A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.
Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty () to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, among other retailers.
Gonzalez, along with 10 others from the U.S., Eastern Europe, and China, were accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop), and installing sniffer programs to capture data.
He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster's restaurant chain. He was indicted on that charge in New York in May 2008.
Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.
Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the U.S. and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.
Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least $500,000.
As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than $1 million in cash that was buried in his back yard.
Sentencing is scheduled for December 8. Gonzalez' attorney, Rene Palomino, did not immediately respond to a request for comment.
It's no secret that criminals are stealing credit card and bank account data and selling it underground. But most people would find it shocking to learn just how little their sensitive personal information costs.
Symantec on Thursday is launching its Norton Online Risk Calculator, a tool that people can use to see how much their online information is worth on the black market. The tool also offers a risk rating based on demographics, online activity, and estimated value of online information.
I tried the tool when I was initially briefed on it a few months ago and was surveyed about my gender and age range; online assets (including credit card and bank account data, brokerage accounts, e-mail accounts, and social network accounts) and an estimated value of all that information; whether I use security software; how cautious I am when online; and how much I think my information is worth.
I use security software (and do my financial transactions mostly on a Mac at home), am fairly cautious while Web surfing, and didn't put a high dollar figure on the value of my digital information. My security risk turned out to be 37 percent, or medium, and the black market worth of my online assets was calculated to be $11.29. Those figures didn't change when I modified the gender, age, and estimated value of the data.
A recent Microsoft Research report concludes that stolen data offered for sale in underground IRC channels is difficult to monetize because of all the--get this--con artists there.
Regardless of whether the underground revenue figures are overblown, the data is being harvested, sometimes in huge batches, during data breaches at large payment processors, and there is a market for it.
It's discomfiting to think a criminal could pay as little as $11 to get access to my sensitive personal data for identity fraud purposes, while I could end up spending lots of energy and time--years even--reporting the crime, trying to fix my credit rating, and getting my life back to normal.
Symantec isn't trying to scare consumers with the Norton Online Risk Calculator, but to raise awareness of the risks, said Marian Merritt, Internet safety advocate at Symantec.
"We still find consumers who think using just antivirus is sufficient," she said.
Merritt recommends that people use security suites that offer antivirus, firewall, and intrusion detection and prevention software, as well as keep their operating system and browsers updated.
The My ID Score site said I had a low risk of identity fraud.
(Credit: My ID Score)Like many people, I'm worried about identity fraud. Not paranoid, just generally curious what the chances are that I could be victimized by things like mail theft. Sure, I could sign up for one of the fee-based identity fraud monitoring services like LifeLock or Debix, or I can get a credit report that might give me some clue that a credit card has been taken out by someone else in my name.
Now there is a Web site that offers an assessment of a person's identity fraud risk for free.
The My ID Score site was recently launched by ID Analytics, which offers corporations and consumers services to protect them against identity fraud.
The site scans the company's ID Network, billed as the largest identity fraud database in the U.S., to see what types of activities and transactions have been made in your name. It looks at hundreds of variables and data points and then looks for anomalies, such as credit card applications on the same day with different addresses or pre-paid cell phone purchases in a short period of time, said Thomas Oscherwitz, chief privacy officer at ID Analytics.
The site focuses on transactions that use your personal data and does not look at account fraud in which someone uses your stolen credit card or in which your credit card data was stolen in a network breach at a payment processing company, for example.
"We look at events within the network, such as whether someone is using your information to apply for credit cards," he said.
I tried the site out and am happy to report that my score was 63, indicating low risk. Most people fall within the range of 1-450, which is considered moderate risk, according to Oscherwitz. A score of 600 and above is considered high risk, he said.
The site asks for basic information such as name, address, phone number, and date of birth. It also asks for Social Security number but does not require it (I passed on that as I avoid giving out that most sensitive piece of personal data if I can).
The site then asked a series of multiple choice questions that the legitimate Elinor Mills would know, things like identifying cities I've lived in, addresses, phone numbers, and middle initial.
Once the score is displayed, the site offers information for how to obtain free copies of a credit report and offers links to other sites with information about identity fraud and companies that offer monitoring services.
For consumers whose score is high the site partners with the nonprofit Identity Theft Resource Center to provide more information about what underlying data triggered the score, Oscherwitz said.
Women are more affected by identity fraud than men are, according to a new survey that also found that it takes women longer to restore their identities but they also tend to change their behavior afterward.
In a survey of 808 U.S. households, half of which reported fraud, 28 percent of women said they had been victims of identity fraud compared with 21 percent for men.
This corresponds with a report in February from Javelin Research that found that women were 26 percent more likely to be victims of identity fraud than men.
In the latest survey, from fraud protection service provider Affinion Security Center, 17 percent of women said they lost $1,000 or more from the fraud compared 10 percent for the men.
Women also are more concerned about identity theft than men, with about 80 percent saying they were "most concerned" with identity theft compared to less than 60 percent with for men, the survey found.
The disparity between the genders could have to do with the purchasing decisions women make in the household, said Tom Rusin, chief executive of Affinion Security Center.
"Also, men might see this crime as something that they can deal with on their own," he said. "It's no different than a man who waits three weeks to go to the dentist after experiencing a tooth ache, whereas a women might be more likely to address the ache much more quickly."
Annie Kim, a 29-year-old who works in advertising, said she got all her money back when someone cashed checks in her name and charged purchases to her accounts in 2005. But it took her nearly a year--and many hours of worry, frustration, and effort--to clear everything up.
It all started when she got phone calls one afternoon from two of her credit card companies informing her that someone tried to cash blank checks they had mailed to her for thousands of dollars. A few days later, she got her bank statement and saw that someone had paid bills with checks that used her bank account and routing information but a different name and address.
"At that point, I was pretty freaked out," Kim said in a phone interview on Thursday. "I ordered a credit report and that's how I found out that it was postal fraud."
Basically, someone had walked into a U.S. post office and filled out an address change request form in her name that forwarded her mail to a different address. The post office does not require people to show proof of identity when they do this in person, although it does charge people one cent on a payment card to verify identity when they do it online, according to Kim.
She quickly canceled her bank and credit cards, only to find that other accounts were getting hit too. For instance, she had $800 in charges for new cell phones and service on her Sprint bill that she had not authorized.
Kim said she tried to file a crime report but was told by police that she needed to name a perpetrator to do that. She also tried to hunt down the person responsible but that too was a dead end.
"I'm an 'A' type of person and I'm pretty aggressive, but you can imagine a lot of people wouldn't be able to handle all of this," she said. "If you are a victim of identity theft you are on your own. There is a lot of work and diligence that goes into it. You have to stay on top of it to get your money back and clear your name."
Kim has tips for consumers who want to protect themselves against identity fraud:
• Sign up proactively for credit monitoring services, which offer alerts if there is any change to bank and credit accounts. "The cost for me is totally worth it," she said.
• Request that special passwords be required for important activity with bank and credit accounts, as well as utilities.
• Cancel printed statements and get statements them online only. "It's better for the environment anyway," she said.
Every time I use my credit card online I suffer a momentary feeling of angst, even though I know that it's still safer than handing my card over to an unscrupulous waiter. The impersonal nature of the Internet and the perception that I lose control of my data after I hit "submit" contributes to this lack of sense of security.
Also contributing to this paranoid feeling are all the reports of phishing scams, including IRS and tax-related scams; data breaches at retailers like TJX, where more than 45 million accounts were exposed; and payment processors like RBS WorldPay, where stolen data led to cloned cards and ATM withdrawals last year.
This all got me to wondering exactly how the data gets from my credit card or keyboard ends up as money in the pockets of criminals.
How does the data get stolen from my computer?
There are many ways sensitive data can be pried out of computer users. In a typical social-engineering phishing attack, a consumer opens an e-mail that looks like it was sent by the consumer's bank, Amazon, PayPal, or some other trusted source. With a bogus excuse, such as suggesting there was a security incident and the user needs to verify his or her account details, the e-mail will prompt the recipient to provide username and password via a link to a Web site that looks legitimate but isn't. The consumer enters the information and continues on, not knowing that the data is now being sent to criminals.
In other cases, criminals create fake e-commerce Web sites where consumers provide their credit card information to pay for a product that will never arrive. Attackers also have ways of rendering legitimate Web sites risky by injecting malicious code into the Web sites with cross-site scripting, SQL injection, and clickjacking attacks. Such attacks, typically invisible to the consumer, can be used to steal data that a consumer types in.
Other attacks are accomplished by getting spyware onto a victim's computer. For instance, attackers can distribute a worm via an e-mail attachment that downloads a keystroke logger onto the recipient's computer when it is opened. Attackers also can create programs that exploit unpatched holes in Windows or holes in a browser that haven't been fixed and download keyloggers onto computers. The keyloggers can be written to send data to a remote server every time the computer user types a password or social security number, for example.
If I don't use my credit or debit card on the Internet, how does the data get stolen?
Attackers can steal data by planting a skimming device that reads the magnetic-stripe data from the card when a user slides it through a payment card reader at a register or using a skimmer on an ATM machine combined with a video camera that records the PIN when someone is making a transaction. The magnetic-stripe data includes name, credit card number, and expiration date.
Attackers can steal more people's payment card data at a time by hacking into a retail firm or payment processor's computer network. In the TJX incident, experts believe attackers made their way into the company's system by first gaining access through a wireless regional hub for the company's store controllers, which handle the point-of-sale system. Attackers also can grab unencrypted PINs from bank systems during the authorization process using specially crafted malware that scrapes the data from the memory of the bank's computer, according to Wired. Or attackers can trick a misconfigured hardware security module, which decrypts and re-encrypts PINs as they make their way across various bank networks, into revealing the encryption key.
What do the criminals do with the data when they get it?
Cybercriminals tend to have specialties. The data thieves, also called "harvesters," sell it to brokers who either use the data themselves, hire others to do the leg work to withdraw the money, or sell it to others via IRC channels, private peer-to-peer networks, carder sites, and other organized underground marketplaces.
Often, the data is sold with a money-back guarantee in the event that the cards are found to have been reported as stolen or if the data is incorrect. Brokers have a number of ways of verifying cards. They can break into an e-commerce Web site and process small transactions on the card with a payment processor to see if the transactions go through. Or they can use the card data to make a $1 donation to a charity.
Once the data is verified, the criminals can turn it into cash by either moving the money from the victim's account to an account they control, wiring themselves the money, creating counterfeit checks, or even just withdrawing small amounts (under $50) on a regular basis that may not get noticed by the cardholder.
Many of the criminals are located outside of the data's country of origin and will need to be able to either transfer funds or make international purchases without alerting the authorities. To do this, criminals have elaborate schemes using middlemen, also known as "drops." For instance, criminals will advertise work-from-home jobs in the U.S over the Internet and by e-mail. The drop is merely asked to provide a local address or bank account and when money or goods arrive, they are instructed to transfer it on to a foreign address. The criminal then takes over the bank or credit card account for which data was stolen, and changes the address or bank account to that of the middleman.
"The countries where re-shipping happens include Nigeria, where you can't easily buy consumer goods. This is a way for them to get goods," said Dave Ostertag, global investigations manager at Verizon Business who used to be a chief investigator at Discover Card. "This fraud stocks the shelves of a store in another country."
An estimated 70 percent of the online identity fraud activity is related to organized crime, Ostertag said. In the U.S., street gangs can make more money off mortgage fraud than they can selling drugs, he added.
The criminals also can make blank plastic cards that are encoded with the stolen magnetic-stripe data. Often, cards are produced in one country and shipped back to the country where the account is located. The cards then can be used by "runners" to make withdrawals from ATM machines if the PIN codes are known.
Criminals have been known to use private databases to get more complete information on victims, such as address, date of birth, and even social security number. For instance, the U.S. Postal Service says someone accessed LexisNexis and Investigative Professionals databases without authorization and used personally identifiable information from there to obtain fraudulent credit cards.
Screenshot of price list for stolen credit card numbers and available balance amounts discovered on the Web by McAfee Avert Labs.
(Credit: McAfee Avert Labs) How much is the data worth?
There is so much stolen magnetic-stripe data available on the underground markets that prices for it have dropped from between $10 and $16 per record in mid-2007 to less than 50 cents per record today, according to the 2009 Data Breach Investigations Report (PDF) from Verizon Business. Those price tags go up when the PIN is available and cash can be withdrawn directly from a victim's account.
The value of a card is determined by a combination of factors. Cards from the U.S. and Europe fetch higher prices, as do cards with more available credit or balance, those with additional information such as PIN or home address, and those that have been verified.
Credit card data can range in price from 6 cents for bulk quantities to $30, while bank account credentials range from $10 to $1,000, according to a Symantec Internet Security Threat Report released last month. Most of the stolen credit card data for sale is from the U.S., the report found.
Is the consumer liable for any fraudulent charges?
While credit card fraud typically has a zero-liability policy for consumers, the burden of proving fraud is on the consumer when it involves a debit card.
How big a problem is online identity fraud?
The latest Consumer Reports survey found that over the past two years 1 out of 13 Americans provided personal data to phishers, 1 in 12 had serious problems with spyware, 1 in 7 lost money to online fraud or had computer virus problems, and about 1.7 million were victims of identity fraud, the San Francisco Chronicle reported on Monday.
A report from Javelin Research (PDF) places the number of identity fraud victims in the U.S. at 10 million in 2008. Identity fraud rose 22 percent last year from the year before to the highest level since 2004, the report said. Meanwhile, online theft and data breaches each represented 11 percent of the known identity fraud incidents, compared to 43 percent for lost or stolen wallets and 19 percent that occurred during a transaction.
Payment card breaches represented 80 percent of the 90 reported breaches last year, and payment card data represented 98 percent of all records compromised, according to the report from Verizon Business.
Between January and December 2008, consumer complaint database Consumer Sentinel Network received more than 1.2 million consumer complaints, according to a report released by the U.S. Federal Trade Commission (PDF) in February. Of those, 52 percent were fraud complaints and 26 percent related specifically to identity theft.
Complaints of online crime hit a record high last year and total dollar loss linked to online fraud was $265 million, according to a report released in March by The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. The third most common fraud complaint was credit or debit card fraud, representing 9 percent, preceded by non-delivery of merchandise or payment at 33 percent, and Internet auction fraud, representing more than 25 percent.
What can consumers do to protect themselves?
To protect against online identity fraud, consumers (who use Windows) should sign up for regular automatic Microsoft software updates, use the latest browser versions with enhanced security features, and keep their antivirus and other security software up-to-date. To avoid phishing and other malicious sites when Web surfing, there are a number of programs, including McAfee Site Advisor and AVG LinkScanner.
McAfee also recently launched the McAfee Cybercrime Response Unit, where people can go if they suspect they have become a victim of cybercrime or identity fraud. The site has a free Windows-based scanner that can give an indication of how likely the consumer is to have been victimized, as well as specific steps to take in the case of identity fraud. These include changing account passwords and PINs, placing a fraud alert on credit reports, and reporting the crime to authorities.
The FTC's Identity Theft Site, the Identity Theft Resource Center, and The Privacy Rights Clearinghouse's Identity Theft Victim's Guide have more information.
This should come as no surprise to anyone, but people in the U.S. are worried that as the economy worsens, the chances for identity fraud, particularly with regard to credit card data theft, will increase.
Nearly 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud, according to the Unisys Security Index due to be released on Monday.
More than two-thirds surveyed said they are extremely or very concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.
Credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned. And 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.
More than 40 percent of respondents said they are extremely or very concerned about security related to viruses and unsolicited e-mail.
Overall, people are more worried about their financial security and less worried about national security than in previous surveys, according to the survey.
The survey of more than 1,000 respondents in the U.S. was conducted from February 20-22.
More than 10 million Internet users worldwide were hit with identity fraud-related malware last year, according to a new estimate from Panda Security.
The number of computers infected with active programs designed to steal personally identifiable or financial information that can be used for identity fraud, such as banker Trojans for stealing bank account information, rose by 800 percent from the first half of the year to the second half, the study found.
Of the 67 million computers that PandaLabs analyzed in 2008 for the study, 35 percent of those infected had up-to-date antivirus software installed. The number of users who have been actively exposed to identity fraud malware is about 1 percent of the worldwide population of Internet users, according to the study.
The researchers predict that the infection rate will increase by 336 percent per month throughout this year, based on the trend of the previous 14 months.
Researchers predict that the infection rate will increase by 336 percent per month throughout this year.
(Credit: Panda Security)A server at the U.S. Federal Aviation Administration was illegally accessed online and personal identity information of employees was stolen, the agency said.
Two of the nearly 50 files on the breached computer had personal data about more than 45,000 FAA employees and retirees who were on the FAA rolls as of three years ago, the FAA said in a statement released on Monday.
The server that was breached was not connected to the air traffic control system or other operational systems, according to the statement.
The agency is notifying all affected employees by mail and is investigating the data theft.
The statement did not say when the breach occurred or when the FAA learned of it. An FAA representative did not immediately return a call seeking comment on Tuesday.
The FAA is the latest in a recent string of data breaches that has included Kaiser Permanente and payment processors Heartland Payment Systems and RBS WorldPay.
Most people surveyed who knew the method of their identity fraud said they had lost or stolen wallets or cards.
(Credit: Javelin Research)Identity fraud rose 22 percent in 2008 from the year before, reaching the highest level since 2004, according to a report released on Monday by Javelin Research.
Of nearly 4,800 U.S. adults who were surveyed over the telephone, 482 said they had been victims of identity fraud, the report found.
"Almost 10 million Americans learned they were victims of identity fraud in 2008, up from 8.1 million victims in 2007," the report overview said. "More consumers are becoming victimized by this serious crime, reversing a previous trend in which identity fraud had been gradually decreasing. This makes sense because overall criminal activity tends to increase when there is a recession."
While the number of victims is up, the cost to consumers is down. The mean consumer cost of identity fraud dropped 31 percent from $718 to $496 per incident, the lowest level since 2005. The report attributes that decline to fraud being detected faster, lower fraud amounts accrued, and quicker resolution times as a result of industry efforts and consumer education.
Despite the headlines that phishing and hacking attacks get, most of the identity fraud still results from lost or stolen wallets, checkbooks, and credit cards, according to the report.
Lost or stolen wallets represented 43 percent of all incidents where the method of access was known. That compares with 19 percent that occurred during a transaction, 13 percent for theft by friends, employees, and family members, and 11 percent each for online theft and data breaches.
Also of note was that women were 26 percent more likely to be victims of identity fraud than men, Javelin Research said.
Kaiser Permanente is notifying its 29,500 Northern California employees that their data may have been exposed in a breach, the company said on Friday. It is unknown exactly how many workers have been affected, but a handful of workers have reported identity fraud as a result of the breach, Kaiser said.
The Oakland, Calif.-based company is offering one year of free credit monitoring for anyone who is affected, according to a statement from Kaiser.
One person, who is not a Kaiser employee, was arrested after law enforcement authorities seized a computer file with Kaiser human resources-type data in that person's possession, the statement said. A Kaiser representative said Friday that police in San Ramon, Calif., notified the company in late January about the arrest of the person with the file.
No Kaiser members or their medical information were accessed in the breach, the company said.
The news is the latest in a string of breaches at large corporations. Last month, payment processor Heartland Payment Systems reported a breach in its network that exposed consumer credit card data. Last year, RBS WorldPay, another payment processor, reported a breach that led to millions of dollars being withdrawn from consumer bank accounts with cloned debit cards.
