Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal is here is to know someone’s intentions, and their identity has very little to do with that.

The widespread corruption at the heart of Greek culture

From Michael Lewis’s “Beware of Greeks Bearing Bonds” (Vanity Fair: 1 October 2010):

In just the past decade the wage bill of the Greek public sector has doubled, in real terms—and that number doesn’t take into account the bribes collected by public officials. The average government job pays almost three times the average private-sector job. The national railroad has annual revenues of 100 million euros against an annual wage bill of 400 million, plus 300 million euros in other expenses. The average state railroad employee earns 65,000 euros a year. Twenty years ago a successful businessman turned minister of finance named Stefanos Manos pointed out that it would be cheaper to put all Greece’s rail passengers into taxicabs: it’s still true. “We have a railroad company which is bankrupt beyond comprehension,” Manos put it to me. “And yet there isn’t a single private company in Greece with that kind of average pay.” The Greek public-school system is the site of breathtaking inefficiency: one of the lowest-ranked systems in Europe, it nonetheless employs four times as many teachers per pupil as the highest-ranked, Finland’s. Greeks who send their children to public schools simply assume that they will need to hire private tutors to make sure they actually learn something. There are three government-owned defense companies: together they have billions of euros in debts, and mounting losses. The retirement age for Greek jobs classified as “arduous” is as early as 55 for men and 50 for women. As this is also the moment when the state begins to shovel out generous pensions, more than 600 Greek professions somehow managed to get themselves classified as arduous: hairdressers, radio announcers, waiters, musicians, and on and on and on. The Greek public health-care system spends far more on supplies than the European average—and it is not uncommon, several Greeks tell me, to see nurses and doctors leaving the job with their arms filled with paper towels and diapers and whatever else they can plunder from the supply closets.

A handful of the tax collectors, however, were outraged by the systematic corruption of their business; it further emerged that two of them were willing to meet with me. The problem was that, for reasons neither wished to discuss, they couldn’t stand the sight of each other. This, I’d be told many times by other Greeks, was very Greek.

Tax Collector No. 1—early 60s, business suit, tightly wound but not obviously nervous—arrived with a notebook filled with ideas for fixing the Greek tax-collection agency. He just took it for granted that I knew that the only Greeks who paid their taxes were the ones who could not avoid doing so—the salaried employees of corporations, who had their taxes withheld from their paychecks. The vast economy of self-employed workers—everyone from doctors to the guys who ran the kiosks that sold the International Herald Tribune—cheated (one big reason why Greece has the highest percentage of self-employed workers of any European country). “It’s become a cultural trait,” he said. “The Greek people never learned to pay their taxes. And they never did because no one is punished. No one has ever been punished. It’s a cavalier offense—like a gentleman not opening a door for a lady.”

The scale of Greek tax cheating was at least as incredible as its scope: an estimated two-thirds of Greek doctors reported incomes under 12,000 euros a year—which meant, because incomes below that amount weren’t taxable, that even plastic surgeons making millions a year paid no tax at all. The problem wasn’t the law—there was a law on the books that made it a jailable offense to cheat the government out of more than 150,000 euros—but its enforcement. “If the law was enforced,” the tax collector said, “every doctor in Greece would be in jail.” I laughed, and he gave me a stare. “I am completely serious.” One reason no one is ever prosecuted—apart from the fact that prosecution would seem arbitrary, as everyone is doing it—is that the Greek courts take up to 15 years to resolve tax cases. “The one who does not want to pay, and who gets caught, just goes to court,” he says. Somewhere between 30 and 40 percent of the activity in the Greek economy that might be subject to the income tax goes officially unrecorded, he says, compared with an average of about 18 percent in the rest of Europe.

The easiest way to cheat on one’s taxes was to insist on being paid in cash, and fail to provide a receipt for services. The easiest way to launder cash was to buy real estate. Conveniently for the black market—and alone among European countries—Greece has no working national land registry. “You have to know where the guy bought the land—the address—to trace it back to him,” says the collector. “And even then it’s all handwritten and hard to decipher.”

On he went, describing a system that was, in its way, a thing of beauty. It mimicked the tax-collecting systems of an advanced economy—and employed a huge number of tax collectors—while it was in fact rigged to enable an entire society to cheat on their taxes.

Tax Collector No. 2—casual in manner and dress, beer-drinking, but terrified that others might discover he had spoken to me—also arrived with a binder full of papers, only his was stuffed with real-world examples not of Greek people but Greek companies that had cheated on their taxes. He then started to rattle off examples (“only the ones I personally witnessed”). The first was an Athenian construction company that had built seven giant apartment buildings and sold off nearly 1,000 condominiums in the heart of the city. Its corporate tax bill honestly computed came to 15 million euros, but the company had paid nothing at all. Zero. To evade taxes it had done several things. First, it never declared itself a corporation; second, it employed one of the dozens of companies that do nothing but create fraudulent receipts for expenses never incurred and then, when the tax collector stumbled upon the situation, offered him a bribe. The tax collector blew the whistle and referred the case to his bosses—whereupon he found himself being tailed by a private investigator, and his phones tapped. In the end the case was resolved, with the construction company paying 2,000 euros. “After that I was taken off all tax investigations,” said the tax collector, “because I was good at it.”

The Greek state was not just corrupt but also corrupting. Once you saw how it worked you could understand a phenomenon which otherwise made no sense at all: the difficulty Greek people have saying a kind word about one another. Individual Greeks are delightful: funny, warm, smart, and good company. I left two dozen interviews saying to myself, “What great people!” They do not share the sentiment about one another: the hardest thing to do in Greece is to get one Greek to compliment another behind his back. No success of any kind is regarded without suspicion. Everyone is pretty sure everyone is cheating on his taxes, or bribing politicians, or taking bribes, or lying about the value of his real estate. And this total absence of faith in one another is self-reinforcing. The epidemic of lying and cheating and stealing makes any sort of civic life impossible; the collapse of civic life only encourages more lying, cheating, and stealing. Lacking faith in one another, they fall back on themselves and their families.

The structure of the Greek economy is collectivist, but the country, in spirit, is the opposite of a collective. Its real structure is every man for himself. Into this system investors had poured hundreds of billions of dollars. And the credit boom had pushed the country over the edge, into total moral collapse.

The Vatopaidi monastery, along with 19 others, was built in the 10th century on a 37-mile-long-by-6-mile-wide peninsula in northeast Greece, called Mount Athos. Mount Athos now is severed from the mainland by a long fence, and so the only way onto it is by boat, which gives the peninsula the flavor of an island. And on this island no women are allowed—no female animals of any kind, in fact, except for cats. The official history ascribes the ban to the desire of the church to honor the Virgin; the unofficial one to the problem of monks hitting on female visitors. The ban has stood for 1,000 years.

The ferry chugs for three hours along a rocky, wooded, but otherwise barren coastline, stopping along the way to drop monks and pilgrims and guest workers at other monasteries. The sight of the first one just takes my breath away. It’s not a building but a spectacle: it’s as if someone had taken Assisi or Todi or one of the other old central-Italian hill towns and plopped it down on the beach, in the middle of nowhere. Unless you know what to expect on Mount Athos—it has been regarded by the Eastern Orthodox Church for more than a millennium as the holiest place on earth, and it enjoyed for much of that time a symbiotic relationship with Byzantine emperors—these places come as a shock. There’s nothing modest about them; they are grand and complicated and ornate and obviously in some sort of competition with one another. In the old days, pirates routinely plundered them, and you can see why: it would be almost shameful not to, for a pirate.

Otherwise the experience was sensational, to be recommended to anyone looking for a taste of 10th-century life. Beneath titanic polished golden chandeliers, and surrounded by freshly cleaned icons, the monks sang; the monks chanted; the monks vanished behind screens to utter strange incantations; the monks shook what sounded like sleigh bells; the monks floated by waving thuribles, leaving in their wake smoke and the ancient odor of incense. Every word that was said and sung and chanted was Biblical Greek (it seemed to have something to do with Jesus Christ), but I nodded right along anyway. I stood when they stood, and sat when they sat: up and down we went like pogos, for hours. The effect of the whole thing was heightened by the monks’ magnificently wild beards. Even when left to nature, beards do not all grow in the same way. There are types: the hopelessly porous mass of fuzz; the Osama bin Laden/Assyrian-king trowel; the Karl Marx bird’s nest. A surprising number of the monks resembled the Most Interesting Man in the World from the Dos Equis commercial. (“His beard alone has experienced more than a lesser man’s entire body.”)

For most of the 1980s and 1990s, Greek interest rates had run a full 10 percent higher than German ones, as Greeks were regarded as far less likely to repay a loan. There was no consumer credit in Greece: Greeks didn’t have credit cards. Greeks didn’t usually have mortgage loans either.

But this question of whether Greece will repay its debts is really a question of whether Greece will change its culture, and that will happen only if Greeks want to change. I am told 50 times if I am told once that what Greeks care about is “justice” and what really boils the Greek blood is the feeling of unfairness. Obviously this distinguishes them from no human being on the planet, and ignores what’s interesting: exactly what a Greek finds unfair. It’s clearly not the corruption of their political system. It’s not cheating on their taxes, or taking small bribes in their service to the state. No: what bothers them is when some outside party—someone clearly different from themselves, with motives apart from narrow and easily understood self-interest—comes in and exploits the corruption of their system.

Bernie Madoff & the 1st worldwide Ponzi scheme

From Diana B. Henrioques’s “Madoff Scheme Kept Rippling Outward, Across Borders” (The New York Times: 20 December 2008):

But whatever else Mr. Madoff’s game was, it was certainly this: The first worldwide Ponzi scheme — a fraud that lasted longer, reached wider and cut deeper than any similar scheme in history, entirely eclipsing the puny regional ambitions of Charles Ponzi, the Boston swindler who gave his name to the scheme nearly a century ago.

Regulators say Mr. Madoff himself estimated that $50 billion in personal and institutional wealth from around the world was gone. … Before it evaporated, it helped finance Mr. Madoff’s coddled lifestyle, with a Manhattan apartment, a beachfront mansion in the Hamptons, a small villa overlooking Cap d’Antibes on the French Riviera, a Mayfair office in London and yachts in New York, Florida and the Mediterranean.

In 1960, as Wall Street was just shaking off its postwar lethargy and starting to buzz again, Bernie Madoff (pronounced MAY-doff) set up his small trading firm. His plan was to make a business out of trading lesser-known over-the-counter stocks on the fringes of the traditional stock market. He was just 22, a graduate of Hofstra University on Long Island.

By 1989, Mr. Madoff ‘s firm was handling more than 5 percent of the trading volume on the august New York Stock Exchange …

And in 1990, he became the nonexecutive chairman of the Nasdaq market, which at the time was operated as a committee of the National Association of Securities Dealers.

His rise on Wall Street was built on his belief in a visionary notion that seemed bizarre to many at the time: That stocks could be traded by people who never saw each other but were connected only by electronics.

In the mid-1970s, he had spent over $250,000 to upgrade the computer equipment at the Cincinnati Stock Exchange, where he began offering to buy and sell stocks that were listed on the Big Board. The exchange, in effect, was transformed into the first all-electronic computerized stock exchange.

He also invested in new electronic trading technology for his firm, making it cheaper for brokerage firms to fill their stock orders. He eventually gained a large amount of business from big firms like A. G. Edwards & Sons, Charles Schwab & Company, Quick & Reilly and Fidelity Brokerage Services.

By the end of the technology bubble in 2000, his firm was the largest market maker on the Nasdaq electronic market, and he was a member of the Securities Industry Association, now known as the Securities Industry and Financial Markets Association, Wall Street’s principal lobbying arm.

Malware forges online bank statements to hide fraud

From Kim Zetter’s “New Malware Re-Writes Online Bank Statements to Cover Fraud” (Wired: 30 September 2009):

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s log in credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers …

Finjan provided law enforcement officials with details about the gang’s activities and says the hosting company for the Ukraine server has since suspended the domain for the command and control center. But Finjan estimates that a gang using the scheme unimpeded could rake in about $7.3 million annually.

Various confidence scams, tricks, & frauds

From “List of confidence tricks” (Wikipedia: 3 July 2009):

Get-rich-quick schemes

Get-rich-quick schemes are extremely varied. For example, fake franchises, real estate “sure things”, get-rich-quick books, wealth-building seminars, self-help gurus, sure-fire inventions, useless products, chain letters, fortune tellers, quack doctors, miracle pharmaceuticals, Nigerian money scams, charms and talismans are all used to separate the mark from his money. Variations include the pyramid scheme, Ponzi scheme and Matrix sale.

Count Victor Lustig sold the “money-printing machine” which could copy $100 bills. The client, sensing huge profits, would buy the machines for a high price (usually over $30,000). Over the next twelve hours, the machine would produce just two more $100 bills, but after that it produced only blank paper, as its supply of hidden $100 bills would have become exhausted. This type of scheme is also called the “money box” scheme.

The wire game, as depicted in the movie The Sting, trades on the promise of insider knowledge to beat a gamble, stock trade or other monetary action. In the wire game, a “mob” composed of dozens of grifters simulates a “wire store”, i.e., a place where results from horse races are received by telegram and posted on a large board, while also being read aloud by an announcer. The griftee is given secret foreknowledge of the race results minutes before the race is broadcast, and is therefore able to place a sure bet at the wire store. In reality, of course, the con artists who set up the wire store are the providers of the inside information, and the mark eventually is led to place a large bet, thinking it to be a sure win. At this point, some mistake is made, which actually makes the bet a loss. …

Salting or to salt the mine are terms for a scam in which gems or gold ore are planted in a mine or on the landscape, duping the greedy mark into purchasing shares in a worthless or non-existent mining company.[2] During the Gold Rush, scammers would load shotguns with gold dust and shoot into the sides of the mine to give the appearance of a rich ore, thus “salting the mine”. …

The Spanish Prisoner scam – and its modern variant, the advance fee fraud or Nigerian scam – take advantage of the victim’s greed. The basic premise involves enlisting the mark to aid in retrieving some stolen money from its hiding place. The victim sometimes believes he can cheat the con artists out of their money, but anyone trying this has already fallen for the essential con by believing that the money is there to steal (see also Black money scam). …

Many conmen employ extra tricks to keep the victim from going to the police. A common ploy of investment scammers is to encourage a mark to use money concealed from tax authorities. The mark cannot go to the authorities without revealing that he or she has committed tax fraud. Many swindles involve a minor element of crime or some other misdeed. The mark is made to think that he or she will gain money by helping fraudsters get huge sums out of a country (the classic Nigerian scam); hence marks cannot go to the police without revealing that they planned to commit a crime themselves.

Gold brick scams

Gold brick scams involve selling a tangible item for more than it is worth; named after selling the victim an allegedly golden ingot which turns out to be gold-coated lead.

Pig-in-a-poke originated in the late Middle Ages. The con entails a sale of a (suckling) “pig” in a “poke” (bag). The bag ostensibly contains a live healthy little pig, but actually contains a cat (not particularly prized as a source of meat, and at any rate, quite unlikely to grow to be a large hog). If one buys a “pig in a poke” without looking in the bag (a colloquial expression in the English language, meaning “to be a sucker”), the person has bought something of less value than was assumed, and has learned firsthand the lesson caveat emptor.

The Thai gem scam involves layers of con men and helpers who tell a tourist in Bangkok of an opportunity to earn money by buying duty-free jewelry and having it shipped back to the tourist’s home country. The mark is driven around the city in a tuk-tuk operated by one of the con men, who ensures that the mark meets one helper after another, until the mark is persuaded to buy the jewelry from a store also operated by the swindlers. The gems are real but significantly overpriced. This scam has been operating for 20 years in Bangkok, and is said to be protected by Thai police and politicians. A similar scam usually runs in parallel for custom-made suits.

Extortion or false-injury tricks

The badger game extortion is often perpetrated on married men. The mark is deliberately coerced into a compromising position, a supposed affair for example, then threatened with public exposure of his acts unless blackmail money is paid.

The Melon Drop is a scam in which the scammer will intentionally bump into the mark and drop a package containing (already broken) glass. He will blame the damage on the clumsiness of the mark, and demand money in compensation. This con arose when artists discovered that the Japanese paid large sums of money for watermelons. The scammer would go to a supermarket to buy a cheap watermelon, then bump into a Japanese tourist and set a high price.

Gambling tricks

Three-card Monte, ‘Find The Queen’, the “Three-card Trick”, or “Follow The Lady”, is (except for the props) essentially the same as the probably centuries-older shell game or thimblerig. The trickster shows three playing cards to the audience, one of which is a queen (the “lady”), then places the cards face-down, shuffles them around and invites the audience to bet on which one is the queen. At first the audience is skeptical, so the shill places a bet and the scammer allows him to win. In one variation of the game, the shill will (apparently surreptitiously) peek at the lady, ensuring that the mark also sees the card. This is sometimes enough to entice the audience to place bets, but the trickster uses sleight of hand to ensure that they always lose, unless the conman decides to let them win, hoping to lure them into betting much more. The mark loses whenever the dealer chooses to make him lose. This con appears in the Eric Garcia novel Matchstick Men and is featured in the movie Edmond.

A variation on this scam exists in Barcelona, Spain, but with the addition of a pickpocket. The dealer and shill behave in an overtly obvious manner, attracting a larger audience. When the pickpocket succeeds in stealing from a member of the audience, he signals the dealer. The dealer then shouts the word “aqua”, and the three split up. The audience is left believing that “aqua” is a code word indicating the police are coming, and that the performance was a failed scam.

In the Football Picks Scam the scammer sends out tip sheet stating a game will go one way to 100 potential victims and the other way to another 100. The next week, the 100 or so who received the correct answer are divided into two groups and fed another pick. This is repeated until a small population have (apparently) received a series of supernaturally perfect picks, then the final pick is offered for sale. Despite being well-known (it was even described completely on an episode of The Simpsons and used by Derren Brown in “The System”), this scam is run almost continuously in different forms by different operators. The sports picks can also be replaced with securities, or any other random process, in an alternative form. This scam has also been called the inverted pyramid scheme, because of the steadily decreasing population of victims at each stage.

Visitors to Las Vegas or other gambling towns often encounter the Barred Winner scam, a form of advance fee fraud performed in person. The artist will approach his mark outside a casino with a stack or bag of high-value casino chips and say that he just won big, but the casino accused him of cheating and threw him out without letting him redeem the chips. The artist asks the mark to go in and cash the chips for him. The artist will often offer a percentage of the winnings to the mark for his trouble. But, when the mark agrees, the artist feigns suspicion and asks the mark to put up something of value “for insurance”. The mark agrees, hands over jewelry, a credit card or their wallet, then goes in to cash the chips. When the mark arrives at the cashier, they are informed the chips are fake. The artist, by this time, is long gone with the mark’s valuables.

False reward tricks

The glim-dropper requires several accomplices, one of whom must be a one-eyed man. One grifter goes into a store and pretends he has lost his glass eye. Everyone looks around, but the eye cannot be found. He declares that he will pay a thousand-dollar reward for the return of his eye, leaving contact information. The next day, an accomplice enters the store and pretends to find the eye. The storekeeper (the intended griftee), thinking of the reward, offers to take it and return it to its owner. The finder insists he will return it himself, and demands the owner’s address. Thinking he will lose all chance of the reward, the storekeeper offers a hundred dollars for the eye. The finder bargains him up to $250, and departs.…

The fiddle game uses the pigeon drop technique. A pair of con men work together, one going into an expensive restaurant in shabby clothes, eating, and claiming to have left his wallet at home, which is nearby. As collateral, the con man leaves his only worldly possession, the violin that provides his livelihood. After he leaves, the second con man swoops in, offers an outrageously large amount (for example $50,000) for such a rare instrument, then looks at his watch and runs off to an appointment, leaving his card for the mark to call him when the fiddle-owner returns. The mark’s greed comes into play when the “poor man” comes back, having gotten the money to pay for his meal and redeem his violin. The mark, thinking he has an offer on the table, then buys the violin from the fiddle player (who “reluctantly” sells it eventually for, say, $5,000). The result is the two conmen are $5,000 richer (less the cost of the violin), and the mark is left with a cheap instrument.

Other confidence tricks and techniques

The Landlord Scam advertises an apartment for rent at an attractive price. The con artist, usually someone who is house-sitting or has a short-term sublet at the unit, takes a deposit and first/last month’s rent from every person who views the suite. When move-in day arrives, the con artist is of course gone, and the apartment belongs to none of the angry people carrying boxes.

Change raising is a common short con and involves an offer to change an amount of money with someone, while at the same time taking change or bills back and forth to confuse the person as to how much money is actually being changed. The most common form, “the Short Count”, has been featured prominently in several movies about grifting, notably Nueve Reinas, The Grifters and Paper Moon. A con artist shopping at, say a gas station, is given 80 cents in change because he lacks two dimes to complete the sale (say the sale cost is $19.20 and the con man has a 20 dollar bill). He goes out to his car and returns a short time later, with 20 cents. He returns them, saying that he found the rest of the change to make a dollar, and asking for a bill so he will not have to carry coins. The confused store clerk agrees, exchanging a dollar for the 20 cents the conman returned. In essence, the mark makes change twice.

Beijing tea scam is a famous scam in and around Beijing. The artists (usually female and working in pairs) will approach tourists and try to make friends. After chatting, they will suggest a trip to see a tea ceremony, claiming that they have never been to one before. The tourist is never shown a menu, but assumes that this is how things are done in China. After the ceremony, the bill is presented to the tourist, charging upwards of $100 per head. The artists will then hand over their bills, and the tourists are obliged to follow suit.

Stolen credit card data is cheaper than ever in the Underground

From Brian Krebs’ “Glut of Stolen Banking Data Trims Profits for Thieves” (The Washington Post: 15 April 2009):

A massive glut in the number of credit and debit cards stolen in data breaches at financial institutions last year has flooded criminal underground markets that trade in this material, driving prices for the illicit goods to the lowest levels seen in years, experts have found.

For a glimpse of just how many financial records were lost to hackers last year, consider the stats released this week by Verizon Business. The company said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.

As a result, the stolen identities and credit and debit cards for sale in the underground markets is outpacing demand for the product, said Bryan Sartin, director of investigative response at Verizon Business.

Verizon found that profit margins associated with selling stolen credit card data have dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.

According to a study released last week by Symantec Corp., the price for each card can be sold for as low as 6 cents when they are purchased in bulk.

Lawrence Baldwin, a security consultant in Alpharetta, Ga., has been working with several financial institutions to help infiltrate illegal card-checking services. Baldwin estimates that at least 25,000 credit and debit cards are checked each day at three separate illegal card-checking Web sites he is monitoring. That translates to about 800,000 cards per month or nearly 10 million cards each year.

Baldwin said the checker sites take advantage of authentication weaknesses in the card processing system that allow merchants to conduct so-called “pre-authorization requests,” which merchants use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services.

Pre-authorization requests are quite common. When a waiter at a restaurant swipes a customer’s card and brings the receipt to the table so the customer can add a tip, for example, that initial charge is essentially a pre-authorization.

With these card-checking services, however, in most cases the charge initiated by the pre-authorization check is never consummated. As a result, unless a consumer is monitoring their accounts online in real-time, they may never notice a pre-authorization initiated by a card-checking site against their card number, because that query won’t show up as a charge on the customer’s monthly statement.

The crooks have designed their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number combined with a completely unrelated merchant name, Baldwin discovered.

One of the many innocent companies caught up in one of these card-checking services is Wild Birds Unlimited, a franchise pet store outside of Buffalo, N.Y. Baldwin said a fraudulent card-checking service is running pre-authorization requests using Wild Bird’s store name and phone number in combination with another merchant’s ID number.

Danielle Pecoraro, the store’s manager, said the bogus charges started in January 2008. Since then, she said, her store has received an average of three to four phone calls each day from people who had never shopped there, wondering why small, $1-$10 charges from her store were showing up on their monthly statements. Some of the charges were for as little as 24 cents, and a few were for as much as $1,900.

The light bulb con job

From Bruce Schneier’s “The Psychology of Con Men” (Crypto-Gram: 15 November 2008):

Great story: “My all-time favourite [short con] only makes the con artist a few dollars every time he does it, but I absolutely love it. These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb, and it would cost you, say $5, so a fraction of the cost of what new lightbulbs would cost. So the man comes in, he replaces each lightbulb, every single one in the house, and does it, you can check, and they all work, and then he takes all the lightbulbs that he’s just taken from the person’s house, goes next door and then sells them the same lightbulbs again. So it’s really just moving lightbulbs from one house to another and charging people a fee to do it.”

Small charges on your credit card – why?

Too Much Credit
Creative Commons License photo credit: Andres Rueda

From Brian Kreb’s “An Odyssey of Fraud” (The Washington Post: 17 June 2009):

Andy Kordopatis is the proprietor of Odyssey Bar, a modest watering hole in Pocatello, Idaho, a few blocks away from Idaho State University. Most of his customers pay for their drinks with cash, but about three times a day he receives a phone call from someone he’s never served — in most cases someone who’s never even been to Idaho — asking why their credit or debit card has been charged a small amount by his establishment.

Kordopatis says he can usually tell what’s coming next when the caller immediately asks to speak with the manager or owner.

“That’s when I start telling them that I know why they’re calling, and about the Russian hackers who are using my business,” Kordopatis said.

The Odyssey Bar is but one of dozens of small establishments throughout the United States seemingly picked at random by organized cyber criminals to serve as unwitting pawns in a high-stakes game of chess against the U.S. financial system. This daily pattern of phone calls and complaints has been going on for more than a year now. Kordopatis said he has talked to the company that processes his bar’s credit card payments about fixing the problem, but says they can’t do anything because he hasn’t actually lost any money from the scam.

The Odyssey Bar’s merchant account is being abused by online services that cyber thieves built to help other crooks check the balances and limits on stolen credit and debit card account numbers.

The Uncanny Valley, art forgery, & love

Apply new wax to old wood
Creative Commons License photo credit: hans s

From Errol Morris’ “Bamboozling Ourselves (Part 2)” (The New York Times: 28 May 2009):

[Errol Morris:] The Uncanny Valley is a concept developed by the Japanese robot scientist Masahiro Mori. It concerns the design of humanoid robots. Mori’s theory is relatively simple. We tend to reject robots that look too much like people. Slight discrepancies and incongruities between what we look like and what they look like disturb us. The closer a robot resembles a human, the more critical we become, the more sensitive to slight discrepancies, variations, imperfections. However, if we go far enough away from the humanoid, then we much more readily accept the robot as being like us. This accounts for the success of so many movie robots — from R2-D2 to WALL-E. They act like humans but they don’t look like humans. There is a region of acceptability — the peaks around The Uncanny Valley, the zone of acceptability that includes completely human and sort of human but not too human. The existence of The Uncanny Valley also suggests that we are programmed by natural selection to scrutinize the behavior and appearance of others. Survival no doubt depends on such an innate ability.

EDWARD DOLNICK: [The art forger Van Meegeren] wants to avoid it. So his big challenge is he wants to paint a picture that other people are going to take as Vermeer, because Vermeer is a brand name, because Vermeer is going to bring him lots of money, if he can get away with it, but he can’t paint a Vermeer. He doesn’t have that skill. So how is he going to paint a picture that doesn’t look like a Vermeer, but that people are going to say, “Oh! It’s a Vermeer?” How’s he going to pull it off? It’s a tough challenge. Now here’s the point of The Uncanny Valley: as your imitation gets closer and closer to the real thing, people think, “Good, good, good!” — but then when it’s very close, when it’s within 1 percent or something, instead of focusing on the 99 percent that is done well, they focus on the 1 percent that you’re missing, and you’re in trouble. Big trouble.

Van Meegeren is trapped in the valley. If he tries for the close copy, an almost exact copy, he’s going to fall short. He’s going to look silly. So what he does instead is rely on the blanks in Vermeer’s career, because hardly anything is known about him; he’s like Shakespeare in that regard. He’ll take advantage of those blanks by inventing a whole new era in Vermeer’s career. No one knows what he was up to all this time. He’ll throw in some Vermeer touches, including a signature, so that people who look at it will be led to think, “Yes, this is a Vermeer.”

Van Meegeren was sometimes careful, other times astonishingly reckless. He could have passed certain tests. What was peculiar, and what was quite startling to me, is that it turned out that nobody ever did any scientific test on Van Meegeren, even the stuff that was available in his day, until after he confessed. And to this day, people hardly ever test pictures, even multi-million dollar ones. And I was so surprised by that that I kept asking, over and over again: why? Why would that be? Before you buy a house, you have someone go through it for termites and the rest. How could it be that when you’re going to lay out $10 million for a painting, you don’t test it beforehand? And the answer is that you don’t test it because, at the point of being about to buy it, you’re in love! You’ve found something. It’s going to be the high mark of your collection; it’s going to be the making of you as a collector. You finally found this great thing. It’s available, and you want it. You want it to be real. You don’t want to have someone let you down by telling you that the painting isn’t what you think it is. It’s like being newly in love. Everything is candlelight and wine. Nobody hires a private detective at that point. It’s only years down the road when things have gone wrong that you say, “What was I thinking? What’s going on here?” The collector and the forger are in cahoots. The forger wants the collector to snap it up, and the collector wants it to be real. You are on the same side. You think that it would be a game of chess or something, you against him. “Has he got the paint right?” “Has he got the canvas?” You’re going to make this checkmark and that checkmark to see if the painting measures up. But instead, both sides are rooting for this thing to be real. If it is real, then you’ve got a masterpiece. If it’s not real, then today is just like yesterday. You’re back where you started, still on the prowl.