Tuesday, December 30, 2008

Credit industry uses several different scores and formulas to rate consumers

The credit reporting industry offers up to six kinds of credit scores. They are all developed by Fair Isaac Corporation (FICO) but they differ. Equifax uses BEACON, TransUnion uses Rico Risk and Experian (formerly TRW and Chilton) uses FICO II. (I remember the “risk predictor” project when working for Chilton in Dallas back in 1987.) Fair Isaac has three other scores used by insurance companies (especially auto insurance) and possibly other businesses like employers. What would worry me would be an effort to score something like “online reputation” but I haven’t heard of this happening yet. I’ll try to find out what goes in these other three scores and report later. When I worked for Chilton, I used to hear about “investigative consumer reports” (background investigations into “mode of living”) but it seemed that these were rarely done in actual practice.

One important myth this that a credit score is highest if all bills are always paid in full. A small balance may actually show the ability to pay off bills over time and use credit and could improve some scores.

When you have a dispute with a creditor it may help to pay the bill on time and then go to small claims court.

All of this material comes from Lita Epstein, “Eight Myths About Your Credit Score” on AOL today (Dec. 29). The Walletpop link is here.

Saturday, December 27, 2008

"Noble" accolade for American Express for its payment reminders

This posting is probably at most tangential to the theme of this particular blog, but I wanted to announce an accolade. Say, like the “Nobles and Knaves” in the Washington Times editorials.

The Noble award at the year end goes to American Express cards for sending reminders by email to clients several days before a payment is due. None of my other cards do that. They even send the reminder the day after you made the payment, if the bank hasn’t processes it yet.

I suppose this is a good security protection, too. If you get an email about a bill in advance and think you don’t owe the money, you start checking, for possible wrongdoing by others.

Tuesday, December 23, 2008

Wired covers the story of a master con man ("Catch Me If You Can!")

Wired Magazine, for January 2009, runs, on p 94, a detailed article by Kevin Poulsen, “Catch Me If You Can” (after Leonardo Di Caprio’s famous movie on a 1969 con artist), about “Last Days of a Hacker: Taking Down a Credit Card Con Man.” The link is here. This is the detailed story of San Francisco dark knight Max Butler, who developed in his Victorian apartment a plan to “rule the world,” that is, black market credit cards and identities. The story presents him as somewhat of a hacker godfather, who tried to reign in on all the operations, sometimes pretending he was going to turn out to be the good guy.

The story would make a good movie, and perhaps actually will some day. (Make Di Caprio would play him.) The story has other characters, like Christopher Aragon. The story says he could trick SQL servers into running his own commands. (Just think how a typical MySQL facility on a shared Unix hosting works. Something I’ve noticed: the security works for me in Internet Explorer 7 with all the latest fixes – despite the publicity over the flaws; it doesn’t work in Firefox, at least for me.)

The moral of the story is the incredible complexity of all of these applications and the multiple points of vulnerabilities, and the enormous number of user “trust points” in the world of making loans and giving credit.

Thursday, December 04, 2008

Governments should require acquiring companies to strenghten consumer idenfitication as condition for bailout money

During the financial crisis and following bailouts, a lot of banks, insurance companies and financial institutions buy weaker comparable institutions, sometimes as a condition of receiving government guarantees or shares. This can happen in the United States and in Europe or Britain.

Even so, financial institutions are shedding jobs, not just of analysts and traders but also of support information technology staffs, and postponing new projects. Even in “retirement”, I have heard some disturbing stories from other associates first-hand recently.

It seems that government could prod these companies to improve their due diligence in identifying credit or loan applicants. Most companies have some soft of National Change of Address interface, and acquiring other businesses would mean that stronger acquiring companies would need to schedule projects to integrate these acquired companies into their NCOA systems.

As I outlined on my Sept. 25, 2006 entry on this blog, the USPS NCOA system could provide an effective entrance key for designing a securable procedure that all financial institutions should use in identifying customers. This would also be effective in promoting homeland security. The government and the new Obama administration should take advantage of the “opportunity” offered by the bailouts to require financial institutions to schedule and complete projects related to due diligence in properly identifying customers.

Friday, November 28, 2008

Feds break up major home equity loan theft ring

Brian Krebs reports in The Washington Post that the FBI and federal prosecutors have broken through an international identity theft ring that tapped into home equity loan lines. It’s rather odd that this scam could have worked during a time of declining home values and upsidedown mortgages. However, criminals went to public records to find people with healthy mortgages in order to tap them. Then they went through elaborate technical ruses to conceal their identities and tap banker money. Even so, it is surprising that financial institutions didn’t catch this. Much of it may have happened before the real estate crash accelerated into the mess that it has become today. The incidents probably reflect the pressure (the “always be closing” mentality) on employees of financial institutions to sell deals.

The very detailed story is on p E10 of the Nov. 28, 2008 Washington Post, link here.

The incident certainly reminds one of the dangers inherent in placing public records on the Internet.

Thursday, November 20, 2008

More advice on FICO scores -- and maybe some new concerns

AOL today offers a practical column on “Walletpop” by Lita Epstein, “Eight Myths About Your Credit Score”, link here. There is some pretty good and surprising advice. For one thing, the best credit score might not come from paying all balances off every month. A utilization ratio of 10% to 20% might be better. Credit card holders should bear in mind that payment histories tend to get reported to the three main credit card companies just before the billing statement is generated. Walletpop also offers other similar earlier pieces on credit score advice.

Also, card holders should not voluntarily downsize their credit limits – that will lower scores. Credit card companies may do that for you! If you cancel a card, cancel a newer one rather than an old one with long payment history.

The article does provide some discussion about what happens with wrong information or identity theft.

I was working for Chilton Credit Reporting in the 1980s when it developed interfaces to Fair Isaacs, then called "risk predictor." (Chilton is now "Experian.")

So far, credit scoring does seem limited to financial behavior. Other kinds of “private” background gumshoeing and investigating of people could look at things like Internet and social networking activity, as I’ve discussed on other blogs. There is something worrisome to me about this, as, this September, new kinds of blogger’s insurance got offered (see Sept. 28, 2008 on my main blog). It promotes the idea that a blogger (or at least an uninsured amateur) could be at an unpredictable long term risk for incurring judgment or at least expense in defending frivolous litigation, and that could create the perception that the person is a weaker credit risk. I haven’t seen anything like this happen yet, but the thought itself is scary, because it sounds all too logical.

Monday, November 17, 2008

"Future of Privacy Forum" will favor regulating corporate gathering of data on Internet surfers

A group called the Future of Privacy Forum will be headed by former AOL privacy chief Jules Polenetsky, and is getting help from AT&T’s law form, Proskauer Rose, according to a story by Wendy Davis in Media Post Nov. 16, link here. The think tank will develop positions on companies’ tracking consumers surfing habits, suggesting that consumers should have to opt in (as with compensated surveys run by market research companies like Nielsen). Advertisers maintain that they need better data to target their ads because of the recession. However, many people believe that the behavior of these companies jeopardizes the security of consumers and could expose them to identity theft.

The Forum does not appear to have its own website yet.

Kim Hart has a similar story in The Washington Post today, Nov. 17, on p A6 “A New Voice in Online Privacy
Group Wants Tighter Rules for Collecting, Using Consumer Data,” link here.

As I note on my Books blog Nov. 5 with my review, George Washington University law professor Daniel Solove has a new book “Understanding Privacy.”

The best known organization dealing with Internet privacy is the Electronic Privacy Information Center, which was very helpful during the COPA litigation. Note its article today on privacy issues and tracking the flu epidemic.

Thursday, November 13, 2008

New service "ID Watchdog" advertises on CNN

CNN has run ads for another ID protection service called “ID Watchdog”, with website here. The website home page has audio of case histories. The company says that it monitors credit reports and public records for illicit activity, and that it can save the customer “thousands of dollars” and hours in restoring reputation should there occur a breach.

I’ve seen other companies offer similar services, such as Lifelock.

I’ve wondered if people vary in how vulnerable they are. People with unusual or hard-to-spell names may not have identities stolen as often. It’s possible that someone who is even moderately well known, even because of the Internet or social networking site activity, might be harder to impersonate.

Tuesday, November 11, 2008

Job hunters could face identity security issues

Now there are more concerns that job seekers could place themselves in jeopardy of identity theft.

Recently, in Britain, an experiment was set up with a fake employer, encouraging the submission of resumes and CV’s (curriculum vitae). A group called “iProfile” reports on the experiment on this PDF:

Career experts suggest checking lesser known companies out carefully. If employers can check employees on Myspace or Facebook or personal sites and blogs (there are ethical questions about the way this has been done), employees can also check out employers, and should do so.

Another recommendation is to use a secure CV registration service, rather than submit it separately.

A CV could be thought of as like a profile, and some people believe that social networking site profiles should not contain material that would not be appropriate in a career-oriented CV.

Friday, November 07, 2008

Phishing attacks escalate because of financial crisis; phone calls as well as emails try to get personal information

ABC’s Good Morning America this morning (Nov. 7) warned consumers that spammers are increasing their phishing attacks in the wake of the closure or merger of so many banks during the financial crisis. They report that even the president of France had his bank account tapped.

Typically an email arrives warning that a bank account will be frozen if the consumer does not respond with personal information. Often the email has the bank’s trade dress embedded in the HTML and looks authentic. If the user runs the cursor over the links, the actual URL to be linked to may be different from that shown.

Phone scams have increased. People call customers of banks and make the same pitch, asking for personal information. The consumer should ask for a phone number and hang up, and call the bank at the phone number given on the bank’s statement.

Banks never seek personal information by unsolicited email or phone calls.

Tuesday, November 04, 2008

FTC delays "Red Flags Rule" until May 2009; would increase due diligence required of credit grantors

The Federal Trade Commission has developed a “Red Flags Rule” that would apply to credit grantors. The Rule is supposed to require more due diligence from creditors in making loans. “Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.”

However, on Oct. 22, 2008 the FTC announced that it would suspend implementation of the Rule until May 1, 2009. The link is here.

The concept of “creditor” does not apply to all businesses that accept credit cards. It apparently would not apply to a small book publisher or author accepting credit card payments for a book, for example.

The Rule is based on Fair and Accurate Credit Transactions Act of 2003 (FACT), PDF document for the law here.

Private vendors are developing solutions to meet the “Red Flags Rule:, such as “idBusiness”, link here.

Thursday, October 23, 2008

Debt collectors still violate FDCPA: As a "third party" I get an illegal phone call

Yesterday (Oct 22), around 8:30 AM EDT, I received a bizarre phone call asking me to contact a “neighbor” to convey contact information about an urgent “personal business matter.” Since I worked in debt collection myself in 2003 while still in Minnesota, I was “suspicious” but I knew that if this was a collection matter, the caller was probably violating third party rules of the Fair Debt Collection Practices Act (FDCPA). (The FTC copy is here. I took down the information, including case number. I quizzed the caller further and he gave the address for which the party was a “neighbor,” which was my UPS Store mail box address. (UPS Stores now run what used to be called Mail Boxes ETC).

Apparently, the caller did not understand that these is a mailbox store in a high rise office building, and not a physical office number in such a building. At first, the idea that another mailbox in the same building would appear to be a "neighbor" sounds astonishing to common sense.

At the time, I wasn't sure that this was a collection call, or what it was, because it was so bizarre. I called the number he gave, and it repeatedly stalled and then went busy. Finally, around 11 AM I got through and got the name of the company. I looked up the company on the Internet and found out where it was, a "conventional" debt collection company.

I won’t name the company or the location (other than say East Coast – most debt collection offices are actually in the Midwest to take advantage of time zone spread) or, for that matter, of course, the supposed debtor here. I’m debating with myself whether to report this. Debtors should know they have a right to dispute collection calls and tell the agency to stop calling.

Actually, the prohibition against contacting third parties (which includes “neighbors” in the federal law but even includes spouses in a few states like Massachusetts [including same-sex spouses in that state]) is part of the whole new “reputation defense” problem. At least, imagine how it can be. This part of the FDCPA should be vigorously enforced.

Recently there have been several media stories about unscrupulous debt collection practices, even though most of the industry says it follows the rules.

In 2000, I found an old credit card debt on a credit report that had apparently been lost in a household move in the 1980s. It surfaced when Chase bought Chemical Bank. I called the debt company in New York City and was stiff-armed into paying it (about $600 ballooned from an original $120) when I should have been allowed to dispute it. In this case, the agency had bought the debt and was no longer just a third-party debt collector.

The industry trade association is the Association of Credit and Collection Professionals (ACA).

All legitimate debt collection calls should start with the mini-Miranda which is worded like this "This is an attempt to collect a debt and any information obtained will be used for that purpose" and should identify the debt-collecting company and the agent, at least by a first name of pseudonym.

I did read Max Ellison's "Beat the Bill Collector" back in 1997 (from Paladin Press).

Wednesday, October 22, 2008

Supreme Court to hear case about illegals who do not know they are simulating real people when getting work

The Supreme Court will hear, on Oct. 27, a the case of Ignacio Flores-Figuero, an illegal immigrant from Mexico who used the social security number of a real US person with the same name to get work in Illinois. Federal law says that all that is necessary for a conviction is that he used the fake identity of a real person. He does not need to know that this is a real person, but that is the constitutional point at issue. The Eight Circuit has agreed with this interpretation.

The story is by Adam Liptak in the New York Times, Oct. 21, 2008, “Justices take on Illegal Workers and Penalties for Identity Theft,” link here.

The US Code reference from the Cornell University Law Library is US1028a here and next page.

Tuesday, October 21, 2008

Rapid credit rescoring may help consumers during credit crunch

This morning ABC “Good Morning America” briefly discussed the concept of “rapid credit rescore” where errors or omissions on a credit report, was well as payment information as well as incorrect accounts are submitted to all three major credit reporting companies so that the FICO score can be recomputed, sometimes within 48 hours.

A number of companies and sources discuss this opportunity. These include Credit Score News, here, Cisco Credit (which offers a predictive recalculator) here and (prosaically) “CreditReScore.com” here.

Rapid rescoring can be important now in getting a mortgage or even an auto loan. News sources report that GM dealers right now will not give auto loans to those with scores below 700, although hopefully that will change if credit markets loosen with the bailout.

Credit rescoring should be differentiated from “credit repair” with is often scammy.

Monday, October 06, 2008

Could monitoring of individual credit extend to new areas? Also, some credit cards being closed

On this blog, I’ve repeatedly called for establishment of a “preferred contact point” system for lenders, with use of the USPS NCOA (National Change of Address) system. I’ve said that increasing notification and due diligence requirements on lenders could reduce identity theft and fraud, and I suppose the idea could gain traction given the current fiscal mess.

The main objection is, you guessed it, it give the government potentially a greater capability to track the activities and movements of individuals. Yes, this is not China and I am not as concerned about that, although maybe I should be.

There will be more regulation of a lot of other activities, particularly in the financial world, but that could lead to a climate where individuals are looked at more closely. That does worry me. Imagine a world where your credit report or FICO score was checked before you have an Internet domain (because ICANN is dealing with some fraud problems there now – as on my Internet safety blog) or get a domain, or even a social networking site or blog publishing account. Because of some arcane, if still theoretical problems, I can imagine how this could happen some day.

Consumer credit card accounts getting canceled:

By the way, WJLA in Washington is reporting that some banks (especially Bank of America) is starting to close some customer credit card accounts, mainly (1) delinquent or over limit, and some customers are having their limits reduced and (2) cards not used at all for one year or more.

Saturday, October 04, 2008

Major company loses shareholder personal info in shipment

Now there is at least one company that lost the personal information of shareholders during the routine shipment of a computer cassette to an iron mountain facility. As usual, the company (will not be identified here) offers free credit monitoring for one year. I know this from a letter to an individual that I personally saw.

More and more, it seems that many compromises of consumer and investor security are simply matters of logistical security and competence well known from the bricks and mortar world that preceded the Internet.

And this was just a matter of business-to-business logistics. It didn’t even concern employees taking work home or telecommuting.

I can remember when working sometimes taking corporate shipments to UPS or to USPS Express Mail myself and handling the receipts. It’s something that basic.

Thursday, October 02, 2008

Parents find that minor teenagers often have their identities misappropriated when the kids apply for tuition aid

Major media sources now report that an increasing number of high school students are discovering that their identities have been stolen when they apply for college financial aid.

In some cases, the breaches could have occurred over ten years ago. Because minors typically don’t have their own credit histories, parents don’t check for them. Crooks could have taken out loans in their names, which wind up on fake credit report entries for them which should not even exist.

ABC News offers a video on the issue dated Sept. 16, 2008, link here.

Credit reporting companies will need to develop mechanisms to allow parents to check for the possibility of invalid records for their minor children. Since I worked for Chilton (now Experian) in Dallas in the 1980s (mostly in daily and monthly billing), I can imagine that this would be a information technology big project.

Again, a mandatory notification system based on NCOA, as I have discussed here, could prevent the problem.

Tuesday, September 30, 2008

Warning signs that a consumer's identity is compromised

AOL has a story from “Walletpop” this morning (Sept 30) of four signs to look for that your identity could be compromised

(1) You don’t get credit card bills when you expect them. That’s a sign that a thief could be using your account. One antidote is to monitor your credit card accounts online

(2) You get credit cards you didn’t apply for. Normally, this could mean a thief has tried to emulate you but has been sloppy, so you get the mailing. My own plan on this website would force institutions to notify you at a “preferred address” when an account is opened in your name, but it can happen accidentally now.

(3) You are denied credit despite the fact you think you have a good history. Check your own credit reports once a year (free) at "Annual Credit Report") with Trans Union, Experian and Equfiax. The last of these companies will expect you to wait a full year before giving you the free report again.

(4) You get calls from collectors (either first party collectors from vendors, or third party collection agencies) for purchases you did not make. Under the Fair Debt Collection Practices Act (FDPCA) you have certain rights, and can dispute the call immediately if not valid. Don’t allow a collector to threaten to sue you; that’s illegal. You definitely have rights under this law.

Monday, September 22, 2008

Even a Photo CD could leak consumer information is misprocessed (getting someone else's photos as well as yours)

There is a possibility that your information can leak even when you turn in a single-use camera for prints and a Picture CD. I had turned in a color (CVS) camera and a black-and-white (Kodak), even carrying 27 prints, to a CVS store for CD’s.

I was told that they could currently produce only the Kodak formatted CD’s. But for the black and white camera, I got back a CD with two pictures from the color, and then about 200 pictures taken by another family. The CD went into a loop and I had to reboot the computer.

For the color camera, I got back a Kodak CD. It processed OK and had all the prints, but it also had pretty much the same 200 extra prints belonging to the other family.

The pictures were those of a family’s visit to the DC zoo, which I recognized. They were harmless. But what if the pictures had been pornographic? What if they had been illegal for me to even possess? Or, what if they somehow had contained sensitive information?

The problem seemed to have to do with processing on the Kodak machine in the store. It may have become corrupted, or it may have been improperly used. (It should not have created a CD that could not be closed from memory without rebooting.)

So, even something as innocuous as picture CD’s could pose security issues, or leak of information in photos to other parties.

One problem is that both Kodak and CVS load additional software which is unnecessary for a user who only wants to copy the pictures to his hard drive and manipulate them himself.

In fact, a Ctl-Alt-Del in XP shows that the Kodak Software Updater Agent is always running, unnecessarily, after boot, unless it is closed manually.

Monday, September 08, 2008

Should companies vet individual employees for political or social conflicts as part of data security policy?

Could the current concern over consumer data security lead employers to screen job applicants for “hostile” political or social views that might pose a risk for customers?

Consider the concept of a “fraternal company” where the point of the company is to serve customers in a particular identifiable class. The class of customers could be any potential “controversial” group, ranging from LGBT people to members of evangelical denominations. Should an employer be concerned if it performs a “search engine reputation check” and finds political activity that would be inimical to the group?

I once worked for a company that specialized in selling life insurance to military officers. I became publicly involved in opposing “don’t ask don’t tell” in 1993 and later. When the company was purchased by a larger company, I transferred in order reduce the appearance of “conflict of interest” as I saw it. There never was any misuse of data, but I was concerned about “appearance” and there was arguably less “exposure” (especially to hardcopy data) at the new location.

Of course, companies merge, and often turn their operations over to outside vendors so that the data for various "fraternal groups" is consolidated and outside the scope of normal concern.

It’s also true that ten years ago and more, there was much less concern that consumer data could be stolen and misused if left lying around. It was acceptable then for companies to keep less secured copies of consumer data (especially in print), and this belief continued through all the data collection activities associated with Y2K. After 2001 or so, concern about consumer security grew very rapidly, and companies had to become much stricter about how their data was kept and who accessed it.

Wednesday, September 03, 2008

A new NCOA-based system should allow consumers to keep unlisted information from "public" data brokers

I want to remind the visitor that the September 25, 2006 posting on this blog gives my “project proposal” on how a system to protect consumer identity security would work. In short, it would be centered on a “preferred contact address” equivalent to the NCOA (National Change of Address) as managed by the United States Postal Service (and various contractors). In various circumstances, financial and lending institutions would be required to check this address as part of “due diligence” to prevent parties from copying existing persons and creating duplicate identities of these individuals for the purposes of fraud.

One requirement for such a (“new”) system (on a go-forward basis) ought to be that a consumer has the right to prevent this “preferred address” (or any preferred contact point, email, or cell phone) from being sold to data brokers for reverse lookup of essentially “unlisted” information (including family, real estate and income level information). Many companies (I won’t list them here) make this information available for very small purchase price per item to the public. The capability of misuse of such information (which is often incorrect anyway) has been a plot point in more than one soap opera recently—and that’s just “make believe”. These lookups are part of the “deeper Internet” (beyond normal search engines) that some reputation defense companies say that they can check for clients, and say that employers could check (and they indeed could). My own Congressman (a “moderate” Democrat) says that the practice of “for sale” data brokering operates barely within the parameters of what is “legally permissible” and presents troubling potential security (maybe even national security) issues.

Even so, I remember back in the 1980s, that – even in an older mainframe and large-business-driven world -- “promos” (identification information sold to target marketers) was a larger source of revenue for Chilton, a credit reporting company, than were legitimate credit reports themselves. I noticed this then because I maintained their billing systems.

Wednesday, August 27, 2008

ITRC reports record volume of data breaches in 2008

Almost 450 businesses and government agencies have reported lost of consumer identification data this year 2008. That is what the Identity Theft Resource Center of San Diego (“ITRC”) reports. 127 million consumer records were compromised, but 90 million belonged to one company, retail chain T.J. Maxx. That is more than was reported in all of 2007, and it is still August!

The story by Brian Krebs in the Aug. 26 Washington Post, “Data Breaches Have Replaced Level for all of ’07, Report Finds” is here. In fact, the ITRC press release (dated Aug. 22) is here.

Needless to say, the continual reports of businesses losing consumer data will affect work habits. Employers will have to be much tighter in letting workers take work (whether laptops or even diskettes or printouts) home (probably sign-out procedures) and even in keeping production material around in open spaces at work. The security of Internet connections (including firewalls) for telecommuters will become a bigger issues.

Reporter Brian Krebs is well known for his “Security Fix” blog at The Washington Post.

Friday, August 22, 2008

Consumer Reports discusses government compromise of individual identity

The September 2008 issue of Consumer Reports has an article on how government leaks personal information. The story is titled “ID Leaks: A Surprising Source Is Your Government at Work,” link here. You may need an online subscription or hard copy to see all the content.

The worst federal government offender is the Veterans Administration, but the IRS and TSA make the list. Often the problems are lost laptops or disks. Local and state governments, including Ohio and the City of Savannah, have been culpable for publishing social security and other compromising information. 28% of counties displayed social security numbers on the Internet. CR warns “you have no right to be notified if someone is using your SSN under another name.” Astonishing!

What do libertarians say, "government doesn't work".

Sunday, August 17, 2008

Novelist Jeffrey Deaver weighs in on "consumer identity protection"

Parade, the magazine-let insert into many Sunday newspapers, has an article today (Aug. 17) by novelist Jeffrey Deaver, “The Case of the Stolen Identity,” link here. He gives advice according to the acronym “SCAM” and also recommends buying and using a shredder to prevent dumpster diving. I still wonder why we have stooped to the point that we don’t expect our financial institutions to be more careful and expect private individuals to spend the time and expense of protecting themselves and their families.

Deaver gives a personal account of a credit card that got lost during a move, and that generated bogus charges. He got them cleared, but it took credit reporting company computers a year to clear his credit. He found himself paying cash deposits for utility hookups and he found himself locked out of mortgages and home-equity loans, because of the wrongdoing of others, not himself.

He says that 9 million people a year are victims of identity theft, if an annual cost to the national economy of $50 billion. He talks about some of the more “brazen” things that happen with the crime. In his latest thriller, Broken Windows (apparently in process because I don’t see it on Amazon yet), an identity thief actually frames his victims for his murders. People have been false prosecuted for crimes committed by others in their names, and the possibility increases with certain issues on the Internet, and apparently has happened sometimes already with illegal downloads. In Arizona, a teenager was accused in late 2006 of uploading c.p. that may have been placed on his family computer by hackers, although the facts in the case are murky. I covered this story on my Internet safety blog on Feb. 3, 2007, link here.

Deaver, with tongue in cheek, urges the public to forward Nigerian scam emails to him so he can dole out the proceeds.

Monday, August 11, 2008

San Francisco's city systems and records compromised by one dishonest employee

Now, local governments are finding that they have to take background checks on people they hire for network administration seriously. In San Francisco, an administrator (Terry Childs, 43) compromised the city’s systems (for police, payrolls, courts) and would only give the password from jail after several days. It was unclear what his motive could have been, other than to “prove something.” He had turned the whole municipal computer system into a “private network.”

Trustworthiness of employees who run such systems is becoming a critical issue. Background checks need to be run across state lines, with formal procedures (not just Internet “reputation”). The particular employee had a prison record.

The story is on p A3 of the Washington Post, is by Ashley Surdin, and is titled “San Francisco Case Shows Vulnerability of Data Networks: arrest spurs other cities to boost security”, link here.

But The San Francisco Chronicle has a curious story by Jaxon Van Derbeken, “S.F. computer tech had turned life around,” from July 27, 2008, here.

It’s not clear with the City can do to monitor or protect the credit records of its employees and even city residents who have any interaction with the City (almost everyone).

Sunday, August 10, 2008

Please: understand these news stories with the "right" perspective

I want to reiterate my original purpose in starting this particular (generally small) blog. That was to suggest that a system be developed for financial institutions and other businesses to verify customer identity, and that due diligence procedures that businesses should follow be developed. I first placed this proposal on this blog on June 6, 2006, and then moved it to the entry of September 25, 2006 (the archive links on the left may be followed to find these).

The media is constantly reporting incidents where large businesses and government agencies compromise consumer security. This is a developing issue, with many components. For example, in the past local governments used to publish many public records and other matters in open spaces on the Internet; many of them have stopped this practice to protect consumers. Businesses have allowed employees to take work home on laptops and have used live consumer production data for quality assurance testing of system upgrades; obviously, many practices in the way systems people and other employees work with live data have had to be changed and restricted. When I was working in a mainframe IT shop in the 1990s, there was much less attention to physical security of copies of data, because this sort of problem had not become public yet. (Even so, a Merrill Lynch credit card of mine became compromised with bogus telephone charges from Canada in 1995; fortunately the problem was cleared and money refunded, but not without three hours of my time.)

The media is also constantly warning consumers to “be very afraid.” Most of the time, the consequences of data compromise are limited to credit reports and to bogus charges that can be reversed, or to bank accounts that can be restored. But sometimes there is real harm, and in a few cases people have been wrongfully prosecuted when their identities were taken. I think I have to sound like CNN reported Lou Dobbs on this one. There is no reason why we cannot expect our financial institutions and vendors to be more careful and practice more due diligence with consumer data. We can develop new systems to help banks and vendors do this. That is one of the ideas that this blog is all about.

When making a proposal like this, one has to account for all the known vulnerabilities. Part of systems analysis is to write up all the “business requirements” and for consumer protection, it’s necessary to catalog all the ways consumers become vulnerable. In the past, documentation of proposed system requirements stayed within an organization, often as proprietary information. That would be true now. However, if an individual wants to propose this idea in a public forum and make it public, to attract money later, the speaker will need to enumerate and reference all the known problems.

That is certainly the case with my posting yesterday, where an overseas physicist had uncovered one of the most dangerous vulnerabilities deep within the Internet and published it on his own blog. If another blogger (me) gives a link to that, the purpose is to account for the problem, as well as to back up the details of a news story (in this case, in the New York Times) with more “original” research and links. The purpose is not, in any sense, to encourage anyone to try to experiment suggested in this or any other comparable link. The World Wide Web is full of accounts of how to do some very anti-social and illegal things, and they are easily found on all search engines. This particular original news story is particularly shocking, and may provide a clue to other important and unresolved security problems that have been reported recently on the web.

Journalists report on “bad behavior” and give some details all the time. Sometimes the details concern what make someone who commits criminal acts “tick.” There are plenty of examples of this in the past ten years (especially recently). Sometimes the details simply tell authorities or larger companies that they need to develop much more sophisticated security systems. Sometimes there is, in the view of the public, a nagging concern about the “motives” of an “amateur” who posts the same information when working outside the normal media or journalistic “establishment.” I’ve talked about these issues on other blogs, particularly in the context of “online reputation.” The fact is, to be worthwhile, a blog or website about a public problem needs to account for all the facts about it, however disturbing these facts are, regardless of the authorship of the website.

Saturday, August 09, 2008

DNS System has serious potential security issues, needing a long-term solution and not just a patch (from Las Vegas Black Hat convention)

Russian physicist Evgeniy Polyakov posted on his technical blog (you can go to it from his "About page",) an account of how he fooled the Internet’s domain name registry into returning an incorrect address, in a matter of hours. The domain registration industry has a patch for this problem which it has long known about, but according to Polyakov and others, that workaround apparently is inadequate.

At an ongoing "Black Hat" network security conference in Las Vegas, Dan Kaminisky, president of a security firm called IOActive explained this experiment there. You can visit this(link with releases about DNS problem; then read his Executive Overview pdf link there, as well as CERT’s account; and notice that his banner headlines change when you reload the page. Here is another of Kaminsky’s own postings, link.

The fear is that hackers (especially overseas) will take their devious plans a step beyond normal “phishing attacks” now familiar to experienced home email users and actually direct legitimate web requests to bank or financial institution websites to fake sites to steal account holder’s funds or formulate other kinds of identity theft. The story appears in The New York Times, by John Markoff, p B1 Business Day, August 9, 2008, “Patch for Web Security Hole Has Some Leaks of its Own,” link here. The story refers to a recent patch to make such a heist more difficult, but Polyakov and Kaminsky maintain that this patch is still inadequate. Polyakov's blog (mentioned above) refers to the New York Times article.

Brian Krebs wrote about the DNS flaw issue on his "Security Fix" blog on Aug. 7, "Kaminsky Details DNS Flaw at Black Hat Talk," link here. Brian writes that he recommends that webmasters (like me) who use conventional ISP's should use OpenDNS, which as reportedly fixed this problem. I'll have to check into this further myself. (The powerpoint link of Kaminsky's presentation available there did not work, at least for me.)

Financial institutions sound like the most obvious mark, but so could controversial websites. If the problem were not harnessed, hacks like this could be used to make others believe that particular individuals had posted illegal materials which they had not, and it could take law enforcement some time to understand a problem like this before there were false prosecutions.

There are good questions as to whether domain registry companies can and should implement encryption solutions like DNSSEC for regular individual and small business customers, as well as the big boys like banks. It would reduce or eliminate the risk of replacing a DNS entry with intentionally incorrect routing. This might complicate the way A-records work and the way website owners are encouraged to maintain them by the industry now.

The United States government and some European governments will start implementing it soon, especially for defense and intelligence sites, but it would take a lot more development and testing to make this economical and practicable for ordinary business and individual customers, apparently. I haven't yet seen any discussion of this by McAfee, but I presume it will appear and that SiteAdvisor could hook into it some day.

Thursday, August 07, 2008

DC area Bank of America branch, maybe others, hit by hidden camers and skimmers in brazen theft

A brazen scheme to steal information from ATM transactions was discovered by an employee at the Rockville, MD Bank of America branch on Aug. 6. Thieves had installed a skimmer and camera to steal bank account information (including PINs), and may have done so at other banks in Montgomery County, MD. WJLA reported that $60000 had been stolen from accounts. The NBC4 story is here. This incident is one of the most brazen “bricks and mortar” skimming incidents in recent times. Other banks in the region are checking today to make sure this has not happened to them. Both WJLA and NBC4 reported this in the 11 PM news last night in the Washington DC area.

Customers should consider having new cards reissued, with new pins, and verify balances. Customers with online banking should always look at their accounts online frequently, even when out of town (with properly secured connections). It is a good idea for banking customers to ask their banks to place daily limits on ATM withdrawals to prevent massive losses from holdups, and also to place “point-of-sale” limits to prevent fraud.

Bank of America had an incident in 2004 where a printing company owner in Florida had $90000 pilfered.

Tuesday, August 05, 2008

House to look at protection of privacy of web surfers

The House Energy and Commerce Committee will examine the role of surreptitious behavior by advertising companies on the web, and request statements from 33 Internet companies regarding their practices. The House is concerned that consumer privacy and security of consumer information can be compromised, despite claims to the contrary (with op-out provisions) from companies like Embarq, as discussed on my main blog July 25.

The companies include a lot of large players: AOL, AT&T, Comcast, Cox, Verizon, Yahoo! and Time Warner.

The committee chairman is Edward J. Markey (D-MA).

The story appears in the Business Section, p D3, “Lawmakers seek data on targeted online ads: Panel concerned about privacy on web”, by Ellen Nakashima, in The Washington Post today Aug 5, link here.

“For better or for worse,” on-line advertising is an important component of the business models that make free content on the web possible.

Friday, August 01, 2008

DHS can seize, hold laptops at borders; does this indirectly put more consumer data on business laptops at risk?

The Department of Homeland Security in the U.S. has recently disclosed a rule that allows federal agents to seize laptop computers at border checkpoints without suspicion of wrongdoing. The ruling and controversy were reported in a story by Ellen Nakashima in The Washington Post, “Travelers’ Laptops May Be Detained at Border: No Suspicion Required Under DHS Policies,” p A1. The Washington Post, Aug. 1, 2008, link here.

One disturbing observation is that laptops could be held for indefinite and unspecified time periods. They could be damaged. Many people store personal information on off-line files on laptops. If the laptops are out of their control, the personal information could become compromised. A few TSA employees have been caught and fired and prosecuted for stealing passenger items.

Some people use their own personal computers and laptops for both personal and business purposes. The physical danger to laptops increases the risk that business or consumer information could be compromised when employees travel (for business-owned laptops, or for personal laptops that, properly or not, have business information).

Another risk is the theft of laptops at security checkpoints because of the physical clumsiness of going through security, which has gotten more complicated with security rules, and with financial pressure from airlines not to check luggage.

Still another risk when traveling could come from compromise of laptops are wireless hot spots with poorly secured or vulnerable services abroad.

Monday, July 21, 2008

University of Maryland trips up by printing SSN in a mailing

This time, a simple mistake in a data center has led to compromise of individual security. At the University of Maryland in College Park, NE of Washington DC, the university had mailed all students a brochure that contained information about on-campus parking.

Around July 8 the University discovered that the mailing label had included the student social security number. Apparently this was an inadvertent human error, and not the result of any compromise of an internal application or Internet use. This is an incident that could have happened decades ago, before the Internet.

It is certainly true that in the past, it had been common for many businesses to include social security numbers on mailing labels in lists. This practice had probably stopped by and large by the mid 1990s.

Apparently they number was not hyphenated or formatted, and a casual visitor would not have known what the number was. However, it would be harmful to have a printed document visibly displaying home address and SSN on the outside of an envelope in the postal service.

The University is offering affected students free credit monitoring with Equifax.

Again, and especially in view of the subprime crisis, it’s appropriate to ask why lenders have been so careless and shown so little diligence in making loans.

The story appears on WUSA Channel 9 (CBS) in Washington July 18, 2008, here.

Thursday, July 10, 2008

What is legitimate corporate policy regarding consumer data?

Last night, WETA (the PBS station in Washington DC) was carrying on a (radio) discussion about data privacy. One speaker said that consumers had a right to two simple expectations from companies that collect their data. One is that data collected be used only for the purpose stated to the consumer. The other is that the data be destroyed when it is no longer needed.

But, of course, sale of consumer data was big business long before the Internet. When I worked for Chilton Corporation in Dallas in the 1980s (which would be bought by TRW and be spun off as Experian, coming full circle), “promos” were the most often billed service code. Sales of customer data to marketers was bigger business even then than normal credit reports or “Alerts” (which would feed in to what is now FICO scores). None of this is new.

There was also discussion of transferring management of customer telecommunications accounts to third parties. The speaker called this practice “wiretapping.” Another speaker noted the irony that all of these problems are occurring, as an accident of history, post 9/11 and during the somewhat legitimate need for government surveillance.

Wednesday, July 09, 2008

Consumer data jeopardized when employers install file-sharing software on work computers; Justice Breyer's info compromised

Recently, the personal information of about 2000 clients of a MacLean VA investment firm, Wagner Resource Group, were exposed to the public after an employee downloaded a file-sharing network called LimeWire onto a networked work computer. Among the clients was Supreme Court Justice Stephen G. Breyer.

A company called Tiversa is often hired to help companies detect data leaks of customer data. Here is a typical discussion of the problem by the company.

Another company that has worked with Wagner is First Advantage, and there is a paper in PCI Compliance Guide that describes how to respond to a data breach here. In one case, a consumer found $9000 false charges by AT&T on a telephone bill from an overseas source; it was reversed.

Another serious danger from such employee behavior is release of trade secrets.

It would sound obvious that the danger could exist when employees take work home and load customer information onto a home computer or laptop also containing P2P software or other recreational or personal applications, or perhaps not properly secured by a firewall.

Brian Krebs has a story in The Washington Post this morning, “Justice Breyer Is Among Victims in Data Breach Caused By File Sharing,” p A1, link here.

In 1995, I had a Merrill Lynch CMA credit card rejected at a grocery store, and found out yesterday that $400 of bogus AT&T phone charges from Canada had been placed on it. The card was replaced and AT&T reversed the charges, although it took a half day away from work to clear the mess up. I have never had such an incident since.

Wednesday, July 02, 2008

Citibank has major ATM breach, very sensitive in nature

News media widely report a serious deliberate compromise of Citibank’s ATM machines inside 7-11 stores. Identifying information and PINs were taken, and three people are indicted in New York.

The breach seems to have occurred deep within Microsoft’s infrastructure, designed to allow remote repair of machines.

Citibank has apparently refunded or promised to refund any lost money from accounts. In various other kinds of breaches reported in the media in the past few years, refunds have not always occurred.

A typical story is by Jordan Robertson of the AP and appears today Newser.com. The original AP link (July 1) is here. and the story characterizes the “most sensitive part” of the bank’s computerized files and infrastructure as compromised.

It’s interesting to compare this with a recent story that indicates that credit card companies, but not original customers, have sometimes been notified of breaches by others databanks.

Other media briefs indicate that Visa allows customers to make small purchases on debit cards without entering pins. This could work both ways from a security viewpoint.

Tuesday, July 01, 2008

Consumers are not always told about breaches, even when their credit card companies are informed

There are media reports to the effect that the records of about 51000 customers of Montgomery Wards were exposed in a security breach.

Wards had gone out of business in 2001 (I remember shopping there when I lived in Dallas in the 1980s, particularly at the Mesquite Mall). The brand name (and trademark) were taken out of bankruptcy by a 2004 purchase by Direct Marketing Services. Citibank detected an intentional security breach in December of that year. Direct Marketing informed Visa and MasterCard but not the individual customers. Apparently 3-digit card security codes (often required by e-commerce websites), card account numbers, customer names and billing addresses had been compromised.

44 states have laws requiring that consumers be notified, but silence had been an industry norm for years. This practice might have even contributed to a sudden $600 charge on my credit report in 2000, resulting in sudden action against me by a collection agency that had bought the “vampire debt.”

The AP story appeared on AOL yesterday at this link. There was a survey that indicates that most customers do not believe credit card companies are sufficiently careful with personal information, but most AOL visitors do use credit cards anyway. Curiously, the story gets a “not found” when accessed on AP’s own site. The AOL link is here and may require subscription and become archived.

Wednesday, June 25, 2008

Cable providers' use of "deep packet inspection" technology called into question over possible privacy concerns

The fourth largest cable provider in the United States has backed away from plans to monitor the communications of its subscribers. Charter says that the data collection efforts would have protected personal information, but obviously that was the greatest concern.

Monitoring could be quite intrusive, and account for every website visited or email sent. It could detect illegal behavior. It sounds like what might happen in less democratic societies (like the monitoring in China or in Muslim countries).

The technology is called “deep packet inspection” and apparently is intended to be used as a research tool to improve customer service, as well as potential sale to marketers interesting targeted “behavioral” advertising. But consumers feel that it could compromise privacy and invite data theft.

The story in The Washington Post today (June 25) is by Peter Whoriskey and is titled “Internet provider halts plan to track, sell user’s surfing data,” link here, on page 1 of the Business Section (D in print).

Please see also the story today (June 25) on Internet advertising issues, also based on a Post story by Whoriskey, on my "main" blog (see my Profile).

Thursday, June 12, 2008

Debit cards generate repeated overdraft charges

Although this tip does not directly relate to consumer identity protection, it seems very important to pass it along.

Consumers using bank debit cards are being hit by repeated overdraft charges in short time periods. One way this happens is when they manually deposit checks (even through ATMs) and the checks are not added to their balance until the next business day, or possibly until cleared, even though the bank balance adds the “pending” amount into the total it displays. When consumers withdraw or spend from these cards in the mean time, particularly over weekends, they may incur successive overdrafts on every charge.

Consumers should also considering asking banks to place maximum daily and point-of-sale withdrawals on debit cards, as a personal security measure.

Monday, June 02, 2008

LifeLock news; we still don't demand enough of lenders

There is a PC World story from late May about the founded or Life Lock, Todd Davis, whose own identity was stolen. The story also relates some complaints about LifeLock, which is a common issue with many startups. You can find it in Travis Hudson’s PC World blog here.

It still seems to me that in practice, one of the best practical protections for identity protection is to stay alert. Keep watch your own accounts online, especially bank accounts where you have a debit card. Keep up with your credit reports. It seems from personal experience that people who are less computer literate or who are not able to get to their personal information because of business travel, especially overseas, or, especially now, volunteer or humanitarian work overseas, have more issues.

I have wondered if there are subtle demographics that makes someone more or less of a “mark.” For example, I have an unusual Eastern European last name. It might be harder to imitate me and get away with it. Although I am not a celebrity in the usual Tinseltown or “Hillary Clinton” sense, I am somewhat well known, enough that it is not easy to get away with replicating me.

Still, as I’ve said many times, we don’t expect enough due diligence and care from lenders and banks. Look at the way they got us into the subprime mess. Is it any wonder they can drop the ball on not checking applicants’ identities carefully? We still need some sort of identity check database (based on NCOA), and I think we can do it without impinging on ordinary privacy or civil liberties.

Friday, May 02, 2008

ABC World News provides major reports on ID rings, especially overseas

ABC World News Tonight last night (May 1) did a major report on identity protection. The title of the story by Elisabeth Leamy (link here) was “How identity theft happens and how to protect yourself: most common ways your identity gets stolen and how to fight back.”

The report emphasized physical security dangers in the “bricks and mortar” and paper world. That is, giving credit cards to waiters in restaurants, and skimming at ATM machines, as well as physical dumpster diving (which can also be done virtually with unsecured home and office wireless networks, as recently discussed). The report also discusses hacked shopping sites.

The report on television showed an undercover female reporter chatting with “business people” buying and selling lists of personal identities (social security numbers, addresses, credit and debit cards) on online shopping lists overseas. The chat room sites even had “shopping carts”. Many of these operations are in Russia and Eastern Europe, where the US law enforcement does not have practical reach without diplomatic complications.

Tonight, Friday, May 2, ABC World News Tonight will demonstrate an operation that makes counterfeit debit cards and can drain bank accounts. Apparently this can be done if physical and IT security around ATM's is insufficient. One practical measure for consumers is to limit the amount that can be withdrawn from a debit card in one transaction, in one day, or in one point-of-sale. This would also provide security in case of an armed robbery or kidnapping at an ATM. Any bank will do this upon request. Check this link for the story tonight.

The exact link is this. The story title is "Crooks Have Your Card and You Don't Even Know It; How Thieves Copy Credit and Debit Cards and Drain Accounts," story by Elisabeth Leamy.

A related story by Leamy is "Online Fraud: How to Identify It and Fight Back; Tips on How to Recognize Fraud and Protect Yourself," link here.

Thursday, May 01, 2008

Wall Street Journal covers phishing problem today

Walter S. Mossberg has a useful column in the “Personal Journal” section of the May 1 Wall Street Journal, p D1, “How to Avoid Cons That Can Lead to Identity Theft.” The link is here.

Much of his advice is familiar. For example, banks and financial institutions never ask for information by email, so don’t click on links that purport to be from banks and ask for updates or corrections. The same goes for ISP’s (like AOL, and even some other ones have been spoofed in the past few months), who may warn visitors that their accounts have been deactivated, when they haven’t been (that’s easy to check).

Another is to be wary of unsolicited offers of spurious software, such as anti-virus software, especially when it comes from unknown companies or seems to have little explanation. This has been a problem with spam placed in comments on blogs, so offers in blog comments should be viewed with great suspicion, particularly when they bear no relation to the substance of the blog.

He mentions special viewing software such as Microsoft’s Silverlight or Adobe’s Flash. This should be downloaded only from the original vendor, not with an unrelated offer. Microsoft will ask visitors to download Silverlight to look at the Front Page replacement Expression Web.

He also says that there is no inherent reason why Apple Mac is safer than the PC Microsoft world (or anything else like Linux on a PC) other than the popularity of Microsoft as a target. Phishing scams can come on any machine, and now they sometimes show up in cell phone text messages (smishing).

Friday, April 25, 2008

Loose Wi-Fi offiice networks can be an issue for medical, financial, legal consumers

On April 25 (tonight), WJLA (ABC) in Washington DC presented a story of the risk of consumer identification information (or medical, legal, or especially financial information) when given to businesses with office wireless networks that have not been properly secured. “Wireless dumpster divers” can often fish for consumer information. In some cases, security switches on wireless routers have been left on.

The story appears as part of “7 On Your Side: Wi-Fi Dangers” where investigator Aaron Titus demonstrated how easily information could be gleaned from an office, to the anger of at least one law office. The link is here.

The report suggests that consumers who use such services check their names out at SSNBreach. SSNBreach is part of the Liberty Coalition.

Medical information must be secured, when transmitted or exposed, according to HIPAA (Health Insurance Portability and Accountability Act) requirements. Normally medical applications would need extra security that should protect information even if a hacker got access. It would be surprising if personal information from medical offices was captured in an exercise like this. In 2002, I had a phone interview for a mainframe job motivated by complying with HIPAA privacy requirements.

This problem would seem to be related to a larger issue of wireless security in general, especially for people who travel with work. Although most large companies would arrange proper security for traveling employees, large breaches or leaks from major corporations have occurred numerous times, as well documented in news reports (partly just through laptop or diskette theft as well as access compromise). A different problem could occur as people travel on personal business and take laptops and depend on motel or cafĂ© wireless access. I’ll probably write more about this later. But a good article, "Security issues when using outside networks," by Edward K. Zollars on the Tax Adviser explains why wireless and even broadband security can get out of hand: Ethernet was designed when computers were large, expensive and stationary, and physical mobility of machines was not a consideration. The link is here.

A couple of other important articles: Barb Bomman: WPA Wireless Security for Home Networks: link (on Microsoft). She also has an article about airports and motels "On the Road Again" here.
and "Understanding the Wireless Network Connection Dialog Box in XP" link here.

Monday, April 21, 2008

What would REAL ID really do?

The Washington Times has an important editorial on Monday April 21, 2008, “Real facts on REAL ID,” on p A16, here.

The Times takes the position that REAL ID would have prevented the acts of Timothy McVeigh and most of the 9/11 hijackers. It recognizes that some people view the proposed act as a threat to privacy and civil liberties.

The Times points out that the law would not take over production of driver’s licenses or DPS ID’s from states. It does prepare for sharing of specific fields of information among the states and with the federal government. On its face, it would not give information to private companies.

It seems productive to imagine a program where consumers could opt in to its use to identify them for loans and mortgages. In some situations, if used that way, it could lead to much more ready apprehension of anyone who purported to be that person, and provide a deterrent to ID theft. It might even prevent other scenarios where someone could be framed for a crime.

Friday, April 11, 2008

RealID - could it be a boon for consumer identity security?

Today the ACLU sent out an email to its supporters to contact their Representatives to block bills that would enable states to fund their compliance with the RealID Act, which was passed in 2005 as a rider to the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005.

The original law was HR 418 with the govtrack link here.

RealId is said to be the federal effort to implement at national identity card.

Of course, I understand the civil liberties-based concerns about this bill. I’m also concerned, however, about political action that consists of mailing form-generated emails to politicians that are one-sided and essentially emergency, knee-jerk reactions.

Some form of a “RealID” concept, possibly connected to NCOA, could become a foundation for stopping consumer fraud and identity theft, if addition systems were developed and if lenders were required to use such systems as part of due diligence in granting loans.

Isn’t it silly that we find ourselves manually shredding paper documents (or driving them to community shreds such as those sponsored periodically by NBC4 in Washington) because we can’t make banks and other lenders be more careful about whom they are lending to?

Of course, it’s tough. “Know thy customer” rules could have a deleterious effect on some kinds of small business, and could lead to more Internet regulation.

Monday, April 07, 2008

Mortgage brokers and lenders were reckless; this undermines consumer identity protection

An article by Gretchen Morgensen on the Business Page of the Sunday April 6 New York Times “A Road Not Taken By Lenders,” link here illustrates another flaw in our approach to consumer identity protection.

She points out that mortgage applicants have to supply and sign documents verifying income and allowing lenders to check incomes with the IRS. Yet, many lenders didn’t bother to check. Most had systems of sales quotas that encouraged looking the other way. Not only did they make loans to people who could not pay soon, they could have been encouraging security problems for some communities.

The point of the story is that there is a lot more due diligence that lenders can do to verify applicants, and this story (also available by Podcast on the New York Times website) does give some examples. They don’t do it because of the pressures of “extreme capitalism,” as professor David Callahan wrote in his 2004 book “The Cheating Culture.” It’s odd, when you hear so much about tenant checks and the qualifications to rent an apartment, in a society so biased toward “home ownership.”

Friday, April 04, 2008

"Ordinary" workplace security problems expose consumers

More incidents or corporate and government breaches seem to come in.

Advance Auto in Roanoke, VA admitted around April1 that information on about 56000 customers was stolen by a hacker. The story appeared on Knoxville TN station WBIR, here.

At NIH, a laptop with the names of patients was stolen from an employee’s car. Senator Norm Coleman (R-MN) has audited government agencies and found that few are following required encryption standards yet. AP story is “Patients' Names on Stolen NIH Laptop,” March 24, 2008, link here.
Physical security is becoming increasingly important in workplaces as more people work from home and take work home on laptops.

And on April 2 AP Business Writer Mark Jewell reported that TJX could pay $24 million to Master Card for a security breach, story here.

Workplace security, for both IT professionals and customer service workers, is becoming a real issue.

Wednesday, April 02, 2008

Data brokers and state fusion centers: could they help identify consumers getting credits?

State governments have formed “intelligence fusion centers” to share information about possible threats, including (particularly with New York State) identity theft, particularly inasmuch as impersonation represents secondary security threats. A huge variety of sources is included, even car rental records (from tourists).

The Washington Post has a story by Robert O’Harrow Jr. on the front page of April 2, 2008, “Centers Tap into Personal Databases: State Groups Were Formed after 9/11,” link here.

One particularly obscure data broker, Entersect, was discussed. The company is so obscure as not to have a usable home page on the Internet now. The name reminds me of the IMS database concept “Intersection data.”

The question remains, could a system be designed to check across many of these databases so that lenders (mortgages, car dealers, banks with business loans) could more reliably identify applicants?

Wednesday, March 19, 2008

Treasury Department OFAC list catching, "blacklisting" misidentified consumers

Ellen Nakashima has a story in the Washington Post that mixed consumer identity protection with “reputation defense.” It is “A Good Name Dragged Down: Consumers Get Tangled in Terrorist Watchlist,” link here. The story is on page D1, Business, of today’s Washington Post (Wed. March 19). The story also has an illustration: a nametag with the words "Hello, my name is Mud".

The story refers to the Treasury’s Office of Foreign Assets Control. Companies are not allowed to do business with individuals on the list. But unfortunately they often miss identify consumers, especially those with Muslim-sounding names. One person was asked to undress and show that he did no have a particular tattoo when he tried to buy a car.

The OFAC runs a list of “specially designated nationals.” Banks, apartments, car dealers, etc. can not legally process transactions with persons on the list, who are effectively "blacklisted" by the Treasury Department. But OFAC has not provided a convincing procedure to handle misidentification. Persons have been told to contact credit reporting agencies, but this would not have anything to do with the list. The OFAC list does not seem to be well-coordinated with other lists.

Obviously persons really on the list might have an incentive to steal identities of similarly named people, and an NCOA-check such as what I’ve proposed on these pages might help prevent mishaps.

On March 18 Nakashima had a similar story “Reports Cite Lack of Uniform Policy for Terrorist Watch List, p A02, link here.

Sunday, March 16, 2008

VA bans individuals from posting SSN's from online public records (Virginia)

Dena Potter has an AP story about the new Virginia state law, "Law bars publicizing Social Security Numbers: Violators face $2,500 penalty; ACLU eyes challenge." The AP itself did not show a link to it but The Washington Times ran it today on p A7, the Metropolitan Section, link here.

The law was by the Virginia General Assembly. It would appear to prohibit any individual or entity from publishing (as on a personal website, blog, or social networking profile) the social security number of any individual, even those obtained online from websites operated by the State.

This seems to be going after individuals for what is a government and big business problem. Consumer security is threatened largely because large institutions are reckless in identifying borrowers.

Friday, March 07, 2008

Low-tech problems: a man lives off a name on a student id card for over two decades

Even over twenty years ago, identities could be borrowed. Last night (March 6) ABC World News Tonight presented the story of Charles Free (an ironic name) who escaped from a Florida prison in 1979 (by walking away from a work detail), found a lost student ID card with the last name of Free, and built a new life on that name.

The story is by Jim Avila, Beth Tribolet, Lauren Pearle, and Scott Michels. The title at ABC is "A Free Man for 30 Years, Fugitive Faces Prison; Family of Escapee Who Led Upstanding Life Pleads to Keep Him Out of Jail." He raised a family in Nevada, but now Florida wants him back. (Remember the song "Indiana wants me.") Here is the link. He (actually Jack Allen Hazen) is in poor health and might not survive serving his prison term now.

A somewhat similar story is the Sara Jane Olson story, about a woman who fled from charges related to the Symbionese Liberation Army (with Patty Hearst) in the 1970s. The cops caught up with her in St. Paul, MN in 1999. There was a book about her; here is the review.

In 2004, Lifetime TV aired a movie about another similar story, "The Michelle Brown Story," about how a domestic lived off the identity of her employer.

So there have been plenty of low-tech ways for this to happen in the past.

Saturday, March 01, 2008

110th Congress has signficant bills to protect consumer identity security

The March issue of the Erickson Tribune discusses recent attempts in Congress to protect consumer identification security. I give all the detailed links here.

The most important bill in the 110th Congress is in the Senate: Personal Data Privacy and Security Act of 2007, introduced by Patrick Leahy (D-VT), S. 495. This bill would criminalize many activities that deliberately or negligently jeopardize consumer security, and would require that data brokers make data on individual consumers available when requested. In the past, this has been an issue because data brokers don’t provide credit reports or “FICO scores” as such, but employers and landlords use them, and mis-information is possible. Data is sometimes collected on the wrong individual, and sometimes these companies present data on all like-named individuals in one report, a practice that could harm the reputation of a job applicant from a psychological perspective.

The bill does not appear at first to "burden" small businesses, although entrepreneurs who process their own credit card purchases and have high volumes of customers (often with the help of third party shared or dedicated web hosting) could be impacted, and systems development on the part of large ISPs like Verio could be needed to help them.

The House has a simpler bill, H. R. 958, the Data Accountability and Trust Act. It would also address non-digital records.

The House also has a better known and somewhat controversial bill, H.R. 3046, the Social Security Number Privacy and Identity Theft Protection Act of 2007, introduced by Michael McNulty (D-NY). This would prevent the “sale” of social security numbers, and data brokerage companies (and perhaps credit reporting companies) have argued and lobbied that this law would interfere with legitimate functions in their business.

Still, I think Congress could do more to require due diligence from major lender in properly identifying customers, using the NCOA database owned by the USPS, although considerable systems development and implementation (much of it mainframe, probably done by coordinated major vendors like EDS, Perot Systems, IBM, Computer Sciences, Unisys, Northrup-Grumman, etc) would have to take place first.