Corporate Identity Theft on the Rise

prostoalex writes "As millions of Americans lose their identities to online and offline thieves, a new kind of crime has been cooked up by the criminals who are not bothering with doing pesky credit card charges. They steal entire companies, opening up merchant accounts for existing businesses and running up charges from aforementioned stolen credit card numbers. What's worse, is that the hole the criminals exploit seems to be built into the system. According to Bob Sullivan from MSNBC, "Many of the processing firms interviewed for this article claimed they caught on to the fraud after the transactions had cleared, but before the suspects had withdrawn the money from various checking accounts around the country. One did concede, however, that the scheme has real potential.""

Hmmmmm.....

[FatherKabral]

I wonder if Microsoft accepts credit cards.....

Re:Hmmmmm.....

[Faustust]

I don't know if they have in the past, but I made sure that they do now!

*strolls off singing "I'm in the money..."*

This happened to the TV show punk'd

[Fr05t]

Ashton was quoted saying, "Dude where's my company."

seems it would be

[Prince+Vegeta+SSJ4]

just as easy, and potentially more profitable.

All you would need is a legit FEIN, and real or forged Articles of Formation. Maybe an operating agreement. Open a bank account and VOILA!

Fraud != Theft

[Theseus192]

I hate it when the mass media call it "identify theft." If someone impersonates me, he's not taking away my identity, he's committing fraud.

Repeat after me... intangible and intellectual "property" cannot be "stolen." It can only be used in unauthorized ways.

Good Idea

[alarocca]

I love these articles that outline great ways to break the law. Like the one a while back about how to open a kryptonite U-Lock with a pen. It used to be hard to come up with great criminal schemes...now you just have to watch the news.

Re:Good Idea

[Rev.+DeFiLEZ]

Security through obscurity never works. The only thing putting on the news does is create outrage until the problem is fixed. "criminals" (and kryptonite) knew about the u-lock bic pen weakness for _years_ (2-3) now that it is on the news, kryptonite is replacing the defective ones.

now maybe the banks will ask the client for their goverment papers that proves they registered the bussiness.

Re:As long as...

[hype7]

on the subject of questionable ethics, does anyone else wonder about the guy who said "One did concede, however, that the scheme has real potential"? Potential? Potential? Maybe "potential for abuse" would be ok, but the way that's phrased at the moment... I can see the cogs turning over in this guys head for companies to target!

-- james

MP

And so - the Crimson Permanent Assurance was launched upon the high seas of international finance!

well documented type of theft , just not reported

[Anonymous+Chemist]

check out the link http://www.iwks.com/features/default.asp?pagetypei d=2&articleid=31496&subsectionid=655 this type of theft is well known; just not as reported as personal id theft. From other stories is seems the average is 30,000 or more per theft. Seems that perhaps the victum in this story came out lucky. However since you have to provide ID and would get captured on camera setting up a checking account, keeping your real ID does seem to be a challenge.

Theft via deception = Theft

[squiggleslash]

We're talking about a crime, as I understand it, that involves taking property from others by pretending to be someone you aren't. We don't talk about "Lock theft" (as in you pick a lock, get in, take what you want, and run out), but if it was unique enough for people to want to deal with it in special ways, I'm sure we would.

I'd say it's legitimate to call Identity Theft "theft" under the circumstances, whatever your opinions are on the "proper" wording for piracy.

Re:Theft via deception = Theft

[(void*)]

But deception is also fraud. The grandparent poster is NOT WRONG, and has a point. The point being that
even if the theft did not go through, one can still
prosecute it as fraud. Thus the credit card companies who repay the merchant but don't persecute
the fraudsters even with a lot of evidence are PART OF THE PROBLEM.

Re:As long as...

[ArsenneLupin]

They nail the AT&T's and Microsofts, and not the smalltown businesses owned by ma and pa (are there any left?), I don't have a problem with it at all. Go crooks go!

Problem is, they do target ma and pa businesses. Indeed, apparently their scheme only works if the victim does not yet have a merchant account on his own (or else the fraudulent account would be easily flagged as duplicate...). Thus the perfect victim is a company too small to be accepting credit cards. Sorry, Microsoft will unfortunately never be the target of these gentlemen;-(

Note: IRS has a new address

[perdu]

Dear Taxpayer, Your local IRS office address has changed. Please mail all taxes in the future to: Internal Revenue Service Box 1776 The Cayman Islands

Re:Note: IRS has a new address

[TykeClone]

That's why you should make out your checks to the "United States Treasury" instead of the "IRS".

This has actually been done before, and anyone can open an account for, as an example, "IsoRectal Spectroscopy" dba "IRS" and cash stolen tax checks.

How to article

[raider_red]

Does anyone else have a problem with the level of detail in the article? They not only report on the scam, but tell exactly how it was carried off. They've even provided the names of the merchant transaction companies which can be suckered.

Re:How to article

[Zak3056]

They not only report on the scam, but tell exactly how it was carried off. They've even provided the names of the merchant transaction companies which can be suckered.

To me that says one thing: honeypot.

Bring on those people who roll their eyes

[Featureless]

...every time some "paranoid" person starts talking about security. You know who I'm talking about.

They're everywhere. Nobody thinks worrying about security is cool or fun, it seems like a waste of money, a sign of mental instability, even a kind of obsessive behavior.

Everyone much prefers to be surprised and wave their hands when things go wrong. "It's out of control. You can't stop hackers/criminals/etc."

People have a terrible problem understanding scale. Nobody understood at Microsoft that the computer wasn't a little house in the country where you could leave the doors unlocked so occupants wouldn't have to fumble with the keys. When engineers there raised the problems they were scoffed at, disciplined. "Keep your priorities straight. Don't be paranoid." Nobody got it when the first spam was sent and we were all outraged... "What's wrong with a little spam?" How about what's wrong with 300 spam a day? It's just the "logical conclusion" - which is not logical anymore to people who don't like to be bothered thinking deeply about their responsibilities.

The many systems our financial institutions use for identifying and tracking "consumers" are ridiculously insecure. And although the victims wail and now are allowed a few minutes a month to tell their horrible tails on 60 minutes, we as a whole seem determined to close our eyes and race grinning into the brick wall of scale again. How many hundreds of thousands of people have to have their lives ruined before colleges stop making everyone spout their social security number like it's their first name, and the mother's maiden name loses its appeal? How long before companies stop letting $5 an hour employees handle "meaningless" data (with literally no background checks or security controls) that is worth millions when properly exploited?

This is a cultural change we need to kick off. We need to take security seriously. It needs to become uncool to roll your eyes and mock the security expert.

Re:Bring on those people who roll their eyes

[JimBobJoe]

How long before companies stop letting $5 an hour employees handle "meaningless" data (with literally no background checks or security controls) that is worth millions when properly exploited?

Or, alternatively, when will companies stop pretending that they can be trusted simply because of employee credit card verification checks, background checks and a piss test?

I like to look at it this way, here in Ohio (as in most states) you need to go through the most awewsome background check ever in order to take the state bar. Full multi level 10 finger fingerprint check (local, state, national) credit check, employer verification check for all jobs worked since you were 16, the list goes on and on and it may even go into your mental health history (one of the few jobs you hear of that occuring.)

In spite of all of this, the industry as a whole can be summarized as a convention of pricks.

There are limits to background checks.

Re:Bring on those people who roll their eyes

[infinite9]

Actually, we tried to have fraud alerts placed in all three credit reporting agencies. The problem is that credit reporting agencies are just as bad (if not worse) than the credit card companies themselves. Since the credit card companies are their customers, and not the people they're gathering information on, they won't actually talk to you. To get a fraud alert, you have to send them a request, in writing. One of the agencies did this immediately. Another did so after a lot of harrassment. The third never did put it on. This was after following all the correct procedures. Once the fraud alerts were on, we ran into them exactly one time while applying for instant credit. In this case, it was a home depot card. The people at the store put me on the phone with their credit department. The woman asked, "Do you know why I'm talking to you?" I mentioned the fraud alert and that was it. Here's your card. No other proof was required. I bought a car without a word from the bank who wrote the loan. Fraud alerts are a joke.

If someone gets your information, you're hosed. There's only one thing you can do. It was modded +5 funny, but another post hit the nail on the head. Burn your credit rating.

Re:Bring on those people who roll their eyes

[forkboy]

You could always find your mortgage broker and piss-pound him into giving back your file.

You're luckier than most people, you actually know the identity of the person who took yours.

FBI Not Interested?

Never mistake silence for disinterest (or assent, for that matter).

The FBI could be very interested in the Pakistan and Russian connections. However they are very unlikely to be discussing details of the case with regular civilians.

Or they could be disinterested.

mostly insider theft

[presmike]

Identity theft was covered at this years blackhat in vegas and it was stated the the vast majority of indentity theft is corporate insiders stealing the info and selling it on the web. Hackers/crackers only account for a small about of the current identity theft.

Re:Stolen?

[Saeed+al-Sahaf]

THIS IS NOT THEFT!!! Theft involves the physical taking of something!!

Like credit cards with SOMEONE ELSES name on them? Like SOMEONE ELSES money or "physical" merchandise? Theft is when you steal something of value. Websters gives examples of both tangible and intagible theft.

Besides, what's your point? Just trying to be argumentative, or perhaps justify something darker?

Damn right the problem is built-in to the system

[wowbagger]

You are damn right the problem is built-in to the system.

The scum create an account, and charge a bunch of crap to it from stolen cards. They then extract the money and run.

The people bilked bitch to the credit card companies.

The card companies attempt to reverse the charges.

The poor business who was impersonated gets stuck with the bill. At best, the company can establish its innocence, and the CC company writes the cost off its taxes.

If the *credit card companies* were the ones who had to suffer the costs of fraud, rather than shifting it to the companies or to the taxpayer, then they would be a HELL of a lot more motivated to add stronger authentication to the system.

As it stands now, if somebody is committing massive credit card fraud in the form of lots of small charges, and you try to bring this to the card company's attention, they blow you off because it just isn't worth their time - it is easier to just charge back to the merchants. A friend of mine who works in the order-processing chain for a large company ran into just that - he detected a fraud ring attempting to rack up a lot of charges, he called the card company and said "I'll give these guys to you with a ribbon tied around them - addresses, names, the works." "Not interested - bu-bye!"

Not Credit cards

[nurb432]

But they do accept souls..

The only way to stay protected...

[SomeoneGotMyNick]

...appears to be by trashing your own credit. This way your credentials will be rejected for new applications.

Re:Damn right the problem is built-in to the syste

[qbzzt]

If the *credit card companies* were the ones who had to suffer the costs of fraud, rather than shifting it to the companies or to the taxpayer, then they would be a HELL of a lot more motivated to add stronger authentication to the system.

Except they are the ones who pay for it. They get to deduct a business loss from their taxes, because those losses reduce their earnings.

What is particularly outrageous is ...

[Presence1]

... that the company whose identity is misused is seen as being responsible for the losses. It is the merchant service providers and banks that should be held fully responsible -- they are the gatekeepers who failed to mind the gate, never checking the imposters' identies or association with the company.

"For all of us, it's a tough business," Steinberg, of Merchant E Services, said. "It's a large, large problem."

No Shit, Sherlock. It may be a large, large problem, but it is your responsibility to solve it. If you can't solve it or handle the losses, you shouldn't be in the business. Period.

Any suggestions on how to keep the losses on the banks and service providers, instead of the businesses?

Re:why bother stealing a companies identity

[KatieL]

Actually, even if you rush off and buy an off the shelf company and a rename (for a hundred quid say). You still can't open a business account.

*I* own such a company, I use it, it trades, it files tax returns.... and the palaver I have to go through to open accounts and things is bonkers.

(Instead I have to turn up with massive piles of other documents.)

Because I don't have a passport. And in Britain, to open a company bank account, all the company officers have to turn up in person and present their passports.

So suddenly, you've got to get a fake passport as well.

And, bear in mind, you also have to somehow change the address of the company at companies house -- otherwise the trick of sending the mail to a duff address doesn't work; given the companies registration number it's trivial to find the registered address.

disinterested?

[brauwerman]

It's really annoying when a single word no longer means anything, and concise communication becomes impossible.

http://dictionary.reference.com/search?q=disinte re sted

Usage Note: In traditional usage, disinterested can only mean having no stake in an outcome, as in
Since the judge stands to profit from the sale of the company, she cannot be considered a disinterested party in the dispute.
But despite critical disapproval, disinterested has come to be widely used by many educated writers to mean uninterested or having lost interest as in Since she discovered skiing, she is disinterested in her schoolwork.

Oddly enough, not interested is the oldest sense of the word, going back to the 17th century. This sense became outmoded in the 18th century but underwent a revival in the first quarter of the early 20th. Despite its resuscitation, this usage is widely considered an error.

In a 1988 survey, 89 percent of the Usage Panel rejected the sentence
His unwillingness to give five minutes of his time proves that he is disinterested in finding a solution to the problem.
This is not a significantly different proportion from the 93 percent who disapproved of the same usage in 1980.