Posts Tagged: FTC


25
Oct 16

Senator Prods Federal Agencies on IoT Mess

The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”

The letter continues:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur” [link added].

As Warner’s letter notes, last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Continue reading →


20
Jan 16

The Lowdown on Freezing Your Kid’s Credit

A story in a national news source earlier this month about freezing your child’s credit file to preempt ID thieves prompted many readers to erroneously conclude that all states allow this as of 2016. The truth is that some states let parents create a file for their child and then freeze it, while many states have no laws on the matter. Here’s a short primer on the current situation, with the availability of credit freezes (a.k.a “security freeze”) for minors by state and by credit bureau.

The lighter-colored states have some type of law permitting parents and/or guardians to place a freeze or flag on a dependent's credit file.

The lighter-colored states have laws permitting parents and/or guardians to place a freeze or flag on a dependent’s credit file.

A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live. Why would ID thieves wish to assume a child’s identity? Because that child is (likely) a clean slate, which translates to plenty of available credit down the road. In addition, minors generally aren’t in the habit of checking their credit reports or even the existence of one, and most parents don’t find out about the crime until the child approaches the age of 18 (or well after).

A 2012 report on child identity theft from the Carnegie Mellon University CyLab delves into the problem of identity thieves targeting children for unused Social Security numbers. The study looked at identity theft protection scans done on some 40,000 children, and found that roughly 10 percent of them were victims of ID theft.

The Protect Children from Identity Theft Act, introduced in the House of Representatives in March 2015, would give parents and guardians the ability to create a protected, frozen credit file for their children. However, GovTrack currently gives the bill a two percent chance of passage in this Congress.

So for now, there is no federal law for minors regarding credit freezes. This has left it up to the states to establish their own policies.

Credit bureau Equifax offers a free service that will allow parents to create a credit report for a minor and freeze it regardless of the state requirement. The minor also does not have to be a victim of identity theft. Equifax has more information on this offering here.

Experian told me that company policy is not to create a file for a minor upon request unless mandated by state law. “However, if a file exists for the minor we will provide a copy free to the parent or legal guardian and will freeze it,” said Experian spokesperson Susan Henson.

Henson added that depending on state law, there may be a fee ranging from $3 to $10 associated with the minor’s freeze. However, if the minor is a victim of identity theft and the applicant submits a copy of a valid police or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles (DMV), the fee will be waived.

Trans Union has a form on its site that lets parents and guardians check for the presence of a credit file on their dependents. But it also only allows freezes in states that reserve that right for minors and their parents or guardians, and applicable fees may apply.

Innovis, often referred to as the fourth major consumer credit bureau, allows parents or guardians to place a freeze on their dependent’s file regardless of state laws. Continue reading →


21
Dec 15

Oracle, LifeLock Settle FTC Deception Charges

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

javamessThe FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software.  Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said “The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.” Continue reading →


26
Dec 14

Payday Loan Network Sold Info to Scammers

The Federal Trade Commission announced this week it is suing a consumer data broker that sold payday loan application data to scammers who used the information to pull money out of consumer bank accounts. The scam brings to mind an underground identity theft service I wrote about in 2012 that was gathering its data from a network of payday loan sites.

Usearching.info sold sensitive data taken from payday loan networks.

Usearching.info sold sensitive data taken from payday loan networks.

According to the FTC’s complaint, data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. “At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization,” the FTC said.

The FTC charges that the defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead. But the defendants also allegedly sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information.

In Sept. 2012, I published a blog post about “Usearching[dot]info,” a now-defunct ID theft service that offered the ability to purchase personal information on countless Americans, including SSN, mother’s maiden name, date of birth, email address, and physical address, as well as and driver license data for approximately 75 million citizens in Florida, Idaho, Iowa, Minnesota, Mississippi, Ohio, Texas and Wisconsin.

That story noted that Usearching[dot]info also included data that appeared to come from another source — more than 330,000 consumer bank account records pulled from an archipelago of satellite Web sites that negotiate with a variety of lenders to offer payday loans. From that piece:

“I first began to suspect the information was coming from loan sites when I had a look at the data fields available in each record. A trusted source opened and funded an account at Usearching.info, and purchased 80 of these records, at a total cost of about $20. Each includes the following data: A record number, date of record acquisition, status of application (rejected/appproved/pending), applicant’s name, email address, physical address, phone number, Social Security number, date of birth, bank name, account and routing number, employer name, and the length of time at the current job. These records are sold in bulk, with per-record prices ranging from 16 to 25 cents depending on volume.”

“But it wasn’t until I started calling the people listed in the records that a clearer picture began to emerge. I spoke with more than a dozen individuals whose data was being sold, and found that all had applied for payday loans on or around the date in their respective records. The trouble was, the records my source obtained were all dated October 2011, and almost nobody I spoke with could recall the name of the site they’d used to apply for the loan. All said, however, that they’d initially provided their information to one site, and then were redirected to a number of different payday loan options.”

I have no idea whether LeapLab sold information to this identity theft service, or whether Ideal Financial was a customer of Usearching[dot]info. LeapLab is no longer in business, and Ideal’s assets are frozen and in receivership. But it’s clear Ideal obtained consumer data from multiple sources: The FTC says LeapLab provided Ideal Financial with financial account information for only about 16 percent of Ideal Financial’s victims.

In this, as with so many financial scams, the people least able to afford it get scammed and fleeced. The FTC charges that Ideal Financial purchased information on at least 2.2 million consumers from data brokers and used it to make more than $43 million in unauthorized debits and charges for purported financial products that the consumers never purchased. Sadly, these “financial products” were mostly about how consumers could manage their money better or get themselves out of debt. Continue reading →


1
Dec 10

FBI Identifies Russian ‘Mega-D’ Spam Kingpin

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.

According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.

As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.

Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.

According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.

Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

Continue reading →