Risk Factor

This Week in Cybercrime: Tax-related ID Thefts Hit 1.8M in 2012

IRS Tax Refund Fraud Epidemic

Monday, April 15, is the deadline for individual income tax returns to be filed. This year, the U.S. Internal Revenue Service is expecting more than 146 million individual tax returns to be sent in, of which some 121 million will be entitled to refunds totaling approximately US $333 billion. However, among those 146 million returns, the IRS is also expecting millions of tax returns to be filed using stolen social security numbers and other personal information in an attempt to fraudulently obtain refunds, Senator Susan Collins (R-ME) said at a Senate Special Committee on Aging hearing earlier this week that looked into tax-related ID theft.

According to Collins, tax-related ID theft has exploded over the past five years. In 2008, the IRS reportedly confirmed “only” 52 000 such cases, compared to the nearly 1.8 million incidents the Treasury Inspector General for Tax Administration said the IRS identified last year. Another 1.5 million tax-ID fraudulent returns apparently slipped through without being caught in 2011 as well, Collins said. The total cost of refund fraud in 2011 was estimated to be as high as $5 billion (which does not include the hundreds of millions of dollars the IRS spent in trying to identify all the tax-related identity theft).

Deputy Commissioner of the IRS Beth Tucker wrote in an editorial in USA Today yesterday that in 2011, the IRS blocked $14 billion in fraudulent refunds, while in 2012 she said $20 billion in fraudulent refunds were blocked. She also stated that already this tax season, 2 million suspicious returns have been blocked (a total of 5 million were blocked in 2012, and 3 million in 2011, but it should be noted that not all of these were ID-theft related).

ID thieves have figured out that if they file fraudulent tax returns early in the tax season, they have a good chance of getting a refund before the IRS is able to discover their scam because the taxpayer information the IRS needs to verify a taxpayer’s earnings and withholdings isn't available until the end of March. In one case, scammers successfully used a single address in Lansing, Michigan to file 2137 fraudulent returns, which netted a total of $3,316,051 in refunds.

Tucker claims that the IRS is making progress in its fight against tax ID-theft and other tax fraud, saying, “We're also going after the bad guys. We've started 800 criminal investigations since October. And crooks are going to jail for up to 20 years.”

Somehow I don’t think the tens of thousands of tax refund scammers are too worried.


NTSB: Texting While Flying Contributed to 2011 Helicopter Crash

Yesterday, the U.S. National Transportation Safety Board (NTSB) reviewed the findings of its investigation into the crash of a Eurocopter AS350 B2 helicopter operated by Air Methods Corporation (and doing business under the name LifeNet). On Friday, 26 August 2011, at 1840 CDT the helicopter, which was on an emergency medical services (EMS) mission, crashed following a loss of engine power as a result of fuel exhaustion a mile from Midwest National Air Center (KGPH), Mosby, Mo. The pilot, flight nurse, flight paramedic and patient were fatally injured.

At yesterday’s NTSB inquiry, the board cited (pdf) as the probable causes of the accident “the pilot's failure to confirm that the helicopter had adequate fuel onboard to complete the mission before making the first departure, his improper decision to continue the mission and make a second departure after he became aware of a critically low fuel level, and his failure to successfully enter an autorotation when the engine lost power due to fuel exhaustion.”

In the preliminary NTSB accident report, the pilot was thought to have successfully entered into autorotation mode before the crash. However, the full NTSB investigation found this not to be the case, and believed that he may have been unsuccessful because of “the lack of practice representative of an actual engine failure at cruise airspeed in the pilot's autorotation training” in the model and make of helicopter being flown. The pilot, the NTSB found, had not received any of his autorotation training in a simulator which, the NTSB stated, would have made him “better prepared” to deal with an emergency situation.

Also contributing to the accident, the NTSB said, were “(1) the pilot's distracted attention due to personal texting during safety-critical ground and flight operations, (2) his degraded performance due to fatigue, [and] (3) the operator's lack of a policy requiring that an operational control center specialist be notified of abnormal fuel situations.”


IT Hiccups of the Week: Computer Technology Upgrade Sours Small Michigan County

Last week saw a real hodgepodge of IT-related errors. While none of them could be called of major significance, they did serve to exemplify the daily annoyance and exasperation for those experiencing them, as well as the unexpected good fortune that sometimes results. We start off with a story whose plotline is no doubt experienced with some regularity. This time it is set in Lenawee, Michigan (population 100 000), where a new computer system intended to make life easier and more productive for county employees has instead made it more difficult and highly stressful.

New Computer System “Overwhelms” Lenawee County Employees

Back in December 2011, Michigan’s Lenawee County Commission approved a US $1.45 million technology upgrade for outdated county computer systems and equipment, the Daily Telegram reported at the time. Poor economic conditions caused county tax revenue shortfalls, which in turn forced the county government to reduce its staff, yet the public was still expecting that “the same level of services” be provided. The Commissioners' expectation was that the new computer software and hardware would not only make county employees more productive but also help avoid future staff lay-offs. The goal was to have all the system upgrades, which would affect every Lenawee County government agency and department, in place by the end of 2012.

The Daily Telegram reported last July that the upgrade had reached the half-way mark. While the county's IT staff were reported to be “under stress” from having to install the new system as well as maintain the legacy system (some county agencies had complained about the IT staff not responding quickly enough to on-going problems involving the legacy system), the county administrator informed the County Commissioners that, “We’re actually on the downhill side for IT.” County staff members were beginning their training on the upgraded system, the installation of which looked to be generally within budget and on schedule.

Last week, however, the Daily Telegram published a story indicating that all was not well with the tech upgrade. The Telegram quotes the county treasurer at a County Commissioner hearing as saying, “Things with the new system, they’re going slow and there are things we haven’t conquered yet.” The county clerk stated, “It’s not just a learning process. It’s the system itself. There’s things we thought it would do but it doesn’t do.” One example is the new financial and payroll system, which has created “more work and stress” for county employees instead of making them more productive and efficient, the Telegram reported.

The Lenawee county sheriff is none too happy either. With apparent anger, the sheriff told the Commissioners that, “There is no way we should be in the position we are in right now…  We’ve got a system that’s supposed to save us time, but they’re overwhelmed over there.” He also complained that the technology contractor was unresponsive to the technical problems being raised, and that the “level of training” the contractor provided was less than expected.

In addition, the sheriff, as well as other county agency officials, said that the county’s IT staff, which was resource thin, was in over its head and unable to cope with all the problems cropping up. The Lenawee IT department head basically agreed, saying that “…we probably faltered along the way,” and added that “The stress level everywhere is up through the roof right now.”

Unfortunately, exactly what happened between last July’s “downhill side for IT” and today’s IT tar pit is not explained in any other Telegram or newspaper stories that I can find. It makes one wonder whether upgrade progress was being reported as “green” up until the day it was reported as actually being “red.” The latest Telegram story indicates that the Commissioners are now thinking of allowing the county IT department to hire another person “to help with a logjam of computer problems.” Whether that will help much, at least in the short-term, is debatable.


This Week in Cybercrime: Companies Attacked Every Three Minutes

Hackers Are Nothing If Not Persistent

Pick a company, any company. Well before you finish reading this blog post, that firm will likely have faced at least one malware-related event—and perhaps several. That’s the main takeaway from a new report on advanced persistent threats [pdf] released by researchers at the FireEye Malware Intelligence Lab. The group, which examined 89 million global malware events that FireEye documented during the second half of 2012, found that some companies have to fend off attacks as often as once every three minutes. "This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends," says the report. The most targeted types of companies are tech firms, because of the value of their intellectual property. Rounding out the top five most attacked industries, says a Kaspersky Threatpost article, are: telecom, logistics/transportation, manufacturing, and banking/finance. Who gets attacked the least? According to the report, government agencies, energy companies, and legal firms get comparatively little attention from hackers. The FireEye report also details the most common infiltration methods as well as the techniques attackers are now employing to evade security measures.


First Portable Telephone Call Made 40 years Ago Today

Forty years ago today, Motorola announced that Martin Cooper, director of system operations at its Communications Systems Division, made the world’s first public call (pdf) in Manhattan on its Dyna T-A-C (Dynamic Adaptive Total Area Coverage) Portable Radio Telephone System. The Motorola press release also credits the late John Mitchell, the division’s general manager and later president of Motorola from 1980 to 1995. The press release quotes Mitchell as saying, “What this means is that in a city where the Dyna T-A-C system is installed, it will be possible to make telephone calls while riding in a taxi, walking down the city's streets, sitting in a restaurant or anywhere else a radio signal can reach.”

Cooper made his call—which was as much a well-thought-out publicity stunt as an exhibition of a revolutionary technological (and societal) capability—on his “less than three pound” phone to the landline (of course) phone of his rival and counterpart Joel Engel, at AT&T’s Bell Labs. Cooper said the purpose of the call between the two engineers was to show not only AT&T and the public what Motorola had created, but more importantly to put U.S. government regulators on notice that there could and should be competition to AT&T.

Cooper told the Wall Street Journal that the demonstration, “… had little to do with making a phone call. The whole purpose of building that phone was to shut down AT&T.”

While Cooper and Mitchell told UPI in 1973 that they expected to install the first DynaTAC portable phone network in New York by 1976, it took nearly another decade before the U.S. Federal Communications Commission (FCC) approved the DynaTAC phones for general public use. Motorola says it invested US $100 million between 1973 and 1983 to create its original cell network; its first cell phones would have set you back about $4000 in 1983 or about $9 000 in today’s currency.


IT Hiccups of the Week: Expect Problems with New Medicaid System New Hampshire Warns

Last week was a relatively quiet week on the IT-related snag, snarl and uff da front. But it seems no one can roll out a new Medicaid system without IT problems, as many of New Hampshire's 10 000 Medicaid providers are likely to unhappily learn, beginning today.

New Hampshire Government Officials Say Expect Problems Today With Its New Medicaid System

At least no one can say they weren’t warned.

“No one is under the illusion that we won't have problems… It's not going to be perfect. We know that there are a number of issues we have with this. We want to make sure we have a full understanding of what those issues are.”

Those presentiments come courtesy of New Hampshire’s Health and Human Services Commissioner Nick Toumpas, quoted in the New Hampshire Union Leader last week when he told the state’s Executive Council and the Union Leader what to expect when the state's long-delayed new US $90 million Medicaid Management Information System (MMIS) goes live today, 1 April.

The new MMIS system contract was originally let in December 2005 to Affiliated Computer Services (which was acquired by Xerox in 2010). The total contract cost, New Hampshire Watchdog.org states, was for $60 million: “$26 million for the design phase, and $34 million for the full five-year operational phase.” The design phase was supposed to be complete by the end of 2007, and operations were scheduled to begin on 1 January 2008.

The Union Leader reports that the MMIS design “has been modified at least five times, with the Executive Council repeatedly voting to extend the contract after Xerox missed eight deadlines over the six-year period.” According to the paper, the design changes and delays were caused by additional state and federal system requirements, as well as contractor implementation problems.

New Hampshire has been paying EDS (now owned by HP), the until-today current MMIS system developer and operator—and losing bidder to ACS—some $8 million a year to keep the legacy system operational.

Toumpas told the Executive Council to expect angry phone calls from many of the state's 10 000 Medicaid providers saying that they were having problems with the new MMIS since there were known defects that haven’t been corrected yet. He also said there may be “calls from people about a defect we haven't anticipated yet,” as well. Toumpas said that Xerox had beefed up its response team in anticipation of the expected complaints.

I’ll let you know next week whether the anticipated errors were minor or major. If the recent experiences of other states like Florida, Idaho and Ohio are any indication, the latter is more likely than the former.


Drone Manufacturers Whine That They Are Misunderstood

The AP published a story today about how drone manufacturers are worried about the growing “privacy backlash” in the United States concerning the prospect of swarms of government and private UAVs taking to the air once the U.S. Federal Aviation Administration works out how to let them fly safely in U.S. airspace. The agency intends to have the rules worked out by 2015.

The manufacturers, says the AP, are worried that the FAA will dawdle in its rule making and thus allow politicians, privacy advocates, and others who worry that drones will be abused the time to place what the manufacturers consider to be unnecessary barriers to their use. They are worried that their $6 billion in expected sales to law enforcement and public safety agencies might be negatively impacted, especially with military contracts shrinking.

Apparently, in the manufacturers’ minds, those who “fear … the technology will be misused” just need to be re-educated about its life-saving benefits. The AP story quotes a UAV support services supply company CEO as saying, “Our lack of success in educating the public about unmanned aircraft is coming back to bite us,” while a drone manufacturer is quoted as saying, “Any legislation that restricts the use of this kind of capability to serve the public is putting the public at risk.” The story also quotes the executive director of the Airborne Law Enforcement Association as saying that UAVs “clearly have so much potential for saving lives, and it’s a darn shame we’re having to go through this right now. It’s frustrating.”

Yep, we need drones everywhere for the children’s sake.

If it wasn’t for those loud, pesky politicians like Rep. Ed Markey, D‐Mass., co‐chairman of the House Bipartisan Congressional Privacy Caucus, who introduced updated legislation last week to among other things (pdf), require the FAA to “not issue drone licenses unless the application includes a data collection statement that explains who will operate the drone, where the drone will be flown, what kind of data will be collected, how that data will be used, whether the information will be sold to third parties, and the period for which the information will be retained” as well as require “law enforcement agencies and their contractors and subcontractors [to] include an additional data minimization statement that explains how they will minimize the collection and retention of data unrelated to the investigation of a crime,” those drones could be out saving lives right now.

Well, maybe once New York City Mayor Bloomberg’s term ends, the drone manufacturers can hire him as their spokesperson to educate Americans on how, as one drone manufacturer told the AP, “the benefits of these solutions (drones) … far outweigh the concerns.” Bloomberg said last week that drones are coming no matter what and, as a consequence, that Americans are just going to have to learn to live with “more visibility and less privacy.” Just think of them as merely roaming security cameras in the sky, he suggested.

There, don’t you feel safer already?

Photo: Erik Simonsen/Getty Images

This Week in Cybercrime: “Anonymized” Cellphone Tracking Data is Pure Fiction

Anonymizing Cellphone Tracking Data Doesn’t Work

Earlier this month, we highlighted a Data Center of China Internet (DCCI) report revealing that up-to-the-minute information on where people are is becoming a big quarry for cybercriminals. Though that report focused on thieves using malware-laced apps to acquire the location data, researchers from MIT and the Universite Catholique de Louvain in Belgium recently found that anonymized mobile phone location data—the kind that police and other legal authorities might demand from a wireless carrier—can easily be used to home in on the identity of a single cellphone user. The American and Belgian team, which looked at 15 months of anonymized mobile phone data for about 1.5 million European users, found that they could identify 95 percent of them from just four data points. The data points are generated when a handset periodically connects to nearby cell towers as its user moves, and when the user makes and receives calls and text messages. What’s worse from a privacy standpoint? About half of the users could be identified using only two data points. In a paper published this week in Nature Scientific Reports, the researchers note that:

"We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy. Indeed, this uniqueness means that little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset. Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern."

The concern is warranted because governments including the United States have radically increased their snooping activities. For example, the FBI has gone hog wild issuing so-called National Security Letters (NSLs), which compel businesses such as wireless carriers and Internet service providers to turn over information without a warrant. In 2011, the FBI sent out more than 16 000 NSLs.

The researchers conclude that, “Going forward, the importance of location data will only increase and knowing the bounds of individual's privacy will be crucial in the design of both future policies and information technologies.”


Divers Caught Cutting Internet Backbone Cable

What’s the least sophisticated, but probably the most foolproof, way to cut off a country’s Internet traffic? Literally cutting it by severing undersea Internet cables. That’s what the Egyptian navy caught three scuba divers doing in the waters 750 meters off the port city of Alexandria on Wednesday. The cable they were going after was the 18 000-kilometer-long South East Asia–Middle East–Western Europe 4 (SEA-ME-WE 4) line, the Internet backbone that carries data between Europe, Africa, the Indian subcontinent, and Malaysia and Singapore in southeast Asia.

Internet service in Egypt had already been off since 22 March, supposedly because a passing ship damaged a separate cable. The trio, who approached “hacking” from a different angle than usual, took to the water a day before repairs to the other cable were expected to be completed and service restored.

The effects of the ship taking out that cable were experienced as far away as Pakistan and India, Jim Cowie, chief technology officer at Renesys, a network security firm, told the Associated Press. Cowie noted that a severed cable can force wide scale data rerouting, with some of the packets traveling the long way around the world.

Ship anchors and propellers have been blamed for serious cable breakages in the Mediterranean that affected northern Africa. Perhaps this incident will cause investigators to cast a more jaundiced eye in future cases.

Illustration: TeleGeography

Internet Spam Fighter Weathers Massive Attack

Imagine this: a band of criminals imperils a city by putting its police precincts under siege to the point that the police are so busy protecting themselves that they are incapable of doing anything else. Something analogous was just narrowly avoided on the Internet, when anti-spam watchdog Spamhaus came under the largest denial-of-service attack ever recorded. Spamhaus, which helps keep e-mail inboxes free from come-ons hawking male enhancement pills, low-interest loans, and foreclosed properties, was reportedly in the crosshairs of spammers angry about being added to Spamhaus’ blacklists, which make it more challenging to ply their illicit trade.

The attacks, which threatened to knock the not-for-profit Web guardian’s site offline, were a bit of evil genius, using a quirk in the way the Internet works to water Spamhaus’ plants with a fire hose. On 18 March, the attackers began employing a distributed denial of service (DDoS) technique known as DNS reflection. It’s designed to overwhelm a site after the attacker sends simultaneous information requests to thousands of servers with source addresses spoofed so that responses to the DNS queries are all routed to the victim’s servers. In this case, Spamhaus’ servers were being force fed more than 300 gigabits per second, says San Francisco-based CloudFlare.

Spamhaus retained the services of CloudFlare, which specializes in deflecting unwanted Internet traffic away from companies’ servers, to keep its sites from being crushed under the weight of the incoming data deluge. For the sake of comparison, Dan Holden, director of security research at Arbor Networks, told the Wall Street Journal that, “Up until this, the largest attack we had seen was a 100-gigabit attack in 2010 [targeting a U.S. bank] and an 80-gigabit attack in 2012.”

“It is a small miracle that we're still online,” Spamhaus researcher Vincent Hanna told the Journal.

Holden also noted that the attack against Spamhaus caused collateral damage across the Web because some servers along the paths between Spamhaus and the servers that were queried to set off the data tsunami were overwhelmed by the volume of data they had to handle.

But as of this morning, reports are coming in that the attackers—probably frustrated that their best shots failed to put Spamhaus down for the count—have retreated to their corner, probably to plot some more. According to a BBC report, Spamhaus accused Cyberbunker, a Dutch Web-hosting company, of being the brains of the operation. Meanwhile, the BBC reports on the unverified claims of a man who said he was in contact with the attackers. Acting as their mouthpiece, he explained their rationale: "[Spamhaus abuses its] position not to stop spam but to exercise censorship without a court order."

Spamhaus’ Hanna disputed that claim, telling the Journal that, "We have 1.7 billion people who watch over our shoulder. If we start blocking emails that they want, they will obviously stop using us."


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones