Nevada Steps up to the Plate to Protect Consumer Data

A hassle for businesses – but kudos to the State of Nevada for taking real steps to protect consumer data…..

New Data Privacy Laws Set For Firms
By BEN

Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email.
Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers. Since she travels frequently, she often stores the emails on her iPhone.

But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.
After hearing about the new law, Ms. Granstedt started using email-encryption software, which requires her clients to enter a password to read her messages and send responses. It is a hassle, “but I can’t afford to be responsible for someone having their identity stolen,” she said.
Nevada is the first of several states adopting new laws that will force businesses — from hair stylists to hospitals — to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state’s residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.
While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.
That’s one reason the Massachusetts law has the attention of Andrew Speirs, information security officer for National Life Group, an insurance company based in Montpelier, Vt. “We do business in all 50 states so we’re definitely reviewing it,” he said. Mr. Speirs said that National Life has a program in place to protect data, but that the Massachusetts law “is a little more particular” than other state laws. He is checking his company’s program for any holes.
While it isn’t clear if state authorities intend to crack down on mom-and-pop businesses — the attorney general in Massachusetts is still developing an enforcement policy, a spokeswoman said — the laws establish a liability that could be used in civil suits against businesses following a data breach, privacy lawyers said.
In Nevada, companies that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence. Those that don’t comply would be subject to unlimited civil penalties under the proposed enforcement plan, said James Earl, executive director of the state’s task force for technological crimes.

Some businesses have already started buying security technology in anticipation of the new laws. Papa Gino’s Inc., a Dedham, Mass.-based pizza and sandwich chain, began purchasing laptops with encrypted hard drives from Dell Inc. for its workers last year. Dell sells these computers for about $100 more than those with unencrypted drives. So far, the company has bought about 80 of the computers.
Papa Gino’s is also purchasing encryption software — which costs about $50 per computer — to protect files containing sensitive information on the 170 or so laptops that don’t have encrypted drives, said Chris Cahalin, manager of network operations for the company, which has 370 locations.
The new regulations mean “anybody in IT has to become a security guy,” he said.
Getting compliant with the new laws will require most businesses to open their wallets. According to Forrester Research, about 31% of large corporations and 22% of small- and medium-size firms currently have at least some laptops with encrypted hard drives, a way of protecting information on a computer if it is lost or stolen.
The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.
Partners HealthCare System Inc., a Boston-based hospital operator, will have to spend more than $100,000 to comply with the new regulations, said Karen Grant, the company’s chief privacy officer. Partners is looking into encryption for laptops and technology that can trace lost or stolen devices.
The company may need to reprioritize its current projects in order to get the new technology in place by January, said Ms. Grant. “It’s a burden,” she added, “but it’s something you have to do.”
The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.
The so-called breach-notification laws, which were enacted in more than 40 states, ended up doing little to tamp down security breaches.
So far this year, more than 500 organizations have publicly disclosed a breach, up from the 446 disclosed in all of 2007, according to the Identity Theft Resource Center, a San Diego nonprofit group. In a September study, researchers at Carnegie Mellon University found that notification laws only reduce identity theft by around 2%.
“Breach-notification laws deal with what happens after the horse leaves the barn,” said Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation. The new regulation in his state “is intended to prevent the horse from getting out of the barn in the first place.”
Write to Ben Worthen at ben.worthen@wsj.com

http://online.wsj.com/article/SB122411532152538495.html

Identity Theft – the terrorist connection??

I found this article from the Wall Street Journal profoundly disturbing, but not surprising.  I just wonder how much of the cash is being funnelled to the Hindu Kush and the terrorist hiding there?

European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case.

The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said.

Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd.

The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries including the U.S. Investigators haven’t pinpointed the culprits. Early estimates of the losses range of $50 million to $100 million, but the figure could grow, said the person close to British law enforcement.

The scheme uses untraceable devices inserted into credit-card readers that were made in China.

The devices selectively send account data by a wireless connection to computer servers in Lahore, Pakisan, and constantly change the pattern of theft so it is hard to detect, officials say.

“Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F. Brenner, the U.S. government’s top counterintelligence officer.

U.S. intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent al Qaeda.

The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from U.S. companies, including TJX Cos., the parent company of TJ Maxx.

In March, security officials at MasterCard Inc. saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities. Scotland Yard learned of the report and eventually connected it with the warning from MasterCard, according to the person close to British law enforcement.

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology.

The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

A MasterCard spokesman declined to discuss details of the case but said safeguarding financial information is a top priority for the company.

There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.

So far, investigators have found hundreds of machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to British law enforcement.

A spokeswoman for Asda said, “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for Sainsbury denied its stores were hit by the scheme. A spokeswoman for Tesco said: “We’re aware that this was an issue for retailers.” She said Tesco tested its devices and is confident they are now secure.

http://online.wsj.com/article/SB122366999999723871.html

 

Data Breaches – 2008 update

The Identity Theft Resource Center (ITRC), a nonprofit organization that tracks data breaches in U.S., reported 516 incidents that resulted in a total of over 30 million personal records being compromised so far in 2008, out of which 97.5% were electronically stored.The ITRC gathers the reports from various media sources, several notification lists and state agencies. They are also working to confirm the breaches with several other specialized groups and websites. All the incidents that got included in the report resulted in loss of personal identifying information such as Social Security numbers, drivers’ license numbers, banking details, basically information that could favor identity theft.

The report defines five categories, banking/credit/financial, business, educational, government/military and medical/healthcare, based on the sectors where the incidents occurred. Incidents originating in the financial sector amount for almost 57% of the lost records, while the biggest number of incidents, 188 (36.4%), was recorded in the Business sector. This suggests that financial institutions in particular, which usually handle a lot of personal information, should adopt more solid security policies.

The report also sorts the incidents based on the breach type. According to the statistics, 47% of the records were lost while being moved in 95 incidents, while 36% were lost by subcontracted companies. In addition, almost 22% of the records were compromised as a result of hacking activities and 18% were stolen by employees. A surprise is the low percentage (3%) of records that were accidentally exposed.

Another classification concerns the protection level of the compromised data. This proves again the lack of data encrypting practices inside organizations, the information being protected in this way in only 1.1% of the incidents. In almost 10% of the cases, the data was password protected, while in 88% of the incidents, the lost personal details were unprotected and they amount for the vast majority (92%) of the total number of compromised records.

The report analyzed only data gathered in the first eight months of 2008 and the total number of incidents already exceeded the one registered for the entire year in 2007 (446). This could also be caused by the fact that many states have since introduced laws that require both public and private organizations to report such cases.

Even though in 2007 the number of compromised records was a lot bigger, 127 million, it is notable that in more than 40% of the breach events included in the 2008 report, such information was partially or completely unavailable. Because of this, ITRC advises that “the number of affected records is grossly incomplete and unusable for any statistic or research purpose.”

http://news.softpedia.com/news/Over-30-Million-Personal-Records-Exposed-in-2008-in-U-S-95124.shtml

Limiting damage during a data breach

CSO has an excellent article on how to limit damage during a data breach.  Included are these excellent steps:

Create a response plan or review your current one. Have a thought-out and actionable plan in place so your post-breach response can be as effective as possible. This is not time to play Russian roulette with the 31 percent of your customer base who is ready to walk away. For generations, the Boy Scouts have said it best with their motto: Be Prepared.

Deliver timely and forthright notification. Large delays in notification signal to your customers that you are hiding something and/or they are not important to you, despite some realities that it takes time to assess the impact of a breach. Although it may not be possible to notify customers within a week, or even several weeks following a breach, your goal should be to notify them as soon as possible, with what reasonable information you can divulge at that time.

Provide complete and believable information. For many of your customers, a breach itself will be enough reason for them to walk. But for others, the quality of information you provide will be the key determinate in their decision to stay. Within your notification, be sure to provide your customers with clear and concise information about the breach, including specific details on how the breach will affect them. Is their personal information in the hands of identity thieves? Do they have to close their credit card accounts?

Develop your messaging, then rethink it. And rethink it again. Many respondents in the Ponemon study found communications to be unbelievable or misleading, failing to reduce their fears about potential harms they faced because of a breach. Even if you are being factual, think of how you are stating those facts. Notification letters and public communication about the breach are crucial in determining customers’ reactions, and you must carefully teeter the fine line in your communications between being firm yet friendly, and concerned yet in control and taking responsibility.

Act as an educator. Although you are the barer of bad news, you also have the opportunity to be the barer of solutions. Lay out for your customers the next steps they can or need to take after they are notified. Include information, phone numbers and Web sites on freezing credit files, getting free credit reports and other tips customers might want to know and follow. At little or no cost to your organization, acting as an educator will not only help your customers recover from the incident, but maintain your organization as a trusted source.

Consider offering free or subsidized identity protection services. Offering identity protection services has proven to have a positive effect on customer retention, and in many cases, offering such services is more affordable than new customer acquisition strategies. Individuals who receive free or subsidized services, such as credit monitoring, identity theft insurance or identity recovery services, feel less concerned and worried about the breach after it happens. Similarly, customers who receive these services are also less likely to terminate, or consider terminating, their relationship with your company.

Hopefully – companies will take note……..

http://www.csoonline.com/article/451785/How_to_Minimize_the_Impact_of_a_Data_Breach?page=2

Good for Germany…..whistleblowers get results………..

I am applauding the German interior this morning for his response to information given to him by a whistleblower on the ease of trading consumer’s PII (personally identifiable data):

Germany’s Interior Minister, Wolfgang Schäuble, vowed today to tighten the laws governing how data on German consumers can be gathered, sold, and traded. Schäuble’s declaration comes after a call center whistleblower, Detlef Tiegel, handed a CD containing the banking details of some 17,000 German citizens over to the authorities. The information in question had been obtained (possibly purchased) by the unidentified company that employed Tiegel. The initial 17,000 records were only a fraction of the roughly 1.5 million records Tiegel claimed he could produce.

German officials took the man’s claims seriously enough to open their own investigation, and were dismayed when they were able to purchase 6 million records of personally identifiable information (PII) for a paltry €850 (~$1,220). Minister Schäuble called a meeting today in Berlin to address the situation and share his concerns with multiple ministers within the German government. Attendees included data protection commissioner Peter Schaar, Justice Minister Brigitte Zypries, Economy Minister Michael Glos, and Consumer Affairs Minister Horst Seehofer. Representatives from several German states were also in attendance. …

 I only wish the US would begin taking action such as this………….

http://arstechnica.com/news.ars/post/20080904-whistleblower-prompts-review-of-german-data-protection-laws.html

More and Bigger than last year – Oh Yeah

Sorry that I haven’t posted in a while, but my company is in the process of several audits – including PCI, and so, I’ve been a bit busy.  But I did run across this little tidbit in Informationweek…………….

With four months to go in 2008, the number of data breaches on the Identity Theft Resource Center’s 2008 breach list has already surpassed the 446 breaches reported by the organization for all of 2007.
As of the morning of Aug. 22, the number of data breaches reported had reached 449.
As to whether things are getting worse, ITRC founder Linda Foley is cautious. “This is a little frightening, knowing that we’re four months ahead of last year,” she said.  However, Foley also noted that her organization and others are finding out about more breaches now than they did in the past. Rather than indicating a deteriorating security situation, the rising number of reported data breaches may just mean corporate security auditors are better at finding compromised systems, she suggested.
The Identity Theft Resource Center points out that the actual number of breaches this year is probably higher than 449 so far because of underreporting and because breaches affecting multiple businesses tend to be reported as a single event. According to the ITRC, in 40% of breach events, the number of records affected is not reported or fully disclosed.
In June, following the release of a Verizon (NYSE: VZ) Business Security survey about data breaches, Bryan Sartin, VP of investigative response at Verizon, told InformationWeek that publicly reported breaches are “just the tip of iceberg.” He said that less than 5% of the more than 500 cases covered in the Verizon study involved some form of disclosure.
(Foley observed that Verizon’s study does not distinguish between breaches involving personal information, which can be used for identity theft, and breaches involving proprietary corporate data, which many not affect consumers.)
In any event, it appears that hard numbers about data breaches are hard to come by. According to survey of about 300 attendees at this year’s RSA Conference, more than 89% of security incidents went unreported in 2007.
Security incidents, as defined by the RSA study, represent “an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address.” Clearly not all “security incidents” are data breaches, but certainly some underreporting of breaches is going on.
In addition to the underreporting of breaches, assessing the actual impact of a breach may be difficult because there’s disagreement about the number of data records involved. On Monday, for example, Glasgow’s The Sunday Herald reported that Best Western’s reservation system had been hacked and 8 million customer records had been stolen. Best Western disputes The Sunday Herald’s story, saying that only 13 customer records appear to have been compromised.
InformationWeek also recently published its 2008 Security Survey entitled “We’re Spending More, But Data’s No Safer Than Last Year.” Download the report here (registration required).
In short, numbers may be fuzzy. But those following the issue nonetheless believe action is warranted.
“The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken,” said Avivah Litan, a VP at Gartner in a statement. “A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight.”
Foley is hopefully that before too long, more complete data about data breaches will lead to a better understanding of such incidents. Her goal, she said, is not to point fingers but to help organizations devise better data security regimes.

 http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210200622&subSection=News

Gangs and ID theft………..

And the risk to the consumer just keeps on growing………

AUGUST 15, 2008 | It’s not just Eastern European or Asian cyber gangs — gangs from the streets of L.A. and other cities better known for drugs and weapons violence are now turning to identity theft crimes as well, according to a published report .

Cases of identity theft reportedly involving a chapter of the ‘Crips’ from Long Beach, Calif., Armenian Power, and Mexican Mafia gangs, have demonstrated that ID theft is no longer the domain of international computer hackers, for instance. Gang-related ID theft was part of the 31 percent jump in ID theft complaints in California last year, according to a new report from Identity Theft 911.

California is a big fat target for ID theft: around 1.5 million Californians were victims of this crime last year, according to the report, and credit-card fraud is the main culprit. Next is employment fraud, including Social Security number (SSN) thefts for undocumented workers.

Experts say street gangs are finding ID theft an easy way to make a buck. In a recent case being investigated by California’s Department of Consumer Affairs, a former personnel specialist there, Rachel Dumbrique, sent names and SSNs of 5,000 people on the state’s payroll to a personal Yahoo email account on her last day at the agency. She says she didn’t know SSNs were in the file, but investigators are looking at the case closely because she’s the wife of an imprisoned gang member of Mexican Mafia.

Meanwhile, a group affiliated with the Long Beach Insane Crips gang allegedly sole nearly $90,000 from a local financial institution in a check-cashing scam.

http://www.darkreading.com/document.asp?doc_id=161687&f_src=drdaily

Why every detail is so important………..

I’m making sure the pc technicians where I work get this information………..

Insider used the one machine that hadn’t been ‘fixed’ to prevent use of external storage devices
AUGUST 13, 2008 | 5:45 PM
By Tim Wilson
Site Editor, Dark Reading

If your primary defense against portable storage devices is to seal up the USB ports on your users’ computers, you’d better be pretty darn good with a glue gun.

That’s the message that’s emerged from court documents surrounding the recently revealed security breach at Countrywide Home Loans, where an employee siphoned off about 20,000 customer records a week for more than two years and sold them to a third party. (See Ex-Countrywide Employee Charged With Selling Customer Data.)

An affidavit by an FBI special agent assigned to the case reveals exactly how the insider attack took place. It states that in an effort to prevent users from loading unauthorized data onto memory sticks or other portable storage media, Countrywide had sealed the USB ports on all of its employees’ machines — all, that is, except one.

Rene Rebollo Jr., 36, a former senior financial analyst with Countrywide Home Loan’s subprime mortgage division, found that one machine near his own workspace, according to the affidavit. And so, every Sunday night for about two years, Rebollo brought a memory stick over to that machine and downloaded personal information on approximately 20,000 customers.

Countrywide had not deployed any method for detecting or managing downloads to portable storage devices, since its policy was to block their use entirely on all employee machines. As a result, the downloads went undetected for years, leading to the compromise of some 2 million records, according to court documents.

A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales. Experts have said that Rebollo woefully underestimated the value of the mortgage data, which is difficult to get on the black market and can fetch several dollars per record.

Disabling USB ports — either logically through the registry or physically, by sealing them with glue or some other permanent substance — is a simple way to prevent users from accessing portable storage devices, experts said. But it can prove fallible.

“This is certainly a quick way to lower the risk of information transfer,” said Tom Olzak, director of information security at HCR Manor Care, in a recent blog. “It isn’t difficult, especially in a Windows environment. A simple registry hack on each workstation, easily deployed via login scripts, can completely shut down USB and Firewire ports.

“But this might cause a problem if you deploy USB or Firewire devices like keyboards, mice, displays, etc.,” Olzak noted. “A direct registry modification to achieve a security result is not my idea of a good time.” For many enterprises, encryption or granular control of USB ports may prove to be better options than disabling USB altogether, he suggested.

http://www.darkreading.com/document.asp?doc_id=161548&f_src=drweekly 

 

Make the cost to the bad guys higher than they can take??

In this article on Network World, a security expert makes the following statement:

Companies have too long focused on perimeter defenses and not on protecting data inside their networks, Curry said. Retailers and other companies need to “wake up and take these threats seriously,” Curry said. “Make the cost to the bad guys too high for them to do it.”

 Nicely stated, except there are far too many companies who have bad guys making bad decisions about securing consumer data who are never touched.  They really have the same attitude as the criminals i.e. “as long as I don’t get caught…………”  As long as there is no accountability on that end, we’re going to continue to see problems.

http://www.networkworld.com/news/2008/080608-id-theft-ring-attacked-retailers.html?page=2

Better late than never????

Well, the Justice Department made the announcement yesterday that arrests had been made in an international ring that was involved in the theft of 40 million credit card numbers.

According to the article in CNN details are murky – clearly there have been unreported breaches that have affected the consumer.

Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

“This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active,” Sullivan told CNN.

The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney’s office in San Diego, he said.

The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Justice Department said.

Some credit and debit card numbers were sold on the Internet, and were “cashed out” by encoding the numbers on the magnetic strips of blank cards. “The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs,” authorities said.

Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.

“There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia,” Sullivan said. “The 41 million credit and debit numbers were used internationally.”

Gonzalez was previously arrested in 2003 by the Secret Service on suspicion of access device fraud, the Department of Justice said, and was working as a confidential informant for the agency. However, the Secret Service discovered during the investigation that Gonzalez was involved in this case, authorities said.

The California indictment charged eight others with operating an international stolen credit and debit card distribution ring, selling stolen card information for personal gain — millions of dollars, in at least one case, authorities said.

Three of the defendants in the most recent case, among them Gonzalez, were also charged in May in a related indictment in New York, Justice said. Those charges allege the three were engaged in a scheme to hack into computer networks run by the Dave & Buster’s restaurant chain and steal credit and debit card numbers from at least 11 locations.

The three installed “sniffer” programs at the cash register terminals of the locations, capturing credit and debit card numbers, authorities said. At one location, the sniffer captured data for some 5,000 cards, causing some $600,000 in losses to the banks that issued the credit and debit cards.

Gonzalez is awaiting trial on the New York charges. The other two of the international defendants are also in custody, police said.

“Identity theft can involve a single criminal stealing the personal financial information of a single victim or, as it did here, it can involve a group of criminals stealing the credit card numbers of millions of people, many of whom may not even learn that they were victims for months or years,” said Attorney General Michael Mukasey.

“Identity theft victims suffer well beyond the immediate financial costs; they suffer lost confidence in their privacy and security, as well as the emotional strain and the time it can take to repair damaged financial lives and credit histories. In many cases, the effects of these crimes can be felt for years after they are committed.”

Mukasey and other officials said the case serves as a reminder that computer crimes can cross international borders.

“We have been working with countries around the world to identify and address technical vulnerabilities in computer networks, and to ensure that laws and procedures are adequate to deal with these kinds of crime,” Mukasey said. “And we have been working closely with our international partners to crack specific cases when they take us beyond our borders.”

http://www.cnn.com/2008/CRIME/08/05/card.fraud.charges/index.html#