Risk
7/12/2007
05:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Who's Fighting Identity Theft? You'd Be Surprised

I love a good scrap, and one of the more interesting ones I've been following this year involves the U.S. Justice Department and E-Gold, an organization that provides a payment system for online transactions. The government says that E-Gold facilitates cybercrime by allowing the criminal element to pay online for stolen goo

I love a good scrap, and one of the more interesting ones I've been following this year involves the U.S. Justice Department and E-Gold, an organization that provides a payment system for online transactions. The government says that E-Gold facilitates cybercrime by allowing the criminal element to pay online for stolen goods. Yet E-Gold portrays itself as a fellow cybercrime fighter and asserts the government ignores its offers for assistance and is taking credit for E-Gold's investigative work.A federal grand jury in late April indicted E Gold Ltd, Gold & Silver Reserve Inc., and the owners of these related digital currency businesses on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business.

However, E-Gold chairman Douglas Jackson disputes these charges and asserts that the U.S. Secret Service's recent announcement that it has arrested and indicted four members of an organized fraud ring in south Florida was helped by E-Gold's own investigative efforts. "The recent USSS press release is the second instance in three weeks where the USSS is claiming credit for work that was actually initiated and performed last year by e-gold's own in-house investigators," Jackson told me in an e-mail exchange today.

Why is all of this squabbling important to you? As you'll see in InformationWeek's upcoming 10th Annual Global Security Survey, which hits InformationWeek.com this weekend, often companies don't know when their IT systems have been breached and their customer data stolen and sold on the black cyber market. In the 2006 Annual Global Security Survey, only 8% of U.S. respondents said that identity theft had occurred within their organization. You'll be surprised to see where that percentage is in this year's survey results. Anecdotal evidence (including the TJX and Polo cases), suggests that companies should be more worried.

It also suggests that law enforcement should be using every tool at its disposal to crack down on crooks looking to ruin your credit and, worse, the credit of your customers.

The Secret Service's south Florida bust resulted in the recovery of about 200,000 stolen credit-card account numbers responsible for fraud losses roughly calculated to be more than $75 million. One of the keys to the arrests was information that the Secret Service obtained after earlier this year arresting a 30-year-old Florida man--who used the online handle "Blinky"--and his girlfriend. Blinky is accused of trafficking counterfeit credit cards and identifications for years over the Internet. His arrest turned up evidence of an organized fraud ring involving Cuban nationals operating in south Florida and led to the four arrests and indictments announced this week.

The four fraudsters were sending large amounts of money via E-Gold accounts to known cyber criminals in Eastern Europe in return for tens of thousands of stolen credit card account numbers. The stolen credit card account numbers were then used to counterfeit credit cards in "plants" throughout southern Florida, the Secret Service said in a statement.

But Douglas says it was his company that first brought Blinky to the attention of law enforcement in March 2006. Jackson told InformationWeek that investigators working for E-Gold began monitoring Blinky pursuant to an undercover operation it was conducting with law-enforcement agents from the U.S., U.K., and Russia.

"In May 2006, working with records supplied by an exchange service that had sold [Blinky] some e-gold, we were able to supply general location (Miami), three confirmed phone numbers he used, and the usual IP/timestamp combos that even in this day and age are often useful," Jackson said. "In September 2006 we were able to set up a quasi-ambush where the guy was sent a Fed Ex package such that we were able to supply law enforcement with a specific physical location (a garage in Miami) and a time to nab him."

Jackson sent me a copy of an e-mail exchange he claims to have had with a Secret Service contact in January 2006. In an e-mail Jackson ostensibly sent to the agency, he requested the Secret Service use information gathered by E-Gold investigators to crack down on a card-counterfeiting ring. An enthusiastic-sounding response from the agency informed Jackson his Secret Service liaison had made contact with "our guys at HQ and they will be in contact with you or your staff concerning this matter." Jackson told me that E-Gold was later "rebuffed" by the Secret Service and doesn't know if they followed up on the information he says he sent them.

If you're curious about the Justice Department's side of this story, so am I. While I've reached out to them several times as the TJX case has unfolded, I rarely hear back from them.

The TJX data breach has cost that company more than $20 million, and counting. For that company, law enforcement's successes are probably bittersweet. On the one hand, crooks are being put away. On the other hand, the evidence is mounting that their customers have become victims of identity theft. Still wondering whether law enforcement should be working with, rather than against, E-Gold?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant