Wednesday, April 27, 2005

Social Security numbers for sale: Who pays?

April 5, 2005

BY JONATHAN KRIM
THE WASHINGTON POST


Want someone else's Social Security number? It's $35 at www.secret-info.com. It's $45 at www.iinfosearch.com, where users also can sign up for a report containing an individual's credit-card charges, as well as an e-mail with other "tips, secrets & spy info!" The Web site Gum-shoes.com promises that "if the information is out there, our licensed investigators can find it."

Although Social Security numbers are one of the most powerful pieces of personal information an identity thief can possess, they remain widely and inexpensively available despite public outcry and the threat of a congressional crackdown after breaches at large information brokers.

Brokers such as ChoicePoint Inc. and LexisNexis have pledged to restrict the availability of such data after personal information on more than 175,000 people was purloined from the two firms by identity thieves posing as legitimate businesspeople.

So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multitiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud.

A simple Internet search yields more than a dozen Web sites offering an array of personal data.

Some are run by small data brokers. Others are run by private investigators, many of whom have complained that recently announced restrictions on the availability of Social Security numbers would hurt their ability to assist law enforcement, track down deadbeat dads or locate witnesses.

Yet with only scant checks to verify whether someone requesting data is legitimate, several sites sell full Social Security numbers, potentially contributing to an epidemic of identity theft and fraud that touched about 10 million Americans in the past year.

No law prohibits the sale of Social Security numbers, but privacy experts and some government agencies have warned for years that the number is overused and under-protected.

Inaugurated in 1936, the nine-digit number was intended to match citizens to the retirement money they would eventually receive. Over time, the number became essential for getting or verifying credit and for employment background checks.

Eventually, it became so deeply linked to personal data throughout the economy that it became a de facto national identifier.

"For identity thieves, it's their magic key ... that gets into every door," said Daniel Solove, a George Washington University law school professor who specializes in privacy law.

Nonetheless, some insurance companies still use the Social Security number as an individual's account number, printing it on identification cards, leaving people immediately vulnerable if wallets are stolen or lost. Medical offices routinely request Social Security numbers, often when initial appointments are made, and many universities use them as student identification numbers.

According to a recent study commissioned by Unisys Corp., a technology consulting company, about half of large financial institutions use Social Security numbers to verify the identities of customers who call in for services. Some even use the numbers to identify customers as part of the log-in process when they want to access accounts via the Internet.

So vital are Social Security numbers in this sea of information that ChoicePoint warned investors in a recent Securities and Exchange Commission filing that its business could suffer if the rules on distribution of Social Security numbers were tightened.

The mass breaches of data at ChoicePoint and LexisNexis forced the companies to become proactive.

Executives of both firms told Congress last month that for many of their non-law-enforcement clients, Social Security numbers would be truncated so that only five digits would appear on reports.

But plenty of sources for the information still exist.

Using an intermediary, The Washington Post was able to obtain the full Social Security number of a reporter within 24 hours from two of three online providers the intermediary contacted.

Not all providers advertise Social Security numbers, and those that do promise to verify that the buyer has a legitimate reason for seeking a number, such as to complete tax forms of an employee or to find someone involved in a court action.

The intermediary, a security consultant who helped the Federal Trade Commission identify illegal data sales in 1999, told the providers he needed the number for tax purposes. Two providers accepted that reason without question or requests for documentation. A third refused to supply Social Security numbers.

Under a law that took effect in 2001, non-public data from financial records cannot be sold or transferred without giving the individuals involved a chance to opt out. There are several exceptions, however, including employment checks, for tax filing, or to process a financial transaction. The system relies on the honesty of the person seeking data, and the diligence of the person selling it.

Several members of Congress are sponsoring new privacy legislation, including bills that would ban the sale of Social Security numbers without individuals' permission.

Privacy experts say financial institutions should use multiple test questions when people call in for account information, rather than just requesting a Social Security number. If the number is compromised, they say, it's hard to limit the damage because new numbers are almost never issued.

Copyright 2005 Newsday Inc.

Privacy watchdog warns job seekers to beware

April 21, SecurityFocus — Privacy watchdog warns job seekers to beware.

Online fraudsters are increasingly taking advantage of vulnerable job seekers by using online résumés to steal their identity, a privacy expert warned this week. The threats range from job fraud, where a criminal group poses as a legitimate employer to launder money, to the sale of résumé details to database companies for use in background checks. The seemingly small act of posting a résumé publicly can have significant impact: over the past year, more than a dozen Americans have been accused of a felony because their identity has been used for online crime, said Pam Dixon, executive director of the World Privacy Forum. Ironically, the major résumé services offer tools to help job seekers keep their identity private from the public, but workers fail to take advantage of the features because they do not understand the dangers, Dixon said. However, a majority of résumé services still don't take the issues seriously, she added.

Tuesday, April 26, 2005

Identity theft can be costly to small business

Small corporations can be more vulnerable
Tracy Kershaw-Staley
DBJ Staff Reporter
Small businesses aren't immune from the data security breaches that have recently stung LexisNexis Corp. and DSW Corp., experts say.

They said small-business owners are faced with myriad issues involving data security. Companies of every size must guard their databases against intruders and, in case of a breach, notify customers and salvage their businesses' reputation.

"The small businesses, medium businesses, large businesses -- all should be concerned," said Sheila Adkins, spokeswoman for the Council of Better Business Bureaus in Arlington, Va.

In March, LexisNexis announced that intruders accessed information including names and Social Security numbers of more than 300,000 customers. Columbus-based DSW Corp. announced last month that computer hackers stole data from more than 100 DSW stores, including two in Dayton, making away with 1.4 million credit card numbers.

Despite the high-profile cases at large corporations, small-business networks are particularly vulnerable to attack, said Vincent Weafer, senior director of security response for Cupertino, Calif.-based Symantec. Symantec, an Internet security company, recently studied attacks during July 2004 through December 2004.

Local offices of large corporations are subject to attacks from hackers who see them as a weak entry point to the entire corporation's network, Weafer said.

Also, small businesses tend to overprotect one computer, for instance one that houses the accounting software, but leave others unprotected. Intruders will use the unprotected computers as a way to get into the better protected machine, Weafer said. Spammers also are attracted to small-business computer networks because they tend to be left on, allowing the spammer to constantly send e-mails, he said.

"Awareness and preparation are the biggest differences between a large enterprise and a small business," he said.

Steve Anzur, director of the Springfield Small Business Development Center, said the issue of data security has never come up during his meetings with small-business owners.

And Rebecca Wells, an associate marketing professor at the University of Dayton, said she was surprised to find that small-business owners in a focus group she ran a couple of years ago had not thought about security issues but were doing a lot of business electronically.

But Anzur said it's time for all of Ohio's small-business development centers to address it.

"As a group of small-business development centers, we need to put that on the front burner and begin to develop some strategies for small businesses in this area," he said. "At this point we have not."

Wells said companies that are hit with an attack should acknowledge the incident, show a plan of action and do whatever is necessary to restore the trust.

"The response of the company can make all the difference," she said.

Companies soon could be required by federal law to notify individuals in writing or e-mail when it's believed that personal information has been compromised. U.S. Sen. Dianne Feinstein (D-Calif.) recently introduced a National ID Theft Notification Bill.

At a hearing on the bill, Kurt Sanford, president and chief executive officer of U.S. corporate and federal government markets for LexisNexis, said the company supports the idea of legislation that would address the issue. LexisNexis also would support tougher penalties for identity theft crime, Sanford said during his testimony.

Anzur said he thinks consumers have a right to be notified if their information is violated, regardless of the cost to the business.

"They have to end up passing those costs on to their clients," Anzur said. "But at the same time I think the legislators are correct, regardless of the cost, you cannot continue to have those security breaches and whatever it takes to close the door has to be done."

Tuesday, April 19, 2005

Newlyweds targeted in identity theft scam

April 17, The News Journal (DE) — Newlyweds targeted in identity theft scam.

The latest identity theft scam targets newlyweds, said New Castle County, DE, Clerk of the Peace Ken Boulden. The unwitting couple receives a letter saying they are required to register their name change with the federal government. They are asked to supply a wealth of personal information -- address, birth date, even Social Security number. A fee of $15 to $20 is needed, payable by check or credit card.

"Not only have you given them your entire life on this registration card, you've given them copies of your signature, your routing number or your bank account number, and you're paying them to take it," Boulden said. "There is no federal or state requirement or law that mandates that you register or record your change of name after marriage, period," he said. Boulden first learned of this relatively new scam while attending a conference. He said he was surprised to hear of it, and even more surprised that newlyweds have started calling his office to ask about mailings from entities with official-sounding names such as National Record Service Corp. and U.S. Record Service Corp.

Source: http://www.delawareonline.com/newsjournal/local/2005/04/17newlywedstarget.html

Monday, April 18, 2005

Guide for Snipers Posted Online
April 15, 2005

An illustrated, eight-page guide published recently on al-Qaeda’s military message boards details the role snipers play in an organized military effort and provides basic training and equipment suggestions. For example, the authors take pains to specify that, due to their highly specialized and essential role, snipers must have better equipment than normal infantry. The guide proceeds to describe the situations in which snipers can be most effective, specifically “cities and towns, ambushes, fights against patrols, slaying operatives, and sneaking behind the enemy”. The last situation underscores the guide’s repeated assertions that snipers should be able to conduct operations behind enemy lines, effectively doubling as scouts. The illustrations not only include diagrams on how to move while camouflaged, but also several photographs depicting equipment needed by a sniper.


According to the guide, “he [the sniper] is indispensable to any field leader… by achieving his main mission, the sniper will have inflicted casualties upon the enemy, frightened and demoralized them, confused them, and slowed down their movements”. Snipers should “operate in teams of two” in “a stable, comfortable place where [they] can find targets, estimate the distance, height, wind speed, and adjust [their] position correspondingly”. Finally, the guide demonstrates ways of moving stealthily by “low crawling”, “medium crawling”, “high crawling”, and “walking”.

Sample International Travel Policy

Travel Policy During National/International Unrest

Policy:
Business travel should be limited to those situations where business cannot be reasonably conducted without face-to-face interaction or visits to specific locations. Special rules for times of international or national crises including threats of terrorism, local unrest or war are provided below.
Procedures:
1. Safety of international travel will be determined by following State Department guidance on travel by Americans to other countries. Under no circumstances will employees travel to countries declared as unsafe.
2. Employees on travel in countries which later become declared unsafe will be expected to leave the country immediately, making contact with the U.S. embassy and/or U.S. consulate wherever possible before departure.
3. The employee’s direct supervisor is expected to monitor the notices for high-risk countries on a daily basis to ensure the safety of existing employees during travel out of the country.
4. Domestic travel should proceed as planned, following current guidance issued by the FAA regarding safety and security.
5. All employees traveling during such periods should leave their supervisors with a detailed itinerary including flight information, destination contact information, cell phone number and updated emergency contact information prior to departure.
6. Employee safety is of primary concern and will always be carefully balanced with business and job-related requirements.
7. Employees who have particular concerns about traveling at a specific time or to a specific location should address their concerns with their supervisor.