Friday, September 29, 2006


Fort Belvoir Federal Credit Union
Central Credit Union of Florida
Permanent TSB
Antioch Community Federal Credit Union
Marine Federal Credit Union
Associated Credit Union
Trinity Bank
NIH Federal Credit Union
Tyndall Federal Credit Union


Police in San Francisco reported this month a variation of the “Nigerian 419 Scam” targeted at Asians. The email scam offers Asian recipients millions of dollars from the bank account of a deceased Iraqi army officer.

The e-mail is a variant of a scam in which the sender offers the recipient a share of a large sum of money but first requires the victim to send personal information and funds to obtain the full payout.

The sender of the email is “Peter Wong” who uses a Yahoo Hong Kong e-mail account, and says he is the director of operations for Hang Seng Bank, Ltd.Police say Wong tells the recipient that an Iraqi client, Major Fadi Basem, and his family have been killed, leaving $24,500,000 in a Hang Seng Bank account.Wong says that as the family has no beneficiaries, the money will go to the Chinese government if there is no claim.He then reportedly offers to have documents falsified to help the e-mail recipient pretend to be a member of Basem’s family and claim the money.According to police, Wong says he will take 60 percent of the money received, with the remaining 40 percent going to the e-mail recipient.

The Financial Times recently reported that the classic “Nigerian 419 Scam” continues to defraud thousands in the USA and the UK even though public knowledge of the scam is widespread.

Thursday, September 28, 2006


Federal and state officials in Virginia are investigating an elaborate identity theft and mortgage fraud ring that defrauded over 100 people in a small town. Unwitting people were enticed to allow a real estate investment company to use their “good credit” to purchase properties at inflated prices. The company then falsely sought loans in their names and then defaulted on the loans. The default left the investors with fraudulent real estate ownership and inflated loans.

The investors were asked to provide personal information which would confirm their good credit and were then paid for providing the information. They were told that the information was not for securing loans in their names, but rather to assist in establishing “corporate” credit.

The company then engaged in a set of identity theft crime known as “impersonation crimes” where they used the personal information of the investor to seek loans in the name of the investor to purchase homes from their inventory.

One defrauded investor discovered the crime when the attempted to purchase a first time home and the local bank told them that they already owned four homes.

Mortgage fraud is rapidly growing in the US and is frequently facilitated by identity theft and impersonation crimes. The Federal Bureau of Investigation reports that mortgage fraud led to over $1 billion in 2005, up from $429 million in 2004.

Like most identity theft crimes, mortgage fraud is lucrative for the thieves and often presents little real risk of injury, capture, or long jail sentence.

Wednesday, September 27, 2006


Here is a carefully worded quotation from “12 common questions” a brochure produced by the credit reporting company Experian.

“Our economy and job market depend on companies, large and small being able to reach consumers most likely to be interested in their product and services. Direct marketing is often the key to business success and to lower prices and better services to customers”

“Credit reporting companies (including Experian), under carefully controlled procedures, provide lists of credit worthy consumers to companies that offer credit.”

Here is section 604 of the Fair Credit Reporting Act covering the permissible use of credit reporting companies information purchased by “persons”.

§ 604. Permissible purposes of consumer reports [15 U.S.C. § 1681b]
(a) In general. Subject to subsection (c), any consumer reporting agency may furnish a consumer report under the following circumstances and no other:
(1) In response to the order of a court having jurisdiction to issue such an order, or a subpoena issued in connection with proceedings before a Federal grand jury.
(2) In accordance with the written instructions of the consumer to whom it relates.
(3) To a person which it has reason to believe
(A) intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or
(B) intends to use the information for employment purposes; or
(C) intends to use the information in connection with the underwriting of insurance involving the consumer; or
(D) intends to use the information in connection with a determination of the consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status; or
(E) intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or
(F) otherwise has a legitimate business need for the information
(i) in connection with a business transaction that is initiated by the consumer; or
(ii) to review an account to determine whether the consumer continues to meet the terms of the account.
(4) In response to a request by the head of a State or local child support enforcement agency (or a State or local government official authorized by the head of such an agency), if the person making the request certifies to the consumer reporting agency that
(A) the consumer report is needed for the purpose of establishing an individual’s capacity to make child support payments or determining the appropriate level of such payments;
(B) the paternity of the consumer for the child to which the obligation relates has been established or acknowledged by the consumer in accordance with State laws under which the obligation arises (if required by those laws);
(C) the person has provided at least 10 days’ prior notice to the consumer whose report is requested, by certified or registered mail to the last known address of the consumer, that the report will be requested; and
(D) the consumer report will be kept confidential, will be used solely for a purpose described in subparagraph (A), and will not be used in connection with any other civil, administrative, or criminal proceeding, or for any other purpose.
(5) To an agency administering a State plan under Section 454 of the Social Security Act (42 U.S.C. § 654) for use to set an initial or modified child support award.

Now you decide if Excperian’s selling of your credit information to direct marketing organizations without your prior authorization meets the requirements of section 604. Read carefully section 604a.3.A through F. Then you decide for yourself.


At KnightsBridge Castle our staff members, contrary to our consumer advice to avoid identity theft and scams, often answer phone calls without screening. We do this to stay ahead of new scams.

Today’s scam went something like this:

(Staff Member) Hello.
(Caller) –after 5 second pause- Hello, May I speak to Sally Smith?
(SM) May I ask who is calling?
(C) This is Consumer Assistance calling for Sally Smith.
(SM) Is this a sales call?
(C) No, this is not a sales call.
(SM) This phone number is on the Do Not Call telephone registry. Do we have a preexisting business relationship?
(C) Yes.
(SM) Can you tell me what this call is about?
(C) Yes, the credit reporting companies have informed us that Sally Smith has more than $10,000 in debt and we are here to help. We can assist with 0% financing and reduce her debt payments by more than 40%.
(SM) Can you tell me more?
(C) Yes. We are calling to assist Sally Smith in reducing her debts and in reducing her payments.

The call then proceeded for some while as the caller repeatedly assured the Staff Member that this was not a sales call and that all they wanted to do was help. We bit!

(SM) Why this sounds very good to me. Id like to sign up.
(C) Great, we can help you immediately to reduce your debt. But first I need some information…

The information required?
Credit Card Numbers
Mailing Addresses

Can you spot the tell tale indicators of fraud in this call?

Here they are:
They called on a registered do not call telephone number.
They lied about a pre-existing business relationship.
They implied they had authorization and had obtained credit records.
They revealed to a person whose identity they did not know that Sally Smith had at least $10,000 in debt.
They wanted credit card numbers and mailing address information.
“Consumer Assistance” is often a section or division of government, public interest, and private company activity. The name is so common as to loose all identifying qualities.

Well, that’s today’s phone scam.


At KnightsBridge Castle we have seen Voice Over IP (VoIP) used to facilitate credit fraud by spoofing caller ID’s. Many merchants use caller ID as one of several authentication techniques when purchases are made over a telephone. VoIP technologies are known to be used to spoof caller ID, or to present false caller ID’s when making a telephone call.

As VoIP technologies become more accepted additional risks have begun to emerge. Companies, such as banks and merchants, are switching their phone systems to VoIP. What they don’t realize is that they are making themselves vulnerable to phishing attacks for which there are currently no effective detection or prevention tools.

We have been experimenting with VoIP technologies in our lab and while the benefits of this new technology are clear, the lack of security technologies and protections are very serious. Until these security issues are resolved we advise extreme caution in using these systems.

There are many risks to companies with these technologies, however the personal risk is very clear. You cannot rely on caller ID as a verification that someone calling you is from your bank, credit union, or trusted business supplier.


With the introduction of unregulated information brokers on the internet, persons who want to protect their privacy have looked for “Opt Out” provisions on websites. Unfortunately the ethical and regulated information brokers generally do not provide opt out provisions within their databases. For the regulated brokers you have some protections on the distribution of this information through federal and state law. The unethical, unscrupulous, and perhaps illegal internet information brokers will sell your personal and sometimes private information to anyone – to you, to your boss, to stalkers, to abusive neighbors, and yes to identity thieves.

One of these unscrupulous brokers, Zabasearch, has been sending spam emails offering to allow you to opt out. These emails are actually attempts to verify information and if you respond you will not be removed from the database. Rather the information you provide will be used to update the records prior to the continued sale of your personal information.

We first discovered this unscrupulous broker while talking with the Menlo Park, California, Police Department about three years ago. At that time there were only a few of these unregulated internet information brokers on the net. Now there are dozens.

Tuesday, September 26, 2006


Note: We consider this Symantec Report to be critical to understing new identity theft trends. We have therefore posted links to the report on several of our blog sites.

Symantec, the internet security provider, will present its 10th edition of the Symantec Internet Security Threat report on a webcast on September 28, 2006, at 9am PDT.

We have reviewed the report issued on September 25 and find the threat assessment sobering. The latest trends and key findings relating to fraud and identity theft crimes are in stark contrast to those provided by the Federal Trade Commission in recent months. The FTC presents a picture of declining crime while the Symantec report indicates rapidly escalating cyber crime activity. While it is possible that crime activity is rapidly escalating, while crime reporting is falling, it is more likely that one of these two methodologies for studying crime trends is flawed.We see little reason to question Symantec’s findings.

You may view a flash presentation of Symantec’s finding at the following link:

Click on Flash Presentation.


We have been detecting increasing incidents of medical benefits fraud and we anticipate that this trend will significantly increase in the coming months. The ease with which this identity theft crime is committed, combined with the lack of any real law enforcement, and the increasing expense of medical care combined make this crime more attractive with each day.

The risks to you are not just the consumption of your time and financial confusion. Medical benefits fraud may result in inaccurate information being included in your medical records. The errors may serious threaten you future health and your cost of health insurance, life insurance, or even your ability to obtain a drivers license.

The World Privacy Forum, a non-profit public interest group published in May a report entitled “Medical Identity Theft: The Information Crime that Can Kill You”. We quote from that report.

“…medical identity theft is a serious information crime that has had substantial consequences on patient well being, often affects the accuracy of patient medical records, and can impact a victim’s finances.

There have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission since January 1, 1992…”

The report continues to discuss the difficulty in uncovering medical identity theft and the depth to which the medical systems may be involved in vectoring this crime.

At KnightsBridge Castle we have watched these trends with some alarm. Medical records, and medical billing records are complex, prone to great numbers of errors, and extremely difficult for lay persons to interpret. Even some members of the medical community find these records incomprehensible. Fraud within these records is most difficult to detect and these record complexities allow this crime to be repeated over and over again.

For more information about the World Privacy Forum report please follow this link:


Spam filters have become common on home and office computers in the last few years and they have had a decided impact on reducing junk mail and exposure to phishing scams. Spam filters work in a variety of ways, but most analyze the text component of an email for tell-tale signs of spam.

However this technique of textual analysis does not work on images and spammers have been moving to sending messages as image files and not as text files. Text based spam filters cannot analyze these files and the spam is sent through to your mailbox.
A recent study by a leading software security provider saw an increase in image spam - phishers using multiple randomized images to bypass email filters. Symantec found 157,477 unique phishing messages during the first half of this year - an increase of 81 percent from the previous six months. During that time, spam made up 54 percent of all monitored email messages, a hike of 4 percent from the previous half-year.
For these new image spam messages and phishing attacks there is a technical solution – optical character recognition followed by textual analysis. Needless to say, more powerful computers are required for this detection and rejection mechanism.

The critical element to remember in Identity Theft prevention is do not open spam. If the message does not contain an understandable subject and if it does not come from an email address you recognize – then don’t open it. And if you do, NEVER, reply and NEVER buy anything from a spam source. Further always remember the fundamental rule for avoiding phishing – your financial and service providers will NEVER ask for personal information on the web, by email, or by phone. If they do, they are thieves.

Monday, September 25, 2006


Hewlett Packard admitted last week that it engaged in corporate dumpster diving by going through the garbage of those people it was investigating for board room leaks.

Unlike HP’s efforts at “pretexting”, dumpster diving is legal.

Remember your trash may be an identity thief’s gold mine. Destroy all documents with personal information before placing it in the trash. Pay close attention to bank statements, medical records, and prescription containers – these are the sources of identity theft gold.


The Presidents Identity Theft Task Force has released this week its summary of “Interim Recommendations”. The report contains specific recommendations for prevention, victim assistance, and law enforcement. The report fails to address the root causes of identity theft crimes and resorts to simple solutions for complex issues. The net result of these recommendations is simply allowing the crime wave of credit frauds, impersonation crimes, and criminal identity theft to continue unabated.

KnightsBridge Castle’s services are particularly effective in identity theft prevention and we awaited the Presidents Task Force recommendations with some hopeful expectation. Included within the recommendations for PREVENTION were the following elements:
--Guidelines to government agencies on when to provide breach notices and when to provide for free “credit monitoring.”
--Recommends that the Office of Management and Budget (OMB) and Homeland Security (HSD) help agencies identify and defend against threats.
--Limit the un-necessary use in the public sector of Social Security Numbers.
--Allow agencies to quickly respond to data breaches and to share information under a new “routine use” practice drafted by the Department of Justice.
--The government should hold a workshop to determine improved identity verification and authentication techniques.

With respect to VICTIM ASSISTANCE the report called for allowing victims to recover for the time lost in correcting the harm suffered. The report recommends that the federal laws be changed to allow for the recovery of money damages for time lost from the thief.

In the LAW ENFORCEMENT SECTION the report calls for a standardized police report form to ease the collection of data into a uniform database to be maintained by the Federal Trade Commission (FTC).

KnightsBridge Castle’s view of these recommendations is as follows:

Guidelines are always good, however they need teeth. Guidelines should be regulations not suggestions for handling a breach.
Credit monitoring is a sham solution to breach problems. This guideline clearly indicates that the Task Force misunderstood either Identity Theft crimes or the limited nature of credit monitoring. Another potential factor is that the recommendation included the economic interest of the credit reporting companies in promoting their deeply flawed credit monitoring solutions. (Note: we have covered the question of the value of credit monitoring in earlier posts).
OMB and HSD assistance in preventing and following up government breaches is positive. However, recent HSD expenditures and management deficiencies, have indicated that we can expect little real help from the agency in the near term.
Limiting the unnecessary use of SSN’s is a real positive recommendation. However this will require congressional action and will be opposed by the financial community and the credit reporting agencies. To implement this plan congress must act in the public interest rather than in the commercial interest of the financial community.
Sharing information and adopting the “routine use” provision in data breaches will have no material effect in preventing data breaches in government.
Holding a workshop on authentication and verification is laughable. Alternative methods, both technical and procedural, for authentication of identity have been understood for years. The intense debate in the security and financial community about the utility of “biometrics” continues and will not be resolved in a government “workshop”.

The single VICTIM ASSISTANCE recommendation of allowing victims to seek restitution from criminals for the value of “time lost” is also of no real value. How is time lost to be measured? How is the time to be valued and how will the value of the time be proven. If a victim takes time off from work what documentation is required? If the victim takes time on a weekend is this also to be valued? These very real limitations are today preventing victims with insurance from recovering any real costs.

However all these valuation issues are moot, because the cost recovery action is taken against a criminal. Will the criminal really pay restitution? Or will he just run from the law and continue his criminal acts? We continue to follow Eric Drew’s restitution case, covered elsewhere on this bolg, and we will keep you informed if this restitution effort is successful or not.

The LAW ENFORCEMENT recommendation is the most absurd of all these recommendations. The FTC currently collects identity theft information using their ID Theft Affidavit. While a uniform police form will greatly improve the collection of data, the “Sentinel” database into which this information is input has proven to be of no value to police departments in stemming this crime wave. (Note: we have covered the “Sentinel” database and its limitations elsewhere in this bolg)

The report of the Presidents Task force is of no real value in addressing the critical issues of identity theft reduction. It does nothing to provide police with the resources (e.g. Money and training) needed to catch and prosecute these criminals. The recommendation does nothing to lengthen prison sentences for these damaging criminal acts. The use of “credit monitoring” as a potential assistance to victims, does not benefit victims in any meaningful way, but rather it guarantees significant income to the credit reporting agencies that are often at the center of facilitation of this crime.

Link to Presidential Identity Theft Task Force Interim Report.

Friday, September 22, 2006


Vons Credit Union
Consumers Cooperative Credit Union
SAFE Federal Credit Union
First Premier Bank
Tempe Schools Credit Union
Professional FCU
Bremer Banking
Hanley Economic Building Society
Orchard Bank Credit Card
Brigtht Star Credit Union
Community Trust Credit Union
First National Community Bank
Gold Leaf – State National Bank
University of Deleware Federal Credit Union
First National Bank of Omaha
Hawaii State Federal Credit Union
GTE Federal Credit Union
Schools Financial Credit Union
Apple Bank for Savings
Samsung Telecom Site - Crimeware
University of California Federal Credit Union
Monster, Job Offer Fraud
Banco Santander Central Hispano


Organized efforts at identity theft is the most significant trend in identity theft crimes in the past few years. However one form of organized theft has been with us for years – methamphetamine addition and identity theft crimes. Addicts often gather in groups, organize their efforts, and use their restless energy in organizing seemingly random information into an identity theft vector.

KnightsBridge Castle works closely with law enforcement and this we learned of an all too typical tale. The Santa Clara County Specialized Enforcement Team announced the arrest of an identity theft group of five who had victimized at least 50 persons.

The identity theft ring stole mail and then used the information to obtain fake identification documents including driver’s licenses. The ring used the fake IDs to cash forged paychecks. Officers seized methamphetamine paraphernalia during the arrest.

The identity theft crime facilitated by this drug addicted group included classic “impersonation crimes” to engage in check forgery.

KnightsBridge Castle accesses several databases which report the identity information of those passing bad checks. If your name shows up on this list, you may well be the victim of identity theft.

Thursday, September 21, 2006


Today we received a junk fax from America e-Find with the heading “We Check People and Companies Out For You”. The service promises “SSN verification, full address history, real estate owned… state or national bank account searches” and a wide variety of data sets which are subject to Federal and State legislative restrictions.

This fax is the work of big time junk faxer Michael Jay. His business information points to an out of country location making federal law enforcement difficult.

Some of the data sets offered are highly restricted under FCRA, DIPPA, and other state and federal restrictions.

Is this solicitation a scam? Yes.


The Federal Court for the US District of Northern Georgia in an action brought by the Federal Trade Commission fined information broker Choice Point $10,000,000 for failure to protect the personal information of over 400,000 consumers. An additional fine of $5,000,000 for compensation to victims was also levied. The Choice Point data breach has become a classic tale of an intentional theft of personal identity information by organized crime groups.

The compensation fund was intended to compensate persons who had their stolen information used in criminal acts such as fraud and impersonation crimes. The fine was levied against Choice Point in January of 2006. To date, the FTC has yet to distribute any funds to victims identified in 2005.

The court ruling may be found at:

The FTC moved against Choice Point for its violation of the Fair Credit Reporting Act (FCRA) and included in the charges were allegations that the data broker had failed to adequately check the background information of a business that was a front for a criminal group. Inconsistencies within the application to the information broker, as well as simple business verification checks would have revealed that the new applicant was not a legitimate business.

The FTC complaint with the Federal Court may be found at:

(Note: KnightsBridge Castle's identity theft prevention and detection systems subscribe to many information broker services including those of ChoicePoint. All access of personal information from these suppliers is performed in compliance with FCRA and with the consent of our clients)


This is a personal family story. A loved family member, and a MD as well as PhD passed away almost ten years ago. He practiced medicine in our community, held a prestigious teaching position at Stanford University and was active in the US Public Health Service. He is sorely missed.

However, every year or so we are reminded of his medical practice, when the agency who handled his billing calls to confirm his death. Why? Because fraudsters keep submitting Medicare reimbursement requests for medical charges alleged to have been provided by him.

Wednesday, September 20, 2006


With rising health care costs KnightsBridge Castle has been tracking an alarming increase in medical benefits fraud. Recent trends in identity theft indicate that we are seeing a new and highly effective form of fraud.

Medical benefits fraud involves the use of your medical benefits and insurance by an identity thief. Stolen Social Security Numbers (SSN) and date of birth can facilitate the crime, however most hospitals, emergency rooms, or health care providers, need only a name and address. The insurance industry and the payment systems of these health care providers make it easy for them to locate your health coverage plan with a minimum of data.

Health care providers are primarily concerned with the immediate delivery of service. This is particularly true of emergency rooms and urgent care facilities. In an urgent care facility, treatment is primary, and billing is left to someone working a desk who needs only minimal information to satisfy the institution’s billing needs.

Detection of this crime is usually the arrival of a bill for co-payments and non-covered medical expenses. This is frequently followed by demands from collections. Eventually these false charges may show up on your credit records. Recovery from this identity crime is very complex and fraught with unique obstacles to remediation.

Under HIPPA (Health Insurance Portability and Accountability Act) medical service providers are under rigid procedures for the access to health records. Although the experiences of Eric Drew, founder of KnightsBridge Castle, show the ready availability of stolen health records within medical institutions, attempting to acquire health records to recover from identity theft is extremely difficult.

Although the medical records of victims of medical benefits fraud may contain your name, SSN, insurance information, and other identifying information about you, medical service providers will not give you a copy of the file if you claim medical benefits fraud. Why? HIPPA requires medical providers to protect the privacy of medical information, even if the medical service was provided to an imposter and identity thief.

Medical service providers do not have very efficient billing systems and their systems for correcting errors in their billing statements are primitive. Since the billing departments lack access to the medical file it takes extraordinary efforts to have a false bill reversed.

This has led to some absurd situations when victims confront medical billing systems. One example had the victim showing his scar-less knees to a billing clerk and demanding a reversal of a bill for knee replacement surgery. The demand fell upon deaf ears.

Medical insurance information brings top dollar on the street. Even identity thieves need health care, and rather than pay for it they choose to apply their impersonation tools to filling this critical need. However, medical benefits fraud now extends beyond urgent care and now has been detected in fraud for elective procedures and even cosmetic surgery.

As we so often repeat on this blog, identity theft is not just about credit theft. Its about 80 crimes of credit fraud, impersonation crimes, and criminal identity theft. Medical benefits fraud is just another example of how you can be defrauded, with ugly consequences, and is an example of a crime in which credit monitoring or credit card insurance will prove of no value.

Tuesday, September 19, 2006


(We rarely post material that is not original with KnightsBridge Castle. However this article which appeared in the San Jose Mercury News this week was simply too compelling. From the San Jose Mercury News Friday September 15, 2006)

NEW YORK (Dow Jones/AP) -- On a weekday afternoon in a chat room, hackers are busy exchanging credit-card numbers, cash, hacked servers, information and stolen identities.
A hacker called Pinokio logs on and posts six identities, known as "fulls.''

"Mesage (sic) for trade with me :)'' he writes.

A "full'' contains enough information to take a thief on a multiyear identity theft ride, as it will include someone's Social Security number, home phone number, e-mail account and password, debit card PINs, credit-card numbers, and mother's maiden name. Hackers like Pinokio sell them in bulk for $1 to $5 a pop in an international ring of credit ``carders,'' as sophisticated as it is blatant.

Welcome to the world of identity theft, a market that costs the U.S. economy $56.6 billion last year, according to a study by Javelin Strategy & Research using methodology developed by the Federal Trade Commission.

The problem's so prevalent that financial advisers guiding America's affluent through investment decisions now want training on how to deal with the crime. Indeed, Charles Schwab Corp. is holding a session at its upcoming Impact 2006 conference in November on how to teach clients about the problem. Vanguard Group Inc. added a ``Security Center'' section to its Web site to teach consumers about identity theft and other issues.

That's all the more significant given that the rich seem most at risk. While 4 percent of Americans fell victim to identity theft in 2005, 6.38 percent of households earning more than $150,000 reported fraud, the Javelin survey found.

``Ten years ago it was a bunch of frustrated teenagers who had something to prove,'' said Supervisory Special Agent Thomas Grasso Jr. of the FBI's cyber division. ``Now, it's all about the money.''

There are several reasons hackers like Pinokio post these identities: to show he has good data and there's more to be had, to raise his status in the underground or to muddy the waters of any potential investigation by getting others to use a card he's already used.

``The other 240 hackers can get it right now and hammer this credit card in the next 10 minutes, and there is no way for a law enforcement officer to see who ordered first,'' said Dan Clements, chief executive of CardCops Inc., an Internet-security company based in Malibu, Calif.
may have one more motive: bonding. The chat room's a community, said Clements. ``They're a brotherhood.''

One of the stolen identities Pinokio posted belongs to Brandee Sissom. Her trouble began about a year ago, when she began receiving letters about credit-card accounts for which she had never applied. Credit reporting agency Equifax Inc. told her that people had been trying to open accounts in her name.

She recently noticed three charges for $25.90 from AOL on her credit card, canceled them and filed a complaint with AOL. The day her stolen data had been posted in the chat room, an anonymous caller told her that her Social Security number was compromised. But she still hasn't been able to change it.

"I have cancer, and I'm extremely tired all the time,'' Sissom said. "And if you've ever been in a Social Security office; it's a long wait, and I don't have the time or energy to wait.''

She put 90-day and year-long alerts on her credit. She said she has no idea how her information got online. "I'm really careful with my credit information,'' Sissom said."I chop up everything.''

The 363 hackers in the chat room are gathered together under the aegis of the room's administrators, the top dogs of this particular group. The chat room is hosted on Internet Relay Chat, more commonly known as IRC. At any given time there are thousands of chat rooms open, about 30 to 40 discussing credit-card information. This is one of the more popular ones. Anyone who knows the name of the room can log in.

According to the Secret Service, most carders are based in the former Soviet Union or Southeast Asia. Some, Clements, the CEO from CardCops, said, claim to make $10,000 to $20,000 a month.

"We haven't really seen any (other) illegal activity, (such as) drugs,'' said Scott Johnson, Secret Service Criminal Investigative Division's acting special agent-in-charge. ``They're too busy rolling on their piles of money.''

The administrators are marked by an ``'' symbol next to their name. They have what the FBI's Grasso called channel ops, meaning they can kick people out of the room and set passwords, as well as load programs onto the page, allowing the hackers to check the validity of stolen credit cards in real time.

An administrator will use a hacked merchant credit-card account, check the information and post it in the room. Typically, they don't actually charge the cards; instead they run authorization transactions, which don't cost the cardholder anything but confirm whether a given card is valid. The merchant takes a hit for the minimum transaction fee, usually about 10 cents, and the consumer is none the wiser.

Though there is no agency tasked with culling chats for consumer data, the FBI and Secret Service do occasionally monitor the rooms.

Eric Zahren, a spokesman for the Secret Service, said that he couldn't ``discuss or confirm'' that the Secret Service monitors chat rooms, but did say that ``we've proved we can operate in the same environments'' as the hackers.

The Secret Service, which was empowered by Congress to combat computer fraud, has 24 electronic crimes task forces across the country and 20 foreign offices working with local law enforcement on the issue. Their strategy is to go after top-tier carders, people who have millions of individuals' information at their disposal.

The Secret Service said it recently brought agents from Latvia and Lithuania to the United States for training on cyber crimes, and currently it is now running a training program in Thailand.

Cathy Milhoan, an FBI spokeswoman, said the agency doesn't have "teams of people'' monitoring these rooms "24 hours.'' She said it monitors the rooms only when it has a ``legal reason for being there.''



The Energy and Commerce Committee has been investigating the activities of data brokers selling non-public telephone records over the Internet. In June 2006, 11 data brokers responded to subpoenas to appear before the committee.

"Did you and your company, Worldwide Investigations, obtain and sell consumer cell phone records and other non-public personal information that was obtained through pretext, lies, deceit or impersonation," Kentucky Republican Ed Whitfield asked John Strange of Denver.

Strange replied: "Mr. Chairman, at this time I'd like to invoke my Fifth Amendment right."

The other 10 data brokers proceed to invoke their own rights not to incriminate themselves.

"What we have found to date has been eye-opening to say the least," Kentucky Congressman Ed Whitfield said of the panel's four-month investigation. "There are hundreds of data broker companies operating on the Internet."

"They offer just about any non-public information under the sun -- cell phone, landline call records, bank account activity, post office boxes, credit card transaction histories -- it goes on and on."

"I doubt very many Americans know that their personal and professional lives are this vulnerable to casual examination by strangers, even in the age of the Internet," said Representative Joe Barton, chairman of the full Energy and Commerce Committee.

"Unfortunately, brokers routinely lie to get their hands on this information and then sell the records to buyers who evidently don't care. And right now, some of this, maybe even all of it, seems to be legal."

KnightsBridge Castle supports H.R. 4943 to restrict access to phone records. H.R. 4943 is currently pending before the full House as one way of slowing the trend toward uncontroled access of personal information capable of causing harm. Additional legislation to protect privacy is clearly needed. However, by restricting the distribution of personal information, data brokers will need to accept a fall in revenues.


In the past few years we have seen the emergence of internet based “data brokers” who will sell information about a person without any restrictions. These sites can readily be found on the internet and they offer records for fees ranging from $20 to $50. No restrictions are placed on the access of data. In other words, anyone can purchase data about an individual and use it for any purpose.

Traditional “data brokers”, have been providing access to public records for many years, and these traditional brokers have restrictions on the use and access of their data repositories. The restrictions of these traditional data brokers are twofold – compliance with federal and state laws on information access and use, and contractual restrictions on the use of data.

Among these restrictions are FCRA (Fair Credit Reporting Act), DPPA (Drivers Privacy and Protection Act), and the Federal Privacy Act of 1973, among others. In order for KnightsBridge Castle to obtain access to information provided by traditional information brokers the firm was “vetted”. KnightsBridge Castle completed a complex series of applications and our executives were interviewed by two of the largest firms. In addition our procedures and physical facilities were inspected prior to granting access to data. Further as policy, KnightsBridge Castle obtains “permissive use” from its clients prior to initiating a search.

Contractual restrictions require us to be engaged in a specific type of business such as fraud prevention, and the contracts forbid accessing data for such purposes as running a “dating service”.

When KnightsBridge Castle accesses these traditional brokers’ services, we must reaffirm our use of data as a business engaged in the “prevention of fraud, or the detection of fraud.” Further we must attest that we are seeking this information as part of the normal course of our business. The information provided by traditional brokers, while it sometimes contains errors, is reasonably comprehensive and very useful in fraud detection.

We recently ran a test to compare “traditional brokers” with the new unrestricted internet information sources. The comparisons were not surprising. Traditional brokers provided comprehensive 50 state resources and provided advanced search facilities needed in fraud prevention and risk reduction. The internet brokers had no records on several of our test subjects, and revealed very limited data on others. Most of the data provided by the new internet brokers was readily available from Yahoo or Google searches. Some of the data was obtained from public records such as property records.
At KnightsBridge Castle we do not use these new internet data brokers because they both fail to comply with the law and they add little to our identity theft management efforts. For now, these internet brokers, provide not only bad value for money, but may well be in violation of many provisions of federal and state law.

Monday, September 18, 2006


Clients of KnightsBridge Castle occasionally ask about the cost of establishing a false identity. Those unfamiliar with identity theft fraud often assume that the cost of critical identifying information, as well as the cost of quality forged documents is very high, and that the average identity thief cannot afford these costs.

A quick examination of our “Identity Theft Most Wanted” blog site will reveal that identity thieves can obtain very good documents for “proof” of their stolen identity. The documents can be obtained either from the issuing agency such as the DMV, or they can be forged. DMV documents are frequently obtained by simply filling out a form to replace a lost ID. Forged documents can be obtained from criminal websites located off shore. Documents produced off shore by forgery shops vary in quality from shabby to good enough to fool the DMV.

For less than $500 a complete set of “persona” information and a very good set of identity documents can be produced. The cost of entering this crime is very low, and this low cost is matched only by the low cost of being caught and convicted – parole for first time offenders, and rarely more than 6 months for habitual offenders.


In a marketing campaign to capture new customers a Florida bank, Fidelity Federal Bank & Trust, bought data containing the personal information of hundreds of thousands of drivers in Florida. Later the bank bought more than 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. This purchase ran afoul of the law. Federal law includes a Drivers Privacy Protection Act (DPPA) which shields this information from marketing use.
The Bank has been fined $50,000,000 for its unlawful access and use of this data.

Here is the specific language of the DPPA.

TITLE 18 > PART I > CHAPTER 123 > § 2721
§ 2721. Prohibition on release and use of certain personal information from State motor vehicle records
(a) In General.— A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity:
(1) personal information, as defined in 18 U.S.C. 2725 (3), about any individual obtained by the department in connection with a motor vehicle record, except as provided in subsection (b) of this section; or
(2) highly restricted personal information, as defined in 18 U.S.C. 2725 (4), about any individual obtained by the department in connection with a motor vehicle record, without the express consent of the person to whom such information applies, except uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9): Provided, That subsection (a)(2) shall not in any way affect the use of organ donation information on an individual’s driver’s license or affect the administration of organ donation initiatives in the States.
(b) Permissible Uses.— Personal information referred to in subsection (a) shall be disclosed for use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non-owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of titles I and IV of the Anti Car Theft Act of 1992, the Automobile Information Disclosure Act (15 U.S.C. 1231 et seq.), the Clean Air Act (42 U.S.C. 7401 et seq.), and chapters 301, 305, and 321–331 of title 49, and, subject to subsection (a)(2), may be disclosed as follows:
(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only—
(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and
(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.
(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
(7) For use in providing notice to the owners of towed or impounded vehicles.
(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver’s license that is required under chapter 313 of title 49.
(10) For use in connection with the operation of private toll transportation facilities.
(11) For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.
(12) For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.
(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.
(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety.
(c) Resale or Redisclosure.— An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.
(d) Waiver Procedures.— A State motor vehicle department may establish and carry out procedures under which the department or its agents, upon receiving a request for personal information that does not fall within one of the exceptions in subsection (b), may mail a copy of the request to the individual about whom the information was requested, informing such individual of the request, together with a statement to the effect that the information will not be released unless the individual waives such individual’s right to privacy under this section.
(e) Prohibition on Conditions.— No State may condition or burden in any way the issuance of an individual’s motor vehicle record as defined in 18 U.S.C. 2725 (1) to obtain express consent. Nothing in this paragraph shall be construed to prohibit a State from charging an administrative fee for issuance of a motor vehicle record.

Friday, September 15, 2006


After decades of refusing to validate their Social Security Number (SSN) records with new employers, the Social Security Administration has revised its policies and will validate SSN’s. Validation will be performed only when a valid employment application has been completed and presented to a prospective employer.

The Social Security Administration describes the validation service as follows:

“SSNVS allows employers to use the Internet to match their record of employee names and Social Security numbers with Social Security records before preparing and submitting Forms W-2.
With SSNVS you can:

--Verify up to 10 names and Social Security numbers online (per screen) and receive immediate results. This option is ideal to verify new hires. OR
--Upload batch files of up to 250,000 names and Social Security numbers and usually receive results the next government business day. This option is ideal if you want to verify an entire payroll data base or if you hire a large number of workers at a time.

Using SSNVS is faster and easier to use than submitting your requests on magnetic media, paper listings, or even using Social Security's telephone verification option.

Making sure names and Social Security numbers on the W-2 match our records is important because unmatched records can result in additional processing costs for you and uncredited earnings for your employees. Uncredited earnings can affect future eligibility to (and amounts paid under) Social Security's retirement, disability and survivors program.”

Those who are seeking employment using false or forged identity documents often either make up a number or steal/purchase a valid number from another. Prior to the new SSA service the fraudster would use his own name and a stolen number to seek employment. With this new policy the name and number must match.

The Unintended Consequence – stolen SSN’s with valid names are readily available to those seeking false employment. They can be purchase on street corners where the undocumented gather. They are freely traded among criminals.

The result of this new process will be simply to drive up the price of valid SSN and name combinations. Street prices vary from $10 to $50. Future prices may be a bit higher. Unfortunately, the new SSA validation procedure will prove of little value, as identity thieves adjust to the new requirement for a SSN and name match.


At KnightsBridge Castle we advise clients to check the documentation of household employees, contractors, gardening help, health care workers, and others who visit your home, in order to reduce their exposure to identity theft. Theft of information and critical documentation in the home, by household employees or contractor labor is all too common.

In checking the documentation of permanent residents who are not citizens most of us know that we need to see a “Green Card”. Unfortunately most of us don’t know what a “Green Card” looks like and clients are usually very surprised to discover that there is not much “Green” on the card.

The “Green Card” is not easy to forge and some identity thieves have been known to use personal computers and digital printers to create their own original “Green Card”. These home brew cards are often given green backgrounds and look official although they do not resemble the real thing.

Attached is a slightly distorted image of a real “Green Card”. When checking a potential home employee or contractor/laborers you can compare their card with this fuzzy picture of a valid one.

A word of caution -- The US Government is revising its identity document stratigies in the face of 9/11. Future documents may appear different than the one pictured here. We will update this information when new images are available.

Thursday, September 14, 2006


A California resident and client of KnightsBridge Castle, who was the victim on a recurring and unending credit card fraud, took our advice and submitted credit freeze demands to the three credit rating companies – Experian, Equifax, and Trans Union.

As a victim of identity theft from an organized group, who continually attacked the client’s credit, the client exercised his legal rights under California law and demanded that the credit rating companies cease selling his credit information. KnightsBridge Castle assisted the client is completing and fileing a valid Police Report and the Identity Theft Affidavit. Using KBC’s standard demand letters forms and the required supporting documents the credit freeze demand were submitted to all three companies. Within 5 working days, both Trans Union and Equifax had completed the freeze and ceased selling the clients credit information and facilitating identity theft.

However Experian returned to the client a form letter describing services unrelated to a credit freeze. A search of the credit records revealed that two credit companies had complied with the freeze, but that Experian had not. The client submitted a second letter complete with documentation and this time posted it certified return receipt. The return receipt indicated that Experian had received the letter. Again a strange form letter unrelated to credit freezes was returned and again Experian had not frozen the records making them available in facilitating continuing identity theft.

Frustrated the client called Experian and after waiting some time spoke with a representative who demanded additional information not required by California law.

Our client is convinced that Experian was creating obstacles to his exercising his right to a credit freeze as the victim of an ongoing identity theft attack in order to preserve its profits in selling his information. Experian demanded new documents and forms which the client will send today.

The identity theft attack was detected 43 days ago and rapidly diagnosed by KBC. The only effective way of stopping these professional crooks was a credit freeze. Two agencies accepted his request and complied with the law. Experian as of this morning has still not frozen the credit records – some 38 days after the demand for a freeze was initially submitted.


A concerned professional wished to minimize their risk to identity theft by subscribing to KBC’s Protector program. Upon completing the initial eye-spy report, KBC uncovered that one of the leading professional background checking companies had listed our client as having been convicted of first degree murder in a distant state. KBC case specialists searched the criminal convictions database for that state and discovered that a murder conviction had been obtained by the state for a person of the same name and date of birth. However, the convicted criminal had died in prison.

KBC case specialists often find harmful information in these databases which was either entered in error or was inadequately confirmed. The false information concerning a murder conviction, if undiscovered could have had a disastrous effect on the client’s career and life.
Armed with this knowledge the client moved to correct the data. Since harmful errors in databases often re-occur, KBC continues to monitor the databases to ensure that this erroneous information does not reappear.

Wednesday, September 13, 2006


Surrounding the controversy at Hewlett Packard concerning obtaining telephone records of journalists through impersonation, the California Attorney General has made it very clear that this practice is against the law. The impersonation crime of “pretexting” is clearly an identity theft crime.

The office of the California Attorney General commented that state investigators “have sufficient evidence to bring criminal charges against individuals inside Hewlett Packard as well as outside the company.”

Tuesday, September 12, 2006



ATM machines provide for great convenience when traveling. However they also present very real identity theft risks. Skimmer systems and pin monitoring camera’s are well know to the police. Less well known is that some ATM machines are not valid machines, but rather machines planted by criminals for a short period of time. These fraudulent machines often dispense cash for a few days and the disappear together with all the account information put into them. ATM accounts are then immediately looted. This problem has been found in New York City, and is common in parts of Eastern Europe and Southern Europe.

Now a new problem with ATM’s has occurred. A few cases have recently arisen of fraudsters pretending to be ATM engineers in order to attempt unauthorised access to on-site cash machines.

The fraudster phones in to an ATM site or office to request the ATM safe access code in order to "update the machine". Typically, the caller uses two phones when he calls in, giving the impression of being busy, and adopting a business-like air. Some sophisticated fraudsters have been known to produce ID cards that have been prepared to support the crime they intend to commit. They may have accomplices who will answer the telephone number on the ID card.

These fraudsters are not only after money, but also after information about transactions.

At KnightsBridge Castle we urge our clients to use only trusted ATM machines – preferably those physically attached to your bank, and to exercise care to avoid skimming. In addition we urge the use of travelers checks when traveling in foreign countries especially mainland Asia and Eastern Europe.

Monday, September 11, 2006


KnightsBridge Castle announces today that it will augment its identity theft blog site with video blog capabilities. Consumer advocate, crime fighter, and founder of KnightsBridge Castle, Eric Drew, will host the video blog.

The blog will focus on new trends in identity theft. "Most identity theft criminals are not very smart, however a few are very creative", said Eric. "New innovations in identity theft occur each day as criminals outpace law enforcement by developing new techniques and methods for committing this heinous crime. The standard tips and precautions advised by the media, such as mail shredders and credit reports, provide some protection, however the criminals are using increasingly sophisticated techniques to commit crimes that these simple solutions will not prevent.” he continued.

Eric said "Our efforts will focus on new scams, revamped techniques, and new threats -- especially those of organized crime groups",

Stay tuned for our video blogs and keep yourself safe. "Stay safe, but live life!" commented Eric.


Among the most complex and disturbing of identity theft crimes are those committed by family members. We frequently work with clients who discover that a family member has stolen their identity, often with very serious consequences. This crime is frequently the result of divorce, but often occurs within seemingly stable family groups. The identity theft can be between parent and child, siblings, grandparents, and others and the consequences of this crime can be painful. Family members are often fearful that if a police report is filed then the family member responsible for the crime will be charged by the police.

Families facing identity theft within the family have only two options and either of these options can be painful. The options are: file a police report, or have the family member responsible for the crime formally acknowledge their responsibility for their actions.

To invoke your rights as an identity theft victim, and to begin the process of clearing your name and credit, you must file a police report. Without a police report no crime has been committed. If no crime was committed then the acts taken in your name are by definition valid. In other words, if a family member sold your property without your permission and used your identity to commit the crime, and you do not file a police report – then no crime has been committed and the sale stands. If a father steals a child’s name and buys a car on the child’s credit, and no police report is filed, the child has the debt. If an ex-spouse obtains bank financing using the former spouse’s identity, without a police report, then the debt stands.

A police report is critical. If the report is not filed, then the family member who is the victim of identity theft has no option but to make good on the results of the criminal act.

A second option is to have the family member who committed the fraud accept the consequences, and formally acknowledge responsibility for the crime.

These are the only two options.

More on having a family member accept the consequences and free the victim from the ill effects of the crime in a later post.

Sunday, September 10, 2006


Friday, September 08, 2006


Used smartphones and PDAs are loaded with sensitive personal information ranging from banking records to text messages. These records can be easily retrieved by identity thieves, according to a study by mobile security software provider Trust Digital.

Trust Digital engineers recovered nearly 27,000 pages of personal, corporate, and device data from nine of 10 resold mobile devices purchased online for the project, including a smartphone sold by an employee of a major corporation. The salvaged data included personal banking and tax information, corporate sales activity notes, corporate client records, product roadmaps, contact address books, phone and Web logs, calendar records, personal and business correspondence, computer passwords, user medication information, and other private, competitive or potentially damaging material.

The information was retained in the flash memory of the devices because of users’ failure to perform the advanced hard reset required to delete the data. The nine devices with retrievable data included those belonging to a former employee of a publicly traded security software company, an employee of a web services firm, and a corporate counsel of a multi-billion dollar technology company serving the legal market. The tenth device in the test was never used.


The State of Florida has an aggressive open public records policy. Florida actively works to put public records, such as driver’s license information, property records, tax records, and other public records on easily accessed public websites.

In its attempts to be as open as possible about public information Florida has been placing its citizens at great public risk.

A quick search of county records on public websites reveals the Social Security Numbers (SSN) of several notable citizens including, Miami Heat center Alonzo Mourning, Miami Herald publisher Jesús Díaz Jr. and Dolphins defensive end Jason Taylor.

Serious Identity Theft is rampant in Florida. For example property deed fraud is common. County records displayed on the Internet provide everything a criminal needs to steal a home. Thieves simply clip an image of an old signature and current notary seal from the Website and paste them into a fraudulent mortgage or deed. The fraudulent deed is then filed with the county by mail. Presto! – Your house is now owned by the thief who usually moves to refinance or sell the property.

KnightsBridge Castle accesses over 85,000 databases in providing its services. These include data sources in all states including Florida. Unlike Florida, many states, such as California, and many database suppliers, require an exhaustive application and vetting process prior to providing us with full access. KnightsBridge Castle facilities have been inspected on two occasions prior to allowing us access to public and private records.

While open records policies can be very good, providing too much information can be very bad – Florida is a timely example of how too much “openness” can cause real harm.


The Wall Street Journal today revealed that its reporters had been included in the identity theft efforts of HP in attempting to stop board room leaks. The impersonation crime committed by HP was directed not at just its directors, but at others outside the company including reporters.

Additional details were revealed by the major financial newspapers as well as by the local press. One surprising element was the apparent belief of HP Director and Silicon Valley power Broker Larry Sonsini (the lead partner in the lawfirm of Wilson. Sonsini) that the “pretexting” was proper. The full details of this regrettable error in corporate judgment can be found in other sources.

However, laws covering “pretexting” and the impersonation crime committed by HP are not as vague as HP’s defenders would have us believe. The legal restrictions are clear in both federal and California law. California Attorney General said today that state investigators now believe there was criminal activity involved in the methods used to search records. We will cover the details of these legal requirements as we continue to follow developments at HP.

Thursday, September 07, 2006


Supporters of HP’s new Chairperson Patricia Dunn have been denying that HP broke the law in seeking telephone records of a board member by impersonating that board member. In an attempt to stop “leaks” of board room discussions, the Chairperson appears to have hired outside investigators to determine who was leaking information. The outside investigators resorted to the usual tactics of “pretexting” in seeking the telephone records of a board member who has since resigned over these unethical practices.

“Pretexting” is another name for the illegal act of seeking information through impersonation. In order to release private information such as telephone numbers called, companies will require authentication information such as Social Security Number, mother's maiden name, and other information to ensure that they are not revealing the information to identity thieves. HP would have had this verification information readily available in its personnel files for all board members.

While defenders of HP equivocate as to the legality of the investigators action, the Financial Times provided the following information in this morning’s issue: “According to the consumer advisory issued by the Federal Trade Commission, pretexting is against the law”. In KnightsBridge Castle’s opinion “pretexting” is against both federal and California laws and is clearly illegal and constitutes identity theft.

Here in Silicon Valley, HP has a long and proud history and a record of unparalled ethical practices and community involvement. That the petty squabbles of board members would lead this catastrophe is unforgivable. In the words of the California Attorney General “I have no settled view as to whether or not the chairwoman’s acts were illegal, but I do think they were colossally stupid”.

Wednesday, September 06, 2006



Join Eric Drew and NBC11 for our second annual Living Well Expo at the San Jose McEnery Convention Center, Sept. 9 and 10, 2006; 10AM to 5PM both days.

Eric will be speaking on the prevention, detection, and recovery from the many crimes of identity theft. His presentation will be at 1:00 on Saturday.


Great Universal Stores (GUS) announced in March that it would divest itself of the credit rating company Experian. However to complete the “de-merger” holders of GUS debt must agree. Today’s Economist newspaper indicated that holders of GUS bonds, in the 2013 series worth over $630 million, did not agree to the terms.

The Economist wrote “Whether enough have refused to torpedo the offer remains to be seen, but market observes say they see no reason why anybody would accept when the bonds trade at a higher value than is being offered for them.”

In August 2005 Experian settled Federal Trade Commission charges that it deceptively marketed “free credit reports” by not adequately disclosing that consumers automatically would be signed up for a credit report monitoring service and charged $79.95 if they didn’t cancel within 30 days, in violation of federal law. The fine was $950,000.

Now their parent GUS wants to divest the company and buy back the bonds for less than their market value.


The Wall Street Journal and CNBC reported today that the Board of Directors of HP may have committed identity theft in attempting to oust managers at HP. Identity theft is composed of three general crime categories, (1) credit fraud, (2) criminal identity theft, and (3) impersonation crimes. Apparently the HP Board, in an ill-considered attempt to seek out leaks of board meetings, engaged in “pretexting”. “Pretexting” is an impersonation crime in which phone records are illegally obtained by impersonating the victim with the telephone company and seeking call records. This activity is illegal and constitutes identity theft.

Commentators on CNBC provided excuses for the HP Directors by indicating that the “pretexting” was probably the work of a sub-contractor of a private investigator and that the Board was unaware of the activity. This excuse is unacceptable. “Pretexting” is a common and illegal tool used by investigators and could have been easily predicted as following a request by a high powered Board.

HP, once a genuine paragon of virtue, seems to have descended into the kind of bickering and management conflict that leads to the self justification of a serious identity crime.

Tuesday, September 05, 2006


AT&T Inc. said its web site was hacked last weekend, and records and credit card information of up to 19,000 customers was compromised. The steps taken by AT&T to protect its customers are limited to only a small number of potential identity crimes leaving its customers exposed.

AT&T said that hackers targeted a store on the company's Web site where customers purchased DSL equipment. AT&T is providing a breach notification to its customers by e-mail, phone and letter as required by law. "We are committed to both protecting our customers' privacy and to weeding out and punishing the violators," said Priscilla Hill-Ardoin, chief privacy officer at AT&T. "We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted."

Once again a large corporation is substituting “credit monitoring” for increased protection following a successful hacking attack. Stolen information can and will be use in a wide variety of crimes including employment fraud, drivers license fraud, criminal identity theft, tax fraud, and over 80 identity crimes – not just credit fraud. AT&T’s failure to protect its customers from the full range of identity theft crimes is troublesome.


Here is a list of phishing alerts from a variety of public sources coverning the period of 8/25/06 to today.

University of California Federal Credit Union
Virtual Money
Fairwinds Credit Union
Monster, Job Offer Fraud
Banco Santander Central Hispano
Bumiputra Commerce Bank
Alternatives Federal Credit Union
HFS Federal Credit Union
First National Bank of Burleston
Veridian Credit Union
New alert subscription options
Microsoft Security Bulletin Scam
Service Credit Union
Caixa Geral de Depositos
Texas DPS Credit Union
Coosa Pines Federal Credit Union
United Heritage Credit Union
Machias Savings Bank

Friday, September 01, 2006


The Gartner Group recently reported that security fears of using the internet are resulting in fewer people logging on and accessing their accounts. A report commented that 46% responded they are changing their online behavior in response to these threats. Of this group half are shying away from on-line banking or on-line purchases.

At KnightsBridge Castle, when we assist clients in risk reduction strategies, one of our interview questions asks clients as to whether they use the internet to access banking and financial records. When asked, client often think we will advise that they not do so. They are wrong. We urge all of our clients to check banking and financial records online and frequently.

The risk trade-off is this. Frequent on-line checks can detect problems far faster than waiting 30 days for the statement to arrive. Further we consider the internet far, far safer than the mail. If you maintain good surfing habits with quality virus/spam/phishing software you will be reasonably safe. The mail is a very unsafe medium in which to receive confidential personal information such as financial statements.

We recently made a check of one of the on-line credit card systems and made a purchase at a store 100 yards from the office. We returned to the office and checked the account and there was the transaction.

KnightsBridge Castle advice on Internet or Mail? – Use the Internet and cancel the paper mailings of your account statements. Eliminate paper and mail theft of your critical data. Also check your account status frequently, perhaps every Sunday morning. Don’t wait for a paper statement every 30 days.


We had a visit this week from a database sales representative of a great data supplier who is an expert in searching their system. The rep was demonstrating their new system and using his own Social Security Number (SSN) to show the new features of their new system release. The rep gives this demo very frequently, but this time the result was different. Someone else showed up as using his SSN!

“What should I do he asked?” One of our team immediately responded with the procedure to determine if the SSN use constituted a threat, and if so how deep and dangerous was the attack. Within few moments, we had uncovered these facts.

The person using the SSN was using many others at the same time.
The person using the SSN lived at an address in a high crime area frequented by criminals.
The person using the SSN had a criminal history and had been convicted of crimes typical of identity thieves.
The person using the SSN lived in a household where other convicted criminals lived.

In addition we uncovered additional information which allowed us to inform the rep that they were at an extremely high risk of having a serious and immediate identity theft attack. A few moments later we had produced a risk reduction strategy and the rep left the office with the confidence that he knew the depth, seriousness, and potential direction of the attack.

The rep is a very good one, and her company outstanding. We were pleased to be able to help.

Blog tracker