Friday, December 21, 2007

Wall Street Journal still writes about paper and CD shredders


Despite political and technical progress in advancing the idea that lenders should be more careful in extending credit (that is, in identifying borrowers), The Wall Street Journal, on Thursday, Dec. 20, on p. D3 of the “Personal Journal” and “Home and Family” page, has a “Shopping Around” column on paper shredders by Anjali Athavaley. The column is called “Diminutive Countertop Models” and features five models: two Aleratec DVD/CD shredders (yup, because people back up their personal data to discs), the Staples Mailmate M3 Shredder, the Royal Desktop Crosscut Paper Shredder, and the Staples Mailmate Junk Mail Shredder.

Tuesday, December 04, 2007

UPS store phone call about an unordered package helps bust a ring


A story by Maryclaire Dale of the AP today (also a headliner on AOL) illustrates the simple deterrent value of having a mail service contact the real owner of an identity. In this case, a UPS store called a neighbor of the thieves, whose identity had been used, about a package (from Britain) that she had not ordered when it arrived. This led police to a Pennsylvania couple that was living “high on the hog” in a penthouse apartment under other people’s names. They had also got hold of a large number of physical keys, for reasons that are not clear (a residential security issue in its own right, in light of media reports earlier this year about bump keys). In the ritzy apartment, police found the book The Art of Cheating: A Nasty Little Book for Tricky Little Schemers and Their Hapless Victims (paperback, 2007, Basic Books) by Jessica Dorfman Jones. The book itself, judging from Amazon, seems to be more about practical little white lies than about “crime”. Nevertheless, it fits into what David Callahan calls “The Cheating Culture” in his 2004 book (Harcourt), in which he analyzes a breakdown of “Golden Rule” ethics in our “just in time” society driven by extreme capitalism.

UPS Stores provide mail boxes and a variety of mail and package services, complementing (rather than competing with) FedEx Kinko’s. Many people with small businesses keep street-address mail boxes with them when they do not want to publish their residence addresses; this is true even of Internet domain owners, who can use them for WHOIS contact (although private registration is also available from Network Solutions and similar companies).



Note: The next NBC4 Safe & Secure Community Shred (in the Washington DC area) is Dec. 8; information is here. Of course, it's silly that shredding paperwork should even be necessary. I drove to the last one in September (then at RFK Stadium), found myself trapped in traffic on DC streets, and when I got to the stadium had to drive around to find the right lot.

Thursday, November 15, 2007

Financial security pros recommend consumers consider a security freeze


Today, Nov. 15, 2007, the Business Section of The Washington Post has, on p D02, a column by Michelle Singletary, "The Color of Money: A Way to Freeze Out ID Thieves" here.

The security freeze, offered by Experian, TransUnion and Equifax, lets a consumer block access to his or her report by new creditors. Since most lenders will not open an account without pulling a report, this indirectly prevents new accounts from being opened in the person's name illegally. Usually the request must be sent by certified letter, and each bureau has its own procedure for lifting the freeze temporarily when the consumer wants to apply for credit. There may be a charge for the freeze, although many states are pressing to force the companies to offer it free.

Again, we wonder why credit grantors are so careless that they are not sure of the identity of the person to whom they grant car loans or credit cards. This has been covered before.

Thursday, November 01, 2007

Bipartisan victim's restitution bill introduced in Congress


MSNBC and Reuters reported on Oct. 16, 2007 that Congress is considering a bipartisan bill that would let victims of identity theft recover restitution for the time and money spent repairing their credit. The story is here. The Microsoft security site (the site where Windows users go to check for and download security updates) has a story here, posted Oct. 30.

Then, today, November 1, 2007, Michelle Singletary has an article “The Color of Money: Getting to Know Identity Thieves,” on page D2 of The Washington Post, link here.
The story reports a Secret Service study finding that about half of these compromises occur at conventional businesses (rather than at home users or individuals running their own businesses), that many use low-tech methods (stealing laptops or disks, or even dumpster diving, rather than hacking), and that friends and relatives account for at least a small portion of incidents.

The rather provocative picture comes from an exhibit in the US Postal Service Museum in Washington DC.

Sunday, October 21, 2007

Lifelock offers consumer identity protection


Although I usually don’t promote specific companies on these blogs, I do mention them when they seem newsworthy.

Recently, a company named Lifelock has been advertising on some cable stations that it protects consumer identity. If one goes to the website, one sees a picture of the CEO, Todd Davis, with his Social Security number in large type. The implication is that one can safely post one’s SSN if one uses the service, which as of today costs $10 a month (or $110 a year) for individuals (less for minors).

The website does have an internal link explaining how it works. It appears that the service does for the customer what the customer could really do for himself or herself: essentially, it sets and manages fraud alerts with the major credit reporting companies, and it arranges to have the consumer’s name removed from pre-approved credit card and junk mail lists.

Now, consumers can order one free report a year from each of the three major companies (Equifax, Experian, TransUnion). Sometimes there are complications in getting all three to work. The companies charge a little to provide FICO or VantageScore credit scores. Consumers can do the other things manually, but they are probably clumsy to do. One thing I recall from my days at Chilton in Dallas in the 1980s (now part of Experian) is the multitude of separate bureaus, some owned by the major companies and some affiliated. I worked on the member billing systems there for six years in the 1980s, and the interbureau processing was quite intricate. I don’t know whether this has a practical effect on consumer security today.

I still think that the main trick to protecting consumers is to set up mandatory preferred contact addresses (for consumers who want them), like the USPS NCOA, have a highly secured agency or contractor manage them, and require credit grantors to notify consumers of new contracts at these addresses.

Monday, October 08, 2007

Identity Protection Safeguard questions; RSA


I’ve always wondered how effective those security questions are that many websites require before reissuing passwords or letting users reset their own. The Sunday, Oct. 7, 2007 “Style & Arts” Section M of The Washington Post has a front-page story by Monica Hesse, “This Is Your Life: As Determined By Confounding Identity-Protecting Safeguards.” The article mentions Chillicothe as a home town; well, if that’s Ohio (well within “Days of our Lives” territory), it’s a station on the old Ohio and Erie Canal, but it doesn’t have to be Ohio.

The article discusses a company called Verid and its RSA Identity Verification product. The company can search public records databases (although many localities have been removing these from the Internet) for additional questions with which to challenge a visitor on behalf of sensitive clients. The obvious weakness of such knowledge-based questions is that an impostor who can search the same public records can often answer them too. The philosophy behind the design of the questions is a subject of some interest: programmers and geeks may not be sensitive to which questions people can actually answer and which are the most effective screeners. This sounds like a real field for research.

Tuesday, October 02, 2007

Concern over social announcements in newspapers: that's overdoing it


On Monday, The Washington Times, in an insert about cybersecurity for teens, provided considerable discussion of consumer protection for adults as well. (The blog entry is here.) The insert was even critical of people announcing weddings, debutante parties, and similar events in local newspapers, as making the subjects targets. This does seem like carrying things a bit far. Newspapers have run social announcements like these for decades without problems. It seems, again, that the underlying problem is the carelessness of financial institutions and lenders in identifying customers and following up with proper notification.

In fact, the practice of banks charging penalties for missing credit card payments by even one day (more acute now that banks have shortened the payment period by five days) may have an upside: it encourages online banking (which the article actually supports) and encourages customers to check their balances online almost daily, making a heist by hackers less likely to go unnoticed. The main hitch is that people who bank online must understand that banks will not ask them to update information by email, and that all such emails are phishing attacks. These are very common and are often sent as spam even to people who have no account at the bank in question. (Often the spam embeds each bank’s own trademark image, itself a violation of federal law and an obvious civil trademark infringement and prospective dilution under recent law, around the same text.) Since these emails usually originate offshore, they have been difficult to shut down.

On Saturday, Sept. 29, NBC4 in Washington held a “community shred” at RFK Stadium in Washington (ironically after the Nationals’ last game there, as they get a new stadium next year). The only problem was that on the same day Washington hosted a triathlon, and driving to the stadium around closed streets got me trapped in a maze.

Wednesday, September 19, 2007

Real ID Act: a possible tool?


Homeland security expert Randall J. Larsen, in his book “Our Own Worst Enemy” (Grand Central Press, 2007), discusses, among many other ideas, the possible benefits of a national ID card. He mentions the REAL ID Act of 2005, which was enacted as part of the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005. The bills were H.R. 418 and H.R. 1268. President Bush signed it into law in 2005, but enforcement of the Act has been postponed until December 2009. The Wikipedia reference, well cited, is here.

Civil libertarians criticize proposals for national ID cards, which could even include encodings of retinal or iris scans. Supporters, however, believe the cards might make it much easier to prevent enormous crimes. Furthermore, they (like the USPS NCOA used as a master reference, as I have proposed) could give banks, car dealers and other lenders a reliable way of identifying borrowers, thereby protecting consumers. Larsen points this out.

Monday, September 10, 2007

More on credit card due dates rolling forward


I reported on Aug. 7 about the practice of credit card companies of shortening the payment period from 25 to 20 days. Several companies, including Bank of America and SunTrust, have done this. I called both companies, and both said they would push back the statement mailing dates by five days in order to restore the previous due date, but that this would take two billing cycles. Because I missed one due date by three days before noticing this, I incurred a $29 penalty, which I got reversed. Bank of America said that a payment is not reported as delinquent (affecting the FICO score) until it is 30 days late.

I also noticed, with Chase, that online access gets lost if a security package (McAfee) deletes the cookie in its weekly scheduled scan. But that’s probably a good thing.

Furthermore, I found that Bank of America had given me three American Express accounts (even though the cards were marked “Visa”) which I did not request. From a FICO point of view, it’s not a good idea to have too many unused cards.

It’s a good idea to keep all of your credit statements online where you can check them, and not just for the usual unauthorized purchases (though these do happen at gas stations when the consumer fails to pick up the printed receipt, or when a transaction somehow fails, you pay with another card, and the original transaction shows up anyway as a double billing; this has happened with Exxon/Mobil). One reason is to make sure that there are no illegal transactions posted to your account through someone else’s criminal activity, whether a hacker or someone wanting to frame you (remember the “absolute liability offense” discussion on my Internet safety blog, Feb. 3 and Feb. 25 entries, reachable through the Blogger profile). It’s a good idea to be able to see all of the transactions conveniently; paper statements are too easy to lose.

Tuesday, August 07, 2007

Some banks bump up credit card payment due dates


Although this posting really is not about identity protection, it does relate to credit scores and financial "reputation" of consumers.

For the August 2007 bill, Bank of America, after buying many MasterCard and Visa accounts from MBNA, decreased the payment period from the statement date from 25 days to 20 days. They did print it on the bill, but I usually don't look at bills in the mail; I look at them online when I know them to be due. My ICCP Visa used to be due on the eighth of the month, and suddenly it got bumped up to the third. When I looked online yesterday, I found a $29 late fee already logged on Aug. 3, which would count against my credit report as a late payment. I scheduled the proper balance payment immediately yesterday and called the bank's 800 number. After a very long wait (needless to say, many other consumers were probably complaining about this surprise) I reached someone who explained the new policy and said I should have read the statement carefully when it arrived. He agreed to reverse the $29, which did happen this morning.

My MasterCard got bumped up last year when MBNA was taken over.

Many people count on stable due dates and make household budgets around these dates, in relation to their paycheck dates. This is a most objectionable practice. Any comments?

Sunday, August 05, 2007

The USPS NCOA form; Selective Service form; WHOIS registration



I’ve shown a few of the forms that show up in any USPS lobby. The most important is the “Official Mail Forwarding Change of Address Order.” Shown here is the paper cardboard form, but in software terms it is an object, an instance of a class. The “behavior” of filling in and submitting this object is to create a legal record of where a person wants to be contacted if some matter comes up of which another party needs to notify him or her.

Likewise, when someone owns an Internet domain, he or she (if an individual) registers a preferred contact address. For reasons of personal security this preferably should not be a residence address, but it may be a street-address mail box such as those offered by UPS Stores. For legal purposes this ought to be the same as the NCOA address. It is noteworthy that Network Solutions and other companies offer private registration, too, where only the registrar knows the address but can still reach the owner. The Network Solutions link for this is here.

Note the Selective Service registration form available in all post offices. It says “MEN: 18-25 YEARS: You can handle this: REGISTER: It’s quick and easy. It’s the law.” Selective Service mails back a Registration Acknowledgment Card. It does sound sexist, doesn’t it? I came of age during the era of the Vietnam draft and student deferments, and this has a lot of moral meaning to me.

Saturday, July 14, 2007

Good Housekeeping has major story


The August 2007 issue of Good Housekeeping, on p. 140, offers a comprehensive article by Amy Engeler, “The ID Theft You Haven’t Heard Of”. She describes schemes by which people outsmart the banking and credit reporting system to get jobs, get hospital treatment, and even buy homes. Besides people with substance issues (previous post), many of the perpetrators are illegal immigrants (as in the Lifetime movie “The Michelle Brown Story”). The article discusses systems problems, particularly within the credit reporting industry, where people are identified by a variety of search keys, including Social Security number but also various other combinations. Credit reporting companies also update files automatically from member transactions (after partial matches, which can identify the wrong consumer), and that increases the risk of compromise and the difficulty of correcting a consumer’s record after a major incident. Certain inconsistencies and bureaucracy in Social Security processing complicate matters (and can lead to fraudulent claims). In health insurance, new HIPAA regulations can make it more difficult for a consumer billed improperly (for someone else’s treatment) to find and correct the incorrect bills.

It seems unacceptable that ordinary consumers should be expected to shred ordinary junk mail, or cannot trust financial institutions and credit reporting vendors and even law enforcement to practice the proper due diligence in processing information.

In software engineering, a class describes a collection of objects with certain properties and behaviors. An instance is an occurrence of a specific object (a person). It’s always important to identify an instance precisely. In our world, Social Security number alone is no longer adequate to identify a consumer properly when processing

Good Housekeeping is a well-known “women's magazine”, dating back to the 19th century and well established long before Betty Friedan. Its view is that mothers and fathers are concerned with the practical issues of protecting their families, not with theoretical discussions of personal or corporate responsibility and ethics.

Thursday, July 12, 2007

CNBC program "American Greed" focuses on physical security


One of the major concerns I used to have in the good old days was simply the risk of losing a checkbook. It would happen sometimes, and I would ponder reconstructing the handwritten register in the book, remembering the last check, the possibility of stop payments, etc. I never had a loss from it, but the idea that money could be lost if a teller was “careless” was very real.

The same with losing wallets to pickpockets. A couple of times mine have disappeared in movie theaters, sliding under seats, resulting in replacing all of the credit cards. Only once has anyone who knew me stolen anything (and that was back in 1978, in New York, a long time ago).

Today, the current advice is no longer to leave outgoing mail for the USPS letter carrier to pick up (with the red flag up), to watch carefully whether checkbooks or wallets have been stolen from homes as well as in public, and, particularly, to shred all junk promotional mail. Avoid giving out your Social Security number where it is not needed. And less and less of this has to do with security on a home computer (hotel and library computers are riskier); more of it is 1970s-style physical security.

Tonight, Thursday, July 12, 2007, the CNBC channel aired a major episode of its “American Greed” series. The website reference is here. The program was called “Meth Identity Thieves.” It starts with a woman getting stopped for speeding in Denver, and a bench warrant for check forgery turning up. Apparently, she did not have online access with which to check her account frequently (though it is surprising that her account could be drained in less than one month). Counterfeit checks had been manufactured from her banking information. Her husband has to raise $10,000 to bail her out of jail. Quickly, the police discover the forgery ring that printed and cashed checks in her name. Apparently the impostors even wore wigs to impersonate her at the banks! The charges are quickly dropped for lack of evidence, but the record of her arrest remains (it’s not clear how important that is, as on employment applications she would normally only have to note convictions). It takes her months to clear her name. It’s not clear whether she gets the bond money back. Over several years, the police break the ring, but have to rearrest one woman on probation. Almost all of the thieves are addicted to methamphetamine.

The question remains: why don’t banks check more carefully? When printing new checks, they should always send them to a preferred NCOA address. (Of course, banks send convenience checks as promotions, and that is another loophole.) Another issue is online-generated checks; it seems that banks are not strict about reuse of check numbers. Debt collectors can also generate “checks by phone” with debt collection software.

Some additional security issues have been reported for home users of peer-to-peer software (LimeWire was mentioned in the report), with thieves pulling files off hard drives through lapses in P2P sharing settings. Of course, we hear a lot about keystroke-logging spyware and phishing sites. A phishing link can usually be spotted by hovering the mouse over a link embedded in an email and checking whether the actual destination matches the address shown in the email text (HTML does not require that they match; don’t click if they don’t!).

An identity monitoring and cleanup service mentioned in the program is IDWatchdog. I’ll check more into how it works.

Sunday, July 01, 2007

Credit reporting freeze available in DC


The District of Columbia, starting today, July 1, 2007, has a new law allowing consumers to order credit freezes as a way of preventing fraud. California was the first to have such a law, in 2003, and 33 states now have them. Maryland will allow consumers to do this starting January 1, 2008, and Virginia does not have a law like this.

A consumer may, by certified letter, request that Experian, TransUnion and Equifax freeze his or her file, so that any attempt to take out credit in the consumer’s name is denied. Credit reporting agencies can charge a small fee for this. It takes several days to unfreeze a file, as when buying a home, though that process may be available online soon.

Credit freezes accomplish manually what might be accomplished anyway by forcing credit grantors to verify preferred addresses with NCOA, as I have suggested. The posting was in September 2006, here.

In an earlier posting, I discussed the proposed Financial Data Protection Act (or Data Accountability and Trust Act) of 2006, here. This is H.R. 3997; the GovTrack link is here.

The story today about Washington DC is in The Washington Times, Business Section, p. C9, Saturday June 30, 2007, by Melanie Hicken, “Law helps D.C. residents prevent ID theft.” There is a similar story on page 11 of the DC Examiner, Monday July 2, 2007.

Update: (July 3)

See last page of this post for story about employer physical security (incident at Fidelity National Information Services unit of Certegy Check Services, Inc. in Florida).

Important blogger story July 6 about identity protection and what happened in Britain, here.

See this blog June 26, 2006 for an earlier story about this concept of credit freeze.

Sunday, June 03, 2007

CNN "In the Money" report updates consumer protection issues


On May 26, 2007, CNN’s “In the Money” presented an hour-long update on the difficulties of consumer identity protection. The show started with advice from Betsy Broder of the Federal Trade Commission, reminding consumers that banks and brokerages do not send emails (or make phone calls) requesting personal information. These are the notorious phishing attacks, which are getting more and more clever. They often use the bank’s trademark (itself illegal) but direct the visitor to a website that does not match the address shown in the text of the email (check this by hovering the mouse over the hyperlink in the email). I’ve tested some of these (using WHOIS on the IP address) and usually found them to be overseas servers (often in China). (I like http://www.domaintools.com for this, but the visitor can just use the WHOIS link at http://www.networksolutions.com.) A common ruse is to claim that the bank is testing a “system change”; once I got that phish from several “banks” in succession in the early hours of a Sunday morning.
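The "hover over the link" check described here, and in the American Greed post above, can be automated over the HTML of a suspect message. The following is an added example written for this page, not code from the blog or from CNN; the message body and the hostnames in it are constructed (reserved example and documentation names), and the bank's real domain, `examplebank.com`, is an assumption. It parses every anchor, compares the visible text with the actual destination, and flags the tricks phishers rely on: a bare IP address, a fake hostname hidden before an `@`, and a destination outside the bank's own domain. The WHOIS lookup on the destination address is left to a tool such as the ones named above, since it needs network access.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not a real phish); the hostnames are
# reserved example/documentation names chosen for the demonstration.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we are testing a system change. Please verify your account.</p>
<p><a href="https://www.examplebank.com@198.51.100.7/login">https://www.examplebank.com/login</a></p>
<p><a href="http://examplebank-secure.example.net/verify">Verify now</a></p>
<p><a href="https://www.examplebank.com/privacy">Privacy policy</a></p>
"""

# Assumption: the registrable domain the bank really uses.
EXPECTED_DOMAIN = "examplebank.com"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Last two labels of a hostname. This is a simplification: a real tool
    would consult the Public Suffix List so that e.g. co.uk is handled."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(s):
    """Hostname of a URL or bare domain; '' for mailto:, javascript:, etc."""
    s = s.strip()
    parts = urlsplit(s)
    if parts.scheme.lower() in ("mailto", "javascript", "tel", "data"):
        return ""                       # no network host at all
    if not parts.netloc:                # bare domain (optionally with a path)
        parts = urlsplit("http://" + s)
    return parts.hostname or ""


def looks_like_url(text):
    """True if the visible link text is itself presented as an address."""
    t = text.strip().lower()
    return ("://" in t or t.startswith("www.")
            or re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", t) is not None)


def analyze_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return one finding per anchor, with the reasons it looks like phishing."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = host_of(href)
        if not host:
            reasons.append("link has no hostname (mailto:, javascript:, ...)")
        else:
            if is_ip_literal(host):
                reasons.append("destination is a bare IP address")
            if "@" in urlsplit(href).netloc:
                reasons.append("user-info before '@' disguises the real host")
            if registrable_domain(host) != expected_domain:
                reasons.append(f"destination {host} is not under {expected_domain}")
            if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(host):
                reasons.append(f"visible text {text!r} points somewhere else")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"])
        for r in f["reasons"]:
            print("             -", r)
```

Run as a script it prints a verdict per link; the first link in the sample trips four separate checks at once, the second is flagged only because it lives outside the bank's domain, and the genuine privacy-policy link passes. A mail gateway would apply the same logic before the user ever sees the message.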

Recipients should report all of these as spam. Larger ISPs (like AOL) forward them to CERT for investigation and sometimes prosecution.

The program recommended longer passwords (12 characters or more) containing at least one special character, at least one number, at least one upper-case letter and one lower-case letter, and consisting of nonsense strings rather than words. Tools are coming onto the market to assist home users with password management, such as http://www.mypasswordmanager.com/
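The program's rule set, turned into a checker and a generator, as an added example written for this page (it is not code from the blog or the program). The 12-character minimum and the four character classes come from the text above; the particular set of special characters and the default generated length of 16 are my assumptions. The generator draws from the operating system's cryptographic random source, which is the right tool for a "nonsense string" that is meant to resist guessing.

```python
import math
import secrets
import string

# Policy as stated in the text above: 12+ characters, one of each class.
# The exact special-character set is an assumption.
MIN_LENGTH = 12
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())


def policy_violations(password):
    """List the reasons a password fails the policy (empty list = it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pool in CLASSES.items():
        if not any(c in pool for c in password):
            problems.append(f"no {name} character")
    return problems


def entropy_bits(password):
    """Upper bound on guessing entropy, assuming every character was drawn
    uniformly from the policy alphabet. A dictionary word that happens to
    satisfy the policy scores far lower in practice."""
    return len(password) * math.log2(len(ALPHABET))


def generate_password(length=16):
    """Generate a policy-compliant nonsense string using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One character from each class guarantees the policy holds...
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    # ...and the remainder is drawn from the whole alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple", generate_password()):
        verdict = policy_violations(candidate) or ["passes"]
        print(f"{candidate!r}: {', '.join(verdict)} ({entropy_bits(candidate):.0f} bits max)")
```

The checker is deliberately separate from the generator so that it can also be run against a password the user typed in; note that it can only say a string satisfies the policy, not that it is strong, which is why the entropy figure is labelled an upper bound.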

One of the worst problems that may occur is that an identity may be stolen and someone may be accused of the other person’s crimes. It isn’t hard to imagine how this could be attempted on the Internet in chat rooms, instant messages, and the like. The risk is much greater for a home user who is not the only user of a computer (which is one reason experts often recommend that computers be kept in a visible area of the house and not in kids’ rooms). Generally, any transmission from a computer can be traced to the IP address it was sent from, which is usually dynamic with dialup services like AOL and, while not guaranteed to be fixed, far more stable with high-speed cable Internet. In the case of dialup, I’m not sure how the forensics work in mapping the temporarily assigned AOL IP address to a particular computer or network in a particular home. But the possibility of computer crime under someone else’s ID has existed for years. In the 1980s, at Chilton Corp. in Dallas (a credit reporting company that is now part of Experian), employees were advised always to sign off before leaving their workstations (and in those days we had a “tube city”), since the employee was responsible if his logon were misused. The Lifetime film “The Michelle Brown Story” (2004) dramatized the problems. (Review)

The practice of credit reporting companies of “auto capture” (dynamically updating a consumer’s address from the address supplied with an inquiry) compounds the problem. This was common in the 1980s when I worked for Chilton, because the company wanted to use the “latest” consumer address information for bulk promotional mailing lists, a major source of revenue (and of our job stability).

The concept of checking any address change against a preferred address on a secured (non-public) NCOA database would defeat techniques like auto capture.

Monday, May 21, 2007

DMV's and DPS departments should watch for fake cards


I have substitute taught intermittently for three years, and on a couple of occasions I have noticed students whom I knew to be well under legal age in establishments that claimed to admit only persons 21 and over. I don't know what my legal responsibilities would be, if any; but clearly such occurrences mean that it is not that unusual for teens to be able to make or procure fake ID cards.

Police departments should set up stings to catch these. Devices should be developed to screen for barcodes that would not be easy to counterfeit. States generally have stiff fines for possession of fake IDs, $500 in Texas, link here.

There was a “scandal” in 2006 regarding fake airline boarding passes and grad student Chris Soghoian at Indiana University, discussed in a blog post by Brian Krebs at The Washington Post, Nov. 28, 2006, link here.

A master preferred NCOA address database, like that discussed earlier on this blog, could store a bar code or graphic designed to defeat counterfeiting. Mainframe databases like DB2 (easier to secure) have no problem accommodating such objects. Again, such a database would be off limits from the public Internet.

Is this a BigBR (Big Brother) society? (I once wrote a program for Univac called “BigBr” to monitor system use by employees of a client.) I don't know; the mood in Britain, for example, is coming around to accepting this kind of security as necessary. Can democracy deal with this? I think so. We are still left wondering why financial institutions do so little due diligence on identity before granting credit. There seems to be no disincentive preventing such careless behavior.

Fake IDs figured into a major episode of The WB's Everwood in the 2003 season.

The Lifetime channel (women's programming, associated with Lions Gate) aired a film called “Identity Theft: The Michelle Brown Story” in 2004. The review is here.

Sunday, April 01, 2007

TJMaxx media stories; more about FICO


During the last week of March 2007, major media outlets reported major intrusions into T.J. Maxx’s computer systems, with the outside possibility of the loss of personal information on over 40 million credit card customers. In all fairness, most of the information probably would not be usable. Nevertheless, retail employees and police in (at least) Florida and Great Britain apparently detected unauthorized use attributable to this loss, which may have begun before December 2006. The T.J. Maxx website has an “important customer alert” that opens from the top of its home page.

This breach, like several others at data collection companies and even the federal government (the Veterans Administration), shows that corporate databases are as large a vulnerability for consumer security as home computers, personal websites, or social networking sites.

I “retired” from my mainstream information technology career at the end of 2001. Most of it was spent on mainframe business systems running daily and monthly batch cycles. From the late 1980s on, these systems tended to have serious security (RACF, Top Secret) that prevented unauthorized access to production files by applications programmers. In time, source code management and elevation procedures improved to the point where one could argue that, in theory, these systems should be quite secure. Client-server replications of this data were not always as secure.

More relevant is the way many implementations and upgrades are tested, often with full parallel runs using full production data. Sometimes employees access this data from home by telecommuting, or from laptops they carry when traveling. Sometimes listings are taken home for detailed eyeballing during systems testing and implementation planning. This was more or less acceptable (except with classified government data) in the 1980s and 1990s, but is likely to become much less acceptable today. Companies will have to become progressive in adopting more secure parallel-testing procedures during implementations. This is a sensitive matter for associates, whose job performance depends on the accuracy of system parallels. Automated file-to-file or database compares (File-AID on the mainframe has tools for this) could reduce the need for copying and moving around production data.
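One way to get the benefit of an automated parallel compare without handing the tester a copy of production data, as an added example written for this page (it is not code from the blog, from File-AID, or from any product named above). The two CSV extracts are constructed, standing in for the output of a hypothetical billing-cycle job before and after an upgrade; the key field name and the per-parallel salt are assumptions. Records are matched on the account key, and the report names which fields differ for which record but replaces every value, including the account number, with a short keyed digest, so the listing that gets eyeballed contains nothing a thief could use. Equal values still map to equal tokens, which is what a tester needs to see whether a difference is systematic.

```python
import csv
import hashlib
import io

# Constructed sample output from two runs of a hypothetical billing job:
# the current production job and the parallel run of the upgraded job.
PRODUCTION_RUN = """acct_id,balance,due_date,status
1001,250.00,2007-09-03,OK
1002,0.00,2007-09-08,OK
1003,79.50,2007-09-03,LATE
"""
PARALLEL_RUN = """acct_id,balance,due_date,status
1001,250.00,2007-09-08,OK
1002,0.00,2007-09-08,OK
1004,15.00,2007-09-03,OK
"""

KEY_FIELD = "acct_id"  # assumption: the record key shared by both runs
# Assumed per-parallel secret. Without it nobody can reverse a token by hashing
# guessed values (account numbers are small enough to brute-force otherwise).
# Keep it with the production data, not with the report, and rotate it per parallel.
SALT = "parallel-2007-09-secret"


def token(value, salt=SALT):
    """Short keyed digest that stands in for a sensitive value in the report."""
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:12]


def load_records(csv_text, key=KEY_FIELD):
    """Index a CSV extract by its key field."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def compare_runs(prod_text, par_text, key=KEY_FIELD, salt=SALT):
    """Field-by-field compare of two runs; the report carries tokens, not data."""
    prod = load_records(prod_text, key)
    par = load_records(par_text, key)
    report = {
        "only_in_production": sorted(token(k, salt) for k in prod.keys() - par.keys()),
        "only_in_parallel": sorted(token(k, salt) for k in par.keys() - prod.keys()),
        "changed": {},
        "matched": 0,
    }
    for k in sorted(prod.keys() & par.keys()):
        diffs = {}
        for field, old in prod[k].items():
            if field == key:
                continue
            new = par[k].get(field)
            if old != new:
                diffs[field] = {"production": token(old, salt), "parallel": token(new, salt)}
        if diffs:
            report["changed"][token(k, salt)] = diffs
        else:
            report["matched"] += 1
    return report


if __name__ == "__main__":
    result = compare_runs(PRODUCTION_RUN, PARALLEL_RUN)
    print("matched records:", result["matched"])
    print("only in production:", result["only_in_production"])
    print("only in parallel:  ", result["only_in_parallel"])
    for rec, diffs in result["changed"].items():
        for field, pair in diffs.items():
            print(f"record {rec}: {field} {pair['production']} -> {pair['parallel']}")
```

On the sample the report shows one record changed (only its `due_date` field, which is exactly the kind of systematic shift an upgrade might introduce), one record present only in production and one only in the parallel run. Someone holding the salt can regenerate the token for a given account to look up the real record on the secured system; the report itself can travel on a laptop.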

Previous proposals on this blog have suggested that a “preferred address” consumer notification system based on the USPS NCOA become a lynchpin in protecting consumer data security. Such a system would need to be offline from the public Internet and need very careful physical security planning.

More about FICO:

Fair Isaac (the FICO score company, which gives every consumer an akashic “grade”) has its own personal data security recommendations here.

Credit scores, which of course have become controversial in the consumer data security debate, are sometimes used for purposes other than loans, credit cards and mortgages. Employers and, of course, landlords also use them. It used to be common on job applications for applicants to sign statements consenting to private investigations of their “mode of living,” but in practice these statements were usually meaningless. In theory, they would authorize investigative consumer reports by credit bureaus, including interviews with people who know the applicant. In practice, when I worked for Chilton in the 1980s (a credit reporting company in Dallas that is folded into Experian, still active in Dallas, today), such requests appeared to be relatively infrequent. Here is a wiki reference on the use of credit scores.

FICO considers only financial behavior. A FICO score, as far as I know, does not consider other behaviors, publicity, personality, or non money-related factors (and these could be very much affected by the Internet if they did count). When I worked for Chilton in the 1980s, the FICO interface from our credit reporting system was called "risk predictor" and was written in assembler language on the mainframe.

Tuesday, March 20, 2007

ABC news story on vulnerability of hotel systems for financial information access


Len Tapper and Asa Eslocker have a report on the March 20, 2007 ABC “Good Morning America”, “Russian Criminals Targeting U.S. 401Ks and Online Traders”. The report claims that some computers in some hotel “business centers” are rigged with spyware to steal user IDs and passwords to brokerage and bank accounts. The story is here.

Particularly risky, the report claims, is online brokerage trading on hotel computers. The report urges users to consider installing programs on their accounts that automatically change passwords constantly, although I’m not sure how the user then would know the password (unless carrying a coordinated smartcard device, or going to a special site, and these facilities are being developed).

It would seem safer to carry one’s own laptop and always use that, but laptop travel may become more difficult as there is a controversy about laptop batteries igniting, and TSA rules may become stricter.

Many hotel chains have business areas or even have public computers in lounge areas with AOL and other major ISP access. I have sometimes used these and found them unreliable, often not working or prone to crash or lock up, or very slow. I have been reluctant to log on to AOL on these on the theory that a pw could be stolen and illegal content could be sent by a hacker, although this has never happened. Libraries and Kinko’s also have public computers, and these computers always warn users not to conduct sensitive business on public computers.

Road access to personal accounts is important to many people. Many jobs require a lot of travel, and employers are often puzzled that employees need to use work computers for personal purposes, in violation of policy, but work-related travel can be one reason.

Travelers should consider developing other strategies for checking financial information on the road. Generally, banks and brokerages have 800 numbers and scripts that enable a customer to check balances by cell phone without logging on to a hotel computer. Some people, however, may need to trade online while on the road, as this may be part of their strategy, and safer business practices for this need to be developed.

Of course, the other major vulnerability is phishing scams, and spyware on home computers. In 2004, the media reported on the owner of a printing business in Florida who had a $90,000 line of credit drawn against his Bank of America account without his knowledge, so this sort of problem has been around for some years. Bank websites always advise home users to log off formally and close browser sessions after logging off, apparently as some additional defense against buffer overflows.

Banks and brokerages are not legally liable to refund money lost to hackers because of events that occur outside of the systems belonging to the financial institutions. Government retirement plan administrators have recently warned federal employees of this fact.

One protective security strategy, however, would be for banks or brokerages not to allow significant money (as a percentage of account value) to be removed from a user’s account without a physical event (like a fax and signature) from the outside world. This practice is often followed.

Again, as postings on the board have suggested before, the development of a definitive preferred address and contact system, out of the USPS NCOA, and its maintenance on a facility not available to the public Internet (preferably with traditional IBM-like mainframe technology, which I still believe is easier to secure, at least in my own experience), could be part of a strategy for preventing this kind of crime.

Monday, March 12, 2007

See It Safe is a new service


The New York Times Magazine, Sunday March 11, 2007, p. 24, has an article by Stephen J. Dubner and Steven J. Levitt, "Identity Crisis: When a thief steals your personal data, who really pays?: Counting the Cost of a 'Chargeback'" These two writers are the authors of "Freakonomics."

They mention a service, Sell It Safe, a startup by Steven Preisner. This service checks consumer information against a huge database of stolen information. Again, this would provide a due diligence step for banks and credit lenders, a step that ought to be required to protect consumers.

The Netflix film "Maxed Out" that opened this weekend really did not get into the due diligence that ought to be required of lenders in identifying customers.

Monday, February 26, 2007

WJLA does demonstration of data-mining of personal information from the Web


On February 26, 2007 Washington DC ABC affiliate WJLA did a demonstration with two subjects about the ease with which personal information (such as home address, names of relatives, comparable ("comp") values of homes in neighborhoods) may be found from free sources on the Web with search engines. Some of this information may come from "skip tracer" sites like zabasearch.

People concerned about their privacy (and that of family members) should never post home addresses on public sites. (Obviously people should not post such information about other individuals or families; there might be an issue with "digital vigilante" sites concerning bad behavior witnessed and filmed in public; discussion here.) People should consider using PO Boxes, or street-address mailbox services run by companies like UPS. People can consider registering web domains with private registration for small extra fees (which means that the registration company can serve as an intermediary to contact the domain owner for legal purposes). Even so, very determined gumshoes could track them down with these skip-tracer sites. Here is a letter to me from Congressman Jim Moran (D, 8th Dist., VA) in 2005 about the legality of these sites.

WJLA made some simple suggestions to protect privacy, such as unlisted phone numbers and not filling out Internet surveys. The tone of the report suggests that in the future legislators might address the legality of what people post about others on blogs and social networking sites.

Even so, if credit grantors practiced the appropriate due diligence to notify those receiving credit properly, as already discussed in this blog, this would be a much less serious problem.

The WJLA story can be accessed here.

Monday, January 29, 2007

NBC reports on a new service to check for the security of your information


NBC4 in Washington DC, on January 29, 2007, discussed a new website that can check whether a Social Security number or credit card number has been compromised. The link is this. The name of the site is "stolenidsearch." The website has the NBC4 logo on it. The site reportedly looks beyond familiar sources like search engines into arcane resources on the Internet.

The website does urge the visitor to join its monitoring service, although checking a SSN or credit card number is itself free.

Again, I believe that the practice of diligently checking registered preferred addresses (as with NCOA) would do much more to prevent these problems.

Saturday, January 27, 2007

Major CNN report


CNN broadcast a major one hour documentary (by Drew Griffin) on this problem on Saturday, Jan. 27, 2007, going into detail with several major schemes used against banks. Much of this is associated with overseas and "Nigerian" activities. Nigeria is said to have very poor financial control laws.

Most of these schemes would not work if banks rigorously checked addresses against a secured NCOA system. Banks have started more address verification of their "security deposit" credit cards for people with poor credit histories.

The program also described fraud in Texas using fake notary stamps and also mailbox addresses. Notary stamps could certainly be more carefully controlled, and mailbox addresses (usually used by people to protect residential privacy, itself a legitimate purpose) could be more secure with a more secure NCOA system from the USPS (requiring a major systems development effort), as described in previous posts.

Many white collar crooks described in this report sounded sociopathic, and claimed they were just "making a living" in a competitive world (what David Callahan calls "The Cheating Culture"). Ideas of right and wrong seem to go bye-bye. One young white collar criminal in prison was very insistent that little could be done to stop people like him, although many of us would strongly disagree.

Banks are still free to share personal information with subsidiaries (unless the customer opts out) and have a lot more work to do with encryption.

There is more at this link.

Tuesday, January 02, 2007

Quick credit from Amazon dot com


Yesterday I had a sword drill in the issues confronting private information protection. I went to buy Lou Dobbs's new book "War on the Middle Class" from Amazon on New Year's Day, and I was, upon checkout, greeted with an invitation to get $30 credit if I would get an Amazon Visa card from Chase. Now I already have such a card (from AOL), but in my situation I cannot afford to pass up $30 of free books and DVDs, so I filled out the application. It seemed OK, although I could have added others to the account without their knowledge, it seemed. On employment, it seemed to accept being retired as long as you named the company you had retired from. It took about 45 seconds to approve, and did issue a card with a $1000 limit. I hope that the low limit is just a precaution (until I establish bill payment history on the card), and not an indication of a problem that I don't know about. (The free credit reports in September were OK, as were the FICO and Vantage scores.)

Could such convenient credit and freebie offers work in an environment that requires a grantor to perform due diligence and check with a beefed-up NCOA (National Change of Address)? For very small amounts of credit, this would be OK, as long as confirmed by a mailing to the NCOA address within 72 hours to let the person know a new card was taken out in his/her name.