Thursday, March 29, 2007


Tim Logan, CEO of KnightsBridge Castle, spoke to NBC television today about the risks of fraud and impersonation crimes resulting from the loss of over 45 million credit card and debit card records by the retail company TJ Maxx. NBC wanted to know what consumers can do to protect themselves from this criminal attack.

“The TJ Maxx threat is serious,” said Tim Logan. “The loss of credit card numbers, debit card numbers, PINs, security features and drivers’ license number, to organized crime groups, presents a very real threat to consumers,” he continued. “This was not lost tape, or misplaced data. Organized criminals targeted TJ Maxx and systematically looted their databases over a six-year period. This stolen information will be used to commit frauds and impersonation crimes for years and years,” said Tim Logan.

What can consumers do to protect themselves if they shopped at TJ Maxx? Mr. Logan provided NBC with the following general advice:

-- Take this threat seriously.

-- Remember, commercial credit monitoring services will not protect you against this fraud. Credit monitoring will capture these frauds 60 to 90 days after they occur and have gone to collections. “It’s like a fire alarm that goes off after the house has burned to the ground,” commented Logan.

-- Place a 90-day fraud alert on your credit records with the credit bureaus. Then lock down your credit records with a Credit Freeze in 25 states.

-- Monitor your credit card accounts by checking statements immediately upon receipt – better yet, check using internet account tools once a week.

-- Debit card holders are at the greatest risk. If your debit card has been compromised, cancel the card and have a new one issued. Debit cards do not provide adequate protection against fraud. They are not regulated by federal credit regulations as are credit cards, with which your actual out-of-pocket loss is limited.

-- Subscribe to a service which monitors the dark web, where criminals buy and sell stolen information such as that taken in the TJ Maxx incident.

-- If fraud occurs:
o Notify the credit card company or the debit card issuer immediately by phone. Then notify the credit rating companies. Failure to notify both the credit issuer and the credit rating companies may result in the loss of critical consumer rights under federal law.
o Always follow up with a written letter – keep copies and send it with a postal return receipt requested form.
o File a police report – without a report no crime has been committed, and without a police report you cannot exercise your full rights to legal protection, including permanent “fraud alerts,” no-cost credit freezes, and lessened probability of later collection demands by creditors.
o Watch carefully for any suspicious activity involving your driver’s license information, such as unrecognized traffic violations or auto insurance increases, which may result from DMV or insurance fraud.

Tim Logan concluded, “This is a serious breach of confidential financial and personal data. Consumers who take action to protect themselves now will avoid enormous grief and trouble later if they just take some simple precautions. No one will protect you. You must rely upon yourself to prevent and recover from this crime.”

Tuesday, March 20, 2007


Symantec, the internet security company and key provider of internet anti-virus software, released its annual Internet Security Threat Report, volume XI, this month. The Symantec report, like the Gartner report issued last week, is in sharp contrast to studies issued by the Federal Trade Commission and to research sponsored by the credit card companies. While the FTC and credit card companies report declines in “identity theft”, both Gartner and Symantec describe a crime wave of unprecedented proportions, growing rapidly and adapting to the weak preventative measures provided by government and business.

At KnightsBridge Castle we are not surprised by the findings of growth in identity theft and frauds facilitated through the theft of personal information. However, we were surprised by the quantity of this activity originating in the USA. In recent years many analysts had assumed that the systems behind phishing scams, spam scams, internet-initiated fraud, and the criminal resale of stolen and breached information had moved to safe havens offshore. The Symantec report indicates that up to one third of all this illegal activity still resides in the United States and is therefore subject to our law enforcement.

Here are some of the surprising findings of the Symantec report:

The United States was the top country of attack origin, accounting for 33% of worldwide attack activity.

86% of the credit cards and debit cards advertised for sale on underground and illegal economy servers were issued by banks in the US.

The government accounted for 25% of all identity theft related data breaches, more than any other sector.

51% of all underground economy servers were located in the USA.

46% of all known phishing web sites were located in the USA.

The US has the largest proportion of spam zombies.

These findings are alarming, in that government regulatory agencies and law enforcement have many of these illegal activities within their reach, yet they do little or nothing to shut them down. A phishing site in Moldavia or Beijing presents great challenges for American law enforcement; however, a criminal server located in Detroit offering stolen banking information for sale is an entirely different matter. In our opinion it’s time for the Federal Trade Commission and US law enforcement to get focused on this crime wave and recognize that much of the threat lies in the USA and is therefore within the reach of the long arm of the law.

The full report is available on Symantec’s website at:

Thursday, March 15, 2007


At KnightsBridge Castle we often advise clients to not use debit cards for payments. In our opinion the legal protections against fraud provided by “credit cards” are significantly superior to those protections against fraud found in “debit cards.”

Credit card use and fraud is protected under federal fair credit laws which limit your exposure to $50 per fraudulent charge. Most credit card issuers (but not all) will waive this fee in the event of fraud. However, debit cards have fewer protections, and losses are generally limited to $50 if the bank is notified within two business days. Losses reported after two days are limited to $500. If the loss is reported following a 60-day delay, the bank is under no obligation to reimburse you. While some banks offer added protections for debit cards, consumers are often ill-prepared to follow the complex provisions of these additional debit card protections. For example, the added protections against fraud provided by VISA and MasterCard require that the debit card be authorized by a signature rather than a PIN. In a recent Wall Street Journal article the author commented: “The reason: Banks get higher fees from merchants when consumers use debit cards with signatures, rather than PINs.”

Whatever the risk, consumer protections against fraudulent use of cards are best provided by credit cards regulated under the federal fair credit laws. At KnightsBridge Castle we do not advocate either debit or credit payments. However, in our opinion, and based on our experiences in assisting fraud victims, you are far, far safer using credit cards. If you don’t like debt, then pay off the card fully when you receive the bill.

Monday, March 12, 2007


The CEO of an identity theft company which provides “fraud alerts” placed on your credit records with the credit reporting companies recently recommended fraud alerts as a technique for preventing identity theft. The CEO said, “Placing a fraud alert with the major credit Bureaus … is a great frontline for defense.” By doing this, the CEO explains, “any time someone tries to change the information on your credit report or open up a new account, the credit card company has to call you first for verbal authorization.”

While this sounds like good advice, “fraud alerts” are a very poor defense against identity theft. Why?

The fraud alert is not statutory – it is advisory. New credit issuers are not required to notify you of a new account. The law advises them to do so and in our experience less than half provide notice – often little more than a message on your answering machine or voicemail.

Secondly, fraud alerts are easily manipulated by credit thieves, who can change, remove, or worse, modify them. For example, the security measures of the credit bureaus are so poor that credit thieves with a minimum of personal information can and will either remove the alert or change the phone number to their own.

Most important is that a fraud alert is applicable only to credit theft. Credit theft is less than 25% of identity theft. The single greatest form of identity theft is Social Security Number hijacking, often for purposes of illegal employment. Fraud alerts do nothing to prevent or detect the common identity frauds of IRS fraud, medical benefits fraud, driver’s license fraud or over 70 other frauds facilitated by the theft of identity information.

Lastly, the CEO of this company charges $99 per person per year to assist you with this free service.

If you think that the small benefit of fraud alerts is of value, save yourself some money. Buy 12 envelopes and $4.68 of stamps. Address four envelopes to each of the credit reporting companies. Write a letter demanding a fraud alert. Place a copy in each envelope. Then once a quarter mail three letters – one to each credit reporting company. Save yourself $93.

Even better, take a really effective measure to protect yourself against credit fraud – lock down your credit history with a credit freeze. New applications for credit cannot be processed without your permission to access your report.

Friday, March 09, 2007


15 million Americans were victimized by some sort of identity-theft related fraud in the 12 months ending in mid-2006, according to a survey by Gartner, Inc. Gartner’s survey contradicts the credit card company-funded surveys indicating a 10% decrease in the crime for a similar period. The new survey revealed more than a 50 percent increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American adult identity theft victims.

“Hackers are exploiting Internet auctions, nonregulated money transmittal systems, the ability to impersonate lottery and sweepstake contests, and other types of imaginative scams,” said Avivah Litan, analyst at Gartner. “The thieves have also discovered the weakest links in the U.S. payments systems. Typically, the weak links are found among the five or more million businesses that accept electronic payments from consumers, and the consumers themselves.”

In the past two years KnightsBridge Castle has seen enormous inconsistency in surveys attempting to characterize identity theft crime growth. The FTC has indicated that the crime is diminishing. The credit card company sponsored surveys have also indicated a small decline in the crime. On the other hand Federal Banking officials have completed a study indicating a 103% increase in mortgage fraud facilitated by identity theft for the same time period. Now we have Gartner’s report of a 50% increase.

These survey inconsistencies can sometimes be explained by examining the survey firm’s definition of identity theft. The FTC survey exclusively focuses on credit card crimes, thus ignoring identity crimes in false employment, IRS fraud, medical benefits fraud, and more than 70 other frauds facilitated through identity theft. The credit card company-sponsored surveys are in our opinion biased and are funded to allow the credit companies to assure the public that new security measures are working to stem this crime wave.

While we lack the survey facilities of the FTC, Gartner, and the credit card companies, we believe that we have a good feel for the state of identity theft in the USA. In our opinion this crime wave continues unabated, and if anything the Gartner survey may understate the real rate of growth both in the US and throughout the world.

Monday, March 05, 2007


Two recent articles hit our desk at the same time and got the staff at KnightsBridge Castle thinking about the future of identity theft. The Economist Magazine featured an article announcing the end of the “cash era”. Electronic commerce, including credit cards, debit cards, PayPal, and electronic payments from bank accounts, has greatly diminished the need for notes and coins in the cash economy. The Economist noted, “Notes and coins are already a small fraction of the money in most rich countries.” The article predicted that within a few years cash as we understand it would cease to exist.

The second article was a series of comments by the President of the Association of Certified Fraud Analysts. In these comments the president of the association said that the crime of the new century would be fraud. New technologies and new systems were actively creating new opportunities for criminals engaged in fraud and theft. Clearly the proliferation of frauds and identity theft confirms his views.

As we enter a cashless society many classes of crime may diminish. For example when a bank contains no cash, or a store has no cash, certain types of robbery will disappear. However they are most certain to be replaced by new types of robbery and fraud.

Therefore we at KnightsBridge Castle believe that Identity Theft, and the frauds that are committed using personal information, are a crime wave that will not diminish. Reluctantly and sadly we find ourselves watching the unprecedented growth of identity theft and fraud as we exit the age of cash and enter the age of fraud.
