Tuesday, November 3, 2009

Uncompetitive RFID Policy Leads to Cottage Industry

The race is on. With the near complete failure of authorities to recognize the security risks inherent in the prolific use of RFID chipping in everything from credit cards to passports, the private sector has found a cottage industry in making up the lapse in attention.

One firm leading the pack is DIFRWear. Founded in 2005, the company states its mission as: "Our mission is to give individuals the ability to maintain privacy and ensure security in a world of insecure contactless devices." Their products are designed to facilitate just that.

We invite other firms to share their approach to RFID protection as well.

Thursday, August 27, 2009

Fed chairman victim of identity fraud ring: Newsweek - Yahoo! News

No one is immune!

Yet another demonstration that ID theft is done at the document level, not so much in cyberspace. The most proficient of these criminal types have figured out that they can do all of this without even stealing the purse, by just cell-phone photographing the data needed in a few seconds.

Here's the latest victim:

Fed chairman victim of identity fraud ring: Newsweek - Yahoo! News

Be careful showing your ID to that cash register clerk - always at least cover your postal code.

Thursday, August 6, 2009

CARS.gov Site Accused of Government Takeover of Consumer PCs

This blog is edited as non-partisan as possible. For that reason we try to stay away from political editorials offered by either the left or the right, and I would normally not quote anything from such programs.

In this case, however, Glenn Beck of Fox News did seem to break this story. The CARS.gov website, which facilitates the Cash for Clunkers federal government program, requires that dealers who use it literally allow it to take over the PC of the visiting user, and turn over ownership of all content of the PC to the federal government or its assignees.

Beck is alarmist, acting as if this is what consumers agree to, rather than dealers, which is not the case. But if I were a dealer, I would be alarmed!

Consumers should be alarmed as well, however, as their own information is on the dealer's computer, and therefore becomes the property of the federal government - right down to the credit report. As the consumer isn't the one who agrees to this, it is even more sneaky.


Where is the Privacy Czar? This would appear to be nothing but a scam to collect other monies owed. CARS.gov appears to be a ploy by the Treasury to find tax debt, and scoop it from the program. Let's hope we hear some intelligent explanation from the Administration.

US Falls Below Russia, Moldova, Belarus in Reported Corruption Rankings

Transparency.org has issued its latest Corruption Barometer, in which polled citizens rate various categories of corruption in their countries.

In the categories of Political Parties, Legislature, and Private Sector the US rated worse than Russia, Moldova, Belarus, Azerbaijan and Armenia, among others.

See the entire report at:


Tuesday, August 4, 2009

Feds at DefCon Alarmed After RFID’s Scanned | Threat Level | Wired.com

Follow up to http://jonathan-warren.blogspot.com/2009/07/youtube-how-to-hack-rfid-enabled-credit.html:

Feds at DefCon Alarmed After RFID’s Scanned Threat Level Wired.com

The very proponents of RFID chip usage have had the tables turned on them, as one might expect, in Las Vegas.

At the DefCon hacker convention taking place now, attendees set up an RFID scanner which photographed chip carriers. These of course included various feds - under cover and not - in attendance.

The amiable scanner owners were kind enough to destroy the data in public view, after letting the "Meet the Fed" panel drop jaws when they heard the news. Lucky for the feds it was such a friendly environment. Is everyone else who scans for RFIDs so friendly?

Sunday, August 2, 2009

False Alarm? - ‘Credit Hackers’ Win the Credit Card Game … Legally | Threat Level | Wired.com

This article in Wired purports to expose a new form of "credit hacking". However, the activity described is NOT hacking, NOT illegal, NOT able to take undue advantage of creditors and NOT considered any threat by the banking industry.

The tone of the article seems to seek to create a buzz around nothing, and to generate sympathy for the credit card industry. One has to wonder about the true motives and backing of the person supposedly calling himself "anonymous". Could this be the credit card industry laying cover?

Read the article:

DefCon: ‘Credit Hackers’ Win the Credit Card Game … Legally Threat Level Wired.com

Thursday, July 16, 2009

YouTube - How to hack RFID-enabled Credit Cards for $8 (BBtv)

Hacker demonstrates exactly how easy it is to obtain RFID data.

Click here:

YouTube - How to hack RFID-enabled Credit Cards for $8 (BBtv)

Please comment.

Saturday, July 11, 2009

RFID Chips in New Forms of ID Facilitate Massive Scams, Security Breaches

Nightmare security issues with the new US Passport and e-Passport (Passport Card) call into question the compliance of these documents with even the most basic security requirements.

Chips in official IDs raise privacy fears - Yahoo! News

The U.S. Dept. of Homeland Security did much to avoid the risk of hackers getting into the database, by making the number a mere pointer to their own files held on DHS computers. But the very function of the RFID chip, broadcasting an ID number, is easily co-opted by the private sector (retailers), and combined with the other information the retailer collects.

No need to obtain the government's data file: just about anyone can buy the data collected by the retailer, including your identity, all of your buying habits and payment options, demographic information, etc. The data is then neatly wrapped up and tied together with your RFID number, then sold, legally, to any number of buyers.

Now you walk through the mall, with your new drivers license, passport or passport card in your wallet, and that Israeli chick at the kiosk with the Dead Sea soap calls you by name - from 30 feet away.

Worse, some creepy guy likes what he sees when you pull up next to him in traffic. He inputs your RFID on his mobile, and gets everything about you, including your address. He may even add your license plate number to the database app on his iPhone.

Worse again, you can be completely watched on cameras which turn on only when you are within 30 feet, anywhere in the world. You might not be worried about that at home, but what about when you are at a foreign airport, or in a foreign city? How about when you are crossing between two foreign countries?

You can remedy the problem at http://jonathanwarren.wordpress.com/privacy-services/, but should you have to?

It seems that RFID has no redeeming value. Please comment.

Thursday, July 9, 2009

Hospital Billing Scam: Ignoring Health Insurance, Billing Taxpayer Instead

U.S. hospitals fraudulently writing off huge "losses" after inflating prices beyond insurance approval limits.

Health services networks collecting full retail prices from federal government by writing off bad debt of three to six times the billing amounts approved by health insurers.


You are injured in an auto accident. An ambulance takes you to a hospital, where you are admitted. The hospital collects your insurance data, and provides service.

Your auto insurance, and/or that of the other driver(s), is billed for its medical coverage, typically in the range of $15,000 to $30,000.

Three months later you get a bill from the hospital for the remainder of your hospital costs, which may be in the hundreds of thousands of dollars. You tell them to bill your health insurance, but the hospital shows you that your health insurance finally declined your claim, 4 months later. They seek a statement from you that you cannot pay the bill. They then write it off as bad debt, and assign it to collections.

You file a "medical bankruptcy", just like over half the consumer bankruptcies filed.


Your health insurer is tough for the hospital to deal with. The insurer holds down the price of services by not allowing the hospital and health care providers and suppliers to overcharge. The hospital would rather not deal with this.

Instead, the hospital bills the auto insurance for the limited medical coverage. This insurance does not fight the hospital on the overcharging. The hospital can therefore bill you 3-6 times what your health insurance would pay for the same services.

The hospital ignores the health insurance for (in most states) three months, beyond which time the health insurance will deny the claim by expiration clause.

The hospital then simply writes off the bill, at an average of 3-4 times the amount they would have collected from the insurer. The write-off credits back the hospital about 1/3 of the amount written off, in taxes.

The end result is that the hospital is paid 100% or more of the amount it could have collected from the insurers, and it does not have to invoice or negotiate. The government pays the bill. The debt is simply passed on to the taxpayer.

800,000 personal bankruptcies were filed in 2007. Medical bankruptcy accounted for 62% of personal bankruptcies filed in 2007, with a national average of $26,971 included in bankruptcy filings, for each uninsured person, and $17,749 for each insured person.

If half of the filers were insured and half were not, then the total discharged debt is just under $25 Billion for 2007 alone, not including those who did NOT file bankruptcy and did not pay the medical bill.

Industry estimates are that 66-90% of charged-off medical bills are not included in any bankruptcy filings. This would bring the total to between $75 billion and $250 billion in medical receivables written off by healthcare providers in the US, in 2007 alone.

These write-offs gave $25 billion to $83.3 billion to the healthcare providers, directly from the federal government: no billing, no negotiating, no oversight, no customer service to have to bother with. The present system might be considered the worst government-paid health care system in the world.

This ripoff bilks everyone, in favor of the institutional health care provider and the insurance company which typically owns it.

Wednesday, July 8, 2009

Cyber Attacks Clobber USA

Sustained attack closes off many sites:


I noticed this when for the past few days the FTC website would not load. It is not much better as of this writing. Security professionals please comment.

Tuesday, July 7, 2009

Social Security Numbering System Is Vulnerable to Fraud, Researchers Say - NYTimes.com

The system has been cracked. This of course is nothing new. Those who manufacture false IDs, including false social security cards, have known this for years.

Social Security Numbering System Is Vulnerable to Fraud, Researchers Say - NYTimes.com

Monday, July 6, 2009

pissedconsumer.com, ripoffreport.com, complaintsboard.com Extort, Facilitate Identity Theft, Potential FTC violations

The new, for-profit model of consumer complaint websites has left the old BBB in the dust, generating tremendous profits with which they have successfully combated nearly every legal challenge to their bald-faced facilitation of slander and libel.

Complaintsboard.com, ripoffreport.com and pissedconsumer.com (formerly pissedcustomer.com, before they lost their old domain) have all jumped to the top of the Google pile whenever a search is done on the name of a person or company who has been bashed on their servers. Their successful trade in advertising to all who search the web using the name of their mark has been second only to the thinly-veiled blackmail perpetrated by their offer of "Reputation Management" services to those who have suffered from the illegitimate complaints.

Hiding behind the Right to Freedom of Speech, these clowns openly refuse to remove any posting, true or not. Unlike the Better Business Bureau, this new model is closed, and offers no third-party arbitration. Rather, these new 'slander sites' allow you to post your rebuttal. This of course is of no use when the damage is done by the illegitimate initial report, which remains in the initial search results, which show that the mark is perhaps the next Charles Manson or Bernard Madoff.

The so-called "reputation management" services offered by these anonymous providers will typically charge the mark about $2,000 to remove the damage from the site of the "reputation manager". Sound familiar?

This is a protection racket. Pay up, or we 'facilitate' the first amendment rights of anonymous people to slander you. It easily crosses the line to organized conspiracy to extort; blackmail.

The perpetrators have weathered many lawsuits attempting, for the most part, to have the name of the mark removed from the URL generated by the services. These suits have failed due to the strength of the right to free speech.


It appears that these sites do not police their own postings well. Many seeking vengeance simply slander individuals as best they can put a sentence together, and post anything they can which they feel will embarrass, humiliate or endanger the mark. Herein lies your ability to combat the scam.

Many complainants have posted personally identifiable information (PII) on their marks, in hopes of doing them damage. This could include combinations of name, address, birth date, telephone number, financial information, social security number, family member names and family member financial information. Slander sites gulp the information in, without regard for the liability of posting it, because they sell the ads viewed by the many who seek the information posted by the conspirators.

But the FTC may not like that. Personally identifiable information about you can't be traded in without your consent. By posting it on ad-supported sites and not allowing you to remove it, they are certainly trading in your PII. That's an FTC violation.

With enough complaints to the FTC, this practice may be quashed. Let's try it, shall we? If you or someone you know has been a victim of some one posting your personally identifiable information on any of these slander sites, post your complaint here: https://www.ftccomplaintassistant.gov/

If you would like help with the wording, I offer my assistance free of charge. It is critical to keep the complaint honest and accurate. Just email me the links to the PII posted, and I'll draft your complaint for you to post if it meets your approval. Again, free of charge.

Saturday, July 4, 2009

ID Theft: Corporate ID Theft, Case 1

If you think it's easy to steal someone's ID, you'll be really surprised how simple it is to steal the identity of a corporation. For this one, I'll bring in some personal experience.

One day, while in Washington, D.C. for an embassy party, I got a call from an FBI agent who said he needed some information on a borrower client of mine, from a few years earlier. The client had caused someone to wire my firm "some money", and he was investigating where it had gone from there. I asked him to fax me his subpoena for my records, and to please give me the names by phone so I could begin the investigation.

The names associated did not sound familiar. "How much money was wired to us?" I asked.

"Nine hundred thousand dollars." His reply made no sense. I knew I would remember clients of such size. I told him I was suspicious.

The agent was quite seasoned, and knew enough to confirm the bank name and bank account number of my operating account. I provided this, and he realized the account number did not match. It was, however, a different branch of the same bank, in the same city as my branch. My company name and address had been used. I later double-checked, to find I had no record of ever having received any such wire, and had no involvement with the named individuals.

So what happened?

Quite simply, someone had obtained a copy of the address and articles of incorporation of my firm from public records, faked a list of officers, opened a bank account in the company name, pretended to be the company in offering like services, and got a client to wire them $900,000 for nothing. My corporate identity had been assumed. Their client (the mark) never saw the benefit of his $900,000. He thought he had been talking to the company, was made who-knows-what promises, wired money to the scammer when he thought he was wiring it to the real company, and the rest is history.

Bank Fraud Scam: The "Who's Who"

This US-only, 3-victim scam is designed to allow the perpetrator to spend small amounts of money from one victim's checking account, while convincing him or her that it was done by another victim. The money is paid to a third victim who has to refund it.

Imagine you get a phone call from a vendor telling you your check bounced, and demanding payment. Only you never heard of the vendor. Or perhaps you see some small checks clearing your bank account that you didn't write. You might be a vendor who gets checks from a local company which don't clear, and the vendor seems to be playing dumb to the fact.

All of these could be victims of this scam.

  1. Scammer obtains the banking ID numbers of an existing valid account of Victim 1. This is usually done just by seeing the check. Any cashier can easily obtain the data, especially if they are using a mobile phone camera. The information needed is only the account number and routing number at the bottom of the check. This information is of course also available to anyone to whom you write a check.
  2. The scammer obtains the name and address of a valid company, which will become Victim 2. This can be as easy as going to the phone book or the internet. Just about any company will do.
  3. Scammer prints checks (easily done on any computer, no special ink necessary) which show the routing and bank numbers of Victim 1 at the bottom of the check, and the company name and information of Victim 2 at the top left of the check.
  4. Scammer then goes and pays for services or goods from just about any retailer (Victim 3) using the checks he has created. He signs his own name, or the name of any fake or stolen ID he has. The amounts of each check are usually under $100.
  5. The check confirms, because the numbers read by the cash register at the bottom are valid, and the balance is sufficient. The ID matches perfectly and signatures are spot-on. The name of the account is usually a corporation, and no retailer has a way of verifying whether the signer is a signatory to accounts for the corporation.
  6. The check clears the account of Victim 1, who may or may not notice the small amount missing. If Victim 1 catches the bogus check, they notify the bank, which then closes the account and returns the check to the retailer or payee's bank.
  7. Victim 3, the retailer or payee, then gets notice that the check is returned. Naturally they contact Victim 2, the company whose name was used at the top of the check. The company denies all knowledge. If it is a small company, Victim 3 probably won't believe them, and will pursue them with bad check laws, only to find out they never wrote the check.
  8. The unknown perpetrator gets away with paying bills with others' names, addresses, bank accounts, etc.

How to Protect Yourself

  1. Write checks as seldom as you possibly can.
  2. Don't send checks bearing a signature to vendors you don't know. Use a credit card or online bill pay service instead.
  3. As soon as you hear something that sounds like any of the above, file a police report to protect yourself from further action done in your name.

Sunday, June 28, 2009

Double Factor Fraud

This scam is designed for a merchant to rip off its factor. Amazingly simple, incredibly effective.

  1. Merchant creates a factoring agreement to sell its accounts receivable to a factoring house (a form of financing).
  2. The factor records a UCC-1 financing statement to secure its position as holding the primary claim on all accounts receivable of the Merchant.
  3. Merchant sells receivables to the Factor, receiving cash up front. The Factor bills the customers.
  4. Suddenly, the Factor stops receiving payments on the invoices.
  5. The Factor contacts invoiced customers to attempt to collect, finding that they claim to have already paid.

What Happened?

  1. The Merchant set up a second company, with a similar or the same name as the Factor.
  2. Merchant has the new 'fake factor' company bill his customers immediately following the real Factor's bill, as an address correction. He might even offer a discount.
  3. Customers pay the new fake factor, thinking they have paid the correct party.


Merchant has received the advance from the first factor, and the payment from the customer, getting paid 75%-80% more for each invoice, until he is found out. This is often done when the Merchant is on his way out of business.


Contact each customer prior to purchase. Make sure they understand that there is to be no assignment without your involvement. If you learn of one customer paying an imposter factor, the rest are too. Contact authorities and file a criminal scam report. You will likely be told to file a civil action to get an injunction.

Saturday, June 27, 2009

Negotiated, Willful Blindness Scam

This is a commercial finance scam designed to create a fall guy either for an intentional default or for an exorbitant amount of risk.

A retail lender seeks an investor to purchase or expand its business. The value of any retail lender depends on its own credit. The more money the lender is able to move, the more valuable it is.

The retail lender locates a wholesale line of credit provider. This wholesale lender wants to issue the line of credit, as its value is determined by the amount of "assets" it has. Since each issued line of credit is considered an "asset" they are anxious to get the line of credit on the books. This is especially the case in hot market scenarios.

The wholesale lender requires that the retail lender provide audited financials from a CPA firm. These of course transfer liability to the CPA firm if the financial information provided is not accurate. However, most applicants can not provide financials substantial enough to qualify for the wholesale line of credit. This leads to a notorious game of willful blindness.

CPA firms make the bulk of their income by charging the fees for audited financial statements in situations like these. The younger, newer accountants are hungry for the new accounts of smaller companies getting their first sets of audited financials.

With all three parties motivated toward exactly the same result, the situation is ripe for a classic case of willful blindness. The result is that the CPA firm and the wholesale lender begin direct communications, producing negotiated financials and other qualifications, in which all three parties negotiate directly with each other to produce qualifying documents, despite the lack of real qualification of the retail mortgage company.

Each party to the negotiation seeks to interject what it sees as necessary to provide for plausible deniability later. The CPA wants bank statements to read as they need them to read. The wholesale lender wants the CPA to produce audited financials which they can point to later as proof that the retail lender is financially qualified. The retail lender desperately wants the line of credit, and may create false documents to fulfill the requirements set forth by the CPA.

Finally, the retail lender produces false statements, so that the CPA can produce blindly audited financial statements, so that the wholesale line of credit provider can issue its line of credit to the unqualified retail lender.

When the line of credit goes into default, the wholesale lender attempts to collect from the retail lender, which often declares bankruptcy. This brings the audited financials, and the CPA firm, into question. This brings the errors and omissions insurance of the CPA firm itself into the arena.

In some cases, even the institutions providing the bank or other statements used in the preparation of the audited financials, are accused by the wholesale lender of collusion.

The entire objective is to get an outside party to cover the debt. Either the errors & omissions insurance of the retail lender or the CPA firm, or the financial institution which provided statements, will have to pay up for the scam of the three in collusion.

Once the line of credit is provided by the wholesale lender to the retail lender, there is a great increase in market value of the retail lender. They then attempt to obtain an investor or sale of the firm before the resulting default takes place.

This is a method of conspiracy to defraud a lender or an investor, but it is seldom caught or prosecuted.

Friday, June 26, 2009

Overpayment-Refund Check Scam

Also known as the Cashier's Check Scam, the latest iteration is slightly more sophisticated than predecessors.

Here's how it happens:

  1. You advertise something for sale. It could be an item or a service. You advertise it on the internet, usually somewhere with no ID checking capacity, such as craigslist.
  2. A potential buyer contacts you and expresses interest in your offer.
  3. The buyer explains that they will provide a cashiers check or corporate check to pay in full.
  4. To put you at ease, the buyer gives you all of the details of the cashiers check, or of the corporation and its corporate check on the way.
  5. If you call the issuing bank to confirm the validity of the check, it may be validated. This only means that the check bears a real account number, routing number, and matching issuer name.
  6. The buyer then tells you they have sent, or are sending, an amount greater than the price of your offering. They explain the overpayment, and that they need you to send the difference back to them, or pay it to a person affiliated with them, such as a son or daughter in your local area.
  7. The check arrives as promised, for a larger amount than required.
  8. You deposit the check as expected.
  9. You wait for the check to clear. It does.
  10. You refund the overpayment to the buyer.
  11. The check is later returned by your bank, leaving you without the funds you sent to the buyer as the overpayment refund.
  12. The buyer is nowhere to be found.

What happened?

  1. The "buyer" is a scammer, who obtained the information on the check by copying it from an actual check, viewed by the scammer at some point.
  2. The scammer then goes fishing for anyone who will accept the check as an overpayment.
  3. With a "mark" in his sights, the scammer then forges the check or cashier's check. This is easily done with standard desktop publishing.
  4. When you deposit the check, it clears the account of the unsuspecting owner of the account.
  5. The company on whose bank account the check was drawn (the "maker") reports the fraudulent check to their bank.
  6. The maker's bank retracts the payment, charging your bank for the amount cashed. Your bank then charges you.