<![CDATA[Consumerist: Phishing]]> http://consumerist.com/tag/phishing <![CDATA[ Are You Sure You Want To Add That Facebook App? ]]> Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as it is when they are using the first-party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall applications as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.
This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user ids, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory

Bottom line: if you're going to use Facebook, be aware that there's no guarantee that the app you just added to your page was well-written or secure against basic hacking techniques.
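As an added illustration (not code from the post, the 2600 article, Facebook, or any of the apps named), here is a Python sketch of the pattern Gregory describes: a mood handler that trusts the uid in the submitted form, next to a fixed version that takes ownership from the server-side session and checks friendship before exposing a history. It assumes the app server already knows the authenticated user's id from Facebook's signed session parameters (verifying that signature is outside this snippet); the in-memory store and the uids are constructed.

```python
"""Client-supplied uid versus server-side identity in a Mood-style app."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not view the target user's data."""


@dataclass
class MoodStore:
    """Constructed in-memory stand-in for the application's database."""
    moods: dict = field(default_factory=dict)        # uid -> current mood
    history: dict = field(default_factory=dict)      # uid -> list of past moods
    friends: dict = field(default_factory=dict)      # uid -> set of friend uids
    tamper_log: list = field(default_factory=list)   # (session_uid, form_uid)


def set_mood_vulnerable(store, session_uid, form):
    """The pattern the 2600 article describes: the uid is read from the
    submitted form, so editing that field before submission changes
    another user's mood. The authenticated session_uid is never consulted."""
    uid = form["uid"]                              # client-controlled value
    store.moods[uid] = form["mood"]
    store.history.setdefault(uid, []).append(form["mood"])
    return uid


def set_mood_fixed(store, session_uid, form):
    """Ownership comes from the authenticated session the server already
    holds, never from the form. A form uid that disagrees with the session
    is a tampering signal worth logging, and is otherwise ignored."""
    if form.get("uid", session_uid) != session_uid:
        store.tamper_log.append((session_uid, form["uid"]))
    store.moods[session_uid] = form["mood"]
    store.history.setdefault(session_uid, []).append(form["mood"])
    return session_uid


def get_history_vulnerable(store, session_uid, target_uid):
    """No permission check: anyone with the app can read anyone's history."""
    return list(store.history.get(target_uid, []))


def can_view_history(store, session_uid, target_uid):
    """Only the owner, or someone the owner lists as a friend, may view."""
    return target_uid == session_uid or session_uid in store.friends.get(target_uid, set())


def get_history_fixed(store, session_uid, target_uid):
    """Same read as above, gated on the friendship check."""
    if not can_view_history(store, session_uid, target_uid):
        raise Forbidden(f"{session_uid} may not view {target_uid}'s history")
    return list(store.history.get(target_uid, []))
```

The tamper log is the detection side: in a real deployment a mismatch between the session user and the form uid is exactly the event worth alerting on.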

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

]]>
Wed, 26 Mar 2008 21:47:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=372699&view=rss&microfeed=true
<![CDATA[ This Is Why Phishing Works ]]> The following (sad) letter yesterday from reader H demonstrates why phishing works:

Dear Sir:

I have an e-mail telling me that I have an online banking account with Bank of America. We have never used or will use the internet for banking. The mailing requests information. Is this actually a mailing from your bank?

The email address of the sender is "Bank of America". The underline was put in by my computer. It appears that the email was sent from New Zealand. Is this true? Is the statement that we have an account with you true? I need to know if there has been a theft of our ID. None of the links at the bottom of the email work. Thank you for your help.

Please share what you know about phishing with your friends and family. Below are some links that will help educate them so that they don't have to rely on their instincts to spot a fraud.

Consumer Advice: How to Avoid Phishing Scams [Anti-Phishing Group]
Recognize phishing scams and fraudulent e-mails [Microsoft]
(Photo: The Joy Of The Mundane)

]]>
Wed, 26 Mar 2008 08:27:30 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=372149&view=rss&microfeed=true
<![CDATA[ Any Joe Sixpack Can Be A Phisher ]]> The popular conception of phishers is of shadowy electronic masterminds, using a mix of technical prowess, deception and anonymity to trick consumers into handing over their bank account details. Actually, most of them are too stupid to design their own websites. That's what two security researchers found when they delved deep into the online phishing community.

Their research revealed that most phishers use ready-made kits which are made by a small group of people and then sold and traded online. All you have to do is fill in a few form fields, give it an email address to send people's bank account info to, and deploy it on a compromised server. Boom, insta-phishing scam. What's more, the kits, servers and programs all routinely have backdoors built in, so the phishers are phishing the phishers. It's amazing to think that the greatest threat to the modern banking system is being perpetuated by a network of average people whose only unique talent is their capacity for immorality.

Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground [Net Security]
(Photo: Getty)

]]>
Mon, 17 Mar 2008 10:36:55 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=368374&view=rss&microfeed=true
<![CDATA[ Animals Bring Phishing Call To Life ]]> Chris went ahead and added some animal pictures to make a video of that phone call between a scammer and a Southern gentleman. A weasel plays the Indian phisher, a hound dog plays the gentleman, and a goose plays his wife. Go back to the post and watch it, it's even funnier than the original.

]]>
Tue, 26 Feb 2008 23:09:25 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=361195&view=rss&microfeed=true
<![CDATA[ Man Records Phishing Call ]]> A man in Virginia who apparently likes to record suspicious phone calls captured a very funny 10-minute talk with the world's clumsiest phisher who called his house trying to get his bank account number. His local news station reports, "Howard says he recorded it because he wanted to help people by putting it on the news."

Update: A lot of people were having trouble with the linked wma file, so we've got the full audio after the jump.

We love this call partly because of the war of accents, with Howard Beasley's slow Virginia drawl going head-to-head against what sounds like a young Indian man—we like to pretend Howard is a cartoon basset hound and the phisher is a cartoon weasel.

Howard Beasley told the caller he was being recorded, but the man didn't hang up.

The caller said, "I'm a representative of the United States Banking commission and by mistake we took $481 out of your checking account," says Howard Beasley.

Howard Beasley started recording.

Howard: The government cannot take money out of your account. So I know this is nothing but a scam.

For ten minutes, an extremely persistent man tried everything he could think of to get Howard's account number, which the man said he needed in order to give back the money.

Caller: What's your bank account number?
Howard: If you got it out, you've got the number.
Caller: Please verify me your account number.
Howard: No way.
Caller: Please verify me your account number.
Howard: No way.
Caller: You don't want the money? You don't want your money?
Howard: I don't want to be scammed.
Caller: Sir, you are not a scam. You have no right to talk to me like that.
Howard: I can tell you to take the $480 dollars and shove it up your *** that's what I can tell you.

The tape continues to roll as the caller spits out Howard's address and threatens to pay him an unwelcome visit.

Caller: I'm just coming within two days with two FBI agents, OK.
Howard: Well, you come down here with two FBI agents.
Howard: I'll have them same two FBI agents on you.
Caller: OK, you just wait and watch. I'm coming within two days.
Howard: Well, you bring 'em here. I've got a 357. I'll put your name on it.

Another brilliant moment: about three and a half minutes in, his wife calls out, "Who are you talking to!?" right after he tells the guy he has a 357. Then she starts yelling at the scammer that her husband has a heart condition. We're pretty sure the scammer had no idea what he was in for when he called this number.

(Thanks to Nicole!)

"Scam Scanner" [WSLS]
(Photos: Weasel: graham; Hounds: Chrys Omori and C Maranon; Goose: ~Sage~)

]]>
Tue, 26 Feb 2008 12:37:37 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=360921&view=rss&microfeed=true
<![CDATA[ USPS & FTC Mail Out "Avoid ID Theft" Brochure ]]> Today we received a handy brochure (PDF) in the mail from the postal service. "Deter, Detect, Defend," it reads, and it offers a bunch of handy reminders of what to look out for when it comes to protecting your identity, and what to do if you suspect it's been stolen. If yours was stolen (ha ha, we kid!), you can read or download it from the FTC's ID theft website.

The website has a lot of other useful resources as well, like how to detect and avoid phishing scams, what to do if you suspect your identity has been stolen, and a printable ID theft affidavit (PDF) to send to creditors.

"Deter, Detect, Defend" Brochure (PDF) [FTC]
Text-only version of brochure [FTC]

RELATED
www.ftc.gov/idtheft

]]>
Wed, 20 Feb 2008 22:13:19 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=358951&view=rss&microfeed=true
<![CDATA[ Is HSBC Straining Under An "Unprecedented" Wave Of Fraud Activity? ]]> If you're an HSBC customer, check your account, as there may be a wave of fraudulent activity hitting your bank. Two days ago we wrote about the guy in the U.S. who discovered his account had been drained by someone in Bulgaria. Later that day we received an email from Emily in NYC who was having similar problems, only her fraud-buddy was in California and Canada making withdrawals on her account.
 
Emily's fiancé wrote back to us today with an update, and according to Emily, the HSBC Fraud Investigator who spoke to her "said that their fraud department was so overwhelmed, it was 'still in the developing stage of how we're going to handle' it. I asked if she knew how many customers were affected and she stated 'We don't even know.'"

First, here's Emily's original email from two days ago:

I am sitting here in amazement after reading your post "HSBC Won't Tell You Someone in Bulgaria is Stealing $2,000 From You" because the exact same thing happened to me today, just substitute Pasadena and Canada for Bulgaria. I logged in to my personal internet banking this afternoon to review my account so that I could pay some bills. I noticed that my bank balance was about $3600 while my available balance was $300. There were no transactions listed after Friday, 2/15. I knew I had used my debit/atm card all weekend, all around Manhattan and Brooklyn. I called customer service and encountered, almost to a script, the same spiel as your reader from someone named "Dar". There was some sort of hold, but he couldn't get information about it. Eventually he found that there were two withdrawals of $500 each at a Wachovia bank that seemed suspicious. I confirmed that I had not made those withdrawals. He was not able to tell me what state the withdrawals were made in. I asked if the best thing to do would be to go to an HSBC ATM and take out the last $300 in my account, so that I wouldn't lose that too, and he agreed. So, I left work early to get to the ATM. Dar advised that because today is a national holiday in the US, none of this information would process in my account until at least 6 am Tuesday, but that I would not be able to file a fraud report until WEDNESDAY! He had no answer for me when I asked why I hadn't been alerted to suspicious activity when my card had been used on opposite coasts and in ANOTHER COUNTRY all during the same weekend.

The ATM did not allow me to make any withdrawals. I tried various amounts from $300 down to $60 and each time got an error message that the "Amount Requested Exceeded the Limit". I called customer service again and this time was luckily connected to someone named Maria (and I hate to say this, but Maria, unlike Dar, sounded like a native English speaker). Maria went through various fraudulent transactions: $800 withdrawal in Pasadena, $500 twice in Canada, another $62 in Pasadena, as well as $1000 in Santa Monica. She was able to process a fraud report today, interesting, since Dar said that couldn't be done until Wednesday! My account will not be credited for 10-11 business days and I should receive a new card in 7-10 days. I also was able to immediately change my PIN. I was told that I would be able to withdraw the remaining amount from the branch tomorrow morning. (Let's hope.)

And here's the update sent in today, after Emily was finally able to get some more information from HSBC's fraud department:

On Tuesday morning, I went to a local branch to get additional information and withdraw the remaining balance in my account. The associate at the local branch was helpful and contacted the fraud department on my behalf. Eventually I was provided with the name of the Fraud Investigator handling my case. I tried calling her several times on Tuesday afternoon, but kept getting voicemail. I left a voicemail around 5 pm. I attempted to call her again this morning. When I got voicemail, I dialed a random extension, to try to get to speak to a person (there is no operator). I did get someone in the Internet Banking department, who was kind enough to get me connected to someone in the fraud department (after both he and I waited on hold for about 30 minutes, no exaggeration). I was connected to someone named Ella _____, who said that she only dealt with Fraud in applications, so therefore she wouldn't be able to help me. As I tried to explain the situation, Ms. _____ was hostile toward me and escalated the tone of the conversation unnecessarily. I attempted to deescalate the conversation by explaining that I was quite upset that almost my entire bank account had been drained, that I was having a very hard time reaching someone who could help me and that her tone was not exactly helpful. She was then able to connect me to the Investigator handling my case, Sharon _____.

Ms. _____ was kind and helpful and explained that the extent of this fraud was essentially unprecedented for HSBC. She said that their fraud department was so overwhelmed, it was "still in the developing stage of how we're going to handle" it. I asked if she knew how many customers were affected and she stated "we don't even know." I asked if the magnitude of the fraud would delay the bank's ability to get everyone's account credited. She assured me that the bank's first priority was to credit every affected customer within 10 days. She explained that the bank was "probably" going to forego its usual requirements of paperwork such as fraud affidavits for affected customers, because the fraud here was obvious.

Ms. _____ stated that HSBC was trying to contact its customers and would be sending a letter regarding the fraud, but that it was so widespread that it didn't have the manpower to make a phone call to each affected customer, particularly where the focus was on trying to get the accounts credited. She advised that I monitor my account daily to check for the credit, because I would likely not receive notification from HSBC about it.

I'm appreciative of the information that I was able to receive today, and the reassurance that HSBC's priority was to get accounts credited as quickly as possible. However, I am dumbfounded that it took me three days to get the "full story" from HSBC, due to no lack of effort on my part. I think that the media needs to be alerted of this fraud, as HSBC is not able to contact all of its customers. People may be affected and not even know it yet. I obviously plan to change banks after this debacle, but do want to see that this is made public.

(Thanks to Corey & Emily!)

]]>
Wed, 20 Feb 2008 16:13:35 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=358842&view=rss&microfeed=true
<![CDATA[ IRS Warns Consumers Not To Fall For Rebate Scams ]]> The IRS would like you to know that it's not planning on emailing you about your tax rebate. "The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers," the agency warned yesterday.

"Stimulus" rebates have not yet been approved or signed by the president, but that's not stopping some scammers from taking advantage of consumers who are eagerly anticipating the cash.

If you have questions about your tax rebate or any other IRS-related issues... why not give them a call? Despite their reputation for being a bunch of psychos, they're actually helpful and nice. 1-800-829-1040

Or, if you prefer the internet, make sure you're visiting the real IRS page at IRS.gov.

If you do get some suspicious emails, help the IRS investigate the scammers by forwarding the messages to phishing@irs.gov.

How to Contact the IRS [IRS]

]]>
Thu, 31 Jan 2008 15:53:11 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=351261&view=rss&microfeed=true
<![CDATA[ Phishers Turn To Text Messages ]]> Phishers are now turning to text messages to get people to fork over their personal banking information. Con artists targeting southwest Missouri sent text messages to hundreds of cellphone users, telling them that their bank account had expired and directing them to a fake website with a URL containing the bank's name. There the website captured the login and password of anyone who logged in. Phishers will use any medium they can. If you receive a message purporting to be from your bank and you're not sure if it's legit, call your bank directly to verify its authenticity.

Con artists turn to text messaging [News-Leader via Consumer World Blog]
(Photo: Joi)

]]>
Wed, 16 Jan 2008 09:31:32 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=345464&view=rss&microfeed=true
<![CDATA[ Phishing Scams Hurt The Brands They Target ]]> Ars Technica reports that "42 percent of adults in the UK feel that their trust in a brand would be greatly reduced by receiving a phishing e-mail claiming to be from that brand, according to an online survey conducted by research firm YouGov."

While this is certainly unfair, we can't help but feel that it's probably true. The endless stream of phishing emails claiming to be from Bank of America makes us feel irritated with Bank of America even though we don't have an account there and know perfectly well that they aren't sending us phishing emails. Irrational? Certainly.

Anyway, here's the (obligatory) part of the post where we remind you not to click links in emails. Type them in yourself.

Study: It might not be fair, but customers lose faith in phished brands [Ars Technica]
(Photo: meghannmarco)

]]>
Mon, 26 Nov 2007 20:33:57 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=326694&view=rss&microfeed=true
<![CDATA[ IRS Warns Consumers Of "California Wildfire" Phishing Scam ]]>
The IRS is warning consumers of a new email scam going around posing as the IRS and soliciting donations for the California wildfire victims.

From the IRS:

In an effort to appear legitimate, the bogus e-mails include text from an actual speech about the wildfires by a member of the California Assembly.

The scam e-mail urges recipients to click on a link, which then opens what appears to be the IRS Web site but which is, in fact, a fake. An item on the phony Web site urges donations and includes a link that opens a donation form which requests the recipient's personal and financial information.

The IRS also warns that clicking the link downloads malware. "The malware will steal passwords and other account information it finds on the victim's computer system and send them to the scamster."

The IRS asks you to forward this email and any other IRS-related phishing scams you get to phishing@irs.gov.

IRS Warns of E-mail Scam Soliciting Donations to California Wildfire Victims [IRS]
(Photo: Richard DS)

]]>
Fri, 02 Nov 2007 18:43:37 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=318457&view=rss&microfeed=true
<![CDATA[ Security Firm Says Hackers Can Access Vonage Calls ]]> It's not a good week for Vonage. VoIP security firm Sipera has announced that it has discovered a vulnerability in Vonage's equipment that can allow hackers to take control of user accounts to intercept calls, make calls via the accounts, eavesdrop, or launch DoS attacks. Although most VoIP systems are about as secure as sending IM messages over a public wifi network (that is, not secure at all), Vonage has a couple of special problems with its Motorola adapters not authorizing requests, which leaves a special door open for bad people doing bad things. The problem also affects adapters from Grandstream and Globe7.

The Sipera website provides more details:

Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user's phone service with a "registration replay attack," then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of "ringing the phone off the hook" which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.

According to news reports today, Sipera alerted Vonage over a month ago but has never received a response.

"Sipera VIPER Lab Reveals Vonage Users Vulnerable to VoIP Identity Theft, Eavesdropping and Other Exploits" [Sipera]

RELATED
"Hackers can divert Vonage calls: security firm" [Reuters]
Sipera Threat Advisories Page
(Photo: Getty)

]]>
Fri, 26 Oct 2007 16:57:34 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=315741&view=rss&microfeed=true
<![CDATA[ Add Super-Protection To Your Logins With $5 Security Key ]]> If you have a PayPal or eBay account, or use OpenID to login to participating sites, then for $5 you can add a second layer of security that is virtually impossible to break unless the thief physically locates you and steals a little plastic device. The PayPal Security Key is a small, keychain-ready fob with a unique ID that's tied to your account. It generates a new six-digit code every 30 seconds, which you have to enter whenever you log in. The down side is you have to have your security key with you in order to read the code. But the benefits are huge: you basically have a second password that changes 2,880 times every day—and that isn't available anywhere online.

PayPal is selling the security keys directly, although they're made and maintained by Verisign. According to this technology blog, the keys "will work with many banks in the future," but Verisign makes no mention of this anywhere on its site. However, if you have begun to use an OpenID on sites like Basecamp, Zooomr, LiveJournal, Technorati, and hundreds of others, then you can create an OpenID account through Verisign and use the security key with OpenID.

If you lose the security key, PayPal says there are ways to verify your account in order to regain access, but they don't provide details on their website. So, uh, don't lose it.

[Update: Ben says if you lose your security key, you can regain access to your account by answering a few additional security questions.]
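As an added illustration of how a fob like this produces a fresh six-digit code every 30 seconds, and how the site on the other end should check it, here is a Python example that is not PayPal's or VeriSign's code. It assumes the widely used RFC 4226 HOTP / RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second time counter); the post does not say which algorithm the VeriSign token uses, and the sample secret is the reference value from those RFCs, not a real key.

```python
"""Time-based one-time codes of the kind a security-key fob displays.

Assumption: RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1, six digits and a
30-second step. This is a generic illustration, not the VeriSign token's code."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
CODES_PER_DAY = 24 * 60 * 60 // STEP_SECONDS   # 2,880, as the post says

# Reference secret from RFC 4226 / RFC 6238 test vectors; a sample, not a real key.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """Code the fob shows at Unix time `at_time`: HOTP over time // step."""
    return hotp(secret, int(at_time) // step)


class SecurityKeyVerifier:
    """Server side: accept the current step and one step either side (clock
    drift), but never a step at or before the last one already accepted, so a
    code a phisher captured from the user cannot be replayed later."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1          # highest time step accepted so far

    def verify(self, submitted: str, at_time=None) -> bool:
        now = int(time.time() if at_time is None else at_time)
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                # used already, or older than last use
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```

The second `verify` of the same code fails even though the clock has not moved, which is the property that makes a stolen code useless to a phisher after the victim has logged in once.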

PayPal Security Key [PayPal]
"PayPal's New Security Key Opens a World of Possibilities" [CaveMonkey50]

RELATED
Entry on OpenID [Wikipedia]
Verisign Identity Protection Token [Verisign]

]]>
Wed, 17 Oct 2007 11:38:22 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=311886&view=rss&microfeed=true
<![CDATA[ 6 Online Shopping Scams To Watch Out For ]]> SmartMoney has a list of six scams every online shopper should watch out for, but which we like to think Consumerist readers already know about. Still, better safe than sorry:

1. Missing Auction Goods - Auction fraud represents over a third of Internet scam complaints every year. Your safest bet is to pay with plastic so you gain the protections of the Fair Credit Billing Act. When plastic's not an option, setting up an account through PayPal or BillPay that connects to your credit card is the next best bet.

2. Free Stuff - You already know the drill—free Xbox 360! Right after you jump through these six customer acquisition hurdles and agree to these trial offers and sign up four friends. If there's a free deal you feel you have to take advantage of, use a disposable secondary email account. Heck, that's what Google and Yahoo! are there for.

3. Bogus Payments - We've covered check fraud here and also here. Don't ever accept checks for larger than the amount, and make sure they clear before you proceed with the rest of the transaction.

The other three scams are Stealth Sign-Ups, Fake Sites, and Counterfeit and Gray-Market Goods—read the full article for details.

"Six Online Shopping Scams" [SmartMoney]

RELATED
"Mystery Shopper Scam Now Comes Bundled With Check Fraud Scam!"
"Beware Bank Check Fraud"
(Photo: Getty)

]]>
Thu, 11 Oct 2007 13:47:16 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=309520&view=rss&microfeed=true
<![CDATA[ eBay Hacked, User Accounts Disabled, No Personal Information Compromised ]]> eBay has been hacked, says Ars Technica, and several members have had their accounts disabled. eBay's Trust and Safety team issued a statement in which they said (adorably) that the hacker was "a known fraudster to us."

eBay assured users that no credit card or financial information was compromised.

"This fraudster found very old administrative functions that had not been deactivated several years ago when we changed the security of our internal systems. These functions were still accessible on public servers, while the rest of our functionality is now behind multiple layers of security. We immediately identified the functions that he accessed and deactivated, and we are undergoing an audit to ensure obsolete code that may still exist for other reasons is secure."

Recently, quite a few eBay users fell victim to a phishing scam that exposed some of their personal data, but was linked to fake credit card numbers. Some suspect that the same hacker is responsible for both of the incidents.

Hacker exploits forgotten eBay administrative system [Ars Technica]

]]>
Wed, 10 Oct 2007 15:32:32 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=309291&view=rss&microfeed=true
<![CDATA[ Protect Yourself From Badware ]]> Stopbadware.org has just released its "Trends in Badware 2007" report, a free overview of all the ways you and your computer can be slipped digital roofies while you're online looking at LOLpornography and doing your banking through Twitter. It's written in a deliberately non-technical style, so if you're put off or intimidated by the Slashdot crowd, this is a great way to educate yourself or a naive loved one about the dangers of drive-by downloads, website hacking, and so on.

The report isn't the prettiest or most exciting thing to read, and the section on how to spot a fake MySpace profile is hilarious. (Wait, you mean I'm not friends with all these sexy ladies?) But it's worth a read just to bring yourself up-to-speed on the current state of the art in badware.

Their closing advice is fairly obvious: install anti-virus software, keep your operating system up to date, and stay educated. We also suggest Ad-Aware 2007, a free program that helps monitor your Windows PC for unwanted programs, and AdBlock Plus, a free cross-platform Firefox add-on that lets you block specific third-party content on pages you visit.

"Trends in Badware 2007" (pdf) [stopbadware.org]
"'Trends in Badware 2007' released" [stopbadware.org]

RELATED
Ad-Aware 2007 [Lavasoft]
AdBlock Plus [Mozilla.org]
(Photo: Getty)

]]>
Mon, 08 Oct 2007 11:54:19 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=308212&view=rss&microfeed=true
<![CDATA[ Is Bank of America Lying About Website Security? ]]> According to a demonstration by Chris Soghoian over at CNet, Bank of America's "SiteKey" picture authentication feature can be spoofed by phishers and is, basically, worthless.

We know worthless is a strong word, but when paired with statistics that show most customers don't even pay attention to the feature, things are looking pretty bleak for B of A. (A study found that 58 of 60 consumers fell for an obviously fake B of A website.)

Chris explains that SiteKey is vulnerable to a "man-in-the-middle" attack: the phisher's fake page takes the username the victim types, fetches the victim's genuine SiteKey image from Bank of America's real site, and shows it to the victim, who sees the picture they expect and hands over the password.

This news came to our attention back in April but now Chris is wondering (as we did) why Bank of America is (still) telling its customers that SiteKey is "certain" to work. Bank of America's website says that "you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site." Are they simply lying to their customers?

From CNet:

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

False security: Is Bank of America lying to its customers? [CNet]

]]>
Mon, 24 Sep 2007 11:47:04 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=302963&view=rss&microfeed=true
<![CDATA[ After an 18-month-long investigation, German ... ]]> After an 18-month-long investigation, German police have arrested 10 Russians, Ukrainians, and Germans who they think were involved in phishing scams that bilked users out of "hundreds of thousands of euros." The suspects targeted customers of eBay and Deutsche Telekom, among other companies, and lived "luxurious lifestyles involving expensive jewelry, cars and travel." [Reuters]

(Photo: Getty)

]]>
Thu, 13 Sep 2007 12:00:17 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=299557&view=rss&microfeed=true
<![CDATA[ 5 Ways To Make Sure You're Actually Talking To Your Credit Card Company ]]> When you consider the risk and high cost of identity theft, it pays to be skeptical whenever someone calls you and claims to be from your credit card company. How can you verify that they're legit? Reader Cathy points us to bloggingawaydebt.com, which offers five simple things to do if you want to make sure you're not being scammed.

One thing is to ask the person to tell you your balance and due date: "They are allowed to give out that info, and it should be correct. If not, a red flag should go up." You should also call the number on the back of your card and speak to someone in their fraud or security department if you are suspicious.

We've had similar phone calls in the past, and we always tell the person that we'll call the number on the back of the card and navigate back to their department that way. It's earned us a few amused responses, but it's a relatively easy way to be safe.

What Do You Do If A Credit Card Employee Calls You? [bloggingawaydebt.com]
(Photo: Getty)

]]>
Wed, 12 Sep 2007 16:35:13 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=299268&view=rss&microfeed=true
<![CDATA[ IRS Still Warning People About Email Phishing Scams ]]> The new IRS email phishing scam involves a fake customer satisfaction survey that asks for sensitive personal information such as your SSN, bank account numbers, credit card numbers, and even the security code from the back of the card.

The email promises to pay you for your "valuable feedback." Know what? The IRS doesn't need your feedback. They're doing just fine. If they owe you money, they'll write you a letter. It's true. The IRS recently wrote us a letter and told us that they were going to send us some money. Then they mailed us a check.

We did not have to put our credit card number into a website. How cool is that?

IRS Warns Taxpayers of New E-mail Scams [IRS]
That e-mail from the IRS? It's not from the IRS [MSNBC]
(Photo: MSNBC)

]]>
Tue, 28 Aug 2007 17:19:36 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=294385&view=rss&microfeed=true
<![CDATA[ Scammers Target Monster.com Users ]]> Some scammers have weaseled their way into Monster.com and are using email addresses gleaned from the site to run a phishing scam.

From the Boston Herald:

"What we're talking about here is not a hack of Monster," Manzo said. "These criminals have gotten access to customer login user names and passwords. They've probably gotten this directly from our customers."

Symantec Corp. security analyst Amado Hidalgo uncovered the infiltration of Monster's site and posted his findings on the California network security company's Security Response blog on Friday.

What's known as a Trojan horse in computing terms - a program that installs malicious software - accessed Monster.com and uploaded information from it to a remote computer server.

"Such a large database of highly personal information is a spammer's dream," Hidalgo said.

Phishing e-mail sent to the addresses taken from Monster.com bore the company's logo and personal information about the recipients. The e-mails asked recipients to download a fake "Monster Job Seeker Tool," which is actually a copy of a Trojan horse.

"This Trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files," Hidalgo said.

If you receive a request to download the "Monster Job Seeker Tool," beware!


Monster marauders: Attackers grab customer info, e-mail addresses
[Boston Herald]

]]>
Wed, 22 Aug 2007 19:31:25 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=292385&view=rss&microfeed=true
<![CDATA[ identity thieves chameleon FTC, IRS, and ... ]]> Identity thieves are impersonating the FTC, IRS, and Justice Department in recent phishing attempts. [Seattle P-I]

]]>
Fri, 27 Jul 2007 09:37:50 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=283187&view=rss&microfeed=true
<![CDATA[ 58 Out Of 60 Consumers Fell For Obviously Fake Bank of America Website ]]> We were reading an interesting article in Kiplinger's about various strategies that major banks are using to improve security when we were startled by this snippet about the effectiveness of Bank of America's security system. (Bank of America asks users to choose and then verify an identifying image and phrase before logging in):

When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected. The system raises the bar for criminals, says Rachna Dhamija, one of the researchers who conducted the study, but "if users don't comply, it's entirely ineffective. They are going to be giving out their credentials to the wrong Web sites."
58 out of 60!? We knew people were vulnerable to phishing operations, but that number is just sad. Get to know your bank's security features and, for heaven's sake, look for them when you log in. There's no reason 58 out of 60 people should be falling for an obviously fake site with incorrect security features. Looks like it might be back to the drawing board for Bank of America.—MEGHANN MARCO

Passwords + Pictures = Security? [Kiplinger's]
(Photo: Meghann Marco)

]]>
Tue, 05 Jun 2007 15:59:59 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=266182&view=rss&microfeed=true
<![CDATA[ IRS Warns Taxpayers About New Email Phishing Scam ]]> The IRS wants to warn you about a new email phishing scam that aims to trick you into opening an attachment that is secretly a Trojan horse, one that can hand control of your computer over to the scammers. You, obviously, do not want this to happen.

From the IRS:

The e-mail purporting to be from IRS Criminal Investigation falsely states that the person is under a criminal probe for submitting a false tax return to the California Franchise Board. The e-mail seeks to entice people to click on a link or open an attachment to learn more information about the complaint against them. The IRS warned people that the e-mail link and attachment is a Trojan Horse that can take over the person's computer hard drive and allow someone to have remote access to the computer.

The IRS urged people not to click the link in the e-mail or open the attachment.

Similar e-mail variations suggest a customer has filed a complaint against a company and the IRS can act as an arbitrator. The latest versions appear aimed at business taxpayers as well as individual taxpayers.

The IRS does not send out unsolicited e-mails or ask for detailed personal and financial information. Additionally, the IRS never asks people for the PIN numbers, passwords or similar secret access information for their credit card, bank or other financial accounts.

"Everyone should beware of these scam artists," said Kevin M. Brown, Acting IRS Commissioner. "Always exercise caution when you receive unsolicited e-mails or e-mails from senders you don't know."

Anyone who receives a phishing email is invited to forward the suspicious email to the IRS and help in their investigation: phishing@irs.gov —MEGHANN MARCO

IRS Warns Taxpayers of New E-mail Scams [IRS]

]]>
Thu, 31 May 2007 14:56:24 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=264937&view=rss&microfeed=true
<![CDATA[ Bank of America's "Perfect" Security System Actually Vulnerable To Phishing ]]> Bank of America has an online security measure called SiteKey and says, "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site."

But Christopher Soghoian, previously known for publicizing an NWA boarding pass generator, demonstrates how a variant on the "man in the middle" phishing attack can subvert SiteKey and still steal money from unaware consumers. He's got a movie, too.

While users need to take steps to protect themselves, like never clicking banking links in emails and verifying that the URL they're visiting is correct, it's plain incorrect for Bank of America to say SiteKey is invulnerable. — BEN POPKEN

A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey Service [Slight Paranoia]

]]>
Fri, 13 Apr 2007 00:37:42 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=251988&view=rss&microfeed=true
<![CDATA[ Botnets Take Over Your Computer For Evil ]]> Red Tape Chronicles has an interesting series of articles about botnets, groups of hijacked computers that can be controlled remotely to send spam and viruses, conduct break-ins, host phishing sites, and, of course, commandeer more computers. If you don't take adequate steps to protect your computer, it could become some criminal's slave.

IS YOUR COMPUTER A CRIMINAL?
VIRUS GANG WARFARE SPILLS ONTO THE NET
WHO'S BEHIND CRIMINAL BOT NETWORKS?

You can help protect your computer from botnets by practicing safe surfing:
• Only install software you know to be safe
• Protect yourself with programs like ZoneAlarm (firewall, anti-virus), Spysweeper (anti-spyware, anti-virus), and Ad-Aware (anti-spyware, anti-malware).
• Remember that visiting "questionable" sites is a sure way to attract trojans.

— BEN POPKEN

(Photo: Dan Coulter)

]]>
Tue, 10 Apr 2007 09:48:58 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=250987&view=rss&microfeed=true
<![CDATA[ Tax Tip: Watch Out For Fake IRS Sites ]]> The IRS issued an official warning to consumers to watch out for fake IRS sites. The only official IRS website is IRS.gov. Sites ending in .com, .net, or any other common extension are not official IRS sites, and neither is an address that merely has "irs.gov" buried somewhere inside it: what counts is the domain your browser actually connects to.


Also, the IRS.gov site does have interactive features, but it asks for very little personal information. From IRS.gov:


Although the IRS Web site offers interactive features, the tax or private financial information that these features ask the taxpayer for is extremely limited. The IRS reminds consumers who access unfamiliar sites, or sites they have never dealt with before, that they should never reveal any personal or financial information, such as credit, bank account or PIN numbers, without verifying the validity of the site.

The IRS also reminds consumers to be alert to an on-going Internet scam in which consumers receive an e-mail informing them of a federal tax refund. The e-mail, which claims to be from the IRS, directs the consumer to a link — often a Web site resembling the IRS Web site — that requests personal and financial information, such as Social Security number and credit card information.

Remember: IRS.gov! Don't follow links in emails. —MEGHANN MARCO

IRS Urges Caution about Internet Sites that Resemble the Official IRS Site [IRS.gov]

]]>
Thu, 15 Mar 2007 14:19:48 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=244504&view=rss&microfeed=true
<![CDATA[ Phishing Scams More Costly Than Bank Robbery ]]> During a bank robbery, the bank's main concern is the safety of the employees, not the bank's bottom line, according to MSNBC:

The amount of money taken typically is fairly small and will not dent a bank's bottom line. Further, bank robbers are apprehended in almost 58 percent of cases, according to Federal Bureau of Investigation statistics. Only murder has a higher rate of clearance by arrest.
So what do banks worry about? Phishing scams.
That's a stark contrast to checking account fraud, which cost financial institutions $2.4 billion over one 12-month period that ended in 2004, according to a study by research firm Gartner Group. A portion of those losses was caused by "phishing," a scam in which crooks use fraudulent e-mails and Web sites in an effort to entice consumers to give up personal and account information. Since 2004, phishing attacks have grown exponentially.

Not only are the losses greater, it's also harder to catch a cyber thief; investigators often find themselves chasing a ghost who may have put up a fake Web site for just a couple of days.

Phishing scams are easy to avoid. Help your bank by not falling for them. Be suspicious of emails, even "authentic"-looking ones, that are supposedly from your bank and ask you to enter your account info. Always type your bank's URL into your browser's address bar. Never follow a link from an email! —MEGHANN MARCO

The big catch: Phishing scams more costly than bank robberies [MSNBC]
(Photo: cmorran123)

]]>
Mon, 12 Mar 2007 10:49:25 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=243450&view=rss&microfeed=true
<![CDATA[ Hacker Taunts Americans For Letting Him Steal Their Identities ]]> This could be you.


A Romanian hacker posted this and 15 other people's profiles in the eBay Trust and Safety forum, taunting Americans with his identity thieving prowess. He said,

...what make the american and canadian boys at 14-15 years old ????? Eaet burgers at Mc Dolnalds and watched naked girls on internet porno webspages.... Romanian guys at 14-15 years old scam people...Is so easy to stolen your eBay account and your Paypal.....is just a funny game for us...

We have to agree with the fellow. Stop eating your cheeseburgers and watching your porno and protect your identities, fools.

How To Spot A PayPal Spoofer
12 Steps To Protect Yourself From Identity Theft
ORIGINAL VIDEO: PayPal Security Key First Look
What To Do When Your Identity Is Stolen
HOW TO: Get Through Having Your Identity Stolen


— BEN POPKEN

(Thanks to Bud!)

]]>
Thu, 08 Mar 2007 17:17:04 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=242756&view=rss&microfeed=true
<![CDATA[ ORIGINAL VIDEO: PayPal Security Key First Look ]]> Here's a first look at the new PayPal security key. What it looks like, how it works, how to get it, and whether it's worthwhile.
The thing with account security is it's not the first thing that gets ya, it's like AIDS, it's all the other assholes the first asshole sells your account to that really rape ya.

You can get yours from PayPal for $5 here. — BEN POPKEN

]]>
Thu, 01 Mar 2007 13:23:10 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=240770&view=rss&microfeed=true
<![CDATA[ 419ers Scambaited Into Recreating Monty Python "Dead Parrot" Sketch ]]> These Nigerian 419 scammers sent around an email begging for money because they were dying of cancer and got tricked into recreating the Monty Python "Dead Parrot" sketch. The "victim" on the other side was actually a scambaiter, a person who gets their rocks off by wasting email scammers' time and making them perform ridiculous and humiliating acts.

What's interesting is that the "dead parrot" they use is actually a metal duck. Once a scammer, always. — BEN POPKEN

[via BoingBoing]

]]>
Tue, 20 Feb 2007 10:43:18 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=238078&view=rss&microfeed=true
<![CDATA[ Scammers Call Pretending to Be AT&T, Harvest Personal Info ]]> Lisa Madigan, Illinois' Attorney General, AT&T and TDS are informing consumers about scammers who are calling consumers and falsely representing themselves as AT&T representatives. The scammers offer a 35% discount on your long distance service, then ask you to "verify" a few things. From the Illinois Attorney General's Office:
"Consumers need to be prepared if they receive this type of phone call," said Madigan. "Do not provide any personal information over the telephone, and if you believe you have received such a call, please report the call to your phone company as well as to the Attorney General's consumer protection hotline."

"Customers of telecommunications services need to be cautious. Generally, customers can tell from the level of professionalism and grammar that it is a fraudulent call. The caller is speaking quickly and trying to confuse the customer with names and requests. And when pressed for more information such as a company Website or name they generally hang up," states Andrew Petersen, Director of Legislative Affairs and Public Relations for TDS.

The latest report to the IAG's Office was from a TDS customer. When the caller said that he was calling from AT&T, the TDS customer told the scammer that he didn't have AT&T for long distance. The scammer replied that AT&T and TDS "had merged." (They haven't.) There's no reason to think that this only happens in Illinois, so the rest of you keep an ear out. Don't fall for this stuff!—MEGHANN MARCO


MADIGAN, AT&T and TDS WARN CONSUMERS OF CONTINUED TELECOMMUNICATIONS FRAUD ATTEMPTS [IAG]

]]>
Fri, 16 Feb 2007 13:14:56 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=237413&view=rss&microfeed=true
<![CDATA[ Vigilante Hero Downloads Phisher's Data Files and Informs Victims Via US Mail ]]> John Porter is like an internet Batman. After receiving a phishing email supposedly from Bank of America, John decided to investigate. The phisher's trail eventually led John to a hijacked zombie PC in Canada. There he found the phisher's data files—addresses, logins, social security numbers and other sensitive information belonging to dozens of victims. What should John do? From an email John sent the Privacy Rights Clearinghouse:

"So that left me in a moral dilemma. In effect, I was witnessing some bad stuff happening in real time. .... What to do? I downloaded the latest version of the harvested data and pondered.

I had already alerted BofA and the owners of the domains. The harvested data file contained no email addresses, so I couldn't alert the people downloading data by email. I couldn't delete or alter the source files or the data file.

I finally decided to simply write letters to all the people who had been duped into entering their street address, informing them of the scam and advising them to do all the sensible things necessary after your identity has been stolen."

The phishers had successfully harvested information from 40 people in three days, so John has his work cut out for him. As recently as 2/7/07 John followed the trail of an eBay phishing email and found over 100 logins and passwords. John has written a report of his findings, which is available on his website. If you suspect that you may have fallen for a phishing email, take ID theft measures immediately. The FTC has information about what to do. As for John, we hope he keeps up the good work, but it's too large a task for one vigilante hero. Help him out by not biting the end of the phisher's line.—MEGHANN MARCO

A Cautionary Phish Tale [via CL&P]

]]>
Mon, 12 Feb 2007 18:49:08 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=236020&view=rss&microfeed=true
<![CDATA[ Order Your Paypal Security Key Now ]]> PayPal security keys are now available for purchase, offering consumers the option of vastly enhanced protection against account breaches.

The token generates a new six-digit security code every 30 seconds. When you log in to complete a PayPal transaction, you must enter the current code along with your password. Each token is tied to a single account.

The security keys are now available for $5 purchase at PayPal.

Even if you're a dumbass and get successfully phished and enter your email, password, and token code, that information is only good for about 30 seconds. A phisher who relays it to PayPal while the code is still fresh can get in once, but can't come back later or resell the login, and the worst part of many account breaches isn't the first attack, it's the 100 other guys the info gets sold to. — BEN POPKEN

PayPal Security Key [Official Site]
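As an added illustration (not PayPal's code, and not code from the original post) of how a token like this produces a fresh six-digit code every 30 seconds and why a phished code has such a short shelf life, the following implements TOTP as published in RFC 6238. Which algorithm PayPal's token actually uses is not stated here, so treat the RFC 6238 choice, the 30-second step and the server's one-window clock tolerance as assumptions; the shared secret is the RFC's own test-vector string, not a real key.

```python
"""Time-based one-time codes of the kind a hardware token displays: a new
six-digit value every 30 seconds, derived from a secret shared with the
server.  Added illustration for this page, not PayPal's code; it follows
TOTP as published in RFC 6238 (HMAC-SHA1, 30-second step).  The page does
not say which algorithm PayPal's token uses, so that is an assumption."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as the post describes
DIGITS = 6     # six-digit code, as the post describes

# Test-vector secret from RFC 4226 / RFC 6238, not a real token's secret.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code valid for the 30-second window that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows on
    either side to tolerate clock drift.  That tolerance, not the 30 seconds
    alone, decides how long a stolen code stays usable."""
    now = unix_time // STEP
    return any(hmac.compare_digest(totp(secret, s * STEP), code)
               for s in range(now - skew, now + skew + 1))


def phished_code_still_works(secret: bytes, stolen_at: int, replayed_at: int) -> bool:
    """The scenario the post describes: the victim types a code into a fake
    page at stolen_at; the phisher submits it to the real site at replayed_at."""
    return verify(secret, totp(secret, stolen_at), replayed_at)


if __name__ == "__main__":
    t = 1_500_000_000
    print("code now:", totp(DEMO_SECRET, t))
    for delay in (5, 35, 90):
        print(f"replayed {delay}s later:",
              phished_code_still_works(DEMO_SECRET, t, t + delay))
```

The `verify` window is the part worth noticing: a phisher who relays the stolen code to the real site within a few seconds gets in, and a server that tolerates one step of clock drift keeps that code usable for up to about a minute. After that it is dead, which is the point the post makes.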

]]>
Fri, 09 Feb 2007 10:51:32 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=235353&view=rss&microfeed=true
<![CDATA[ Phishers Switch Brands: Coke and McDonald's ]]> Ad Age reports that phishing emails are using well-known brands such as Coke and McDonald's to lure consumers into their web of scams.
A November e-mail signed by a Hong Kong-based Coca-Cola sales and marketing manager promised a Mercedes-Benz ML Jeep convertible and a chance at $800,000 cash for entries submitted to a link in the e-mail. Another one in March from McDonald's Corp. and JPMorgan Chase offered a 50% discount at McDonald's over 10 days, followed by a 30% discount thereafter if recipients signed up at a JPMorgan Chase-branded promotional site.

Oh man, we totally want a Mercedes-Benz ML Jeep convertible! Does that come in Corvette Hummer Mazda-6? In all seriousness, watch out for this crap. The emails will usually mention some sort of sweepstakes and use familiar-looking logos that you may have come to trust. —MEGHANN MARCO

Phishers Switch Brand Bait to Coke and McDonald's [Ad Age]

]]>
Thu, 14 Dec 2006 18:38:29 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=222022&view=rss&microfeed=true
<![CDATA[ From PayPal To PayPauper ]]> A thousand times a day, PayPal emails most of us and informs us that there's been a grave compromise in our accounts. Would we like to just click this big bright button and fix it, please? And just like that, your entire savings has been funneled into a phisher's pornography investment.

It happens all the time, to the point that actual emails from PayPal are viewed with leery suspicion. But even if you can get your money back after being victim to a PayPal crime, you're still screwed. Take Jeff, for example, whose bank account was drained of thousands of dollars, leaving him with negative $760 and an extra $200 in overdraft fees, ticking upward by the minute.

PayPal's going to refund his money, of course. But it's going to take them 60 days. 60 days of being a pauper just because their system isn't secure. And they won't reimburse him for overdraft expenses.

Stories like this just give me the willies... I'm frickin' paid through PayPal. Thanks, Mat!

From Paypal to the Poorhouse in One Easy Hour

]]>
Wed, 19 Jul 2006 07:20:45 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=188291&view=rss&microfeed=true
<![CDATA[ Veterans Affairs Sends Mass Apology ]]>

Every single veteran in America, from the Vietnam War and forward, received a letter yesterday from the office of Veterans Affairs, warning them of the theft in early May of a laptop containing personal data of many military personnel. In addition to an apology and acknowledging the loss affecting 26 million vets, the letter also contained a 1-800 number to report phishing or suspicious activity.

To cement its penitence, the office of Veteran Affairs should offer to go on latrine duty for the next month.

(Thanks to Joe and Jason!)


]]>
Fri, 09 Jun 2006 11:06:18 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=179596&view=rss&microfeed=true
<![CDATA[ Email Users Incompetent At Spying Out Scams ]]> We saw this great post indicating exactly how clueless the average person is when trying to detect spam or phishing schemes in their inbox. The blogger launched a site called SpamorHam.org to see how savvy Internet users were across the board when trying to detect email fraud. Unfortunately, users of the site are failing the test at overwhelming rates.

Here's one that the average user doesn't think is a fraud attempt, for example:


I get about a hundred of these in my inbox a day. There are some criticisms we could level at the site's methodology: to be honest, the only way we really know some emails are actually scams (we get paid by PayPal, for example, and some of those fake messages are extremely good forgeries) is by hovering over the links and carefully checking where they lead. That may still be a bit savvier than the average email user, but SpamorHam.org doesn't let you figure out where links lead intuitively: it gives a raw dump of the HTML, and most people don't know how to read it. Text alone really isn't enough anymore to detect phishing scams, if it ever was.


There's one born every minute: spam and phishing
[JGC.org]
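The hover-over-the-links check described above, and the earlier IRS warning that only IRS.gov is official, can both be automated. The following is an added example, not code from SpamorHam.org or from this post: it pulls every anchor out of an HTML message, compares the domain the visible link text claims with the domain the href actually goes to, and checks whether the destination really sits under an official domain. The sample messages are constructed for the example, and the registrable-domain helper is a two-label approximation rather than a public-suffix-list lookup.

```python
"""Flag e-mail links whose visible text points one place while the href
goes somewhere else, plus links that only look like an official host.

Added illustration for this page, not SpamorHam.org's code.  The sample
messages below are constructed for the example, not real phishing mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A leading URL or bare hostname in the visible link text, if any.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL, lowercased.  urlsplit() handles the user@ trick,
    so http://www.paypal.com@evil.example/ resolves to evil.example."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels of a hostname.  Approximation: without a public-suffix
    list, example.co.uk would be reduced to co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def under_domain(host: str, official: str) -> bool:
    """True only if host is official or a subdomain of it.  A substring or
    prefix check would wrongly pass irs.gov.example.net or irsgov.com."""
    host, official = host.lower().rstrip("."), official.lower()
    return host == official or host.endswith("." + official)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, official=None) -> list:
    """Return one finding per link whose text and href disagree on the
    domain, or whose destination is not under `official` when given."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        m = DOMAIN_RE.match(text)
        if m:
            shown = m.group(1).lower()
            if registrable(shown) != registrable(target):
                reasons.append(f"text says {shown}, link goes to {target}")
        if official and not under_domain(target, official):
            reasons.append(f"{target} is not under {official}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: an "IRS refund" phish with three links.
PHISH = """<p>Dear taxpayer, you are eligible for a refund.</p>
<a href="http://www.irs.gov.refund-claims.example.net/form.php">http://www.irs.gov/refunds</a>
<a href="http://www.irs.gov@198.51.100.7/login">IRS.gov secure login</a>
<a href="http://www.irs.gov/">Unsubscribe</a>"""

# Constructed sample: a link that really does go to the official site.
LEGIT = '<a href="https://www.irs.gov/newsroom">www.irs.gov</a>'

if __name__ == "__main__":
    for finding in suspicious_links(PHISH, "irs.gov"):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
    print("legit findings:", suspicious_links(LEGIT, "irs.gov"))
```

The two things this catches are exactly what the eye misses in rendered mail: text that says one domain while the href says another, and a hostname that contains the official name without being the official domain.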

]]>
Tue, 16 May 2006 07:06:26 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=173996&view=rss&microfeed=true
<![CDATA[ Telepickpocketing Phishers Fry Consumers ]]> Like a malignant pile of pustulent bacteria, scammers are constantly evolving.

One group recently duplicated a bank's voicemail system and sent customers an email imploring them to call it. Those who did had their account info purloined.

What's more, the fake phone tree ran on a computer using VoIP software that turned it into a PBX, or private branch exchange. According to security analysts, the computers used were most likely virus-infected machines under the scammers' remote control.

O'Donnell, a security expert at Cloudmark, said, "Through the economics of using VoIP, phishers reap the same benefits of any small business."

"Phishers snare victims with VoIP" [CMPnetAsia via MrConsumer]

]]>
Wed, 26 Apr 2006 10:36:37 EDT popkin http://consumerist.com/index.php?op=postcommentfeed&postId=169695&view=rss&microfeed=true
<![CDATA[ 90% of US Account Holders Think Bank Security Sucks ]]> You just know your entire industry is gang raping the pooch when statistics like these are coming out:

• 90% of US bank account holders want their banks to strengthen security and scrutinize suspicious transactions. Hello, Citibank? This means you.

• 60% of account holders want their banks to contact them when they detect a suspicious transaction. Hello, Citibank? This means you.

• 75% of account holders believe a user name and password to be insufficient security. Hello, Citibank? This means you.

• Almost 80% of account holders won't respond to a bank email because of phishing scams. Given that one of The Consumerist's duumvirate lives in Ireland and routinely gets emails from Citibank, claiming a security breach on his nonexistent account... Hello, Citibank phishers? This means you.

The sample on the poll was only 402, so it might not be as bad as all that, nationwide. But one interesting thing to note was that the poll was conducted in November, 2005 — in other words, before some of the more recent mind-blowing security breaches at companies like, you guessed it, Citibank.

Consumers Want Better Online Banking Security [Consumer Affairs]

]]>
Mon, 10 Apr 2006 05:55:12 EDT consumerist.com http://consumerist.com/index.php?op=postcommentfeed&postId=166105&view=rss&microfeed=true