Showing posts with label credit card fraud. Show all posts

Friday, 18 January 2013

Protect your identity

Your identity is perhaps the most valuable thing you possess. I don’t mean in some philosophical, existential way, I mean purely practically. Losing your identity could lose you every thebe you possess.

My wife, who is a banking expert, is understandably paranoid about her banking identity. While we’re both big believers in online banking, cellphone banking and, in fact, anything that means we don’t have to enter Hell itself (a bank at the end of the month) we’re aware of the risks associated with technology in banking.

Even the simplest form of banking technology, your bank card, is profoundly risky. Whether it’s a simple ATM card, a debit or a credit card, it offers crooks a great opportunity to steal all your money. Critically, you must understand that in most situations, if this happens, it’ll be all your fault. Most of the time your cards can only be used in conjunction with the PIN, the number that only YOU should ever know. A crook can’t do anything with a stolen card unless he knows the PIN. The bad news is that they often DO know your PIN.

I heard recently of a case where a bank customer stormed into his branch demanding to know why the bank had allowed a thief to withdraw a small fortune from his account using the ATM. They sat him down and showed him the pictures the ATM had taken at the time the withdrawals had been made. Oh, he had to say, that’s my daughter.

We’ve heard the same story many times. Children, siblings, nephews, nieces and friends all knew the PIN for the victim’s card. Most of them didn’t know that many ATMs take a picture every time the machine is used.

Other times it’s more conventional crooks, not a relative or friend. Quite often they place a secret camera on the ATM that watches and records the keys the victim presses on the key pad. Combine that with a simple card reader that they insert into the slot where you slide your card and the crooks can get both a copy of the magnetic strip on your card AND your PIN. Minutes later and they can have a replica card and your money will disappear as quick as a flash. And the bank will say it’s your fault.

Are they right to do that? Unfortunately they probably are. It wasn’t their fault that crooks stole your identity. You might argue that the banks should take more precautions to ensure that crooks can’t “skim” your card but that’s exactly what they ARE doing. Only a couple of weeks ago one of the biggest banks alerted customers to a slightly different way the ATM would behave to reduce the risk of skimming. I’m certainly no defender of banks but they ARE making some efforts to reduce the risk you and I face.

The simplest way to prevent all of this happening is to treat your PIN the way you would treat cash. Don’t let people you don’t trust look after it for you and, above all, don’t leave it lying around. Every single time you enter your PIN into an ATM or a point-of-sale device in a store or restaurant, cover your hand as you type in the number. Ideally you shouldn’t even be able to see your fingers yourself. If you can’t, then nobody else can and without your PIN a skimmed card is useless.

While my wife’s the big promoter of protecting your banking identity I’m the one paranoid about my online identity. I’ve seen too many friends lose their identity online to be complacent about it. Again, this isn’t some middle-aged, technophobic objection to new technologies of Facebook, Twitter and the web in general, I’m just very concerned about IDs and passwords and what can happen if they’re stolen.

Most of us will now have received an email from an acquaintance announcing that they suddenly left the country to attend a course or a conference, their wallet or purse was stolen and now they’re stranded in a foreign country and desperately need to borrow a few thousand. Can you assist?

Of course this is a scam. Your friend is at home watching TV, not stuck in a foreign hotel short of cash. What’s happened is that your friend’s email account password has been stolen. A crook persuaded your friend to disclose his email password and has now signed on, as him, changed the password and has now emailed everyone in his online address book with the story about the foreign trip and need for money.

This email is NOT really from Standard Chartered.

So how does a crook persuade you to disclose your password? That’s quite easy. He “phishes” for it. It’s really quite easy to do. Send an email to your victim, or perhaps a million of them at once, saying that the security of their email account has been compromised. Advise them to click on a link to reactivate their account. That link goes to a very cleverly crafted replica of the genuine email site, not the real one. Once there they’ll be asked to enter their User ID, password and a whole range of other things including all the details often used to prove their identity like their address, date of birth and passport number. Not surprisingly many, many people naively enter these details, not realising that they’re giving away their online identity.

This is NOT really the Standard Chartered Online Banking web site.

Exactly the same thing happens with bank accounts. An email from “your bank” arrives with a similar story and including a link to a fake bank web site. Within moments people give away their online banking details to a total stranger. They often never realise that this is how a crook got their details and stole their savings. Yet again the bank is entirely within its rights to say that this wasn’t their fault, so they’re not going to compensate you. This was entirely your own fault.

Please, in 2013, make this your New Year Resolution, along with being more patient with your spouse and cutting back on the booze and pies. Protect your digital identity the way you would protect your real-life identity.

Friday, 11 May 2012

Serious crime

I have a confession to make. I’ve been lying.

Don’t feel too bad for me, I don’t actually feel that guilty. I’m not going to lose any sleep over it because of who’s been on the receiving end of my lies and fabrications.

A scammer.

And not just the ordinary level of scammer, this one is the real thing. A real, 100%, unadulterated criminal, thief and crook.

A few days ago I received an email from an organization calling itself “The Stellios Foundation”. It went like this:

“Hello, We are Stellios Foundation, engaging in human development and training and developing prospective leaders in the aspect of human development. We send our specialized trainers to different corners of the world to train upcoming human developers. We would be glad to co-operate with you in the aspect of travel arrangement for our team to different parts of the world. Please get back to us on your booking procedures and terms.

Best Regards, Alexander Stellios”

The usual clues were there that this wasn’t genuine. There was the rather poor English in their email and on their web site and the fact that their web site was only created on 23rd April this year, despite them claiming that it was “Copyright 2008”. Also, there was the clue that the person who registered the web site also registered a site for another “Foundation” in February but this has now disappeared. Should I be suspicious that he registered it from Lagos, Nigeria?

However I was curious. What was this one about? How were they planning to steal my money?

Using one of my many fake identities (OK, just a Gmail account with an assumed name) I responded. Within minutes they replied, without seeming to notice that I had replied using an identity different to the one they initially used. They said:

“We are in need of travel arrangements. The most pressing right now is International flight booking for our trainees. Please advise how you can assist with the flight booking.”

I won’t bore you with the dozen emails we exchanged but I do now know what the scam is. It’s credit card fraud and this is how it works.

This fictitious foundation recruits people to act on their behalf in booking flights for their entirely fictitious staff. All I have to do is open the right sort of bank account here, a “merchant’s account” and they can then pay me using a credit card. A stolen credit card. Here’s the clever bit. Let’s say the flights cost $1,500. Just before they tell me to charge the cost of the flights to their credit card they’ll call me and ask me to add additional money on top of the flight cost. They might say it’s to cover spending money for the employees, a hotel bill that will need to be paid in cash or car hire, it could be anything. They’ll tell me just to add it onto the credit card charge, making it $2,000 in total. I won’t mind of course, it’s not my money, I’m taking money from them.

Of course the credit card details are stolen. Sooner or later the bank that issued the card, wherever they are in the world, will notice that it’s been used and will instruct the charge to be reversed. But that could take several days, perhaps even weeks. In that intervening period the scammer will be in touch with me again breaking the bad news that the trip has been cancelled. Whether the tickets have been paid for yet doesn’t matter, that can probably all be reversed and after all, it’s not my money, is it? However what matters to the scammer is that extra amount, the cash we added on top of the flights, the extra $500. He’ll very politely ask for that back. He might even ease my disappointment by telling me that I can keep some of the cost of the flights as compensation. Most importantly he’ll want the $500 sent back to him using some method other than a credit card. He’ll say, apologetically, that although he has a credit card, he can’t receive payments to it. That’s when, you’ve guessed it, they ask for it back using Western Union. That reverse payment of the extra money is what this is all about. I don’t know exactly how much this will be, but if you consider that they’re certainly running many scams concurrently you can imagine how much they’re making, even if they only get a few hundred dollars from each victim. But why would they stop at a few hundred? As far as the victim is concerned he’s got thousands from the credit card payment. The sky’s the limit.

It’s also not particularly expensive to get stolen credit card details. If you have the right contacts online you can buy stolen credit card details for $25, maybe $50 for a high value card. The economics of this are simple. That’s all he needs.

If the scammer’s lucky all of this can happen in the period between the payment appearing in my account and it being reversed by the bank.

Luckily I suspect that most potential victims of this particular fraud are going to find it too difficult and complicated to operate. They won’t be able to open the necessary merchant account necessary to receive the credit card payment, either because their bank will ask too many questions or they only have a personal account, not a company one. The likely target market here is small. But, as I’ve observed before, scammers operate within a free market. The fact that they are trading and are constantly coming up with new ideas to separate us from our money suggests that the basic idea is working. Otherwise they’d get a real job, probably selling second-hand cars.

Monday, 7 May 2012

The Stellios Foundation - are they on the run?

The fake "Stellios Foundation" that I mentioned here, who appear to be running a credit card scam, know we're onto them.

A few days ago their web domain was registered as follows:

Create Date: 2012-04-23 12:29:14
Update Date: 2012-04-26 11:01:34
Expire Date: 2013-04-23 12:29:14

Registrant Contact Information
Abolaji Akindejoye
3840 W Hillsboro Ste3919
Deerfield Beach, Florida 33442
phone: +1.9543248016

Since publishing that last Thursday they seem to have reacted. Their registration now reads:

Create Date: 2012-04-23 12:29:14
Update Date: 2012-04-26 11:01:34
Expire Date: 2013-04-23 12:29:14

Registrant Contact Information
Derek Stellios
Stellios Foundation
135 Bridge Street
Newton, Massachusetts 02458
phone: +1.9543248016 fax: +1.8665218407

Maybe they didn't like using the name of a Nigerian? Curious though that the phone number remains with a "954" area code. That's a Florida code, not Massachusetts.

Coincidentally, as I typed this, another email came in from them, identical to the first but from "Derek Stellios". At least they're persistent!

Persistently criminal.
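
The clues spotted by eye in this post and in the "Serious crime" post above (a registration date later than the claimed copyright year, a renamed registrant keeping the same phone, an area code that does not match the state) can be checked mechanically. The Python below is an added example, not part of the original blog. The snapshots are constructed stand-ins for the two records quoted above, with names, streets and phone digits replaced by placeholders, and the function and flag names are hypothetical.

```python
import re
from datetime import datetime

# Constructed snapshots modelled on the two records quoted in the post:
# names, streets and phone digits are placeholders; dates, states and the
# 954 area code are the ones the post discusses.
BEFORE = """Create Date: 2012-04-23 12:29:14
Registrant Contact Information
REGISTRANT ONE
1 Example Blvd Ste 100
Deerfield Beach, Florida 33442
phone: +1.9545550100"""
AFTER = """Create Date: 2012-04-23 12:29:14
Registrant Contact Information
REGISTRANT TWO
Example Foundation
2 Example Street
Newton, Massachusetts 02458
phone: +1.9545550100 fax: +1.8665550101"""

AREA_CODE_STATE = {"954": "Florida"}  # the only mapping the post states

def parse(record):
    """Extract creation date, registrant name, state and phone digits."""
    lines = [ln.strip() for ln in record.splitlines() if ln.strip()]
    start = lines.index("Registrant Contact Information")
    created = next(ln for ln in lines if ln.startswith("Create Date:"))
    state = next(m.group(1) for ln in lines[start:]
                 if (m := re.match(r".+, ([A-Za-z ]+) \d{5}$", ln)))
    phone = next(m.group(1) for ln in lines[start:]
                 if (m := re.search(r"phone: \+1\.(\d{10})", ln)))
    return {"created": datetime.strptime(created.split(": ", 1)[1],
                                         "%Y-%m-%d %H:%M:%S"),
            "name": lines[start + 1], "state": state, "phone": phone}

def red_flags(before, after, claimed_copyright_year):
    """Compare two snapshots of one domain and list the inconsistencies."""
    old, new = parse(before), parse(after)
    flags = []
    if new["created"].year > claimed_copyright_year:
        flags.append("domain_newer_than_copyright")
    if old["name"] != new["name"] and old["phone"] == new["phone"]:
        flags.append("registrant_renamed_same_phone")
    expected = AREA_CODE_STATE.get(new["phone"][:3])
    if expected and expected != new["state"]:
        flags.append("area_code_state_mismatch")
    return flags

if __name__ == "__main__":
    print(red_flags(BEFORE, AFTER, claimed_copyright_year=2008))
```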