Articles

Utah Faces Fallout Over Massive Breach

Wed, 16 May 2012 00:00:00 -0700

The recent data breach in which the personal records for more than 780,000 government healthcare benefit recipients in Utah were compromised continues to have serious effects.

Utah Gov. Gary Herbert recently gave a speech about the impact the breach has had on the state, noting that even one of his relatives was affected by the incident, according to a report from the Salt Lake Tribune. Further, he revealed that he had asked Stephen Fletcher, the state's director of the Department of Technology Services, to resign due to his lack of "oversight and leadership," and has hired an ombudsman to help develop strategies for protecting victims' information and credit.

"The people of Utah rightly believe that the government will protect them, their families, and their personal data. When they interface with us that is in fact our charge," Herbert said at the news conference, according to the newspaper. "As a state government we have failed to honor that commitment. For that, as your governor and as a Utahan, I am deeply sorry."

Herbert also gave details about how the breach happened, the report. Without revealing the protocols state officials failed to uphold that allowed the hackers to access the sensitive data for hundreds of thousands of state residents, Herbert disclosed that the attack likely originated in Romania, as part of a plot to steal Social Security numbers, which seem not to have been encrypted. Going forward, however, the state will encrypt all data on state servers. Previously, it had only been required to do so when data was in transit.

The ombudsman's official role will be "health data security ombudsman," the report said. Sheila Walsh-McDonald, an advocate for low-income Utah residents, will take that helm in a full-time role after being selected specially by the state's Department of Health. A hotline has been established for victims to reach her with concerns and questions they may have about their exposure as a result of the breach. Further, the state will provide free credit monitoring and enrollment in identity theft insurance programs worth up to $1 million for individuals and $2 million for families, as long as victims sign up by August 31.

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about the dangers data breaches pose for consumers.

Old Computers Lead to Identity Theft?

Thu, 10 May 2012 00:00:00 -0700

In many cases, when consumers get rid of an old computer, they go to considerable efforts to wipe the hard drives to erase any kind of information that may be stored on it, but sometimes, that might not be enough to protect them.

Older computers running Windows-based operating systems, especially Windows XP, may pose a significant identity theft threat to consumers, according to a report from USA Today. The same is true of smartphones using Google's Android mobile operating system. These same problems are not faced by consumers who use Apple and Research in Motion devices, such as iPhones, iPads and various BlackBerry handsets.

In research conducted by McAfee data security expert Robert Siciliano, using 30 preowned devices purchased from Craigslist, he found that half still contained large amounts of sensitive data, including the previous owners' bank account and Social Security numbers, the report said. All this was found using simple electronic forensics tools.

These problems may become even more widespread later this year when Microsoft rolls out its new Windows 8 platform, and consumers scrap or sell their XP-based machines when they upgrade, the report said. XP makes it quite difficult for consumers to extract or wipe old data. Further, Android smartphones may still contain personally identifying information even after being "restored" to original factory settings.

Siciliano noted that it's particularly important for consumers to make sure they have sufficiently cleaned out their old data from their various devices before disposing of them, the report said. Mary Ann Miller, a financial fraud expert, stressed that companies should be doing more to give consumers guidance on wiping their hard drives clean on unwanted devices. This is especially true because these days, consumers are storing more of their personal and financial information on a number of devices, as well as data on friends, family and other contacts.

"Security should be a key consideration from the moment you acquire a device - and when you dispose (of) it," Miller told the newspaper.

Brian McGinley, senior vice president of data risk management for Identity Theft 911, has a blog about the ways consumers can make sure their information is secure both when they are using a device, and when they are getting rid of it.

Letter from the CEO

Wed, 09 May 2012 10:39:00 -0700

Way back in 2007 when a hacker named Geohot cracked the first iPhone, allowing users to run the phone on carriers other than AT&T, someone asked Steve Jobs what he thought about it.

“This is a constant cat-and-mouse game,” said the late, great sage of Silicon Valley. “People will try to break in, and it’s our job to keep them from breaking in.”

This is how we look at identity theft here at Identity Theft 911. The crooks won’t stop trying to break into your life, and we won’t stop fighting to prevent them from breaking in. This month, we’re highlighting some of the tools we’re seeing identity thieves using to force that break-in, including:

· Payday loan scams , where con artists call victims and demand money for imaginary loans. Often the victims are users of payday loan services, which offer quick money at a high rate of interest, compounding the confusion.

· Account takeover , a complicated and costly type of identity theft where criminals take over victims’ phone lines or redirect financial documents in hopes of a major payday. One victim tells the harrowing story of watching her $150,000 rainy day fund drain away. But we’ll also give you expert tips on how to avoid becoming a casualty.

Finally, we’d like to call your attention to a new and troubling trend: the shoddy background check . With little regulation and a lot of money to be made, more background check services are springing up. There is a demand, with more than 70 percent of U.S. businesses running background checks on potential hires. But often, these checks present inaccurate, misleading and downright dishonest information. We tell you how to avoid an awkward interview caused by a shoddy check. And what you can do if you think a bad background cost you a job.

As always, we hope you enjoy.

Matt Cullina
Chief Executive Officer
IDentity Theft 911

Hold the Line: That Debt Collector May Be a Crook

Fri, 04 May 2012 07:00:00 -0700

The thieves sounded like real debt collectors. They hectored Rick Varton* with phone calls and nearly convinced him he owed money on overdue payday loans.

Varton, who had never taken out a payday loan, changed his phone number but couldn’t escape the harassing calls from multiple companies.

All across the country, consumers like Varton are getting calls from scam artists posing as debt collectors. They often target people who are financially vulnerable, already burdened with debt and who have taken out payday loans to make ends meet.

Payday loans are high interest, short-term loans. They are designed to cover unexpected expenses until repayment is made with the next paycheck. Online sites promise “emergency cash” with instant approval. But interest rates can be outrageously high, and federal agencies have cracked down on predatory lending. In a few states, including Arizona, payday loans are now illegal.

Payday loan crooks often introduce themselves as law enforcement agents or attorneys and demand money for fake payday loans or for debts that have already been repaid. Victims often wire thousands of dollars before they realize they’ve been scammed.

“I’ve talked to victims who have spent their life savings before realizing this is a scam,” said Raul Vargas, a team manager in the Identity Theft 911 Fraud Resolution Center. “Unfortunately, there’s no recourse to get their money back.”

Fortunately for Varton, his insurance provider, Grinnell Mutual Reinsurance Company, offered LifeStages® identity management services with Identity Theft 911.

Over a six-month period, fraud investigator Mark Fullbright worked with Varton to protect his credit and restore his good name until the calls stopped. He:

• Interviewed Varton for a complete account of his experience to date
• Informed Varton of his consumer rights under the Fair Credit Reporting Act
• Placed a fraud alert on Varton’s file with a credit reporting agency
• Enrolled him in credit and fraud monitoring services
• Helped him file complaints with law enforcement and regulatory agencies
• Spoke directly with callers pretending to be debt collectors

If you think you’re on the phone with a phony debt collector, follow these four steps to protect yourself:

1. Ask for notice in writing. A legitimate creditor will send you a detailed report about your loan in the mail.
2. Stop speaking with the caller. If you have the caller’s address, send a letter demanding that the caller stop contacting you and keep a copy for your files. By law, real debt collectors must stop calling you if you ask them to do so in writing.
3. Contact your creditor. If the debt is legitimate—but you think the collector may not be—contact your creditor about the calls. Share the information you have about the suspicious calls and find out who, if anyone, the creditor has authorized to collect the debt.
4. Report the call. Contact the Federal Trade Commission and your state attorney general’s office with information about suspicious callers.

Consider contacting one of your existing providers—a bank, credit union, insurer, financial planner or attorney—for support. They may already offer excellent identity theft coverage.

* Name has been changed to protect customer’s privacy.

Mom Fights to Recover Stolen $150,000 Rainy Day Fund

Thu, 03 May 2012 07:00:00 -0700

Donna Alton* was scrupulous about maintaining her family’s rainy day fund of $150,000 in a home equity line of credit at her credit union.

So she was stunned when she discovered that someone had cleaned out the account in three separate electronic wire transfers. When her credit union refused to replace the funds because they believed the transfers were legitimate, Alton was at a loss.

“There were a lot of tears,” she said, “and many sleepless nights.”

Alton is among a growing number of victims of wire transfer fraud: Criminals use their victims’ personal information to initiate and execute the electronic transfer of funds. In 2011, half of all consumer complaints** to the Federal Trade Commission involved wire transfer as a method of payment, according to the FTC’s Consumer Sentinel Data Book. And losses totaled more than $442 million.

Wire transfer fraud is a perfect way for identity thieves to pilfer money from banks and credit unions. Criminals have found creative ways to hoodwink financial institutions into believing they’re real customers—and make off with big bucks.

In Alton’s case, thieves not only found a way to access her account and request the transfer, they also rerouted all incoming calls from her home phone to another line. When the credit union called Alton’s home to authorize the transfers, the calls went to the crooks instead, and they verified the requests. Read more about account takeover in this Q&A with our expert.

Alton filed a report at her local police department. “They looked at me like, ‘Lady, you’re watching too many Jack Bauers,’ ” she said, referring to the main character in the TV series 24 about a counterterrorist unit agent.

Fortunately, Alton’s homeowners insurance policy with Chubb Group of Insurance Companies offered free identity management services from Identity Theft 911. “You always think they fluff up your policy with services like that,” said Alton, who worked in insurance for 15 years. “You never think you’re going to have to use it. But it was a godsend.”

Alton was impressed with the seamless transfer from Chubb’s claim department to Identity Theft 911’s Fraud Resolution Center. From there, her case was given to Maria Valenzuela, a fraud investigator, who helped Alton until her case was resolved.

Valenzuela took steps to protect Alton’s other accounts and credit by placing a fraud alert on the Altons’ credit reports. Alerts let potential creditors know that you may be—or are at risk of being—an identity theft victim.

And over a period of several months, she helped the Altons with a lot of red tape in order to restore their funds and good credit, including the:

• coordination of letters, complaints and affidavits to law enforcement, regulatory agencies and the couple’s cable company and credit union
• communication with law enforcement and the couple’s credit union, which had grown tense
• removal of the unpaid home equity line of credit from the Altons’ credit report so they could secure a new line of credit.

Because this case of wire transfer fraud included such a large sum of money transferred in three different amounts to three different bank accounts (and then to a final account the thieves had set up), it was difficult to navigate and manage.

“Maria completely held my hand and walked me through the whole process,” Alton said. “She told me, ‘This is what you have to do, this is what you have to say, this is who you have to call.’ She was very thorough and compassionate.”

Alton was so pleased with Valenzuela’s work that she contacted her insurer, Chubb, to thank them for gifting Identity Theft 911’s services in her policy.

Now a year later, Alton and her family have recovered their savings and opened a new home equity line of credit. Although Alton still gets angry when she thinks about the ordeal, she said it opened her eyes.

“I learned so much from the experience,” Alton said. “I learned to really vet my bank and make sure the proper security protocols are in place. Maria taught me how to be more aware of protecting my privacy. And I learned that insurance is one of those things you don’t think you’re going to need but when you need it, you don’t want exclusions.”

* Name has been changed to protect customer’s privacy.
** The FTC reports that these numbers include figures from MoneyGram International and Western Union Money Transfer.

Ask the Expert: Account Takeover Artists Can Steal Your Identity—and Redirect Your Money

Wed, 02 May 2012 07:00:00 -0700

Q: What exactly is account takeover? What can consumers do to stop it?

A: Account takeover is a sophisticated form of identity theft. Essentially, it’s the unauthorized takeover by a third party of one or more accounts, such as those with credit issuers, banks and credit unions, utilities, and phone and cable companies.

Here’s how it works: Let’s say a criminal wants to steal your money by requesting a fraudulent wire transfer from one of your bank accounts.

To complete this transaction, financial institutions usually call their customers to confirm the amount and account numbers. To circumvent this security measure, the criminal would take over your phone number. He’d call your phone company and tell them a story. (These guys are great storytellers.) A common one is that you’re leaving town for a day and want your home number routed to a cell phone number—the criminal’s cell phone. Then the crook hacks the account and requests the transfer. When the bank calls your home number to confirm the money transfer, it rings the criminal’s cell phone instead.

But it’s not always a telephone line that is taken over. We see con artists calling credit reporting agencies such as Equifax and doing the same thing. By assuming the identity of their victims, they can request credit reports, which contain personal and account information. From there, they can contact your creditors to change your mailing address, request credit cards, or request money transfers out of your accounts.

Account takeover is a complicated kind of identity theft. It takes a lot of planning on the criminal’s part. But when the score is big, they’ll put in the work. Recently we’ve seen lot of account takeover cases associated with home equity lines of credit—claims ranging from $40,000 to $1 million that can be taken out against a home. When a fraudster has an opportunity for a big payday, they put in more effort.

But you can put some protections in place:

• Put passwords on your accounts. Banks and credit card companies will ask for your mother’s maiden name or last four of your social, but you can ask them to use a different password that’s harder for thieves to figure out. With Facebook it’s not hard to find out anyone’s mother’s maiden name.

• Be cautious about to whom you divulge information. These crooks can pretend to be your bank or even trick a caller ID system. If a financial institution calls to ask you for personal information, ask for a publicly available call-back number.

• Monitor your accounts and financial information. It’s not always enough to just look at a monthly statement. A fraudulent transaction could be 30 days old by the time you see it. Check your accounts periodically throughout the month with online banking services.

• Report anything out of the ordinary. Timing is important. Contact your insurance provider and financial institution and ask if they offer any type of assistance. Many provide identity theft protection services.

If you think you may be a victim of account takeover, call your bank, credit union, insurer or financial planner to see if they offer identity theft management services. Some financial institutions offer this service for free, as a perk for being a member or account holder.

Raul Vargas is a manager in the Identity Theft 911 Fraud Resolution Center.

Healthcare Data Breaches Pose Significant Concern

Wed, 02 May 2012 00:00:00 -0700

Since the end of 2009, as many as 20 million people have been affected by data breaches within the healthcare field alone.

Healthcare data breaches have become particularly widespread in recent years as organizations move toward digitizing patient records, and as a result, at least 19.2 million consumers have been exposed by about 410 major incidents since September 2009, according to a report from Gov Info Security. Those incidents, however, don't involve the three major breaches suffered in the last few months.

The Utah Department of Health, South Carolina Department of Health and Human Services and private company Emory Healthcare have all been hit with breaches that exposed the private personal and medical information for hundreds of thousands of consumers each, the report said. Other major breaches observed this year - of which there were just four - affected a total of 31,000 people, and that was included in the 19.2 million total.

Experts say that the majority of medical data breaches are caused by mistakes or misdeeds from employees at the organizations, the report said. For instance, the Utah breach involved employees not properly protecting a computer server containing the medical information for more than 780,000 people, and those systems were attacked by hackers. The Emory data breach was caused when an employee misplaced 10 computer disks. The South Carolina incident came because an employee was transferring patient data to his personal email account.

Experts say these problems are routinely caused because healthcare organizations just can't protect patient data effectively enough, according to a report from tech news site Dark Reading.

"It's not typically malicious - the bulk of the insider threat is lack of knowledge; users access data, leave data on systems, and it's not maliciously intended," Rick Dakin, CEO of the IT security consulting firm Coalfire Systems, told the site. "The insider threat follows the same vector: lack of access controls. A lack of monitoring. The lack of data loss prevention tools. There's a series of control breakdowns that allow insider threats to maliciously or just through human error and mistake access data and compromise the data."

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about the issues consumers face when their personal or medical data is exposed in a breach.

Wireless Providers Oppose Geolocation Tracking Restrictions

Thu, 26 Apr 2012 00:00:00 -0700

A proposed law in the state of California would require that law enforcement officials obtain a search warrant before they are able to track a suspect's location via their cellphone signal.

However, the nation's largest wireless carriers have come out in opposition to the proposed bill, according to a report from CNET. Many consumer advocates have noted that this practice creates serious privacy concerns for Americans, but law enforcement officials and the Obama administration has defended the practice.

For their part, the wireless service providers say that such a law would cause their companies unnecessary confusion when it comes to responding to legitimate requests from law enforcement officials, the report said. A letter written by CTIA - The Wireless Association (a trade group comprised of major cellphone carriers like AT&T, Verizon Wireless, U.S. Cellular, Sprint Nextel and more) to the bill's sponsor also notes that the legislation would "unduly burden" the carriers and their employees.

However, critics note that opposition of this bill likely isn't even in the companies' best interests, the report said.

"Wireless companies should be working day and night for us, their customers, not law enforcement," Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, told the tech news site. "This bill is good for consumers and it's good for business. [CTIA] shouldn't be opposing this bill. They shouldn't be opposing the warrant requirement. And they shouldn't be opposing the basic reporting requirements to make sure the law is being followed."

Some note the issue for companies isn't the burden, but rather that the bill requires them to disclose when they comply with these tracking requests from law enforcement officials, and that they are loath to do so, the report said. The companies already keep track of many of these efforts - which they claim would be additionally burdensome - because they are, in the end, paid to do it. For its part, though, AT&T, which is one of CTIA's largest members, supports tracking and location disclosure only when search warrants are filed.

Eduard Goodman, chief privacy officer for Identity Theft 911, has a blog about the concerns consumers may face as a result of this type of location tracking by cellphone service providers.

Domain Name Data Breach Poses Concern

Wed, 18 Apr 2012 00:00:00 -0700

ICANN - the Internet Corporation for Assigned Names and Numbers - is the organization that grants new domain names to websites, but it recently suffered a data breach, and that may pose significant problems for consumers.

Because ICANN was hit with the breach, it might allow hackers and phishers to "cybersquat" legitimate domain names, according to a report from MediaPost News. As a consequence, they may be able to create sites for top-level domain names - i.e. those ending with .com, .edu, and other well-known suffixes - that appear to be legitimate but are actually designed to aid in identity theft operations.

The organization recently stopped accepting applications for new domain names because of a data breach that allowed users to see other applicants' information, and will only begin accepting them again when it is ensured that the issue has been resolved, the report said. However, experts see the incident as a sign ICANN needs to reduce its operations to issue new domain names until it is able to generate a new and more secure system for doing so.

"It's another warning signal to go slower, and make sure you have worked out all the glitches before you roll out a new system," Dan Jaffe, executive vice president of the marketing group the Association of National Advertisers, told the news site, adding, "People have a lot of faith in the Internet right now. But if that gets undermined, there could be a very adverse effect."

Between January 12 and March 25, ICANN received applications for 839 top-level domain names, but it is unclear how many will be approved, the report said. Nonetheless, critics say that any significant increase would likely result in bogus sites. For its part, the online organization says that it has a number of protections in place to prevent cybersquatting and other trademark infringement, and that the price tag for a top-level domain - usually about $18,500 - is likely too large for fraudsters to afford.

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about the ways hackers and other fraudsters can rip off consumers, and the warning signs Web users should look for to avoid being victimized by this type of fraud.

Lawmakers Introduce New Controversial Privacy Bill

Wed, 11 Apr 2012 00:00:00 -0700

A few months ago, the Internet was abuzz with anger over a pair of bills in Congress known as SOPA and PIPA, and though those were ultimately defeated largely as a result of that online outrage, a new, potentially more powerful bill has risen to take their place.

SOPA (the Stop Online Piracy Act) and PIPA (the Protect Intellectual Property Act) led to the infamous "Internet Blackout" in January, and lawmakers' support for those two bills shriveled almost immediately, according to a report from PC Magazine. But now critics say but the latest bill designed to be a spiritual successor to those laws, known as CISPA (the Cyber Intelligence Sharing and Protection Act), could be a whole lot worse.

This bill specifically is designed to protect companies from hacking attacks, which have grown quite popular in the hacktivist community in recent months, but allows for tech companies to more easily share data on those trying to steal information, the report said. Ostensibly, that could be good, but privacy advocates say it's also a slippery slope. The bill contains language that is, perhaps intentionally, quite broad. This means there would be no restriction to the type of information companies and the government could share as long as they could link it in some way to a type of cyber threat. Consequently, the government could, theoretically, ask for any information on any Internet user it wants, and the company could turn it over.

In fact, the wording of the bill is so broad that some experts say it could be used to take down sites that SOPA and PIPA were designed to stop, such as WikiLeaks and file-sharing site The Pirate Bay, the report said. However, advocates - and there are many of them - say that because the U.S. is now under such heavy attack from hackers acting either alone or at the behest of foreign governments, something needs to be in place to stop them.

"The broad base of support for this bill shows that Congress recognizes the urgent need to help our private sector better defend itself from these insidious attacks," said Rep. Mike Rodgers, the Michigan Republican who co-sponsored the bill, according to the news site.

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about the threats companies face from hackers and can be done to stop them.

Letter from the CEO

Tue, 10 Apr 2012 07:00:00 -0700

This month news surfaced that customers of Visa and MasterCard may have had their private information exposed in a data security breach that compromised roughly 1.5 million accounts.

The twist in the by-now familiar tale: The breach occurred not at the credit card companies themselves but rather at a third-party payment processor called Global Payments Inc. Global Payments and other processors like it serve as conduits: They receive the account number and other data sent when a merchant swipes a credit card and then relay that data on to the credit card company. The credit card company in turn forwards the data to the bank that issued the card.

Many of the breach details remain unknown, including how the accounts were hacked. The incident does, however, make clear the often complicated and interconnected nature of business today. One weak link in the chain is all that an identity thief needs to break in and siphon off account information or other personally identifiable information (PII). If we are to make headway in the fight against identity theft, every business—no matter its size or where it falls in the transactional chain—must take responsibility for securing its systems.

If you’re concerned about the security of your business data, you can start by viewing this month’s slideshow on the top causes of data breaches—the most frequent of which comes from the inside, through employee negligence. Learn about these threats and their high cost to businesses and get tips for safeguarding your company’s data.

Next we look at how military personnel, especially those on extended assignments abroad, are prime targets for identity thieves. While strides have been made toward better protecting servicemembers’ Social Security Numbers, once woefully overexposed, other risks remain. Read up on active-duty alerts and other measures to protect yourself and your family.

Also, in light of a Federal Trade Commission report that showed that most consumers who call credit bureaus for help with identity theft don’t know their rights, we sat down for a Q&A with personal finance expert Gerri Detweiler. Gerri highlights key points for consumers to keep in mind should they find themselves hit by identity fraud.

Finally, if your prospective employer or college wants access to your Facebook profile, be sure to read up on your social networking rights in this infographic from Backgroundcheck.org.

As always, we hope you enjoy.

Matt Cullina
Chief Executive Officer
Identity Theft 911

5 Ways Military Families Can Protect Their Identities

Mon, 09 Apr 2012 07:00:00 -0700

In recent years, our country’s military personnel have joined the ranks of those who are considered most vulnerable to identity theft.

Transferred from one location to another, deployed in distant parts of the world for extended assignments, servicemen and women can find that practical routines—such as monitoring bank accounts or credit card statements—fall by the wayside. It all creates a situation where identity crimes are likely to go unnoticed for long periods of time.

Savvy thieves know this and are waiting to take advantage. Their methods may be the same as with any target: spear phishing, Dumpster-diving for discarded bills or submitting a change-of-address form to redirect mail, among other schemes. But often the crime isn’t revealed until the servicemember comes home to a pile of debt or a ruined personal credit rating. The problems can spiral, eventually affecting security clearance and opportunities for promotion.

In some ways our troops are in a better position than they used to be. Just 16 months ago, the military was drawing criticism for its widespread use of Social Security Numbers as a personal identifier. Everything from logging onto computers to filling out health forms to checking out basketballs at the gym required the nine-number combination—opening the door even wider to the possibility that it could be lifted and misused by thieves.

The military has since taken some steps to mitigate this risk. SSNs on military identification cards, for example, are being replaced by unique, 10-digit Department of Defense identification numbers. Because new cards are being issued as old ones expire, officials forecast it will take four years from the program’s launch in June 2011 for all cards to be replaced. (The effort is part of a larger identity protection program that began in 2008, when the DOD started removing SSNs from family member identification cards.)

Still, many of the other risk factors remain. If you’re in the military, consider the following advice to better protect yourself from identity theft:

• Place an active-duty alert on your credit report. These alerts are useful for servicemembers who are deployed or are away from their usual duty stations and who don’t expect to seek new credit for a while. Active-duty alerts require businesses to verify your identity before issuing credit in your name. They last for one year and may be cancelled before the end of the term or renewed for another period.

• Be careful about whom you trust. Some deployed troops grant a friend or family member power of attorney to help manage finances, but remember this also means allowing access to sensitive financial information. As much as possible, monitor your own accounts, inspect credit reports and review financial statements regularly to look for fraudulent charges.

• Keep personal information in a secure place, especially if you live in a barracks or with roommates.

• Don’t let mail pile up unattended. If you can’t collect it, use a mail stop or post office box or have someone you trust hold your mail while you’re away. Warning signs include bills that don’t arrive as expected, denials of credit for no apparent reason or calls or letters about purchases that were never made.

• Take immediate action. If you suspect you’ve been a victim of identity fraud, explain the situation to a commanding officer; file a police report with military law enforcement and the local police; and report the theft to the FTC.

Remember, if you suspect your identity has been stolen, call your insurer or bank, which might provide LifeStages™ Identity Management Services from Identity Theft 911. Or contact us directly. One of ourfraud specialists will guide you and provide practical support until your good name and credit are restored.

Learn more by reading our tips and downloading this brochure from the Federal Trade Commission.

Ask the Expert: Do I Have Any Rights If I'm a Victim of Identity Theft?

Wed, 04 Apr 2012 07:00:00 -0700

Question: I just found out that my identity was stolen. What are my rights as a consumer?

Answer: You have more protection than you think. The Fair and Accurate Credit Transactions Act (FACTA) gives consumers some powerful tools to combat identity theft. You need to act quickly to stop creditors from getting misinformation that can damage your reputation.

One of your providers—a bank, credit union, insurer, financial planner or attorney—may already offer you excellent identity theft coverage. You just may not be aware of it. Give your providers a call. If they do offer identity theft protection, don’t stop there. Get the name of the identity theft services company and call them up. Don’t be afraid to ask lots of questions. Use the Consumer Federation of America’s best practices recommendations and these tips from Identity Theft 911's CEO as your guide. Be proactive—don’t wait to become a victim of identity theft before finding a company you’re comfortable with.

If you believe you are a victim of identity theft, you have the right to:

1. Place a fraud alert on your accounts by contacting a consumer reporting agency (Experian.com, Equifax.com or Transunion.com). You only need to place an alert with one agency. Officials will tip off the other two of suspicious activity. After you add the fraud alert to your accounts, your file will be flagged. Creditors will be required to call you or otherwise verify your identity before extending credit. You can place an initial fraud alert for 90 days and extend it for up to seven years. Each credit bureau will mail you a notice of your rights as an identity theft victim.

2. Add an Active-Duty Alert on accounts, if you’re deployed overseas. This special notice for military personnel is valid for at least 12 months.

3. Request a free copy of your credit report from each of the three credit reporting agencies. These credit reports are separate from, and in addition to, the annual free credit report that all consumers are entitled to receive.

4. Dispute the accuracy of information on your reports, either with the credit reporting agency or the creditor. After you file the dispute, the agency or creditor is required to perform an investigation to determine whether the information is accurate. If the information in the report is the result of fraud, it must be corrected.

5. Block information from your file that is the result of the identity theft. The credit reporting agency is required to respond within four days of receiving a request to block information that is fraudulent. You must identify the information to be blocked, and provide the consumer reporting agency with proof of your identity and a copy of your identity theft report. Once a debt resulting from identity theft has been blocked, a person or business with notice of the block may not sell, transfer or place the debt for collection.

Remember, if you suspect your identity has been stolen, call your insurer or bank, which might provide LifeStages™ Identity Management Services from Identity Theft 911. Or contact them directly. One of their fraud specialists will guide you and provide practical support until your good name and credit are restored.

Gerri Detweiler — Credit.com's Director of Consumer Education, Gerri focuses on financial legislation, budgeting, debt recovery and consumer savings information. She is also the co-author of Debt Collection Answers: How to Use Debt Collection Laws to Protect Your Rights, and Reduce Stress: Real-Life Solutions for Solving Your Credit Crisis as well as host of the syndicated radio program TalkCreditRadio.com .

IRS May Share Information with Authorities

Wed, 04 Apr 2012 00:00:00 -0700

In the last several years, it seems instances of tax fraud have risen significantly, and now the problem is becoming so widespread that the Internal Revenue Service is now looking at ways to increase cooperation with law enforcement officials.

Current federal laws make it quite difficult for the IRS to share information on any taxpayer with another body legally, according to a report from Forbes. In many cases, disclosure of taxpayer information is authorized only in response to requests from federal agencies for use in criminal investigations.

But because tax identity theft has become so rampant all over the country - the IRS says it had already stopped some 215,000 bogus claims worth $1.15 billion as of March 9 through filters it set up to flag potential fraud - there are now efforts to look for ways around current laws, the report said. U.S. Senator Bill Nelson, a Democrat from Florida, where this type of fraud has been particularly rampant, recently proposed legislation that would share taxpayer information between the IRS and local law enforcement agencies. The bill, named the Identity Theft and Tax Fraud Prevention Act, is designed to limit the ways in which crooks could claim other people's returns with a bit of personal information.

However, some believe this may pose a privacy concern and are therefore advocating more practical ways that tax fraud as it is currently constituted can be stamped out, the report said. For example, the National Taxpayer Advocate believes in a slippery slope argument: that once law enforcement has access to this document, who else might be able to receive it in the future?

"[I]f we place a greater value on protecting taxpayers against identity theft and the Treasury against fraudulent refund claims, we may need to make a substantial shift in the way the IRS does business," said Nina Olson of the NTA, according to the news site. "Specifically, we may need to ask all taxpayers to wait longer to receive their tax refunds, or we may need to increase IRS staffing significantly."

Eduard Goodman, chief privacy officer for Identity Theft 911, maintains a blog about the ways consumers can better protect their information and the legal issues they may encounter when hit with tax fraud.

Apple Stops Allowing Developers Certain Information

Thu, 29 Mar 2012 00:00:00 -0700

In the past, developers that create iPhone applications have been able to have access to unique information about the unique identification numbers on users' devices. But now, that is changing.

App developers now no longer have access to consumers' UDID codes, and those apps that are submitted to the App Store using UDID access are being rejected outright, according to a report from Tech Crunch. These UDIDs are used to develop analytics, put targeted ads in games and create gaming networks, but some have previously expressed concern about the privacy violations some uses may cause.

Indeed, two members of the U.S. House of Representatives - Reps. Henry Waxman and G.K. Butterfield - recently sent letters to 34 iOS app developers asking how they collect and use consumers' data, the report said. Experts say UDIDs are more concerning than Web cookies because they cannot be deleted or cleared, and are tied to consumers' portable devices, which they often take with them everywhere.

The companies that develop apps aren't happy about the change, as many say that the UDID access is critical to development, the report said. In addition, some also believe that while removing UDID functionality in existing apps is occasionally relatively simple, it can also be complex and therefore difficult to do for many programs over the course of a few months.

"The UDID is essential for managing the conversion loop," Jim Payne, who runs a real-time bidding platform for mobile ads called MoPub, told the site. "All the performance dollars that are spent on mobile are going to impacted by this not being there."

Apple first began notifying app developers of the change six months ago, the report said. And while currently only two of the company's 10 app review teams are rejecting apps based on UDID use, it's expected that all 10 will do so in the near future. However, in some cases, companies may still be able to keep tabs on the UDIDs of those who download and install their apps as long as they ask for permission to do so first.

Eduard Goodman, chief privacy officer for Identity Theft 911, has a blog about the privacy concerns consumers face when using their mobile devices, and what they can do to protect themselves.

Employee Negligence Top Reason for Breaches

Wed, 21 Mar 2012 00:00:00 -0700

A number of reports in recent months have highlighted the threat posed by companies' employees when it comes to data breaches, and now a new study shows just how prevalent that concern is.

In all, 39 percent of data breaches suffered by various organizations last year were caused by employees' negligence, according to the 2011 Cost of Data Breach Study from the Ponemon Institute and Symantec Corp. Often, this negligence can come in the form of anything from misplacing a portable USB drive to having a computer stolen or even simply emailing the wrong files to unauthorized recipients accidentally.

"This year's report shows that insiders continue to pose a serious threat to the security of their organizations," said Francis deSouza, group president for enterprise products and services at Symantec. "This is particularly true as the increasing adoption of tablets, smartphones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for companies to put the proper information protection policies and procedures in place to counterbalance these new realities."

However, not far behind on that list was malicious or criminal attacks, which accounted for more than a third of the breaches these organizations experienced, the report said. Malicious attacks have also been the most costly data breaches for organizations to experience since the 2007 version of the study. On average, they cost the companies which suffer these breaches 25 percent more than those hit with other types of incidents.

Fortunately for organizations suffering data breaches, the costs associated with them is coming down somewhat, the report said. Detection and escalation costs slipped to an average of $433,000 in 2011 from $460,000 the year before, but at the same time, the cost of notifying those who were victimized by the breaches also rose between 2010 and 2011. In all, the average breach cost an organization $5.5 million last year, as opposed to $7.2 million the year before, based on a cost-per-record decline of $20, to $194 from $214.

Ondrej Krehel, the chief information security officer for Identity Theft 911, has a blog that outlines the problems faced by organizations and consumers alike in the wake of a data breach.

Insurance Company Paying For Data Breach

Thu, 15 Mar 2012 00:00:00 -0700

A data breach that occurred in 2009 and exposed the private personal information for more than a million people led to a recent settlement between a well-known insurer and the federal government.

BlueCross BlueShield of Tennessee recently struck a deal to pay $1.5 million in penalties to the U.S. Department of Health and Human Services as a result of a data breach that violated the Health Insurance Portability and Accountability Act, according to a report from Computer World. In addition to paying that money, the insurer also has to review and alter its privacy and security policies, as well as train employees regularly on their responsibilities when handling sensitive data.

Leon Rodriguez, director of the HHS Office for Civil Rights, stated this settlement was a major milestone in data breach notification rules, because it was the first reached as a result of action taken under Health Information Technology for Economic and Clinical Health requirements, the report said.

"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said, according to the site.

The breach itself happened in late 2009 when a thief broke into a training center run by the insurance company and stole 57 hard drives containing unencrypted information on the more than 1 million victims, the report said. The exposed data included about 600,000 recordings of customer calls to the company, and another 300,000 screen shots from call center representatives' computers during those calls. This data contained information of varying types on the victims, though the company believes little or none of it has been used for fraudulent purposes some two and a half years later.

So far, the company has seen costs related to the investigation, notification and mitigation of the breach's causes and effects climb to nearly $17 million, the report said. It devoted as many as 800 full- or part-time employees to review and recompile the lost data.

Ondrej Krehel, the chief information security officer for Identity Theft 911, writes a blog about the issues that may arise for consumers and companies alike following a data breach, and what can be done to keep those concerns minimized.

Letter from the CEO

Wed, 14 Mar 2012 14:27:00 -0700

We kicked off March with National Consumer Protection Week, the annual campaign that encourages consumers to take full advantage of their consumer rights and make better-informed decisions.

Identity Theft 911 was proud to join more than 30 government and nonprofit organizations to support this important cause. For the event, we cooked up a recipe to help consumers protect their privacy. And we identified nine places in your life where your personal identifiable information or PII is at its most vulnerable. Our hope is that the more we can do to educate consumers, the better equipped they’ll be to safeguard their identity assets.

Recognizing that March brings us into the thick of tax season, we offer several tax-related features:

A report on a disturbing new trend: the increasing incidence of crooks using children’s PII to commit tax fraud. Because children don’t have credit reports, the typical countermeasures—such as setting up fraud alerts—don’t work. Read one customer’s experience and find out how to protect your family’s finances and your children.
A slideshow on the top tax scams affecting consumers this season. Among the most worrisome are phishing schemes in which taxpayers receive fake email messages that woo them with promises of refunds or, perhaps worse, that use alarmist tactics to trick them into thinking they need to update their W-2 forms with the IRS. In both cases, the taxpayer can wind up delivering PII directly into the hands of criminals. Learn how to avoid becoming a target.

On the social media front, we highlight a new report’s findings that LinkedIn users are more at risk of identity theft. Consumers who used the professional networking site experienced a 10 percent fraud incidence rate. Our slideshow discusses these results, demonstrates how a phishing email might be used to lure site users, and offers key tips to shield yourself from fraudsters.

As always, we hope you enjoy.

Matt Cullina

Chief Executive Officer

Identity Theft 911

Hacking Collective LulzSec Suffers Massive Crackdown

Wed, 07 Mar 2012 00:00:00 -0700

The notorious hacking collective known as LulzSec suffered a major blow this week when one of its own used his place in the "hacktivist" community to lead authorities to the doors of a number of his former compatriots.

A hacker known as The Real Sabu - real name Hector Xavier Monsegur - has been helping to encourage his fellow hackers to carry out attacks against private companies and government agencies around the world, but has been doing so at the behest of the U.S. Government, according to a report from the New York Times. Monsegur, a 28-year-old New Yorker, pleaded guilty in August to a number of counts of conspiracy to attack computers and has been instigating similar attacks in efforts to help authorities ever since.

As part of his efforts, four men in Britain and Ireland, and another in Chicago, were arrested and charged with computer crimes earlier this week, the report said. This crackdown was part of a worldwide effort to reduce the effectiveness of hacktivist collectives like LulzSec and the better-known group Anonymous. Experts say that this revelation, that a former hacker turned informant, will likely be a serious blow to the global community.

"It is going to be very difficult for Anonymous to recover from such a breach of trust," Mikko Hypponen, a security researcher at F-Secure Labs in Helsinki, told the newspaper. "You can see the Anonymous people now looking left and right and realizing, if they couldn't trust Sabu, who can they trust?"

But at the same time, experts also wonder on the exact effects the news that Sabu was working with law enforcement officials will have, the report said. In general, these collectives are designed to be loose and decentralized by design, and seem to choose their targets for very disparate reasons. In addition, more hackers are joining their ranks all the time. However, it is hoped that this type of distrust may be enough to dissuade former participants from being quite so eager to engage in similar attacks in the future.

Ondrej Krehel, the chief information security officer for Identity Theft 911, has a blog about the threats posed by hackers to organizations and consumers alike, and what steps can be taken to mitigate these concerns.

6 Ways to Protect Your Child From Tax Fraud

Tue, 06 Mar 2012 13:00:00 -0700

Tax fraud is on the rise. And now, it’s affecting your children.

The Identity Theft 911 Fraud Resolution Center experienced a tenfold increase in such cases in February 2012 compared with the previous month.

To learn more about this disturbing trend, read our story and blog post.

Follow these six steps to protect your child from tax-related identity theft:

1. Never give out your child’s Social Security number unless you already know and trust the recipient. It is okay to question why they need it, what they will do with it, and how they plan on safeguarding it.
2. Never carry your child’s Social Security card or number in a purse or wallet. Leave it at home in a secure place or in a safety deposit box.
3. Teach your child the risks of providing personal information, such as a SSN or mother’s maiden name, to anyone outside the immediate family. There are people who could be trying to defraud them. Don’t give children their SSNs until they’re old enough to know how to properly use and protect them.
4. Watch out for warning signs, such as credit cards arriving in the child’s name or calls from creditors regarding current and past-due debts.
5. Check your child’s credit report if you suspect identity theft. It’s good news if there is no credit file with your child’s name and SSN. To check if one exists, complete the Child Identity Theft Inquiry with TransUnion, one of the three national credit reporting companies.
6. Shred anything with your child’s personal information. Before putting it in the trash, cross-shred documents with personal identifying information.

If you suspect your identity has been stolen, call your insurer or bank, which might provide LifeStages™ Identity Management Services from Identity Theft 911. Or contact us directly. One of our fraud specialists will guide you and provide practical support until your good name and credit are restored.

Tax Fraud Using Children's IDs Is on the Rise

Tue, 06 Mar 2012 13:00:00 -0700

Parents today are more vigilant than ever, cranking up home Internet controls to the highest, least permissive settings, restricting cell phone plans, and even monitoring their kids’ social media accounts.

Still, it’s hard to protect our children from all threats. Tax season serves as a reminder that tax-related identity theft can affect both parents and their kids. Indeed, the Identity Theft 911 fraud resolution center reported a tenfold increase in such cases in February 2012 compared with the previous month.

Shelly Waldman* of Michigan was stunned when she learned that her oldest daughter’s Social Security number had been stolen to commit tax fraud. Like other parents of children who are victims of this crime, Waldman faced two immediate challenges:

1. How to protect her child’s stolen identity.
2. How to get her tax refund.

“When my accountant told me, I said, ‘Are you kidding me?’ ” Waldman recalled. “I was panic-stricken.”

Fortunately, Waldman received Identity Theft 911 LifeStages™ Management Services through her insurer. Her insurance company’s customer service representative immediately connected her to an Identity Theft 911 fraud investigator dedicated to handling her case until it was resolved.

Taking immediate action, the investigator:

• Conducted a complete interview to establish the timeline of events.

• Coordinated a joint call with Waldman to TransUnion to check credit files for family members included on her tax return. Minors don’t typically have credit files. If they do, it’s a strong sign their personal information has been used to open a new line of credit, and action must be taken.

• Warned potential creditors that Waldman and her husband may be victims of identity theft by placing an alert on their credit files.

Fraud investigator Mark Fullbright “has been fabulous, very calm, and reassuring,” Waldman said. “Now no one can open a credit card account or anything with [my daughter’s] information.”

Finally, Fullbright assured Waldman that IRS identity theft investigations normally take at least six months, and that, despite the headache, most victims end up with their rightful checks.

“My husband and I filed early this year as we always do,” Waldman said. “We were anticipating a huge refund. We count on that money.”

Fullbright will monitor the status of Waldman’s identity theft claim with the IRS to make sure she’s on track to receive her refund within the established timeline.

In the meantime, Waldman said she’s comforted to have Identity Theft 911’s services.

* Name has been changed to protect customer’s privacy.

Court Battles Increase Before Google Change

Wed, 29 Feb 2012 00:00:00 -0700

A consumer group and the federal government are currently at odds over the proposed sweeping privacy changes for Google's various online services.

The Electronic Privacy Information Center and Federal Trade Commission have both been hard at work in recent months filing various motions related to the rollout of Google's new privacy policy, and the action has been particularly strong in the days leading up to the change, according to a report from ZD Net. In particular, EPIC objects to the FTC's recent decision that Google's policy changes are not subject to judicial review, and has sought a temporary restraining order and preliminary injunction against the policy being put into place.

However, the FTC, which is being represented in court by the U.S. Department of Justice, says that it does not have to enforce its recent privacy settlement with the Web giant, which was finalized on October 11, 2011, the report said. That case was related to Google's use of deceptive practices as part of its Buzz social service.

Earlier this year, Google announced that it would alter its current privacy policies so that instead of having individual plans for all its various services - including Gmail, Google Plus, Calendars, Docs, and so forth - it would have one large, overarching policy in place, the report said. EPIC is not alone in trying to stop this proposed change, which is scheduled to take place on March 1. The Center for Digital Democracy also sent a letter to the FTC asking it to find state that Google violated its earlier consent order, as well as conduct an investigation into the policy change and postpone the new policy rollout.

Eduard Goodman, chief privacy officer for Identity Theft 911, maintains a blog about privacy issues facing consumers when they use online services.

California Law Will Add Consumer Protections

Wed, 22 Feb 2012 00:00:00 -0700

A problem millions of Americans face is that they've been victimized by simple errors on their credit reports.

Recent studies have highlighted that up to 80 percent of all credit reports contain at least one error, and in some cases those mistaken entries can lead to significant issues for those who don't know about them. In many cases, these errors are the result of a typographical error - such as transposing digits in a Social Security number - but the end result can be quite troublesome.

Consumers hit with this kind of "debt tagging," a term for when another person's debt is applied to the wrong credit report, can often be targeted by aggressive debt collections agencies who can make life a nightmare for victims.

Fortunately for some of these people, a law that was recently passed in California may help to reduce instances of debt tagging. The Fair Debt Buyers Practices Act will require companies that buy consumer debt from lenders - often for pennies on the dollar - to provide evidence to the debtors they're pursuing that they're trying to contact the right person. In these instances, the burden of proof is often on the accused consumer, and finding documentation that says they don't owe a debt is often difficult to come up with compared with the say-so of debt collections agencies.

"Too often, a consumer can get ensnarled in a long and costly battle to prove they are not the ones responsible for debt," California Attorney General Kamala Harris said in response to the bill's passage. "The Fair Debt Buyers Practices Act will put reasonable requirements on debt buyers and ensure consumers are not forced to pay the debts of others."

Another reason that this type of debt tagging often takes place is that lenders will sell defaulted balances to collections agencies in large bundles, and often the proper documentation can get lost in the shuffle or not provided at all. Under the new law, debt buyers will not be able to sue a consumer unless they can provide documentary evidence that the person owes the money.

For more information about debt tagging and the harm it can cause, please consult the Identity Theft 911 newsletter on the subject.

Google Fixes Potential Wallet Security Flaws

Wed, 15 Feb 2012 00:00:00 -0700

Soon after security issues related to its digital payment platform known as Wallet were discovered and disseminated, Google worked diligently to fix the problem.

The hacks, one of which could only be carried out by a particularly adept cybercriminal and the other could have been done by anyone with illegal intentions, were reported last week by two separate sources. Since then, Google worked to mitigate the security flaws, the company said.

The first problem would have allowed hackers with a strong knowledge of how to "root" mobile device to access the PIN code for a consumer's Google Wallet account, essentially giving them free reign over the hacked account, the report said. In most cases, if Wallet detects that it's being used on a rooted phone, it will automatically delete itself from the device.

The second hack is more insidious, because it allows anyone with bad intentions and a lost or stolen cell phone with Google Wallet loaded onto it to access the account and make fraudulent purchases, the report said. If a lost or stolen device isn't protected with a lock screen code, a criminal could reset the account, create a new password and link the account to a prepaid card that basically gave them access to the victim's funds. As a result of this security flaw, Google recently suspended the use of prepaid cards on Wallet while it was working on a fix, but has since restored support for these accounts.

However, Google assured users Wallet is secure overall, and that it will to be so as Google works continuously to upgrade its protections, the report said. This type of NFC-dependent mobile purchasing system is expected to become quite ubiquitous in the near future.

"Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet," wrote Osama Bedier, vice president of Google Wallet and Payment. "In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don't."

Betty Chan-Bauza, vice president of product management for Identity Theft 911, writes a blog about potential issues related to identity theft and fraud consumers may face from certain products.

Letter from the Chairman

Thu, 09 Feb 2012 10:01:00 -0700

For most people, Valentine’s Day conjures up thoughts of moonlit nights, sunny days, butterflies, wood nymphs gaily dancing in lush green fields, hearts, arrows, chocolates, roses, diamonds, wining and dining. Whether the object of your affection is a boyfriend or girlfriend, spouse or significant other, the holiday offers an opportunity to demonstrate your affection and intentions (and, of course, contribute to the GDP—which, at the moment, clearly needs our help).

Warm and squishy feelings notwithstanding, Cupid’s day also brings a reminder that sometimes the people with whom we are closest can pose the greatest threat. After all, few, if any, of the folks in our social universe have more intimate knowledge of our personal lives, as well as access to our personally identifiable information (PII), than plus-ones. For better or worse (and potentially for richer or poorer), an open heart is the key to the PII vault providing the scorned and/or unscrupulous with all the tools needed to commit identity theft or related fraud.

While sharing shows caring, remove the rose-colored glasses and be sure to make smart decisions about sharing information with the loved ones in your life.

To help, this month we examine a trend in password sharing among couples. The decision to exchange those hopefully carefully chosen alphanumeric, grammatically challenged, upper- and lower-cased data sentries can be a declaration of trust or a way to efficiently manage a shared household but could also quickly backfire should the relationship go south. Learn when to keep those characters to yourself and how to protect your identity in the event of a breakup.

In addition, John Trenton shares his real-life story of love gone wrong. Years after his divorce, the veteran discovered his ex had opened a credit card in his name—and racked up debt to the tune of $10,000.

Of course, regardless of your relationship status, it’s smart to monitor who has access to your personally identifiable information. Our guide to building your own PII Chart™ will help you develop a complete picture of your identity profile, including which types of data you’ve entrusted to different organizations or individuals. It’s a key first step to managing your identity assets.

Finally, for those who are already looking ahead to April 17, we offer a privacy report card that rates different websites where you can file your taxes for free. Choose one that is secure and respects your privacy as a consumer.

Adam K. Levin
Chairman and Cofounder
Identity Theft 911

Net Security Company VeriSign Suffered Hacks

Wed, 08 Feb 2012 00:00:00 -0700

The Web infrastructure company VeriSign recently revealed that, in 2010, it suffered a number of security breaches as a result of hacking attacks by cybercriminals who were able to steal undisclosed amounts of data.

VeriSign has a domain name routing system that protects a large number of Web addresses ending in .com, .net or .gov, and recently revealed that these hacking attacks took place in a quarterly filing with the U.S. Securities and Exchange Commission, according to a report from Reuters. The company processes as many as 50 billion queries per day, and stolen data may allow the hackers to create fake sites or intercept emails that could be particularly sensitive, such as those traded by government employees or corporate executives.

The reason for the delay in reporting, according to the quarterly filing, is that while security staff was aware of the attacks soon after they happened, it did not let VeriSign executives know until September 2011, the report said. The filing did not mention any other action being taken by the company in an investigative capacity.

However, VeriSign executives believe that the attacks it suffered did not breach its domain system network, but is also not saying that the attacks categorically did not affect them, the report said. But even if those systems were safe from the attacks, there are other areas of concern. For example, the company controls a large amount of sensitive information about its many customers, and the services it runs to give out domain names would almost certainly have been targeted.

"This breach, along with the [one suffered by Web authentication company RSA last year], puts the authentication mechanisms that are currently being used by businesses at risk," Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama's cybersecurity policy review, told the news agency. "There appears to be a structured process of hunting those who provide authentication services."

VeriSign was, until August 2010, a major supplier of Secure Socket Layer certificates - bits of information sought automatically by Web browser programs when connecting to secure "https" sites, the report said. Experts worry that if those systems were corrupted, hackers could pose their bogus sites as real ones without the browser being able to recognize the difference between legitimate and fraudulent sites.

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about hackers and information security.

Case Study: Veteran Grapples with Ex-Wife’s Dishonorable Credit Card Charges

Fri, 03 Feb 2012 13:00:00 -0700

John Trenton* thought his relationship with his ex-wife ended with their divorce.

But years later, the retiree learned she charged more than $10,000 to a credit card opened in his name and stuck him with the bill. The account went into collections and sent his credit score plummeting.

Trenton tried to resolve the matter on his own, but he didn’t get very far in his dealings with the debt collectors. “They tormented me daily with calls and threats,” he said.

Then, one day, he and his wife were reviewing the annual update to their insurance policies with MetLife Auto & Home. His wife noticed that coverage included LifeStages™ Identity Management Services from Identity Theft 911.

Trenton immediately called MetLife, which connected him to Identity Theft 911 fraud investigator Maria Valenzuela. “That was the best day I’d had in a long time, when they put me in touch with her,” he said.

Valenzuela informed Trenton that the debt collector was required by law to give him 30 days to prove he was a victim of identity theft under the Fair Credit Reporting Act.

Valenzuela communicated directly with the debt collector and original creditor—with Trenton also on the line—to remove the debt from his name and credit file. To back up his claim, she prepared a mailing that included copies of Trenton’s driver’s license, divorce decree, affidavit, proof of address while the account was active, and a police report.

To protect Trenton from fraud in the future, Valenzuela placed a seven-year fraud alert on Trenton’s file with the three major credit-reporting agencies and enrolled him in Identity Theft 911’s check monitoring system and credit monitoring services.

Within a few months, the case was resolved.

Trenton is relieved the ordeal is over. “I had been getting harassed for years, and Maria fixed it all in six months,” he said. “We’re thankful every day for the assistance Identity Theft 911 gave us. It was like a miracle, really.”

* Name has been changed to protect customer’s privacy.

Video Privacy Law Given Close Look

Wed, 01 Feb 2012 00:00:00 -0700

The Senate Judiciary subcommittee on Privacy, Technology and the Law recently held hearings to look at changes proposed for the Video Privacy Protection Act.

The new bill would amend the existing VPPA to allow video providers - Netflix or Blockbuster, for example - to get customer consent to share their viewing histories up front, rather than on an individual basis, according to a report from the political blog The Hill. Perhaps not surprisingly, the new bill is controversial because, according to the testimony of a number of lawmakers and other witnesses, the VPPA as it's currently written is considered to be a "model privacy law."

Netflix, for its part, says that the changes it would like to see implemented will make it easier for consumers to use its service through their Facebook accounts, and therefore share the information on what they're watching. The service operates a popular streaming video service that allows consumers to watch movies, television shows and other digital content online, and keeps tabs on what each user watches. The company's general counsel, David Hyman, said in his prepared testimony that the approach outlined under the updated law - obtaining blanket permission for all videos, rather than on a case-by-case basis - is consistent with what the company's customers expect and want.

However, U.S. Sen. Al Franken of Minnesota, who is chairing the subcommittee, sees things differently, the report said. In addition, other privacy experts agree that blanket permission to share content does not necessarily constitute "meaningful consent" in all cases.

"It's a really good thing that people can easily tell their video company - 'sure, go ahead and tell people I watched 'The Godfather,' but no, don’t tell them I watched, 'Yoga for Health: Depression and Gastrointestinal Problems,'" Franken said, according to the site.

Another Senator, Vermont Democrat Patrick Leahy, who heads the Senate Judiciary Committee and sponsored the original VPPA in 1988, noted that what may be simpler for companies might not mesh with what's better for consumers' privacy, the report said.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a blog about the ways in which consumers can better protect their information online, even when sharing it among friends on social networks.

Don't Give Love—and Password-Sharing—a Bad Name

Mon, 30 Jan 2012 13:00:00 -0700

Romance in the digital era is beset by a unique set of challenges, as anyone who has agonized of their Facebook relationship status can attest. And the trickiest hurdle to navigate is dealing with those three little words that mean so much: “What’s your password?”

That’s right: Password sharing has become the new expression of intimacy. For teens, the exchange of email, Facebook or other passwords is a sign of trust, demonstrating that neither party has anything to hide. (A 2011 phone survey by Pew Internet and the American Life Project found that one in three teens had shared a password with a friend, boyfriend or girlfriend.) For adults who live together or are married, swapping those case-sensitive characters extends beyond a symbolic gesture to matters of household efficiency.

But when does convenient sharing cross into risky behavior? And what do you do if the relationship goes south? More often than not, it’s better to think twice before taking the password plunge.

Woodrow Hartzog, an assistant professor of privacy law and online agreement at Stanford University, addressed the social and legal risks of password sharing in a January NPR interview: “A lot of people feel as though they have nothing to hide from a friend or a spouse or romantic partner, so they share, thinking ‘I’m an open book,’ ” he said, but, “it’s significantly more complicated than that.”

First, and perhaps most important to remember, is that by giving out your password, you are giving someone else access to use your personal information.

If you’re savvy about using different passwords for different accounts—and that’s a big “if”—certain types of sharing can be benign: say, allowing your boyfriend the freedom to add titles to the Netflix queue. But in many other instances—with email, instant message, bank and other accounts—handing over a password is tantamount to providing unmitigated access to your personal life and your personally identifiable information (PII). The consequences can range from fights over misinterpreted emails to, in extreme cases, identity theft.

Other pitfalls of password sharing: “You risk getting locked out of your account because someone else has the password and can change it and you wouldn’t know it. You also give someone a very credible means to impersonate you,” Hartzog said. (Imagine an angry ex using your Facebook account to spread spam.) “And all of these things can have legal consequences, the least of which might be violating the terms of service on most websites.”

For those who dare to share it all, the risk for problems after a relationship ends is especially high.

Follow the measures below to protect yourself in the event of breakup, separation or divorce:

Immediately reset passwords on all shared accounts.
Closely monitor your accounts in the months afterward and throughout any legal process.
Don’t share. Be prudent about discussing your relationship on social networking sites.
Secure a safe-deposit box for important documents.
Know the law. Learn your state’s laws about community property and shared debt and credit.

If you suspect your identity has been stolen, call your insurer or bank, which may provideLifeStages™ Identity Management Services from Identity Theft 911. Or contact us directly.

Facebook Timeline Open to All Users

Wed, 25 Jan 2012 00:00:00 -0700

The Facebook feature known as Timeline has been available to many people for some time, but it is now being rolled out over the next few weeks to all of the social network's users.

The mandatory switch from the old-style profile to the new one, which logs all activity on the site ever and makes it easier for others to access, raises a lot of issues about users' privacy on the site, according to a report from Tech Crunch. The problem that privacy experts have with Timeline is that where before it would take a user a considerable amount of time to scroll through and find account activity from years ago, it now takes the simple, single click of a mouse.

That means posts users may have made in, say, 2007, which would have long ago been buried, are now widely available to view, the report said. And an issue that many who may want to delete posts they made in their younger days will face is that they'll have to go through and remove them all manually, or at least set the updates in question as being private "only to me."

Perhaps as a means in aiding cleanup, the social network also recently released a tool called Activity Log, which allows consumers to view all their status updates, changes and other actions in a more convenient way, the report said. This keeps track of every action posted since the day users joined the site.

Facebook has been in a number of privacy fights in recent years related to the way in which it protects its users' information, which may explain why it was rolling out Timeline less aggressively, the report said. For example, it didn't notify users when friends made the switch, and it is now providing a seven-day period in which they can opt in as a means of giving them a chance to go through their old posts and make them more private if they wish. Experts say that might only be troublesome to those who don't use the site regularly and therefore would not be aware that their account had been switched over.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a blog on which he advises social network users how they can better protect their private information.

The Rich are Different—and Identity Thieves Know It

Thu, 19 Jan 2012 10:04:00 -0700

Over the past five months, the Occupy Wall Street protesters have made political targets of the wealthiest 1 percent of Americans. Now it seems the economic discontent behind the movement is turning top earners into prime targets for a different, more nefarious group: identity thieves.

The risks that come with exceptional wealth are certainly not new. A high net worth means bigger returns to thieves. There’s more cash in the bank to plunder, and credit cards come with high limits or, in some instances, no limits at all.

But this latest trend in identity theft crimes may be a function of the times: Financial desperation or class animosity, or both, might be leading people to take advantage wherever the affluent can be found.

Consider the case of the steakhouse waiters.

In December, more than two dozen waiters and their associates—many of whom hailed from top New York restaurants such as Smith & Wollensky, Capital Grille and Wolfgang’s Steakhouse—were arrested for running an alleged identity theft ring. As described by prosecutors, the waiters stole information from customers’ credit cards (in particular, those who paid with American Express Black and other high-limit cards). They then passed the data to the ring’s leaders, who made new cards and used them to go on shopping sprees at stores including Chanel, Hermes and Cartier.

Other schemes have seen perpetrators gather personal data by digging into wealthy patients’ health records and photocopying donor checks from prominent philanthropists. A crafty threesome stole clientele books—and the personal and credit card information contained therein—from high-end stores like Neiman Marcus, Saks Fifth Avenue and Bloomingdale’s.

Problems can also strike closer to home. Employees of the affluent sometimes use their proximity and insider knowledge to commit identity theft crimes, counting on established trust to forestall scrutiny.

Such was the case with successful self-help author Melody Beattie. During the 2011 tax season, Beattie’s accountant noticed missing bank statements and unaccounted-for checks. The irregularities were soon traced to Beattie’s personal assistant, who, over a period of years, allegedly diverted more than $400,000 of the author’s assets for her own benefit using—among other methods—forged checks.

As with the steakhouse waiters, it’s not always possible to control who has access to your information. But when it comes to the people in your employ, consider the following tips to protect yourself.

Do a thorough background check of potential employees.
Develop a system of checks and balances for employees with access to business and/or personal information.
Personally conduct regular employee audits. Doing so will help you catch problems early. What starts as a relatively small transgression can snowball as people realize they can get away with something.
Trust in your employees is fine. Blind trust is not. Even the most honest person can turn in the face of life-altering circumstances. Act as a large corporation would and enact clear and consistent policies for monitoring employee actions.

Unfortunately, a high net worth also means a higher risk of identity theft—and a lot more to lose. No one is immune to identity theft, but preparing yourself before it happens is the best defense.

Letter from the Chairman

Thu, 19 Jan 2012 10:04:00 -0700

The start of a new year inevitably brings a round of resolutions. And while everyone will have their personal list of aspirations, Identity Theft 911 would like to add a goal that applies to all: Make 2012 the year of fighting back against identity theft.

As we saw in the November/December newsletter, 2011 was rife with data breaches. Nearly every month another company fell victim: RSA, Epsilon, Sony and more. Hundreds of thousands of consumers had their private information exposed or exploited. In other instances, hackers obtained sensitive data that might enable them to inflict greater damage down the line.

The clear lesson: No one is immune.

Accordingly, in 2012, complacency can no longer be accepted nor excuses tolerated. The time has come to set a new standard for privacy security, and change must begin at the level of individual responsibility: with the consumer who orders merchandise online; with the small business owner who must reconcile the dangers of working at home; with the corporate executive who sets his company’s data security policies and the employee whose job it is to carry them out.

Yes, the government and judicial system have critical roles to play in the fight against data and identity theft, and we’ll be watching to see what develops. But the fact is that those gears move slowly, whereas each of us has the potential to do something—right now and in the year ahead—to better protect ourselves.

Keeping this in mind, we’re offering two targeted slide shows—one for businesses and one for consumers. The slide shows identify the trends in data theft that are most likely to affect each group in 2012, along with advice for shoring up defenses.

This month we also explore the increasing risk of identity theft faced by high-net-worth individuals and offer tips for protecting your company from internal breaches. Plus we put together a security primer for home-based small businesses. From best practices to insurance considerations, to employee and self-education, we want you thinking about how to protect your customers’ information and your bottom line.

Finally, the breach at online retailer Zappos only further underscores our point: The onus is on consumers to protect themselves. To that end, our experts offer six key steps to protect your personal information online.

Wishing you a safe and secure 2012.

Adam K. Levin
Chairman and Cofounder
Identity Theft 911

Banks Come Together to Fight Fraud

Wed, 11 Jan 2012 00:00:00 -0700

Later this month, financial giants like Morgan Stanley and Goldman Sachs will meet with researchers to better inform efforts to create a center whose job it will be to sort bank data to detect potential cybercrimes.

The firms meeting with these experts, from the Polytechnic Institute of New York, is just the latest step in financial insitutions' attempts to reduce the threat of cybercrime, increase security and shut down those who would carry out such attacks, according to a report from the Wall Street Journal. Already, Bank of America is hosting other banks and experts in informal quarterly roundtables in which they discuss potential solutions to cybersecurity concerns.

The most recent Bank of America-hosted meeting came in late summer, where executives talked about "advanced persistent threats," the report said. This type of hacking is of particular concern because it involves long-term and repeated attempts to gain access to secure data - essentially testing a system's limitations and weaknesses.

The new era of cooperation is one that many experts would not have predicted for banks, who seem to now recognize that working together, rather than separately, will help to stamp out hackers' attempts, which are often collaborative, the report said.

"The mentality of the banks has been, 'Let's do everything internally because we don't want to give anything away,'" Peyman Mestchian, a managing partner with Chartis Research in London, told the newspaper.

However, the tendency toward secrecy can't be eradicated completely overnight, the report said. For example, some believe that in the case of the development of a center for fraud detection, there is still a faction that believes banks should not share their internal data with independent researchers.

The number of attacks carried out by hackers on large businesses across a number of industries has been on the rise in recent years, and a study from consulting firm Pricewaterhousecoopers found that financial institutions are, perhaps understandably, frequently the targets of these crimes, the report said. It is believed that financial companies will likely increase their spending on fraud detection some 12 percent over the next two years to about $1 billion annually.

Ondrej Krehel, the chief information security officer for Identity Theft 911, maintains a blog on which he posts regularly about hackers and the threats they pose not only to businesses, but individuals as well.

New Software Identifies Anonymous Web Users

Wed, 04 Jan 2012 00:00:00 -0700

One of the biggest complaints many people seem to have about the Internet these days is that users can leave posts and comments with complete anonymity. But that might no longer be the case.

Graduate students at Drexel University recently released a program that is designed to help identify the authors of documents for which interested parties are trying to figure out who wrote them, according to a report from the New York Times. However, the program also serves the function of helping anonymous authors to stay that way by obscuring their personal writing style somewhat. However, both are still new - they're still in alpha testing - and therefore quite buggy.

The program, JStylo, is based on other author recognition tools, such as Oxford University-developed Signature and Duquesne University's Java Graphical Authorship Attribution Program - JGAAP for short - but builds on their functionality, the report said. It works best if those searching for an author have a suspect list of 50 people or less, and about 6,500 words of writing samples per person. That can include everything from Tweets and instant messages to emails. It becomes even more accurate if the "disputed" document is 500 words or longer.

Privacy advocates believe this program could cause serious problems for people like corporate whistleblowers or human rights advocates who release sensitive or private documents, the report said. And it is for this reason that the program's other tool, known as Anonymouth, was created.

"Authorship recognition can be a legitimate threat to privacy and anonymity," the researchers who developed the program said in their presentation at a hacker convention on Thursday, according to the newspaper.

Anonymouth simply suggests to users ways they can change their document to better mask who wrote it, the report said. This can include adding sentences, using more words or changing punctuation that will make it more difficult for programs to spot quirks of language or style that authors rely on. Experts say that a person's writing style is like their fingerprint, unique and identifiable with the right information.

Eduard Goodman, chief privacy officer for Identity Theft 911, maintains a blog on which he writes regularly about the privacy issues many people may face when browsing the Internet, and ways consumers can better protect themselves.

Facebook's Timeline Still Raising Privacy Concerns

Wed, 28 Dec 2011 00:00:00 -0700

The latest change to hit Facebook, the new Timeline program which radically changes the appearance of user's profiles, is raising privacy concerns in many circles as it prepares for a complete global launch.

Many consumers have threatened to leave the site over this new development. The new setup essentially creates a chronological history of all of a user's activity on Facebook since they first signed up for the social networking site, including wall posts, pictures, links or any public messages which may have been sent. Those items can then be sorted by month and year.

While each part of the Timeline is customizable, Discovery News reports that the process of "scrubbing" the new profile is arduous and extremely time consuming. Each Timeline entry has the option to change its permission settings or delete it, and while everyone has seven days to review it before everything is published live, many people may not have the free time to fully vet their profiles. The default setting for new posts also posts everything to the Timeline.

Some experts have said that because the new design also gives consumers mild incentives to add even more personal information on their profile, it could make people more vulnerable to identity theft.

The social networking site is also expected to pair the new profile with a new suite of apps to display activity on other websites or services to consumers' profiles automatically, meaning even more browsing activity would be tracked and published online. While this kind of information will be highly sought by advertisers, it also raises additional privacy concerns.

Facebook as a whole has been the crux of a number of privacy lawsuits and concerns over the past several months, with consumers feeling that their personal information is too exposed and vulnerable to identity theft.

For further discussion about privacy issues, read the blog of Identity Theft 911 Chief Privacy Officer Eduard Goodman.

The new Timeline feature also created news of a potential breach of privacy in Finland, as many users thought that the system was turning private messages public for everyone to see. However, further investigation of the issue by a security firm found that users were most likely mistaken, had posted that information on their public profiles and then later forgotten.

Facebook's Timeline Feature a Privacy Concern?

Wed, 21 Dec 2011 00:00:00 -0700

Last week, the world's most popular social networking site unveiled a new way for users to list their life events, and share that information with friends and family.

The new feature, which Facebook calls Timeline, makes it easier for users to find all photos, links and other shared items on the site, according to a report from the New York Times. Consequently, many experts say that personal information shared on the site is now more accessible than ever, and could be a concern for some users.

Facebook, which has more than 800 million users around the globe, has been storing everything ever uploaded onto the site, and all Timeline has done is simply made it easier to find years-old information, the report said. Eventually, all profiles on the site will be switched over to the new Timeline look, but users are also able to voluntarily update their settings right now.

"We've all been dropping status updates and photos into a void," Ben Werdmuller, the chief technology officer for the video service Latakoo, told the site. "We knew we were sharing this much, of course, but it's weird to realize they've been keeping this information and can serve it up for anyone to see. It's unsettling to see the past presented as clearly as the present. It's your life in context, all in one place."

Of course, Facebook has already been at the center of a number of debates over how easy it is to find consumers' personal information online, and how readily users will share that information without regard for who can access it. For this reason, privacy experts have been advocating for years that the site's users should update their personal privacy restrictions to the highest possible settings, which will help to keep their sensitive data - such as their address, date of birth and other details that can be used for identity theft - as private as possible. This will be especially important now that Timeline exists because it will allow those interested in accessing this information to aggregate it more easily.

Eduard Goodman, the chief privacy officer for Identity Theft 911, writes a blog about ways in which consumers can increase the security of their information on sites like Facebook.

What Were 2011's Biggest Hacker Busts?

Wed, 14 Dec 2011 00:00:00 -0700

While identity theft through cyber crimes has been on the rise in recent years, authorities have also done a better job of cracking down on those whose illegal activities affected large amounts of people.

A number of infamous and elusive hackers were brought to justice in the last year, according to a report from Dark Reading. One of the biggest busts was that of Ryan Cleary, a 19-year-old hacker who was working with the Anonymous and LulzSec collectives to bring down major British websites as a show of force. It was a dispute with members of Anonymous that led to exposure of his personal information, which was eventually used to bust him. Another LulzSec hacker, Cody Kretsinger, was also apprehended for his role in the hacking of Sony Pictures.

Meanwhile, Anonymous also had an inside man at AT&T, who is said to have given the collective tens of thousands of phone numbers in additional to login data for confidential servers, and other documentation that was used by the group in a data dump, the report said. That contractor, Lance Moore, was the only one of 20 in his group to access both the affected servers and the free data uploading site FileApe.

Another young hacker that got busted this year is Aaron Swartz, a fellow at Harvard University's Safra Center for Ethics, who downloaded (perhaps illegally) more than 4 million academic articles from the Massachusetts Institution of Technology using anonymous logins, the report said.

But perhaps a more important series of arrests was made in connection with the DNSchanger malware program, the report said. Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanvov were apprehended in a bust experts say is one of the most important ever. The malware helped them steal more than $14 million worth of advertising views.

The man behind the infamous iPad hacking that took place when the tablet device was first released was also apprehended this year, the report said. Andrew Auernheimer of the Goatse Security group, exploited a flaw in Apple's security and gained access to 114,000 iPad users' email addresses, including celebrities and politicians. Christopher Chaney, another hacker who gained access to dozens of celebrities' email addresses, was also busted this year.

Ondrej Krehel, chief information security officer for Identity Theft 911, writes regularly about hackers on his official blog.

Letter from the CEO

Fri, 09 Dec 2011 10:04:00 -0700

The year 2011 will go down as the year of the data breach. And the worse news is, 2012 could top it.

From the CIA to video-game networks, from brand-name conglomerates to mom-and-pop shops, no sector of business, and no agency at any level of government, was immune to hack attacks. In what we now view as the good old days of weak IT security, you could count on the perpetrators being motivated only by money – stealing credit card numbers or other customer data so they could steal the identities of innocent victims.

This year, with so many political and social conflicts smoldering all over the world, the rise of the “hacktivist” took precedence over the mere money-grubbers. It wasn’t uncommon to see local law enforcement departments, public transport agencies and nonprofits attacked simply for their political views, or else to exploit their security vulnerabilities. Our experts anticipate these and traditional attacks to continue in the new year.

Now for the good news: Our December 2011 newsletter has a wealth of valuable information, starting with our Year in Review slideshow , which takes you through the hacks, month by month. As more organizations fell victim to attacks by hackers, news of data breaches seemed as frequent as celebrity wedding specials, with the victims' names nearly as well known. Sony. PBS. Facebook. Even the U.S. government and its military were hit. No one was immune.

This year also saw significant developments in the privacy movement. The Federal Trade Commission took its role as America’s privacy authority more seriously than ever—ending the year with a strong rebuke and 20-year privacy settlement with Facebook. A number of lawsuits made their way through the legal system, including one now before the U.S. Supreme Court on whether the government can track suspects using GPS without a warrant. Guest privacy expert Khizar Sheikh of Lowenstein Sandler PC explains how this decision could impact your company and customers.

Despite the risks of storing personal information on the Internet, more than one-third of Americans will do their holiday shopping online this year. Why waste time and gas shopping at the mall? It's faster and easier to simply turn on our laptops, pads or mobile devices. With increased convenience, however, comes increased risk. We’ve wrapped some tips into a slideshow that will help you stay safe while shopping online .

Finally, this month's podcast features customer Don Brown's disturbing credit nightmare, caused when thieves targeted his business account. From the discovery of an unauthorized wire transfer to change-of-address attempts, he shares his story and how Identity Theft 911 helped to stop the thieves in their tracks.

As always, we hope you enjoy. Have a happy, healthy holiday season.

Matt Cullina

Chief Executive Officer

Identity Theft 91 1

Ask the Expert

Fri, 09 Dec 2011 10:04:00 -0700

Question: The U.S. Supreme Court is hearing a case on GPS tracking. Is it important to my business and customers?

Answer: Yes. The immediate issue in the GPS tracking case (United States v. Jones) is whether the government can use GPS technology to track an individual’s car without a court warrant; that is, without a judge finding that there is probable cause for the government to investigate. The case is important—it could shed light on how the court will view the government’s use of emerging surveillance technologies and data collection against individuals and businesses.

First, some background. Ever since its 1928 ruling in Olmstead v. United States involving a telephone wiretap the Supreme Court has dealt with issues regarding law enforcement’s use of advancing technology. In the Jones case, the constitutional principle at stake is the Fourth Amendment and whether an individual’s “legitimate expectation of privacy” is violated when law enforcement uses a technique or device without a court-approved warrant.

Over the years, the court has been willing to accept that there is an “expectation of privacy” when law enforcement monitor something inside a home (e.g., law enforcement cannot use thermal imaging technology to measure heat from a home without a warrant), but not when it occurs out in the open (e.g., law enforcement can track an individual’s car by following beeper signals). Even though tracking a car using GPS occurs outside a home, the monitoring involves continuous collection and analysis of data that is not readily public. Is that a private or public activity? Clearly, the rapid pace and reach of surveillance technology is blurring the line between the two.

For example, attaching a GPS isn’t the only way that law enforcement can track people’s movements. Many people today with a cell phone are carrying a device that law enforcement can use to track their location (through technology called Stringray tracking). The court’s decision in Jones, therefore, will show how the court approaches surveillance technology, in general, and what powers law enforcement will have to investigate and track electronically individuals and businesses without a formal finding that there exists cause to begin an investigation.

Indeed, during the Jones oral argument, the potential reach of new technologies and the possibility of Big Brother were clearly on the justices’ minds. The novel “1984” was referenced several times, and the justices raised hypothetical future situations involving the limits of where and when a tracking device could be used without a warrant. The court’s reasoning will impact how the government uses new technologies (such as Stingray) to monitor movements on a 24-hour basis and possibly intercept without warrant an individual’s or business’s electronic data, web traffic, or email (using technologies such as cookies or beacons).

Interestingly, the far-reaching implications of new surveillance technology on electronic communications and location privacy are not just being tackled by the courts, but Congress. The Electronic Communications Privacy Act (ECPA) includes a heightened warrant requirement when the government seeks to intercept electronic communications that are in transit. At the same time, the government’s view is that it doesn’t need a warrant to review stored electronic communications or track movements using mobile phones.

Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, has introduced a bill, the ECPA Amendments Act (S.1011), which would require the government to obtain a warrant before accessing the content of private electronic communications or before tracking someone’s location in real-time. It will be noteworthy to see if the court and Congress will impose similar requirements for government agents seeking to intercept and monitor individuals’ locations and electronic communications.

The Supreme Court is expected to issue a ruling in Jones sometime early in 2012.

Khizar A. Sheikh is counsel to the law firm of Lowenstein Sandler PC , and a member of the firm’s Privacy Law Practice Group.

Avoid Holiday Shopping Scams This Season

Wed, 07 Dec 2011 00:00:00 -0700

While many consumers may not be thinking of it at this time of year, criminals are always on the lookout for ways they can rip off unsuspecting people.

This is particularly true when it comes to online shopping. As a result, there are a number of things for consumers to look out for, according to a warning from Ondrej Krehel, Identity Theft 911's chief information security officer.

One of the easiest ways for crooks to trick holiday shoppers is by creating websites that look exactly like popular shopping sites. But there's an easy way to differentiate the bogus ones from the legitimate ones: look at the address bar. If it doesn't say "https://" before the website name, the site isn't secure - meaning the information the consumer enters won't be encrypted.

Another way for shoppers to tell if they're at a bogus site is if they're asked to provide their Social Security number or bank details as part of the checkout process, the report said. Any time they begin to suspect that they're on a suspicious website, they should close the window immediately.

Consumers would also be wise to increase the quality of their passwords, the report said. That means not using pet's names, birthdates and the like that can be easily looked up online. Instead, consumers should use passwords that are seemingly random, and contain a mix of upper- and lowercase letters, numbers and symbols.

It can also be effective to never save login or personal information on a retail site, the report said. That will help to ensure that no crooks can go on a buying spree if a computer is stolen. In addition, it can be helpful for consumers to closely read all sites' privacy and return policies before making a purchase to ensure they're comfortable with them.

Shoppers should also keep in mind that using a credit card will give them more protection from fraud than debit cards, the report said. Linking bank accounts to online pay services should be avoided as well, and payment information should never be sent via email, no matter what. And for any purchase made, it's a good idea to save the records, just in case.

Identity Theft 911 also provides tips of other ways consumers can protect themselves from all types of fraud throughout the year.

Small Breach Settlement Could Set Precedent

Wed, 30 Nov 2011 00:00:00 -0700

A relatively minor settlement following a massive 2009 data breach might end up being remarkably important in the way court cases concerning these incidents are heard for years.

The data breach itself, which exposed the personal information of more than 32 million consumers who had their personal information exposed in a December 2009 hacking attack, led to a class-action suit in which the primary plaintiff was awarded the relatively minor sum of $2,000, according to a report from Dark Reading. RockYou - a developer of games for social networking sites like Facebook and MySpace - will also pay his more than $290,000 in lawyers' fees.

The RockYou breach happened because the company stored all of its user account data in plain text files on its database, and left them unencrypted, the report said. The hack exposed users' passwords for outside sites, and the company failed to notify users for several days. When it did alert victims to the incident, it also incorrectly stated that the breach only affected older applications.

But more important than the money is what the case will mean for data breach litigation going forward, as it will likely open the door for more suits brought by consumers whose private personal, financial or medical information was exposed in a data breach, the report said.

In the past, consumers have had to prove that they've suffered damages as a result of having this data exposed in a data breach, but a few court cases in recent months may indicate that a sea change is coming for this type of decision, according to a separate report from Data Privacy Monitor. Another recent decision in the case of the grocery chain Hannaford - in which its credit card readers were hacked, exposing the payment information for millions of consumers - found that the company was liable even to those who did not lose money as a result of fraud.

Of course, consumers typically face a number of costs as a result of many data breaches, such as those related to the cost of mitigating the threat of fraud.

Ondrej Krehel, chief information security officer for Identity Theft 911, writes regularly on his official blog about ways in which consumers can better protect their sensitive information in the wake of data breaches.

Was California Collections Firm a Scam?

Wed, 23 Nov 2011 00:00:00 -0700

Many people have had to deal with collections agencies in the past, but one woman in Pennsylvania says she was contacted by a company about a bogus debt she owed, and was ripped off as a result.

Further, the company may have thousands of other victims across the country as well.

Several months ago, the Pennsylvania woman received a call from a company known as LAR, which told her she had an unpaid credit card debt of $375 that had been sent to collections, according to a report from the Wilkes-Barre Times Leader. She was told that if she did not pay the check, a police officer would show up to her home to arrest her. And so, over the course of the next three months, she sent them three checks for $100 each in attempt to reduce the debt which, as it turns out, did not exist.

However, she believed the company was legitimate because she had been experiencing difficulties in paying her bills on time and in full, but had worked with a credit counseling agency to resolve most of those problems, the report said.

She became suspicious when she did not receive the receipts for her payments the company promised her, and attempts to call the phone number the representative she spoke with initially were unsuccessful, the report said. A later Web search found that the number - 714-888-6888 - turned up a number of hits that indicated other people across the country were allegedly ripped off by the same company, or other ones using the same phone number.

Authorities are now looking into the matter, but have yet to determine whether LAR is a legitimate debt collections agency or a scam, the report said. However, even if it were a real company, the threat of sending a law enforcement official without knowing if that would actually happen violates the Fair Debt Collection Practices Act.

This incident underscores the importance of vigilance, and not blindly trusting any unsolicited demands for money or private information, no matter how official they may sound, the report said. Consumers contacted in such a way should do all in their power to make sure the claims against them are legitimate.

Brian McGinley, senior vice president of data risk management for Identity Theft 911, writes regularly about ways consumers can protect their personal information.

Facial Recognition Software Now Going Mainstream

Wed, 16 Nov 2011 00:00:00 -0700

Advanced facial recognition software isn't just for sci-fi movies any more. Now, consumers can use it for mundane things like figuring out who's at a bar.

A new smartphone application known as SceneTap uses cameras loaded with smartphone application to let consumers figure out a slew of information about patrons at more than 50 participating bars in Chicago, according to a report from the New York Times. While the app does not figure out specific people who are at the bar, it will alert users as to the average age of a certain location's patrons or the male-to-female ratio at any given time.

It's expected that this type of technology will become the "next big thing," particularly when it comes to advertising and direct marketing, the report said. Software that identifies not specifically who a person is, but data like their gender, approximate age and so forth, can help to create personalized ads. Already, "smart" signs will roll out this month in major cities such as Los Angeles, San Francisco and New York City, and will deliver ads based on passersby approximate demographics - i.e. ads for shaving razors flashed at men, and feminine hygiene products for women.

Similar software also exists on sites like Facebook, where users are given "Tag suggestions" when they upload a photo, the report said. These are based on facial characteristics of those on a user's friend list.

But some experts fear that this will also essentially end anonymity, and wonder what that means for consumer privacy, the report said. Already, the proliferation of facial recognition is being blamed on regulators not doing enough to keep up with emerging technology, and the privacy risks some believe that poses are considerable. A recent study at Carnegie Mellon University found that standard facial recognition software could identify roughly one-third of students participating in the research based on their public Facebook profile pictures.

"It's a future where anonymity can no longer be taken for granted - even when we are in a public space surrounded by strangers," Alessandro Acquisti, an associate professor of information technology and public policy at Carnegie Mellon who conducted the study, told the newspaper.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a regular blog about issues related to consumer privacy and other issues.

Government Offers Protection after Tricare Breach

Wed, 09 Nov 2011 00:00:00 -0700

A recent data breach suffered by a healthcare network affiliated with the U.S. Department of Defense exposed the personal and medical information of nearly 5 million current and former military members and their families.

And now, months after the breach was discovered, the Department of Defense and Tricare, the company responsible for the breach, are finally offering protection to those affected by the incident, according to a report from the Warner Robins Patriot. Initially, neither organization offered victims credit monitoring or restoration, but have now gone back on that stance, extending these services to those who want it.

"These additional proactive security measures exceed the industry standard to protect against the risk of identity theft," said Brigadier General Bryan Gamble, Tricare Management Activity deputy director, according to the newspaper. "We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will not be unaffected by this breach."

The data breach itself took place in September, and exposed the information of more than 4.9 million people who received medical treatment, pharmacy or laboratory services at a San Antonio, Texas, military facility between 1992 and September 7, 2011, the report said. The information was stored on backup tapes, which were stolen from a vehicle used by Science Applications International Corporation, a third party contractor Tricare had hired to compile and maintain its databases. An employee left the tapes unattended in a vehicle while they were being transferred from one federal facility to another.

The information stored on the tapes included victims' Social Security numbers, addresses and health information, but no credit card or bank account details, the report said. Tricare initially said that the risk for data breach as a result of the tapes going missing was low because they required specific knowledge and hardware to extract data from.

Consumers can find more information about the data breach and the protective services available by calling SAIC's incident response center at 855-366-0140, the report said.

For more information about the Tricare data breach, please see Identity Theft 911's earlier coverage, including an overview of the incident and its potential effects on consumers, as well as details about the lawsuit the Department of Defense now faces as a result of the incident.

Physicians Sending Texts Poses Breach Threat

Wed, 02 Nov 2011 00:00:00 -0700

In recent years, many consumers have probably heard about doctors using pagers to receive information about calls to the hospital where they work, but a recent trend has seen them turn to a new communication method that may be troubling for patients.

Many doctors are now sending information about calls via text message and, in doing so, may be breaching patient privacy and security regulations spelled out in the Health Insurance Portability and Accountability Act, according to a report from American Medical News. More than 80 percent of doctors nationwide now carry smartphones, and texting of information has become the norm. But these devices lack the security of electronic medical record systems that many should be relying on for information.

"Physicians are not so much concerned with HIPAA compliance as they are about work flow and physician communication," said Dr. James French, executive director of the hospitalists group at the Cone Health System in Piedmont, N.C., during a recent webinar on texting, according to the site.

Many smartphones may allow users to encrypt all incoming and outgoing messages so that they can't be read or intercepted by others, but not all do, and that's what poses the privacy concern. A recent poll of members of the College of Healthcare Information Management Executives found that 96.7 percent of respondents allowed their physicians to text orders to nursing staff and, more troublingly, 57.6 percent don't use any type of encryption software.

However, there are other safeguards to help mitigate the threat of a data breach through even unencrypted texting, the report said. These include autolocking the data after a few seconds or the ability to remotely wipe the phone's memory, including all email and texts.

The issue, doctors argue, is that HIPAA regulations are still relatively new and take some getting used to, especially given how easy it is to issue orders via texting versus paging or telephone calls, the report said. They say that moving forward this should become less of a problem as medical professionals grow more accustomed to dealing with greater regulatory requirements.

Millions of businesses in the healthcare industry are now digitizing patient records, which makes them easier to share and can increase the quality of care, but also increases the ease with which breaches can expose sensitive data.

Avoiding Fraud Now Counts in Court

Wed, 26 Oct 2011 00:00:00 -0700

A panel of judges working in the U.S. First Circuit Court recently ruled that the costs consumers incur when attempting to protect their personal, financial or medical information following a data breach can count as damages in lawsuits.

When consumers are affected by a data breach, they typically have to pay considerable amounts of money to increase the security of their sensitive data, whether the information exposed included their personal, financial or medical details. However, until the court's recent decision, these costs could not be included in lawsuits against the companies responsible for exposing the information because they were not considered legally cognizable damages, according to a report from Privacy and Security Matters. But the decision, which overturned a previous ruling in the case of Anderson v. Hannaford Bros. Co., will change that.

The case involved a class action suit in which some of the 4.2 million consumers who were affected by a data breach that exposed their debit and credit card information. They tried to sue to regain funds they lost in attempting to avoid fraud but were not actually hit with identity theft, the report said. Plaintiffs argued that the costs they paid out of pocket to acquire fraud alerts on their credit reports and the fees associated with obtaining new credit or debit cards were reasonably foreseeable expenses.

Previous rulings on cases involving similar situations had found that these expenditures were unreasonable in other circumstances, such as the loss of laptops or similar computer equipment. In those situations, the loss of consumer data may not have been the result of a deliberate attempt to steal that sensitive data, the report said. But in this case, that was clearly the criminals' intent, and therefore the charges consumers incurred in the case were perfectly reasonable for them to attempt to recover through a lawsuit.

As such, the decision will likely have far-reaching effects in data breach litigation, as plaintiffs will likely be able to cite similar costs and recover them in court, the report said.

For more information about data breaches and how consumers can protect themselves and their sensitive details following this type of incident, please consult the Identity Theft 911 blog, which contains input from a number of experts.

Letter from the Chairman

Wed, 19 Oct 2011 17:01:00 -0700

Americans are becoming increasingly aware of their identity’s value as an asset. As the Federal Trade Commission tells us, information about consumers’ purchasing behavior, browsing habits, and other online and offline activity is being collected, analyzed, combined, used, shared and sold—often instantaneously and invisibly—every single day.

Unfortunately, each link in this chain of information exchange means one more opportunity for thieves to appropriate and misuse sensitive data for themselves. While that can lead to financial losses for both businesses and consumers, there is another loss to be considered—one that may be more difficult to repair: the consumer’s loss of trust in whatever business carelessly handled their personal and private information.

A consumer who asks how a breach happened next asks the sharper question: “Why didn’t you prevent it?” Whether that carelessness is real or perceived almost doesn’t matter. The result can be the same. He or she takes their business elsewhere.

Looking ahead, then, it’s clear that businesses must not only prioritize issues of privacy and security, but also develop stronger relationships with their customers—ones where mutual trust is in place from the outset. Among other things, business owners must find ways to be more transparent about whom they’re doing business with and how they’re safeguarding their customers’ information. Businesses also would do well to give consumers greater access and control of their own data profiles. When customers have the comfort that comes with being informed and involved, they will reward businesses with their confidence—and their dollars.

With October being National Cyber Security Awareness Month, there’s no better time to consider these and other issues. In this month’s newsletter, one of our own, Kelly Colgan, describes what happened when she found herself stranded and without access to her accounts on a business trip to New York City—proof that in today’s digital era, everyone’s data is susceptible to a breach.

We’re also offering do’s and don’ts for people who receive notification that their personal information may have been compromised in a data breach.

Finally, Ondrej Krehel, our chief information security officer, takes a look at what’s happening on the national stage—and how cyber espionage poses a serious threat to corporate and government intellectual property.

As always, we hope you enjoy.

Adam K. Levin
Chairman and Founder, Identity Theft 911

9 Tips for Breach Victims

Wed, 12 Oct 2011 10:04:00 -0700

Maybe you’ve heard a news report about a data breach at a company where you do business. Or you’ve received a letter stating that your personal information may be in the wrong hands.

What does it all mean?

A data breach is the release of sensitive information into an insecure environment. Breaches can take many forms. Sometimes data is stolen or leaked. Often, though, it is inadvertently exposed when data is lost or shared.

Whether the trouble started with a pilfered laptop or an insidious cyberattack, a breach of personal electronic data triggers mandatory notification laws in nearly all U.S. states and territories. If you haven’t received such a notice already, chances are you will.

But just because your personal information—a Social Security number, birth date, or mother’s maiden name, for example—was affected, it doesn’t mean you’ll become a victim of identity theft. It means something’s happened that could put you at risk.

Follow these steps to protect your identity and credit:

1. Read the notice carefully to learn what information may have been exposed and how. (Keep the notice in case you ever need to prove that your data was compromised through no fault of your own.)

2. Review the breached account. Identify what information it contained and what was compromised. Look for unauthorized activity, such as a change in address or telephone number.

3. Know exactly what’s at risk. If it’s debit or credit card numbers only, there’s a good chance someone will try to use them. On the upside, exposure is limited and, if your bank thinks the risk is high, it will automatically reissue new cards (effectively shutting down the identity thief). Degree of risk gets stickier when data like Social Security numbers, birth dates and addresses are stolen. This information has a long shelf life and can be traded internationally among organized criminals. It’s valuable because, unlike a single credit card number, it can spawn dozens of new accounts. While it’s less likely to be used than a single stolen credit card number (which requires much less time and work), potential damage to your good name is greater.

4. If you’re offered a year of free credit-monitoring, take it.

5. Pay extra attention to your account and billing statements. Check for charges that aren’t yours.

6. Check your credit report and watch for other fraud. After about 30 days (long enough for fraudulent activity to show up), log on to annualcreditreport.com to get a free copy of your credit report from each of the three major credit bureaus. Look for any unusual activity. Investigate suspicious activity and stay on top of it until the matter is resolved. Also look for signs of fraud in your medical files, on your Social Security statement, in insurance claims or in public records.

7. Change all user access credentials. If you use the same passwords for other financial institutions, change them. Watch financial statements—on paper and online—for unauthorized transactions. Be aware of potential email, phone and snail-mail scams. Enable text and email alerts when possible.

8. Notify existing creditors of the breach. Consider canceling your cards and getting new ones. Take advantage of issuers’ services that alert you to unusual transactions.

9. Place a fraud alert on your credit file. An alert placed with any one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft.

Case Study: Breach Takes Bite out of Big Apple Lunch

Wed, 05 Oct 2011 10:04:00 -0700

Kelly Colgan’s business lunch in the Big Apple turned rotten when she found herself stranded with no cash, no access to her debit and credit cards—which had been frozen—and dependent on the kindness of strangers to help her get back to her home in Rhode Island.

Colgan, an avid crafter, soon found out she was among tens of thousands of Michaels stores customers whose banking information had been stolen from checkout line PIN pads. Thieves used that data to create fake debit and credit cards. In Colgan’s case, they tried to withdraw money from her accounts, until the bank put the kibosh on their attempts.

“It’s devastating to feel so alone in New York City,” said Colgan, public relations manager at Identity Theft 911. “I had no money and no way to do anything about it.”

Data breaches can happen to anyone. More than 540 million records have been exposed in data breaches since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer organization. Many consumers have received the telltale notification letters alerting them that their information had been compromised. But many more don’t; they’re unaware that their personal information is at risk.

Data breach victims are more likely to become victims of other kinds of fraud, especially identity theft, according to Javelin Strategy & Research. Last year alone, new account fraud—when an account is created with a stolen identity—contributed to $17 billion in losses in the United States.

Fortunately, Colgan had access to our company’s fraud center, which assigned fraud investigator Mark Fullbright to the case. He reassured Kelly that he would be able to put safeguards in place to monitor her credit and ensure that any fraudulent activity would be removed at once. He immediately:

• Conducted a complete interview to determine what type of breach occurred
• Placed a fraud alert on Colgan’s credit report
• Enrolled her in Identity Theft 911’s fraud and credit monitoring program for one year to watch for additional fraud.

Consumers who are victims of a breach should call their insurer or bank, which may provide LifeStages™ Identity Management Services. Or contact us directly.

The bank’s actions protected her from full-fledged identity theft, but it left her cash poor in Manhattan.

“No one is immune to exposure from a data breach,” Colgan said. “I’m proof positive that it can happen to anyone.”

October is National Cybersecurity Awareness Month

Wed, 05 Oct 2011 10:04:00 -0700

Many consumers across the country may face a number of threats for having their personal, financial or medical information compromised by criminals without even realizing it, and that's why a number of organizations continue to observe National Cyber Security Awareness Month every October.

The National Cyber Security Division of the Department of Homeland Security - as well as the nonprofit groups the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center - began National Cyber Security Awareness Month in 2004 as a means of helping to promote ways consumers can avoid identity theft and other problems online. This is done through a number of events and other campaigns to increase awareness of the many problems that average people face online.

These events include free seminars and assessments from well-known online security companies, and a number of sessions for both businesses and consumers about how to better shield information from prying eyes that would use it for the purposes of identity theft when storing it online. And because more and more people and organizations alike are storing extremely sensitive information about themselves, family members, clients and patients online, they may be putting themselves at greater risk for exposure.

One of the central tenets of NCSAM this year is the concept of "Stop. Think. Connect." This encourages consumers to work to understand the risks they may face in putting information online before they even log onto an Internet connection. That also includes taking the time to better educate themselves about how to recognize potential threats on sight.

Next, consumers are encouraged to think about any link they may click on or site they may visit. Are there any warning signs that it may not be legitimate? How could turning over certain information when prompted affect the safety of a Web user or their family?

Finally, once consumers believe they have a firm grasp on what constitutes a potential security risk and how best to avoid or even combat them, they will be able to browse the Internet with ease, confident in their ability to stay safe online.

National Cyber Security Awareness Month also encourages consumers to do what they can to spread the word about the importance of protecting information online to their friends and family.