Risk
7/12/2007
05:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Who's Fighting Identity Theft? You'd Be Surprised

I love a good scrap, and one of the more interesting ones I've been following this year involves the U.S. Justice Department and E-Gold, an organization that provides a payment system for online transactions. The government says that E-Gold facilitates cybercrime by allowing the criminal element to pay online for stolen goo

I love a good scrap, and one of the more interesting ones I've been following this year involves the U.S. Justice Department and E-Gold, an organization that provides a payment system for online transactions. The government says that E-Gold facilitates cybercrime by allowing the criminal element to pay online for stolen goods. Yet E-Gold portrays itself as a fellow cybercrime fighter and asserts the government ignores its offers for assistance and is taking credit for E-Gold's investigative work.A federal grand jury in late April indicted E Gold Ltd, Gold & Silver Reserve Inc., and the owners of these related digital currency businesses on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business.

However, E-Gold chairman Douglas Jackson disputes these charges and asserts that the U.S. Secret Service's recent announcement that it has arrested and indicted four members of an organized fraud ring in south Florida was helped by E-Gold's own investigative efforts. "The recent USSS press release is the second instance in three weeks where the USSS is claiming credit for work that was actually initiated and performed last year by e-gold's own in-house investigators," Jackson told me in an e-mail exchange today.

Why is all of this squabbling important to you? As you'll see in InformationWeek's upcoming 10th Annual Global Security Survey, which hits InformationWeek.com this weekend, often companies don't know when their IT systems have been breached and their customer data stolen and sold on the black cyber market. In the 2006 Annual Global Security Survey, only 8% of U.S. respondents said that identity theft had occurred within their organization. You'll be surprised to see where that percentage is in this year's survey results. Anecdotal evidence (including the TJX and Polo cases), suggests that companies should be more worried.

It also suggests that law enforcement should be using every tool at its disposal to crack down on crooks looking to ruin your credit and, worse, the credit of your customers.

The Secret Service's south Florida bust resulted in the recovery of about 200,000 stolen credit-card account numbers responsible for fraud losses roughly calculated to be more than $75 million. One of the keys to the arrests was information that the Secret Service obtained after earlier this year arresting a 30-year-old Florida man--who used the online handle "Blinky"--and his girlfriend. Blinky is accused of trafficking counterfeit credit cards and identifications for years over the Internet. His arrest turned up evidence of an organized fraud ring involving Cuban nationals operating in south Florida and led to the four arrests and indictments announced this week.

The four fraudsters were sending large amounts of money via E-Gold accounts to known cyber criminals in Eastern Europe in return for tens of thousands of stolen credit card account numbers. The stolen credit card account numbers were then used to counterfeit credit cards in "plants" throughout southern Florida, the Secret Service said in a statement.

But Douglas says it was his company that first brought Blinky to the attention of law enforcement in March 2006. Jackson told InformationWeek that investigators working for E-Gold began monitoring Blinky pursuant to an undercover operation it was conducting with law-enforcement agents from the U.S., U.K., and Russia.

"In May 2006, working with records supplied by an exchange service that had sold [Blinky] some e-gold, we were able to supply general location (Miami), three confirmed phone numbers he used, and the usual IP/timestamp combos that even in this day and age are often useful," Jackson said. "In September 2006 we were able to set up a quasi-ambush where the guy was sent a Fed Ex package such that we were able to supply law enforcement with a specific physical location (a garage in Miami) and a time to nab him."

Jackson sent me a copy of an e-mail exchange he claims to have had with a Secret Service contact in January 2006. In an e-mail Jackson ostensibly sent to the agency, he requested the Secret Service use information gathered by E-Gold investigators to crack down on a card-counterfeiting ring. An enthusiastic-sounding response from the agency informed Jackson his Secret Service liaison had made contact with "our guys at HQ and they will be in contact with you or your staff concerning this matter." Jackson told me that E-Gold was later "rebuffed" by the Secret Service and doesn't know if they followed up on the information he says he sent them.

If you're curious about the Justice Department's side of this story, so am I. While I've reached out to them several times as the TJX case has unfolded, I rarely hear back from them.

The TJX data breach has cost that company more than $20 million, and counting. For that company, law enforcement's successes are probably bittersweet. On the one hand, crooks are being put away. On the other hand, the evidence is mounting that their customers have become victims of identity theft. Still wondering whether law enforcement should be working with, rather than against, E-Gold?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio