August 28, 2017: Costa Rican Defendant Appears in Federal Court to Face Fraud Charges

Food and Drug Administration 
Office of Criminal Investigations


PITTSBURGH – A resident of Costa Rica made his initial appearance in U.S. District Court in Pittsburgh this afternoon to face multiple charges involving conspiracy to import prescription drugs from India for distribution, without prescriptions, to consumers throughout the United States, Acting United States Attorney Soo C. Song announced today. 

The five-count indictment, returned on October 13, 2015, charged Costa Rican Ramiro Navarro Quesada, 42, with three counts of mail fraud and one count each of conspiracy to misbrand and smuggle Schedule II and Schedule IV controlled substances and erectile dysfunction drugs, and money laundering. Quesada was arrested in Madrid, Spain, earlier this year. He was extradited to the United States yesterday.


According to the indictment, Quesada used a Costa Rican website to advertise the Internet sale of Schedule II and IV controlled substances and erectile dysfunction drugs, which were exported from India and received in the United States by co-defendants Sylvia and Miguel Cruz. The latter two then mailed the drugs to U.S. consumers who had ordered them through the Costa Rican website. The consumers were falsely led to believe that the drugs were “FDA approved,” that the counterfeit drugs were genuine Adderall and Viagra, and that it was legitimate to distribute such drugs without prescriptions.


“Ordering prescription drugs online from illegal websites can lead to dangerous consequences for U.S. consumers. Such websites, while they may look professional and legitimate, often sell drugs that have not been checked for safety or effectiveness,” said Mark S. McCormack, Special Agent in Charge, FDA Office of Criminal Investigations’ Metro Washington Field Office. “We will continue to pursue and bring to justice criminals who operate outside of FDA’s oversight and place the public’s health at risk.”


The law provides for a maximum total sentence of 20 years in prison on each of the mail fraud and money laundering counts, and 5 years on the conspiracy count, as well as a $250,000 fine on each count except money laundering, which carries a potential fine of $500,000. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.


Assistant United States Attorney Shardul Desai is prosecuting this case on behalf of the government.


The Food and Drug Administration, Office of Criminal Investigations, the Postal Inspection Service, Homeland Security Investigations, the Pennsylvania State Police and the Internal Revenue Service – Criminal Investigation conducted the investigation leading to the indictment in this case.


An indictment is an accusation. A defendant is presumed innocent unless and until proven guilty.


Component(s): 

USAO – Pennsylvania, Western


Updated Investor Bulletin: Trading in Cash Accounts

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help educate investors regarding the rules that apply to trading securities in cash accounts and to highlight the 90-day account freeze which may arise from certain trading activities in these types of accounts.

What is a cash account?

A cash account is a type of brokerage account in which the investor must pay the full amount for securities purchased.  An investor using a cash account is not allowed to borrow funds from his or her broker-dealer in order to pay for transactions in the account (trading on margin).

The credit extension provisions of the Federal Reserve Board’s Regulation T govern an investor’s use of a cash account to purchase securities.  In particular, Regulation T authorizes a broker-dealer to use a cash account to purchase a security for an investor if:

  • There are “sufficient funds” in the account; or
  • The broker-dealer accepts in good faith the investor’s agreement that the investor will promptly make “full cash payment” for the security before selling it and does not contemplate selling the security prior to making such payment.

What type of trading is permitted in a cash account?

Some examples of trading that would be permitted in a cash account include:

  1. An investor has $10,000 in cash and no securities in a cash account. The investor buys $10,000 worth of ABC stock on Monday and sells it the same day.

    These transactions are permissible since the investor purchased the ABC stock on Monday with the $10,000 in cash that the investor had in the cash account.  Since the investor purchased the ABC stock with cash, the investor may sell this stock at any time.

  2. An investor holds $10,000 of fully paid for and settled ABC stock in a cash account. The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday. On Friday, the investor buys $10,000 worth of XYZ stock.

    These transactions are permissible because an investor can sell a fully paid for and settled security held in a cash account.  The $10,000 proceeds from the sale of the ABC stock would have settled on Wednesday.  Therefore the investor would have “sufficient funds” in the cash account on Friday to purchase the XYZ stock.

  3. An investor holds $10,000 of fully paid for and settled ABC stock in a cash account. The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday and buys $10,000 worth of XYZ stock the same day. The investor sells the XYZ stock on Friday.

    The sale of the ABC stock is permissible because an investor can sell a fully paid for and settled security held in a cash account.  The purchase of the XYZ stock is also permissible. The investor may purchase the XYZ stock with the proceeds from the sale of the ABC stock as long as the investor does not sell the XYZ stock prior to the settlement of the ABC stock sale, which is Wednesday.  By doing this, the investor will have made full cash payment for the XYZ stock before selling it on Friday.

What are freeriding and freezes?

As noted above, in a cash account, an investor must pay for the purchase of a security before selling it.  If an investor buys and sells a security before paying for it, the investor is “freeriding.” 

The following example illustrates “freeriding:”

An investor holds $10,000 of fully paid for and settled ABC stock in a cash account.  The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday and buys $10,000 worth of XYZ stock on the same day.  On Tuesday, the investor sells all of the XYZ stock without adding any additional cash to the account.

The settlement date on the sale of the ABC stock that the investor used to pay for the purchase of the XYZ stock would be Wednesday (two business days after the date of the sale).  Since the investor used the proceeds from a sale of securities that had not yet settled to purchase the XYZ stock, the investor cannot sell the XYZ stock prior to Wednesday without adding additional cash to the account to cover the purchase price of the XYZ stock.  Since the investor sold the XYZ stock on Tuesday without adding any additional cash to the account, the investor’s actions constitute freeriding.

“Freeriding” is not permitted under Regulation T, and may require the investor’s broker to “freeze” the investor’s account for 90 days.  During this 90-day period, an investor may still purchase securities with the cash account, but the investor must fully pay for any purchase on the date of the trade.  An investor may avoid having a “freeze” placed on his cash account by fully paying for the securities by the settlement date with funds that do not come from the sale of the securities.

Related Information

For additional educational information for investors, see the SEC’s Office of Investor Education and Advocacy’s homepage.  For additional information relating to cash accounts, also see:

The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.


September 11, 2017: Three Florida Residents Arrested After Law Enforcement Discover Steroid and Fake Prescription Drug Lab

Food and Drug Administration 
Office of Criminal Investigations


Montgomery, Alabama — Three people have been arrested for their involvement in a steroid and fake prescription pill lab in Northwest Florida, announced A. Clark Morris, Acting U.S. Attorney for the Middle District of Alabama.

Ryan Anthony Sikora (25), John Joseph Bush, II (26), and Ariel Anna Murphy (28), all of Chipley, Florida, were indicted in August by a federal grand jury for conspiracy to import, manufacture, and distribute anabolic steroids and fake prescription drugs across the United States.  On Friday, September 8, 2017, the last of the three defendants made their initial appearance before a federal judge in Montgomery, Alabama.


According to court documents, United States Postal Inspectors determined that large amounts of steroid and fake prescription drug ingredients were being shipped from China to various locations in South Alabama and North Florida.  It is alleged that Sikora, Bush, and Murphy were using these raw materials and two large-scale presses to mass-produce pills in an illegal drug lab discovered near Chipley, Florida.  In the lab, law enforcement found a large amount of steroids in the form of vials, finished pills, and raw powder.  Four types of fake prescription drugs were also discovered that were falsely labeled as Viagra, Cialis, Accutane, and Clomid.  Each of those four drugs is regulated by the U.S. Food and Drug Administration (FDA) and is exclusively produced by major pharmaceutical companies.  They also require a prescription to be legally dispensed.  Sikora, Bush, and Murphy were allegedly advertising the drugs for sale online.


If convicted, Sikora, Bush, and Murphy each face a maximum prison sentence of 15 years as well as significant fines and restitution.  There is no parole in the federal system.


An indictment is merely a method of alleging that a crime has been committed.  All defendants are presumed innocent until proven guilty beyond a reasonable doubt.

Acting U.S. Attorney A. Clark Morris would like to thank the following agencies for their assistance with this case: The United States Postal Inspector’s Office, The FDA Office of Criminal Investigations, the Florida Department of Law Enforcement (FDLE), the Washington County (Florida) Sheriff’s Office, and the Chipley, Florida Police Department. This case is being prosecuted by Assistant United States Attorney Bradley Bodiford.


Equifax Breach Response Turns Dumpster Fire

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

WEB SITE WOES

As noted in yesterday’s breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach (equifaxsecurity2017.com) is completely broken at best, and little more than a stalling tactic or sham at worst.

In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.


Others (myself included) received not a yes or no answer to the question of whether we were impacted, but instead a message that the credit monitoring services we were eligible for were not available and to check back later in the month. The site asked users to enter their last name and the last six digits of their SSN, but at the prompting of a reader’s comment I confirmed that just entering gibberish names and numbers produced the same result as the one I saw when I entered my real information: Come back on Sept. 13.

Who’s responsible for this debacle? Well, Equifax of course. But most large companies that can afford to do so hire outside public relations or disaster response firms to walk them through the safest ways to notify affected consumers. In this case, Equifax appears to have hired global PR firm Edelman PR.

What gives me this idea? Until just a couple of hours ago, the copy of WordPress installed at equifaxsecurity2017.com included a publicly accessible user database entry showing a user named “Edelman” was the first (and only?) user registered on the site.

Code that was publicly available on equifaxsecurity2017.com until very recently showed account information for an outside PR firm.

I reached out to Edelman for more information and will update this story when I hear from them.

EARLY WARNING?

In its breach disclosure Thursday, Equifax said it hired an outside computer security forensic firm to investigate as soon as it discovered unauthorized access to its Web site. ZDNet published a story Thursday saying that the outside firm was Alexandria, Va.-based Mandiant — a security firm bought by FireEye in 2014.

Interestingly, anyone who happened to have been monitoring look-alike domains for Equifax.com prior to yesterday’s breach announcement may have had an early clue about the upcoming announcement. One interesting domain that was registered on Sept. 5, 2017 is “equihax.com,” which according to domain registration records was purchased by an Alexandria, Va. resident named Brandan Schondorfer.

A quick Google search shows that Schondorfer works for Mandiant. Ray Watson, a cybersecurity researcher who messaged me this morning on Twitter about this curiosity, said it is likely that Mandiant has been registering domains that might be attractive to phishers hoping to take advantage of public attention to the breach and spoof Equifax’s domain.

Watson said it’s equally likely the equihax.com domain was registered to keep it out of the hands of people who may be looking for domain names they can use to lampoon Equifax for its breach. Schondorfer has not yet returned calls seeking comment.

EQUIFAX EXECS PULL GOLDEN PARACHUTES?

Bloomberg moved a story yesterday indicating that three top executives at Equifax sold millions of dollars worth of stock during the time between when the company says it discovered the breach and when it notified the public and investors.

Shares of Equifax’s stock on the New York Stock Exchange [NYSE:EFX] were down more than 13 percent at time of publication versus yesterday’s price.

The executives reportedly told Bloomberg they didn’t know about the breach when they sold their shares. A law firm in New York has already announced it is investigating potential insider trading claims against Equifax.

CLASS ACTION WAIVER?

Yesterday’s story here pointed out the gross conflict of interest in Equifax’s consumer remedy for this breach: Offering a year’s worth of free credit monitoring services to all Americans via its own in-house credit monitoring service.

This is particularly rich because a) why should anyone trust Equifax to do anything right security-wise after this debacle and b) these credit monitoring services typically hard-sell consumers to sign up for paid credit protection plans when the free coverage expires.

Verbiage from the terms of service from Equifax’s credit monitoring service TrustID Premier.

I have repeatedly urged readers to consider putting a security freeze on their accounts in lieu of or in addition to accepting these free credit monitoring offers, noting that credit monitoring services don’t protect you against identity theft (the most you can hope for is they alert you when ID thieves do steal your identity), while security freezes can prevent thieves from taking out new lines of credit in your name.

Several readers have written in to point out that the terms of service Equifax requires all users to acknowledge before signing up for the service seem to include legal verbiage suggesting that those who do sign up for the free service will waive their rights to participate in future class action lawsuits against the company.

KrebsOnSecurity is still awaiting word from an actual lawyer who’s looking at this contract, but let me offer my own two cents on this.

Update, 9:45 p.m. ET: Equifax has updated their breach alert page to include the following response in regard to the unclear legalese:

“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

Original story:

Equifax will almost certainly see itself the target of multiple class action lawsuits as a result of this breach, but there is no guarantee those lawsuits will go the distance and result in a monetary windfall for affected consumers.

Even when these cases do result in a win for the plaintiff class, it can take years. After KrebsOnSecurity broke the story in 2013 that Experian had given access to 200 million consumer records to a Vietnamese man running an identity theft service, two different law firms filed class action suits against Experian.

That case was ultimately tossed out of federal court and remanded to state court, where it is ongoing. That case was filed in 2015.

To close out the subject of civil lawsuits as a way to hold companies accountable for sloppy security, class actions — even when successful — rarely result in much of a financial benefit for affected consumers (very often the “reward” is a gift card or two-digit dollar amount per victim), while greatly enriching law firms that file the suits.

It’s my view that these class action lawsuits serve principally to take the pressure off of lawmakers and regulators to do something that might actually prevent more sloppy security practices in the future at the culpable companies. And as I noted in yesterday’s story, the credit bureaus have shown themselves time and again to be terribly unreliable stewards of sensitive consumer data: This time, the intruders were able to get in because Equifax apparently fell behind in patching its Internet-facing Web applications.

In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services. In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers.

CAPITALIZING ON FEAR

Speaking of Experian, the company is now taking advantage of public fear over the breach — via hashtag #equifaxbreach, for example — to sign people up for its cleverly named “CreditLock” subscription service (again, hat tip to @rayjwatson).

“When you have Experian Identity Theft Protection, you can instantly lock or unlock your Experian Credit File with the simple click of a button,” the ad enthuses. “Experian gives you instant access to your credit report.”

First off, all consumers have the legal right to instant access to their credit report via the Web site, annualcreditreport.com. This site, mandated by Congress, gives consumers the right to one free credit report from each of the three major bureaus (Equifax, Trans Union and Experian) every year.

Second, all consumers have a right to request that the bureaus “freeze” their credit files, which bars potential creditors or anyone else from viewing your credit history or credit file unless you thaw the freeze (temporarily or permanently).

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

Whether you are considering a freeze, credit monitoring, or a fraud alert (another, far less restrictive third option), please take a moment to read this story in its entirety. It includes a great deal of information that cannot be shared in a short column here.


Breach at Equifax May Impact 143M Americans

Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.

In a press release today, Equifax [NYSE:EFX] said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing, but that the breach also jeopardized credit card numbers for roughly 209,000 U.S. consumers and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

In addition, the company said it identified unauthorized access to “limited personal information for certain UK and Canadian residents,” and that it would work with regulators in those countries to determine next steps.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement released to the media, along with a video message. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.

Equifax has set up a Web site — https://www.equifaxsecurity2017.com — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.

ANALYSIS

At time of publication, the Trustedid.com site Experian is promoting for free credit monitoring services was only intermittently available, likely because of the high volume of traffic following today’s announcement.

As many readers here have shared in the comments already, the site Equifax has available for people to see whether they were impacted by the breach may not actually tell you whether you were affected. When I entered the last six digits of my SSN and my last name, the site threw a “system unavailable” page, asking me to try again later.

When I tried again later, I received a notice stating my enrollment date for TrustedID Premier is Sept. 13, 2017, but it asked me to return again on or after that date to enroll. The message implied but didn’t say I was impacted.

Maybe the company simply isn’t ready to handle everyone in America asking for credit protection all at once, but this could be seen as a ploy by the company assuming that many people simply won’t return again after news of the breach slips off of the front page.

Several readers who have taken my advice and placed security freezes (also called a credit freeze) on their file with Equifax have written in asking whether this intrusion means cybercriminals could also be in possession of the unique PIN code needed to lift the freeze.

So far, the answer seems to be “no.” Equifax was clear that its investigation is ongoing. However, in a FAQ about the breach, Equifax said it has found no evidence to date of any unauthorized activity on the company’s core consumer or commercial credit reporting databases.

I have long urged consumers to assume that all of the personal information jeopardized in this breach is already compromised and for sale many times over in the cybercrime underground (because it demonstrably is for a significant portion of Americans). One step in acting on that assumption is placing a credit freeze on one’s file with the three major credit bureaus and with Innovis — a fourth bureau which runs credit checks for many businesses but is not as widely known as the big three.

More information on the difference between credit monitoring and a security freeze (and why consumers should take full advantage of both) can be found in this story.

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich. Typically, the way these arrangements work is the credit monitoring is free for a period of time, and then consumers are pitched on purchasing additional protection when their free coverage expires. In the case of this offering, consumers are eligible for the free service for one year.

That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s Web site suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true — if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said Web applications.

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers. Experian also for several months granted access to its databases to a Vietnamese man posing as a private investigator in the U.S. In reality, the guy was running an identity theft service that let cyber thieves look up personal and financial data on more than 200 million Americans.

My take on this: The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers.

In a statement released this evening, Sen. Mark Warner (D-Va.) called the Equifax breach “profoundly troubling.”

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” said Warner, who heads the bipartisan Senate Cybersecurity Caucus. “It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit – represents a real threat to the economic security of Americans.”

It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).

The company appears to have announced the breach after the close of the stock market on Thursday. Shares of Equifax closed trading on the NYSE at $142.72, up almost one percent over Wednesday’s price.

This is a developing story. Updates will be added as needed.

Further reading:

Are Credit Monitoring Services Really Worth It?

Report: Everyone Should Get a Security Freeze

How I Learned to Stop Worrying and Embrace the Security Freeze

Update: 8:38 p.m. ET: Added description of my experience trying to sign up for Equifax’s credit monitoring offer (it didn’t work).
