Saturday, July 14, 2007

Good Housekeeping has major story

The August 2007 issue of Good Housekeeping, on p 140, offers a comprehensive article by Amy Engeler, “The ID Theft You Haven’t Hard Of”. She describes schemes by which people outsmart the banking and credit reporting system to get jobs, get hospital treatment, and even buy homes. Besides people with substance issues (previous post), many of the perpetrators are illegal immigrants (was with the Lifetime movie “The Michelle Brown Story”). The article discusses systems problems, particularly within the credit reporting industry, by which people are identified from a variety of search keys, including social security number, but also various combinations. Credit reporting companies also do automatic file update from member transactions (after partial matches, that have the potential of identifying the wrong consumers) and that increases the risk of compromise and the difficulty in correcting a consumer’s record after a major incident. Certain inconsistencies and bureaucracy in social security processing complicate problems (can lead to fraudulent claims). In health insurance, new HIPAA regulations can make it more difficult for an improperly billed consumer (for someone else’s treatment) to find and correct incorrect bills.

It seems unacceptable that ordinary consumers should be expected to shred ordinary junk mail, or cannot trust financial institutions and credit reporting vendors and even law enforcement to practice the proper due diligence in processing information.

In software engineering, a class is a collection of objects with certain properties and characteristics. In instance is an occurrence of a specific object (a person). It’s always important to identify an instance precisely. In our world, social security number alone is no longer adequate to identify a consumer properly when processing

Good Housekeeping
is a well-known "women's magazine", dating back to WWII times, well established before Betty Friedan. It's view is that mothers and fathers are concerned about the practical issues or protecting their families, not with the theoretical discussions on personal or corporate responsibility and ethics.

Thursday, July 12, 2007

CNBC program "American Greed" focuses on physical security

One of the major concerns I used to have in the good old days was just the risk of losing a checkbook. It would happen sometimes, and I would ponder recovering the manual handwritten register on the book, remembering the last check, the possibility of stop payments, etc. I never had a loss from it, but the idea that money could be lost if a teller was “careless” was very real.

Same with losing wallets to pickpockets. A couple times they have disappeared in movie theaters, sliding under seats, resulting in replacing all of the credit cards. Only once has anyone who knew me stolen anything (and that was back in 1978, in New York, a long time ago).

Today, the current advice is to no longer leave mail to be picked up by the USPS letter carrier (with the red flag), and to watch carefully if checkbooks or wallets are stolen from homes as well as in public. And, particularly, shred all junk promo mail. And never use your social security numbers. And less and less it has to do with security on a home computer (hotel and library computers are riskier), but more with 1970s style physical security.

Tonight, Thursday July 12, 2007, the CNBC Channel aired a major episode in its “American Greed” series. The website reference is here. The program was called “Meth Identity Thieves.” It starts with a woman getting stopped for speeding in Denver, and finding a bench warrant for check forgery. Apparently, she did not have online access to check her account frequently (but it is surprising that her account would be drained in less than one month). Counterfeited checks had been manufactured from her banking information. Her husband has to raise $10000 to bail her out of jail. Quickly, the police discover the forgery ring that has printed and cashed checks in her name. Apparently imposters even wore wigs to impersonate her going to the banks! The charges are quickly dropped for lack of evidence, but the record of her arrest remains (it’s not clear how important that is, as on employment applications she would normally only have to note convictions). She has to take months to clear her name. It’s not clear if she gets the bond money back. In the meantime, over several years, the police break the ring, but have to rearrest one woman on probation. Almost all of the thieves are addicted to methamphetamine.

The question remains, why don’t banks check more carefully. When printing new checks, they should always go to a preferred NCOA address. (Of course, banks send convenience checks as promotions, and that is another loophole. Another issue is online generated checks, and it seems that banks are not strict about reuse of check numbers. Debt collectors can also generate “check by phone” with debt collection software.

Some additional security issues have been reported for home users using peer-to-peer (Limewire was mentioned in the report), with thieves stealing from hard drives through lapses in P2P. Of course, we hear a lot about keystroke-watching spyware, and phishing sites, which can usually be identified by running a mouse over a link embedded in an email and see if it matches the spelling of the link in the email (HTML does not require that it match – don’t click if it doesn’t match!).

An identity monitoring and cleanup service mentioned in the program is IDWatchdog. I’ll check more into how it works.

Sunday, July 01, 2007

Credit reporting freeze available in DC

The District of Columbia, starting today July 1, 2007, will have a new law allowing consumers to order credit freezes as a way of preventing fraud. California was the first to have such a law, in 2003, with 33 states having such laws. Maryland will allow consumers to do this starting January 1, 2008, and Virginia does not have a low like this.

A consumer may, with certified letters, request Experian, Trans Union and Equifax to freeze their records, causing denial of any attempts to take credit out in the consumer’s name. Credit reporting agencies can charge a small fee for this. It takes several days to unfreeze credit, as to buy a home, and that process may be available online soon.

Credit freezes accomplish manually what might be accomplished anyway by forcing credit grantors to verify preferred addresses with NCOA, as I have suggested. The posting was in September 2006, here.

In an earlier posting, I had discussed the proposed Financial Data Protection Act (or Data Accountability and Trust Act) of 2006, here: This is HR 3997, and here is the Gov Track link:

The story today about Washington DC is in The Washington Times, Business Section, p. C9, Saturday June 30, 2007, by Melanie Hicken, “Law helps D.C. residents prevent ID theft.” There is a similar story on page 11 of the DC Examiner, Monday July 2, 2007.

Update: (July 3)

See last page of this post for story about employer physical security (incident at Fidelity National Information Services unit of Certegy Check Services, Inc. in Florida).

Important blogger story July 6 about identity protection and what happened in Britain, here.

See this blog June 26, 2006 for an earlier story about this concept of credit freeze.