2 years in federal prison for trash-searching student aid fraudster


A Florida man has been sentenced to two years in federal prison for defrauding student aid accounts, while his two fellow-conspirators have been given probation and community sentences.

The group's techniques should serve as a reminder that it's not just the information stored on our computers that we need to keep secure.

Christopher J. Wright of Fort Lauderdale in Florida was a student at Florida Agricultural and Mechanical University (FAMU) when he and two other Florida men hijacked financial aid accounts of a number of fellow-students, redirecting funds due to them into accounts controlled by the trio.

Wright was sentenced last week to two years' prison time. The two men who joined him in his frauds, Carl Coutard and Carliss Pereira, pleaded guilty earlier this year and have been given "home detention" and "community confinement" sentences, plus community service and restitution payments.

Most but not all of the money they defrauded has been retrieved by reversing transfers.

At the time of the initial indictments in the case, the offenses covered were said to carry sentences of up to ten years in some cases and five years in others, so it may seem that the three men have got off lightly, particularly those serving no actual jail time.

But the US Attorney announcing the sentences insisted that they send "a clear message that engaging in this type of criminal conduct will have serious consequences, including the real possibility of a felony conviction and a prison term".

Perhaps the most interesting feature of the case from a security viewpoint is how the three men went about gathering the information they needed to defraud their victims.

As well as using the standard techniques of social engineering, "tricking FAMU employees and the students themselves into providing this information", and researching their victims on the internet for useful PII, they also found data "by taking paperwork discarded in the trash bins near the FAMU computer help desk".

This should remind us of the importance of hard-copy data as well as the vast swathes of digital information on all of us swirling around the internet.

In the age of NSA snooping anxiety, the focus of our privacy worries has been very much on protecting our online data and communications, but it's important not to forget the potential value of old-school "dumpster diving" techniques.

Printed material we throw away can be very useful to identity thieves. Those pre-filled-in credit card application forms the banks seem to so enjoy sending out may be an obvious danger, but there are subtler indicators too, with data such as dates of birth and travel plans often easily deduced from discarded material.

Printing things out at work or college is especially dangerous, as we tend to feel safer among our peers and so are perhaps less wary of leaving bank statements or half-filled application forms lying around for prying eyes to see.

So be careful with your personal information in the real world, not just in the digital one - for example, I tear addresses off junk mail before it goes into the recycling, and I put anything at all personally identifiable straight onto the fire-lighting pile to be burned ASAP.

If you're not lucky enough to have a nice fireplace to keep you toasty and safely destroy documents, maybe invest in a good-quality shredder and use it on anything at all sensitive.

And if you're running a business, hospital, university or other institution handling sensitive internal or third-party data, consider a shred-by-default policy, and discourage your people from printing out anything that doesn't really need to be committed to paper.


Image of hands holding prison bars courtesy of Shutterstock.


2 Responses to 2 years in federal prison for trash-searching student aid fraudster

  1. Roger · 174 days ago

    Don't forget, at some time in the future, to add a most missed, obvious vulnerability: removing the pre-labeled order form sandwiched within a sales magazine, which contains name, address, and account number.

  2. B. Kraus · 173 days ago

    It has come full circle, we used to be more aware of things like this. I do remember back in 1995 when I was stationed in the ROK, I was buying Mandu and potatoes from the street vendors. After I got my snackies I looked at the paper cone they wrapped my food up in and noticed that it was personnel records from the base I was stationed at, complete with full names and SSNs. Yeah, I went straight to the base security office/OSI with that.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.