The Green Sheet Online Edition
October 24, 2011 • Issue 11:10:02
Fraud's twists and turns in 2011
2011 may go down as a pivotal year in the fight against fraud. The year has seen one of the biggest breaches in history, the development of organized fraud rings with members who exhibit rather unpredictable motivations, federal efforts to tighten up breach notification laws and a new type of Ponzi scheme involving online poker.
In April, the now infamous Sony Corp. network breaches were disclosed. The information of over 100 million gamers was reportedly compromised. One of several breaches forced Sony's popular PlayStation online game network to go dark for 23 days. The total amount of damages to Sony exceeds $170 million thus far.
On the upside, within just a few months of the hack, multiple suspects were arrested. The most recent arrest was of Cody Andrew Kretsinger, a 23-year-old network security student at the University of Advancing Technology in Tempe, Ariz. He is believed to be a member of computer hacker group Lulz Security, commonly called LulzSec. He is also said to be a former associate of another notorious hacking group, Anonymous.
According to the indictment, Kretsinger was involved in executing and, later, promoting the high-profile and costly attacks on Sony's networks. Oddly enough, he was named Student of the Month at UAT in July 2011.
In an interview originally published in the UAT Student of the Month newsletter, Kretsinger talked about his plans for the future.
After graduation, Kretsinger hopes to work as a network security professional for the U.S. Department of Defense. "From what I hear, they're pretty good at what I want to do," Kretsinger said in the newsletter. More specifically, the enterprising hacker thinks it would be "fun" to build networks from the ground up and then secure them.
Perhaps Kretsinger represents the changing face of fraud. One day he's arrested for taking part in one of the most costly hacks in history. The next day he's a celebrity aiming for a cushy job in the public sector.
Tightening breach notifications
LulzSec claimed to have breached other networks, namely those of the CIA and the U.S. Senate. Such activity spurred Capitol Hill to prioritize data security on the legislative agenda; numerous bills focused on data security are now working their way through Congress.
In July, the House Subcommittee on Commerce, Manufacturing and Trade approved by voice vote a version of a data breach notification bill designed to enhance protection of consumers' personal information by establishing uniform national standards.
Then, in September, the Senate Judiciary Committee OK'd the Personal Data Privacy and Security Act, the Data Breach Notification Act and the Personal Data Protection and Breach Accountability Act. Of that last bill, key provisions would require businesses to:
- If they maintain personally identifiable information on 10,000 or more U.S. consumers, develop a personal data privacy and security program to regularly assess, manage and control risks
- Provide employee training
- Conduct tests to identify system vulnerabilities
- Ensure that overseas service providers retained to handle personally identifiable information take reasonable steps to secure that data
- Periodically assess data privacy and security programs to ensure the programs address current threats
- Notify affected individuals of a breach by telephone or email within 60 days
Additionally, the bill would require breached organizations to post media notices and alert credit reporting agencies if individual hacks involve the information of 5,000 or more individuals. Exceptions to these provisions are provided in cases where notification could threaten criminal investigations.
The proposed federal law would also preempt state laws on breach notification, with the exception of state laws that provide consumers with information about victim protection assistance that may be available to consumers in a particular state.
Because the breach notification requirements in the bill do not apply to state and local governments, this provision would not preempt state or local laws regarding obligations by businesses in those jurisdictions to provide notice of data breaches to affected consumers.
There are 18 members on the Senate committee - 10 Democrats and 8 Republicans. Despite political differences, the committee's main goal is to strengthen privacy protection and nationalize breach notification practices. It seems each committee member understands the magnitude of the problem that confronts the nation.
A revealing hand of poker
When someone mentions online gambling, the first thing that comes to mind is poker and what happened to the popular online pastime this year. In September, Chicago's Daily Herald reported in "U.S.: Online gaming site is Ponzi, not poker" about the woes of online gambling site Full Tilt Poker, and how most online poker companies have been shut down.
According to the report, Full Tilt Poker and its operators built a global Ponzi scheme that cost its online poker players at least $390 million. Full Tilt Poker, PokerStars and Absolute Poker were shuttered in April, and a grand jury indicted Full Tilt Poker founder and Chief Executive Officer Raymond Bitar and 10 other executives on charges of bank fraud, money laundering and gambling law violations.
PokerStars returned proceeds to U.S. players in the wake of federal actions. Absolute Poker agreed to refund what it owed. But Full Tilt Poker, with only $60 million in its coffers, didn't have enough funds to pay back players, the report said.
In an interesting turn of events, Full Tilt Poker was reportedly scammed by a U.S. payment processing network that stole $42 million from the poker site, preventing it from pulling money from customers' bank accounts to fund online gambling credits.
Instead of disclosing the problem, Full Tilt maintained a false image of financial stability by crediting players' accounts with $130 million in "phantom funds," according to prosecutors quoted in the Daily Herald article. When players gambled with these funds and lost to other players, a "massive shortfall" developed, the prosecutors said.
And so it goes.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.