Wednesday, January 30, 2008

Georgetown University incident highlights issue of old-fashioned physical security in the workplace

A recent incident at Georgetown University, in which media reported a stolen hard drive containing personal information and social security numbers, highlights the need for new work habits these days. The brief story appears Jan. 30 in The Washington Post, by Susan Kinzie, "Stolen Hard Drive Had Personal Data," p B03 (Metro), link here.

It has been common for many years for people to "take work home," and in the IT age that can include laptops, diskettes, listings (as in system testing), all with real live data. Sometimes the problem occurs in the case of systems testing where companies make up test QA cases by extracting real data, and software companies ought to work on the idea of scrubbing the data randomly to fictionalize it. Even in the 1990s it was acceptable for people to have real live data at home, but the problems of consumer fraud were only beginning to be understood. (I actually had a Merrill Lynch Visa credit card of mine used for bogus phone calls from Canada on AT&T in 1995, and found out when the card was suddenly rejected in a grocery line; I got a phone call from Merrill Lynch the next day; the card was replaced and AT&T backed out the hundreds of dollars in charges, but it took a whole day of time from work.)

Telecommuting will raise issues. Companies have to decide on the security issues with employees dialing in through the Internet (in the early 1990s people often used dumb terminals taken from the office to connect to the mainframe, and this was probably safer). Now, a number of companies hire customer service agents to work from home using their own computers, and this is bound to raise a whole host of new security questions.

Tuesday, January 22, 2008

TruTV demonstrates some common ruses

On Tuesday, Jan. 22, 2008, TruTV ("Not Reality, Actuality") had two half-hour segments called "The Real Hustle" in which three young people, Apollo, Ryan, and Dannie (female), demonstrated some common scams and tricks in New York City. One of them was a three card trick ("Five Card Stud"). A couple of them were the typical distraction mechanics for pickpocketing, carried to high art. But then there was a rental scam, where they coaxed cash deposits, along with birth dates and social security numbers, as "security deposits" for below-market-rent apartments in New York. (A renovated one bedroom for $2000 in the East Village is still a steal.) In every case, the three young people inform the "victims" of the experiment, return the money, and demonstrate that they are on "candid camera." Another trick was pretending to be a security guard serving a bench warrant for failing to answer a summons that the "mark" had never received. The "mark" gives away all her personal information to get out of the incident and go on with her lunch. Another incident involved dumpster diving to find records of corporate transactions with personal information.

They also appeared on ABC's "The View" today with Barbara Walters, in which they showed a restaurant trick to collect a credit card imprint, and then a ruse at a bank ATM using a hidden tiny camera to collect an account number and PIN, which could then be used to draw money out of a bank account.

People who have online banking are actually safer, as long as they check their balances daily online for any unauthorized transactions.

Sunday, January 20, 2008

Banks mail secondary tokens to consumers; could help protect identity

A story by Chris Emery in the Baltimore Sun, Jan. 19, 2008, “Steps to protect teens online: Attorneys general, Myspace work on ID technology,” link here, could provide another important clue as to how to protect consumer personal identities altogether. This has to do with the idea of banks, brokerages and even PayPal (the last of which is so often spoofed by spammers) mailing consumers “a plastic token that randomly generates a second password” to be entered to log in. Bank of America has a “site key” which must be verified on every computer. If such a token had to be mailed to a “preferred address” as discussed earlier on this blog (Sept. 25, 2006), consumer identity might be further secured if a transaction could not be completed without receipt of this token.

Protection of consumer identities is potentially important for other reasons, to prevent “framing” of computer users for the acts of others, although this has been uncommon outside of the workplace. I recall when working for a credit reporting company (Chilton, in Dallas, Texas) in the 1980s that we were told to always log off from the mainframe when away from our desks because we were absolutely responsible for anything done with our accounts. In those days, people had CMS (for DOS) passwords that were replaced by Roscoe and MVS in the early 1980s. Another rule even then to protect identity and security was zero tolerance of use of company computers for personal use.

While I’m at it, let me recommend a couple of films: “Identity Theft: The Michelle Brown Story” (2004) and “Identity” (2003).

Thursday, January 03, 2008

Governments still display a lot of personal data online

There are more indications that government websites are still publishing personal information, including “lodestar” social security numbers. Local governments have published this information with land and property records and civil and criminal cases, and only some have started to remove the information.

The story appeared Wed. Jan 2 on p A01 of The Washington Post, by Bill Brubaker, “Online Records May Aid ID Theft: Government Sites Post Personal Data,” here.

The Federal Trade Commission reports that 8.3 million Americans were victims of ID theft in 2005. The FTC issued a prepared statement to a Maryland Task Force back in September, 2007, link here. There is a lot of discussion of the FACT Act, that is, the Fair and Accurate Transactions Act of 2003. It also maintains a clearinghouse.

Still, one of the weakest links is that private credit grantors (and employers) do not have a reliable way to verify identity and contact points, in large part (and ironically) because of mistrust of government with personal information.

NBC Nightly News covered this story with its Jan. 3 broadcast.

Tuesday, January 01, 2008

A harrowing tale recalling "Vertigo": beware of debit cards

The January 2008 issue of Reader’s Digest has a couple of the very worst incidents that motivate this blog. On p 94 there appears the article, “I hunted down the woman who stole my life,” by Anita Bartholomew, telling the story of Karen Lodrick, who, in San Francisco, tracked down identity thief Marla Nelson, with at least sixty prior arrests, in a chase worthy of Hitchcock’s 1958 classic movie “Vertigo.” The link is here.

What’s important here is how it could have happened. It appears that Karen’s ATM debit card was stolen from an apartment mailbox. Without that theft, none of this would have happened to her. So one moral of the story is that it is safer to pick up debit cards in person at the bank. (Credit cards are another matter, as money doesn’t come out of your bank account until you pay it.) Once Marla had gotten her social security number, she was able to get fake DMV driver’s licenses with Marla’s picture. DMVs typically require a piece of mail from home (like a utility bill) to prove residence (that’s true in Virginia; I’m not sure about California), although this may be becoming harder to do as more people do all their billing electronically. In any case, it doesn’t seem that the DMV has any way of checking an “original address” (as off a database) or of notifying the subject separately that a driver’s license or state ID has been issued in their name.

Although Karen apparently got her money reinstated, she still has an enormous mess to clean up, and the inability of the bank to process her claim or even keep track of its own records (affidavits and video surveillance tapes) is unbelievable.

Karen has a very detailed blog about this incident here. Reader’s Digest's own tips are here.

This issue of RD has a correlated article on p 124 by Teri Cettina, “Avoid These Debit Card Traps.” The article discusses the risk that bogus debit cards can be manufactured and bank accounts drained or raided when businesses keep illegal swipes. Americans pay $18 billion in overdraft fees a year. The link is here.

Again, it seems outrageous that we should have to shred paper documents because banks are careless and don’t seem to have any real consequences for their negligence. But there really needs to be a system to help them identify clients positively. So, one says, that infringes on civil liberties, and brings up all the questions that we have addressed with the Patriot Act, ID cards, even wiretapping. But what is going on is absurd.

I have documented my own proposal in detail on Sept. 25, 2006 on this blog.

Lifelock continues to supply paid advertisements, as on p 14 of the Dec 31 DC Examiner. Lifelock claims in TV ads that it provides the ability for the customer to be notified if someone takes out credit in his/her name. It also claims it reduces the volume of junk mail and pre-approved credit offers. It plays up the idea of "your good name" as something commensurate with "reputation defense." After all, a FICO score is a measure of "financial reputation."

Update: Jan. 14, 2007

Washington Post staff writer Nancy Trejos tells her own tale of having her debit card compromised in the story "Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America's New Crime Wave Hits Home", on p F1, Business, of the Post Sunday Jan. 13, 2008, link here. The compromise apparently occurred with an unsolicited telemarketing phone call. A retailer took the precaution of calling her about an $800 purchase, when the thief did not have the card in his/her possession.

There will be an online discussion on The Washington Post Tuesday Jan 15 at 1 PM, link here.