A couple of years ago, I had posted on my former blog about ID Analytics' survey of data breaches. They had studied four data breaches involving over half a million consumer identities and examined the scope of exploitation of the stolen data.

ID Analytics found that relatively few of the people whose identity data was stolen in a data breach had the data exploited for financial fraud. The report is no longer online but copies can be found at archive.org. Although four data breaches is a rather small sample size, I found the ID Analytics report to be a good hint that stolen identity data might not actually be exploited extensively.

Matthew Elvey commented on my posting and raised an interesting point:

Umm... when TD Ameritrade's customer database was breached, it appears that approximately all of the customers had their data abused. Exception to the rule? If so, it's a pretty big one - about 6.2 million exceptions big.

This 2007 incident, indeed, raises the question of whether the 2006 ID Analytics report's claims still hold. I was wondering about the scope of the data exploitation.

I checked the Privacy Rights Clearinghouse's useful chronology of US data breaches. The big TD Ameritrade breach is listed under 15 September 2006. (They had a couple of smaller earlier data breaches also listed.) Yes, 6.3 million customers did have their contact information --- names, e-mail addresses, phone numbers & home addresses --- stolen. The PRC chronology entry notes that company customers afterwards received spam, a likely exploitation of the stolen email addresses.

TD Ameritrade's site carries a "Special Client Announcement" about the incident and the spam. TD Ameritrade claims, "At no time were clients' financial assets held at TD AMERITRADE touched as a result of this issue. UserIDs and passwords were not stored in this particular database." The announcement also mentioned that TD Ameritrade hired ID Analytics to monitor the affected customers' credit following the breach.

Looking further, I am seeing that the spam was "pump & dump" scam spam. According to an 18 September 2007 Security Focus article, the exposure of TD Ameritrade customers' email addresses to spammers may have been going on for a while before the big data breach. The article also mentions Mr. Elvey's experiences with the "pump & dump" spams. Now, I understand his comments a bit better.

So far, it doesn't look like financial exploitation of the stolen data in the form of stealing money from the customers' accounts or establishing fraudulent accounts in their names. Yes, the scam spams are abusive but they were not the form of exploitation ID Analytics was considering in its report.

Significant financial exploitation of stolen customer data may have occurred in a 2006 data breach involving TD Ameritrade Holding Corp. and E-Trade Financial Corp.

So far, I believe the ID Analytics report's claim of low risks for actual financial exploitation (which takes more time and effort than spamming) still holds. But I am glad Mr. Elvey made his comment questioning the report. Things can change and current security notions need to be periodically re-examined.

Finally, an excellent blog concerning fraud is the "Fraud, Phishing, and Financial Misdeeds" blog.

Still looking to fully exploit my own identity,
J.D. Abolins

Security risks can change and security training has to adapt. Yet, all too often advice that might once have been more useful is given even though it no longer reflects present risks. One such piece of advice is that which warns people about "untrustworthy" sites and tells them to use mainly known, legitimate sites. (Whatever "legitimate" is taken to mean.) Years ago, this might have been helpful. Nowadays, legitimate sites are becoming a bigger source of malware than "illegitimate" sites. At least, this is what Websense Security Labs is reporting.
Websense researchers warn Internet users to be wary of what sites they click on and visit—even their favorite trusted sites. These sites pose a significant business risk because traditional security measures are not designed to handle the attacks, and the attackers are using sophisticated techniques such as spoofing search engine results to drive traffic to infected sites. Attackers know that compromising sites with generally good reputations – sites that have a built-in group of visitors – coupled with more effective and targeted e-mail lures, can increase the success rate of attacks.
The full report for the last part of 2007 is available from Websense after completing a form asking for contact information. The report has other interesting statistics, including ones for countries hosting "crimeware" (a class of malware designed specifically to automate financial crime). A particularly interesting section for me was the one about "Unique Attacks Methods" such as ransom encryption. The report also anticipates for 2008 things such as:
  • Olympics – new cyber attacks, phishing and fraud
  • Cross platform Web attacks – Mac, iPhone popularity spurs increase
  • Rise in targeted Web 2.0 special-interest attacks—hackers targeting specific groups of people based on interests and profile
  • Morphing JavaScript to evade antivirus scanners
  • Data concealment methods increase in sophistication

J.D. Abolins

Most advance fee fraud scam spam purports to be from people one is not likely to have ever heard of. The one I got today uses a name I recognised from Middle Eastern news, Suha Tawil Arafat.

Some snippets from the email:
Dear Partner, This mail may not be surprising to you if you have been following current events in the international media with reference to the Middle East and Palestine in particular.

I am Mrs. Suha Tawil Arafat, the wife of Yasser Arafat, the Palestinian leader who died recently in Paris France. Since his death and even prior to the announcement, I have been thrown into a state of antagonism, confusion, humiliation, frustration and hopelessness by the present leadership of the Palestinian Liberation Organization and the new Prime Minister. I have even been subjected to physical and psychological torture.

As a widow that is so traumatized, I have lost confidence with everybody in the country at the moment. You must have heard over the media reports and the Internet on the discovery of some fund in my husband secret bank account and companies and the allegations of some huge sums of money deposited by my husband in my name of which I have refuses to disclose or give up to the corrupt Palestine Government. In fact the total sum allegedly discovered by the Government so far is in the tune of about $6.5 Billion Dollars. And they are not relenting on their effort to make me poor for life. As you know, the Moslem community has no regards for woman, hence my desire for a foreign assistance. You can visit the BBC news broadcast below for better understanding of what I am talking about;

<rest of the forged scam email snipped>
Although this is the first time I saw this particular scam spam, it turns out it has been circulating for a few years. I found a report of it from December 2004. I was wondering why the scammers would use Mrs. Arafat's name now. But the 2004 date of the scam spam is closer to her husband's death being in the news.

Recycling is nice, but not advance fee fraud emails. The potential for some recipient to take the bait is there and, given the economics of spamming, is criminally lucrative.

Finally, although the advance fee fraud scams are called Nigerian Letter Scams, 419 scams (after a section of Nigerian law code), and similar names because of the origin of many of these scams, they are not all from Nigeria or Africa. Actually, the scammers have made things more difficult for innocent Nigerians doing legitimate business.

J.D. Abolins

Jonathan D. Abolins