
ID theft

All about how it happens and how you can keep it from happening to you.

December 2008 - Posts

  • Katrina aid applicants' info posted on Internet; FEMA says, "We're (mostly) not to blame."

    I’m going to try real hard to remain objective about this data breach and trust FEMA when they say they had nothing to do with further victimization of Hurricane Katrina survivors. It’s going to take a whole lot of effort, though, given FEMA’s track record.

    No matter who’s responsible for the screw up, the fact remains that the personal information of almost 17,000 Katrina survivors somehow ended up posted on the Internet.

    FEMA maintains that MOST (emphasis is mine; qualification is theirs) of the information pertaining to aid applicants from Mississippi, Louisiana and Texas was appropriately released to an unidentified agency of an unidentified state, and that that unnamed state agency is responsible for posting the data on not one but TWO privately-owned websites.

    (Is it just me? Doesn’t their saying MOST of the information was appropriately released beg the question of which information was “inappropriately” released? Or, how did it happen that some of the information was “inappropriately” released? Or, will anyone at FEMA ever take responsibility for the never-ending debacle that is post-Katrina assistance?)

    Could it get any worse for these 16,857 people who sought assistance from the Federal Emergency Management Agency? The answer is “you bet it could”. Now that their names, addresses, Social Security numbers and other personal information have been made available to almost anyone in the world, there’s a pretty good chance that at least some of these folks will have their identities stolen.

    An only partially unrelated side note

    The February edition of Vanity Fair will feature an oral history of President George Bush’s administration, with these comments from Matthew Dowd, Bush's pollster and chief strategist for the 2004 presidential campaign:

    'Katrina to me was the tipping point. The president broke his bond with the public. Once that bond was broken, he no longer had the capacity to talk to the American public. State of the Union addresses? It didn't matter. Legislative initiatives? It didn't matter. P.R.? It didn't matter. Travel? It didn't matter.'

    (Oops! Looks like my objectivity is "mostly" blown.)

    Posted Dec 31 2008, 10:15 AM by IdentityTheft with no comments
  • New Hampshire data breach makes them latest member of STUPID, States That Undermine Personal Information Defense

    The New Hampshire Dept. of Health and Human Services “inadvertently” exposed the personal and financial information of 9,300 of the state’s Medicare Part D participants.

    State officials claim that the unidentified employee who “mistakenly” attached the information to an email did so “accidentally”, but other unnamed employees express jubilation that the incident qualifies the state for membership in STUPID, States That Undermine Personal Information Defense.

    “Earlier membership carries greater honor,” the mole said. “We really were concerned that we would miss the December 31 deadline for 2008 STUPID membership and get left out entirely like Arkansas, Delaware and Wyoming.”

    Forty-seven states have now met the criteria by placing their residents at risk of financial, personal, criminal and medical identity theft; no new members will be admitted to STUPID after this year. Instead, member states will vie for honors according to a points system based on the overall number of data breaches, the number of residents exposed and the number of risk categories the data breaches fulfilled. Special honors will be awarded to states whose employees initiate the STUPIDest data breaches.

    STUPID Club officers have previously expressed frustration with finalizing the point system structure. Member states delayed the finalization because of a proposal that laptop loss or theft would carry no points. Laptop Information Loss, LIL, will no longer add to the total point tally.

    “The officers felt that LIL had become so commonplace that it no longer carried an honor,” a STUPID Club officer said, “and after looking at the data, our member states agreed.”


     

    Posted Dec 18 2008, 01:59 PM by IdentityTheft with no comments
  • Brits may have to kiss their medical privacy goodbye

    I usually limit my writing here to identity theft risks and privacy right violations that occur in the U.S. But occasionally there are incidents or risks so great, mind-boggling or boneheaded they seem relevant. This is one of the more appalling potential risks.

    Two of the UK’s largest and most influential research organizations—Wellcome Trust and Medical Research Council—are pressuring the government to allow them access to patients’ complete medical records (including all identifying information) without the patients’ consent.

    The organizations’ impetus is that access to the information would provide them with ideally targeted, demographically representative and easily accessed candidates for research and clinical trials.

    The researchers’ vision goes something like this:

    (ring, ring) Patient: Allo?

    Researcher: Allo, Mrs. Smith. I’m from Wellcome Trust, and we’re conducting clinical trials on a drug for people who have a history of genital herpes, Chlamydia, gonorrhea and genital warts. I have your most private medical information before me now, and it looks like you reported to your physician that you had sex with 147 partners before you married your husband, the vicar. We think you’d be an ideal candidate for our research.

    Or:
    (ring, ring) Patient: Allo?

    Researcher: Allo, Mr. Jones. I’m a researcher with the Medical Research Council, and we’re conducting research on people like you who suffer from long-term erectile dysfunction caused by latent homosexuality and the trauma of being buggered by a priest.

    Patient: Wait just a minute. My wife’s mother is here. Let me take you off speakerphone.
     

    Posted Dec 17 2008, 01:53 PM by IdentityTheft with 2 comment(s)
  • And you thought you were doing a good thing

    The company name “Innisbrook” might not immediately ring a bell. But, if you have kids in school, or if your siblings, friends or coworkers have kids in school, or, if there’s a school kid living within a two-mile radius of your home, chances are you’ve been approached by a kid trying to sell you Innisbrook’s gift wrapping, candy or school supplies.

    Thousands of schools around the country sell Innisbrook products as fundraisers.

    Well, it looks like someone else was forgoing the gift wrap and hacking Innisbrook’s online school supplies site in August as their own personal fundraising project. And, though thieves aren’t typically very smart, this one was clever enough to plan his work for a time when a million frantic parents were ordering up pencils and notebooks for their little darlings at the start of a new school year.

    Innisbrook’s customer service manager, Debi Stacy, said 24 North Carolina schools were affected, but wouldn’t say which ones. Only online customers who paid with credit cards were affected, she said, but wouldn’t say how many. What she most wanted to get across was that the Innisbrook school supplies server was the only one affected.

    So, according to Innisbrook, if you bought gift wrap, you’re safe, even if you bought it online. In fact, buying gift wrap online is probably safer than buying it from a fundraising kid; buy from them just once and they’ll keep coming back like hungry stray dogs.

    And, really, would you trust your credit card information to a fourth grader?
     

    Posted Dec 16 2008, 02:49 PM by IdentityTheft with 1 comment(s)
  • Identity thief killed him off, stole his house and took out loans against it

    Identity theft is always a rotten experience, but on a 1 to 10 scale, this one probably rates a 9. (I reserve 10s for the people who get arrested because a sleazebag ID thief used the victim’s name when they got arrested.) Read it, and let me know how you’d score it.

    James Plummer has finally gotten his house back after a five-year battle. That’s a long fight for anyone, but for a man who died in 1992, it’s epic.

    Plummer’s trouble started when Ronda Coons, a tenant in his New Jersey rental house, phonied up her father’s death certificate so it showed Plummer’s name and a 1992 death date. She took it to the Mercer County Clerk’s office, along with a will that named her as his executor and a deed to the house with a forged attorney’s signature. The County Clerk’s office recorded all the documents.

    Ten days later she started taking out the home equity loans that would eventually total more than $60,000.

    Plummer received the county’s property tax statement that showed the house was owned by Ronda Lige, whose real name is Ronda Coons. You’d think Plummer’s making an appearance at the courthouse, proving that he was, in fact, live, livin' and breathin' would be enough to untangle the records. No such luck. The Clerk’s office maintained they had followed proper procedure and they saw no reason to undo what had been done.

    Plummer hired an attorney to resolve the issues with the Clerk’s office, but it still took years to clear away all the liens placed against the house by the stiffed lenders.
     

    Posted Dec 15 2008, 02:42 PM by IdentityTheft with 1 comment(s)
  • Best Buy bandits tripped up by Rewards card greed

    How’s this for a racket:

    Gabriel K. Jang and Billy Morris Britt supervised a gang of thieves who broke into Seattle-area gym lockers to steal credit cards. Jang and Britt used what an assistant U.S. attorney called their “mobile counterfeiting lab” to make fake drivers’ licenses with the credit card holders’ names and their own photos.

    They then made a beeline to Best Buy where they bought high-end computers and cameras with the newly minted credit cards. These ambitious identity thieves then sold the loot on eBay under Jang’s company name, Nexus Systems Inc. (Sometimes they were efficient enough to steal the cards, print the drivers’ licenses, make the purchases and post them on eBay within only hours.)

    A Best Buy security employee became suspicious when he spotted a Rewards card that was used more than 125 times for purchases of more than $250,000 paid for with 77 different credit cards. He started watching eBay offerings whenever that card was used, and sure enough, the just-purchased merchandise would show up for sale by “Nexusi”, an ID linked to Jang.

    At the same time, a Seattle detective was following up on a complaint about some credit cards stolen from a gym locker. He was able to link one of the stolen credit cards to the overused Rewards card and the email address associated with it.

    Jang and Britt face charges in U.S. District Court of wire fraud and aggravated identity theft. Investigators say their enterprise netted more than $3 million since 2001.

    And all the thousands of eBay shoppers who were lucky enough to buy their fabulous electronics from Nexus Systems for less-than-retail prices? They’ve been notified that their goods have to be returned.
     

    Posted Dec 12 2008, 02:52 PM by IdentityTheft with 3 comment(s)
  • To market, to market to buy an ID

    If a hacker steals information on 100,000 accounts—including yours—from a retailer or a bank, that particular sleaze bag isn’t going to use your information. He’s going to sell it on one of hundreds of online marketplaces for buying, selling and trading stolen identities and account information. But hang in there with me ‘cause there’s good news coming.

    Hang in there with me, ‘cause this might end up being a good thing.

    There are now so many sleazebag hackers, and they’ve stolen so much information, and there are so many online marketplaces selling the stolen information that prices for that information are dropping, according to Francois Paget, a security guru for McAfee who consults with law enforcement.

    How much is your information worth? Paget says from what he’s been seeing online, all of the information associated with a bank account, including passwords, is worth only 5 or 10% of its value. Have $10,000 in the bank? It’ll sell for roughly $750.

    How about your credit card account info? In a batch of 10, it’s worth less than $50. That’s if it has all associated information like your billing address and your mother’s maiden name. Without those details, it’ll bring only $1.

    The good news? The rules of supply and demand apply even on the black market. Supply is up; prices are down. If your credit card account information is worth only a buck, and there are millions of credit card accounts out there for sale, how long can this kind of stuff remain profitable?

    This is where LifeLock comes in. Part of their identity theft prevention voodoo includes a program called eRecon that monitors the black market Marrakesh of stolen identities and financial information. If you want to check it out, go to LifeLock.com. If you decide you want it, get it with the LifeLock promo code RD17 ‘cause that’s the lowest price you’re going to get.
     

    Posted Dec 11 2008, 05:15 PM by IdentityTheft with no comments
  • "Data security no big deal," say smiling corporate leaders who can't tie their own shoes.

    Want to know why there are so many data breaches? One of the biggest problems is the disconnect between corporate decision makers and reality, according to a recent study by The Enterprise Strategy Group and Application Security Inc.

    For instance, 84% of them said all or nearly all of the confidential info they possess is protected and secure. Then more than half of them admitted they’d had at least one data breach in the last 12 months. And, get this: 5% of these corporate leaders shrugged, wiped the drool from their chins and replied, “I don’t know.”

    It gets worse. When asked about their compliance to compulsory security procedures, 38% of the reality-resisting corporate leaders smiled confidently and said they’d bombed at least one audit in the last 12 months. Five percent proved themselves to be in the nose-picking, slack-jawed droolers’ camp when they answered with, “I don’t know” or “You’re not my mother. I’m not gonna tell you, and you can’t make me.”

    Don’t look for any big improvements in the near future, either. Job cuts are inevitable as the economy worsens, and if these knuckleheads have any employees who try to maintain even a modicum of data security, they’ll get the ax first. Now figure in the inherent security risks of having a disgruntled, overworked workforce, and things start looking really bleak.

    If the aforementioned drooling knuckleheads are faced with simultaneous and mutually exclusive needs for cutting budgets and purchasing security-enhancing tools, it’s a sure bet that they’ll blithely nix security add-ons.

     

    Posted Dec 10 2008, 02:23 PM by IdentityTheft with 1 comment(s)
  • Good customer service shouldn't include identity theft

    "Thank you for calling. May I have your account number, please?"

    Sometimes you have no choice but to give out personal or financial information over the phone. Have a question about your credit card account? Want to increase the minutes on your cell phone contract? You have to tell all to the customer service rep in the call center. But, hey, you can trust them, right? Maybe. Maybe not.

    ID Analytics recently reported results from their study of 12 internal data theft incidents, eight of which led to more than 1,300 fraud attempts involving bankcards, retail cards and wireless service.

    Among the ID Analytics findings:
    • If your information is part of an internal data theft, the chance of your info being used fraudulently goes up 2,400%.

    • If your info is used fraudulently, it’s probably going to be used within 20 miles of the place it was stolen.

    • Just like identities stolen from outside an organization, most identities stolen from the inside are used quickly then discarded within a two-week period. In five of the eight incidents, online purchases and services were responsible for 80% of the fraudulent activity.

    When you call a customer service center, there’s nothing you can do to protect your information. Like it or not, once your data is out there, it’s completely out of your control.
     

    Posted Dec 09 2008, 05:51 PM by IdentityTheft with 1 comment(s)
  • Source for data breach information

    Question: How many records have been lost or exposed in data breaches in the past four years?

    Answer: Far more than 246,091,423—and that's just within America. The answer is "far more than" because many of the private and public entities don't know how many records were exposed. Worse than that, roughly half of all companies surveyed don't report their data breaches or notify their customers or constituents.

    I get this information from the Chronology of Data Breaches, a product of the nonprofit Privacy Rights Clearinghouse. They get their information from Attrition.org which is hosted by the Open Security Foundation.

    When you look at these databases it's especially interesting to note which of the breaches is governmental or private industry. Or, how many are from hospitals, universities or K-12 schools. Or, take a look at how many breaches a specific entity has reported over the last four years.

     And we wonder why identity theft is rampant.

    Posted Dec 08 2008, 09:27 AM by IdentityTheft with no comments
  • News Flash! Laptops and mobile data devices to blame for half of all data breaches!

    Brendon Lynch, Microsoft’s director of privacy strategy, delivered this bit of news you already knew at the Privacy and ID Theft Conference in Vancouver last week. He also made the dubious statement that businesses were protecting our personal information inside the office.

    While he’s right about the first part—that laptops, PDAs and flash drives are responsible for most data losses—he was a little too optimistic about the second part.

    In fact, if companies and public entities had better security policies, far less data would be walking out the door. Even within the office, there are often few restrictions on who is allowed access to sensitive information. And, without a strongly-worded and strictly-enforced policy demanding that data taken away on laptops, etc. must be password protected and encrypted, every lost or stolen laptop leaves more people at an elevated risk of becoming identity theft victims.

    Bryant again resorted to common knowledge to fill his minutes at the podium with his remarks regarding hackers and how they’ve changed over the years.

    He reminded us all that hackers were originally geeky guys with greasy hair who wanted to impress their equally geeky and greasy friends by gaining inside access. Now, he said, hackers are cogs within sophisticated organized crime syndicates.

    What he failed to mention was the international flavor of those crime rings. Federal officials are still investigating the recent hackings of then-presidential candidates Barack Obama and John McCain, presumably to gain insight into future foreign policy. The feds seem to think the attack originated in Russia or China.

    Microsoft is working on a new system that replaces the username and password with “Information Cards” that wouldn’t contain any personal information, but would connect the user to service providers, banks, etc.

    However, given all the other tired old news Bryant trotted out, it’s hard to get excited about what he called “game-changing strategies.”

    Posted Dec 05 2008, 09:40 AM by IdentityTheft with 2 comment(s)
  • It's all about your wallet

    Pickpockets, strap-slashers and food court loiterers know that once they get their hands on your wallet they have everything they need to assume your identity.

    Here’s what you do to thwart the sleazebags:

    • Stay alert, especially during the holiday season when there are so many crowds and distractions.
    • Never leave your purse or wallet in the car where it’s visible to passersby.
    • Plan ahead. Put your cash, check or credit card along with your driver’s license into a fanny pack or a small bag you can wear across your chest. Leave your purse at home, or lock it in the trunk before leaving home. DON’T put it in the trunk in a parking lot where everyone can see.
    • Use a money clip for cash, credit card and ID instead of a wallet so you can more easily carry it in your front pocket. If you don’t think a pickpocket can reach into your pants pocket without your knowing, you’re wrong; it happens every day, and crowds make it easier.
    • Clean out your wallet, and carry only the essentials: Your driver’s license, one credit card OR one check OR cash. NEVER carry your Social Security card with you. Leave your auto insurance card in the glove compartment. Everything else belongs at home in a lockbox.
    • Make sure you know what’s in your wallet in case it’s stolen. The sooner you can contact the credit card issuers the better; time is on the side of the identity thief.

    I already warned you that I’d be plugging some LifeLock products, and WalletLock is my personal favorite—because I’ve left my wallet in a phone booth, a fitting room and the Rome Airport.

    With WalletLock you make only one call to LifeLock if your wallet is swiped or lost and they’ll take care of canceling and replacing just about anything except your photos.

    Covered documents include your driver’s license, health and auto insurance cards, Social Security card (what was that doing in there, anyhow?), professional association cards, credit cards, bank cards, check book or checks—even your passport, visa or immigration documents. They’re open 24/7 so they’ll always be able to help you, even if you’re out of the country and several time zones away.
     

    Posted Dec 04 2008, 11:29 AM by IdentityTheft with no comments
  • Florida agency posts 250,000 names, SSNs to website

    The following article is about yet another data breach. The loss and exposure of personal data is one of the reasons all Americans are vulnerable to identity theft and need identity theft protection like that offered by LifeLock.
     
    More than a quarter million Floridians have been placed at an elevated risk of identity theft after The Florida Agency for Workforce Innovation posted their names and Social Security numbers on the Internet. Some of the records go back as far as 2002.

    The records were on the Internet for approximately one month, according to an Agency spokesman. They weren’t password protected, encrypted or behind a firewall, all of which are considered elementary procedures in data protection. As a result, anyone with an Internet connection would have been able to view the information.

    Fifty minors’ Social Security numbers were among the records. The Agency has not responded to the nonprofit Liberty Coalition’s inquiry as to why the Agency had records for these Floridians under the age of eighteen.

    The data breach victims haven’t been notified yet, but a spokesman for the Agency said they plan to send letters to them. There has been no mention of whether credit monitoring or identity theft protection services will be provided to the victims.

    Even if free credit monitoring is provided, its protection is limited to customer notification after a new account is opened by the thieves. In comparison, LifeLock takes measures to prevent the thieves from using stolen personal information, and from buying, selling or trading it on the Internet.

    In a response to questions from Liberty Coalition, the Agency said they “pledge to learn from its mistakes.” However, the Agency apparently didn’t learn from an earlier, similar mistake. In 2002, 4,624 Floridians’ names and Social Security numbers were posted on the Internet. That data wasn’t password protected, encrypted or behind a firewall, either, and was discovered when one of the victims did a Google search on his own name.

    Visit LifeLock.com to learn more about LifeLock's innovative services that have made them the ID protection service chosen by more than a million Americans. If, after you’ve read the article, you decide to fully safeguard your credit and finances, use the LifeLock promotion code RD17 for the best available discount.

     

    Posted Dec 03 2008, 01:58 PM by IdentityTheft with no comments
