Online banking hit by thieves

A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off.

The Trojan, which targets Windows-based computers, is being used by criminals in Eastern Europe to steal money from accounts in the United States, Poland, and Denmark, Amit Klein, chief technology officer of Trusteer, writes in a blog post today.

Klein said in an e-mail that he could not identify the banks being targeted or provide an estimate on the number of victims.

"It is early days for this malware," he said. "It appears to be a work in progress, so we expect the code to become more sophisticated over time."

The Trojan intercepts communications that customers have with banking sites via Internet Explorer or Firefox, stealing or interjecting information and terminating user browser sessions when done, Trusteer said.

When a bank customer is on the bank site, the Trojan takes advantage of the session IT token to impersonate the customer, riding the coattails of the existing authenticated session. It then bypasses the logout request of the customer so that the session is not actually terminated when the customer thinks he or she is logging out.

To avoid triggering security software, the malware's configuration is not saved to disk, but a fresh copy is fetched from the command and control server each time a new browser session is opened.

Web surfers can protect themselves by installing software security updates, refraining from clicking on URLs in e-mail messages, and using software that secures Web access, like Trusteer's Rapport product, the company said.

Seven practical steps to avoid Idenity Fraud

1. Pick up your mail daily
The worst thing you can do is let important documents sit in an unlocked mailbox overnight, Mr. Levin says. If you’re planning to be away from home for an extended period, have Canada Post hold your mail or have a trusted neighbour collect it as it arrives.

2. Keep track of important documents
Write down every piece of information-rich mail you anticipate receiving and mark it off when it arrives. If important documents such as your tax-filing package or financial statements don’t arrive, contact the sender immediately. CRA spokesman Philippe Brideau said tax-filing packages have already been mailed and most Canadians should have received them by now.

3. Choose electronic delivery
If possible, have financial documents sent by e-mail. As long as your computer has adequate security, electronic delivery is usually safer than a mailbox, Mr. Levin says.

4. Monitor your financial transactions
Don’t wait until the end of month to see your financial statements. Go online every day and check your bank and credit card accounts to ensure all of the listed transactions are legitimate. “That’s really important,” Mr. Levin says. “You can save yourself an enormous amount of time and agony.”

5. Check your credit report
By February or March, order your credit reports from TransUnion and Equifax so you can see whether there are any new accounts that you didn’t apply for. If there are, that’s a red flag for fraud.

6. Get a paper shredder
Recycling bins are another place identity thieves can easily steal your personal information. To be on the safe side, shred any documents that contain your name and address before you dispose of them.

7. Consider doing some damage control
There are many companies that offer identity theft insurance or credit fraud monitoring. Also, some insurance companies and banks offer complimentary protection services to customers, so shop around, Mr. Levin says.

Idenity Theft

Roughly 20,000 people who reported identity theft and identity fraud crimes to the Canadian Anti-Fraud Centre last year represented an increase of about 5,000 complainants over the previous year.
"And only a fraction of these crimes are reported,"

Here are tips from the RCMP on how to avoid identity theft and fraud:

* Be wary of unsolicited emails, telephone calls or mail seeking personal or financial information from you;
* Regularly check your credit reports, bank and credit card statements and report any irregularities promptly  to the relevant financial institution or to the credit bureaus;
* During transactions, swipe your cards yourself rather than let a cashier do it for you. If you must hand over your card, never lose sight of it;
* Always shield your personal identification number when using an ATM or a pin pad;
* Memorize all personal identification numbers for payment cards and telephone calling cards;
* Trash bins are a gold mine for identity thieves. Make sure you shred personal and financial documents before putting them in the garbage;
* And when you change your address, notify the post office and all relevant financial institutions.

Private Investigator Training Course

I just wanted to let you know that Chris Pierre of Evince Services is now offering training to individuals seeking to become licensed as Private Investigators under the Private Security and Investigative Services Act.

There is a course scheduled for March 1, 2011.

For more info, give Neill Bailey a call at 613-233-8509 x 101 or email nbailey@evincesvc.com

Knowing Chris, this is going to be a good course.

Holiday Charity Scams

The holiday season is a traditional time of giving for many Canadians. Unfortunately, fraudsters know that and take advantage of our generosity. Before you give anything to a charity, you should perform your due diligence.

The following is a list of things to watch for when considering donating to a charity:

• Never give out your personal / financial information out over the phone, or           at the door.

• Don’t donate cash if you can help it. Write the cheque to the charity – not   to the person standing in front of you. This also helps you document the donation for your records and for your tax return.

• Carefully check the name of the company. Charity scams often use similar to original names to cause confusion and obtain your donations. Example: National Cancer Society (SCAM) instead of Canadian Cancer Society (REAL).

• Ask the charity to send you printed material via mail. If the material does not contain details on exactly how the money is used and the percent of donations which actually reach the given cause, do not contribute.

• Call the charity. Legitimate charities withstand scrutiny and never hesitate to prove who they are, what they do and how they do it.

• Don't give in to pressure. If the charity representative pressures you to give money immediately or as soon as possible, get suspicious.

• Be careful if the "charity" accepts an online payment. It is easy to open up a fake online payment account.

• Reputable charities will have a street address and a phone number.

• Get a receipt with the name of the charity on it.

• Ask for the charitable registration number.

• Check the company with the Better Business Bureau.