Articles

California Law Will Add Consumer Protections

Wed, 22 Feb 2012 00:00:00 -0700

A problem millions of Americans face is that they've been victimized by simple errors on their credit reports.

Recent studies have highlighted that up to 80 percent of all credit reports contain at least one error, and in some cases those mistaken entries can lead to significant issues for those who don't know about them. In many cases, these errors are the result of a typographical error - such as transposing digits in a Social Security number - but the end result can be quite troublesome.

Consumers hit with this kind of "debt tagging," a term for when another person's debt is applied to the wrong credit report, can often be targeted by aggressive debt collections agencies who can make life a nightmare for victims.

Fortunately for some of these people, a law that was recently passed in California may help to reduce instances of debt tagging. The Fair Debt Buyers Practices Act will require companies that buy consumer debt from lenders - often for pennies on the dollar - to provide evidence to the debtors they're pursuing that they're trying to contact the right person. In these instances, the burden of proof is often on the accused consumer, and finding documentation that says they don't owe a debt is often difficult to come up with compared with the say-so of debt collections agencies.

"Too often, a consumer can get ensnarled in a long and costly battle to prove they are not the ones responsible for debt," California Attorney General Kamala Harris said in response to the bill's passage. "The Fair Debt Buyers Practices Act will put reasonable requirements on debt buyers and ensure consumers are not forced to pay the debts of others."

Another reason that this type of debt tagging often takes place is that lenders will sell defaulted balances to collections agencies in large bundles, and often the proper documentation can get lost in the shuffle or not provided at all. Under the new law, debt buyers will not be able to sue a consumer unless they can provide documentary evidence that the person owes the money.

For more information about debt tagging and the harm it can cause, please consult the Identity Theft 911 newsletter on the subject.

Google Fixes Potential Wallet Security Flaws

Wed, 15 Feb 2012 00:00:00 -0700

Soon after security issues related to its digital payment platform known as Wallet were discovered and disseminated, Google worked diligently to fix the problem.

The hacks, one of which could only be carried out by a particularly adept cybercriminal and the other could have been done by anyone with illegal intentions, were reported last week by two separate sources. Since then, Google worked to mitigate the security flaws, the company said.

The first problem would have allowed hackers with a strong knowledge of how to "root" mobile device to access the PIN code for a consumer's Google Wallet account, essentially giving them free reign over the hacked account, the report said. In most cases, if Wallet detects that it's being used on a rooted phone, it will automatically delete itself from the device.

The second hack is more insidious, because it allows anyone with bad intentions and a lost or stolen cell phone with Google Wallet loaded onto it to access the account and make fraudulent purchases, the report said. If a lost or stolen device isn't protected with a lock screen code, a criminal could reset the account, create a new password and link the account to a prepaid card that basically gave them access to the victim's funds. As a result of this security flaw, Google recently suspended the use of prepaid cards on Wallet while it was working on a fix, but has since restored support for these accounts.

However, Google assured users Wallet is secure overall, and that it will to be so as Google works continuously to upgrade its protections, the report said. This type of NFC-dependent mobile purchasing system is expected to become quite ubiquitous in the near future.

"Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet," wrote Osama Bedier, vice president of Google Wallet and Payment. "In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don't."

Betty Chan-Bauza, vice president of product management for Identity Theft 911, writes a blog about potential issues related to identity theft and fraud consumers may face from certain products.

Letter from the Chairman

Thu, 09 Feb 2012 10:01:00 -0700

For most people, Valentine’s Day conjures up thoughts of moonlit nights, sunny days, butterflies, wood nymphs gaily dancing in lush green fields, hearts, arrows, chocolates, roses, diamonds, wining and dining. Whether the object of your affection is a boyfriend or girlfriend, spouse or significant other, the holiday offers an opportunity to demonstrate your affection and intentions (and, of course, contribute to the GDP—which, at the moment, clearly needs our help).

Warm and squishy feelings notwithstanding, Cupid’s day also brings a reminder that sometimes the people with whom we are closest can pose the greatest threat. After all, few, if any, of the folks in our social universe have more intimate knowledge of our personal lives, as well as access to our personally identifiable information (PII), than plus-ones. For better or worse (and potentially for richer or poorer), an open heart is the key to the PII vault providing the scorned and/or unscrupulous with all the tools needed to commit identity theft or related fraud.

While sharing shows caring, remove the rose-colored glasses and be sure to make smart decisions about sharing information with the loved ones in your life.

To help, this month we examine a trend in password sharing among couples. The decision to exchange those hopefully carefully chosen alphanumeric, grammatically challenged, upper- and lower-cased data sentries can be a declaration of trust or a way to efficiently manage a shared household but could also quickly backfire should the relationship go south. Learn when to keep those characters to yourself and how to protect your identity in the event of a breakup.

In addition, John Trenton shares his real-life story of love gone wrong. Years after his divorce, the veteran discovered his ex had opened a credit card in his name—and racked up debt to the tune of $10,000.

Of course, regardless of your relationship status, it’s smart to monitor who has access to your personally identifiable information. Our guide to building your own PII Chart™ will help you develop a complete picture of your identity profile, including which types of data you’ve entrusted to different organizations or individuals. It’s a key first step to managing your identity assets.

Finally, for those who are already looking ahead to April 17, we offer a privacy report card that rates different websites where you can file your taxes for free. Choose one that is secure and respects your privacy as a consumer.

Adam K. Levin
Chairman and Cofounder
Identity Theft 911

Net Security Company VeriSign Suffered Hacks

Wed, 08 Feb 2012 00:00:00 -0700

The Web infrastructure company VeriSign recently revealed that, in 2010, it suffered a number of security breaches as a result of hacking attacks by cybercriminals who were able to steal undisclosed amounts of data.

VeriSign has a domain name routing system that protects a large number of Web addresses ending in .com, .net or .gov, and recently revealed that these hacking attacks took place in a quarterly filing with the U.S. Securities and Exchange Commission, according to a report from Reuters. The company processes as many as 50 billion queries per day, and stolen data may allow the hackers to create fake sites or intercept emails that could be particularly sensitive, such as those traded by government employees or corporate executives.

The reason for the delay in reporting, according to the quarterly filing, is that while security staff was aware of the attacks soon after they happened, it did not let VeriSign executives know until September 2011, the report said. The filing did not mention any other action being taken by the company in an investigative capacity.

However, VeriSign executives believe that the attacks it suffered did not breach its domain system network, but is also not saying that the attacks categorically did not affect them, the report said. But even if those systems were safe from the attacks, there are other areas of concern. For example, the company controls a large amount of sensitive information about its many customers, and the services it runs to give out domain names would almost certainly have been targeted.

"This breach, along with the [one suffered by Web authentication company RSA last year], puts the authentication mechanisms that are currently being used by businesses at risk," Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama's cybersecurity policy review, told the news agency. "There appears to be a structured process of hunting those who provide authentication services."

VeriSign was, until August 2010, a major supplier of Secure Socket Layer certificates - bits of information sought automatically by Web browser programs when connecting to secure "https" sites, the report said. Experts worry that if those systems were corrupted, hackers could pose their bogus sites as real ones without the browser being able to recognize the difference between legitimate and fraudulent sites.

Ondrej Krehel, chief information security officer for Identity Theft 911, has a blog about hackers and information security.

Veteran Grapples with Ex-Wife’s Dishonorable Credit Card Charges

Fri, 03 Feb 2012 13:00:00 -0700

John Trenton* thought his relationship with his ex-wife ended with their divorce.

But years later, the retiree learned she charged more than $10,000 to a credit card opened in his name and stuck him with the bill. The account went into collections and sent his credit score plummeting.

Trenton tried to resolve the matter on his own, but he didn’t get very far in his dealings with the debt collectors. “They tormented me daily with calls and threats,” he said.

Then, one day, he and his wife were reviewing the annual update to their insurance policies with MetLife Auto & Home. His wife noticed that coverage included LifeStages™ Identity Management Services from Identity Theft 911.

Trenton immediately called MetLife, which connected him to Identity Theft 911 fraud investigator Maria Valenzuela. “That was the best day I’d had in a long time, when they put me in touch with her,” he said.

Valenzuela informed Trenton that the debt collector was required by law to give him 30 days to prove he was a victim of identity theft under the Fair Credit Reporting Act.

Valenzuela communicated directly with the debt collector and original creditor—with Trenton also on the line—to remove the debt from his name and credit file. To back up his claim, she prepared a mailing that included copies of Trenton’s driver’s license, divorce decree, affidavit, proof of address while the account was active, and a police report.

To protect Trenton from fraud in the future, Valenzuela placed a seven-year fraud alert on Trenton’s file with the three major credit-reporting agencies and enrolled him in Identity Theft 911’s check monitoring system and credit monitoring services.

Within a few months, the case was resolved.

Trenton is relieved the ordeal is over. “I had been getting harassed for years, and Maria fixed it all in six months,” he said. “We’re thankful every day for the assistance Identity Theft 911 gave us. It was like a miracle, really.”

* Name has been changed to protect customer’s privacy.

Video Privacy Law Given Close Look

Wed, 01 Feb 2012 00:00:00 -0700

The Senate Judiciary subcommittee on Privacy, Technology and the Law recently held hearings to look at changes proposed for the Video Privacy Protection Act.

The new bill would amend the existing VPPA to allow video providers - Netflix or Blockbuster, for example - to get customer consent to share their viewing histories up front, rather than on an individual basis, according to a report from the political blog The Hill. Perhaps not surprisingly, the new bill is controversial because, according to the testimony of a number of lawmakers and other witnesses, the VPPA as it's currently written is considered to be a "model privacy law."

Netflix, for its part, says that the changes it would like to see implemented will make it easier for consumers to use its service through their Facebook accounts, and therefore share the information on what they're watching. The service operates a popular streaming video service that allows consumers to watch movies, television shows and other digital content online, and keeps tabs on what each user watches. The company's general counsel, David Hyman, said in his prepared testimony that the approach outlined under the updated law - obtaining blanket permission for all videos, rather than on a case-by-case basis - is consistent with what the company's customers expect and want.

However, U.S. Sen. Al Franken of Minnesota, who is chairing the subcommittee, sees things differently, the report said. In addition, other privacy experts agree that blanket permission to share content does not necessarily constitute "meaningful consent" in all cases.

"It's a really good thing that people can easily tell their video company - 'sure, go ahead and tell people I watched 'The Godfather,' but no, don’t tell them I watched, 'Yoga for Health: Depression and Gastrointestinal Problems,'" Franken said, according to the site.

Another Senator, Vermont Democrat Patrick Leahy, who heads the Senate Judiciary Committee and sponsored the original VPPA in 1988, noted that what may be simpler for companies might not mesh with what's better for consumers' privacy, the report said.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a blog about the ways in which consumers can better protect their information online, even when sharing it among friends on social networks.

Don't Give Love—and Password-Sharing—a Bad Name

Mon, 30 Jan 2012 13:00:00 -0700

Romance in the digital era is beset by a unique set of challenges, as anyone who has agonized of their Facebook relationship status can attest. And the trickiest hurdle to navigate is dealing with those three little words that mean so much: “What’s your password?”

That’s right: Password sharing has become the new expression of intimacy. For teens, the exchange of email, Facebook or other passwords is a sign of trust, demonstrating that neither party has anything to hide. (A 2011 phone survey by Pew Internet and the American Life Project found that one in three teens had shared a password with a friend, boyfriend or girlfriend.) For adults who live together or are married, swapping those case-sensitive characters extends beyond a symbolic gesture to matters of household efficiency.

But when does convenient sharing cross into risky behavior? And what do you do if the relationship goes south? More often than not, it’s better to think twice before taking the password plunge.

Woodrow Hartzog, an assistant professor of privacy law and online agreement at Stanford University, addressed the social and legal risks of password sharing in a January NPR interview: “A lot of people feel as though they have nothing to hide from a friend or a spouse or romantic partner, so they share, thinking ‘I’m an open book,’ ” he said, but, “it’s significantly more complicated than that.”

First, and perhaps most important to remember, is that by giving out your password, you are giving someone else access to use your personal information.

If you’re savvy about using different passwords for different accounts—and that’s a big “if”—certain types of sharing can be benign: say, allowing your boyfriend the freedom to add titles to the Netflix queue. But in many other instances—with email, instant message, bank and other accounts—handing over a password is tantamount to providing unmitigated access to your personal life and your personally identifiable information (PII). The consequences can range from fights over misinterpreted emails to, in extreme cases, identity theft.

Other pitfalls of password sharing: “You risk getting locked out of your account because someone else has the password and can change it and you wouldn’t know it. You also give someone a very credible means to impersonate you,” Hartzog said. (Imagine an angry ex using your Facebook account to spread spam.) “And all of these things can have legal consequences, the least of which might be violating the terms of service on most websites.”

For those who dare to share it all, the risk for problems after a relationship ends is especially high.

Follow the measures below to protect yourself in the event of breakup, separation or divorce:

Immediately reset passwords on all shared accounts.
Closely monitor your accounts in the months afterward and throughout any legal process.
Don’t share. Be prudent about discussing your relationship on social networking sites.
Secure a safe-deposit box for important documents.
Know the law. Learn your state’s laws about community property and shared debt and credit.

If you suspect your identity has been stolen, call your insurer or bank, which may provideLifeStages™ Identity Management Services from Identity Theft 911. Or contact us directly.

Facebook Timeline Open to All Users

Wed, 25 Jan 2012 00:00:00 -0700

The Facebook feature known as Timeline has been available to many people for some time, but it is now being rolled out over the next few weeks to all of the social network's users.

The mandatory switch from the old-style profile to the new one, which logs all activity on the site ever and makes it easier for others to access, raises a lot of issues about users' privacy on the site, according to a report from Tech Crunch. The problem that privacy experts have with Timeline is that where before it would take a user a considerable amount of time to scroll through and find account activity from years ago, it now takes the simple, single click of a mouse.

That means posts users may have made in, say, 2007, which would have long ago been buried, are now widely available to view, the report said. And an issue that many who may want to delete posts they made in their younger days will face is that they'll have to go through and remove them all manually, or at least set the updates in question as being private "only to me."

Perhaps as a means in aiding cleanup, the social network also recently released a tool called Activity Log, which allows consumers to view all their status updates, changes and other actions in a more convenient way, the report said. This keeps track of every action posted since the day users joined the site.

Facebook has been in a number of privacy fights in recent years related to the way in which it protects its users' information, which may explain why it was rolling out Timeline less aggressively, the report said. For example, it didn't notify users when friends made the switch, and it is now providing a seven-day period in which they can opt in as a means of giving them a chance to go through their old posts and make them more private if they wish. Experts say that might only be troublesome to those who don't use the site regularly and therefore would not be aware that their account had been switched over.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a blog on which he advises social network users how they can better protect their private information.

The Rich are Different—and Identity Thieves Know It

Thu, 19 Jan 2012 10:04:00 -0700

Over the past five months, the Occupy Wall Street protesters have made political targets of the wealthiest 1 percent of Americans. Now it seems the economic discontent behind the movement is turning top earners into prime targets for a different, more nefarious group: identity thieves.

The risks that come with exceptional wealth are certainly not new. A high net worth means bigger returns to thieves. There’s more cash in the bank to plunder, and credit cards come with high limits or, in some instances, no limits at all.

But this latest trend in identity theft crimes may be a function of the times: Financial desperation or class animosity, or both, might be leading people to take advantage wherever the affluent can be found.

Consider the case of the steakhouse waiters.

In December, more than two dozen waiters and their associates—many of whom hailed from top New York restaurants such as Smith & Wollensky, Capital Grille and Wolfgang’s Steakhouse—were arrested for running an alleged identity theft ring. As described by prosecutors, the waiters stole information from customers’ credit cards (in particular, those who paid with American Express Black and other high-limit cards). They then passed the data to the ring’s leaders, who made new cards and used them to go on shopping sprees at stores including Chanel, Hermes and Cartier.

Other schemes have seen perpetrators gather personal data by digging into wealthy patients’ health records and photocopying donor checks from prominent philanthropists. A crafty threesome stole clientele books—and the personal and credit card information contained therein—from high-end stores like Neiman Marcus, Saks Fifth Avenue and Bloomingdale’s.

Problems can also strike closer to home. Employees of the affluent sometimes use their proximity and insider knowledge to commit identity theft crimes, counting on established trust to forestall scrutiny.

Such was the case with successful self-help author Melody Beattie. During the 2011 tax season, Beattie’s accountant noticed missing bank statements and unaccounted-for checks. The irregularities were soon traced to Beattie’s personal assistant, who, over a period of years, allegedly diverted more than $400,000 of the author’s assets for her own benefit using—among other methods—forged checks.

As with the steakhouse waiters, it’s not always possible to control who has access to your information. But when it comes to the people in your employ, consider the following tips to protect yourself.

Do a thorough background check of potential employees.
Develop a system of checks and balances for employees with access to business and/or personal information.
Personally conduct regular employee audits. Doing so will help you catch problems early. What starts as a relatively small transgression can snowball as people realize they can get away with something.
Trust in your employees is fine. Blind trust is not. Even the most honest person can turn in the face of life-altering circumstances. Act as a large corporation would and enact clear and consistent policies for monitoring employee actions.

Unfortunately, a high net worth also means a higher risk of identity theft—and a lot more to lose. No one is immune to identity theft, but preparing yourself before it happens is the best defense.

Letter from the Chairman

Thu, 19 Jan 2012 10:04:00 -0700

The start of a new year inevitably brings a round of resolutions. And while everyone will have their personal list of aspirations, Identity Theft 911 would like to add a goal that applies to all: Make 2012 the year of fighting back against identity theft.

As we saw in the November/December newsletter, 2011 was rife with data breaches. Nearly every month another company fell victim: RSA, Epsilon, Sony and more. Hundreds of thousands of consumers had their private information exposed or exploited. In other instances, hackers obtained sensitive data that might enable them to inflict greater damage down the line.

The clear lesson: No one is immune.

Accordingly, in 2012, complacency can no longer be accepted nor excuses tolerated. The time has come to set a new standard for privacy security, and change must begin at the level of individual responsibility: with the consumer who orders merchandise online; with the small business owner who must reconcile the dangers of working at home; with the corporate executive who sets his company’s data security policies and the employee whose job it is to carry them out.

Yes, the government and judicial system have critical roles to play in the fight against data and identity theft, and we’ll be watching to see what develops. But the fact is that those gears move slowly, whereas each of us has the potential to do something—right now and in the year ahead—to better protect ourselves.

Keeping this in mind, we’re offering two targeted slide shows—one for businesses and one for consumers. The slide shows identify the trends in data theft that are most likely to affect each group in 2012, along with advice for shoring up defenses.

This month we also explore the increasing risk of identity theft faced by high-net-worth individuals and offer tips for protecting your company from internal breaches. Plus we put together a security primer for home-based small businesses. From best practices to insurance considerations, to employee and self-education, we want you thinking about how to protect your customers’ information and your bottom line.

Finally, the breach at online retailer Zappos only further underscores our point: The onus is on consumers to protect themselves. To that end, our experts offer six key steps to protect your personal information online.

Wishing you a safe and secure 2012.

Adam K. Levin
Chairman and Cofounder
Identity Theft 911

Banks Come Together to Fight Fraud

Wed, 11 Jan 2012 00:00:00 -0700

Later this month, financial giants like Morgan Stanley and Goldman Sachs will meet with researchers to better inform efforts to create a center whose job it will be to sort bank data to detect potential cybercrimes.

The firms meeting with these experts, from the Polytechnic Institute of New York, is just the latest step in financial insitutions' attempts to reduce the threat of cybercrime, increase security and shut down those who would carry out such attacks, according to a report from the Wall Street Journal. Already, Bank of America is hosting other banks and experts in informal quarterly roundtables in which they discuss potential solutions to cybersecurity concerns.

The most recent Bank of America-hosted meeting came in late summer, where executives talked about "advanced persistent threats," the report said. This type of hacking is of particular concern because it involves long-term and repeated attempts to gain access to secure data - essentially testing a system's limitations and weaknesses.

The new era of cooperation is one that many experts would not have predicted for banks, who seem to now recognize that working together, rather than separately, will help to stamp out hackers' attempts, which are often collaborative, the report said.

"The mentality of the banks has been, 'Let's do everything internally because we don't want to give anything away,'" Peyman Mestchian, a managing partner with Chartis Research in London, told the newspaper.

However, the tendency toward secrecy can't be eradicated completely overnight, the report said. For example, some believe that in the case of the development of a center for fraud detection, there is still a faction that believes banks should not share their internal data with independent researchers.

The number of attacks carried out by hackers on large businesses across a number of industries has been on the rise in recent years, and a study from consulting firm Pricewaterhousecoopers found that financial institutions are, perhaps understandably, frequently the targets of these crimes, the report said. It is believed that financial companies will likely increase their spending on fraud detection some 12 percent over the next two years to about $1 billion annually.

Ondrej Krehel, the chief information security officer for Identity Theft 911, maintains a blog on which he posts regularly about hackers and the threats they pose not only to businesses, but individuals as well.

New Software Identifies Anonymous Web Users

Wed, 04 Jan 2012 00:00:00 -0700

One of the biggest complaints many people seem to have about the Internet these days is that users can leave posts and comments with complete anonymity. But that might no longer be the case.

Graduate students at Drexel University recently released a program that is designed to help identify the authors of documents for which interested parties are trying to figure out who wrote them, according to a report from the New York Times. However, the program also serves the function of helping anonymous authors to stay that way by obscuring their personal writing style somewhat. However, both are still new - they're still in alpha testing - and therefore quite buggy.

The program, JStylo, is based on other author recognition tools, such as Oxford University-developed Signature and Duquesne University's Java Graphical Authorship Attribution Program - JGAAP for short - but builds on their functionality, the report said. It works best if those searching for an author have a suspect list of 50 people or less, and about 6,500 words of writing samples per person. That can include everything from Tweets and instant messages to emails. It becomes even more accurate if the "disputed" document is 500 words or longer.

Privacy advocates believe this program could cause serious problems for people like corporate whistleblowers or human rights advocates who release sensitive or private documents, the report said. And it is for this reason that the program's other tool, known as Anonymouth, was created.

"Authorship recognition can be a legitimate threat to privacy and anonymity," the researchers who developed the program said in their presentation at a hacker convention on Thursday, according to the newspaper.

Anonymouth simply suggests to users ways they can change their document to better mask who wrote it, the report said. This can include adding sentences, using more words or changing punctuation that will make it more difficult for programs to spot quirks of language or style that authors rely on. Experts say that a person's writing style is like their fingerprint, unique and identifiable with the right information.

Eduard Goodman, chief privacy officer for Identity Theft 911, maintains a blog on which he writes regularly about the privacy issues many people may face when browsing the Internet, and ways consumers can better protect themselves.

Facebook's Timeline Still Raising Privacy Concerns

Wed, 28 Dec 2011 00:00:00 -0700

The latest change to hit Facebook, the new Timeline program which radically changes the appearance of user's profiles, is raising privacy concerns in many circles as it prepares for a complete global launch.

Many consumers have threatened to leave the site over this new development. The new setup essentially creates a chronological history of all of a user's activity on Facebook since they first signed up for the social networking site, including wall posts, pictures, links or any public messages which may have been sent. Those items can then be sorted by month and year.

While each part of the Timeline is customizable, Discovery News reports that the process of "scrubbing" the new profile is arduous and extremely time consuming. Each Timeline entry has the option to change its permission settings or delete it, and while everyone has seven days to review it before everything is published live, many people may not have the free time to fully vet their profiles. The default setting for new posts also posts everything to the Timeline.

Some experts have said that because the new design also gives consumers mild incentives to add even more personal information on their profile, it could make people more vulnerable to identity theft.

The social networking site is also expected to pair the new profile with a new suite of apps to display activity on other websites or services to consumers' profiles automatically, meaning even more browsing activity would be tracked and published online. While this kind of information will be highly sought by advertisers, it also raises additional privacy concerns.

Facebook as a whole has been the crux of a number of privacy lawsuits and concerns over the past several months, with consumers feeling that their personal information is too exposed and vulnerable to identity theft.

For further discussion about privacy issues, read the blog of Identity Theft 911 Chief Privacy Officer Eduard Goodman.

The new Timeline feature also created news of a potential breach of privacy in Finland, as many users thought that the system was turning private messages public for everyone to see. However, further investigation of the issue by a security firm found that users were most likely mistaken, had posted that information on their public profiles and then later forgotten.

Facebook's Timeline Feature a Privacy Concern?

Wed, 21 Dec 2011 00:00:00 -0700

Last week, the world's most popular social networking site unveiled a new way for users to list their life events, and share that information with friends and family.

The new feature, which Facebook calls Timeline, makes it easier for users to find all photos, links and other shared items on the site, according to a report from the New York Times. Consequently, many experts say that personal information shared on the site is now more accessible than ever, and could be a concern for some users.

Facebook, which has more than 800 million users around the globe, has been storing everything ever uploaded onto the site, and all Timeline has done is simply made it easier to find years-old information, the report said. Eventually, all profiles on the site will be switched over to the new Timeline look, but users are also able to voluntarily update their settings right now.

"We've all been dropping status updates and photos into a void," Ben Werdmuller, the chief technology officer for the video service Latakoo, told the site. "We knew we were sharing this much, of course, but it's weird to realize they've been keeping this information and can serve it up for anyone to see. It's unsettling to see the past presented as clearly as the present. It's your life in context, all in one place."

Of course, Facebook has already been at the center of a number of debates over how easy it is to find consumers' personal information online, and how readily users will share that information without regard for who can access it. For this reason, privacy experts have been advocating for years that the site's users should update their personal privacy restrictions to the highest possible settings, which will help to keep their sensitive data - such as their address, date of birth and other details that can be used for identity theft - as private as possible. This will be especially important now that Timeline exists because it will allow those interested in accessing this information to aggregate it more easily.

Eduard Goodman, the chief privacy officer for Identity Theft 911, writes a blog about ways in which consumers can increase the security of their information on sites like Facebook.

What Were 2011's Biggest Hacker Busts?

Wed, 14 Dec 2011 00:00:00 -0700

While identity theft through cyber crimes has been on the rise in recent years, authorities have also done a better job of cracking down on those whose illegal activities affected large amounts of people.

A number of infamous and elusive hackers were brought to justice in the last year, according to a report from Dark Reading. One of the biggest busts was that of Ryan Cleary, a 19-year-old hacker who was working with the Anonymous and LulzSec collectives to bring down major British websites as a show of force. It was a dispute with members of Anonymous that led to exposure of his personal information, which was eventually used to bust him. Another LulzSec hacker, Cody Kretsinger, was also apprehended for his role in the hacking of Sony Pictures.

Meanwhile, Anonymous also had an inside man at AT&T, who is said to have given the collective tens of thousands of phone numbers in additional to login data for confidential servers, and other documentation that was used by the group in a data dump, the report said. That contractor, Lance Moore, was the only one of 20 in his group to access both the affected servers and the free data uploading site FileApe.

Another young hacker that got busted this year is Aaron Swartz, a fellow at Harvard University's Safra Center for Ethics, who downloaded (perhaps illegally) more than 4 million academic articles from the Massachusetts Institution of Technology using anonymous logins, the report said.

But perhaps a more important series of arrests was made in connection with the DNSchanger malware program, the report said. Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanvov were apprehended in a bust experts say is one of the most important ever. The malware helped them steal more than $14 million worth of advertising views.

The man behind the infamous iPad hacking that took place when the tablet device was first released was also apprehended this year, the report said. Andrew Auernheimer of the Goatse Security group, exploited a flaw in Apple's security and gained access to 114,000 iPad users' email addresses, including celebrities and politicians. Christopher Chaney, another hacker who gained access to dozens of celebrities' email addresses, was also busted this year.

Ondrej Krehel, chief information security officer for Identity Theft 911, writes regularly about hackers on his official blog.

Letter from the CEO

Fri, 09 Dec 2011 10:04:00 -0700

The year 2011 will go down as the year of the data breach. And the worse news is, 2012 could top it.

From the CIA to video-game networks, from brand-name conglomerates to mom-and-pop shops, no sector of business, and no agency at any level of government, was immune to hack attacks. In what we now view as the good old days of weak IT security, you could count on the perpetrators being motivated only by money – stealing credit card numbers or other customer data so they could steal the identities of innocent victims.

This year, with so many political and social conflicts smoldering all over the world, the rise of the “hacktivist” took precedence over the mere money-grubbers. It wasn’t uncommon to see local law enforcement departments, public transport agencies and nonprofits attacked simply for their political views, or else to exploit their security vulnerabilities. Our experts anticipate these and traditional attacks to continue in the new year.

Now for the good news: Our December 2011 newsletter has a wealth of valuable information, starting with our Year in Review slideshow , which takes you through the hacks, month by month. As more organizations fell victim to attacks by hackers, news of data breaches seemed as frequent as celebrity wedding specials, with the victims' names nearly as well known. Sony. PBS. Facebook. Even the U.S. government and its military were hit. No one was immune.

This year also saw significant developments in the privacy movement. The Federal Trade Commission took its role as America’s privacy authority more seriously than ever—ending the year with a strong rebuke and 20-year privacy settlement with Facebook. A number of lawsuits made their way through the legal system, including one now before the U.S. Supreme Court on whether the government can track suspects using GPS without a warrant. Guest privacy expert Khizar Sheikh of Lowenstein Sandler PC explains how this decision could impact your company and customers.

Despite the risks of storing personal information on the Internet, more than one-third of Americans will do their holiday shopping online this year. Why waste time and gas shopping at the mall? It's faster and easier to simply turn on our laptops, pads or mobile devices. With increased convenience, however, comes increased risk. We’ve wrapped some tips into a slideshow that will help you stay safe while shopping online .

Finally, this month's podcast features customer Don Brown's disturbing credit nightmare, caused when thieves targeted his business account. From the discovery of an unauthorized wire transfer to change-of-address attempts, he shares his story and how Identity Theft 911 helped to stop the thieves in their tracks.

As always, we hope you enjoy. Have a happy, healthy holiday season.

Matt Cullina

Chief Executive Officer

Identity Theft 91 1

Ask the Expert

Fri, 09 Dec 2011 10:04:00 -0700

Question: The U.S. Supreme Court is hearing a case on GPS tracking. Is it important to my business and customers?

Answer: Yes. The immediate issue in the GPS tracking case (United States v. Jones) is whether the government can use GPS technology to track an individual’s car without a court warrant; that is, without a judge finding that there is probable cause for the government to investigate. The case is important—it could shed light on how the court will view the government’s use of emerging surveillance technologies and data collection against individuals and businesses.

First, some background. Ever since its 1928 ruling in Olmstead v. United States involving a telephone wiretap the Supreme Court has dealt with issues regarding law enforcement’s use of advancing technology. In the Jones case, the constitutional principle at stake is the Fourth Amendment and whether an individual’s “legitimate expectation of privacy” is violated when law enforcement uses a technique or device without a court-approved warrant.

Over the years, the court has been willing to accept that there is an “expectation of privacy” when law enforcement monitor something inside a home (e.g., law enforcement cannot use thermal imaging technology to measure heat from a home without a warrant), but not when it occurs out in the open (e.g., law enforcement can track an individual’s car by following beeper signals). Even though tracking a car using GPS occurs outside a home, the monitoring involves continuous collection and analysis of data that is not readily public. Is that a private or public activity? Clearly, the rapid pace and reach of surveillance technology is blurring the line between the two.

For example, attaching a GPS isn’t the only way that law enforcement can track people’s movements. Many people today with a cell phone are carrying a device that law enforcement can use to track their location (through technology called Stringray tracking). The court’s decision in Jones, therefore, will show how the court approaches surveillance technology, in general, and what powers law enforcement will have to investigate and track electronically individuals and businesses without a formal finding that there exists cause to begin an investigation.

Indeed, during the Jones oral argument, the potential reach of new technologies and the possibility of Big Brother were clearly on the justices’ minds. The novel “1984” was referenced several times, and the justices raised hypothetical future situations involving the limits of where and when a tracking device could be used without a warrant. The court’s reasoning will impact how the government uses new technologies (such as Stingray) to monitor movements on a 24-hour basis and possibly intercept without warrant an individual’s or business’s electronic data, web traffic, or email (using technologies such as cookies or beacons).

Interestingly, the far-reaching implications of new surveillance technology on electronic communications and location privacy are not just being tackled by the courts, but Congress. The Electronic Communications Privacy Act (ECPA) includes a heightened warrant requirement when the government seeks to intercept electronic communications that are in transit. At the same time, the government’s view is that it doesn’t need a warrant to review stored electronic communications or track movements using mobile phones.

Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, has introduced a bill, the ECPA Amendments Act (S.1011), which would require the government to obtain a warrant before accessing the content of private electronic communications or before tracking someone’s location in real-time. It will be noteworthy to see if the court and Congress will impose similar requirements for government agents seeking to intercept and monitor individuals’ locations and electronic communications.

The Supreme Court is expected to issue a ruling in Jones sometime early in 2012.

Khizar A. Sheikh is counsel to the law firm of Lowenstein Sandler PC , and a member of the firm’s Privacy Law Practice Group.

Avoid Holiday Shopping Scams This Season

Wed, 07 Dec 2011 00:00:00 -0700

While many consumers may not be thinking of it at this time of year, criminals are always on the lookout for ways they can rip off unsuspecting people.

This is particularly true when it comes to online shopping. As a result, there are a number of things for consumers to look out for, according to a warning from Ondrej Krehel, Identity Theft 911's chief information security officer.

One of the easiest ways for crooks to trick holiday shoppers is by creating websites that look exactly like popular shopping sites. But there's an easy way to differentiate the bogus ones from the legitimate ones: look at the address bar. If it doesn't say "https://" before the website name, the site isn't secure - meaning the information the consumer enters won't be encrypted.

Another way for shoppers to tell if they're at a bogus site is if they're asked to provide their Social Security number or bank details as part of the checkout process, the report said. Any time they begin to suspect that they're on a suspicious website, they should close the window immediately.

Consumers would also be wise to increase the quality of their passwords, the report said. That means not using pet's names, birthdates and the like that can be easily looked up online. Instead, consumers should use passwords that are seemingly random, and contain a mix of upper- and lowercase letters, numbers and symbols.

It can also be effective to never save login or personal information on a retail site, the report said. That will help to ensure that no crooks can go on a buying spree if a computer is stolen. In addition, it can be helpful for consumers to closely read all sites' privacy and return policies before making a purchase to ensure they're comfortable with them.

Shoppers should also keep in mind that using a credit card will give them more protection from fraud than debit cards, the report said. Linking bank accounts to online pay services should be avoided as well, and payment information should never be sent via email, no matter what. And for any purchase made, it's a good idea to save the records, just in case.

Identity Theft 911 also provides tips of other ways consumers can protect themselves from all types of fraud throughout the year.

Small Breach Settlement Could Set Precedent

Wed, 30 Nov 2011 00:00:00 -0700

A relatively minor settlement following a massive 2009 data breach might end up being remarkably important in the way court cases concerning these incidents are heard for years.

The data breach itself, which exposed the personal information of more than 32 million consumers who had their personal information exposed in a December 2009 hacking attack, led to a class-action suit in which the primary plaintiff was awarded the relatively minor sum of $2,000, according to a report from Dark Reading. RockYou - a developer of games for social networking sites like Facebook and MySpace - will also pay his more than $290,000 in lawyers' fees.

The RockYou breach happened because the company stored all of its user account data in plain text files on its database, and left them unencrypted, the report said. The hack exposed users' passwords for outside sites, and the company failed to notify users for several days. When it did alert victims to the incident, it also incorrectly stated that the breach only affected older applications.

But more important than the money is what the case will mean for data breach litigation going forward, as it will likely open the door for more suits brought by consumers whose private personal, financial or medical information was exposed in a data breach, the report said.

In the past, consumers have had to prove that they've suffered damages as a result of having this data exposed in a data breach, but a few court cases in recent months may indicate that a sea change is coming for this type of decision, according to a separate report from Data Privacy Monitor. Another recent decision in the case of the grocery chain Hannaford - in which its credit card readers were hacked, exposing the payment information for millions of consumers - found that the company was liable even to those who did not lose money as a result of fraud.

Of course, consumers typically face a number of costs as a result of many data breaches, such as those related to the cost of mitigating the threat of fraud.

Ondrej Krehel, chief information security officer for Identity Theft 911, writes regularly on his official blog about ways in which consumers can better protect their sensitive information in the wake of data breaches.

Was California Collections Firm a Scam?

Wed, 23 Nov 2011 00:00:00 -0700

Many people have had to deal with collections agencies in the past, but one woman in Pennsylvania says she was contacted by a company about a bogus debt she owed, and was ripped off as a result.

Further, the company may have thousands of other victims across the country as well.

Several months ago, the Pennsylvania woman received a call from a company known as LAR, which told her she had an unpaid credit card debt of $375 that had been sent to collections, according to a report from the Wilkes-Barre Times Leader. She was told that if she did not pay the check, a police officer would show up to her home to arrest her. And so, over the course of the next three months, she sent them three checks for $100 each in attempt to reduce the debt which, as it turns out, did not exist.

However, she believed the company was legitimate because she had been experiencing difficulties in paying her bills on time and in full, but had worked with a credit counseling agency to resolve most of those problems, the report said.

She became suspicious when she did not receive the receipts for her payments the company promised her, and attempts to call the phone number the representative she spoke with initially were unsuccessful, the report said. A later Web search found that the number - 714-888-6888 - turned up a number of hits that indicated other people across the country were allegedly ripped off by the same company, or other ones using the same phone number.

Authorities are now looking into the matter, but have yet to determine whether LAR is a legitimate debt collections agency or a scam, the report said. However, even if it were a real company, the threat of sending a law enforcement official without knowing if that would actually happen violates the Fair Debt Collection Practices Act.

This incident underscores the importance of vigilance, and not blindly trusting any unsolicited demands for money or private information, no matter how official they may sound, the report said. Consumers contacted in such a way should do all in their power to make sure the claims against them are legitimate.

Brian McGinley, senior vice president of data risk management for Identity Theft 911, writes regularly about ways consumers can protect their personal information.

Facial Recognition Software Now Going Mainstream

Wed, 16 Nov 2011 00:00:00 -0700

Advanced facial recognition software isn't just for sci-fi movies any more. Now, consumers can use it for mundane things like figuring out who's at a bar.

A new smartphone application known as SceneTap uses cameras loaded with smartphone application to let consumers figure out a slew of information about patrons at more than 50 participating bars in Chicago, according to a report from the New York Times. While the app does not figure out specific people who are at the bar, it will alert users as to the average age of a certain location's patrons or the male-to-female ratio at any given time.

It's expected that this type of technology will become the "next big thing," particularly when it comes to advertising and direct marketing, the report said. Software that identifies not specifically who a person is, but data like their gender, approximate age and so forth, can help to create personalized ads. Already, "smart" signs will roll out this month in major cities such as Los Angeles, San Francisco and New York City, and will deliver ads based on passersby approximate demographics - i.e. ads for shaving razors flashed at men, and feminine hygiene products for women.

Similar software also exists on sites like Facebook, where users are given "Tag suggestions" when they upload a photo, the report said. These are based on facial characteristics of those on a user's friend list.

But some experts fear that this will also essentially end anonymity, and wonder what that means for consumer privacy, the report said. Already, the proliferation of facial recognition is being blamed on regulators not doing enough to keep up with emerging technology, and the privacy risks some believe that poses are considerable. A recent study at Carnegie Mellon University found that standard facial recognition software could identify roughly one-third of students participating in the research based on their public Facebook profile pictures.

"It's a future where anonymity can no longer be taken for granted - even when we are in a public space surrounded by strangers," Alessandro Acquisti, an associate professor of information technology and public policy at Carnegie Mellon who conducted the study, told the newspaper.

Eduard Goodman, chief privacy officer for Identity Theft 911, writes a regular blog about issues related to consumer privacy and other issues.

Government Offers Protection after Tricare Breach

Wed, 09 Nov 2011 00:00:00 -0700

A recent data breach suffered by a healthcare network affiliated with the U.S. Department of Defense exposed the personal and medical information of nearly 5 million current and former military members and their families.

And now, months after the breach was discovered, the Department of Defense and Tricare, the company responsible for the breach, are finally offering protection to those affected by the incident, according to a report from the Warner Robins Patriot. Initially, neither organization offered victims credit monitoring or restoration, but have now gone back on that stance, extending these services to those who want it.

"These additional proactive security measures exceed the industry standard to protect against the risk of identity theft," said Brigadier General Bryan Gamble, Tricare Management Activity deputy director, according to the newspaper. "We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will not be unaffected by this breach."

The data breach itself took place in September, and exposed the information of more than 4.9 million people who received medical treatment, pharmacy or laboratory services at a San Antonio, Texas, military facility between 1992 and September 7, 2011, the report said. The information was stored on backup tapes, which were stolen from a vehicle used by Science Applications International Corporation, a third party contractor Tricare had hired to compile and maintain its databases. An employee left the tapes unattended in a vehicle while they were being transferred from one federal facility to another.

The information stored on the tapes included victims' Social Security numbers, addresses and health information, but no credit card or bank account details, the report said. Tricare initially said that the risk for data breach as a result of the tapes going missing was low because they required specific knowledge and hardware to extract data from.

Consumers can find more information about the data breach and the protective services available by calling SAIC's incident response center at 855-366-0140, the report said.

For more information about the Tricare data breach, please see Identity Theft 911's earlier coverage, including an overview of the incident and its potential effects on consumers, as well as details about the lawsuit the Department of Defense now faces as a result of the incident.

Physicians Sending Texts Poses Breach Threat

Wed, 02 Nov 2011 00:00:00 -0700

In recent years, many consumers have probably heard about doctors using pagers to receive information about calls to the hospital where they work, but a recent trend has seen them turn to a new communication method that may be troubling for patients.

Many doctors are now sending information about calls via text message and, in doing so, may be breaching patient privacy and security regulations spelled out in the Health Insurance Portability and Accountability Act, according to a report from American Medical News. More than 80 percent of doctors nationwide now carry smartphones, and texting of information has become the norm. But these devices lack the security of electronic medical record systems that many should be relying on for information.

"Physicians are not so much concerned with HIPAA compliance as they are about work flow and physician communication," said Dr. James French, executive director of the hospitalists group at the Cone Health System in Piedmont, N.C., during a recent webinar on texting, according to the site.

Many smartphones may allow users to encrypt all incoming and outgoing messages so that they can't be read or intercepted by others, but not all do, and that's what poses the privacy concern. A recent poll of members of the College of Healthcare Information Management Executives found that 96.7 percent of respondents allowed their physicians to text orders to nursing staff and, more troublingly, 57.6 percent don't use any type of encryption software.

However, there are other safeguards to help mitigate the threat of a data breach through even unencrypted texting, the report said. These include autolocking the data after a few seconds or the ability to remotely wipe the phone's memory, including all email and texts.

The issue, doctors argue, is that HIPAA regulations are still relatively new and take some getting used to, especially given how easy it is to issue orders via texting versus paging or telephone calls, the report said. They say that moving forward this should become less of a problem as medical professionals grow more accustomed to dealing with greater regulatory requirements.

Millions of businesses in the healthcare industry are now digitizing patient records, which makes them easier to share and can increase the quality of care, but also increases the ease with which breaches can expose sensitive data.

Avoiding Fraud Now Counts in Court

Wed, 26 Oct 2011 00:00:00 -0700

A panel of judges working in the U.S. First Circuit Court recently ruled that the costs consumers incur when attempting to protect their personal, financial or medical information following a data breach can count as damages in lawsuits.

When consumers are affected by a data breach, they typically have to pay considerable amounts of money to increase the security of their sensitive data, whether the information exposed included their personal, financial or medical details. However, until the court's recent decision, these costs could not be included in lawsuits against the companies responsible for exposing the information because they were not considered legally cognizable damages, according to a report from Privacy and Security Matters. But the decision, which overturned a previous ruling in the case of Anderson v. Hannaford Bros. Co., will change that.

The case involved a class action suit in which some of the 4.2 million consumers who were affected by a data breach that exposed their debit and credit card information. They tried to sue to regain funds they lost in attempting to avoid fraud but were not actually hit with identity theft, the report said. Plaintiffs argued that the costs they paid out of pocket to acquire fraud alerts on their credit reports and the fees associated with obtaining new credit or debit cards were reasonably foreseeable expenses.

Previous rulings on cases involving similar situations had found that these expenditures were unreasonable in other circumstances, such as the loss of laptops or similar computer equipment. In those situations, the loss of consumer data may not have been the result of a deliberate attempt to steal that sensitive data, the report said. But in this case, that was clearly the criminals' intent, and therefore the charges consumers incurred in the case were perfectly reasonable for them to attempt to recover through a lawsuit.

As such, the decision will likely have far-reaching effects in data breach litigation, as plaintiffs will likely be able to cite similar costs and recover them in court, the report said.

For more information about data breaches and how consumers can protect themselves and their sensitive details following this type of incident, please consult the Identity Theft 911 blog, which contains input from a number of experts.

Letter from the Chairman

Wed, 19 Oct 2011 17:01:00 -0700

Americans are becoming increasingly aware of their identity’s value as an asset. As the Federal Trade Commission tells us, information about consumers’ purchasing behavior, browsing habits, and other online and offline activity is being collected, analyzed, combined, used, shared and sold—often instantaneously and invisibly—every single day.

Unfortunately, each link in this chain of information exchange means one more opportunity for thieves to appropriate and misuse sensitive data for themselves. While that can lead to financial losses for both businesses and consumers, there is another loss to be considered—one that may be more difficult to repair: the consumer’s loss of trust in whatever business carelessly handled their personal and private information.

A consumer who asks how a breach happened next asks the sharper question: “Why didn’t you prevent it?” Whether that carelessness is real or perceived almost doesn’t matter. The result can be the same. He or she takes their business elsewhere.

Looking ahead, then, it’s clear that businesses must not only prioritize issues of privacy and security, but also develop stronger relationships with their customers—ones where mutual trust is in place from the outset. Among other things, business owners must find ways to be more transparent about whom they’re doing business with and how they’re safeguarding their customers’ information. Businesses also would do well to give consumers greater access and control of their own data profiles. When customers have the comfort that comes with being informed and involved, they will reward businesses with their confidence—and their dollars.

With October being National Cyber Security Awareness Month, there’s no better time to consider these and other issues. In this month’s newsletter, one of our own, Kelly Colgan, describes what happened when she found herself stranded and without access to her accounts on a business trip to New York City—proof that in today’s digital era, everyone’s data is susceptible to a breach.

We’re also offering do’s and don’ts for people who receive notification that their personal information may have been compromised in a data breach.

Finally, Ondrej Krehel, our chief information security officer, takes a look at what’s happening on the national stage—and how cyber espionage poses a serious threat to corporate and government intellectual property.

As always, we hope you enjoy.

Adam K. Levin
Chairman and Founder, Identity Theft 911

9 Tips for Breach Victims

Wed, 12 Oct 2011 10:04:00 -0700

Maybe you’ve heard a news report about a data breach at a company where you do business. Or you’ve received a letter stating that your personal information may be in the wrong hands.

What does it all mean?

A data breach is the release of sensitive information into an insecure environment. Breaches can take many forms. Sometimes data is stolen or leaked. Often, though, it is inadvertently exposed when data is lost or shared.

Whether the trouble started with a pilfered laptop or an insidious cyberattack, a breach of personal electronic data triggers mandatory notification laws in nearly all U.S. states and territories. If you haven’t received such a notice already, chances are you will.

But just because your personal information—a Social Security number, birth date, or mother’s maiden name, for example—was affected, it doesn’t mean you’ll become a victim of identity theft. It means something’s happened that could put you at risk.

Follow these steps to protect your identity and credit:

1. Read the notice carefully to learn what information may have been exposed and how. (Keep the notice in case you ever need to prove that your data was compromised through no fault of your own.)

2. Review the breached account. Identify what information it contained and what was compromised. Look for unauthorized activity, such as a change in address or telephone number.

3. Know exactly what’s at risk. If it’s debit or credit card numbers only, there’s a good chance someone will try to use them. On the upside, exposure is limited and, if your bank thinks the risk is high, it will automatically reissue new cards (effectively shutting down the identity thief). Degree of risk gets stickier when data like Social Security numbers, birth dates and addresses are stolen. This information has a long shelf life and can be traded internationally among organized criminals. It’s valuable because, unlike a single credit card number, it can spawn dozens of new accounts. While it’s less likely to be used than a single stolen credit card number (which requires much less time and work), potential damage to your good name is greater.

4. If you’re offered a year of free credit-monitoring, take it.

5. Pay extra attention to your account and billing statements. Check for charges that aren’t yours.

6. Check your credit report and watch for other fraud. After about 30 days (long enough for fraudulent activity to show up), log on to annualcreditreport.com to get a free copy of your credit report from each of the three major credit bureaus. Look for any unusual activity. Investigate suspicious activity and stay on top of it until the matter is resolved. Also look for signs of fraud in your medical files, on your Social Security statement, in insurance claims or in public records.

7. Change all user access credentials. If you use the same passwords for other financial institutions, change them. Watch financial statements—on paper and online—for unauthorized transactions. Be aware of potential email, phone and snail-mail scams. Enable text and email alerts when possible.

8. Notify existing creditors of the breach. Consider canceling your cards and getting new ones. Take advantage of issuers’ services that alert you to unusual transactions.

9. Place a fraud alert on your credit file. An alert placed with any one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft.

Breach Takes Bite out of Big Apple Lunch

Wed, 05 Oct 2011 10:04:00 -0700

Kelly Colgan’s business lunch in the Big Apple turned rotten when she found herself stranded with no cash, no access to her debit and credit cards—which had been frozen—and dependent on the kindness of strangers to help her get back to her home in Rhode Island.

Colgan, an avid crafter, soon found out she was among tens of thousands of Michaels stores customers whose banking information had been stolen from checkout line PIN pads. Thieves used that data to create fake debit and credit cards. In Colgan’s case, they tried to withdraw money from her accounts, until the bank put the kibosh on their attempts.

“It’s devastating to feel so alone in New York City,” said Colgan, public relations manager at Identity Theft 911. “I had no money and no way to do anything about it.”

Data breaches can happen to anyone. More than 540 million records have been exposed in data breaches since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer organization. Many consumers have received the telltale notification letters alerting them that their information had been compromised. But many more don’t; they’re unaware that their personal information is at risk.

Data breach victims are more likely to become victims of other kinds of fraud, especially identity theft, according to Javelin Strategy & Research. Last year alone, new account fraud—when an account is created with a stolen identity—contributed to $17 billion in losses in the United States.

Fortunately, Colgan had access to our company’s fraud center, which assigned fraud investigator Mark Fullbright to the case. He reassured Kelly that he would be able to put safeguards in place to monitor her credit and ensure that any fraudulent activity would be removed at once. He immediately:

• Conducted a complete interview to determine what type of breach occurred
• Placed a fraud alert on Colgan’s credit report
• Enrolled her in Identity Theft 911’s fraud and credit monitoring program for one year to watch for additional fraud.

Consumers who are victims of a breach should call their insurer or bank, which may provide LifeStages™ Identity Management Services. Or contact us directly.

The bank’s actions protected her from full-fledged identity theft, but it left her cash poor in Manhattan.

“No one is immune to exposure from a data breach,” Colgan said. “I’m proof positive that it can happen to anyone.”

October is National Cybersecurity Awareness Month

Wed, 05 Oct 2011 10:04:00 -0700

Many consumers across the country may face a number of threats for having their personal, financial or medical information compromised by criminals without even realizing it, and that's why a number of organizations continue to observe National Cyber Security Awareness Month every October.

The National Cyber Security Division of the Department of Homeland Security - as well as the nonprofit groups the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center - began National Cyber Security Awareness Month in 2004 as a means of helping to promote ways consumers can avoid identity theft and other problems online. This is done through a number of events and other campaigns to increase awareness of the many problems that average people face online.

These events include free seminars and assessments from well-known online security companies, and a number of sessions for both businesses and consumers about how to better shield information from prying eyes that would use it for the purposes of identity theft when storing it online. And because more and more people and organizations alike are storing extremely sensitive information about themselves, family members, clients and patients online, they may be putting themselves at greater risk for exposure.

One of the central tenets of NCSAM this year is the concept of "Stop. Think. Connect." This encourages consumers to work to understand the risks they may face in putting information online before they even log onto an Internet connection. That also includes taking the time to better educate themselves about how to recognize potential threats on sight.

Next, consumers are encouraged to think about any link they may click on or site they may visit. Are there any warning signs that it may not be legitimate? How could turning over certain information when prompted affect the safety of a Web user or their family?

Finally, once consumers believe they have a firm grasp on what constitutes a potential security risk and how best to avoid or even combat them, they will be able to browse the Internet with ease, confident in their ability to stay safe online.

National Cyber Security Awareness Month also encourages consumers to do what they can to spread the word about the importance of protecting information online to their friends and family.

Hospital to Fight Data Breach Suit

Tue, 04 Oct 2011 10:04:00 -0700

A recent data breach at a major California healthcare center sparked a class action lawsuit on behalf of the thousands of consumers who had their personal information exposed, but now the hospital says it will fight that suit.

Stanford Hospital and Clinics recently announced that it would "vigorously defend" against a class action complaint filed in Los Angeles Superior Court, which amounted to $20 million, according to a report from the San Jose Mercury News. The data breach exposed the personal and medical information of more than 20,000 patients when a third party posted the information on a commercial website and left it exposed for close to a year.

The suit was filed on behalf of the victims, all of whom were patients at the facility between March 1 and August 31, 2009, the report said. Stanford confirmed that the data breach had taken place on Sept. 8, 2011, and blamed codefendant Multi-Specialty Collection Services LLC for the breach, as the subcontractor was the one that mishandled the consumer data. The hospital has also cut ties with the third party data handling company.

The information released in the breach included consumers' medical record numbers, hospital account numbers, billing charges and both admission and discharge dates, the report said. However, other identifying details such as Social Security numbers and credit card information were not included.

"To date there is no evidence that anyone saw this information on the website and improperly used it for fraudulent or any other improper purpose," Stanford Hospital and Clinics said, according to the newspaper. "(Stanford Hospital & Clinics) has investigated this matter, terminated its relationship with (Multi-Specialty Collection Service), and reported this breach to law enforcement authorities."

The hospital also noted that it moved quickly to remove the posted data from the site - which is designed to help students find help with their homework - after learning about the breach, the report said. In addition, it also notified the affected former patients as soon as possible and even offered to provide identity protection services free of charge.

Medical data breaches are becoming more and more common these days, as a greater number of facilities are turning to using digital records designed to ease sharing of information.

Health Industry Unprepared to Protect Data

Mon, 03 Oct 2011 10:04:00 -0700

The world of healthcare is changing rapidly as a result of greater digitization of records so that they can be shared more easily between medical entities, insurance providers and other companies. But that ease of information swapping also puts companies at greater risk for suffering data breaches that can expose patient records.

A recent survey of 600 executives in U.S. hospitals and physician groups, health insurers and pharmaceutical and life sciences companies found a number of troubling statistics about the possibilities for medical data breaches, according to the PwC Health Research Institute. For example, theft of information accounts for about 66 percent of total healthcare data breaches reported in the last two years.

As a consequence, medical identity theft seems to be on the rise, the report said. In all, 36 percent of hospitals and physician groups - in short, healthcare providers - have had patients try to obtain medical services using another person's name and identification. Further, 54 percent of health organizations said that they've had to deal with at least one issue related to information privacy and security in the last two years.

These problems may be persistent because 55 percent of these organizations have not taken the steps necessary to address privacy and security problems related to using mobile devices, the report said. Less than a quarter also don't have policies related to social media.

The issue most frequently suffered by those who responded to the poll was internal parties mishandling protected information, the report said. About 40 percent of providers have struggled with this problem in the last two years. Meanwhile, insurers, pharmaceutical companies and life sciences firms said their biggest issue was the improper transfer of files containing personal information.

The research also found that increased data breach notification and requirement enforcement is forcing healthcare companies to increase privacy and security measures, and also recognize that protecting consumers' sensitive personal, financial and medical information is critical, the report said. Those companies that take an "integrated approach" to protecting consumer information will typically have greater success in doing so. Health insurers were more likely than other organizations to use this method.

Ondrej Krehel, chief information security officer for Identity Theft 911, writes regularly about the threats consumers face from data breaches on his official company blog.

Digital Espionage in the 21st Century

Mon, 03 Oct 2011 10:04:00 -0700

By Ondrej Krehel

The days of spies in fedoras and trench coats are long gone. The more recent history of governments' planting moles in other governments also is fading. Espionage in the 21st century is anonymous, digital and running rampant.

The world is divided into superpowers and would-be superpowers. In the 1970s and 1980s, manufacturing ruled the day. Now these supereconomies and the global market have an appetite for invention and profit. Intellectual property has never been more at risk.

This year alone, hackers have attacked the International Monetary Fund and a number of U.S. government agencies, including the Pentagon, the CIA, the FBI, and NASA. When Lockheed Martin announced that it was hit, the company wouldn’t say what information was stolen, but the possibilities are mind-boggling. As one of the nation’s largest defense contractors, its computer system holds information on current and future military weapons systems.

The Lockheed attack was made possible through the March breach of RSA, makers of the ubiquitous SecurID key fob. These electronic keys identify employees and regularly update credentials, providing, until now, powerful network security. Attacking RSA was like targeting the locksmith. Own the guy who makes the keys and you own all the locks in town. Lockheed was simply the first lock to get picked.

The hottest liquid-gold commodity, oil, has been targeted multiple times. Classified data related to oil exploration, financial bids, and other confidential matters have been exploited by elite hackers and sold on international markets several times in the last few years. Even the biggest players, Exxon, Shell, and BP, have been breached through Chinese servers.

Governments themselves are at risk. Before the RSA breach this year, Australia and New Zealand made the news. Both government email systems were breached: Although they didn't blame China outright, both governments insinuated that it was the source of the breach. Intelligence experts in the West have said the Red Dragon previously targeted the U.S., Canada, Germany and Japan.

The pace and frequency of these attacks is only quickening. And there are no international regulations that require breached governments or companies to disclose the loss, so assessing the scale of this new kind of espionage is problematic at best, impossible at worst. Even law firms that hold and patent intellectual property are often targets.

Still, we know enough through media sources to say that a hidden war is being waged across fiber-optic lines. Corporate assets are at stake. Intellectual property is the new commerce for our developing digital economies. Never before has information security been so vital to protecting corporate and government secrets.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Will the Move to Electronic Health Records Cause Privacy and Security to Flatline?

Mon, 26 Sep 2011 10:04:00 -0700

By Eduard Goodman

Imagine a visit to the emergency room without the hassle of red tape: Doctors retrieve your medical records in electronic format with relative ease. They quickly gain access to your medical history, ascertain what medications are safe to prescribe, and notify your physician of the visit.

In a perfect world, this is a glimpse of the future in 2014, when all medical data is expected to be stored electronically as part of President Obama’s stimulus package, also known as the American Recovery and Reinvestment Act of 2009.

The stimulus package aims to cut health care costs and make records more accessible and portable. More than $19 billion was set aside to upgrade health information technology to make this happen. The hope was that the funding would motivate physicians, practices and hospitals to make the switch to using electronic health records (EHR).

Unfortunately we don’t live in a perfect world. The Obama administration considered the security ramifications of such a massive undertaking for the medical industry by updating a federal law that sets data privacy and security rules for key players in the American health care system. But its preparations seem modest compared with real problems that are beginning to emerge.

Securing digital health records is a big concern—and for good reason. Paper records can be stored in a locked room with surveillance systems in place. They’re retrieved, opened and shared upon request only. It is much more difficult to lock down digital data, a format specifically chosen because it facilitates easy exchange among health care providers nationwide.

Consider these findings from two audit reports by the Office of the Inspector General for the Department of Health and Human Services:

“Audits of seven hospitals nationwide identified 151 vulnerabilities in the systems and controls intended to protect electronic Protected Health Information (ePHI), of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk,” according to a report titled Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight
The different IT systems used to exchange EHRs has resulted in a lack of general IT security control requirements, according to a parallel audit report titled Audit of Information Technology Security Included in Health Information Technology Standards. This report focused on the need for “general IT security standards and IT industry security best practices,” as well as emphasizing to the medical industry “the importance of general IT security.”

The growing number of politically motivated hack attacks underscores the privacy risks to digitizing medical health records. In the wrong hands, personal health data could be used to inflate insurance rates, deny work to job seekers, or for public humiliation.

Medicine is in the grips of great technological change. Subdermal chips containing your entire medical history could be as common to our children as medical bracelets are today.

It’s troublesome that these sweeping changes are coming before security measures are put into place. You can bet that opportunistic thieves will discover the holes in the system. And when they do, they’ll exploit it.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911. An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar's Internet, E-Commerce & Technology Law Practice Section.

IDT911 Goes Back to School to Help Foster Kids

Mon, 26 Sep 2011 10:04:00 -0700

Our identity theft experts went back to school to teach foster children about the many ways their personal information can be used by criminals.

During the three-day course, we taught 30 ninth-graders about different forms of identity theft, why young people are prime targets, and how they can protect themselves and their credit.

The course was part of the First Star UCLA Bruin Guardian Scholars Summer Academy, founded by First Star, Inc., a charity that works to improve the lives of neglected children.

Foster kids are 20 percent less likely to graduate from college, and they’re more vulnerable to identity theft because of the transitory nature of their lives. They move a lot and their personal information is accessible by many people.

On the sprawling UCLA campus in Westwood, Calif., the children practiced tai chi in the morning, brushed up on their math and writing in the afternoon, and even learned how to make healthy meals from chefs sent by Mario Batali. They also listened to guest speakers, including L.A. Kings left winger Luc Robitaille.

When it came time to learn about identity theft risks for their age group—especially when online for social networks and gaming—we thought they’d be tired out from all the excitement.

We couldn’t have been more wrong.

They tackled our identity theft whodunit—using characters from the “Twilight” movie—and excelled in our exercise modeled after “Are You Smarter Than a 5th Grader?” TV show.

They eagerly took in all our tips, especially after learning the hard facts about child identity theft:

140,000 minors per year are victims of identity theft
43 percent of child identity theft happens when the victim is between the ages of 15 and 17
A minor is 51 times more likely than an adult to have his identity stolen

When the program ended and it came time to watch the ninth-graders walk through the academy’s graduation ceremony, we were touched when they shared their joy with group hugs.

Our team—which included Matt Cullina, CEO; Victor Searcy, director of fraud operations; Brett Montgomery, fraud operations team leader; and Mark Fullbright, senior fraud investigator—participated in the First Star Academy to make a difference in the lives of these young people.

But we were pleasantly surprised to find that the kids made a difference in ours.

Ask the Expert

Mon, 26 Sep 2011 10:04:00 -0700

Question: My business deals with sensitive electronic health information. Do you have any cost-effective suggestions for how I can manage the risk of security breaches?

Answer: That’s a great question. More medical professionals are using electronic health records (EHRs) due to government incentives and changing attitudes toward patients’ involvement in their health care. Protecting the private data contained in those records is more important than ever. Also, state and federal breach notification laws are becoming broader in scope. That means more businesses are required to report data breaches to the public, which in turn increases their exposure to lawsuits by affected patients, partners and even employees. Clearly, it’s smart business to ensure the security and privacy of data networks.

Broadly speaking, data safety equals patient safety. So as a first step, identify any activities that might compromise data security. Negligence is currently the No. 1 driver of data breaches. In fact, according to a Ponemon Institute survey, IT and compliance professionals believe that 79 percent of data breach incidents are caused by negligence—50 percent due to internal negligence. Lost laptops or USB drives, for example, may be found and put to malicious use by people with criminal intent. Sometimes, too, employees are tricked into releasing sensitive data through spear phishing schemes. In any event, companies can take a preventive approach by instituting employee education and training programs aimed at curtailing negligent behavior. It’s also smart to put an effective encryption plan in place—ideally one that meets federal standards, as laid out by such organizations as the National Institute of Standards and Technology.

Breaches also can occur through the negligence of independent contractors or vendors, so be sure to do your due diligence and run basic background and credit checks on any vendors with whom your business will be sharing sensitive data. Also, be sure to have a candid conversation with potential vendors about whether they understand data security issues and have a process in place to safeguard EHRs and related data. Avoiding data dumps also is critical; your business should provide third parties with only the information they need to do their jobs (for example, billing partners likely don’t need a patient’s complete health history).

Finally, require network security and privacy (NSAP) coverage as part of any vendor contract. And, just as important, consider purchasing NSAP insurance for your own company. These days, there are many insurers to choose from. But whomever you sign with, the agreement should be broad enough that it is triggered whether a failure to protect information stems from internal employee negligence, vendor negligence, or an outright criminal act. As an added benefit, many NSAP insurers also provide proactive assistance with the risk management process.

Paul E. Paray , Esq., is a commercial litigator with more than 15 years of experience resolving complex claims. Paray is a member of the New York, New Jersey and Washington, D.C., bar associations and has spoken and written extensively on the management of digital risk.

Letter from the Chief Privacy Officer

Mon, 26 Sep 2011 10:04:00 -0700

With cold and flu season approaching, it’s a good time to examine the health of electronic medical records. A cough and runny nose are minor symptoms compared with the more significant aches and pains caused by digital health data security risks.

Keeping electronic health records private is a growing challenge for health care providers. Recent federal audits show security vulnerabilities in digital medical records and systems that share such data. Like the viruses that prey on our immune system, opportunistic thieves are waiting to take advantage of weak security protections.

In our Ask the Expert column, we take a look at how businesses that handle sensitive electronic health data can manage the risk of security breaches. Paul E. Paray, our guest expert and a corporate litigator, shares practical tips for businesses to better protect their customers’ and employees’ digital health data.

One customer’s nightmare began when she discovered that she was ”tagged” with someone else’s medical bills adding up to more than $180,000. The problem had a dramatic impact on her credit file. Learn how one of our fraud investigators stopped creditors from hounding her and restored her credit rating.

Our top fraud experts went back to school to teach foster children about identity theft at the First Star UCLA Bruin Guardian Scholars Summer Academy in Los Angeles. Working with the 30 ninth-graders over the course of three days was an incredibly rewarding experience. Read more about our work to empower foster youths who are vulnerable to this crime.

Finally, this month’s newsletter offers disaster tips to help you stay ahead of the storm. Hurricane Irene caused extensive flood and wind damage to parts of the East Coast. In addition to enduring devastating losses, many people must replace lost documents like birth certificates and Social Security cards. With the hurricane season not yet over and the possibility of autumn twisters, our experts’ advice can help you prepare for the unexpected.

As always, we hope you enjoy.

Eduard Goodman
Chief Privacy Officer
Identity Theft 911

White House Wants to Prevent E-Fraud

Mon, 19 Sep 2011 10:04:00 -0700

One problem that is a point of concern for many Americans is that online fraud is still rampant. But in an effort to help reassure that the transactions they make on the Web will be safe, the Obama administration will soon launch a new type of identification.

The White House plan, officially known as the National Strategy for Trusted Identities Online, was introduced earlier this year and may soon be rolled out, according to a report from The New York Times. This is being done both in an effort to reassure Americans about the safety of their online transactions ease the way in which they are completed.

"What if states had a better way to authenticate your identity online, so that you didn’t have to make a trip to the D.M.V.?" Jeremy Grant, the senior executive adviser for identity management at the National Institute of Standards and Technology, which is overseeing the plan, told the newspaper.

The benefits are clear: companies and government agencies alike would be able to process and secure transactions by consumers with greater ease using a uniform system, the report said. However, some critics of the idea are wary of what that would mean for consumers' identities should the accounts be compromised. The inherent problem with such a system, they argue, is that each user would likely have their account connected with their name, email address or other identifying information that allows companies to track their movements online.

One expert likened the use of a single or small number of agencies to protect an all-encompassing piece of consumer information such as this to using a single master key, rather than a key ring that allowed entrance to some things, but not all of them, the report said.

In addition, there is some concern among privacy experts that the use of these accounts would allow banks, for example, to look into what government or commercial sites their customers visit, the report said. Further, the financial institutions themselves may also be able to access the information of customers at rival banks.

In the end, it will be up to each individual to determine whether such a system, should it ever be put into place, is right for them and their identity protection needs.

For more information on data breaches, check out the blog of Brian McGinley, senior vice president of data risk management for Identity Theft 911.

More Breaches Caused by Third Parties

Mon, 12 Sep 2011 10:04:00 -0700

Most consumers trust their information to major organizations on a regular basis, including businesses, government organizations and healthcare providers. But while many data breaches come from these groups, a large and growing number are also being caused by third parties.

Many organizations are now farming out the management of the private personal or financial data they handle for consumers to companies that specialize in storing and protecting this information. But a number of recent data breaches have also been caused by these third-party vendors, leaving consumers in the lurch - and vulnerable to all types of fraud including identity theft - through no fault of their own, or the company to which they entrusted their data.

One such incident recently came when a data management company that was hired to protect data for Stanford Hospital in Palo Alto, California, posted a spreadsheet containing the names and medical information for more than 20,000 emergency room patients on an online student help site. Another such infamous incident is when the online marketing company Epsilon was attacked by hackers, exposing hundreds of thousands of consumer records for a large number of major companies, including Disney, Walgreens, Best Buy, TiVo, JPMorgan Chase, Citi, Capital One Financial and several more.

In the event that such an incident takes place, consumers should make an effort to find out as much as they can about the breach, including what information was exposed. Further, they should then take steps to protect the information or accounts that may have been exposed.

This can include changing passwords for email addresses and online accounts, as well as checking monthly financial documents such as credit card bills and bank statements to ensure that no suspicious transactions appeared. And if more sensitive information such as a Social Security number was exposed in a breach, consumers should also order a copy of their credit report to ensure that no new loans or other accounts have been fraudulently opened using their personal information.

Current laws for data breach notifications vary from state to state, so also it's important for consumers to learn as much as they can about the ways businesses that cause data breaches have to contact them, and what services, if any, they are required to provide.

Beware of September 11 Anniversary Scams

Mon, 05 Sep 2011 10:04:00 -0700

The 10th anniversary of the largest terrorist attack on American soil is quickly approaching, prompting consumers across the country to remember the occasion with donations to charitable organizations.

However, particularly unscrupulous crooks hoping to prey on the national tragedy will also likely use the opportunity to steal information or money from unsuspecting consumers who just want to do their part. The world is far more reliant on digital information now than it was in 2001, and as such, many thieves are taking to social networking sites and email services in an effort to try to steal from Americans.

For example, many may attempt to start bogus memorial funds and promote them using Facebook and Twitter messages. And in doing so, they may ask consumers to either contribute money or otherwise turn over sensitive financial information such as their credit card or bank account numbers. For this reason, it's advisable that consumers only make contributions to well-known and reputable funds and charities so that they're not duped by an identity thief looking to capitalize on national sorrow.

Another way crooks may try to gain access to consumers' critical personal or financial information is by sending links to fraudulent websites. Typically, these will show up in email and social network inboxes with sensationalist titles related to Al Qaeda, Osama Bin Laden or other names and places associated with September 11. But consumers who click these links will find that there is no video, photo or article, as the site was merely put in place to load malicious software onto the victim's computer. These programs are specifically designed to mine systems for information such as stored credit card or bank account information, which can then be used fraudulently by the crooks who set up the site.

Consumers who want to protect themselves from these threats will need to be vigilant and more cautious than normal during this trying time. They should always closely examine all links they're sent and verify URLs to make sure they're legitimate, and only turn over sensitive data if they're absolutely sure the site won't lead to fraud. Further, it may be a good idea to install antivirus software and scan all potential email attachments and downloads to make sure that they won't do any harm to a computer.

For more tips on how to avoid 9/11 scams, read this post by Identity Theft 911's chief information security officer Ondrej Krehel.

Medical Identity Theft Causes Big Problems

Fri, 02 Sep 2011 10:04:00 -0700

Many consumers may have recently noticed an uptick in the amount of information being exposed in data breaches caused by medical organizations, insurers and healthcare providers.

There are a number of reasons for this disturbing trend.

One of the biggest is that many medical organizations are now in the process of digitizing their records so that information on patients can be shared more efficiently between doctors or insurance companies. But as a result of this sea change in the industry, the likelihood that this information - which was once stored in locked filing cabinets and only accessed when absolutely necessary - will be exposed increases considerably. Often, it's just the result of a mistake by an employee, such as a misplaced thumb drive or the accidental transfer of the data from a work email address to a personal one. But the incident makes it no less concerning for patients who have their information exposed in such an incident.

Another, and more insidious, reason that more these types of breaches are taking place, and putting consumers at greater risk for medical identity theft, is that criminals have begun to identify this data as a treasure trove.

The reason why is simple: consumers' medical records may contain all types of data, including their personal information, financial details and even medical history and records of their health insurance providers. Normally, thieves would have to search in a large number of places to cull all that data about a person, but a medical file will have all of it in one unfortunately convenient place. Names, addresses, dates of birth, Social Security numbers, payment information, health insurance policy numbers, medical history; all of it is likely stored in one thin medical file.

This ease of stealing data on consumers has led to more data breaches because unscrupulous employees or even thieves who break into offices after hours are swiping large amounts of records, and using the information contained in them to open lines of credit, make fraudulent purchases and even receive free medical treatment while attempting to leave their victims with the bill.

Consumers should closely monitor their credit report and monthly financial statements to determine that no accounts, treatments or fraudulent purchases have been made without their knowledge.

Young People Face Identity Theft Threats

Fri, 02 Sep 2011 10:04:00 -0700

As the back to school season approaches, many parents may be sending out their kids' personal information to new schools so they can complete enrollment. But it may not be a good idea to share many aspects of a child's personal data.

A large and growing number of kids are being victimized by identity theft these days for a number of reasons. One of the biggest motivations for crooks to steal the personal information of children - such as their names, addresses, dates of birth and Social Security numbers - is that the crimes likely won't be discovered for years. In many cases, parents would never think to check their child's credit report, and as a result, bogus accounts opened using their information may go years or in some cases decades without being discovered. As a result, it may be easier for some crooks to get away with the crime, and more difficult for the victim to resolve.

Further, many crooks may choose to steal kids' identities because they have clean credit records. If the criminal has a spotty borrowing history and may not be able to get access to a new credit card or loan, they may use a child's information to do so. While the kid will have no borrowing history whatsoever for lenders to base their decision on, it may still put the thief in a better position to be granted the line of credit than on their own.

Disturbingly, the person behind child identity theft isn't some nefarious criminal operating from a darkened room, hacking away at email accounts. More often, it's a relative or family friend who has ready access to most of or even all the information necessary to complete the crime.

So how can consumers tell if their child has been victimized by identity theft? One of the best ways to do so is to keep any eye out for mailed marketing offers or phone calls the child may receive. If they start getting preapproved credit card offers or calls about debts they owe, this is almost certainly a sign their information has been used illegally. If this is the case, it might be a good idea to contact local law enforcement or the nearest attorney general's office to find out what recourse you may have to clear up the crime as quickly as possible.

USB Devices Create Data Breach Issues

Thu, 01 Sep 2011 10:04:00 -0700

These days, having the ability to share information and take it on the go is incredibly important in many different types of businesses. But this demand for greater portability is also causing major problems, because now more of these storage devices have large amounts of data saved on them.

A large and growing number of businesses in a variety of fields are now suffering more data breaches as a result of lost USB flash drives for a number of reasons. The most obvious way such an incident can occur is the loss or theft of this type of device, which can be especially concerning for affected consumers if the data stored on the drive is not encrypted.

However, recent surveys have found that many of these incidents are now being caused by the use of USB drives that contain malware. When these are inserted into computers containing sensitive information, the virus will be loaded onto the system and go to work mining for specific types of information, such as credit card or Social Security numbers.

Another way a data breach may occur as a result of the use of USB flash drives is through employees taking the devices off the business's premises and using that data on a personal computer. Often, this is a largely innocuous practice, but it's considered a data breach because a personal device may not have many of the security measures in place that a legitimate company's might.

Meanwhile, many companies have security concerns of their own. Many do not employ enough precautions - such as antivirus software, firewalls and proper authentication techniques - to ensure that data is as safe as many security experts recommend. In addition, many likely do not have any standardized rules in place for how to handle USB drives, or report when they go missing. Problematically, companies and consumers alike have the ability to add encryption for USB devices that will help to protect the information stored on them, but often do not use those options.

In addition, this trend is not likely to reverse itself in the near future, as needs for data portability will only increase over time, leading to greater risk for USB device-related breaches for those who do not take steps to protect the information stored on them.

Hackers Target Government Agencies

Thu, 01 Sep 2011 10:04:00 -0700

In recent months, there have been a large and seemingly ever-growing number of reports of enterprising hackers gaining access to and stealing information from government agencies at all levels.

In some cases, this may be the result of hacktivist groups with an axe to grind over a political issue, intentionally stealing and releasing sensitive government information largely as a show of force. However, this is also sometimes the result of international cyberwarfare, which is growing in popularity among major world governments.

For example, a number of reports earlier this year indicated that hackers in China - possibly working in affiliation with that nation's government - had breached the secure servers for a number of major organizations in the U.S., in both the private and public sectors. However, the Chinese government also recently reported that it had been hit with nearly half a million cyberattacks in 2010.

However, a recent string of more insidious cases was not carried out by hackers working for any government body, but rather working against the U.S. government for political reasons. The infamous hacking groups Anonymous and AntiSec recently have been targeting the servers and computer systems of contractors and other defense companies that have ties to the federal government, stealing sensitive proprietary data. Upon doing so, they simply post the information online for anyone to view. Perhaps more troublesome is that they seem to do it for sport.

Indeed, recent reports from security firms show that the U.S. is being increasingly targeted by cybercriminals, and a large number of those that were put in hackers' crosshairs are affiliated with the military. This can be troublesome because unless these organizations have a success rate of 100 percent, data that's sensitive to national security could end up being exposed. In addition, these companies are not protected by the federal government specifically despite their affiliation. Only those with .gov domain names are safeguarded by the Department of Homeland Security, and the military can do little to force private sector organizations to beef up security on their end.

In addition, it's likely that this problem will probably become more prevalent, not less, in the coming years. As more data is digitized, it is more likely to be attacked by those who want to expose it, whatever their reasons may be.

What to Do When Disaster Strikes

Mon, 29 Aug 2011 10:04:00 -0700

In recent months, we have seen many consumers' homes hit with some sort of natural disaster like floods, tornadoes and fires. And with hurricane season underway, the number of Americans affected by such an incident could grow appreciably.

But many consumers may not be aware of - or even consider - what they should do in the wake of a natural disaster when it comes to protecting their finances and information from the threat of identity theft. For example, in disasters such as tornadoes and hurricanes, high winds may carry personal documents miles away and leave them lying on the side of the road for anyone to find, and for this reason, it may be helpful to call all lenders and banks and alert them to the potential problem immediately after the storm. This way, the financial institutions may at least be able to better protect consumers from the threat of fraud. Identity Theft 911 CEO Matt Cullina also says consumers should also be alert to criminals using that paper work to poser as bank representatives.

For the same reasons, he says it's probably a good idea for affected consumers to check their credit reports to make sure that no fraudulent accounts have been opened using their exposed information.

Another problem that often arises in the wake of such disasters is that many crooks may come calling. Some may pose as representatives of government agencies or insurance companies and ask for detailed personal information about affected consumers or their finances, but disaster victims should be wary of this type of solicitation because no legitimate organization would ever conduct business in this manner.

And while some criminals may call a person in an attempt to garner this information, more enterprising thieves might instead opt to show up at victims' doors to increase the appearance of legitimacy. However, consumers should try to avoid answering any questions that may lead them to reveal personal information such as their date of birth or Social Security number, and alert local law enforcement officials about the incident.

One other scheme that regularly pops up after disasters is crooks who offer to repair damaged homes at rates that seem too good to be true. But the scam with these criminals is that they demand a large amount of money - often a few thousand dollars - up front. However, after making the payment, bilked homeowners will often find that their money and the bogus contractor are nowhere to be found.

Consumers can also work to take steps before a disaster. This post from data expert and Identity Theft 911 Senior Vice President Brian McGinley says consumers should have an identity protection plan in place.

Letter from the CEO

Thu, 11 Aug 2011 10:04:00 -0700

As summer ends, college students are getting ready for the new academic year. It’s a busy and exciting time for them and their families. They’re moving into dorms or apartments, starting part-time jobs, and sorting out the red tape that comes with student loans and course registration.

But for undergraduates who’ve been the unwitting victims of child identity theft, this can be a period of unexpected challenges. Many young adults, such as Jaleesa Suell, discover the crime in their 20s, years after it has occurred, and they struggle to rehabilitate their credit records. They can’t get credit cards, rent a house or apartment, or secure a loan without their parents co-signing. They might even have trouble landing a job—all because someone stole their identity from right under their nose. We examine this problem, and one solution. You can also listen to Suell’s story here.

Also in this issue, we share one schoolteacher’s hard lesson in identity theft. Imagine Mark Kendel’s shock when he was arrested for writing bad checks in Florida—crimes committed by an identity thief. Learn how one of our fraud investigators took steps to restore his good name.

More than 8 million people were victimized by identity theft last year, and your odds of getting hit increase depending on which state you live in. Learn which factors make some states more vulnerable to attack than others by viewing our slideshow on the 5 Worst States for Identity Theft. Learn how to protect yourself, even if you think your state or city is immune from the crime.

Finally, this month’s Ask the Expert column discusses the disturbing British phone-hacking scandal. As journalists and politicians get grilled over their conduct, the question remains: How is it possible for someone to hack into my cell phone for voicemail messages and other information? Surprisingly, no one is immune from this kind of spying, but there are ways to make life tougher for the intruders. Ondrej Krehel, our Chief Information Security Officer, shares 10 tips to help you shore up your mobile devices and keep your personal life personal.

As always, we hope you enjoy.

Matt Cullina
Chief Executive Officer
Identity Theft 911

Pomp and Suspicious Circumstance

Thu, 11 Aug 2011 10:04:00 -0700

Jaleesa Suell overcame a difficult past, but today the 21-year-old George Washington University student’s greatest challenge is one that threatens her future: child identity theft.

She recently applied for a credit card to establish a credit history—and was denied. Suell spent a good part of her childhood in foster care, living in six different homes and occasionally with relatives until she became an adult. One of her guardians opened a credit card in her name and then defaulted on the payments.

The discovery was devastating. “As a youth in the system, I often worried if I was going to have a place to live the next day or have food,” said Suell, who has ambitions to be a child advocacy lawyer. “I’ve worked so hard to ensure that won’t happen. But I was considered a liability because a family member stole my identity.”

Like Suell, many child identity theft victims first detect the crime when they’re in their 20s, in college, and applying for credit for the first time. They find themselves burdened with someone else’s debt and often unable to secure financing for their education and, later in life, mortgages and auto loans.

Children are tempting targets for identity thieves because they have pristine credit histories and no reason to check a credit report. Foster children like Suell are even more vulnerable because they move around and have various legal guardians who have access to their personal information.

The Federal Trade Commission reports that victims ages 19 and younger comprised 8 percent of all identity theft complaints in 2010, compared with 7 percent the previous year. A recent Carnegie Mellon study found that Social Security numbers of 10.2 percent of children studied had been misused—more than 50 times the rate for the adults studied.

But experts believe those numbers don’t accurately reflect the severity of the problem for children because many perpetrators are related to their victims—and many people are either afraid or hesitant to pursue legal action against a member of their own family.

There is disagreement over the best way to protect minors from identity theft, though all agree that something must be done. The Identity Theft Resource Center has proposed the 17-10 Solution, a registry containing the names, birth dates and SSNs of everyone under the age of 17 years and 10 months. Potential creditors or employers would be required to check all applicants against the database, and, if there is a match, to investigate further before granting credit or hiring.

Privacy experts debate the safety of such a vast store of information. But as Suell and tens of thousands of others like her can attest, any solution is better than allowing the problem to continue at its current pace.

At first Suell tried to remove the bad debt from her credit report on her own until she was referred to Identity Theft 911 for help.

Mark Fullbright, an Identity Theft 911 fraud investigator assigned to her case, immediately took steps to restore Suell’s good name and credit. He placed a fraud alert on her credit report and enrolled her in Identity Theft 911’s fraud and credit monitoring program.

“Mark has been a great help,” said Suell, who was thankful for his help with coordinating communication with the credit bureaus, banks and collection agencies involved. “He’s offered advice on how to build my credit once the dispute is resolved,” she said. “Identity Theft 911 has been nothing but helpful.”

Teacher Learns a Hard Lesson About Identity Theft

Thu, 11 Aug 2011 10:04:00 -0700

Mark Kendel was running errands with his two children when police pulled him over and arrested him on the spot.

A routine license plate check had produced arrest warrants in his name for thousands of dollars worth of fraudulent checks written in Florida. He spent the night in jail and appeared before a judge the next day—in handcuffs. Bail was set at $5,000. He was released after his wife posted a $500 bond.

“The experience was humiliating,” said Kendel, 39, who teaches special education at an Ohio middle school. He said he’s never written a bad check or lived in Florida. About the charges, he added, “I was bowled over. I had no idea what they were talking about.”

The incident took an emotional and financial toll on his family. Kendel was permitted to drive his two children home before going to jail. In subsequent months, however, the family found it difficult to put the episode behind them.

In the following days, Kendel contacted Florida’s attorney general’s office, which explained that someone had used his name, personal information, and image to open several accounts at local banks and Costco. Mark Kendel was listed as the account holder and described as a local business owner. The address of the supposed company was for a vacant lot.

Kendel contacted his home insurer, MetLife Auto & Home, which offers identity protection services on its renters, condominium, homeowners, and automobile policies in most states. The service is offered to customers at no additional cost.

“MetLife Auto & Home is proud to be the first major insurer to offer this enhanced service to customers, which provides a solution designed to help protect consumers against identity theft,” said Deb Quinlivan, senior product consultant at MetLife Auto & Home. “Hopefully it's a service you'll never need to use, but in the event the worst occurs, it can be a powerful tool to help clear your good name.”

Kendel was connected to Mark Fullbright, an Identity Theft 911 fraud investigator, who helped Kendel file a police report, enrolled him in Identity Theft 911’s fraud and credit monitoring program, and placed a fraud alert on his accounts.

Fullbright also worked with law enforcement in Florida and Ohio to expunge Kendel’s record.

”Mark Fullbright was phenomenal,” Kendel said. “I had a lot of questions, and he was there to give me advice on the actions or future precautions I could take. Every time I needed something he was there to reassure us.”

Ask the Expert

Thu, 11 Aug 2011 10:04:00 -0700

Q: I’ve been reading a lot about phone hacking. What is it, and how can I protect my mobile phone?

A: Phone hacking conjures up images of sophisticated high-tech espionage, and it is. The British scandal, however, involves what is more accurately described as voicemail spying, which really isn’t as complicated or as sinister as it sounds. Voicemail spying simply entails breaking into someone else's voicemail.

It’s easier to do than you’d think. Many cell phone providers don’t require a PIN to access voicemail, and few people bother to add one. Although users are given a default PIN, many of them don't change it. Either way, it's an invitation to thieves who know how to "spoof" a phone number, that is, to appear to call from a victim’s personal phone so that a PIN isn’t required to gain access to voicemail.

Fortunately, it’s not hard to protect your mobile device. Follow these 10 tips:

Password-protect your mobile device and voicemail with a PIN.
Memorize your PIN. Don't record it on anything you carry with you. Change your PIN periodically.
Use “strong” PINs that are hard to guess. These will have upper- and lowercase letters, numbers, and at least one symbol. For example, "3Dog$" is better than "1006." You may be limited in PIN selection by the type of phone that you use but do the best you can to create a strong PIN.
Never use a PIN (or password) with the last four digits of your Social Security number, your date of birth, your middle name or anything else that's easily guessed or subject to ready access via other sources.
Encrypt smartphones used for sensitive business communications, activate a time-out password and install an updated antimalware program and on-device personal firewall.
Don't open unfamiliar attachments, emails or text messages from unknown sources. They’re likely to be harmful.
Be judicious about the type of applications that you download. Many apps come with spyware or other malicious software. Consider using a more secure computer for sensitive tasks such as online banking.
Delete voice and text messages with financial or personal information.
Data-wipe mobile devices. Use programs to destroy a device's data if the password is entered incorrectly a certain number of times—say 10. Take advantage of software that locks the phone or erases the data remotely if the phone is lost or stolen.
Before throwing away or recycling a mobile device, delete the information on it. The website Recellular.com provides a deletion guide for most cell phones.

DefCon Conference Covers Hacking, Data Security

Wed, 10 Aug 2011 10:04:00 -0700

A conference of self-confessed hackers in Las Vegas may not necessarily sound like the best idea to many consumers, but it turns out that not all hackers are created equal.

The DefCon Conference, held annually for the last 19 years, is a meeting of hackers, yes. But it's one that is designed to address thelarge and growing number of security concerns facing the world's consumers and companies, and the way they handle and, more importantly, protect their data.

The annual conference is used by both criminal hackers and the IT pros tasked with stopping them (often referred to as "black hat" and "white hat" hackers, respectively) to discuss the many security concerns firms big and small may face from cyberthieves. This year even opened its doors to kids between the ages of 8 and 16 who are interested in hacking. This was done in the hope that these youngsters will use their advanced computer skills to fight crime instead of create it.

Among the main topics at this year's adult conference, however, was the way consumers and companies alike work to protect data stored on mobile devices such as smartphones and tablet PCs. Because consumers are putting more of their sensitive personal, financial and even medical data on these devices, hackers have been able to mine them more effectively in an effort to steal information.

True to this concern, some of the attendees may have found out the hard way that they're not as safe as they'd like to think. Multiple reports indicate that the hacktivist groups Anonymous and LulzSec made an appearance in the form of bogus application upgrades that were offered to those using 4G and CDMA wireless networks. The goal of these attacks was to infiltrate a large number of devices and intercept data being sent to and from them.

Beyond mobile phones, some researchers also held demonstrations that illustrated how hackers may be able to carry out various attacks by exploiting previously unknown security flaws, including how to hack printers in offices, smartphones and even laptop batteries. Other activities included games and contests for hackers who want to prove their prowess at stealing files or accessing data stored difficult-to-crack devices like voting machines.

What to Do When Disaster Strikes

Thu, 04 Aug 2011 10:04:00 -0700

In recent months, we have seen many consumers' homes hit with some sort of natural disaster like floods, tornadoes and fires. And with hurricane season rapidly approaching, the number of Americans affected by such an incident could grow appreciably.

But many consumers may not be aware of—or even consider—what they should do in the wake of a natural disaster when it comes to protecting their finances and information from the threat of identity theft. For example, in disasters such as tornadoes and hurricanes, high winds may carry personal documents miles away and leave them on the side of the road for anyone to find, and for this reason, it may be helpful to call all lenders and banks and alert them to the potential problem immediately after the storm. This way, the financial institutions may at least be able to better protect consumers from the threat of fraud. Identity Theft 911 CEO Matt Cullina says consumers should also be alert to criminals using that paper work to poser as bank representatives.

For the same reasons, he says it's probably a good idea for affected consumers to check their credit reports to make sure that no fraudulent accounts have been opened using their exposed information.

Another problem that often arises in the wake of such disasters is that many crooks may come calling. Some may pose as representatives of government agencies or insurance companies and ask for detailed personal information about affected consumers or their finances, but disaster victims should be wary of this type of solicitation because no legitimate organization would ever conduct business in this manner.

And while some criminals may call a person in an attempt to garner this information, more enterprising thieves might instead opt to show up at victims' doors to increase the appearance of legitimacy. However, consumers should try to avoid answering any questions that may lead them to reveal personal information such as their date of birth or Social Security number, and alert local law enforcement officials about the incident.

One other scheme that regularly pops up after disasters is crooks who offer to repair damaged homes at rates that seem too good to be true. But the scam with these criminals is that they demand a large amount of money - often a few thousand dollars - up front. However, after making the payment, bilked homeowners will often find that their money and the bogus contractor are nowhere to be found.

Consumers can also work to take steps before a disaster. This post from data expert and Identity Theft 911 Senior Vice President Brian McGinley says consumers should have an identity protection plan in place.

Ask the Expert

Thu, 14 Jul 2011 10:04:00 -0700

Q: What are the challenges that businesses face when dealing with wire fraud?

A: Banks and credit unions are losing hundreds of millions of dollars due to wire fraud each year, and once the money is gone it’s almost impossible to recover. Under banking regulations, an institution that wires money to another organization is responsible for the funds. In a fraudulent wire transfer, the funds often disappear after multiple transfers to domestic and international locations.

In this day and age, banks and credit unions want to be competitive. They don’t want to lose customers. And consumers want convenience. Financial institutions work hard to make banking as easy and secure as possible. But when it comes to wire transfer fraud, it’s in the consumers’ best interest to opt for less convenience and better security.

The latest technology, which makes it easier to deposit and transfer money, also makes it easier for criminals to commit wire fraud. Now consumers don’t even have to visit an ATM. They can pull out their smartphones, log in to their banks, access their accounts and transfer money. Consumers can just snap a picture of the front and back of an endorsed check and send that using a bank app. And that’s it—the bank doesn’t require any further verification.

Criminals are aware of this technology and are using it to their advantage. Since they know that customers rarely visit bank branches, it is easier to take over their identities.

Banks and credit unions either need to be able to take a financial hit when they become a victim of wire fraud, or they need to slow down the process of how money is transferred. If banks can’t afford the loss, they need to make things more inconvenient. They could require consumers to visit a bank branch and show identification for certain kinds of transactions. Verifying the information over the phone isn’t good enough to prevent wire fraud because criminals often hijack a victim’s phone lines. And when they receive the call from a bank requesting verification, the fraudster will be able to impersonate the victim—they will be able to provide the last four digits of a Social Security number and a mother’s maiden name.

Businesses can help protect their customers by following these six tips:

Set a monetary threshold above which wire transfer requests must be made in person.
Encourage members to add “strong” passwords to their accounts. A strong password contains numbers, symbols and characters; it doesn’t use a date of birth, child or pet’s name, or mother’s maiden name. Members should change passwords often and avoid using the same one for online banking that is used for shopping or social networking sites.
Keep multiple current phone numbers and email addresses on accounts so customers can be reached in the event of a suspicious transaction or problem.
Look for recent changes to customer activity and profile characteristics that might indicate someone is testing the system or changing information.
Use “Out of Wallet” verification questions that are based on information driven by public records or credit history.
Trust your instincts. If the caller can verify everything, but you still feel like something is wrong, then don’t approve the transaction. Have the customer appear in person.

Credit unions especially need to beef up their fraud departments, so they are more aware of red flags and better able to respond to fraudsters. Spending the time and money now can save millions of dollars in the future.

Victor Searcy has more than 20 years of experience managing fraud operations in the banking industry. His areas of expertise include fraud detection, claims, investigations and recovery functions.