Bad Credit? No Credit?


... were the surviving beneficiaries. The House of Lords held that as the £20 000 had been applied to make payment of 40% of the premiums, the victims were entitled to 40% of the policy monies, more than £400 000. The Court accepted the argument that the victims were entitled to trace their money through the policy into the amount paid out by the insurers after the fraudster's death and to claim a proportionate share of it from his children. The English Court of Appeal has recently held, in the case of Bank of Credit & Commerce International (Overseas) Ltd & Anor v Akindele, that to establish liability it had to be proved that the recipient's state of knowledge was such as to make it unconscionable for him to retain the benefit of the receipt. In the context of a restitutionary claim based upon "knowing receipt", the Court was entitled to pierce the corporate veil and recognise receipt by a company as that of the individual(s) in control of it if the company was used as a device or façade to conceal the true facts, thereby avoiding or concealing any liability to those individuals (Trustor AB v Smallbone & Ors [3]).

Conclusion
Fraud losses are recoverable. Senior employees and non-executive directors are under increasing pressure to assist in the reporting and development of corporate governance to ensure that the company reacts promptly and appropriately to suspicions of fraud and to ensure that assets are protected and recovered. The days of sweeping fraud under the carpet are numbered, and risk managers and directors across the board should be apprising themselves of the dangers of fraud and the methods of dealing with it once it has occurred. The prevalence of electronic fraud only makes a proactive approach more essential. A company must ensure that employees know exactly what to do, who to report to and the importance of acting quickly to minimise losses, preserve electronic evidence and ensure that the fraudster is never tipped off before steps can be taken. Failure to implement such procedures effectively could eventually lead to directors facing personal liability for breach of their duty of care to the company.

Steven Philippsohn is a commercial & Internet fraud specialist at PCB solicitors. http://www.pcblitigation.com

Notes
[1] The Financial Times, "Harsher Economic Climate prompts fraud surge", Nikki Tait, 3 February 2003.
[2] The Times, 24 May 2000.
[3] No. 2 (2001) WLR.

Bad Credit? No Credit?
Fred Cohen

Series Introduction
In this series, we provide a monthly scenario of a computer-related fraud, complete with the story line and details — but with no specifics about the organizations involved. Then we do a root cause analysis and identify the mitigation strategies actually applied or proposed.

Background
Credit cards and the Internet are an amazing mix. They provide an unprecedented mechanism for buying and selling almost anything very quickly, inexpensively, and conveniently, from your own home. I do it, chances are your company does it, and odds are it will become increasingly important as a means of commerce. Unfortunately, not all E-commerce is legitimate. One of the classic cases broke just recently, involving a 25-year-old Pakistani college dropout named Khurram Iftikhar. His story is not new, but it is a textbook case of how the two oldest scams on the Internet were combined to the tune of millions of dollars.

To set the scene, I should tell you about a typical credit card scam before the Internet. Someone with physical access to credit card slips, perhaps a restaurant worker or department store clerk, takes copies of the customer credit card information required to make a purchase. They then order goods over the telephone with shipping addresses different from the credit card address, the goods are shipped, and they resell the goods. Some even have the goods shipped to their own home; it doesn't matter, because for a few thousand dollars it's not worth bringing in the witness from another state to testify at the trial. If the dollar amount is high enough in one case, they may pursue the perpetrator, but the amount has to be pretty high. The consumer is out a maximum of $50, the credit card company gets the money back in interest, and the ultimate payer is the average credit card user. It comes to 2/3 or more of the interest on credit card purchases.

The scheme
In cyberspace, the process of taking a credit card number is greatly simplified because you don't need to be employed or have access to a retail outlet. You can create your own outlet, or if you like, use a convenient pre-existing outlet, like eBay. So you set up your online store (cost about $35/year) and arrange to take credit cards. To obtain the right to process credit cards, it is necessary to complete a series of steps including signing paperwork and obtaining a bank account for direct deposit and so forth — too painful and slow for a good con. How do you take credit cards? Easy. You set up a site that collects them from people placing orders. For example, you offer computers or gold coins for a good price (not too cheap — you will lose the trust of your customers and not earn as much). You take credit card numbers for these purchases and promise delivery whenever you decide — say 3-5 weeks. As the credit card numbers start to appear, you begin to make purchases with them. Buy something you want or something of high intrinsic value — like computers or gold coins — and arrange shipment to your current address. You already know the cards have a limit up to the value you charged the customer for. So, 10 sales a day at $1000 each brings in $10 000 a day; this runs for about 30 days, at which point you have $300 000 of sales, which you change into $200 000 of useful goods and gold, and you move it all over to the next location. Did I forget? You live on the other side of the world and do it all by email, a few phone calls, and with stolen credit cards not otherwise used.

Action
Mr. Iftikhar is, of course, denying it all, but let's suppose it was actually Mr. Brian King who did all of this. That is at least one of the pseudonyms that was used in this case. You might have problems getting goods to Pakistan from Hewlett Packard in Texas or the Office Depot in Hoboken, but fear not. Call Mail Boxes Etc. in Ontario, Canada as an option, and have it all shipped there. Then from there, have it FedEx transported to Dubai and collect the goods every few weeks. That's the scenario that occurred under Brian's name and the names of other American-sounding people in this case. How do you get such names? Easy: when you sell this stuff, you can obtain a list of first and last names. Pick one from column A and one from column B, and you have an American-sounding name.

It turns out it is not all that easy to get 10 orders per day even if you are selling PCs at a good price. I sell bootable CDs at a good price and I don't receive 10 orders a day... and neither did Brian King. That's why it took almost a year to steal a few million dollars. And he was determined to be slow and cautious to avoid any thresholds of detection. The perpetrator had over 100 mailboxes in different states. He paid FedEx in cash for deliveries, reducing traceability a little bit more. But they also boosted sales another way. They sold these computers on eBay! Yes, good old eBay — capitalism at its most brutal — auctions with minimums and clever tricks to get you to raise your bids in increments — eBay — home of reputation based on other supposed buyers, whose reviews are based on their other sellers, and everything is lost in a frenzy. eBay — where buyer meets seller millions of times a day, and nobody sees the other party.

Aftermath
But if Mr Iftikhar was good, the US Customs Service was better. After trying to trace the flow of goods back, after running into cash payment after recordless mailbox company, they finally hit upon the solution to their problems. The Internet Service Providers who had shielded Iftikhar now provided IP addresses, those IP addresses traced back to others, and eventually the trail led to Pakistan. Iftikhar, it seems, made the purchases from his home computer, and he made the follow-up calls for delivery and pickup from his home phone. Pakistani police made a raid on Iftikhar's home on 19 December 2002, and he now faces 7-10 years in a Pakistani prison. All told, he stole something like $3 million worth of stuff, and unless his claim that the evidence was planted holds sway, he is likely to be rather older upon his exit. The cost to you and me? Given that the costs are spread across the global credit card user base, this $3 million will hardly be noticed. But in the aggregate, this one, among other such efforts, costs a healthy sum to all those who share the risk.

Mitigation
eBay now takes many more precautions than they did even a year ago, but they are still a hotbed of rip-offs — if only because they are a hotbed of free trade. eBay lost nothing and will do nothing. The companies like HP who sold the goods didn't lose anything either. They mostly received payment and shipped the goods. Their mitigation would require refusing to take orders from customers who insist on goods being shipped elsewhere, and this will lose them far more business than a few frauds here and there. They will do nothing. The credit card companies do what they reasonably can, but in the end, unless the interest rates get so high that nobody uses the cards, they have no great motive to change a system that works so well. They will do nothing more. The customers lost as much as $50 each and failed to get the computers they ordered, many probably not receiving them in time for a holiday gift. In many cases, it didn't even cost them that much because of no-risk credit cards and other similar safety nets available in the current climate. There is something they (you) can do to limit the risks of such things, but there is no perfect solution, and it's only worth $50 per rip-off.

Don't buy from just anyone: As a rule, I don't buy anything worth more than a few hundred dollars from just anyone. I tend to investigate E-tailers before sending my hard-earned cash out the door. On the other hand, a company credit card is no risk for many corporate users, so who worries?

If it seems too good to be true, it probably is: It's an old adage and a good one. I just thought I would adage it in here.

Get a zero-loss card: They cost nothing these days, and maybe you should demand it from your credit card company.

Okay — this was the lamest set of advisories in my whole history of these articles. The fact is, risk management has been done, done well, and done over many years by all involved in these issues. It comes down to this. Unless and until the risk equations change, there may be slow progress toward less privacy in exchange for more risk reduction, but we are at the point where the privacy we must surrender is growing in leaps and bounds, while the reduction in risk is changing very little in the process.

Conclusions
The perpetrator went over the limit, and was hunted down and sentenced. What more can you expect? Probably not much. Be careful what you ask for. Further reduction of your risk from this sort of rip-off will almost certainly sacrifice more of your personal information and gain you nearly nothing. The best improvements to the risk profile for credit card purchases over the Internet will likely come in the form of increased awareness by consumers. On a final note, this is not the only case of its kind. Jerry Tan a.k.a.? Arbi Salas was just arrested on a similar scam out of The Philippines. And you can expect more to come...

About The Author
Fred Cohen is helping clients meet their information protection needs at Fred Cohen & Associates and Security Posture, doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program, and selling bootable CDs and consulting through Fred Cohen & Associates. He can be reached by sending email to [email protected] or visiting http://all.net/

Any similarity between the characters or events in this article and any real persons or situations is strictly coincidental... however... The story you have just read is true. Only the names have been changed to protect the innocent.

Spam — Out of Control
Berni Dwan

Can you believe that the average email user in the United States receives 2200 spam messages every year and that this is set to rise to 3600 by 2007? Now that's a lot of unsolicited email in any person's language, perhaps making some of us wish that we could return to the old days of the friendly postman. We may have had to wait longer, but at least we only got our legitimate mail, whether we wanted it or not. Now a major problem for organizations, Gartner's corporate clients are reporting that 30-50% of inbound email is now spam, while CAUBE (Coalition Against Unsolicited Bulk Email) put Moore's Law in the shade by suggesting that the amount of spam is doubling every four and a half months. AOL are already spending 15% of monthly fees fighting spam, but they have also incurred the wrath of a high-profile customer by overzealous tagging. The client was Harvard University, and AOL's spam filters mistakenly tagged emails offering college places to students as spam and dumped them! But at least we know that AOL is no slouch when it comes to confronting the problem of spam, with 20 spam-related lawsuits already in its trophy cabinet. In the most recent case AOL was awarded $7 million in damages in a case against CN Productions for spamming AOL members with email advertising adult websites. In fact, on version 8.0 of their software AOL has a "Report Spam" button through which they are receiving millions of reports from clients on a daily basis.

There are stalkers on the fibre optic wires promising to make us as beautiful as Julia Roberts, as rich as Bill Gates and as desirable as Pamela Anderson. While most of us realise that we are beyond help, there are still enough gullible surfers out there to buy into the deceit of spam, enough to make it worth the spammers' efforts. In case you think that spam is an overrated problem, more of a nuisance than a threat, Clearswift does a simple calculation to impress upon us the "bigness" of it. Consider a 1000-user email network where each user receives 24 messages per day. 39% of received email is spam, so each user receives nine spam emails per day. 9 x 1000 = 9 000 messages per day. 9 000 x 240 (approximately the number of working days) = 2 160 000 messages per year. It takes around six seconds for a user to deal with a spam message in their inbox. I have taken the calculation a step further to tell you that the damage is 150 days' worth of employee hours over the year.

We all know the old cliché — cyberia is a land with no borders, and that means a land with no laws. Well, they may be written on paper and rubber-stamped by parliaments, but who is even bothering to look over their shoulder when the laws cannot be implemented? "Aye, there's the rub", said some famous character in literature, as well as a lot of other people in Finland, Austria, Italy, Denmark, Switzerland and Germany, where spam has been legally banned. The ban, though, has been as effective as banning malaria-carrying mosquitoes from crossing national borders. Never has it been so easy for the purveyors of junk mail, now spam, to propagate their wares throughout the known world, and this in turn has resulted in what is becoming an awesome challenge for those in the business of computer security. When it comes to ability, it is a case of