Tuesday, December 12, 2017

Synthetic identity fraud seems little known but accounts for a lot of identity theft

Here’s a discussion of how “synthetic identity theft” or  “synthetic identity fraud” works.   It often uses social security numbers of minors or of individuals not likely to need credit for years.  The fraudster creates fictitious people out of combinations of real information.

Note toward the end of the article that legitimate card users are solicited to allow others to use their credit history for compensation. This would sound criminal even on the part of the legitimate holder. I have never encountered this personally.  Note the “data furnishing” process.
Experian has a brief blog posting explaining the problem to businesses.  But Experian says that synthetic fraud accounts for 85% of all identity fraud. 

Monday, December 04, 2017

Credit card and telecom companies getting more pro-active with using NCOA to detect consumer relocations

Well, I have to say that the USPS NCOA system is working, as I got an email last night from Verizon Wireless asking me to confirm (with 2-step identification) my recent move to a condo, including the “phone numbers” of my iPad and Midi hotspot as well as main smart phone.

As I’ve noted here before, activity with NCOA can be a useful tool in reducing the risk of identity theft (Sept. 25, 2006). 

I’m also finding that some companies can detect that a UPS store, which claims to be a land address, really is not one and prefer to mail to real residences.  This may be a new security trend, as companies beef up their customer "clientization" databases.  I prefer to get less mail at home and more in a UPS store where there is someone there to receive it when I am away.

Tuesday, November 14, 2017

Experian gives 12 symptoms of identity theft

Experian (which used to be TRW which in turn used to own Chilton and Pinger) has a list of twelve warning signs that your identity might be stolen. It’s a pretty interesting list.

Particularly disturbing are #8 – you could find out from your employer, who might not be that forgiving – and #9, you get unexpected two-factor authentication requests. 

Failing to receive expected bills (which might be electronic) is another one.

I wonder about, if you have a small business, getting unrequested lines of credit. 

Sunday, November 12, 2017

Criminals doing "id theft" of legitimate contractors to scam consumers as imposters

WJLA7 in Washington (Sinclair) is advising users about another scam, possibly with Google Business.

In a few cases, criminals have changed the contact info for legitimate contractors and scammed homeowners after repairs.
Customers should verify phone contact in several sources (Including own website). Google is working on confirming address changes with contractors, possibly with 2-step identification. 

Thursday, October 05, 2017

Can public record searches of property be done for nefarious purposes?

What do property records show for the idly curious?

Here’s an article .

I think it’s interesting that you can find out if a couple living in a home is going through a divorce, and might sell for less.  Sounds creepy.

There are all kinds of potential information available, such as trust ownership, trustees, the presence of inheritances or estates, and possibly home-based businesses or controversial activities.  But a lot of it might be very hard to find in some communities.  Generally, the development and clientization (with modern database management systems) of big geographical systems concerning property is likely to make more of this kind of information avaible to snoops over time.

Looking up property might be done in tandem with looking up individuals on various sites, discussed here before.  I think this can get dangerous because some individuals might be politically motivated to look up such information, rather than simply jealous over the loss of a relationship (like for stalking).
I’ll note also that real estate sites like Zillow will, in my experience, tend to overstate the values of many properties, given the comps of what neighboring properties have actually sold for. And it may be harder to determine the physical condition of a home. 

Thursday, September 14, 2017

All three major credit companies are snowed with credit freeze requests and cannot get them processed

Now all three major credit reporting companies are having trouble processing requests for credit report freezes due to increasing volume, NBC story here.

Equifax has refused NBC's request for an interview.

All the companies say they are authorizing overtime.

Again, consumers need to watch all their financial statements for unusual charges.  The most problematic situation would be when consumers apply for credit (loan) and find incorrect accounts in their names.

As I've indicated here before (Sept. 2006), a mechanism to use NCOA could force automatic notification of all consumers of any new accounts in their names (similar to email verification for lists).  It has not been done.

My own Equifax subscription notification service did work this morning and provided an updated credit report showing no problems (yet).

Keep in mind that criminals could use stolen information many years into the future.

Thursday, September 07, 2017

Equifax lays an egg

One of the U.S. three main credit reporting agencies, Equifax, is reporting a hack that could expose 140 million people to identity theft, info including social security number, birth date, and home address (which conceivably could be used for targeting by foreign agents, although there is some safety in the mere size of the hack).   Milo Yiannopoulos has his own story on this. 

It’s unclear if hackers print credit cards in the names of the people if they would really get anywhere.  Equifax will have to recognize illegitimate transactions in the subject’s name that the subject will never know about or see a bill for.  Equifax says that no credit reports or scores were compromised.
 Does it know?  Can Equifax make the same search of the Dark Web that Experian offers (and that’s even part of “online reputation”)? 

It’s rather amazing, though, to see mortgages and car loans taken out on stolen identities and not getting caught by normal due diligence. But, then again, the 2007 subprime scandal was shocking.

Maybe it would be interesting to “own” a house you don’t know exists.  Enough movie stars own multiple condos that someone could slip one by, and even keep it rented on Airbnb. 

Update:  Sept. 9

Craig Timberg has a speculative article on p A11 of the Washington Post Saturday morning, in which he says overseas hackers could use stolen identities to commit crimes not even imagined.  Presumably he refers to child pornography, sex trafficking, and terror recruiting or money laundering with fake accounts (probably on the Dark Web) in using targets' PII.

One is reminded of risks discussed before, of a computer being infected with a virus depositing c.p., a and discovered by repairmen, a risk covered on these blogs back in the summer of 2013.  In most cases, it's probably pretty easy to prove that a fake account is not yours.  (That's been pretty easy with Facebook and social media so far, because fake accounts prop up and get reported and taken down;  Facebook is getting good at automatic detection of these.)   But there is always the remote risk of having to defend yourself against litigation or prosecution, which could increase when traveling abroad, as well as of job termination.  I have some defense in that I don't have or use P2P (although that would have changed had I hosted anyone like an asylum seeker).  In the end, you are responsible for your own reputation, no mater what.

Update: Sept. 10

Consumer Reports offers this advice.  Note the possible risk to 401(k)'s which should be closely watched.  But larger companies usually have medallion signature and verification policies. 

Tuesday, September 05, 2017

Experian offers Dark Web scan

Experian is offering a Dark Web scan of any username based on an email, at “Experian.com/scan”I tr.
I tried it and the scan found just four records dating back to 2006.  But the most recent was in December 2016.

Experian usually can’t identify an exact Dark Web source.
Reputation.com has also said it looks at the Dark Web.

Experian is offering an identity protection service, but I have Lifelock through AOL.
Experian is the successor of TRW. Which merged with Chilton in 1989.  Chilton had been located in Dallas, the Oak Lawn area (where I worked 1981-1988);  now it is located in McKinney, TX on US 175, north of Plano, as well as other places.

Friday, August 25, 2017

FTC reports growing cell phone account hijacking

The Federal Trade Commission reports that mobile phone accounts have been hijacked by identity thieves, who actually call and fool service centers to get access to accounts, The FTC report is here, by Lorrie Cranor, herself an FTC technology specialist with her own story, so this seems ironic. 

In many cases, virtual wallets have been depleted (they are more common for those who use digital currencies like bitcoin).

But controversial people have also been attacked. 

Wednesday, August 23, 2017

ESPN pulls sportscaster with name of "Robert Lee" from a football game in Charlottesville

In a social travesty that sounds like giving in to vigilantism, ESPN has announced it has pulled a sportscaster named Robert Lee from broadcasting the first University of Virginia football game this year.  Matthew Haag has the New York Times story here
ESPN said “It is a shame that this is even a topic of conversation and we regret that who calls the play-by-play of a football game has become an issue.  

Friday, August 18, 2017

People misidentified as marching with right wing in Charlottesville get doxed

Misidentification of people at the Charlottesville riots (mostly of people in the extreme right wings groups) has been taking place, with doxing and various threats to some people.
MSN has republished a story from the New York Times, by Daniel Victor, “Amateur sleuths aim to identify Charlottesville marchers, but sometimes misfire”, here

The story concerns a University of Arkansas professor at the engineering school misidentified was a protestor wearing a shirt from the school.  You can imagine what followed.

The article examines how the establishment press verifies identities. 

Amateur sleuths do risk getting sued, but the targets may be in danger from some time.

This could become an existential problem in social media. 

Thursday, August 10, 2017

Chip credit card technology is not perfect

ABC News reports that chips have been falling out of a few of the new chip cards, leaving consumers vulnerable, story here.
It’s possible for a thief to use a chip that had been found on another credit card.  So now there is a "chip hack".


It’s also possible for some smart phones to swipe a chip by being very new it.  

Thursday, July 27, 2017

Dallas Cowboys potential player dropped after real life identity theft in a convenience store robbery; will he be reinstated?

Identity theft can result in job loss or being cut from a pro sports team, as Lucky Whitehead was dropped from the Dallas Cowboys after someone was arrested in Prince William County, Virginia for a theft at a convenience school and claimed to be him, even with social security number.  NBC News has a typical story here.

Lucky maintains he even wasn’t in Virginia at the time of the offense. But it appears that so far the Cowboys are unwilling to reinstate him, saying there had already been some other problems (story). So he was not “lucky”.

It seems that sometimes you are responsible for the use of your own identity, no matter what. 

Ironically, there is a another story where a University of Oregon Ducks football player was arrested for perpetrating identity theft.

Update: Aug. 10

Whitehead has been reported to be picked up by the New York Jets.

Sunday, July 16, 2017

More sites offer background checks on individuals

I stumbled across a couple more sites that offer public records information: Mylife.com, and Whitepages.  Mylife even offers a public “reputation score” and lists a number of personal activities without the reader’s being a member.  Records from theses sites may come up on Google searches of the formal legal name. 

Some such sites claim that the subjects will not know “you” have checked up on them. 

Mylife did not have one on me, but did have one on a relative in the Midwest.
I generally will not look at these unless there is a “business” reason.  

This would certainly seem to matter for "online reputation." 

Sunday, July 02, 2017

People skills of debt collectors

Just recalling those two-plus months I worked as a debt collector in Minnesota in 2003.

I can remember being told when asking for a person who picks up the phone, to pretend being a “friend” of the person (in the days before Facebook).  I’m not much of a manipulator or imposter, although this is how stings are set up, too.

Tuesday, June 20, 2017

What about debts after death? Can deceased people's identities be stolen?

Do you need to “worry” about your debt after you pass away?  Well, you can’t do anything about it.
Here’s an AOL article on the issue. 

Apparently your unsecured debt disappears with you.

But in most cases, the money can be tied to an estate that has to be paid off.  When my Mother passed, I immediately paid the remaining caregiving bills.  I canceled her social security, and one payment was taken back.  I had a credit card in her name.  I paid the bills on it, and kept using it for house (trust expenses) until the bank called and said it had to cancel the card.  I did pay the final bill ($900).  I had thought I could use it until distribution (there was no probate since there was a trust).  

 The bank feared I could simply not pay, I suppose, but I did pay it off in full.

Sometimes some of my mother’s accounts have shown up on my own credit report, which is incorrect.  I’m planning to pull detailed reports on myself soon because of the possibility, at least, of relocation.

But I wonder what could happen if a criminal “reincarnated her identity” to create a fictitious person for identity theft.  Not too easy with an unusual last name, and I would think lenders could check to make sure she wasn’t deceased. 

Sunday, June 18, 2017

Are some people less vulnerable to identity theft than others?

Are some people less vulnerable to identity theft than others?

Probably so.  It helps to have an unusual or hard-to-spell foreign last name, and less common first name.  It probably helps to be older and have a longer credit history.

It may, ironically, help to have a robust personal social media presence, one which might be more likely stand out with employers.

And it might help to be famous.  Public figures are more vulnerable to invasion of privacy and defamation attempts, but less so to identity theft.

Many homeowner’s policies are adding identity theft endorsements to their policies in many states.

Monday, May 08, 2017

Accounts in collections, and your credit score

Credit Karma has some good advice on how having an account in collection can affect your credit score, link here.

It’s possible for this to happen with identity theft, if you never got the bills and if the creditors completely dropped the ball in giving the imposter credit. (It might be relatively easy to track down and prosecute the imposter unless it is overseas and you have a very careless or reckless lender.)  It might happen by being mixed up with relatives.

If your credit score was high, than a previously unknown collection account could impact your score more.  Paying the debt does not immediately improve your score.

I had an issue in 2000 with two bad debts I did not know existed.  One was about a Discover card renewal that dropped, and I just paid the one time renewal to erase it. The other was a Visa debt for a stereo purchase in Texas that seemed to get lost and wound up with National Credit Systems, which was quite aggressive over the phone.  I didn’t learn how the ropes work until I worked for RMA in Minneapolis as a debt collector myself for a while in 2003.  The Visa claim probably should have been disputed, and I may have paid $600 I didn’t owe.  I did the credit check myself when I was considering buying a home, which I didn’t do there.  Not all three agencies had both debts.  Equifax may be the most likely to have them.

Thursday, April 13, 2017

IRS now uses debt collection companies for large long-overdue tax bills

Private debt collection of some large overdue tax bills will start in April 2017, according to the IRS’s own announcement.

This could compromise advise to consumers not to answer phone calls claiming to come from the IRS, as they have always been scams.

However, the IRS will not call without having contacted the taxpayer by mail first.

Sunday, April 02, 2017

Physical security matters for identity protection; a note about messaging encryption

WJLA7 Saturday night offered a list of seven things people should never carry in their wallets if they want to protect themselves from identity theft.

The most important tip is not to carry a social security card.  However, seniors, when they travel, may need to carry Medicare identifying information which includes SSN.  Typically I carry this identification on paper in a carryon bag, but it is conceivable that it can get lost.

Another item is passport, unless you are traveling internationally or have an unusual reason for a second id.

Another tip is to be careful about carrying printed lists (or thumb drives) with passwords.  I had an incident recently where I carried such a cheatsheet to Best Buy to work on a problem with a laptop.  There’s a lot of stuff to carry around and remember to take with you.  I caught my error and had to make a quick return visit.  The paperwork was still there in a cubicle, undisturbed.  You pay for your own mistakes (at least the extra gas to drive back).  The call that personal responsibility.

Another tip is to carry only one or two credit cards when out and about.  I had all of them when mugged at a Metro stop in March 2013.  It took about three or four days to replace them (including Virginia DL).  My loss was zero.  However, the criminal attempted a scam with fake Smart cards, costing Metro thousands.  I believe the person was prosecuted for a different crime later.

I would think states would change DL numbers after robberies, as they are often used as supplementary ID.

When wearing pants, people should carry wallets in front pockets if possible.  But of course that crowds pockets and can cause car or house keys to fall out (which happened to me with a rental car in France in 1999).
I want to pass along an op-ed by Max Read in the Review section of the New York Times today, “Trump is president, encrypt your email”.  Actually, he’s talking mostly about chat applications and discusses Signal and GroupMe.  I don’t do much chat for social reasons.  But his comment about “herd immunity” is well made.  

Saturday, March 18, 2017

I get duplicated with a fake profile on Facebook -- why?

Yesterday I got a post on my Facebook timeline warning me that my Facebook account might have been “hacked” because she got a duplicate friend request.  I didn’t think much of it, as I’ve gotten spam emails with headers spoofed to look like they are from Facebook friends.

Then, while I was out, another friend got one, and she reported it to Facebook.  When I got back on, I checked and found that the fake profile had already been removed.   I never saw it, but the friend told me it had no postings but had already attracted five “friends”.

I don’t see much point in setting up a fake profile imitating someone, but here is a cautionary tale on Forbes. from back in 2009, by someone in the BioTech industry.  Here’s a more recent tall tale from Baltimore.

The Huffington Post (2015) says that the motive could be “Likenomics”  -- teenagers overseas are hired to create them to increase hits and get revenue for less reputable interests (porn) and aren’t very savvy in who would make a credible person to mimic.

Here’s another site that lists up to ten reasons, link here.  Two of the more disturbing reasons could be revenge or trolling, or extreme political activism.  This doesn’t sound very credible with someone like me:  I hardly make a target for revenge porn.

But it might be possible to set up a fake profile to try to make someone guilty of sex trafficking or of making terror threats.  Again, that might be possible with a router.

That a fake Facebook profile would be part of a major scheme of identity theft sounds unlikely, although make some more unusual crimes (like house title theft) could be envisioned.

Let me mention I've seen fake Twitter accounts (like one imitating popular actor Richard Harmon).  I use Instagram very little, but when I created it I had to have a fake account set up in my name (with no images -- which could be dangerous) removed.  I don't have Snapchat (because I don't have much use for the concept right now), but I have no way of knowing if someone else could imitate me on it. Then one day the police knock.

Picture: no connection to the hack, from political demonstrations on "the Day Without a Woman".

Sunday, March 12, 2017

House stealing is a relatively under-reported consequence of identity theft, and has happened to owner-occupied homes

An email from Quora (a site you can join and supply answers to questions and get followers) discusses the grim possibility of house stealing as a result of identity theft, major link here.

And the FBI has a little known link on the problem here.
The problem is more likely to occur with a vacant house, or even a rented one; but titles have been stolen even from owner-occupied homes.  It’s a good idea to check your local government’s land title records (which will show assessed valuation and property tax payments due sometimes) online periodically, even once a month if possible.

Saturday, March 11, 2017

You can dispute a debt you don't recognize; don't fall for fake debt collection

I used to work for a debt collection (in the summer of 2003, while in Minneapolis), and one question would come up today:

Could a robocaller impersonate a debt collector to get PII and make fraudulent collection?  Could this happen by a message left on an answering machine or in digital voice if the user didn’t pick up?

It would sound likely, so consumers should know that they can dispute collection claims that they do not believe are valid.  If a caller mentions a debt you do not recognize, you can tell him or her to place it in dispute immediately. Here are the rules.  

Thursday, March 02, 2017

Private domain name registration is another prophylactic against identity theft

Verio (the ISP that hosts my legacy “doaskdotell.com” site) sent a email today “8 things you can do to prevent identity theft”.  While most of them are pretty much the same standard recommendations as always, one of them stands out: “Enroll all your domains in domain privacy”.

Generally private domain registration is only slightly more expensive than standard.

The email (I couldn’t find a URL reference for it) makes an interesting point.  A criminal could try to impersonate you based on the information on public registration.

It would get hard, though, it you use a business address (or a land address like a UPS store) and pat attention to your credit cards and financial accounts.  It’s also helpful to pay attention to references to your domain name online or your name (online reputation).

Two or three times, I’ve gotten unsolicited lines of credit (for hundreds of thousands of dollars each) sent to my UPS store in my business name,  I find no evidence that they have been used, but I wonder why people would offer them to me,  But if one were used, the purchase would have to go somewhere, which would identify the party.
I’ve also gotten inquiries as to registering my domain name in China (odd), and all kinds of procurement and collection deals from China, Vietnam, the Philippines, etc.   But I don’t think I’m responsible for anything someone does in China – unless I visit there.

Thursday, February 09, 2017

Identity theft insurance

Here’s a good article from the Insurance Information Institute on identity theft insurance. It was mentioned on the NBC Today show this morning.

A number of companies (besides Lifelock through AOL membership) offer it;  my experience is that it costs about $30 a month.

The article suggests that victims of identity theft often have lower credit scores and sometimes lose employment.  In the distant past, it was sometime common for some employers to hold associates “absolutely accountable” for their own reputations for security purposes.

The article also suggests aggressively checking your own credit reports in detail before doing a job search or looking for a new place to live.

One of the best defenses to your bank accounts is simply to check them regularly online, not from emails but from going directly to the sites.  Make sure you spell the URL’s right.

Identity theft insurance is often offered as a rider on property (homeowner's insurance) as it is on mine.  It may be part of umbrella coverage.  It is not the same, however, as coverage for online liability incidents, which I don't think can reliably be underwritten with ordinary property insurance.

Tuesday, January 03, 2017

Trump's "No computer is safe"

Donald Trump’s recent 4-worder “No computer is safe” could certainly be interpreted in the context of identity theft.  Because until there was widespread use of the Internet in commerce (after the late 90s) there were few such schemes.
Yet, by 2004 the problem was serious enough that Lifetime TV had produced the film “Identity Theft: The Michelle Brown Story”.
Trump, however, on Nov. 11 had announced a comprehensive program for cybersecurity despite his subsequent hints that digital life cannot be made safe (CNN story).

Remember, too, in the Old West:  there were horseback payroll robberies, and stagecoach and train hijackings, unpredictably.