Showing posts with label identity theft. Show all posts

Monday, August 20, 2012

Hotels present concerns for guests' security, technology

For many of us, hotels often become a second home. And relying on technology like we do, we carry all of our important devices with us. However, it's not always feasible to take your laptop with you to dinner or your cell phone to the pool. But to what extent should you worry about it?

Spying on the staff
Several months ago, I met Canadian privacy scholar Christopher Parsons at the Privacy Law Scholars Conference in D.C. He does a lot of interesting work in the privacy and surveillance area and also writes a blog on those interests.

I've never been a terribly paranoid person - that is until I met Christopher. I wouldn't define him as being paranoid, either. Rather, he is just smart and inquisitive. He travels a great deal and stays in many hotels. Over time, he has developed a survey of sorts concerning hotel security, testing the housekeeping staff. By carefully placing cell phones, laptops, and other items around the room, he is able to see where the staff checks for such things and what they do with them. One interesting bit of information he has learned is that a do not disturb sign often acts as an invitation to search the room.

"Most hotel staff are, of course, excellent and trustworthy. This said, having heard stories from family members who have worked in hotels - such as how their colleagues would routinely violate room occupants' privacy when rooms were unattended - and others who are well versed in contemporary fraud techniques, I try to take precautions to ensure that my data, and the data of others, is as safe and secure as it can be," said Christopher. "Just one of those precautions involves testing staff in hotels to ascertain - typically with 'dummy' or wiped equipment - whether they are activating devices, trying to log in to them, and so forth."

Since Christopher and I met, I have only stayed in one hotel, but I had no luck with his methods unfortunately. Do not disturb signs were honored, and none of my personal belongings were touched. Do any of you have similar approaches? Have you learned anything interesting? Please share in the comments.

Hotel employees not the only fear
Certainly one fear is that hotel employees will take our items or for some reason attempt to get our data. They can easily get key card access to our rooms. Another concern, as recently demonstrated by a hacker, is the ease with which others can obtain access to your room.

At the recent Black Hat conference, a software developer demonstrated how $50 of materials and a little programming make it possible to obtain access to over four million hotel rooms. He has since released how the hack works.

Unfortunately, the only way to fix the problem is to change each lock, and Onity, the lock's developer, insists that the hotels foot the bill for the replacement.

Creating a workaround
The fact that your home-away-from-home is not quite as secure as you'd like can be terrifying. And certainly there are many issues at stake here beyond securing your technology. However, since this is a technology blog, let's address that one. How do you secure your technology when traveling? Share your tips for our other readers.

Wednesday, June 27, 2012

FBI arrests 24 in international carding scheme

Graphic courtesy of FBI
The FBI announced yesterday 24 arrests in 8 countries for involvement in a carding scheme. They estimate that 400,000 potential victims and potential loss of $205 million were involved. Read more here.


Tuesday, March 27, 2012

Illinois appellate court remands identity theft case

In People v. Hernandez, 2012 IL App (1st) 92841, an Illinois appellate court has held that the state must prove that a defendant knowingly used personal identifying information belonging to another person in order to convict on identity theft. Because the "defendant's knowledge was contradicted and not overwhelming," the charge was vacated and remanded for a new trial.

The defendant had used another person's social security number to obtain credit to purchase a vehicle. On the credit application, the defendant used both her own and the victim's SSNs, but the victim's was used for the credit check. When asked where she got the victim's SSN, the defendant said "that she 'made it up.'" It just so happened that the number belonged to a woman with the same first name, living in the same city who was alive and had good credit.

However, because the circumstantial evidence does not overwhelmingly prove the defendant's knowledge, the error was not harmless, and the case must be retried.

Thursday, March 22, 2012

Verizon Report: Data breaches rise 4,250% in 2011

According to Verizon's 2012 Data Breach Investigations Report, data breaches skyrocketed in 2011 to 174 million (up from only 4 million in 2010). The 80-page report provides a wealth of information about who is responsible for these acts and how they are committing them. It's definitely worth at least a quick skim.

Wednesday, February 8, 2012

Miss. lawyer scammed by corporate identity theft

We often hear about identity theft as it relates to individuals, and some recent attention has been drawn to child identity theft, but the theft of a corporation's identity remains a serious, though seldom-discussed topic. The Mississippi Secretary of State reported today on "an internet scheme with international ties that bilked a Mississippi attorney out of hundreds of thousands of dollars."
The Mississippi attorney received an email from someone purporting to be Robert Larsen of Larsen Fabrics located in the United Kingdom. “Mr. Larsen” claimed a Mississippi company owed money on a contract and was willing to settle. “Mr. Larsen” employed the Mississippi attorney to collect the debt. The attorney was then informed the Mississippi company was prepared to settle. 
A fraudulent settlement check was sent to the attorney, allegedly from the Mississippi company. The attorney deposited the check and wired funds to a Japanese account before the fraud was discovered. The Mississippi company had no knowledge of the scheme until contacted by investigators.
Here's a link to the basic scam e-mail as sent to an attorney in a different state (the comments to the post discuss the variations of the scam).

Few public resources discuss the topic specifically. Professor Susan Brenner wrote about corporate identity theft a few years ago on her blog, CYB3RCRIM3. Also, the Colorado SOS's office has some information about the issue on their website.

Wednesday, January 18, 2012

Court reverses identity theft conviction for stolen wallet

The Washington Court of Appeals has reversed a conviction of identity theft, finding that no evidence was presented to prove the defendant would use an identification card and credit card to commit a crime. State v. Williams, 2012 Wash. App. LEXIS 57 (2012).

The defendant had stolen a wallet containing a credit card, identification card, and over $200 cash. Subsequently, he was charged with identity theft and theft.

On appeal, the court iterated an important point: theft of such items alone is not sufficient to prove identity theft. As with the Washington statute, proof must be shown of intent to possess or use that information "in order to commit, aid, or abet a crime." Here, the defendant stole a wallet, not an identity.

Friday, January 6, 2012

Tracking computer usage, free credit monitoring, and digital forensics guides from corporations

I have collected several random stories recently that do not deserve their own post alone, but that I thought should be shared.
  • From Lifehacker, this post shows you how to see if someone has been using your computer when you were not around. Using the Windows Event Viewer, users can see system logs detailing each time the computer boots or wakes from sleep or hibernation.
  • This isn't an endorsement nor do I really know much about this service, but Lifehacker did an article about Credit Karma, a credit monitoring service that notifies you of changes via e-mail. The service once restricted its number of users, but it is now free to anyone who registers. WSJ, NYT, CNN, and others have also recommended the service.
  • SANS's Computer Forensics website provides links to corporate handbooks for digital forensics investigators from companies like Microsoft, eBay, MySpace, and more. Some of the information is outdated, but it may give you an idea as to what is required and who to contact.

Thursday, December 1, 2011

10th Circuit affirms conviction in Craigslist scam

The Tenth Circuit has affirmed a conviction of wire fraud and identity theft and various sentencing enhancements. The defendant, an Oklahoma citizen, had posted multiple ads on Craigslist soliciting people with a great deal of debt. He told them that if they paid him half the amount, the rest would be taken care of through a debt-assistance program. Once someone contacted him, the defendant used stolen credit cards and bank account numbers to pay the bills. When the payments were discovered to be fraudulent and were reversed, the victims contacted the defendant, whose number (a prepaid cell phone) had been disconnected.

While the defendant was not the one who posted all of the ads, others used his alias in relation to the act, supporting the aiding and abetting charge. Another ad was posted from a local library, but it was reasonably attributable to the defendant. The court also upheld the identity theft charge, finding that although the defendant did not actually steal the information, he knowingly used it to make payments.

Sentencing enhancements were also made for being the leader or organizer of the act and obstruction of justice.

The case is United States v. Lawrence, 449 Fed. Appx. 713 (10th Cir. 2011) (affirming United States v. Lawrence, 2010 WL 1875647 (W.D. Okla. 2010)).

Craigslist is an online classified advertising website. Typically, ads can be placed for free without creating an account - users simply provide contact information for those interested. Job posts, apartment rentals, and therapeutic services may have posting fees depending on location. The website has previously run into several legal issues, including alleged sex trafficking and prostitution. As a result, Craigslist closed its erotic services board in September 2010.