Friday, December 29, 2006


We often talk with businesses about protecting their customers after their business data has been stolen, lost, hacked, or compromised. Consumers are required by law to be notified when their personal information, such as name, address, and social security number (SSN), has been compromised, and failure to provide timely notification carries heavy fines and penalties.

The responses by businesses vary from simple notification of a breach containing minimal information to advanced protective services provided by the business for the “at risk” consumer.

What should a business do when faced with a breach of consumer data? Complying with the law is one thing, but retaining valued customers is another thing entirely. If customers are valued, then minimal protection will undoubtedly result in the loss of those customers. A fully formed protection program, while challenging, may actually bond the business closer to its customers as the business demonstrates care and competence in managing this very real crisis.

Here is a list of things that will ensure that customers lose confidence in a business which is sending a breach notice:

A simple notice of breach, without explanation and with no remediation

To assure customers that you care about the breach you must explain in simple terms what happened, what you have done to correct the breach, and whether the breach was intentional or inadvertent. Most breach notices, written by lawyers afraid of litigation, will say nothing about corrective action, your competence to deal with the crisis, or your loyalty to customers. A business that sends a minimal breach notice will undoubtedly scare its customers, who may well take their business elsewhere. Customers often need someone to talk to who can assure them that competent and speedy action has been taken to provide protection.

A simple notice of breach with minimal explanation and a free credit monitoring service.

Credit monitoring provides no meaningful protection to customers if their information has been compromised. Customer information is stolen for many types of crime. For example, false employment crimes, IRS fraud, medical benefits fraud and over 75 other types of identity theft related fraud are undetected by credit monitoring. In other words, more than 75% of all identity fraud cannot be protected against by credit monitoring. Further, credit monitoring services detect credit card fraud only after the fraud has occurred, and the consumer is left to clean up the mess. Think of a fire alarm that goes off after the house has burned down – that’s the value of credit monitoring. Consumers are lulled into thinking they are protected by these services, but as recent press coverage (see comments on press coverage in our other blog entries) has shown, consumers become very, very angry when the identity thieves strike and their imagined protection proves worthless.

Here is a program that will work and will demonstrate competence and care of valued customers.

-- A brief and timely explanation of the details of the breach, without providing information of value to thieves. When did the breach occur? What have you done to keep breaches from happening again (e.g., new security measures, fired a sub-contractor, employee training programs, etc.)? Was the breach intentional – was the information targeted for theft, or simply lost or misplaced? A missing backup tape presents one set of challenges to a consumer, but a broken window and a smashed file case with selected records missing is something entirely different. Even worse is a targeted and hacked computer database.

-- Consumers need assurance that you are competently protecting their interests. They need a human to talk to about the breach, both at the company whose data was breached and at a company which provides protective services. Consumers need to know that the business cares, and that identity theft prevention, detection and recovery experts are available to discuss their concerns and to take action. Disembodied phone trees with endless recorded messages are certain to make the customer angrier than they were when they received the breach notice.

-- A program that addresses all the avenues of crime that the loss of customer data enables is required. In addition to credit crimes, these include false employment fraud (the most common form of identity theft and devastating to consumers in the long run), medical benefits fraud, IRS fraud, bank theft and forgery, driver’s license fraud, immigration frauds, and many, many others. While it may prove impossible to protect customers entirely following a breach, systems which prevent, detect, and have recovery procedures in place for these crimes are critical in keeping valued customers.

-- Rapid reaction and response, if a consumer is defrauded, is a major requirement and is missing from almost every program available today – such as credit monitoring programs. The customer needs a hot line and a trained identity theft expert available in a timely fashion to respond to hints of fraud or to actual fraud. If a business values its customers it will not leave them in the cold when the identity thieves strike.

Acquiring and keeping satisfied customers is a high priority for almost every business. Business managers should treat breaches of customer data using the golden rule. How do you want to be treated as a business person if another business loses control of your personal information? How would you feel if you were essentially told you were on your own, or given security tools which simply were unable to provide any meaningful safety to you or your family? A business data breach is ugly, but it provides an opportunity for the business to demonstrate that it values its customers and that it is competent in protecting them in the future. In other words, it is a business that is worthy of continued patronage.

Thursday, December 28, 2006


A recent study by a leading internet security vendor reports a 300% increase in phishing attacks in the last week. It seems that not only does credit fraud peak during the holidays, but so do phishing and spam attacks.

The report points out that the significant increase is primarily due to a massive jump in phishing messages being sent from South Korea and China. China is now the biggest generator of phishing emails in the world, jumping from 10th position last week.

In addition to the rise in phishing, the report commented that Christmas spam rates have exploded since November. At the end of October there was almost zero Christmas spam distributed, but it now represents 10.9 per cent of spam overall.

Wednesday, December 27, 2006


Today’s phishing variant is one in which you receive an invoice on a PayPal account for a purchase that you clearly did not authorize. The phishing scam provides an instant and highlighted link to dispute the bill. The “dispute transaction” link goes to a UK address and to a domain name that is not properly registered. In other words, it goes into the ether and straight to criminals.

This email confirms that you have paid PALMTREOSTORE $419.95 USD using PayPal.
This credit card transaction will appear on your bill as PayPal Shopping Cart Contents
Item Name: Palm Treo 700p smartphone
go-anywhere, Palm OS device
Quantity: 1
Total: $399.95 USD
Cart Subtotal: $399.95 USD
Shipping Charge: $20.00 USD

Cart Total: $419.95 USD
Shipping Information
Shipping info: Andy Crouse
202 N Magnolia Dr.
Saco, ME 04072
United States
Address Status: Unconfirmed
If you haven't authorized this charge, click the link below to cancel the payment and get a full refound.

Wednesday, December 20, 2006


In the news this week has been the INS raid on the meat packing houses of Swift, in which over 1500 employed illegal immigrants were arrested. All the illegal immigrants had qualified for employment at Swift by presenting one or more of the 10 documents required by the federal I-9 form for Employment Eligibility Verification. Among these are a passport, driver’s license, social security number (SSN), Certificate of Naturalization, foreign passport with US employment authorization, permanent resident card, alien resident card, temporary resident card, employment authorization card, temporary resident card, refugee travel document, or employment authorization from the Department of Homeland Security.

At KnightsBridge Castle we are continually seeing cases where identity theft is facilitated by making up a number in the SSN format and using it with another name. Credit reporting companies and other information companies see this all the time and never report a mismatch. Thus if you have credit under your SSN and name, another person can easily get credit using your SSN and their name. Yes, it sounds impossible, but it happens every day.

Until recently the same inability to match names to SSNs was preventing employers from checking the validity of the name and SSN match. Recent federal legislation now provides employers with the ability to validate these name and SSN combinations for a proper match.

This legislation was intended to prevent illegal immigrants from seeking employment.

Like so many other efforts to block identity theft, this one is doomed to failure. Why?

Because, as reported in a recent Wall Street Journal article about the Swift raid, illegal immigrants seeking employment are already beginning to use valid name and SSN combinations. Name and SSN combinations can be stolen, rented, donated by other legal family members, purchased on the street, or acquired in many different ways.

SSN and name matching is no protection against identity theft. This well intentioned effort at curbing illegal employment will actually accelerate identity theft by encouraging others to use valid name and SSN combinations, rather than simply making up a number in a valid format.

Monday, December 18, 2006


(illustration from the Wall Street Journal)
Two years ago the ability of a consumer to lock down their credit information from unauthorized prying eyes was nearly doomed, as the previous congress, under heavy pressure from banks and credit reporting companies, moved forward to eliminate 24 state laws which provided for this important protection.

The attorneys general of 49 states had argued that consumers should be allowed to block access to their credit records, thus closing a major vector of fraud and identity theft. The credit rating companies, facing the significant loss of revenues from the widespread selling of your personal information, opposed state laws and sought to eliminate “credit freezes” in the congress. Under the guise of providing for a national program, the congressional committee responsible for such legislation reported a bill which effectively eliminated “credit freezes” in all states and replaced them with a federal law which provided no such protection.

Fortunately the “do nothing congress” did nothing and the bill languished amid partisan cat calling and inaction.

We have urged our clients to contact congress to allow the states to pass their own laws in this area. And if a national law were needed, then the law must provide similar protections to those of the 24 states currently with these laws, rather than eliminating the protection altogether. Fortunately our congressional representatives have been listening. The Wall Street Journal reported this weekend that the new congressional leaders intend to bolster privacy rights in the next congress. Among these improved protections against identity theft and fraud will be provisions to allow states to continue their protections or to adopt strict federal legislation allowing consumers to lock down their credit information from unauthorized prying eyes.

Friday, December 15, 2006


KnightsBridge Castle has been critical of credit monitoring from its inception for a number of reasons. It reports new credit lines only after the credit line has been looted by criminals, many institutions will grant credit without checking a credit report, and a notification that someone has recently purchased your credit report is a poor indicator of pending theft. Lastly, we don’t like credit monitoring because it creates a false sense of protection against the over 80 crimes of identity theft – of which credit fraud is only one.

Now the New York Times has published a stinging criticism of credit monitoring. We quote briefly from the article by Ed Zugra below:

“Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband. . . Melody Millett found that the Social Security number of her husband, Steven, was being used to apply for financing under another name. Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft.”

The incident described in the article is common. This is not the result of a glitch in some system. It is the result of a failed system of reporting by the credit reporting companies. The New York Times article continues:

“At the same time, credit monitoring may fail to detect that a credit request was even made. For example, a fraud artist may use someone else’s personal identification information — like a Social Security number — but take out a loan in his or her own name. The data mismatch can cause the bureau’s computer systems to route the loan request to a separate file so that a credit-monitoring service never picks it up.”

At KnightsBridge Castle we believe that a credit freeze, now allowed in 26 states, is the best way to prevent credit fraud. We also believe that a comprehensive program of protection is required that provides protection against credit fraud, bank forgery, wire transfer fraud, employment fraud, medical benefits fraud, and over 70 other forms of identity theft.

We also object to credit monitoring on the basis that it is similar to an extortion racket. The credit rating companies sell your information to anyone. Now they want to sell it to you so you can protect yourself against the others they sell the same information to. There is something fundamentally wrong with this picture.

The New York Times article was published on December 12, 2006, and for subscribers to the Times the article may be found at the link below:

Thursday, December 14, 2006


In our continuing effort to fight the many crimes of identity theft, KnightsBridge Castle’s CEO has been admitted to the national CyberCop program. The CyberCop program is part of the InfraGard National Members Alliance (INMA or “InfraGard”), the largest national network of private sector, FBI-vetted subject matter experts (SMEs) for critical infrastructure protection. KnightsBridge Castle will begin using its CyberCop portal today to facilitate secure communication with other InfraGard members, local chapters and local, state and Federal government agencies.

InfraGard’s goal is to promote ongoing dialogue and timely communication between its members and local, state and federal government and law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS). InfraGard members provide subject matter expertise to federal agencies that enhances their ability to secure and protect our nation’s critical infrastructures from terrorism and other crimes.

“Identity theft is a major threat to our personal welfare and to our national security,” said Tim Logan, CEO of KnightsBridge Castle. “Not only do common criminals steal identities, but so do international drug cartels, organized crime groups, and terrorists. We are proud to participate in this program and to extend our protective service to cover a wider range of crimes,” he concluded.

The CyberCop portal was designed to provide a secure, Web-based environment to promote and facilitate the communication of sensitive information among a cohesive network of law enforcement, homeland defense and first responder professionals from all levels of government - including international, federal, state and local - and the private sector. InfraGard uses the CyberCop portal to facilitate communications with its approximately 12,000 active members while also providing dedicated portal space for InfraGard partners like KnightsBridge Castle and affiliated organizations as well as for each of InfraGard’s 84 local chapters. Through CyberCop, InfraGard participants can control access to their information down to the chapter and individual level.

CyberCop, an ESP-coined term, refers to computer forensic experts, law enforcement and emergency responders that use the Internet to collaborate and share information with one another. Due to various geographic, system, political and monetary barriers, these individuals are rarely able to securely engage one another to share case information and to exchange best practices and lessons learned. As a result, The ESP Group created this secure portal which is committed to providing a safe and secure environment where ideas can be freely exchanged to aid individual efforts and to foster cooperative efforts in the fight against crime, terrorism and the security of the nation.


Founded in 1996 in the Cleveland, Ohio field office of the Federal Bureau of Investigation, the InfraGard National Members Alliance (INMA or “InfraGard”) is the largest national network of government-vetted private sector experts. With more than 11,000 active members across the organization’s 84 local chapters, InfraGard provides a vital link in protecting the nation’s infrastructure by serving as subject matter resources to local, state and Federal government and law enforcement agencies. InfraGard National Members Alliance is a volunteer non-profit 501(c)3 corporation.

Tuesday, December 12, 2006


This week we received a distress call from a new victim of the Nigerian scam. The victim was local, so we had the opportunity to talk directly with the victim.

The victim had fallen for the classic Nigerian scam and had used a bank transfer to send everything they had to obtain the huge returns promised by the criminals. Needless to say the money disappeared.

We interviewed the victim, who brought family members for support. The victim was in tears. The family was distressed.

The victim kept asking why our government allowed these scams to occur. At KnightsBridge Castle we have no answer to this question.

Many of us know of this scam and its variants, and some are surprised when a victim appears. “Everyone knows about this scam. Why did she fall for it,” commented one of the staff. The answer is that everyone does not know. And in a moment of weakness any one of us may be tested by a scam where the returns are too good to be true.

Unfortunately this scam had the traditional additional elements that made the crime more horrific.

The Nigerian criminals pressured the victim to come to Nigeria and deliver the money. The victim wisely declined. People traveling to Nigeria responding to this scam have been killed or kidnapped.

The criminals attempted to perpetrate a second scam by offering to fix the problem for additional payments.

And lastly they began threatening the victim with violence if the victim did not pay more.

At the time we met, the victim had not contacted the police, FBI, or Secret Service.

After examining her documents we immediately contacted the authorities. The Secret Service has jurisdiction over this matter and they took critical banking information and are trying to trace the flow of the funds. Local police have been contacted as well. Banking authorities were also notified.

The threats of violence should end with the police reports and notification. The criminals are relying on shame and fear to keep extorting money from the victims.

This scam and its variants are real. We have seen two victims and stopped several people from becoming victims. Not everyone knows about the Nigerian scam and now we have another victim of what the Financial Times of London calls an $800,000,000 crime wave.

Friday, December 08, 2006


One of the first clients of KnightsBridge Castle informed us today that the identity thief we were able to identify in her case is to be sentenced this week.

Our client came to us after 5 years of continuing check forgery and identity theft. The local police had lost interest and considered the client a nuisance. With the help of our case specialist we gathered the facts, performed research, and presented all of her information to the police fraud department in an organized manner. We also used our contacts within the regional fraud detectives’ network to bring attention to the matter.

Within days of presenting a complete case to the police an arrest warrant was issued in another state. An arrest followed and then a conviction.

This week a sentencing. Our client is overjoyed to end five years of fear and to have the culprit convicted. We are very happy to have served our client in making a difference.

(Note: the facts of this particular case have been jumbled a bit to ensure client protection)

Wednesday, December 06, 2006


We are now receiving at KnightsBridge Castle no less than four separate PayPal phishing attempts every day. Phishing is starting to look a lot like spam. To think that anyone would fall for these scams is amazing. But they must continue to work.

In one case today, when you click on the PayPal link you are actually clicking on a link that looks something like this (we changed the URL slightly to protect our readers):


EXP=1138544186 /**http%3a//61.57.2nn.209/%20/.confirm/index.php?MfcISAPICommand=SignInFPP

If you can read this URL you know it’s trouble. We know it’s theft.
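The tells in that URL (an encoded scheme hiding the real destination, a bare IP address instead of a domain, a %20 path segment, and a PayPal-branded message pointing somewhere that is not PayPal) can be checked mechanically. The following is an added example, not the blog's own code; the sample link is constructed to mirror the shape of the quoted one, using a host from the 192.0.2.0/24 documentation range, and the allow-list of legitimate PayPal hosts is an assumption.

```python
"""Heuristic red-flag checks for a link lifted from a suspected phishing email.

Added example, not code from the blog. SAMPLE_LINK is constructed to mirror
the quoted link (encoded scheme, bare IP host, %20 path segment, SignInFPP
query); the host is from the 192.0.2.0/24 documentation range, not a real site.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

BRAND = "paypal"
# Assumed allow-list of hosts that legitimately serve the brand's sign-in page.
LEGIT_HOSTS = {"paypal.com", "www.paypal.com"}

# Constructed sample, modelled on the link quoted in the post.
SAMPLE_LINK = ("EXP=1138544186 /**http%3a//192.0.2.10/%20/"
               ".confirm/index.php?MfcISAPICommand=SignInFPP")
# Constructed context: a few words of the email body the link arrived in.
SAMPLE_CONTEXT = "This email confirms that you have paid using PayPal."

# Matches an http(s) URL whose "://" may be percent-encoded as "%3a//".
URL_RE = re.compile(r"https?(?:://|%3a//)\S+", re.IGNORECASE)


def extract_target(raw_link: str) -> str:
    """Pull the last embedded URL out of a wrapper/redirect string and
    restore its scheme; the last one is where the browser ends up."""
    found = URL_RE.findall(raw_link)
    if not found:
        return raw_link
    return re.sub(r"(?i)^(https?)%3a//", r"\1://", found[-1])


def host_is_ip(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 literal, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze(raw_link: str, context: str = "") -> list:
    """Return human-readable red flags for a link; an empty list means none.

    `context` is surrounding email text, used to learn which brand the
    message claims to come from.
    """
    flags = []
    if not raw_link.lower().startswith("http"):
        flags.append("URL is wrapped inside another parameter (redirect wrapper)")
    if re.search(r"(?i)%3a//", raw_link):
        flags.append("scheme is percent-encoded to disguise the destination")
    if len(URL_RE.findall(raw_link)) > 1:
        flags.append("more than one URL embedded (redirect chain)")

    parts = urlsplit(extract_target(raw_link))
    host = (parts.hostname or "").lower()
    if host_is_ip(host):
        flags.append(f"destination host is a bare IP address: {host}")
    if re.search(r"\s", unquote(parts.path)):
        flags.append("path contains encoded whitespace (%20), a common obfuscation")

    claims_brand = BRAND in (context + raw_link).lower()
    brand_host = host in LEGIT_HOSTS or host.endswith("." + BRAND + ".com")
    if claims_brand and not brand_host:
        flags.append(f"message invokes {BRAND} but link goes to '{host or '?'}'")
    return flags


if __name__ == "__main__":
    for flag in analyze(SAMPLE_LINK, SAMPLE_CONTEXT):
        print("-", flag)
```

The same checks flag look-alike hosts such as a constructed www.paypal.com.example.net, since only the registered domain is compared against the allow-list.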

We used to have fun tracing the origin of the sites to Uruguay, Moldavia, and Chechnya. But the fun is gone.

Never communicate with PayPal or any vendor by clicking a link included in an email or in a web page attached to an email. NEVER.


In an unending stream of lottery frauds we noticed today’s fraud with some interest. It seems that Wal-Mart and Publisher’s Clearing House are sending out checks to international lottery sweepstakes winners by the hundreds. All the recipient need do is cash the check and wire money to pay fees to receive the remainder of the winnings.

The checks are bogus. The wire transfer pays the fraudsters cash from your account and then opens the account for wire transfer draining of all that is left in it. If you win a contest you did not enter, it’s the start of theft. If you are asked to pay fees directly to the person claiming you won something, it’s theft.

Tuesday, December 05, 2006


It’s the holiday season and you’re probably seeing racks of gift cards at stores for everything from hamburgers to electronics. The value of these cards varies but the larger amounts are considerable.

A new scam has been reported that we have as yet been unable to confirm. However, caution is warranted when buying gift cards off a rack in a store. We have received reports that fraudsters are using cell phones to photograph bar codes and other information on the back of gift cards. Upon returning to the store, the fraudster can see that a specific card or group of cards has been sold. Using the information on the card, the fraudster activates it and drains the account. Fraudsters are fully aware that in most cases these gift cards will sit under a Christmas tree until the end of the holiday, giving the thief plenty of time to act.

Caution is warranted when buying gift cards from a rack in a store.

Monday, December 04, 2006


In the past few days in the UK a new ATM connectivity scam has been uncovered. The scam involves placing an MP3 recorder between the ATM machine and the telephone line linking the ATM to the home bank. The MP3 recorder captured the data carried down the line from the ATM. This data was then transferred to a PC and subsequently decoded by a fraudster with previous experience of cards, using software from Eastern Europe.

An estimated £200,000 ($360,000) of goods were obtained using counterfeit cards produced from the decrypted information. Fortuitously, the gang using the cards in the UK was arrested as a result of a traffic violation before further fraud could be committed.


Consumers often don’t realize what it takes to run a scam on the internet. The amount of equipment needed is very little, and the cost of setting up a scam is even less.

A recent report in the Financial Times commented that Verisign, the internet security company, believes that virtually 100% of all the on-line transactions originating in the Former Yugoslav Republic of Macedonia are “suspicious”.

Macedonia has in recent years built an advanced internet infrastructure, with 100% of the population covered by high speed internet links. In a country like Macedonia a simple PC or a slightly more expensive server can send out hundreds of thousands of phishing scams every day. Junk email by the millions is possible, as well as targeted hacking attacks. Needless to say, law enforcement for fraud occurring in the US but originating in Macedonia is non-existent. These websites often purchase security certificates and serve their pages over https, so the connection looks fully secure. The website transaction may be secure, but the persons operating the websites are completely criminal.

In parts of the former Soviet Union, such as Moldavia, it’s just as simple. A generator to provide power, a cheap server, a satellite link, and an unemployed computer scientist are all that is needed to engage in fraud without any recourse to police authorities. In fact, in some of these countries the police are providing protection to criminals in their activity.
