Identity Theft Secrets           Videos             News               SuperSleuths                Articles               About          Solution           Contact          Links

Join the IDT SecretsSuperSleuths.    Your Name:      E-mail:

How do you become known as the #1 bank in America for helping protect people from Identity Theft?

Well, it's quite simple actually.

The Javelin Strategy and Research firm, which evaluated 24 major banks, awarded the top three banks similar marks for their ability to help protect customer data. Here's some of the strong points, from the last year or so, that you should consider if you wish to be among the top three.

First, it would be a good idea to lose 2.6 million customer records belonging to Circuit City credit card holders. Accidentally take the records to a landfill and bury them.

Next, you could find yourself among the best by allowing several data breaches to take place. Accidently leave digital doors open, or even physical doors, so that your customers' information can leave with a criminal. Make sure that when you're shipping information, you use a company that will lose data tapes for 145,000 government and military cardholders.

After that, make sure that your executives have limitless access to sell customer information for personal and corporate gain, and while you're at it, incentivize employees to open new accounts in the name of your customers.

(If you haven't yet caught that this is satirical, now would be a good time to pick up on that.)

There are undoubtedly some people inside of these banks who are working extremely hard to make sure your information stays secure. To these people, the customers of those banks owe a huge debt of gratitude.

But why are these companies (a bank is, after all, a company) even talking about awards for technologies to protect our credit and banking information from Identity Theft?

Why are we not talking about ways to revise the ways our social security numbers are used?

Why are we not talking about putting walls of protection around individuals, where they're most vulnerable.

While some very intelligent people should be awarded for the software and technologies they have created to protect people's information, the fact remains that their employers, these banks, are hiring and assigning them to create solutions to address the symptoms of a much larger disease.

Identity Theft, and the ease with which thieves can commit this atrocity, is a much larger problem than something that can be solved by the "adoption of "two-factor" authentication" or some other similar method.

Here's a novel idea for the banks and card companies - make my information less valuable to a thief.

Suddenly, the problem of Identity Theft begins to become much less severe.

If the lobbies for the banks got together and demanded changes in the laws surrounding our social security numbers, and demanded that the credit bureaus and medical information bureau and Social Security Administration used something to verify us other than a silly little 9 digit number... if these very powerful lobbyists were willing to use their power to cut through the symptoms and attack the root of the problem, that would TRULY be something worth awarding.

For now, I'll stick with my local bank, and move my money away from all the companies mentioned below. I recommend you find a way to do the same.

The banks involved in the judging for this *award* included AmSouth, Bank of America, Bank of New York, BB&T, Citibank, E*Trade, Fifth Third Bank, HSBC, JP Morgan Chase, KeyBank, M&T Bank, Marshall & Ilsley Bank, National City Bank, Navy FCU, NetBank, PNC Bank, Regions Bank, Sovereign Bank, SunTrust, Union Bank of California, US Bank, Wachovia, Washington Mutual, and Wells Fargo,

Posted by Jonathan at 01:30 PM | Permalink | Comments (3)

The New York Times pubished an article yesterday which has a kind of tongue-in-cheek approach to the data theft which has been taking place at companies around the United States and Canada.

A survey of 484 United States-based information technology departments within business or governmental organizations...found, among other things, that more than half of corporate laptops contained unprotected sensitive data, that one in 10 laptops is stolen and that 97 percent of those are never recovered. The study also found that 81 percent of firms reported that an “electronic storage device such as a laptop” specifically containing sensitive or confidential information had been lost or stolen in the past year.

If nothing else, the Commerce Department can be comforted by the fact that its loss of 1,137 laptops over the last five years is hardly unusual.

This kind of toungue-in-cheek comment is sort of the way I approach identity theft. The problem is so big, and the misinformation in the marketplace so prevalent, that, as the NYT states; "the volume of lost consumer data remains almost comically epidemic."

The biggest problem is that our social security numbers are so valuable, and so universally used.

But that's not going to change any time too soon. The lobbies for insurance, credit, and the banking industry as a whole are simply too large, and too powerful, for any smaller initiative to achieve any really valuable change in the way our social security numbers are used. (I will be talking about an interesting patent tomorrow though.)

The article goes on to say that Joseph Ansanelli, the chief executive and founder of Vontu, who has testified before Congress on privacy problems, says that although that is necessary for companies to have passwords and encryption technologies in place, the more important thing to do is to establish a policy for your company on how to deal with data.

“Only by focusing on understanding where data is stored and where it is going can organizations better protect information and prevent it from being carried or sent insecurely,” Mr. Ansanelli said. “Taller fences or more locks on the doors won’t help.”

I couldn't agree more.

What's confusing is that the article points out that if companies don't start doing this on their own, then the government may be forced to step in and start requiring companies to create policies for data protection.

Well, here's the thing that they seem to have missed.

Congress has already stepped in.

FACTA
There is a law called FACTA. I've written several articles on FACTA (which have been widely plagaried), and done a FACTA video presentation, explaining that under the FACTA disposal provision, if you don't destroy information, and it leads to Identity Theft, then there are federal fines of up to $2,500.00, and state fines up to $1,000, per employee, per incident. The business is liable for any damages the individual suffers as the result of a breach of information, and can be taken to court for this.

HIPAA (Expansion of the original happened in April 2006)
This refers to Health Information - but for any employer who loses employee information, the penalties can be up to $250,000/employee/incident, AND those responsible can actually serve jail time.

Gramm-Leach-Bliley Safeguards Rule
For any employer who loses employee information, the penalties can be up to $1,000,000/employee/incident, those responsible for losing the information can actually serve jail time, AND they can be held criminally liable for the actions committed by the Identity Thief.

I don't know about you, but these seem like some pretty intense penalties to me. So it's confusing that the New York Times published a respected expert on Identity Theft saying that :

"if organizations do not stop the insanity of data loss, Congress will be forced to act and mandate new protections for all this information"

Congress has already put the mandates in place. The problem is that most small to medium-sized companies don't know that the mandates exist. If they lose the information and are taken to court, they will likely no longer be in business.

To ask questions on how this affects your company, click here.

Posted by Jonathan at 08:34 AM | Permalink | Comments (0)

So there are some companies out there that are marketing their products under the guise that their services will help you prevent Identity Theft.

Actually, there are HUNDREDS of companies marketing their "solutions" as things that will help you with Identity Theft.

Though there are many, we are going to pick on just two today.

Product #1
Data Safe Wallets:

From the Press Release:
"Its new line of DataSafe Wallets(TM) for men and women (are) designed to protect the new 'smart card' credit cards from wireless identity theft."

Well, yah, I guess you could say that you would be protecting your already encrypted smart card by having a wallet shielded with some sort of RF-blocking material. While this is a good idea in concept, it doesn't really address Identity Theft. All it does is protect the cards in your wallet. Since the vast majority of Identity Theft doesn't occur by someone grabbing your information wirelessly from an encrypted data stream, these wallets aren't really helping people with the problem of identity theft.

Overall impact on helping people with Identity Theft? Minimal

Product #2
GPS Installed into Laptop computers

This is being marketed as something that will decrease incidence of Identity Theft.
This product is actually very cool. Not only does it track a stolen laptop, but it will actually hide sensitive files based on the proximity of a computer to a sensor, or based on a person logging in to a web site and "Locking down" sensitive information on the computer remotely.

While a cool product, this doesn't really help with Identity Theft:

#1. An Identity Thief who is stealing the computer for the purpose of getting personal information from it, is going to get the information off of the computer as quickly as possible (possibly before it leaves the location where it's stolen from, and possibly even before anyone knows it's stolen).

#2. What if the Identity Thief is the person you've hired and given the computer to? There are numerous cases, but here's an example.http://www.buzzle.com/editorials/3-16-2005-67177.asp

Overall impact on helping people with Data Security? Likely very good.
Overall impact on Identity Theft: Minimal

Be careful when you're looking at purchasing Identity Theft Solutions. The products may be cool, but unless they provide a complete umbrella of protection around you, they're likely using the buzz around the term "Identity Theft" to market to you.

Posted by Jonathan at 10:30 PM | Permalink | Comments (1)

The Identity Theft Task Force has gone to work in Washington, offering some really good ideas on what should be done to curb and slow the growth of Identity Theft.

One interesting point from the article at Information Week is this:

Victims of identity theft should be allowed to seek restitution from defendants for time spent undoing damage from the offense, according to interim recommendations issued Tuesday by a federal task force on ID theft.

This is an excellent suggestion. There is, however, a challenge with it. That challenge is to ask the question, who is the defendant?

When we're talking about Identity Theft as a society, we're generally not talking about the whole picture of Identity Theft.

As I have talked about in previous posts, there is a reseller network at work, who wants to steal your information. And they will do whatever they need to do in order to profit from your information.

The article says that

Businesses were the source of information breaches in 30% of cases. Of these, data breaches accounted for 6% of the overall total, fraudulent transaction processing accounted for 7%, and employee wrongdoing accounted for 15%.

So here's a possible process for Identity Theft to take place:
Employer --> hires employee --> sells information to crook by physically handing them a disk --> uploads information to online forum for sale to information broker --> sells information to reseller --> sells information to a criminal --> criminal activity committed in the name of the defendant.

Who's responsible? Who's the "defendant"?

Well, generally, the criminals can be pretty hard to track. Only 1 in 700 people taking part in Identity Theft are actually prosecuted. So who becomes the defendant?

If the information loss can be tracked back to the business, then the employee will likely be arrested or charged.

But is the employee the defendant, or is the employer the defendant? According to the Federal Trade Commission, a widening of the laws under Gramm Leach Bliley, as well as the FACTA disposal provision, and even the expansion of HIPAA, as well as some state statutes, BOTH are responsible if proper provisions haven't been put in place.

Kind of makes employers feel all warm and fuzzy.

What I'm recommending is that employers contact a Certified Identity Theft Risk Management Professional to help them be sure they're in full compliance with this whole new set of issues. If you are interested in learning more about protecting your company, I'd be happy to take a few minutes with you. You can contact me here.

Posted by Jonathan at 12:56 PM | Permalink | Comments (0)

The daily Trojan, which is the Student Newspaper for the University of Southern California, today is reporting that the Los Angeles Police Department is investigating 16 USC Identity Theft crimes.

What’s interesting is that between August 4th and September 5th, someone used student, faculty, and staff account, to make unauthorized ATM Withdrawls, purchase things fraudulently on the Internet, and open unauthorized credit card accounts. Peter Tom, the vice president of member services for the USC Credit Union, says that he didn’t know about the LAPD investigation, and doesn’t really know why this could be taking place.

I’d like to offer a possible reason for why it could be taking place.

On the Privacy Rights Clearinghouse Web site, you can see a chronology of data breaches since the original choice point data breach incident. Looking at that page, it is easy to see that USC has had two different data breaches, resulting in over 300,000 pieces of collective compromised data from different points at the University of Southern California.

How could this have possibly resulted in false accounts being created in the names of USC Students?

Well, as we’ve covered in previous Identity Theft Secrets videos, there is a large reseller network, at work, to sell your information. And while someone may have stolen the information on a laptop, the information, if re-sold, can be sold, and re-sold, and re-sold over again, and used by criminals over, and over, and over again.

There are multiple web sites on the internet which basically serve as forums for criminals to sell and re-sell information, once it’s stolen.

They can also use IRC (or Internet Relay Chat) to communicate with one another. And many frequently do.

So, while it is possible that the reason student information was mis-used was because students were just returning to school and that gave more opportunities for the information to be stolen, it is also possible, and even likely, that the students themselves had nothing to do with their information being mis-used. It is even likely that their information has now been made available on the larger underground trading market where people’s information is being bought and sold as a commodity.

Posted by Jonathan at 06:09 PM | Permalink | Comments (0)

The New York Times ran a large article spread today covering something we have been talking about for a long time: Identity theft isn't just about financial gain.

Oh really? You mean that those cute Citibank ads aren't really explaining the whole problem of Identity Theft to me?

Parts of the article seem to offer that it's okay for people to enter this country illegally, and use the social security numbers of Americans to get work.

The Federal Trade Commission, which estimates that 10 million Americans have their identities stolen each year, does not distinguish between people who steal Social Security numbers so they can work and those who are out to steal money. Illegal immigrants make up nearly one of every 20 workers in America, according to estimates by the Pew Hispanic Center, and most are working under fraudulent Social Security numbers, which can be bought in any immigrant community or in Mexico.

What the article seems to be suggesting is that we should we really distiguish between:

Someone who does something illegal in order to do something legal

from

Someone who does someting illegal in order to do something illegal

That's the way I read that paragraph anyway. The statistical data might be interesting to have, but what does it really matter? Identity Theft is Identity Theft, regardless if it's a means to a positive or a negative end.

The article goes on to show this quote from a professor of sociology at Princeton

“It’s basically a subsidy from migrant workers to the aggregate of American taxpayers,” said Douglas S. Massey.

A subsidy? The only way that illegals are somehow "subsidizing" the aggregate of American taxpayers is if you look at the tiny little issue of immigrants paying into a system they illegally entered, from which they will never draw benefits.

Let's look at the bigger picture for a moment. Financial institutions, and ultimately consumers, lose billions of actual dollars every year to identity theft losses. Factor in the time people lose while dealing with the issue, and identity theft becomes extremely expensive. The "subsidy" that an illegal pays into the system for a $10/hour (or less) job is far outweighed by the costs each of us incur, as legitimate and legal American taxpayers, for the people working in our courts and financial systems who spend thousands of hours each year working to help the people who are victimized by Identity Theft and fraud.

Ms. Lybbert estimates that for four or five months she spent 30 hours or more a week making telephone calls, feeling passed from one agency or voice-mail system to another: the Social Security Administration, the state attorney general, the three bureaus that issue credit ratings and police departments in two cities. “Everyone I talked to handed me off to someone else, saying that’s not our department, call this number,” she said. “I was being led in a circle.”

She did all of this simply to clear a record of the damage that had been done by someone who didn't even want to do her harm. An illegal immigrant, who took the identity of her 3 year old daughter, simply wanted to have a better life while living and working in the United States. However, imagine if that illegal had actually wanted to do her harm financially, or, at the very least, simply didn't care.

Illegals are filing for bankruptcy, using someone else’s number. I had one 78-year-old with three defaults on houses she never owned.

Scott Smith of Ogden, Utah, discovered that someone was using his daughter Bailey’s Social Security number when he applied for public health insurance for her. Mr. Smith, who owns four shredders, is by his own description “real paranoid” about identity theft. “We even take the shreddings and put them in different garbage cans,” he said.

Mr. Smith went on to be quoted as saying:

“My opinion was, Hey, we’ve got someone hard-working who’s come from Mexico, who just wants to get a leg up — give her Bailey’s Social Security number and issue us a new one. Let her stay in the country. But they arrested her. I actually feel bad about her being deported.”

I guarantee that Mr. Smith would not have felt the same way, had he been unfortunate enough to suddenly find himself the father of Bailey, the daughter with a criminal record, wanted for check fraud in four states.

He also won't feel that way when his daughter's information goes through the reseller network and suddenly there are 37 jobs his daughter has never had associated with her social security number. Particularly if those are jobs he wouldn't want her to have.

All in all, the New York Times did some good research for this piece. The problem of illegal immigrants using social security numbers to get jobs in the names of actual Americans is not going away, and the NYT is right to point out that something has to be done here. However, as with most of the information people are receiving about Identity Theft, they're simply not presenting the whole picture to an American public that really doesn't understand what's happening, or how big the problem of Identity Theft has become.

Other blogs discussing "Some ID Theft Is Not for Profit, but to Get a Job":

Morning Coffee
Common Sense America

Posted by Jonathan at 02:13 PM | Permalink | Comments (1)

Hello? Is anybody paying attention in Madison, Wisconsin? The amount of misinformation coming from the news media, concerning Identity theft, constantly amazes me.

A case in point? This article on a Madison, Wisconsin TV "News" station's web site.

They tell you that "While dumpster diving is still the number one source of identity theft, scammers are getting more creative."

Dumpster diving is #1?

It's not like I expect the average news person writing this story to be an expert on Identity theft. But a little background research would help them to better serve the people of Madison. Reading this article makes me think that it is from 2003, but it's actually shown as a "current" piece of news they have posted on their web site.

A very quick glance at the 2005 statistics on Identity Theft from the Federal Trade Commission would tell you that the #1 source of actual Identity Theft is from friends and family applying for new credit accounts in the name of the victim.

The #1 way people get the information is by taking it from the people they know.

But even if you didn't know that, you could look at the Privacy Rights clearinghouse Chronology of Data Breaches since the ChoicePoint incident and discover that as of Sept.1, 91,064,388 pieces of information have been stolen or lost.

Could it be that 91 MILLION+ pieces of stolen data are more likely to lead to Identity Theft than some people getting together and grabbing records that were tossed out behind the doctor's office?

This article goes on to quote some "expert" who advises that the best way to protect your identity is to "get a copy of your credit report, regularly check your credit card and bank statements, and always keep your receipts."

Madison, how's that going to help me when the Veteran's Administration loses my information? Let's role play here a bit: I just checked my credit report yesterday. Someone uses my information to apply for credit in my name today. This Identity Thief uses my good credit to receive a credit card, with my name on it. They receive that card at an address I've never lived at, so I can't possibly know about this credit account, and by law, I can't get another free credit report for 4 months. How will my having checked my credit report yesterday help me today?

When I get pulled over for a routine traffic stop, give over my driver's license, and find out that "I" skipped town after being bailed out of jail, and I am now being arrested for something I never did, in a state I've never been to, how will your expert's advice help me?

The "expert" advises that you should "also, never give out personal information over the phone."

That will be really helpful when the University of Colorado loses my information to a hacker, as they did not once (on July 21, 2005), not twice (again on Aug. 2, 2005), but three times (again on Aug. 19, 2005).

Madison, not to be overly critical, but you might want to do a little more research on such a big issue before attempting to help your viewing public. They really need good information on identity theft, which in this case you unfortunately did not provide.

Posted by Jonathan at 08:01 AM | Permalink | Comments (1)

This interview is from 1999. You'll note from the video that the company had 425,000 memberships in 1999. Today, the company has more than three times that many members, and they're all on a month-to-month service, meaning that they can cancel at any time.

See the solution to Identity theft that this company has created

Posted by Jonathan at 01:23 AM | Permalink | Comments (0)

There are plenty of ways Identity Theft can be committed.

One way is by stealing people's credit/debit card information. This can be done with a simple little device called a Card Reader or a skimmer. You've seen them before in grocery stores and at the gas station, but perhaps you never knew that they could be purchased, and be made small enough to fit in the palm of your hand. And if you didn't know, a quick Google search would give you plenty of search results which would tell you what you needed to know about card readers. Take a look at a result I got

And hey, if you really had the technical know-how, you could get instructions on how to build a card reader.
http://camelspit.org/handyswipe/

But why build a card reader? That would take time and energy, and (GASP!) it would even take some thought. Why not just buy a card reader at eBay or Mag-Stripe.com for under $400?

That's probably what Arthur Crumpley Jr. and Cecil Lamont Hicks did. Then they went to a local Taco Bell, recruited a cashier working for $6/hour, and told her they would pay her $1000 for every 50 cards skimmed by the machine they gave her.

Let's see, you mean that I can increase my wages by TWO HUNDRED TIMES if I just run a few cards through this little machine?

"Oh sure, why not."

The way she was caught? The manager investigated her because she was moving so slowly when having people pay at the window, that he thought something must be wrong.

You can read the whole article here, but the point is that police think that this is part of a much larger ring operating in the Atlanta area.

Here's a clue... it's part of a much larger operating ring, period. For as much as Identity Theft has been in the news, I don't believe we've even BEGUN to see the depths to which people will stoop to get other people's information.

And, as Cpl. Ron Underwood, a detective in Cobb's criminal investigation unit, is quoted as saying in the article, "If you are a victim of identity theft just one time, you'll understand how serious this is."

The IdentityTheftSecrets SuperSleuths remind you: Create a real solution to the problem of Identity Theft for yourself.

Posted by Jonathan at 12:24 AM | Permalink | Comments (0)

News 12 out of Arizona ran an article talking about insurances you don't need. On their list was Identity Theft Insurance. They say that Identity Theft Insurance "does not include unauthorized charges or funds siphoned from accounts." What they recommend you do instead is check your credit reports regularly.

And yet, the federal government has now authorized blanket purchase agreements to two credit bureaus (Equifax and Experian), Bearak Reports, and a company called "Identity Force", to provide policies, using taxpayer dollars, to people whose information is stolen from agencies of the Federal Government.

So who's right?

Well, both are. The federal government is right to realize that they have to take some responsibility for helping people get their information restored, if a data breach on their end results in a person becoming a victim of Identity Theft.

News 12 is right to recommend that you don't buy a policy which simply covers dollar expenses incurred as a result of the loss of your information. They are also right to say that you should check your credit reports regularly. But what constitutes "regularly"? There are three major credit bureaus which alow you to check your credit once/year each for free. Beyond that, you have to pay to check your credit. So, if you were really conscientious, and remembered to check at each credit bureau, you could, at most, check your credit once every four months. So here's the question: Between now and four months from now, could an Identity Thief trash your credit and ruin your good name?

News12 also clearly didn't do their homework with regard to researching Identity Theft and Identity Theft Insurance policies. With the average Identity Theft victim losing over $1600 and 600 hours in the fight to restore their information, you really should have someone to help you through the process. Sure, you could fix the problem yourself, given the right amount of time, knowledge, and resources (which you can get, and you can do yourself), but that would be like fixing your car yourself. You could probably fix your own car, given the right amount of time, knowledge, and resources (which you can get, and you can do yourself), but you generally have the repair person fix your car when it breaks, because it takes them less time, is less hassle for you, and you will know that it's done right if you take your car to a good mechanic.

You can restore your name yourself, but based on the statistics about the average time and money a victim spends, you should plan on taking the next five years' worth of lunch hours to get your information restored, with no guarantees of results on the other end of five years' worth of work.

So if you do need someone to help you through the process, the question is not whether or not to buy Identity Theft Insurance, but which identity theft insurance to buy.

Do you want a policy which covers just some credit monitoring and out of pocket expenses, or would you like a little better solution?

Posted by Jonathan at 12:13 PM | Permalink | Comments (4)