
fraud

PayPal phishing attempt

I have used my PayPal account a fair bit these past months. Both receiving and making payments.

Thus, when I got this email with a payment that the PayPal Investigation had returned, I was on the alert. No, not the phishing alert - I was more worried about someone making a payment and me not getting it. The obvious victim for scams, I might add.

I did not recognize the payer's name, and the amount of US$35 sounded a fair bit strange to me. Puzzled, I started to read the fine print, and decided that I needed to check my account to investigate further. I scrolled down the mail to find the link to the PayPal log-on page.

Need I say this was December 26? At the kitchen table, relaxing with my late breakfast. Oh, yes, it was a nice dinner last night!

Upon finding the link again, my mind kicked me in the back, and I decided to check the link before clicking. No surprise there - I was one click away from getting phished (phish, phishing, phisher, phished, - I have no clue of the correct phishing grammar, I must admit).

So Leo, phishers do have a clue. They are getting better every single day. And if you let your guard down for only a split second after a nice dinner party, you might find your account empty. As you note, some are still swearing by old tools and bad quality, but those who mean business adapt and research. And get their rewards.

Take a good look at the images - they show the email I got. The first shows the standard PayPal template with the serious looking header.

PayPal email


This next picture shows the transaction information - the part of the email that made me believe the authenticity of the scam.


PayPal Scam - transaction details
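The check that saved the author here, looking at where a link really goes before clicking it, as an added example that is not from the original post: the script below parses a constructed HTML e-mail in the style described above and flags links whose destination is an IP address, whose destination host differs from the URL shown as the link text, or whose host is not paypal.com or a real subdomain of it (the trusted-domain list is an assumption made for this example).

```python
# Added example (not from the original post): flag links in an HTML e-mail
# whose real destination does not match what the reader sees. Standard
# library only; the e-mail body at the bottom is constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

TRUSTED = ("paypal.com",)  # assumption: the mail claims to come from PayPal

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    # paypal.com or a real subdomain of it; "paypal.com.evil.example" is not
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkCollector(HTMLParser):
    # Gather (href, visible text) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None

def find_suspicious_links(html):
    """Return [(href, text, reason)] for links a reader should not click."""
    p = LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        host = host_of(href)
        shown = host_of(text) if "://" in text else ""  # link text that looks like a URL
        if is_ip_literal(host):
            flagged.append((href, text, "IP address instead of a hostname"))
        elif shown and shown != host:
            flagged.append((href, text, f"shows {shown} but goes to {host}"))
        elif not is_trusted(host):
            flagged.append((href, text, f"{host} is not a PayPal domain"))
    return flagged

# Constructed sample resembling the mail described in the post.
SAMPLE_EMAIL = """<p>A payment of US$35.00 was returned by PayPal Investigation.
Please <a href="http://paypal.com.account-review.example/webscr">log in</a> to
review it, or visit <a href="http://203.0.113.7/login">https://www.paypal.com/</a>.
<a href="https://www.paypal.com/help">Help Center</a></p>"""
```

Running `find_suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine Help Center link alone.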


Terra Securities files for bankruptcy

Terra Securities closes all operations. So what, you may say, who are they?

Since you most likely do not know Norway and the things going on here, a quick update is in order.

### 

A couple of weeks back, the news broke that four small municipalities had invested in a hedge fund brokered by a Norwegian investment broker, Terra Securities. Not only had they spent their cash on the investment, they had borrowed a large amount of cash to do so (US$10M).

Why? The Terra Securities sales guy had shown them the prospectus for a US-based high-risk investment opportunity. However, the translation removed some of the information - leaving in the high profit and not discussing the high risk. So the municipalities claim that they only saw a great opportunity, not a risky or even shady business.

So let's review this. A bank approaches you with a highly profitable investment opportunity. DING-DING! High profit means high risk. So be careful, right?

Next, the bank tells you that this opportunity is so good, and offers you a huge loan so that you can make a big investment. DING-DING!!! How is the bank making money? By lending money. By charging fees. By skimming your investment interests.

So - unless you are an avid investor, and know your way around gearing and other financial tools, you would back down and walk away, right? Most of us would.

But as always, some of us are dumber than others.  

And it may seem like the more stupid amongst the Norwegian population are located in the North. In four small municipalities who have lost some US$100M. And the number might double according to some reports. A large amount of cash. For most of us, and certainly for these municipalities.

I am amazed. OK, the bank most likely did break the law when marketing the hedge funds (as marketing hedge funds is illegal in Norway). And the sales guy most likely did push harder than he should have. But still, I bet the bell was ringing long and hard, and that he was the sales hero that year!

### 

So - for Terra Securities, this has gone from bad to worse.

What started as a pushy sale has evolved into a nightmare. During the couple of weeks this has gone on in the media, the not-so-smart politicians turned the tables and collected support from the media. You know:

"How could we know? We are poor, normal people. We do not know anything about investments!"

And the media bought it. And kicked Terra Securities. And again, I am amused. The politicians clearly admit their error - making a stupid investment using borrowed cash. Still, they blame everything on Terra.

"They should have known. They should have told us!"

Wrong. They are about making money. Not by making you a profit, but by making you buy their products. Which you did - both their lending services AND their investment services. A great sale, I would argue. 

You see, being a municipality means that you are responsible for your actions. It means you must accept that responsibility. You cannot invest millions of dollars one day, and then cry and blame your partner when you lose your money. That is just wrong. Stupid. Childish!

One of the first principles of investment is to never invest more than you are willing to (or can afford to) lose. That is your responsibility - not your bank's.

If I had done the same type of investment, I would have to accept the loss and move on. So should you.

###

This is it for now - I will keep sharing my opinion on this stupidity.


Security on letterhead

Bruce Schneier has a very nice post today which explains one of the challenges of the ever increasing speed of adopting new technology. 

This is a real challenge - behavior is one of the hardest things to change.


TJX gives CC advice to their customers!!!

Oh, the TJX. No, I guess I never get tired of it!

This time, I will just point you to this important message from the president and CEO, which they made on Oct. 11.

There, Carol Meyrowitz, the President and CEO, says:

"To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below."

Sorry Carol, I do not think I trust TJX enough to take your advice about CC information. At least not MY CC information.

Need I remind you that it never was your CUSTOMERS who messed up? Your customers decided to TRUST you and your companies to handle the CC information. I bet the customers did take necessary precautions and common sense - how could they be expected to be prepared for YOUR breach?

I advise you to do the right thing - learn from your own mistakes and fix them - not divert attention by teaching your customers how to do things they do much better than you ever did.


------------------------------------------------------------------------

Due to the nature of the document, I have pasted the text below too:


LETTER FROM TJX’S PRESIDENT AND CEO

October 11, 2007

To Our Valued Customers:

At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage.

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement.

To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below.

Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage.

Respectfully,

Carol Meyrowitz
President and Chief Executive Officer

INFORMATION ABOUT PROPOSED CUSTOMER CLASS ACTION SETTLEMENT

Click here to view Additional Information about Proposed Customer Class Action Settlement; Subject to Court Approval and Other Conditions.


INFORMATION ABOUT INTRUSION(S)

View Frequently Asked Questions (FAQs)

Click here to view the 2/21/07 Press Release

Click here to view the 1/17/07 Press Release


Helpful Information for Customers:

TJX has special, toll-free helpline numbers in the U.S., Canada, the U.K., and Ireland, to assist customers with concerns about the computer intrusion(s) and to answer questions about the proposed customer class action settlement, which is subject to court approval and other conditions.


In the United States:

Toll-free help line:
866-484-6978

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps
Click here to view Other Resources
Haga clic aquí para obtener información en español.


In Canada:

Toll-free help line:
866-903-1408

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources
Cliquez ici pour des renseignements en français.


In the United Kingdom and Ireland:

Toll-free help line:

Callers in the UK* should call 0800 779015
Callers in the Republic of Ireland should call 00 44 800 779015
* (England, Wales, Scotland, N Ireland)

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources


Any customers who would like to contact TJX Customer Service:
Please email TJX Customer Service at: customerservice@tjx.com


SecurityNewsPortal update

Following my post asking about the SecurityNewsPortal, I have received information from Marq at Infosyssec.com - the owner of Securitynewsportal.com.

First, thank you Marq for taking the time and effort to resolve this issue, and for bearing with this ignorant viking. Thanks to you, I now have access to your different services.

It turns out Marq has experienced problems with attackers and hackers using computers (botnets, perhaps?) originating from locations worldwide, including Norway. As a result, he made the decision to filter out IP-ranges of networks that seemed to be heavier on the attacks than others.

This is a very dramatic way of reducing the amount of problems. To Marq, this was a sound business solution, counting in the risk of keeping legitimate visitors out of the website. And of course the risk of ignorant vikings wondering about the quality of the services.

Another way to counter these kinds of attacks requires heavy investment in hardware, plus HA access solutions - the road I would suggest any business take if they start experiencing this kind of targeted attack. The only challenge in taking this road is the potentially heavy investment it takes.

Marq, thank you for your help. My readers, thank you kindly for helping out! Marcin, thank you for checking the URL yourself and reporting back. I hope you have access again, if not, let me know and I will relay you to Marq.

Securitynewsportal, anyone?

I am in need of your help now. Recently, I have been getting referring hits on Feedburner and Google Analytics from a couple of websites: www.securitynewsportal.com and www.snnx.com.

It seems like they are republishing my RSS stream. Which is all fine. I just get curious as to who they are. Thus, I have tried to visit their websites a couple of times, and all I get is an HTTP 403 error (forbidden).

My question to you is simply - can you tell me what these sites are? Who are running them? Why do they not serve the info to the public?  

I may be paranoid - but I cannot help wondering if this is some kind of a fraud or harvesting system?

If you know anything about these services, please share with me! Use the comments below, or contact me using the contact page!

Your input is highly appreciated! Thanks! 

14-year-old girl stripping on webcam

I have strong feelings against abuse. And when I see young people falling for simple tricks and ending up as victims, I have to speak up.

The Internet has revolutionized the way we communicate and how we network between people. I should know, I use tools like LinkedIn, Xing and Facebook actively. In a market there will always be companies that push the line. In Norway, one such site is Camfight / Penest.no, which I have covered in the past.

Last week, a girl was featured on national TV. Her story is as follows:

When she was 14, she met a guy on the Internet. The boy was a couple of years older, and convinced her to strip for him on webcam. The girl was in love, and believed him to be too. She obeyed his request.

As soon as the stripping was done, the boy ended all contact. Some time later, the video of the girl stripping showed up on the Internet. Without her consent.

Her friends turned their backs on her, and she ended up having to relocate and change her name.


As tragic as this is, these kinds of stories are only starting to surface. When you are young, you do not have the experience, knowledge and understanding necessary to safely use the technology. He*k, many adults lack the very same requirements.

To add to experience, "Line" got no support from her school nor from the police.

I believe that this serves to show how vulnerable young people are, and how wrong things can end up. It never pays to be naive. And when in doubt, say NO!


Do you have the BUZZ?

Dear anonymous (I would much rather prefer to say Dear John),

First - I post this as a blogpost instead of a reply to your comment on my post about Jamparii. 

Thank you for your input. As I know you are not only claiming to do what you say, but actually are trying to build your own tool for business networking, I would much rather that you did enter your own name, John.

However, what you are pointing at is true in all new ventures. It does take capital to build success. And there are several different paths to choose from. Jim has chosen one path, and John, you took another path.

My experience tells me that the path of money alone is not enough. To build a successful networking site, you need quality. You need content. You need active users. And you need a value proposition to your users.

Linkedin, Xing and Facebook are three successful networking tools, but they are very different. Ecademy and Viadeo are others. Myspace and Orcut are there too. Just to name a few of your competitors. They offer value. Distinctive value. And they have success. 

You need to present a clear value to me before I will even consider your new tool. No matter how you choose to finance your venture. Scam or not.

This is about risk as well. Do you have what it takes to break the bank? Did you consider all options? Have you done your homework, so you know how to position yourself?

What if you fail? What if it takes twice the time to break even? Or three times the time? What if you only secure half the funds you need? What if only one tenth of the required users actually sign up?


So the question to you two competitors - do you have the BUZZ?

Good deeds

Hoff at the Rational Security blog is giving a helping hand - as long as it is not to someone fighting against the Norton pop-ups. Must admit, I am willing to fight the Norton pop-ups anytime - and replace them with something a little more subtle. Something that knows its place on the computer - and does not bother the user with messages that not even the best security workers can understand.

So - the Hoff story.  

I like the fact that it is possible to exchange a security lesson with bowling. 

But - the fact that even ATM vendors are neglecting security is not a good deed at all. They really should know better. I mean, we are no longer in the 1980s! No wonder companies in not-so-secure industries are having a hard time understanding.

Jamparii - another scam?

I get many strange invitations in my email. Today's selection is from a company that calls itself Biztime Limited, based in the UK. They have a new social networking idea - called Jamparii. Sure we can use that (pun). Their plan is to let me make a profit as they become the next MySpace and YouTube. In other words, they want my money.

The invitation came via an Ecademy group. I quit Ecademy 18 months ago because back then I felt many users were only interested in MLM and promoting scams. Even though I have cancelled my account, and am no longer available on Ecademy, they continue to send me emails from their forums. That is another post, I guess!

So back to Jamparii - they ask me to give them £1,000 in exchange for a Founder Life Membership. And a potential revenue share:

Our strategy is to create a small group of just 250 Founder Life Members, who will be the centre pillars of Jamparii and will benefit both as life members but also financially as shareholders. We already have a number in place but there are still plenty of places left. Your investment will be under £1,000 and you will have the opportunity to earn and win more shares during the first year or so.


So - I will win more shares during the first year or so. Sounds like the MLM game that took Europe by storm a few years back - you played around with virtual stocks, and made a profit based upon how many people you recruited. World Game Inc. it was called, before it was called a bluff.  

Further fuel to my presumption is the fact that 3,750 Founder members are also invited. So - we have Founder Life members who will win shares, and Founder members who pay to enter. Then add regular, paying members - they will provide the profit up the line. Or so it may sound.

They start their story like this:

When we hear of the huge sums of money that are being paid for these web platforms do you wish that you had thought them up or had a stake in them?

Well here is an opportunity for you to do just that! - Read on and see for yourself!


I am sorry. If I had such an idea, the last thing I would do is tell everyone. I would have people use it. Not try to sell it like a scam.

Thus, I suggest Jamparii is a scam, and time will show who is right. I will have to apologize if they actually end up like MySpace or YouTube - walking away with a huge lump of money.

The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.
