Tuesday, August 4, 2009


Joe has an email account he has had for over 10 years. He emails coworkers, friends, and family from the account regularly. His mother still sends him e-birthday cards every year. It is used for TurboTax and his online banking, and he often emails projects from his work email to his personal email so he can work on the finishing touches from home. His order confirmation emails for eBay, Amazon, and Travelocity all go to the same address. His doctor’s office and insurance company send him appointment reminders and paperless statements at that address. Recently, he requested an address change online with his bank, the DMV and the Post Office, and was pleased to find he could do it all paperless. He’s very environmentally conscious, and keeps meticulous records. Joe, in fact, is pretty average.

This email address is about as firmly established as Joe’s identity as a credit report is: it contains details of his finances, his address history, and his birthday, just as a credit report would. His address book reveals his mother’s maiden name, and a compromise of the account could easily result in his tax information and social security number being revealed. A compromise or lockout of this account could be devastating. He doesn’t have a paper copy or any other record of the email addresses in it. In some cases, the only contact information he has for people is email. If someone were to gain access, he would not be the only target. All those individuals in his address book would be contacted and extorted for money. It would take Joe a long time to track them all down and warn them, and by that time it would probably already be too late. His company might be blackmailed based on intellectual property gained from the compromise. His accounts could be taken over and emptied, his identity stolen and used for credit cards, utilities and medical services. A routine traffic stop might result in jail time while law enforcement figures out that a fake ID in his name was provided during a DUI stop. With the information available in that email, Joe’s life can be stolen lock, stock and barrel.

If your email is this tied up with your identity, it is important to protect it. Every time you use your email address to sign up for a service or profile, you are adding another avenue for attacking your account. How do you quarantine an email?

  • Security experts actually recommend that, “A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behavior.”
  • Take inventory. Make a list of all the websites you have attached to your email, all the contacts in your address book and anyone you regularly contact via that account. The average user has about 12 online accounts registered with their main email. Then, go through your folders and archived emails and scan them so you have a good idea exactly what is in your account.
  • Make sure you have a disaster plan. After you have taken inventory, think about what you would do if you were to suddenly lose all access to that email. Are your documents backed up? Do you have phone numbers for your contacts so you can warn them? Do the websites attached to your email account have a 24/7 toll-free line for assistance? Do you have any of this contact information for the companies or persons in a non-technical format in case your entire computer is compromised?
  • Never use the trusted email or part of the email address as a username. Never use the same usernames and passwords for all accounts. Also, many services are now offering an option to force your password to expire periodically (live.com has an option for 72 day expiration, for example). Find your security settings and use them.
  • Many websites now offer the ability to register two email accounts with your profile. If the option is available, use it. Create an isolated, secure email and keep it safe. This way, if your email is compromised or the profile hacked, you still have a second account through which you can report the issue to the company or retrieve a password.
  • When signing up for social networking sites, use an email account just for that site or your “catch-all” email. This prevents hackers from gaining access to your trusted email through the site, and prevents scammers from spoofing your email to try to extort money from your list of contacts. People will be more suspicious of an email coming from FacebookJoe@domain.net than from yourtrustedemail@sinceforever.com, and it will give you time to contact them to tell them of the fraud.
  • Never use your trusted email for comments, blogging, chatting, or any online forms. Your trusted email should be for communicating with real people only. There are plenty of services out there that will set up dummy email addresses for free. This allows you to keep your email address secure but still give contact information out and receive communication at the same inbox. If the dummy email address becomes tainted, you can easily amputate by shutting down the address entirely. Just Google “disposable email address” or “temporary email address” and you will find plenty of services to choose from.
  • Don’t unsubscribe from mailing lists you suddenly find yourself on. Clicking on the “unsubscribe” link or hitting reply could verify your account as “live” to a scammer. Instead, block the email address you are receiving the subscription from.
  • Determine if mobile banking risk is worth the convenience. Does your phone have antivirus? Can you get an antivirus? Contact your service provider and determine if there are additional security settings you can select. For more information on cell phone and smart phone security from the US government, click here.
  • Be cautious of wi-fi. There are plenty of cyber criminals out there who set up unsecured wireless connections in common hot spots to try to catch someone doing a little online banking or email while sipping their coffee. Check your wireless connection at home and in the office: is it secure? Encrypted?
  • When sending highly sensitive information, consider using encryption or steganography for the message and data.
  • Be discriminating about sending forwards. If the email were to fall into the wrong hands, a crook can use the contacts in the email to try to scam everyone included on the communications.
Don't let embarrassment keep you from doing your part in reporting the incident to authorities. Remember that cybercrime is serious, and should be reported to the FBI's Internet Crime Complaint Center at ic3.gov and to your email provider, typically at abuse@[yourdomain.com].

Wednesday, July 29, 2009

Business Identity Theft - Dangers, Gaps, Solutions

I stress that these views are mine and influenced by the works cited here; they are not necessarily the views of ID Experts.

UPDATE 08/06: Panda Security reports 44% of SMBs admit falling victim to cybercrime.

Generally speaking, when most people discuss identity theft, they are referring to an individual using the personal identifying information of another individual, without their consent, to obtain some profit or advantage. Identity theft is largely viewed as a “people” problem, and for good reason: most state and federal laws, websites, non-profit organizations and consumer advocacy groups tasked with the job of helping identity theft victims address the American consumer at large.

Yet small and medium-sized businesses (SMBs) are an attractive target for identity thieves. According to the Institute of Consumer Financial Education (ICFE), SMBs usually qualify for larger lines of credit and “enjoy extended payment terms and less transactional scrutiny for large purchases or high value ticket items than individual customers.” They often have valuable physical property such as computer equipment, or perhaps inexperienced employees who may be susceptible to phishing attempts or bribes. Many SMBs are located in shared business buildings, making it even easier to obtain credit cards and loans in their name. All a criminal has to do is rent a small space or mailbox in your building: the address will verify as correct, and he’ll get the credit cards, loan documents, and bills instead of you. Before you even know something is wrong, he has skipped town without a trace, except for the damage to your business.

In addition to being lucrative, small and medium-sized businesses are often careless with privacy and security because they are preoccupied with, well, running their business. According to the ICFE, “Many businesses do not regularly review their business credit report... [or] ...always carefully scrutinize employee charge card billing statements before they are paid, particularly those accounts for which multiple cards are issued.” Additionally, a recent survey from security firm Panda Security shows SMBs in the United States are increasingly the victims of cybercrime, yet many do not take simple precautions to protect themselves. By the numbers:

* (44 percent) were hit by some form of cybercrime

* (10 percent) surveyed were hit so badly that they had to stop production -- worldwide, the average was 30 percent.

* (50 percent) of companies in the survey lost time or productivity as a result of being infected.

* (97 percent) of U.S. SMBs have installed anti-virus and (95 percent) claim their security systems are up to date. YET (29 percent) said they have no anti-spam in place, (22 percent) are without anti-spyware technology and (16 percent) do not have firewalls. (52 percent) said they have no web filtering solution in place. (39 percent) of respondents said that they have yet to be trained about IT threats.

When you combine large cash/credit flow with little scrutiny or security, it is easy to see what a gold mine this is to thieves. I’m not done yet: there is another factor that makes these threats an increasing danger in an age of government transparency and online communications. Not only are you an attractive target, but obtaining the documentation necessary to impersonate a business, or to pose as a representative of the business, is often easier than for an individual.

Your business information is easily obtained from a variety of offline and online sources. Business stationery and business cards are easy to obtain and duplicate, and, as the ICFE notes, “most businesses are eager to open new accounts for other businesses, and the process can be quite simple- such as submitting a request on company letterhead along with the business license number and Tax ID.” Since most businesses display their business license on their wall (as many are required to by law), this theft is dangerously easy. Additionally, businesses may engage in high-risk sharing of their business information. Because many companies such as Costco require an EIN to give customers status as a business, the EIN is tossed around a lot on documents and over the phone. Small business owners may even be using their own social security number in place of an EIN, increasing their risk and potential for damage. SMBs aren’t just a gold mine; they’re a gold mine filled with diamonds.

There are unfortunate gaps in our system. There are hundreds of companies, pre-paid legal services, private investigators, non-profits and consumer advocacy groups that are trained and versed in handling personal identity theft, but that find themselves either unprepared or unable to assist businesses when they become victims. Their hands are often tied by state laws, procedural technicalities, binding contracts and user agreements, or just plain ignorance.

As pointed out in a recent article by Business Week, “While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit. Before California last year amended its 1997 identity theft law explicitly to include crimes targeting business entities, a business whose identity had been co-opted could not even get a police report. ‘We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes,’ California Deputy Attorney General Robert Morgester says.” (The state legislature amended the “person” in identity theft cases to encompass associations, organizations, partnerships, businesses, trusts, companies and corporations, in addition to logos and “photographic representation” as legally recognized personal ID data.) Yet, there are many other states that still do not recognize business identity theft as a separate crime at all.

Additionally, many loan contracts and credit agreements may have fine print that could leave you high and dry. According to the ICFE, “liability provisions in many cardholder agreements specifically exclude: unauthorized transactions involving business cards and cards used for business purposes…and instances where a transaction by an individual, who at some point was given permission to use the card by the cardholder, ‘exceeds authority’ given by the account owner.” Since insider threats are still the biggest concern when it comes to loss prevention, this particular fine print can mean a lot to a business owner. Perhaps most devastating: “Most loan documents contain a provision which states that if the lending bank ‘deems itself insecure’, repayment of the loan may be accelerated. If numerous fraudulent accounts have caused the bank to no longer be confident of the business’ long term viability, a business’ loans or credit lines may suddenly be called and most businesses would simply not have sufficient cash or liquid assets available to fully service the debt.” While there has been a little progress in this area, as with state laws there are a lot of gaps. Visa, MasterCard, and American Express no longer distinguish between small business and individual credit card fraud, which helps companies to clear the purchases made by thieves. We can only hope that others follow suit.

A thief with access to EIN, address, key names, and letterhead or company logos can easily apply for credit or obtain loans and merchandise as a “representative” of your company. There are painful gaps in consumer law and business practices that make the extensive, time-consuming, complex and potentially expensive process of recovering from identity theft even harder. Dealing with the theft can take months or years. Don’t take chances, and protect yourself:

  • Shred. Shred. Shred. Dumpster diving is still a common source of information.
  • Don’t hold onto documents any longer than absolutely necessary.
  • Obtain an EIN and use it instead of your SSN. Be cautious with your EIN and give it out sparingly.
  • Obtain regular credit reports for yourself and your business. Review them carefully.
  • Review your Better Business Bureau report regularly. In addition to identity theft, a business can also become the victim of professional impersonation. In many cases, evidence of both types of crime will show up on the BBB report.
  • Owners should review transaction statements and account for all items. If you give review power to another individual, be aware they are now a target for bribes and extortion. The best solution is to take matters into your own hands and report any unusual activity immediately.
  • Improve your business’s physical, technical, and personnel security. Alarms, firewalls, encryption and anti-virus are all important components, but more important is the education of you and your staff. How to detect and deter phishing attacks, how to report suspicious behavior anonymously, and what to do if you believe information may have been compromised are all topics every employee should know by heart.
  • Be an informed consumer: ask what precautions businesses take with your applications and other business-identifying documents and data. Explain your concerns. If enough business owners bring up these concerns, they will listen.

Other advice includes:

“Consider using electronic payment options. Since the networks are password-protected and the messages are encrypted, wire transfers and ACH payments are much safer than using paper checks…

And lastly, consider a post office box or a lockbox for your mail. This ensures that business mail is retrieved by appropriate personnel and is not left in a box at the reach of any passerby.”

Practical advice for changing the outlook for SMBs: Put your money where your mouth is, and remember that the squeaky voting wheel gets the grease. Do business with companies with good security practices, even if it makes doing business with them more difficult. Write to your representatives and voice your concerns. Bring awareness of the dangers of identity theft for small and medium businesses to your associates, your lawmakers and your financial institutions. If legislation regarding personal identity theft rights is any indication, it is going to require a concerted grass roots effort to bring awareness to the issue and create change. It is time.

UPDATE 07/30/2009: Another threat to businesses highlighted by the Better Business Bureau, "Scam artists send an invoice for a product commonly purchased by the business. For example, paper or other office supplies, in hopes that the busy staff will pay the funds without question."

Copyright 2009 Rachel James. Please do not republish without written consent. You are welcome to link in reference.

Thursday, July 23, 2009

Getting Engaged can lead to Identity Theft

Republished from the ID Experts blog.

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief: on average, weddings cost over $20,000 and guest gifts range from $50 to $150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

  • Fake vendors: these are identity thieves or card fraudsters. They are online, at bridal shows, and call individuals out of the blue. You may even be approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.
  • Fraudulent vendors: this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and giveaways should be especially scrutinized if you get a call saying you “won”; there may be strings attached.
  • Crooks: these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.
  • Disappearing act: this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.
  • Malware: there are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.
  • Robocalls and junk mail: while shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.
  • “In distress” scam: this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies to being kidnapped. Often they have “been robbed” and need the money to get home. The request is ALWAYS to wire money or send it via Western Union.
  • YOU: of all the threats, YOU might be your own worst enemy. Many couples have wedding announcements, emails, e-vites, wedding websites, social networking pages, and online gift registries with their personal information, personal details, family details, and wedding, reception and honeymoon specifics available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles for your big day while keeping your friends, family and your identity safe.

  • Assume the numbers and addresses you use to contact vendors, get quotes, and order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.
  • Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.
  • Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.
  • Read ALL fine print carefully. TWICE.
  • Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.
  • Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach the “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages are sent to all your friends, they should be more cautious, since it is a different email than they are used to communicating with you from. This will buy you enough time to use your “trusted” email account to notify them all of the fraud (or better yet, call them!).
  • Never send money via Western Union: this is one of the few ways you can send money and never get it back. Provide contact information for their nearest consulate if you are met with this scam online.
  • Limit access to personal information: if you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.
  • Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend lists on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day; make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.
  • Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and are generally open to the public.

Check your credit reports regularly with www.annualcreditreport.com or by calling 1-877-322-8228. If you do experience fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

Tuesday, July 7, 2009

Recession: A Survival Guide

Republished from my contributions to the ID Experts blog.

During this difficult economic time, the problem with scams and fraud is threefold. First, people who are desperate are more willing than ever to “bite” on the lure of convincing scams because they are under increasing financial stress and pressure. Second, the number of scams and people perpetrating those scams increases during difficult financial times. Third, according to a recent survey by Nationwide Insurance, over half of respondents don’t know if they have enough money to weather fraud. Additionally, “A 2005 Nationwide survey showed the average amount of total charges made using a victim’s identity was $3,968. While most victims were not held responsible for fraudulent charges, 16 percent reported paying an average of $6,440 to cover some or all of the thief’s purchases.”

You may be surprised to find out that spotting a scam is not as easy as you think. The FTC points out, “[scam] claims are just good enough to be believable; their services and products just practical enough to seem legitimate. Some even try to look like a government agency to enhance their credibility.” Here is a quick rundown of the four most critical issues: debt, housing, employment and government assistance.

  1. Credit repair / debt negotiation companies

The dirty scam: These companies advertise anything from outlandish claims (We can remove ANY debt from your credit report!) to carefully veiled suggestions (We know the tricks that your credit card company doesn’t want you to know). Almost all of them require an upfront fee, and almost none of them deliver on their promises. The IRS highlighted concerns in this report, stating, “Many credit counseling organizations provide valuable advice, education and assistance to those seeking to better manage their debt. But an increasing number of complaints to federal and state agencies indicate that some organizations are engaging in questionable activities.” The report includes some handy tips for detecting deceptive companies. The FTC also has some great advice for those “Knee Deep in Debt” or considering one of these companies, as does the Better Business Bureau. These reports cover dirty scams and provide detailed information about the process, general advice on debt practices, and resources for assistance.

The clean scene: The U.S. Department of Justice’s U.S. Trustee Program provides a list of government-approved credit counseling agencies. The National Foundation for Consumer Counseling provides a list of member agencies online at www.nfcc.org, or call 1-800-388-2227 for 24-hour automated office listings. Look over the Fiscal Fitness: Choosing a Credit Counselor document from the FTC, and this new site discussing debt and scams including vehicle repossession, advance fee loans, ‘anyone can get credit’ card offers, debt negotiation and other scams that are increasing with the economic difficulty.

  2. Home refinance or foreclosure scams, loan modification programs

The dirty scam: Taking advantage of the panic in the market, thieves and scammers are contacting victims for loan negotiation, refinance or foreclosure scams. Using complete lies and half-lies, they never deliver what they promise. They could be pretending to offer assistance for your current situation, or offering you a remarkable deal on a foreclosed property. It could be a rent-to-buy or bait-and-switch scam. Victims find they lose money, turn over personal information and/or complete documents that result in damages and financial loss. They can represent legitimate companies with bad business practices, or complete frauds pretending to be from the government ready to inform you how you can benefit from the economic stimulus package. For more information on these types of scams and the red flags to look for, read the highlight by the FTC here.

The clean scene: Be very suspicious of these offers. Check with the attorney general in your state before dealing with any company or person offering assistance. Details on the Federal assistance available to homeowners can be found at http://www.makinghomeaffordable.gov/. Or, you can contact the Homeownership Preservation Foundation's national hotline at 1-888-995-HOPE. They provide free bilingual assistance to help homeowners avoid foreclosure. HPF is a member of the HOPE NOW Alliance of mortgage servicers, mortgage market participants and counselors. Read more about HOPE NOW at www.hopenow.com. You can also check with the US Department of Housing and Urban Development, and the Federal Reserve’s Foreclosure Resources for Consumers. The FTC and Freddie Mac both offer helpful sites for those who are feeling the pressure of mortgage payments or trying to avoid foreclosure. The Federal Reserve also recommends checking out NeighborWorks. You can also listen to a recent NPR broadcast about these scams.

  3. Employment fraud, classifieds fraud

The dirty scam: Unfortunately, finding a job poses many risks. First, you must be careful about the amount of personal information you place on a resume or online application. Remember that disclosing your social security number and birth date should only be necessary when an employer is ready to hire you and complete tax paperwork. Even seemingly harmless details, such as the exact dates and companies you worked for, the colleges you attended, and your address, can result in identity theft or professional impersonation (when a thief takes the details of your professional life and presents them as his or her own to land a job). Additionally, you must exercise caution about the ads you respond to and the contacts you receive offering a job. A rule of thumb to remember: if it sounds too good to be true, it probably is. Avoid any job that asks you to cash checks, wire money, or use Western Union on the job. Let’s start with a short list of job scams (and the links to resources regarding them)… ‘Placement service’ for government jobs, head hunters, temporary employment, work-at-home or online jobs, and classifieds fraud.

The clean scene: Resources for government jobs are USAJOBS, US Postal Service Employment, FirstGov, and the Department of Labor. According to the FTC, “Some ads may direct you to call a toll-free 800-number. Once you're connected, you may be switched to a pay-per-call 900-number without your knowledge, or you may be asked to call a 900-number without a proper fee disclosure. Both practices are against the law… Many terms, such as employment agency, personnel placement service, executive search firm, or executive counseling service are used interchangeably. Find out what services a firm offers, how much the services cost, and who pays. If you're required to pay the fee, find out what you'll owe if the employment service fails to find you a job or any leads.” Check suspicious opportunities with the Better Business Bureau, your state Attorney General’s Office, or consumer protection agency. Read these tips from ScamBusters. Find online job hunting privacy tips and a background check fact sheet at Privacy Rights Clearinghouse. As many people are trying to find extra income, we would like to caution people about responses to their classified or craigslist ads. If someone is offering to pay you more than you asked for a service or item don’t do it! Usually they create an elaborate reason that they need you to cash a check and then wire the extra funds to them, or they get you to provide your account number so they can empty your account.

  1. Financial assistance from the government

The dirty scam: Letters, phone calls, emails, text messages- there is nothing that they won’t try! Websites and representatives claim to be able to access “secret” government money and help you apply for it. Usually they want an upfront “processing fee” or sometimes just your personal information. The FTC describes it as, “An email, online ad, or website says you’re eligible to get an economic stimulus payment. You just have to send back a form or submit one online to get it. The message might appear to come from a rebate company or look like it’s straight from the Internal Revenue Service (IRS).

There’s more than one way to perpetuate a stimulus scam. Some scam artists ask you to send a small processing fee, supposedly to get a much larger check in return. That’s money you’ll never see again. Others skip the fee, and instead, ask for your bank account number so they can ‘deposit’ your check. Then, they use the information to clean out your account or open new ones using your identifying information. Some stimulus scams encourage you to click on links, open attached forms, or call phony toll-free numbers. But simply clicking the link or opening the document can install harmful software, like spyware, on your computer. The result could be your personal information ending up in the hands of an identity thief. If you get a message offering you money from the stimulus program in exchange for your personal information, ignore it, delete it, or throw it out. The IRS doesn’t send emails asking for personal information, and rebate companies claiming to have stimulus payments for you should not be trusted, regardless of how plausible the script sounds or how official the forms look.”

The clean scene: Legitimate information about government grants and assistance can be found at www.recovery.wa.gov, www.grants.gov, www.studentaid.ed.gov, www.govbenefits.gov and www.sba.gov. Information for stimulus payments and refunds can be obtained directly from IRS.gov. Do NOT click on any hyperlink contained in an email; type the address directly into your browser. You can check up on your stimulus checks here.

If you are prepared, think critically, and proceed with caution, you should be able to tell the scams from the real deal. There are good habits you can form during this time as well. Using cash as a way to limit spending, and limiting the number of places you use your card, can help your wallet and prevent identity theft. As the economy starts to improve and the panic subsides, remember that identity thieves don’t just go away. Accounts can be opened now that will not appear on your report for years. Protection now, and in the future, is vital to keeping your identity safe.

A special thank you to Washington's Attorney General's office and many other AG offices for providing much of this material.

Monday, July 6, 2009

So Called Identity Theft "Protection" - A Soapbox

Almost daily someone asks me about identity theft protection or identity theft insurance. Usually, they are just interested in what I personally think is the “best” product out there for protecting yourself from identity theft. Remember- It is not “if” your information will be exposed, but when- and with how much damage. This is my personal rant- my soapbox about the types of "identity theft protection" products out there.

Spoiler alert: There isn’t an effective identity theft protection product.

Typically, a company claiming to be an identity theft protection company will provide one or all of these services: access to credit reports, credit monitoring, and database monitoring. Unfortunately, these services cause security problems themselves. First, you are often required to provide all your personal information to a company so they can provide your credit report. Insider threat aside, they are charging you for a service you can obtain for free by visiting www.annualcreditreport.com or calling 1-877-322-8228. You can obtain your own credit report and review it regularly by spreading out the requests made to each credit bureau by four months. Did you know you can also get a free credit report if you dispute an inaccuracy, are currently unemployed or looking for work, or recently had a negative decision made based on your credit? Sure, access to your credit reports is a great tool. However, it is simply a tool. Many who sign up for these services feel that as long as they have “identity theft protection” they don’t really need to watch their credit reports closely. The idea that someone else is monitoring it provides a false sense of security. You are the only one who knows what should be in your credit report, and the only one who can accurately identify early signs of identity theft.

If you have been a victim of identity theft, or have reason to believe so- you can place a fraud alert. A fraud alert also gives you free access to all three credit reports whenever it is placed. The initial fraud alert lasts for 90 days, but can be extended with a police report to seven years. A seven year fraud alert entitles you to TWO free credit reports from each of the credit reporting agencies annually, for as long as the alert lasts. That is 6 reports a year- equating to a different credit report every other month. All for free. The fraud alert is a “flag” on your credit that says you were a victim of identity theft and that companies should take extra steps to verify your identity before extending credit. (This typically involves sending a letter or calling you at home if an application is received). Sound familiar? This is often the advertised “protection” these companies are offering… only it is free. You just need to call (or go online) one of three credit reporting bureaus, and identify yourself as a victim of identity theft who wishes to place a fraud alert. That bureau will then notify the other two. You must respond to the confirmation letters for your fraud alert to obtain your free credit reports; they are not sent automatically.

Security freezes are another question I get quite commonly. Some of the protection companies out there simply place a security freeze on your credit report. This is also a service that is typically free if you have a police report, or live in certain states. With a Security Freeze, lenders will not be able to gain access to your credit file unless you give permission by "thawing" the frozen file using a secret code, similar to a PIN. However, the process for placing a freeze involves sending a lot of personal information to the credit bureaus- and even more when you forget the PIN. Notice I said “when” and not “if”. In my experience, most people lose the PIN to their security freeze and neglect checking their credit because of the hassle. This, again, lures consumers into a false sense of security. There is plenty of identity theft that can occur if you have a freeze, and in many instances a freeze just makes it more difficult for you to legitimately check your credit reports to discover the suspicious activity. Payday loans, utility accounts, medical identity theft and criminal identity theft can (and do) still occur with a freeze. It is more common for clients with credit freezes to have identity theft that has been occurring for years than clients who find discrepancies when they request their report quarterly, for just this reason. Security freezes should really be utilized by individuals who are experiencing repeated identity theft, and are comfortable corresponding directly with the credit bureaus. Otherwise, some of the most dangerous kinds of identity theft- including medical identity theft- can occur without detection.

Fraud alerts are not perfect- it is up to the company to take precautions in opening an account. Some occasionally ignore the fraud alert and open the account without further verification. Some go to the other extreme and request you physically appear and provide two forms of photo identification before opening an account. Security freezes cannot be ignored, but consumers who use them tend to ignore the types of identity theft that don’t need a credit report to occur yet still appear on the credit report as a symptom of the fraud. Fraud alerts and security freezes don’t apply to your current accounts, so it is important to monitor your statements closely for fraud and notify your financial institution right away. It is a common misconception that identity theft protection services help protect you against fraud on your current accounts- that is not true. It is not safe to provide a third party with enough financial information in order to monitor your transactions, and they would not be able to distinguish most fraud anyway. Clearly fraudulent charges- such as a sudden $3,000 charge from China when your spending habits are always in Michigan- are typically detected by your financial institution (a service they provide for free) and resolved internally.

Most of these companies claim to monitor thousands of databases looking for signs of misuse. Fantastic- except that it doesn’t help you at all. Suppose that one of these programs does notify you that your social security number is being traded like a stock on some black market internet site. Now what? They’re not in the business of tracking down and apprehending these criminals. Often the alert you receive from these services doesn’t even tell you where the information came from, and instead alerts are generic such as “We are alerting you that your address has been changed in public record”. You must go back to the credit reports to find and correct the information. It’s a great reminder to check up on your information- review your SSA earnings statement, EOBs and so forth… but these are all reports and protective steps you can take anyway. For free.

Many of the companies provide a kind of “insurance” component to their services. Read the fine print. Typically insurance only covers actual expenses you incurred such as fax or mailing fees, and occasionally lost wages if you can prove that there was no other way to resolve the identity theft. Strictly identity theft insurance companies don’t fix your credit report for you, they just help with the expense you incur as you embark on the frustrating task yourself. If you cannot afford to take unpaid time off from work (who can in this economy?) this is nearly useless. Even the “guarantees” that are out there are useless since they require that you prove it was a fault in the system that resulted in your identity theft. In the case of many types of fraud, as LifeLock’s Todd Davis found out, their system is not designed to catch it… and therefore, no million dollars.

Identity theft is a scary proposition. Victims spend an average of 330 hours repairing their credit after having their identities stolen, and 70% report making repeated attempts to have inaccurate information removed from their credit reports. Navigating the confusing maze of legislation and paperwork can be daunting, compounded by the fact that it is nearly impossible to reach a live human at the credit bureaus. Many people are disappointed when they receive no assistance from law enforcement and are frustrated by the complex process of disputing the account. I understand why people want assistance- It is important that you have an expert or group of experts to turn to during this time. I do not intend to specifically promote the company I work for, but I do honestly believe in the work we do for people at ID Experts. You can see from our resources page and blog that we believe in educating consumers and advocating for victims’ rights. The following is a general recommendation based on my own experience as an identity theft victim, as a consumer, and a security professional.

What consumers should look for is a company that specializes in identity theft restoration. A good company will be willing to spend the time necessary to educate you about free services available to you as a consumer, but will “take over” if you become a victim. From my conversations with clients, I have not heard of another company that takes the time to educate consumers the way we do. The company should also allow you to speak with the same person twice, or allow their representatives to provide their names so you can get consistent answers. Often, just having my direct extension makes all the difference to a client. No identity theft protection service or product is theft-proof, so it is important to have someone to turn to when it fails. Credit monitoring is a great tool- but it is just a tool. It is not an impenetrable shield, but rather a method available to you to assist you in accessing the information you need to protect yourself. Don’t believe me? The FTC and other consumer advocate groups do not recommend these services either.

Wednesday, June 24, 2009

Teaching a Nation to be Scammed

Why we open ourselves up to identity theft

Why do people give out their social security number to phishers who call them? Why do they email mortgage applications to fraudulent companies? A few decades ago, we might have been able to explain the problem by lack of education. They just don’t know the dangers or the risks. Today, that is a weaker and weaker argument. Clients contact me all the time reporting that they knew something was strange, or they knew that they should never give information over the phone, but they ignored their inner voice and exposed information anyway. Why?

In part, it is because all of our lives we have been taught how to be scammed. The very agencies that we trust to protect us have instilled habits and patterns that make it easier for criminals to manipulate us. From school to work, from local to federal government, we have unwittingly prepared ourselves psychologically to expose the deepest private details about ourselves. Before privacy and security in this country can really make a revolution, these practices must be changed.

I am not advocating mistrust of the government’s intentions in regard to any certain practice- this is not a conspiracy theory. I am advocating a healthy distrust of the humans who must handle that information. According to a recent article by Robert Siciliano, “As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks or government agencies, or simply someone who has an existing relationship with the victim.” The point of this article is not the intention of the legislation behind these practices, but rather the citizen training that occurs when procedures become habits.

First, we have been taught to trust authority figures from a very young age. We have not been taught how to verify them. This skill is absent from many people who panic when they receive a message from someone claiming to be their bank. Using the internet, the Better Business Bureau, or referring to the number on their statement or the back of their card often escapes these victims. Why isn’t their first reaction to verify any form of contact? They were never taught to do so. Did you ever verify your teachers? Even in college? Did you check what degree they held, or even if they had a criminal past? Has a police officer ever encouraged you to take their badge information and verify with the local precinct? Unlikely. Children are taught “don’t talk to strangers” but at the same time we instruct children how to identify a police officer in case they need help. This is similar to a credit card company telling consumers never to give their personal information out over the phone, but then calling a consumer to request that same information to verify transactions. Have you ever gotten a list of questions that call center representatives should be asking you to verify your identity? Do you know if it is or isn’t against company policy for them to ask for your full social security number or the last four digits? If you don’t, then you may be exposing your information to an insider threat at that organization, and you may never know.

In addition to trusting authority figures, we are often asked to repeat our social security numbers or use them as identifiers. Each time we say the number in response to the request, we have made it just a little easier to say again the next time. The more we reveal the number, the less private we feel it is and we tend to treat it as such. One of the biggest examples of this is the military’s use of SSNs as identifiers. Not only does it pose greater risk to those who are protecting our country, but these individuals may be at a higher risk while deployed or on active duty. Often military personnel do not have the time, access to resources, or ability to communicate with the credit bureaus. It isn’t just the military (although I expect more protection for the troops from them); it is also employers and professionals. All sorts of companies from dental offices to video rental shops have been using SSNs as account numbers or identifiers for decades. Not only does this expose your information to many more potential insider threats, but it also psychologically devalues the information for us. If I use my social security number at the rental store to pick up the newest DVD, it becomes far easier to hand it out to a solicitor offering to place my information in a prize drawing. The same goes for date of birth. I cringe every time I see a promotional offer come in the mail. Usually a post card that says “Happy Birthday! Good for One Free Meal on January 1st.” Nothing like a flyer announcing my birthday to leave a pit of worry in my stomach- there is no such thing as a free meal, right?

Usernames and passwords are also often overlooked. People seem to be aware of how important it is to keep these secure- yet most people (over 50%) use the same user names and passwords for everything. Remember what I said about insider threat? How easy would it be to compromise every bank account and email address you have if just one insider decided to? If your email address and a password are all you use, even better. Once they have access to your email account, all the accounts you have registered with that email become exposed. Some of us may even be exposing our work email, and our companies, with this practice. Some may even be conversing with their doctor through websites using the same information. Although public backlash forced the city to rescind the request, Bozeman recently required that job applicants provide the usernames and passwords for their internet sites. The news spread quickly, I am sure catching the eye of many a potential hacker and insider threat alike. Many professionals use social networking sites such as Twitter or Facebook. Unfortunately, many of the applications for these sites are run by third parties who are not reviewed by the social networking site for privacy or security compliance. Almost universally, your username and password are requested. Again- these sites may do what they purport to do… but what else is happening with your information? Who else may be looking at it, unbeknownst to you or the third party application?

Finally, biometric data and DNA- while these are being touted as the crowning achievement in security and crime fighting, the dangers associated with their abuse are staggering. The Washington Post reported last year on the expansion of the US DNA database program. With this extension, “The U.S. government will soon begin collecting DNA samples from all citizens arrested in connection with any federal crime and from many immigrants detained by federal authorities, adding genetic identifiers from more than 1 million individuals a year to the swiftly growing federal law enforcement DNA database.” This includes those arrested and not convicted. I understand that when you commit a crime you lose some rights, including some rights to privacy. However, including this information from people that are not convicted is a dangerous precedent to set. Not only are you denying them the right to privacy, but you are denying them the right to control their DNA without any criminal charge. This implies that no one has the right to withhold their DNA. Although fingerprint databases are used as a comparison- it isn’t an accurate one. Fingerprints are just a recording of the lines in your fingers. Your DNA contains much more information about yourself and your family. If that DNA is “misplaced”, it is the equivalent of “misplacing” a whole finger- not your print records.

Just as your SSN can be used to verify your identity, it can also be used to fraudulently use your identity- your biometric data and DNA are the same. Think about the last time you submitted a urine analysis for a job application. Did you hand the cup directly to your manager? No- of course not. You- and the company that hired you- relied on the nurses, lab technicians, truck drivers and others to safely handle the sample and the information corresponding to it. An insider threat here can result in medical history becoming exposed or misrepresented. Still not convinced? Well, while the FBI tries to block attempts at searching for false matches, youth on social networking sites are posting their STD test results. This is the best evidence available to demonstrate the lack of understanding of privacy and security at all levels of society, which is a direct result of the pervading lack of education. I encourage privacy professionals to at least mention to their employer that they think UAs are an invasion of privacy, especially if you “have nothing to hide” from them. If we, in the industry, don’t set the example- there will be no one left to teach others. This is why the attitude of any administration occupying the White House is critical to the whole privacy structure. The only way to teach privacy and security is by example.

Although not the intention, these practices create a “habit” amongst citizens that your blood, saliva and urine are unimportant and should not be protected. For those who claim that only those with “something to hide” should be concerned, let’s look at the lessons we can learn from other DNA databases. Last year, the Daily Telegraph reported that “Millions of profiles on the national DNA database have been handed over secretly to private companies without the consent of those involved”. If biometric information can be bought and sold as a commodity- the world becomes a dangerous place. Losing control over any information that is used to definitively identify you is dangerous- be it a social security number, or a sample of blood. Information for background checks is also a category of information we are trained to give without much thought. As an article published just today pointed out, most applicants are unaware of the "likelihood that much of the PII collected during a background check will travel far beyond the security of U.S. privacy laws to a foreign call center or data warehouse with little to no standards for privacy protection... rightful owner of the Personally Identifiable Information does not even have to be notified when it is sent outside of the country... providers continue 'offshoring' personal data to low-cost labor markets by using companies internationally to increase profits..." Further, "Employee personal data can also be 'repurposed' by background check companies and ATS/JBS providers to be used in another format or product, and also resold to skip tracers, lawyers, data aggregators, and marketing lists to be bought and sold again and again. The growing popularity of offshoring, repurposing, and reselling of PII data has led to identity theft and lost privacy." (Pre-employ.com)

Every time you have a person walk through a process of providing private information, you are creating a habit. It makes it easier for them to provide it again. Regardless of the intended purpose, the insider threat of misuse is too great to be balanced by the benefit these practices purport to have. Simple principles, taught early, can change the face of identity theft, fraud and scams from the ground up. While politicians and corporate executives fight round after round to hammer out better privacy and security policies that continue to fail to catch up with technology, as consumers we can conduct our own privacy revolution by simply promoting privacy and security awareness in our communities and children. None of these practices provide an impenetrable shield- nor am I advocating outright refusing all requests for information. I am simply advocating that we make it harder to invade our privacy, that we understand exactly where and how our information is used and the potential for misuse.

*Ask current financial institutions, companies and associates how they handle and protect your information. Ask them how they might notify you of a potential breach, and what additional precautions they may have available. What are their record retention and disposal policies? How do they ensure proper disposal of e-waste?

*Ask your financial institutions and other companies what is required to access your information and account. Ask what is necessary to make changes. Some companies use the telephone number you are calling from as part of the identification process. Phone numbers can be easily spoofed, and old phone numbers never get corrected. You may wish to change the information they use to verify you.

*When dealing with a company that asks personal information to identify you, inquire about other methods of verification. Can you place a password instead? What happens if you claim to have forgotten the password, or your social security number? What is their security procedure? Be concerned if the customer service representative doesn’t seem to know. These are the people who handle your information, and if they don’t understand the verification system they can’t use it correctly.

*When you have the opportunity to raise concern about the use of private information- do. Companies respond to complaints- just look at Bozeman. In another state, a temp agency recently changed the appearance of their applications after receiving complaints regarding the use of the full SSN. Now they only ask for the last four until they place an individual in a job.

*Teach youth- who are at a higher risk for fraud and identity theft- the right habits to protect their privacy and the right questions to ask.

*Insist on authority verification- there are many consumer protection agencies at the local, state and federal level that can verify the legitimacy of a company. Always insist on initiating a phone call if private information is to be discussed, even if it means calling the same person right back.

*Insist on privacy where possible- especially if you have nothing to hide. Perhaps you have nothing to hide from your potential employer or government, but how can you trust the dozens- sometimes hundreds- of other people who have access?

*Never assume that information will be used only as intended. Assume insider threats and data compromises, and monitor your credit report and financial statements for fraud. You may use http://www.annualcreditreport.com/ or call 877-322-8228 to obtain free copies of your report.

*Treat your information like currency. When I fill out a survey form in a department store to obtain a discount, I know that I’m exchanging my personal information for their use in marketing or advertising in exchange for the 10% off. Is it worth it? Is saving $3.50 on that blouse worth the risk of that information being exposed? If you’re not willing to have the information posted on a billboard for $3.50, chances are it is not worth the risk. Recently, when I voiced this concern, I have found retailers accepting just my name and zip code in exchange for the discount. I turn in a mostly blank form, and they get a happy shopper.