July 26, TechWeb News — One in four identity theft victims never fully recover. Making things right after a stolen identity can take months and cost thousands, according to a survey of identity theft victims released Tuesday, July 26. Worse, in more than one in four cases, victims haven't been able to completely restore their good name.
The survey, conducted by Nationwide Mutual Insurance Co., found that 28 percent of identity thieves' marks aren't able to reconstruct their identities even after more than a year of work. More than half of the victims discovered the theft on their own by noticing unusual charges on credit cards or depleted bank accounts, but that took time: on average, five and a half months passed between when the theft occurred and when it was spotted.
Forty percent of the victims polled named the police, their financial institution, or their credit card issuer as the "most difficult" to work with when trying to resolve the problem. Poor customer service was cited as one of the more egregious problems encountered. A surveyed victim from Orlando, FL, for instance, noted: "The institution we do all of our banking with made us feel like we were the ones trying to 'pull' something."
Survey information: http://vocuspr.vocus.com/VocusPR30/Temp/Sites/2133/a1c28924f2fd4ef8a9ba8373a0ebdcd3/national%20release.pdf
Source: http://informationweek.securitypipeline.com/news/166402691
Thursday, July 28, 2005
Wednesday, July 27, 2005
Professors make password protection product.
July 25, Associated Press — Professors make password protection product. The increase in identity theft has prompted two Stanford University professors to develop software that protects computer passwords from Internet thieves.
John Mitchell and Dan Boneh will unveil Pwdhash, software that scrambles passwords typed into Websites, then creates a unique sign-on for each site visited, at the Usenix Security Symposium in Baltimore, MD, next week.
It's the latest attempt to thwart attempts by cyber-criminals who steal passwords by creating phony online banking or e-commerce sites. Cyber criminals dupe victims into believing the site is legitimate and lure them into typing their passwords. The crooks then use the password to loot the victim's bank account. For e-commerce shoppers, many of whom have stored credit card information at their favorite online stores, the thieves may use their information to go on a shopping spree.
All the security tools are free browser plug-ins available at Stanford's Website.
Source:
Plug-ins: http://soe.stanford.edu/profiles/profile_infotech_mitchell.html
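The idea of a unique sign-on per site can be sketched as follows. This is an added example, not Pwdhash's own algorithm or code: it derives the value sent to a site from the typed password and the site's domain, so a look-alike site receives a value that does not work at the real one. HMAC-SHA256, the output encoding, the two-label domain rule and both domain names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the password is bound to.

    Assumption of this example: the last two host labels identify the site.
    That is wrong for suffixes such as co.uk; a real tool needs a proper
    public-suffix lookup.
    """
    host = urlsplit(url).hostname  # lowercased, port and userinfo removed
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return ".".join(host.rstrip(".").split(".")[-2:])


def site_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive the value actually sent to the site (HMAC-SHA256 is an assumption)."""
    mac = hmac.new(master_password.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


def captured_value_works(master_password: str, real_url: str, fake_url: str) -> bool:
    """True if what the look-alike site received would log in at the real site."""
    return hmac.compare_digest(site_password(master_password, fake_url),
                               site_password(master_password, real_url))


if __name__ == "__main__":
    # Constructed sample values; both domains are made up.
    master = "correct horse battery staple"
    real = "https://www.bank.example/login"
    fake = "https://www.bank-example.test/login"
    print("sent to real site:", site_password(master, real))
    print("sent to fake site:", site_password(master, fake))
    print("fake site's capture usable at real site:",
          captured_value_works(master, real, fake))
```

The typed password never reaches either site, and the value bound to the look-alike domain differs from the one the real site expects.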
Personal 'ICE' number on cell phone can save your life
July 25, 2005 - By John Capelland KATU Web Staff
PORTLAND, Ore. - Did you know there is a simple thing you can do on your cell phone to help emergency personnel if you are injured or have some other kind of medical emergency?
It's called 'ICE' and it could help save your life.
Emergencies happen all of the time across the Portland metropolitan area. This time, the call is for an unconscious woman on a bike path in southwest Portland.
The woman cannot speak or give the responding medical team critical details about why she might have fallen, what medications she might be on or who to contact in an emergency.
"The more information you have about someone and their needs, obviously you are able to treat that person more effectively," says Gary Gray, a paramedic with the Portland Fire Bureau.
Fortunately, in this case, the woman's husband was there to fill in paramedics on what they needed to know, but what if she had been alone, or traveling out of town?
'ICE,' which stands for 'In Case of Emergency' may be one answer.
In recent weeks, a growing e-mail movement is encouraging people to program at least one emergency contact name and number following the code word 'ICE' in their cell phone. The number would be one that emergency responders could call if something happened to you.
"(It's a) good concept," says cell phone user Matilda Rosenberg. "Sounds like a safe way to alert people."
Parents say 'ICE' is especially good for kids, who might not be carrying any other form of identification. Portland EMTs had not heard of the idea until KATU News told them about it, but say they will be looking for 'ICE' numbers from now on. "I think it's a terrific idea," says Lt. Sid Palmer with the Portland Fire Bureau. "I hope more people get in the movement and start doing this. I think it will help us provide better care and to notify family members faster."
Paramedics say programming an 'ICE' number into your cell phone might turn out to be an important addition to things like medical alert bracelets and medical ID cards.
"Growing Trend: Prosecution for Workers' Injuries, Deaths"
"Growing Trend: Prosecution for Workers' Injuries, Deaths" National Law Journal (07/18/05) Vol. 27, No. 45, P. 13; Sozio, Stephen G.; Gregory, Earnest B.
Prosecutors are increasingly charging businesses and their managers with criminal conduct in certain cases where workers have been injured or killed on the job. Although the combination of the civil tort system and federal worker-safety regulations has generally been sufficient to provide incentives for businesses to keep workers safe, criminal prosecution creates an additional risk for companies that do not follow the regulations. The most common criminal charge in such incidents is reckless homicide or reckless assault, with "recklessness" being defined as disregard of a known risk without regard to the possible consequences. As a result, businesses should establish up-to-date compliance standards for safety procedures and treat workplace injuries or deaths with the same seriousness as they would the commission of a crime. The risks of criminal prosecution for those who do not comply with federal safety standards and regulations include jail time for individuals and increased insurance costs and government monitoring for the business as a whole.
Tuesday, July 19, 2005
Imposter sites plague free credit report web sites
Imposter sites plague free credit report site
By Alorie Gilbert
http://news.com.com/Imposter+sites+plague+free+credit+report+site/2100-1028_3-5789299.html
Story last modified Thu Jul 14 20:45:00 PDT 2005
A Web site created by federal mandate last year to help consumers spot identity theft is opening up new avenues for fraud, according to a privacy watchdog group.
The site, AnnualCreditReport.com, offers consumers free copies of their own credit reports. It was launched in December by Equifax, Experian and TransUnion, the three major credit reporting agencies in the United States, in accordance with the Fair and Accurate Credit Transactions Act of 2003. The federal law aims to quell growing concerns over privacy and disclosure of sensitive financial data.
However, the online service has quickly fallen prey to imposter sites, which are designed to lure traffic from a legitimate Web site by adopting a similar domain name. Imposters targeting the AnnualCreditReport.com site now number 112, according to World Privacy Forum, a nonprofit based in San Diego that's studying the problem. Another 120 registered domains that aren't currently active employ the words annual credit report in some combination or are close misspellings of the official site, the group said.
Many of the imposter sites serve as "ad farms," referring visitors to credit bureaus that charge for the reports, World Privacy Forum said. The imposters then collect referral, or "pay per click" advertising, fees from for-pay bureaus.
The privacy advocate sounded an alarm bell on Thursday in a report that said the imposter sites "have been aggressively attempting to deceive and misdirect consumers."
Some of the sites ask visitors to supply Social Security Numbers, date of birth and other personal information, the report said. Others send consumers to pornographic sites and other sites that have nothing to do with credit reports. Only seven of the 112 imposters posted a privacy policy and only 21 of them provided consumers with information for contacting the sites' operators.
People can be reeled into imposter sites by either typing the wrong domain name of the site they mean to visit or by using a search engine to find the site and clicking on the wrong search result.
World Privacy Forum is urging the Federal Trade Commission to crack down on credit bureaus that advertise on imposter sites.
"The FTC should require credit bureaus and their subsidiaries to cease and desist from all search engine and other online advertising campaigns--including affiliate marketing programs--that use the words annual + credit + report in any combination if these search terms take consumers to a for-pay commercial site or any site other than the official annualcreditreport.com site," the group said in its report. "This is a challenging area, but one that needs to be tackled."
The FTC did not immediately return calls for comment.
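The two kinds of look-alike domain the report describes, close misspellings of the official name and names that combine the words annual, credit and report, can be told apart mechanically when reviewing a list of registered domains. The following is an added example, not code from the article or from World Privacy Forum; the sample domains are constructed, and the edit-distance threshold of 2 and the rule that the second-to-last label is the registered name are assumptions.

```python
OFFICIAL = "annualcreditreport.com"   # the official site named in the article
KEYWORDS = ("annual", "credit", "report")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def name_label(domain: str) -> str:
    """Registered name with hyphens removed: 'www.a-b.example' -> 'ab'.

    Assumption: the second-to-last label is the registered name, which does
    not hold under multi-label suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain name: {domain!r}")
    return labels[-2].replace("-", "")


def classify(domain: str, max_distance: int = 2) -> str:
    """Sort a domain into official / close-misspelling / keyword-combination / unrelated."""
    d = domain.lower().rstrip(".")
    if d == OFFICIAL or d.endswith("." + OFFICIAL):
        return "official"
    label = name_label(d)
    # The same name on another TLD (distance 0) also lands in this bucket.
    if edit_distance(label, name_label(OFFICIAL)) <= max_distance:
        return "close-misspelling"
    if all(word in label for word in KEYWORDS):
        return "keyword-combination"
    return "unrelated"


def triage(domains):
    """Group domains by category for review."""
    buckets = {}
    for domain in domains:
        buckets.setdefault(classify(domain), []).append(domain)
    return buckets


# Constructed sample input on the reserved .example TLD (not real registrations).
SAMPLE_DOMAINS = [
    "www.annualcreditreport.com",
    "anualcreditreport.example",
    "annualcreditreprot.example",
    "annual-credit-report.example",
    "free-annual-credit-report.example",
    "creditreportannual.example",
    "weatherreport.example",
]

if __name__ == "__main__":
    for category, names in triage(SAMPLE_DOMAINS).items():
        print(f"{category}: {', '.join(names)}")
```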
Tuesday, May 10, 2005
How to avoid Phishing Scams
Consumer Advice: How to Avoid Phishing Scams
The number and sophistication of phishing scams sent out to consumers are continuing to increase dramatically. While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet.
The Anti-Phishing Working Group has compiled a list of recommendations below that you can use to avoid becoming a victim of these scams.
Be suspicious of any email with urgent requests for personal financial information. Unless the email is digitally signed, you can't be sure it wasn't forged or 'spoofed'. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately. They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc. Phisher emails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
Don't use the links in an email to get to any web page if you suspect the message might not be authentic. Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser. To make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar - it should be "https://" rather than just "http://".
Consider installing a Web browser tool bar to help protect you from known phishing fraud websites. EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that's on EarthLink's list of known fraudulent phisher Web sites. It's free to all Internet users - download at http://www.earthlink.net/earthlinktoolbar.
Regularly log into your online accounts. Don't leave it for as long as a month before you check each account. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers.
Ensure that your browser is up to date and security patches applied. In particular, people who use the Microsoft Internet Explorer browser should immediately go to the Microsoft Security home page -- http://www.microsoft.com/security/ -- to download a special patch relating to certain phishing schemes.
Always report "phishing" or “spoofed” e-mails to the following groups:
forward the email to reportphishing@antiphishing.com
forward the email to the Federal Trade Commission at spam@uce.gov
forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
when forwarding spoofed messages, always include the entire original email with its original header information intact
notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ifccfbi.gov/
For more information, check some of the following sources:
For more information about how to protect yourself, see our Fact Sheet 17a Identity Theft: What to do if It Happens to You at http://www.privacyrights.org/fs/fs17a.htm. Read the information and tips put out by the Federal Trade Commission about phishing at http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm. Read the Department of Justice's recent whitepaper "Special Report on Phishing" at http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf
Workplace Violence Increasing
Workplace violence increasing, report says
A majority of senior executives responsible for human resources and security -- 82 percent -- report the number of workplace violence incidents has increased in the last two years.
A survey of 602 senior executives sponsored by Risk Control Strategies reveals increased outsourcing, downsizing, wage garnishments/salary reductions, perceived insufficient raises/bonuses and overall softening of the economy are contributing to the burgeoning backlash of workplace violence.
"Economic conditions are often the motivating factor for employees to retaliate against senior management," says Paul Viollis, Ph.D., president of Risk Control Strategies. "As the economic downturn continues, outsourcing increases and wage garnishments skyrocket as a result of the new bankruptcy bill; things are only going to get worse for HR managers and security directors."
Fifty-eight percent of companies report disgruntled employees have threatened to assault or kill senior managers in person or through e-mail in the last 12 months. Additionally, employees are intentionally downloading computer viruses, sexually harassing co-workers and sabotaging the company through malicious product tampering.
"Leveling verbal threats is one of the first signs that violence is imminent," says Doug Kane, executive vice president of Risk Control Strategies.
Although 80 percent of respondents believe workplace violence is a bigger problem today than it was two years ago, only 15 percent of companies have increased their spending to combat workplace violence, according to the study.
Wednesday, April 27, 2005
Social Security numbers for sale: Who pays?
April 5, 2005
BY JONATHAN KRIM
THE WASHINGTON POST
Want someone else's Social Security number? It's $35 at www.secret-info.com. It's $45 at www.iinfosearch.com, where users also can sign up for a report containing an individual's credit-card charges, as well as an e-mail with other "tips, secrets & spy info!" The Web site Gum-shoes.com promises that "if the information is out there, our licensed investigators can find it." Although Social Security numbers are one of the most powerful pieces of personal information an identity thief can possess, they remain widely and inexpensively available despite public outcry and the threat of a congressional crackdown after breaches at large information brokers.
Brokers such as ChoicePoint Inc. and LexisNexis have pledged to restrict the availability of such data after personal information on more than 175,000 people was purloined from the two firms by identity thieves posing as legitimate businesspeople.
So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multitiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud. A simple Internet search yields more than a dozen Web sites offering an array of personal data. Some are run by small data brokers. Others are run by private investigators, many of whom have complained that recently announced restrictions on the availability of Social Security numbers would hurt their ability to assist law enforcement, track down deadbeat dads or locate witnesses.
Yet with only scant checks to verify whether someone requesting data is legitimate, several sites sell full Social Security numbers, potentially contributing to an epidemic of identity theft and fraud that touched about 10 million Americans in the past year. No law prohibits the sale of Social Security numbers, but privacy experts and some government agencies have warned for years that the number is overused and under-protected.
Inaugurated in 1936, the nine-digit number was intended to match citizens to the retirement money they would eventually receive. Over time, the number became essential for getting or verifying credit and for employment background checks. Eventually, it became so deeply linked to personal data throughout the economy that it became a de facto national identifier.
"For identity thieves, it's their magic key ... that gets into every door," said Daniel Solove, a George Washington University law school professor who specializes in privacy law. Nonetheless, some insurance companies still use the Social Security number as an individual's account number, printing it on identification cards, leaving people immediately vulnerable if wallets are stolen or lost. Medical offices routinely request Social Security numbers, often when initial appointments are made, and many universities use them as student identification numbers.
According to a recent study commissioned by Unisys Corp., a technology consulting company, about half of large financial institutions use Social Security numbers to verify the identities of customers who call in for services. Some even use the numbers to identify customers as part of the log-in process when they want to access accounts via the Internet. So vital are Social Security numbers in this sea of information that ChoicePoint warned investors in a recent Securities and Exchange Commission filing that its business could suffer if the rules on distribution of Social Security numbers were tightened.
The mass breaches of data at ChoicePoint and LexisNexis forced the companies to become proactive. Executives of both firms told Congress last month that for many of their non-law-enforcement clients, Social Security numbers would be truncated so that only five digits would appear on reports. But plenty of sources for the information still exist.
Using an intermediary, The Washington Post was able to obtain the full Social Security number of a reporter within 24 hours from two of three online providers the intermediary contacted. Not all providers advertise Social Security numbers, and those that do promise to verify that the buyer has a legitimate reason for seeking a number, such as to complete tax forms of an employee or to find someone involved in a court action. The intermediary, a security consultant who helped the Federal Trade Commission identify illegal data sales in 1999, told the providers he needed the number for tax purposes. Two providers accepted that reason without question or requests for documentation. A third refused to supply Social Security numbers.
Under a law that took effect in 2001, non-public data from financial records cannot be sold or transferred without giving the individuals involved a chance to opt out. There are several exceptions, however, including employment checks, for tax filing, or to process a financial transaction. The system relies on the honesty of the person seeking data, and the diligence of the person selling it.
Several members of Congress are sponsoring new privacy legislation, including bills that would ban the sale of Social Security numbers without individuals' permission. Privacy experts say financial institutions should use multiple test questions when people call in for account information, rather than just requesting a Social Security number. If the number is compromised, they say, it's hard to limit the damage because new numbers are almost never issued.
Copyright 2005 Newsday Inc.
BY JONATHAN KRIM
THE WASHINGTON POST
Want someone else's Social Security number? It's $35 at www.secret-info.com. It's $45 at www.iinfosearch.com, where users also can sign up for a report containing an individual's credit-card charges, as well as an e-mail with other "tips, secrets & spy info!" The Web site Gum-shoes.com promises that "if the information is out there, our licensed investigators can find it." Although Social Security numbers are one of the most powerful pieces of personal information an identity thief can possess, they remain widely and inexpensively available despite public outcry and the threat of a congressional crackdown after breaches at large information brokers.
Brokers such as ChoicePoint Inc. and LexisNexis have pledged to restrict the availability of such data after personal information on more than 175,000 people was purloined from the two firms by identity thieves posing as legitimate businesspeople.
So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multitiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud. A simple Internet search yields more than a dozen Web sites offering an array of personal data. Some are run by small data brokers. Others are run by private investigators, many of whom have complained that recently announced restrictions on the availability of Social Security numbers would hurt their ability to assist law enforcement, track down deadbeat dads or locate witnesses.
Yet with only scant checks to verify whether someone requesting data is legitimate, several sites sell full Social Security numbers, potentially contributing to an epidemic of identity theft and fraud that touched about 10 million Americans in the past year. No law prohibits the sale of Social Security numbers, but privacy experts and some government agencies have warned for years that the number is overused and under-protected.
Inaugurated in 1936, the nine-digit number was intended to match citizens to the retirement money they would eventually receive. Over time, the number became essential for getting or verifying credit and for employment background checks. Eventually, it became so deeply linked to personal data throughout the economy that it became a de facto national identifier.
"For identity thieves, it's their magic key ... that gets into every door," said Daniel Solove, a George Washington University law school professor who specializes in privacy law. Nonetheless, some insurance companies still use the Social Security number as an individual's account number, printing it on identification cards, leaving people immediately vulnerable if wallets are stolen or lost. Medical offices routinely request Social Security numbers, often when initial appointments are made, and many universities use them as student identification numbers.
Privacy watchdog warns job seekers to beware
April 21, SecurityFocus — Privacy watchdog warns job seekers to beware.
Online fraudsters are increasingly taking advantage of vulnerable job seekers
by using online résumés to steal their identity, a privacy expert warned this week.
The threats range from job fraud, where a criminal group poses as a legitimate
employer to launder money, to the sale of résumé details to database companies for
use in background checks. The seemingly small act of posting a résumé
publicly can have significant impact: over the past year, more than a dozen
Americans have been accused of a felony because their identity has been used for
online crime, said Pam Dixon, executive director of the World Privacy Forum.
Ironically, the major résumé services offer tools to help job seekers keep their
identity private from the public, but workers fail to take advantage of the features
because they do not understand the dangers, Dixon said. However, a
majority of résumé services still don't take the issues seriously, she added.
Tuesday, April 26, 2005
Identity theft can be costly to small business
Small corporations can be more vulnerable
Tracy Kershaw-Staley
DBJ Staff Reporter
Small businesses aren't immune from the data security breaches that have recently stung LexisNexis Corp. and DSW Corp., experts say.
They said small-business owners are faced with myriad issues involving data security. Companies of every size must guard their databases against intruders and, in case of a breach, notify customers and salvage their business's reputation.
"The small businesses, medium businesses, large businesses -- all should be concerned," said Sheila Adkins, spokeswoman for the Council of Better Business Bureaus in Arlington, Va.
In March, LexisNexis announced that intruders accessed information including names and Social Security numbers of more than 300,000 customers. Columbus-based DSW Corp. announced last month that computer hackers stole data from more than 100 DSW stores, including two in Dayton, making away with 1.4 million credit card numbers.
Despite the high-profile cases at large corporations, small-business networks are particularly vulnerable to attack, said Vincent Weafer, senior director of security response for Cupertino, Calif.-based Symantec. Symantec, an Internet security company, recently studied attacks during July 2004 through December 2004.
Local offices of large corporations are subject to attacks from hackers who see them as a weak entry point to the entire corporation's network, Weafer said.
Also, small businesses tend to overprotect one computer, for instance one that houses the accounting software, but leave others unprotected. Intruders will use the unprotected computers as a way to get into the better protected machine, Weafer said. Spammers also are attracted to small-business computer networks because they tend to be left on, allowing the spammer to constantly send e-mails, he said.
"Awareness and preparation are the biggest differences between a large enterprise and a small business," he said.
Steve Anzur, director of the Springfield Small Business Development Center, said the issue of data security has never come up during his meetings with small-business owners.
And Rebecca Wells, an associate marketing professor at the University of Dayton, said she was surprised to find that small-business owners in a focus group she ran a couple of years ago had not thought about security issues but were doing a lot of business electronically.
But Anzur said it's time for all of Ohio's small-business development centers to address it.
"As a group of small-business development centers, we need to put that on the front burner and begin to develop some strategies for small businesses in this area," he said. "At this point we have not."
Wells said companies that are hit with an attack should acknowledge the incident, show a plan of action and do whatever is necessary to restore the trust.
"The response of the company can make all the difference," she said.
Companies soon could be required by federal law to notify individuals in writing or e-mail when it's believed that personal information has been compromised. U.S. Sen. Dianne Feinstein (D-Calif.) recently introduced a National ID Theft Notification Bill.
At a hearing on the bill, Kurt Sanford, president and chief executive officer of U.S. corporate and federal government markets for LexisNexis, said the company supports the idea of legislation that would address the issue. LexisNexis also would support tougher penalties for identity theft crime, Sanford said during his testimony.
Anzur said he thinks consumers have a right to be notified if their information is violated, regardless of the cost to the business.
"They have to end up passing those costs on to their clients," Anzur said. "But at the same time I think the legislators are correct, regardless of the cost, you cannot continue to have those security breaches and whatever it takes to close the door has to be done."
Tuesday, April 19, 2005
Newlyweds targeted in identity theft scam
April 17, The News Journal (DE) — Newlyweds targeted in identity theft scam.
The latest identity theft scam targets newlyweds, said New Castle County, DE, Clerk of the Peace Ken Boulden. The unwitting couple receives a letter saying they are required to register their name change with the federal government. They are asked to supply a wealth of personal information -- address, birth date, even Social Security number. A fee of $15 to $20 is needed, payable by check or credit card.
"Not only have you given them your entire life on this registration card,
you've given them copies of your signature, your routing number or your bank account number, and you're paying them to take it," Boulden said. "There is no federal or state requirement or law that mandates that you register or record your change of name after marriage, period," he said. Boulden first learned of this relatively new scam while attending a conference. He said he was surprised to hear of it, and even more surprised that newlyweds have started calling his office to ask about mailings from entities with official-sounding names such as National Record Service Corp. and U.S. Record Service Corp.
Source: http://www.delawareonline.com/newsjournal/local/2005/04/17newlywedstarget.html
Monday, April 18, 2005
Guide for Snipers Posted Online
April 15, 2005
An illustrated, eight-page guide published recently on al-Qaeda’s military message boards details the role snipers play in an organized military effort and provides basic training and equipment suggestions. For example, the authors take pains to specify that, due to their highly specialized and essential role, snipers must have better equipment than normal infantry. The guide proceeds to describe the situations in which snipers can be most effective, specifically “cities and towns, ambushes, fights against patrols, slaying operatives, and sneaking behind the enemy”. The last situation underscores the guide’s repeated assertions that snipers should be able to conduct operations behind enemy lines, effectively doubling as scouts. The illustrations not only include diagrams on how to move while camouflaged, but also several photographs depicting equipment needed by a sniper.
According to the guide, “he [the sniper] is indispensable to any field leader… by achieving his main mission, the sniper will have inflicted casualties upon the enemy, frightened and demoralized them, confused them, and slowed down their movements”. Snipers should “operate in teams of two” in “a stable, comfortable place where [they] can find targets, estimate the distance, height, wind speed, and adjust [their] position correspondingly”. Finally, the guide demonstrates ways of moving stealthily by “low crawling”, “medium crawling”, “high crawling”, and “walking”.
Sample International Travel Policy
Travel Policy During National/International Unrest
Policy:
Business travel should be limited to those situations where business cannot be reasonably conducted without face-to-face interaction or visits to specific locations. Special rules for times of international or national crises including threats of terrorism, local unrest or war are provided below.
Procedures:
1. Safety of international travel will be determined by following State Department guidance on travel by Americans to other countries. Under no circumstances will employees travel to countries declared as unsafe.
2. Employees on travel in countries which later become declared unsafe will be expected to leave the country immediately, making contact with the U.S. embassy and/or U.S. consulate wherever possible before departure.
3. The employee’s direct supervisor is expected to monitor the notices for high-risk countries on a daily basis to ensure the safety of existing employees during travel out of the country.
4. Domestic travel should proceed as planned, following current guidance issued by the FAA regarding safety and security.
5. All employees traveling during such periods should leave their supervisors with a detailed itinerary including flight information, destination contact information, cell phone number and updated emergency contact information prior to departure.
6. Employee safety is of primary concern and will always be carefully balanced with business and job-related requirements.
7. Employees who have particular concerns about traveling at a specific time or to a specific location should address their concerns with their supervisor.

