect is that the e-mails once opened are empty. This activity has most computer users scratching their heads.



Empty e-mails can be a forewarning of many types of scams. The first and most obvious use of these transactions is to gather legitimate e-mail addresses that are stored and sold to spamming operations. Each legitimate e-mail can be sold for two to ten cents.



A second reason for this e-mail storm could be a test of zombie networks. A zombie network is formed by a hacker or group of hackers that download programs on PCs without the authorization of the computer owner. The network is then placed into service by the network commander, mailing millions of bogus e-mails to unsuspecting users around the world through the captured PCs.



The third reason for these empty e-mails may be to expand zombie networks. Programs may have been developed to automatically load malware when the empty e-mail is opened. This threat has been mentioned before, but not fully documented.



In any event, you should be very careful of items landing in your inbox. If you do not know the sender of a message or the subject line seems bogus, simply delete it without opening. Although some spam carries instructions to unsubscribe, my advice is to not even respond. By answering in any manner you have verified a valid e-mail address. This action could simply increase the amount of unwanted e-mail received, or may even wreak more havoc with your PC.



Another important point is that the subject line often will show “Re:” or “Fwd:”. If the e-mail is from someone you know and contains either of these items in the subject line, be sure that you know the original e-mail address which the reply references. In a forwarded e-mail, make sure the message is one you are expecting before opening.

Add Another Tool to Your PC

I have touted that personal computer users should have an arsenal of defense mechanisms on their desktops. Anti-Virus, Firewall and Anti-Spyware programs are available at nominal cost and provide excellent protection for PCs. Unfortunately, the threats continue to change as the bad guys change the ways they invade your computer. Major security vendors are trotting out new tools they claim will prevent you from unknowingly downloading fraudulent software.



Microsoft enters the mix by allowing computer users employing Internet Explorer 7 to set an option to turn off “ActiveX controls.” ActiveX controls, which enable specialized web processes, have also been proven vulnerable to hackers who download their spyware without the user’s knowledge. IE 7 is free.



Symantec is offering a product dubbed “Norton Confidential” which can be downloaded free during the test phase. One of the most respected names in computer security, Symantec maintains its software will actually prevent spyware from stealing your personal information. Symantec expects the package to fetch from $40 to $50 when distributed for sale.



Another well-known security vendor, McAfee, approaches the problem from a different angle. Their software tracks websites which are known to download spyware and warns the user before a download from a questionable website. The package called “SiteAdvisor” is free to download.



Check Point Software Technologies, the maker of ZoneAlarm, is adding a feature to its “Internet Security Suite 6.5” which will monitor black market sites, and notify you if your personal information is listed for sale. The package sells for $69.



Given the rise of spyware which reports personal information back to crooks, you should consider adding one of these tools to your supply of protection software.

Friday, December 29, 2006

Bits and Bytes – Blurbs Concerning Information Security

McAfee recently announced it has made its 200,000th known patch for malware (software with an evil intent). McAfee, one of the top three providers of security software, noted the threshold was passed 60% more quickly than when the 100,000th piece of code was discovered. This indicates the bad guys are working very hard to stay ahead of the good guys.



The government’s auditor, General Accounting Office (GAO), has conducted an audit on FEMA’s practices of assisting victims of natural disasters. The emergency organization issued $2,000 debit cards to most anyone who asked. The audit showed the records kept on the recipients included false addresses, invalid SSNs and fake names. The GAO has not put a final number on the losses.



Automatic Data Processing (ADP) claimed it was tricked into exposing thousands of investors’ personal information. Fidelity Investments, Merrill Lynch & Co. and Morgan Stanley all indicated customer data was affected. The details of the prank were not released. More than 150,000 individuals were put at risk for identity theft.



Microsoft has suggested users of Windows’ popular Office software not download any Office type files from any source, even if the sender is known. A piece of malicious software called “zero-day attack” may be embedded into any of the Office application files including PowerPoint. Microsoft is working on the problem and expects a fix to be released by August 8. Examples of files that should be avoided are any Word documents, Excel spreadsheets, Access databases or PowerPoint presentations.



A recently discovered hole in McAfee’s software security programs could have allowed an attacker total access to a subscriber’s computer system. McAfee was beginning to work on a fix for the problem when it discovered the software had already been corrected through a normal update. It is great when we are smarter than we thought.

Be Careful About Personal Websites

Many people take on a whole new persona on the web. They create personal websites showing themselves to be party animals in search of hedonistic pleasures. Unfortunately, once the information is available on the Web, it is out for public consumption, even if the actions are not true.



Younger people like to pretend they are more gregarious than reality would indicate in order to impress members of the opposite sex. One thing most do not even consider is that potential employers can also find these braggadocious remarks, which may not help them toward a positive hiring outcome.



Even more of a problem is the removal of these sites. A recent report in “The Wall Street Journal” followed the trials and tribulations of Craig Pratt as he attempted to correct his online image. The biggest problem he had to overcome was the removal of his MySpace account. Only after several attempts did that happen.



Personal site owners also need to monitor the sites for postings by others. Your friends may leave messages about the next rave which may also be read by a potential boss. You may even show up to work and co-workers might inquire as to why they weren’t invited. Remember everything you post is open to everyone and that you should always portray yourself in the most positive way.

Different Approaches to Protection

Every person who owns or uses a personal computer should take steps to avoid the heartbreak of being hacked. There are basically three tools that should be a first step toward defending your computer. These three pieces look at your system and remove or prevent bad acts from occurring. Required programs are firewalls, anti-virus protection and spyware removal tools.



Three different approaches can be taken to acquire the necessary tools. The first is to simply buy an all-in-one package which includes all three products from a single vendor. Among the advantages: the package may cost less than the individual components, you can load the entire suite of programs in one pass, the software works well together, and you only have one vendor to deal with should you have a problem.



Disadvantages of this strategy include a single-minded way of looking at the potential threats (sometimes hackers can sneak around this methodology), and should you find that you don’t like one piece of the product, you will then have to find a replacement that works with your existing parts.



The second approach is to buy what you consider to be the best product for each threat. The advantages of this approach include the ability to include some software that is free, and that you can have the best defense available at the time.



Disadvantages are: it is usually more expensive, it takes multiple installs, and some of the software may not run with other types of software (incompatibility).



The third line of attack is to load up on free software. The largest advantage is cost. Disadvantages are many in that tech support is often unavailable, many of the products will not work together (each thinks the other is a virus), and for-profit companies tend to update the freebie last, leaving customers exposed in the meantime.


Great products are available, even in the free category, but the customer should be aware of the pitfalls before jumping head first into the installs. I’ve found that the adage: “You get what you pay for” can apply to protection software. The major players all sell packages and individual pieces so the customer has more choice.

New Software Detects Intruders

Spectraguard Enterprise 5.0 allows businesses to monitor their own airspace. Wireless networks are becoming necessary in our busy and mobile world. This software can find where the connection is originating from and send an alert to information security personnel.



The product allows the business to register legitimate wireless products, then monitors the networked area for devices that are not registered. If it sees such a connection attempt, the software uses a decision tree to decide whether the access is of a friendly nature.



The package may even send a signal to the offending computer confirming a network connection. At this point the network software simply denies any activity while the information security personnel are alerted to the location of the suspect device. This is intended to hold the perpetrator in a range that can be easily inspected by personnel.



Spectraguard Enterprise 5.0 received a very good rating from “eWeek Labs.” The solution is probably a little expensive for small businesses, but it would be an asset to larger or large volume data processors.

Xerox Protects Copiers

Recent newsletters have addressed employee schemes to steal customer or confidential data. I haven’t touched on a very low tech manner of theft, where the employee simply copies the information on the office copier and walks out the door. This was how an administrative assistant at Coca-Cola was able to pilfer a secret formula that was later offered to rival Pepsi.



Xerox, one of the larger players in the copier, scanner, and fax world, announced it has implemented many security measures. The first enables the person who is making a copy to destroy data temporarily stored on a hard disk while the copying process continues. Thus, confidential information is rendered useless should an unauthorized person try to copy the machine’s memory.



A second feature, dubbed Internal Auditron, limits access to certain types of functions a client can use at the copier. For example, employee A may be allowed to fax documents under 5 pages twice a week, while employee B may not be able to fax at all, but is allowed copying access for 20 page documents that automatically shred after the task is completed. If an employee has a legitimate need for increased usage they must be granted permission from the administrator.



Since most Xerox machines are network enabled, a username and password may be required, and usage by each employee reported and monitored. Many of the machines have the capability to log in at the copier for added convenience.



Xerox is also touting removable hard drives, so employees can keep information in their possession throughout the copying process, then remove the hard drive and store it in a secure location (locked cabinet). Requiring a PIN before the machine can be used may be effective as well.



Even though we don’t often think of a copier as a tool for information theft, it is good to know the manufacturers are making product improvements with increased security measures.

Term of the Day: “Vishing”

Computer users are becoming very familiar with “phishing,” an act of receiving an e-mail that seems to be from a legitimate source. The recipient is led to believe there is a problem with their bank account as represented by the fake document. The victim is then asked to click on a link which asks for personal or private information.



The anti-fraud command center reports it has shuttered more than 10,000 phishing attacks. This large number can be multiplied by $1,200 (the average amount lost to a phishing attack). You can see phishing is still a major though declining problem.



We aren’t safe for long, because of the introduction of “vishing.” Vishing shares some similarity to phishing in that it originates from an e-mail sent to the intended target. The e-mail claims there is a problem with the e-mail respondent’s account. Rather than responding by e-mail, the message directs the intended mark to call a telephone number. The caller is then sent through an automated voice prompted system that requests information such as card number, PIN number, and even Social Security Number.



People need to be aware that this next big identity theft problem exists and has been somewhat effective. Most banks will call you directly if there is a problem with your account rather than notifying you by e-mail. They will never ask for a PIN number or your Social Security Number unless you are initiating a new account.



Be careful and you will avoid being among the first to be swindled by this new twist on a very effective scam.

Monday, December 18, 2006

Bits and Bytes – Blurbs Concerning Information Security

In another breach of data entrusted to our government, personal private information on all fliers of the Navy and Marines for the past twenty years was posted on a website available to the general public. The release was blamed on human error (surprise). This is the fifth exposure of military personnel information in the last six months. Government often sets the rules; it is past time for them to play by the rules.



Speaking of government information exposure, employees at the IRS have been caught prying through personal tax records. Over the past eight years, the Treasury Department has investigated more than 3,700 cases of unauthorized access to personal tax records. Over 1,600 of these have resulted in “adverse personnel actions” and 126 IRS employees have been criminally prosecuted. Some of the breaches are simply financial voyeurism; some were used for personal financial gain. Given the current climate, I wonder if the IRS conducts pre-employment background checks.



A consortium of government agencies, corporations and universities started a research center to study Identity Fraud. After several years of billions of dollars in losses the center will begin its study based at Utica College. The Center for Identity Management and Information Protection (CIMIP) will be funded by grants and corporate donations of about $500,000. This amounts to about 1% of the annual loss. I visited the website, but as of yet they have not posted any announcement of any work being done.



The cost of a single data breach has reached $5 million. The costs include notification, legal fees and credit monitoring fees. Even though the costs are extreme, it seems we are observing as many major losses as we have in the recent past. I still think accountability has to be established and enforced. The VA employee who took home information on 26.5 million veterans is on paid leave pending dismissal hearings, along with one of his superiors, and another supervisor resigned. Company policies need to be explicit, upper management must be involved and accountability needs to be placed high in the organization before we will see significant reductions. We saw conformance with environmental laws and corporate governance only after legislation required accountability.



The recent arrest of three people trying to sell trade secrets developed at Coca-Cola to rival Pepsi revealed that two of the people involved had prior criminal records. This perhaps shows another reason to check out employees and potential employees, including personal web sites. Information Security Education, LLC can help you in this search.

Identity Theft Web Crew Jailed

The Shadowcrew website was shut down in October 2004. Members of this online gang were rounded up in one of the most synchronized raids in recorded history. Twenty-one people were arrested in the United States and dozens overseas. Prison sentences are now being handed down to these miscreants.



Eighteen participants have pled guilty for their roles. Among them was Andrew Mantovani, who co-founded the group and entered a guilty plea in November, 2005. At 24 years of age, he was sentenced by U.S. District Judge William Martini to two years and eight months behind bars. He was also ordered to pay $5,000 in fines.



This seems like a small sentence for the leader of a group of online thieves responsible for the theft of personal data on more than 18 million people. The data was purloined mainly through phishing activities. Phishing works by sending fraudulent e-mails to which unsuspecting victims reply, revealing private personal information.



In total, the sentences ranged from three years probation to two and a half years in prison for seven more members of this mob. Shadowcrew was responsible for more than $4 million in damages over a two year period prior to being shut down by the Secret Service.

Companies Place Responsibility on Employees

In the wake of huge increases in lost and stolen personal computers which contain personal private information of customers and employees, companies are updating policies concerning the use of laptop computers. The new rules include limiting who can remove data from the workplace as well as specialized training.



Information Security Education, LLC was conceived to help in this area. Having trained college students in the area of information security, I discovered that companies both large and small were not following even the most basic rules of data protection. It is heartening that some large organizations are beginning to pursue stiff policies.



Should employees be found in violation of the new policies, they will be disciplined up to and including termination of employment. I believe in a no tolerance policy and would recommend dismissal on the first offense. An employee who shows a reckless attitude toward sensitive data will show a callous disregard for other rules.



Some health care providers are even reconsidering the use of Palm Pilots and BlackBerrys. The companies are prohibiting employees from uploading and downloading data from the employer’s network. This is a first step, but companies should consider disabling USB ports on computers and even prohibitions on MP3 players in the workplace.



A single USB drive can store up to 2 gigabytes of information. The tiny “thumb” drive can be concealed in a pocket without detection. It takes only seconds to download files to the device, and out the door they go. Companies of all sizes need to be very careful about the way data is handled.



Companies should consider encrypting any sensitive data and requiring a connection to the owner’s network to decode any of it. Doing so will add some cost and may slow work down, but the value gained far outweighs the public mistrust created by a large data loss.


As an employee, you should know your employer’s policies about working with confidential files outside the workplace. Take only the data needed, not entire files. It is your responsibility to make sure the information is encrypted and remains so. Do not use publicly accessible computers to peruse sensitive information; this includes copiers in public areas. Always log off and shut down your workstation before leaving your office for any length of time. Use locking and tracking devices on portable computing devices.

Can Buying T-Bills Online be Dangerous?

According to a recent study, the government website which sells Treasury Bills online failed to take basic computer security steps. The site www.treasurydirect.gov sold $8 billion of the securities in the first half of its fiscal year.



Online investment sites Morningstar and Savings-Bond-Advisor.com have complained about this lack of security. Addresses, usernames, and passwords can be changed without the knowledge of the investor. Currently, private financial investment firms are required to send address change information to both the old and new address. Transactions must be followed up by at least an e-mail to the original e-mail account of the owner. This move helps an investor verify that a transaction is indeed legitimate and was initiated by the proper person.



Given the vast increase in online fraud, the Treasury Department should follow the same requirements as the private sector. In the past year, fraudulent online checking account transactions have increased a whopping 104%. By not automatically notifying accountholders of changes, the government site may become a favorite target. The Treasury site is susceptible to large-scale phishing operations or keystroke logger programs.



Investors may print copies of transactions at the time of purchase, but no e-mail confirmation is sent. By simply sending a confirmation, the chance of fraud is reduced. Investors would also feel more comfortable with this procedure.

Employees Sue over ID Numbers

Nine employees of Union Pacific Railroad have filed suit against their employer, claiming the business put them at risk of identity theft. The employees claim the rail carrier, by using the Social Security Number (SSN) as a computer search criterion, exposed private personal information.



Many companies find it easier to use SSNs as an identifier, since the number was already being used to file quarterly tax payments. Many insurance companies did the same, and many hospitals used the number for medical records. The health industry regulated by HIPAA is obligated to change this identifier. Most health insurance companies complied by the January 1, 2006 deadline.



Even though Union Pacific does not use SSNs as an employee identification number, when an employee searches the company database for work schedules or insurance information, the number is required as a password to gain access.



The transportation company did disclose to its 30,000 employees the theft of a personal computer from an employee’s home. The computer contained employee data, including SSNs. The company notified employees and retirees, offering to pay for one year of a credit monitoring service.



The Social Security Number is considered by identity thieves to be the Holy Grail, as the crook can gain complete access to the victim’s financial history and apply for new credit posing as the individual. The employees contend that the company should use SSNs only for tax purposes.



This lawsuit may just be the beginning of many as some companies, schools, and health care facilities still use SSN as the primary identifier. Every consumer should review all identification material and ask any provider that uses SSN to find an alternative unique identifier.

Beware of Cashier’s Checks

There was a time when a bank’s cashier check was as good as cash. This may no longer be the case. Incidents of cashier check and money order fraud are on the rise. Consumers and small business owners should be wary of the scheme detailed below.



I have had a couple of specific cases brought to my attention in the past month. The first involved a person who was trying to sell a timeshare. The buyer claimed to have received a sum of money either from a lawsuit or other means. That person was then just going to have the total amount deposited into a bank and a single cashier check cut for the amount of the settlement. The cashier check would be made out to the seller of the timeshare. Since the amount was more than the agreed purchase price, the seller would send the buyer a check for the balance.



Fortunately, the person offering the timeshare thought there might be something amiss and called me. I walked through the situation and discussed the possibility of cashier check fraud. I did some research and found that even though a bank may accept a cashier check as a deposit to your account, the bank can later reclaim funds from your account, leaving you with the loss of both the merchandise and the amount of the refund. The lone exception to this rule is if the cashier check is accepted by the bank it is drawn on.



I explained this to the vacation spot owner. Upon receiving the document, he called the issuing bank, which happened to have a branch in his hometown, to make sure he could cash the check. After the financial institution verified that funds were available, the check recipient went to the bank to cash the check. The bank immediately identified the document as fraudulent and refused to honor the transaction. The good news was that the person was prepared for the result before it happened and did not transfer title of the timeshare or write the check for the excess of the proceeds.



The second instance occurred when a local professional received a money order for future services. Enclosed was a letter explaining that the individual was to be traveling to the area and wished to have services performed while there. Any excess funds could simply be forwarded to a third party by return mail. The professional had never heard of such a request and decided to investigate. She found the money order was a forgery and contacted the FBI.



If you have a big ticket item you wish to sell, or services that you provide, you need to be skeptical of any person who offers to send you a money order or cashier check in excess of the amount of the purchase. You should also take great care when dealing with anyone through the Internet or e-mail. Make sure you can verify the person’s address or phone number. You can do that by looking up the person’s phone number on Google or the name through whitepages.com. This helps establish the individual has a permanent residence to which law enforcement can respond.



If you do obtain a cashier check in payment, request it to be in the amount of the transaction only. If the check can be cashed at a branch of the issuing bank, then the obligation falls on the bank; otherwise, the cashing bank will come back to you if the instrument is false. You should expect to show two forms of ID and file a document that goes to federal officials. In the event of fraud, investigators will start their work with you. Keep all documentation of such transactions, including e-mails. Computer forensic experts do an excellent job of tracing the origin of electronic communications.



Remember, if something sounds a little out of the normal, it probably is.