All about how it happens and how you can keep it from happening to you.
June 2010 - Posts
The Federal Trade Commission has succeeded in getting a federal court to put a stop to an online scam that used identity theft to place more than $10 million fraudulent charges on consumer credit and debit cards.
More than a million consumers were hit with one-time charges of $10 or less, and their payments were routed through dummy corporations in the U.S. to bank accounts in Eastern Europe and Central Asia.
The defendants had used fake company names, similar to legitimate businesses, along with information taken from identity theft victims all over the country. They used the information to open more than 100 merchant accounts with companies that process charges to consumer credit and debit card accounts, according to the FTC complaint. The FTC complaint states that they believe the defendants ran credit checks on the victims to be sure they were credit-worthy.
The thieves also cloaked each fake merchant with an office address near a real merchant's location, along with a phone number, home phone number for the "owner," a Web site pretending to sell product, a toll-free number for consumer use, and a real company tax number found on the Internet.
The FTC said that with spam e-mail, the defendants recruited at least 14 "money mules" in the U.S., which are people paid to form 16 dummy corporations, open bank accounts to receive the payments, and transfer the money overseas. They used debit cards linked to these accounts to set up telephone service, virtual addresses and Web sites.
None of the affected consumers had any contact with the defendants. Most didn't even notice the charge on their bills or didn't seek restitution because it was such a small amount. Consumers who did call the numbers that appeared on their bills found the numbers to be disconnected or got an answering machine instructing them to leave a message. No calls were returned.
The fake companies included API Trade LLC, ARA Auto Parts Trading LLC, Bend Transfer Services LLC, B-Texas European LLC, CBTC LLC, CMG Global LLC, Confident Incorporation, HDPL Trade LLC, Hometown Homebuyers LLC, IAS Group LLC, IHC Trade LLC, MZ Services LLC, New World Enterprizes LLC, Parts Imports LLC, SMI Imports LLC and SVT Services LLC.
The defendants have been charged with making unauthorized charges to consumer credit cards in violation of Section 5 of the FTC Act. The courts have frozen the defendants' assets and ordered them to cease operations.
A U.S. Federal Trade Commission representative said June 21 that current privacy laws fail to protect American consumers and place too much of a burden on them.
Kathryn Ratte, senior attorney for the FTC, said existing privacy laws, which rely heavily on disclosure of data collection and use practices and on informed consumer choice, just don't work.
The agency will be releasing a report later this year that will reflect that very sentiment. The report is expected to make recommendations to Congress regarding new laws, and it may state that the FTC intends to expand its current authority around policing deceptive practices to address more Internet-related business practices.
One of the biggest issues, the FTC found, is getting companies to adopt better "data hygiene" through implementing policies such as minimization and retention limits.
One law that has worked is data breach notification, which makes sure that if there is a data breach, the organization is to notify all affected parties.
In 2009, the U.S. House of Representatives approved a data breach notification bill, but the Senate has yet to act on the bill. The measure states that anyone who "possesses data in electronic form containing personal information shall...notify each individual" affected by the breach.
Implementing sound information security policies and practices that minimize the likelihood of data exposures is more important than dealing with the aftermath of breaches. Better data security should be the first priority of any organization handling personal data.
Organizations that have experienced a breach will certainly agree with the old adage that an ounce of prevention is worth a pound of cure. The cost of responding to a breach, in terms of staff and energy, legal assistance, credit monitoring and related services for affected persons, bad press, adverse employee relations and potential legal exposure, can be profound. Rather than assuming it "won't happen to us," companies must recognize that a security breach is highly likely unless preventative measures are taken.
• Don't collect or store data elements specified in breach notification laws.
• If you must collect and store covered data elements, segregate such data from other data sets.
• Avoid using covered data fields as employee identifiers, on files and systems, parts of user IDs, on badges or in mailings.
• Don't store covered data elements any longer than needed, and destroy them in a secure manner when they are no longer needed.
• Scrutinize the entire life cycle of covered data elements to identify any security vulnerabilities requiring remediation.
• Make sure your current policies, training and confidentiality agreements address the risks and legal obligations involved in handling data elements covered by data breach laws.
A Louisiana woman used a man's stolen identity for almost two years in order to keep her housekeeping job at a Marriott hotel in Montgomery Township
Of all the odd twists in the way people use (or more properly, misuse) identity-related information, this one has to be one of the weirdest!
Julia Perez, a 37-year-old suspected illegal immigrant from Mexico, used the name, Social Security number and birth date of a Louisiana man in order to get a housekeeping job at the Courtyard Marriott Hotel in Montgomery Township.
Perez began working at the hotel in August 2008, and apparently worked in the position for nearly two years before she was arrested at the hotel on June 9th. It seems that someone would have noticed that Julia, who wore a name tag showing “Tomie,” as her name (a shortened version of the identity theft victim's first name – Thomas) was decidedly female, while her employment documents all contained the information of a male.
Perez has admitted to using the Louisiana man's name to gain employment, records said. How exactly she obtained the identity was not clear from Police and court records.
The deception began to unravel after the Internal Revenue Service informed the Louisiana man that his identity was being used by someone else – he then contacted the St. Tammany Parish Sheriff's Department, which launched an investigation and traced the identity theft to an employee that was ultimately identified as Perez.
Perez is currently being held in a Montgomery County Prison on a first-degree misdemeanor charge of identity theft. U.S. Immigration Customs & Enforcement has also placed a detainer on her, meaning federal authorities suspect she is in the United States illegally. Once she is released, whether after serving a sentence for identity theft or after an acquittal, she will be turned over to the I.N.S., who will then determine if she is here illegally. If she is, she will most likely then be deported.
Cemeteries and funeral homes have collected millions of dollars over the years from customers who have chosen to prepay for their burials. The money is to be held in trust, protected from theft and mismanagement.
In some cases, criminals have targeted the elderly, stealing millions and swindling them out of the security of knowing their final requests will be fulfilled. Often times, the victim is left to foot the bill for a new burial plot without any reimbursement from the first attempt to purchase one.
This has been happening all over the country. In Knoxville, Tenn., cemetery owners sold the same plots several times over and defrauded people who had prepaid for funeral services. In Indiana, hundreds of people contributed to a cemetery's trust fund and to their loved one's perpetual care, learning later that they were part of a $27 million securities scam. In Colorado, a funeral home owner stole more than $140,000 from mostly elderly people who had prepaid for funerals. The services were not provided, and the victims were not reimbursed. A former Ohio funeral home director was charged with 43 counts of stealing up to $200,000 from clients who paid ahead for their funerals.
Thieves have also used this type of scam to gain access to personal information such as Social Security numbers, bank and credit card numbers, names and address information.
The list goes on and on. Given that these types of scams are becoming more and more frequent, it's easy to understand that people may be hesitant to proceed with making funeral and burial plans. No one wants to lose thousands of dollars on any type of scam, but it's particularly difficult when dealing with final plans.
The Federal Bureau of Investigation has offered the following tips to help you avoid fraud and theft as you finalize your plans.
• Be an informed consumer, particularly if you are prepaying. Shop around, and call the Better Business Bureau to get a report about a funeral home or privately-owned cemetery. Make sure the business is licensed.
• Get a detailed price list. Funeral homes are required to provide these. It's a good idea to get this in writing.
• Educate yourself about caskets before you try to purchase one.
• Understand the difference between funeral home basic fees for professional services and any fees for additional services.
• Know your state's embalming laws. Embalming is not legally required for direct cremations.
• Carefully read all contracts and purchasing agreements before signing, and make certain that all of your requirements are put in writing. Make sure you fully understand all cancellation and refund terms, as well as you portability options for transferring your contract to another funeral home.
• Do not give your personal information to anyone unless you are sure they are with a legitimate company and you know that the person is trustworthy.
Last of all, make sure your loved ones are aware of your plans. Don't allow yourself to be pressured into making any decisions, signing any contracts or surrendering your personal information. These decisions are yours alone to make and you should be able to take your time in making them – and rest assured that you can trust the people you're dealing with.
Identity thieves have already begun to exploit provisions in the health care reform bill aimed at closing the Medicare “donut hole”
One provision of the health care reform bill is to start closing the Medicare “donut hole” - the coverage gap that many seniors have in their prescription drug coverage.
What exactly is the “donut hole?”
For seniors who must take expensive prescription drugs, or a combination of many drugs that add up to a large expense, Medicare rules state that they must pay the first $310 worth of drugs (the deductible), and then Medicare pays for the next $2,520 with only a small copay paid by the consumer. Once the total cost of $2,830 (the deductible plus the $2,520) is reached, they become responsible for 100% of the cost of their drugs until their total drug cost reaches $4,550. Once that total is reached, Medicare picks up the cost of the drugs they need for the rest of the year, minus the co-pay.
The $1,720 coverage gap is called the Medicare “donut hole.”
As part of the health care reform legislation passed in March of this year, $250 checks have begun going out to those who have already begun paying the total cost of their drugs due to this coverage gap. The amount of the Federal payments will increase each year – until 2020, when the gap will cease to exist.
The government keeps track through its drug usage database of how much Medicare beneficiaries have already spent on their drugs, and as such, it knows exactly the point when the senior has reached the coverage gap. Once a senior has reached the gap in coverage, a check is sent without the consumer having to do anything at all.
Unfortunately, seniors have long been the target of crooks and frauds. Here are some of the ways criminals are mis-using this program, as well as some suggestions about how to prevent the crime:
Phone calls: Someone pretending to work for the government or an aid agency calls with an offer to help the consumer “apply” for the $250 check.
Home visits: Someone comes to your door asking for information in order to "verify that you are eligible" to receive the reimbursement check. You may be asked to provide your social security number, bank account numbers or other personal data - which can result in fraudulent bank transactions or identity theft.
Internet pop up ads: Ads inviting you to fill out an application for your rebate check may “pop up” on some websites.
No doubt there are additional ways that criminals will think of to steal the money. If you are a senior or receive Medicaid drug coverage, you will automatically receive your check at the right time, and there is no information you need to provide, and nothing you need to do to get it.
If you know someone who is likely to get a check – advise them to ignore such scams.
If you or someone you know is contacted by scammers attempting to gain your personal information, report this fraud by calling 1-800-MEDICARE or by going on line to www.stopmedicarefraud.gov.
VISA has compiled a list of applications used by retailers that store sensitive data – and may leave you vulnerable to hackers and identity thieves
Buried in the networks of many major retailers are computer applications, often obsolete or unused, that store the personal and financial data of customers. VISA apparently compiles a list of applications that may store sensitive customer authentication data after a payment has been authorized. Many application versions on the “bad-apps” list are outdated versions or programs or programs that are no longer being sold.
While these programs are not deemed an immediate identity theft threat by VISA - cyberthieves would have to expend a great deal of effort sifting through a retailer's network looking for possible sources of data, with no guarantee that such programs are there (this is called the “ effort-to-benefit ratio”), they are a concern as a possible security breach source – either through the disposal process of old network and server equipment or by data-mining software.
The list is not one that Visa wants to be too easy to get – in fact, the the list is not directly shared with retailers. Yes, there is a slight risk of cyber-thieves searching for the riskier versions in retail systems. It turns out that there is not much of an immediate concern, however, because of the effort-to-benefit ratio. But if that’s a real security issue, then Visa’s publishing an approved list that says “version 5.2 and above is compliant” pretty much telegraphs to the bad buys what they need to seek. In short, it’s a problem regardless of whether the Bad Apps list is disclosed.
Not making cyber-thieves job easier is one reason why VISA is not releasing the full list of “bad-apps” to retailers and purchasers of new software. If criminals know in advance what applications to search for, then VISA will have made their task of stealing data much, much easier!
(See the full list of applications