Identity Theft Secrets

Sears Holdings Corp. is launching an investigation in the wake of cyber attacks on other retail stores.  Sears, the retailer run by Edward Lampert, has not revealed any details of an actual attack or security breach.

Sears spokesman Howard Riefs said in a press statement, “There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach.”

Riefs added that there has been no information to indicate a breach so far which completely contradicts a report made by Bloomberg News.  Bloomberg News, using an un-indentified source, reported that the U.S. Secret Service was involved in investigating a secret breach at Sears.  The U.S. Secret Service is remaining quiet on whether or not it is actually investigating a breach at the retailer.

What is known is that the U.S. Secret Service is leading the investigation into last year’s cyber attack on Target and last year’s attack on Neiman Marcus.  The Target breach lead to the theft of approximately 40 million credit/debit card numbers and over 70 million pieces of personal data.  Neiman Marcus has also faced the harm of a data breach.  The luxury retailer had 1.1 million credit and debit cards hacked by malware that infiltrated terminals point of sale systems.

Target, Neiman Marcus and other retailers who have experienced data breaches are attempting to gain back customer support by doing a lot of damage control. Target has offered free credit monitoring  and identity theft protection to customers for free for one year as part of its damage control efforts.

The rumor that Sears is investigating a possible security breach may still harm the retailer.  Lampert has struggled to make Sears profitable after 28 straight quarters of declining sales. A tarnished image from a potential data breach isn’t going to make shoppers rush out to buy anything from the retailer.

Original reports of the Target and Neiman Marcus breaches made clear that it could take months to confirm that breaches were made, how many victims were affected, and account for what data was stolen.

Stolen Identity Refund Fraud (SIRF) is a category that falls under identity theft. It involves the theft of the “tax” identity of the victim. As the tax filing season descends upon us we need to be aware of the very real threats of having an identity stolen.

Victims of stolen identity refund fraud have had their lives ruined. The criminal steals the “tax” identity of an individual for the purpose of filing a tax return. The criminal will obtain information about the victim and use it to obtain his or her social security number. The thief will then submit a false tax return in the name of the victim claiming a tax return. Forbes report claims that “unfortunately, in many instances the refunds are issued.”

The victims are left to discover the fraud when they go to file their tax returns. The IRS refuses to send out a refund because a return was already filed under the name of the individual.  The burden of proof rests on the individual to prove that their identity was actually stolen and that they did not file a return in the first place. It can be a very lengthy process for an individual to get straightened out with the IRS and it can be an even lengthier amount of time for any resolution to happen.

Sadly, stolen identity refund fraud victims are the elderly and individuals who are not required to file tax returns. Criminals who steal this information often get away with it for a long time before being caught. Often the victim finds out when they apply for state or federal benefits and cannot receive them due to information found on the fraudulent returns.

The IRS and the Justice Department have begun cracking down on identity theft and have been active in fighting identity fraud. The IRS makes it clear that the agency is devoted to preventing identity fraud. The website has information on how to report suspected identity theft and the precautionary measures that people can so they don’t become a victim.

Consumer Reports is warning to consumers that use of email addresses as a user ID increases your risk of identity theft.  The report cites the theft of millions of Yahoo users who had their email addresses stolen recently. Yahoo identified the attack on user email accounts and immediately acted to protect users by prompting holders to reset their passwords, according to a blog post by the corporation.

While there is no evidence that data was breached from Yahoo’s computer network, according to Bloomberg Businessweek, there is evidence that user names and passwords may have been taken from a third-party database. Consumer Reports warning is to users who often use their email address as their user ID because it can increase the chance of hackers getting into any other accounts you have associated with that email/user ID.

Identity thieves call the maneuver multipurposing. They steal personal data from one account and use it to break into other accounts. The theft of an email address can also lead to phishing scams, malicious software being placed on users’ computers, and malicious and fraudulent links being sent to everyone on a users contact list.

Once a criminal has access to email and passwords he can use it to break into a users bank accounts, online accounts, and use the information gathered to steal a users identity.

Consumer Reports gives an example, “Once the criminal has your e-mail address, he tries to sign into accounts at some large banks or major shopping sites, claiming he forgot his password. Some institutions will e-mail a “password reset” link or, worse, the password itself, to your address.”

Consumer Reports goes on to explain that once the password has been reset to the criminals password he will have full use of banking or shopping accounts that were broken into. The best way users can protect themselves is to consistently change their passwords and never use the same user ID as their email.

Protecting personal information is important. It is extremely important in the online world. Identity theft is a real problem. Thieves who steal information often gather it easily from unsuspecting victims who willingly give out personal information to the wrong person or those who give out the information unwillingly but didn’t have their information protected.

Identity theft might become an even bigger problem with the announcements that were made at the White House’s “Datapalooza” event. “Datapalooza” is an ambitious new agenda that has been outlined by President Obama to combat rising college costs and to make college more affordable for American families.  It was a meeting of policy leaders and innovators exploring how open government data could help the education system in the United States. Part of the plan includes using technology for tools, services, and apps to help students evaluate and select colleges.

Apps will be used to help students access information about colleges including statistical data, program data, and form data (i.e. FAFSA).  Third party apps are also being considered for integration into the U.S. Department of Education’s financial aid toolkits. These applications should be viewed skeptically by students.  If the apps do not have the proper protections and encryptions against hack attacks then hackers might have “datapalooza” with student’s personal information.  Identity theft is a real concern with the potential data that would need to be stored online to use the governments’ apps.

The White House announced at “Datapalooza” that Americans will now be able to download their tax returns directly from the IRS’ new service Get Transcript.  Tax information is not easily accessible and for good reason. Tax papers have very personal information on them including names, birthdates, social security numbers, and wage information.  To obtain tax information before one would have to fill out a questionnaire, send it back and wait 5-10 business days for physical forms to arrive. Get Transcript makes it much easier for people to download their tax information instead of waiting to get the physical forms. But it also means that much more personal information is at risk of being stolen.

Data collection scams and debt collection scams have risen dramatically in the last few years.  Mal-ware at point of sale terminals has been used to steal customer data. Emails that phish for information have been used to steal consumer information and fake debt collectors who threaten victims with lawsuits and arrests have used information gained to exploit consumers.

“Unscrupulous scams hurt consumers and unnecessarily impedes legitimate debt collection efforts,” said ACA International CEO Pat Morris. “The recovery of consumer debt is vitally important to our local, state, and national economies. Those who purposely violate the law to exploit consumers should be held fully accountable for their actions.”

Consumers need to protect personal data and they need to know the difference between a legitimate debt collector and a fake scam being conducted to steal personal information.

ACA International recommends several important items in discerning a legitimate attempt to recover a debt. The first item is that a debt collector may not contact a consumer at times known to be inconvenient. Generally, a legitimate debt collector may not contact a consumer before 8 a.m. or after 9 p.m. in the consumers’ time zone.

Another item is that a debt collector must disclose its identity to the consumer and notify the consumer that the communication is from a debt collector, and (in the initial communication) that any information obtained will be used to effect collection of the debt. Debt collectors are not allowed to make false representations and may not threaten to take action against a consumer if it doesn’t actually intend to seek such action. Consumers also need to be aware that they can dispute the validity of the debt and during the time the debt is being dispute the debt collector must cease collection activity until verification of the debt has been provided. More guidelines can be found at ACA International.

Consumers can protect their personal data by checking credit and debit cards vigilantly and reporting any charges that appear questionable, even small amounts. Consumers can also monitor their credit profiles along with their card activity and consumers need to keep in mind that phishing scams for information don’t just happen via email and the phone. Phishing scams can come through snail mail also.  Shred paper with personal information before throwing it away, make online passwords stronger by using a mix of capital and lowercase letters, symbols and numbers, and take great care when giving out credit or debit card numbers, Social Security numbers or other personal information online and offline.

Target’s data breach over the holiday season turned out to span far wider than the original numbers estimated.  The major retailer said the breach that happened between Nov. 27 and Dec. 15, 2013 compromised the financial information of approximately 40 million shoppers shortly after the breach occurred. Recently, the company informed consumers that it had uncovered an additional 70 million to 110 million customers who may have had their names, mailing addresses, phone numbers and email addresses stolen.

The data stolen from Target was originally thought to come from the terminals where customers swipe credit and debit cards. The retailer said originally that the only information affected was the information stored in the magnetic strips on the back of customers’ cards. The retailer learned shortly after that customers’ encrypted PIN data had also been obtained. The latest revelation by Target is raising more concerns because personal information isn’t stored on the magnetic strips on credit and debit cards.

Target’s data breach has severely impacted the company and will continue to as long as more information about the breach becomes known. The retailer has apologizes to customers for the broadening violations of customers’ private information.

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg W. Steinhafel, Target’s chief executive, said in a statement to the New York Times.

Target is now offering free credit monitoring and identity theft protection to customer’s for one-year free.  The one-year offer includes a credit report, daily credit monitoring, identity theft resolution, identity theft insurance and ProtectMyID ExtendCARE, personalized assistance from a highly-trained Fraud Resolution Agent after the one-year period expires.

Target has listed tips for customers who wish to protect their information:

“Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number. Delete texts immediately from numbers or names you don’t recognize. Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.”

A FAQ page has been set up on Target’s website to deal with information regarding the data breach and information related to other scams.

Snapchat suffered a major security breach on New Year’s Eve when a reported 4 million usernames and passwords were collected by hackers.  Snapchat had been warned twice by security experts about a vulnerability in its system, according to Yahoo News.

Snapchat is a private company that has marketed itself on being a more secure alternative that Facebook and Instagram. It lets users send photo and video messages that disappear once viewed.  According to the New York Times, users of the self-destruct message service were sending 350 million photos a day in September –increased from 200 million in June.

Related content:  Are Instagram and Snapchat safe for Kids?

Security researchers were not convinced that the app actually deleted information.  The hackers who stole the usernames and passwords from Snapchat were actually security researchers with Gibson security who were able to hack into Snapchat’s servers and find the data that had been stored in a database similar to other big internet companies.

The security researchers posted the hacked information onto a website called SnapchatDB.info after privately warning Snapchat about the weakness in its system.  The researchers then posted a warning about the security hole online on Christmas Eve after the notice was ignored. Snapchat did patch the hole in the system but it didn’t do enough.  The data was not encrypted nor were there any basic security measures in place to prevent hacking.

The usernames and passwords put online in the data dump on New Year’s Eve had the last two digits of phone numbers removed. Snapchatdb.info has since been suspended for the data dump, but not before word spread of the breach.

The breach severely tarnishes Snapchat’s reputation and image. It could threaten the company’s rapid growth.

Gibson Security says users can delete their Snapchat accounts and ask their phone company to change their phone number in order to protect their information. Although, they warn that deleting the account won’t remove information from the leaked database information.

“Ensure that your security settings are up to scratch on your social media profiles. Be careful about what data you give away to sites when you sign up –if you don’t think a service requires your phone number, don’t give it to them,” Gibson told the Associated Press.

Snapchat is trying to reassure users’ that is has adopted security measures that would prevent spam and abuse. They also claim they are working to prevent “future attempts to abuse our service.”

The National Security Agency isn’t going away any time soon and the White House isn’t planning on placing new restraints on the agency. According to the Washington Post, “the Obama administration has decided to preserve a controversial arrangement under which a single military official is permitted to direct both the National Security Agency and the military’s cyberwarfare command despite an external review panel’s recommendation against doing so.”

A group of top U.S. intelligence officials got together and decided that the two divisions (NSA and Cyber Command) should be placed under separate leadership. The argument for the division is that it would ensure greater accountability and prevent investing too much power in one individual.  The two divisions also have different missions. The NSA mission is spying and the Cyber Command’s mission is to conduct military attacks.  Both divisions work closely together since the Cyber Command depends on the NSA’s ability to hack into the computer systems of enemies for intelligence and to conduct potential operations.

According to the Washington Post, an email from Caitlin Hayden, White House spokeswoman, said, “Following a thorough interagency review, the administration has decided that keeping the positions of NSA Director and Cyber Command commander together as one, dual-hatted position is the most effective approach to accomplishing both agencies’ missions.”

There have been over 40 recommendations made by the intelligence panel. Currently, the White House appears not to want to add constraints onto the surveillance agency.  The NSA is working toward making changes within the organization to combat any leaks that could be comparable to the leak committed by Edward Snowden.

The leak committed by Snowden informed the public that the NSA was conducting surveillance and collecting virtually all phone calls of Americas through a metadata collection process. NSA still claims that their collection of billions of phone records was for counterterrorism purposes and that the content of the calls is unknown, the agency purportedly only collects where the calls were made and how long they lasted.

What do you think?  Is this collection of data necessary? Doesn’t it put us at an even greater risk?

I recently had the chance to talk to the experts at ZoneAlarm about  Facebook’s latest privacy changes – where teens can publicly share their photos and updates as well as be found by the general public.  What does this mean for a teen’s online security?  What are some concerns parents should have or be made aware of?  It’s no secret that from cyberbullies to online stalkers and predators, teens face an increasing range of online threats. What can parents do to help their teens protect themselves online? Their experts offered up this infographic as well as some helpful statistics and tips for keeping our kids safe.

Did you know that?

• 23 percent say they have been victims of cyberbullying.
• 62 percent of teenagers have witnessed taunting and other cruel behavior online.

Control who sees timeline posts. Under privacy settings, you can select: “Who can see my posts?” Then, by changing it from “Public” to “Friends” or “Close Friends”, all future posts that your teen creates will just be seen by the audience that she specifies. She can also change the “Limit who sees old posts” setting from “Public” to “Friends of Friends” or “Friends.”

Watch out for apps. Read the rest of Tips for keeping your teens and tweens safe online

Consumers already worry about businesses storing and possibly stealing financial information. Now consumers have to worry about the credit card processors stealing the information from businesses. Recently, several proprietors of a credit card processing company  have been indicted on several charges in Phoenix, Arizona.

The various charges include money laundering, wire fraud charges, and changing contract terms among other charges. Sean Clinton Mecham, 36, Ashley Brisbin Mecham, 27, Jonathon L. Cannon, 31, and Jake Brisbin, 26, were all indicted by a federal grand jury.

According to court documents, the accused were executives and employees at Icon Payment Solutions, Axiom Merchant Services and Oracle Payment Services. These companies are all the same company just under different names and they processed credit card payments for retailers.  Prosecutors allege that the quartet were misleading customers, forging the signatures of business owners and deposited $2.9 million of the ill-gotten gains into personal accounts. The money was then used to buy a luxury boat, Maserati cars and off-road trucks for racing.

There were multiple complaints against the quartet and the companies that they owned to the Better Business Bureau.  The accused Read the rest of Credit Card Processors Stealing from Business Clients