Tuesday, December 22, 2009

Three big tips for identity security

Smart Money has a three-way tip sheet on “how to thwart identity thieves” today, Dec. 22, which MSN/Dell shared with its users today. The link is here.

The first tip is to stay with big names when shopping, because “they have the most to lose” if security fails. Amazon got good marks. But I still find that some “really indie” film DVD’s are not available in Amazon and need to be bought from the self-distributor.

Another tip is to watch out for “shoulder surfing”, a physical security problem at ATM’s and even with cell phones and Blackberries (which can be harder to type on). But the biggest danger could be mugging or robbery off hours at ATM’s that are not in locked spaces (requiring card access).

Another tip is to watch debit card use very carefully for bogus charges. Security purists say, don't use debit cards at all.

I think there are some others. Use strong passwords, and develop a secure system for keeping them straight, especially when traveling. Think through your security plans before traveling, which can force you to build good habits for when you return home. (Maybe that movie “Up in the Air” has some pointers for frequent fliers.)

Saturday, December 19, 2009

Homeland Security delays RealID requirements

States will have until 2011 to comply with federal RealID requirements, according to a Washington Post story Saturday Dec. 19 by Spencer Hsu. Now states will have until May 11, 2011 to comply with RealID requirements in issuing drivers’ licenses and public safety ID cards (instead of Dec 31, 2009). The link for the story is here.

RealID is touted as a major enhancement of travel security (airports and probably trains and even transit systems in the future). However, the concept is similar to a proposal advanced here to build an NCOA database as a repository for due diligence checks to make impersonation of people much more difficult. It would be possible to combine the two plans.

Moderately well known people (even bloggers or self-published writers), especially with unusual names in less common languages or uncommon spellings, are probably harder to impersonate even as things are now.

Wednesday, December 16, 2009

New Visa/MC scam reported in Canada

Toronto police are warning North American users of a new scam in which a caller claims to be from Master Card or Visa and to have detected unusual activity on your card, very likely a lot of it overseas. The scammer already has your card numbers, but needs one more piece of information (usually a social security number in the US or similar government number in Canada or the UK) in order to start impersonation. They might ask for a PIN number.

The scam is apparently common in Canada now and spreading.

Sunday, December 06, 2009

Note: "Western Union" phishing scam

In recent days, I’ve gotten repeated emails about payments from “Western Union”. Of course, this is a variant of the “Nigerian scam” or phishing attack. I’ve gotten about five of these a day for the past week.

But what’s really curious, to me at least, is that when I worked for a debt collection agency in 2003, we often urged debtors to pay through Western Union (rather than send a check in the mail – some debtors are “unbanked” – as discussed today in a CNN report). That was mainly out of a need to convey a sense of “urgency.” Western Union was also a major customer of Sperry Univac when I worked for Univac in the early 1970s.

Wednesday, December 02, 2009

So, "Free Credit Report dot com" actually works!

Well, “Free Credit Report”, with all the minstrel singing by attractive pseudo-deadbeats, actually worked. Recently, I misplaced a new Suntrust card, which I noticed when I pulled out the card at a gas station and saw it was the old one.

The Suntrust telephone script will close out the old account immediately, create a new one, and mail the card. But the interesting thing is, yes, I did get the email from “Free Credit Report” in 24 hours, as well as an email from Experian showing it as “potentially negative information.”

So, something here actually works.

Wednesday, November 04, 2009

House title theft is on the rise: visit FBI tip page

Here’s identity theft taken to new highs: “house theft”. Criminals, after obtaining personal information, create various accounts and fraudulent documents and then go to county or local authorities and gain control of the deeds of property.

There’s a story by Paul McNamara on Network World here.

The FBI actually has a detailed page describing how the scams work, web URL here ("House stealing: the latest scam on the block"). Some tips: if you receive a payment booklet in the mail that you don’t expect, investigate. (But don’t click on unsolicited emails related to your mortgage, as they are probably phishing attacks). It’s a good idea to check your deed at your local government once a year. Title insurance companies will have to develop practices to detect house or land title stealing.

Tuesday, November 03, 2009

FTC not amused by "free credit report" services

Ron Lieber has a not-so-amusing front page story in the Tuesday Nov. 3, 2008 New York Times, in a series called “The Card Game: Playing Off Anxiety.” It is titled “A free credit report score followed by a monthly bill”. The link is here.

Experian’s “Free Credit Report” (link) offers the Experian Plus score, not used by lenders (the FICO score is the lending industry standard), and requires signing up for monthly monitoring for a fee. It’s true that the monitoring would help some consumers catch identity theft. But the Federal Trade Commission, according to Lieber, is not “amused” at the Free Credit Report TV spots, which show “slackers” forced or "demoted" into the life of the proletariat (demoted from the bourgeoisie) because criminals stole their identities. The young men in Pirate waiter gear and playing guitars are attractive enough, and fit the visual stereotypes of who would look good in a gay country and western disco (like Remington’s in Washington or the RoundUp in Dallas).

The government’s mandated report service is actually called “Annual Credit Report” (link) and the government has actually offered a spoof of the Free Credit Report commercial.

Wednesday, October 21, 2009

FTC has handbook on Red Flags Rules; CoNetrix offers major implementation service

CoNetrix has a web page on Section 114 of the 2003 Fair and Accurate Credit Transactions Act (FACTA), as well as Section 315. The law requires financial institutions to implement an Identity Theft Prevention Program with “Red Flag Rules”. The link is here. The program comes with a subscription.

The FTC (Federal Trade Commission) has a press release on the Red Flags Rules (practices discovered by automatic audits that suggest a high probability of identity theft), which had to be in place by November 2008, URL link here. The Manual and other basic literature can be accessed at the basic Red Flags link here.

One of the most interesting Red Flags is not trying to collect a debt, either directly or from a debt collection agency. When a party does not claim a benefit that generally would be legitimate, that is a sign of intentions that are amiss.

Tuesday, October 20, 2009

Small businesses need to heed the FACTA Shredder Law; New product "Identity Finder" and pre-protect personal info

As far back as 2005, the FTC warned small businesses that keep customer personal information that they must “shred or else”. Even mom-and-pop shops face fines if they lose personal information. There is a column all the way back in May 2005 “Identity Theft 911” describing the Fair Accurate Transaction Act (or FACTA). To comply with the FACTA Disposal Rule (or “Shredder Law”), businesses must shred documents and destroy electronic data (not merely delete it), although they may hire third party vendors to do these things.

A copy of the text of the law is at this link at the Government Printing Office (GPO) site.

I do not process transactions with individual people now, although in the past (well before 2005) I have sold copies of my book directly to people. According to the law, I would have to destroy their name and address information.

Here’s another item: Fortune Small Business has an article by Jennifer Alsever, “Steal Your Own Identity: New software sniffs out personal information before hackers can get to it”. The CNN Money link for the story has web URL here. The product is called “Identity Finder” (link) which will scan your PC for personal information, show you individual items and ask you if you want to encrypt the item.

Monday, October 19, 2009

Be careful with personal information on job boards: customs are changing

Some job posting boards could become targets of identity thieves, according to the Oct. 19, 2009 issue of the Career News, link here.

It used to be that employers expected to find full home address and phone and employer information. In earlier days, resumes were on paper and circulated by recruiters on fax machines. With the Internet, the possibility of abuse of normally private information comes to the fore. Unscrupulous persons (maybe even unscrupulous employers) could use data brokers to get even more personal information about people they really are not interested in hiring.

Hence, with online job boards, the practice of making identifying information much leaner is developing. A UPS mail box address is one idea, too.

Many experts advocate using a different email for job search responses, in order to further reduce the risk of spam, or that your email will be used in spam spoofing as a fake sender.

Wednesday, October 14, 2009

Sun offers corporate customer identity life cycle management, free white paper/buyer's guide

Today Sun Microsystems emailed its list an invitation to peruse its PDF booklet “A Complete Buyer’s Guide to Identity Management”. The visitor must fill out a simple registration form (“identifying” himself or herself).

The view of the Guide is that “identity” is a core concept and property of an internal or external customer in an enterprise. Therefore security checklists and protocols must be based on the idea that one will expect the visitor to validate that he or she is who “it” says “it” is. The guide does provide a long series of successive checklists for designing security architecture for an enterprise, related to how various Sun libraries are structured. Sun also describes a concept called “identity lifecycle management.”

The most important link is this. There is also open source directory management here.

Monday, October 05, 2009

Hotel peep-hole case involving filming Erin Andrews raises questions about identity security in hotels for everyone

USA Today has a feature “Hotel Check: A road warrior’s guide to a changing landscape”, and it’s not exactly a replay of the classic movie “Grand Hotel”. Or maybe it is, in the official story “ESPN's Erin Andrews filmed through tampered peephole at Marriott Nashville hotel”, link here.

For this column, the lesson is that physical hotel security could be an important issue in personal identity security protection. Many hotels offer connecting rooms (my parents used to rent them all the time for me when I was growing up), and these offer opportunities for spying through peepholes or other devices (the witty Sony Screen Gems flick “Vacancy” (2007), dir. Antal Nimrod, offers an entertaining object lesson). The alleged activities of salesman David Barrett, as detailed in media reports, do blow the mind as to the extent that a stalker will go – and then, the alleged perpetrator thought that this sort of activity is necessary and sufficient for making money on the Internet.

Monday, September 28, 2009

How credit cards lower limits based on card-use locations, driving down FICO scores

Today, on "American Morning", CNN reported on the practice of credit card companies, especially American Express, of lowering credit limits on “responsibly paying” customers (on time) -- even those with good FICO scores -- if there are sudden changes in patterns in where they shop and use their cards. AE told one customer that his limit had been lowered from $10000 to $3800 because other customers of the businesses he frequents have poor payment histories. Gerri Willis appeared, and explained that if a customer who usually shops at high-end stores suddenly starts using Wal-Mart a lot, that is a signal to the credit card company of possible impending or realized job loss. The sudden appearance of bar tabs on cards is a red flag.

Others on CNN called the practice outrageous, to penalize good customers for what others do. But isn’t that how insurance works? Maybe credit limits will work that way too.

Lowering of credit limit can lower FICO score and cause other credit card companies to lower limits in a chain reaction, resulting in a lower FICO score.

Sunday, September 06, 2009

My Safe ID says that the average victim loses $500 out of pocket despite best efforts

A site called “My Safe ID” now claims that there are 10 Million identity theft victims per year, and that the average victim, despite his best restorative efforts, will incur a $500 out of pocket cost, and about 70 clock hours spent. The link is here. It’s true that the site seems to be selling a protection service.

Most creditors will work with victims to clear accounts, but there is a “guilty until proven innocent” mentality with collection agencies and creditors, according to the article.

Friday, August 28, 2009

Federal Reserve Chairman is accidental victim of id theft

Although one would think it should be harder to impersonate a celebrity, Federal Reserve Chairman Ben S. Bernanke and his family became victims, according to a story on p 22 of the Washington Post today by Jerry Markon, Neil Irwin, and Keith L. Alexander, link here. A purse was stolen, and one check for $900 was written illegally in his name. Now there is a prosecution of at least nine people in an identity-theft ring in federal court in Alexandria.

Today’s millionaire show asked which kind of device was useful in fighting identity theft, with the answer being “paper shredder.”

Thursday, August 27, 2009

Can a computer user hide his IP address? Does he need to?

Here’s another trick question, in a “Tech MSN” column written by Paul Hochman. The article is called “Hiding in plain sight: Is my personal information safe when I go online?”

A reader asks Paul if there is a way to hide his IP address when he sends an email. Paul gives an answer that, no, it can’t be hidden, although many ISP’s (like AOL) change it all the time. But it takes a court order to get anything more, even your name if you’re anonymous (and I’ve written a lot lately about misbehaving anonymous bloggers).

His answer is here.

If you have your own website, most ISP’s give you access to logs, which may enable you to see where page requests for your site come from. You can do a reverse IP lookup on WHOIS sites like “Domain tools”. If it’s your employer, a lot of times the IP address will give your employer away. That happened for me in 2005 with the local public school system where I was substitute teaching. I could tell that a school administrator had searched for my name with a disturbing search argument, and solve a personnel issue that was going on.

Tuesday, August 25, 2009

Beware of phishing with debt collection emails

Today I got a debt collection notice by email, with instructions to “settle” for $79 by paypal. Of course, I marked it as spam. Curiously, AOL had let it through, and Spysweeper did not flag it.

The email did not have the mini Miranda worded correctly, and did not identify the supposed creditor. Furthermore, my credit reports are clean (there was one small medical bill that a doctor mis-submitted but that was for considerably more than $79).

As far as I know, you must be contacted by phone or US mail to collect a debt. The phone call must start with the Mini-miranda, must identify the creditor and amount.

So phony debt collection notices may be the next type of phishing attacks.

Friday, August 21, 2009

Debt collectors don't have an easy job!

I could put this on my IT blog because that’s where I talk about the job market, but debt collection is related to identity security, so I’ll put it here. Today, AOL posted a “Career Builder” page “Confessions of a debt collector” which follows a 10 year old book “Beat the Bill Collector” by Max Edison.

The link is here.

I worked for a collection agency for a while in 2003 while still in Minnesota, and the quota was much less than $300000. But they are right about the FDCPA, the Fair Debt Collection Practices Act. Ethical companies do require collectors to follow it, and employees are monitored randomly by managers.

Good collectors are gentle with the customers, and focus on contacting customers who really want help with clearing up debt. Good collectors know that there are enough customers who do want help that they don’t need to harass those who don’t.

Thursday, August 20, 2009

Unspam group goes after banks for info on their systems in suit against hackers

Saul Hansell is reporting today (Aug. 20) in The New York Times Business Day that Unspam Technologies is taking legal action to get information about security systems and practices at banks that have accidentally leaked personal information to computer hackers. The suit appears to have been filed formally against the hacker gangs overseas. But the disclosure technique is similar to that used in “anti-anonymity” cases with bloggers and libel, or particularly to identify computer users who download songs illegally through P2P.

The story is “A lawsuit tries to get at hackers through the banks they attack” and the link is here.

Tuesday, August 18, 2009

Major id-theft and hacking ring broken with indictments (Heartland Payment Systems case)

Three hackers have been indicted for compromising the payment processing systems of Heartland Payment Systems in 2008; indirectly affected are the customers of 7-Eleven convenience stores and Hannaford Brothers groceries.

There are many media stories, but Brian Krebs has an account in the Aug. 18 Washington Post here.

One of those indicted is a former Secret Service agent, Albert Gonzalez, and has already been indicted on some high profile compromises such as T.J. Maxx.

Hackers in the US worked with those in Russia and Eastern Europe.

It was not immediately clear how much monitoring assistance would be available to consumers.

Tuesday, August 11, 2009

Surprise mini-Miranda goes to "dead air"; Government websites tracking cookies could compromise privacy

Well, guess what. I got a phone call with a bad connection and the beginnings of a mini-Miranda when the call dropped into “dead air”. So I checked my credit reports on freecreditreport.com (the fish sticks guy) and found no problems, so I think it is a small medical bill that the hospital center sent to the wrong Medicare supplementary insurance carrier. Yes, the provider did not get paid, and I will get a call from a collection agency. I used to work as a debt collector (though not in medical – they say “you used the services”). I know how it works. I will get a call from a collector. It’s up to Virginia Hospital Center to fix it (or eat the cost).

But I think there are ways for phony accounts to get set up that wind up in collections but don’t even hit your three credit reports. It’s unusual, but there are technical loopholes that let it happen.

Today the Washington Post had a major story about tracking cookies and government websites, by Spencer S. Hsu and Cecillia King, “Obama Web-Tracking Plan Stirs Privacy Fears”, link here. This whole fiasco started with Obama’s own video website and the rigging of the video application. No, really I don’t think that this will lead to identity theft, but after what just happened today I start to wonder.

Saturday, August 08, 2009

I encounter an apparent Blackberry glitch: a way personal information could leak

Something bizarre happened with my Blackberry today that sounds like another identity security peril. I placed a sensitive call and left a message, having used the white tracking ball to bring up the number. I believe that I got the usual greeting for that number.

When I put it back on my belt, somehow the cursor moved and it was playing back some recorded instructions. I looked at the call log, and it said that the call had been placed to another number, an 800 number for a bank. I logged on to my Verizon account and today’s call log did not show yet. Furthermore, the record of the earlier call to the correct number disappeared, and the call count got added in to the wrong number.

It’s conceivable that personal information could have been left with a wrong number. I’ll have to find out from the right party if it actually got one or two calls from me. I really think it got two calls, and it will turn out that this is a Blackberry software bug of some kind. But it could represent a serious security problem for some people in some circumstances.

As a movie title says, “something wicked this way comes.” Hopefully the Secret Service has eliminated any software bugs from president Obama's Blackberry, but it’s easy to imagine how something like this could be a security problem in military or diplomatic situations, too.

Wednesday, August 05, 2009

Tell credit card companies that you're "desirable"!

On Aug. 4, 2009, the “Small-Change” column in the Washington Post, by Nancy Trejos, gave advice on “negotiating with your creditors”. There was attention to unused credit cards being canceled, or for limits being reduced (and therefore your FICO score) when you’ve done nothing wrong. There was a line in the article (here) that struck me as funny, going back to my own Army days: “Prove that you’re desirable”.

Actually it’s not funny.

The National Foundation for Credit Counseling is here.

But cracking down on less used cards may actually improve consumer security and make fraud less likely.
Picture: Barber shop in Colonial Williamsburg

Friday, July 31, 2009

Equifax advises job seekers on identity protection

Equifax, one of the three major credit reporting companies, has an important story in its July 2009 newsletter, “How Identity Thieves Target Job Seekers: How to Stay Safe”. The link is here.

The Atlanta credit reporting company recommends separate email accounts for job hunting (I didn’t do that), and being very wary of jobs like “payment representative.” Also many scams have poor grammar and spelling, due to overseas origin and boiler room operation.

Of course, one should not include social security numbers on resumes (like they once were expected thirty years ago) and not give out bank account or other personal information.

Sunday, July 26, 2009

"Identity Protection": should all juries be anonymous?

The Washington Times Sunday Read on July 26, on p 4, has an interesting proposal about “identity”, reported by Kristi Jourdan: “Identity Protection: Maryland, Virginia mull proposals for juries to be anonymous in all trials.” Here is the link.

The issue comes about because of fears of jury tampering and of threats against jurors in certain kinds of cases, such as those involving gangs, drug cartels or the “Mob.” It’s the stuff of John Grisham novels (like “Runaway Jury”, which became an important Fox film). But the constitutional theory is that selective anonymity undermines the presumption of innocence.

In the age of the Internet, it would sound like enforcing anonymity would be difficult.

Problems of identity exist with witness protection programs anyway, such as in the 2006 Lifetime film “Family in Hiding.”

I was called to jury duty four times while living in Dallas in the 1980s (the one day, one trial system). I was the foreman on a weapons trial, resulting in conviction. My presence in a civil malpractice case helped force a settlement because after the voir dire my background in work with HIV and the clinical issues came to the attention of the plaintiff's lawyers.

Saturday, July 25, 2009

Network Solutions experiences major breach; question on credit card receipts

Brian Krebs of The Washington Post reported on p A13 Saturday July 25, that Network Solutions, one of the nation’s biggest ISP and domain name providers, was hacked between March and June of 2009, and about 4300 e-commerce domains processing credit card transactions for over 570000 consumers could have been compromised.
The link for the story (p A13 in print) is here.

I have one small domain hosted by NS, but it does not process credit cards; in fact, I do not process any credit card transactions myself; all transactions for my books are processed by Amazon, Barnes and Noble, or iUniverse, or a few other retailers. So no visitors to any of my materials could have been affected by this.

On Friday July 24, Liz Crenshaw of NBC Washington briefly discussed FACTA, the Fair and Accurate Credit Transactions Act of 2003. The Privacy Rights Clearinghouse has a critical discussion of FACTA here. A viewer had asked Liz whether credit card receipts can compromise identity security. Part of the answer has to do with truncation of credit card numbers to the last 4 or 5 digits on receipts (link).
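
An added example, not part of the original post: a Python audit of receipt text against the truncation rule mentioned above, flagging card numbers printed in full or with digits showing outside the final five positions, and rewriting them to show only the last four. The receipt is constructed sample data, and the function names and the masking characters recognised (X, x, *, #) are assumptions of this example.

```python
import re

KEEP_LIMIT = 5  # receipts may show at most the last 5 digits of the number

# 13-19 symbols (digits or mask characters), optionally grouped by single
# spaces or dashes, and not embedded in a longer run of such symbols.
CANDIDATE = re.compile(
    r"(?<![\dXx*#])[\dXx*#](?:[ -]?[\dXx*#]){12,18}(?![\dXx*#])",
    re.ASCII,
)


def luhn_ok(digits):
    """Luhn checksum; separates real card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(candidate):
    """Return 'full', 'over-exposed', or None when the text is acceptable."""
    compact = re.sub(r"[ -]", "", candidate)
    if compact.isdigit():
        # All digits: only a finding if it checks out as a card number.
        return "full" if luhn_ok(compact) else None
    # Partly masked: any digit ahead of the final five positions is too much.
    head = compact[:-KEEP_LIMIT]
    return "over-exposed" if any(c.isdigit() for c in head) else None


def audit_receipt(text):
    """List (line_number, kind, matched_text) for every violation found."""
    findings = []
    for m in CANDIDATE.finditer(text):
        kind = classify(m.group())
        if kind:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, kind, m.group()))
    return findings


def redact_receipt(text, keep=4):
    """Rewrite each violating number as asterisks plus its last `keep` digits."""
    def _mask(m):
        if classify(m.group()) is None:
            return m.group()
        compact = re.sub(r"[ -]", "", m.group())
        tail = "".join(c if c.isdigit() else "*" for c in compact[-keep:])
        return "*" * (len(compact) - keep) + tail
    return CANDIDATE.sub(_mask, text)


# Constructed sample receipt: 4111 1111 1111 1111 is a standard test number,
# the order number fails the Luhn check, and the DEBIT line shows six digits.
SAMPLE_RECEIPT = """\
CORNER MARKET #12
2009-07-24 14:02  ORDER 1234567890123456
VISA 4111 1111 1111 1111
DEBIT XXXX-XXXX-XX12-3456
MC ************5100
TOTAL 23.17
"""

if __name__ == "__main__":
    for line_no, kind, shown in audit_receipt(SAMPLE_RECEIPT):
        print(f"line {line_no}: {kind}: {shown}")
    print(redact_receipt(SAMPLE_RECEIPT))
```

The Luhn check keeps the order number on line 2 from being reported, while the partly masked debit line is still caught because a masked number cannot be checksummed and is judged on digit position alone.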

Friday, July 24, 2009

Media reports that Romanian ATM scheme has led to massive consumer losses worldwide

Major media sources have reported an astronomical amount of money being scammed from bank accounts by devices planted around ATM machines, and supposedly a “Romanian” gang is implicated.

Back in 2008, there were numerous reports about this problem, such as this one from Ireland on Blogger, incorporating an original story on The Irish Examiner (site) by Seán McCárthaigh (original not available). There is an independent story from Ireland about the Romanian Connection here. The blogger had previously made a supplementary post about illegal immigration in Europe as contributing to the problem that has now surfaced in the US.

An Australian site reported (story by Arjun Ramachandran) the “Romanian racket” as global in April 2009, link here.

The news reports yesterday indicated that the scams had included many credit and debit card readers at gasoline stations around the US, Canada and Europe, where customers are not as careful as at bank ATM machines about the possibility of physical spy cameras.

Thursday, July 23, 2009

Real world simple traps on privacy protection

Here’s another minor tip in identity protection. When using a Blackberry and finishing a phone call, remember to press the red icon, to disconnect. Otherwise, if you carry on a conversation and mention sensitive matters, the other party may be able to “listen in”. This is something I’ve noticed since getting an “Obama-like” Blackberry myself. This sounds like the “overhearing” problem that occurs in soap operas where no one has privacy.

Anderson Cooper on AC360 reported the “Erin” photos, and speculated that someone could have used a mini webcam through a peephole in a hotel door, or in a hole in a wall, or a lamp. Trojan horses can give attackers control of your webcam with some laptops, especially on the road.

Monday, July 20, 2009

PRBC helps consumers by adding normal recurring payments to credit histories

A Maryland company called PRBC, or “Payment Reporting Builds Credit” may help consumers improve their FICO scores by adding recurring payment items like rent, cable, utilities, insurance, even daycare. The basic link is here.

PRBC was explained as point 5 in another “several ways” article on Walletpop on AOL today, with link here. This list emphasized diversifying credit, and having one or two items actually paid off on time, especially for renters. I just broke that rule when I charged my new Vista laptop on Visa at BestBuy rather than bothering to use their financing, just because it would take so much time.

Sunday, July 19, 2009

Small town newspapers report on id theft problem

Smaller city newspapers are getting into reporting the identity theft problem. Today, Brandon Bietz, on p B4 “Money” of the Hagerstown MD “Herald Mail” reports “Credit card theft is biggest form of identity theft in the U.S.”, story link here. His story starts with the concept of reputation and what “makes you unique”. Later he reports 20% of id theft scams involve credit card fraud, specifically getting new accounts without a person’s knowledge.

The victim finds out perhaps with a call from a debt collector: then you wonder why the lender didn’t cross check the preferred address and sent bills to a fraudulent address. There seems to be no due diligence requiring the lender to do so.

We can solve this problem. Yes we can.

Thursday, July 16, 2009

Bank ATM's are still vulnerable to webcam spies

Station WJLA (ABC) in Washington today reported on more problems with bank ATM’s, with incidents of hidden cameras below the devices able to read both the debit card numbers and also able to read PINs. It recommended that bank customers cover up their keypads and cards physically when using them.

The miniaturization of cameras may be part of the issue. Consider how small the webcam camera is in a modern laptop, which Windows Vista uses to authenticate users with facial recognition software. The character Jan on "Days of our Lives" introduced us to webcam mischief about four years ago; it hasn't let up.

People ought to be in the habit of checking their accounts online daily, although this is more difficult for people who must travel overseas or into remote areas.

Tuesday, July 07, 2009

Social security numbers may be too easy to guess, especially for seniors

Brian Krebs has a story in The Washington Post, July 6, “Researchers: Social Security Numbers Can Be Guessed”, with link here.

The social security numbering system was never intended to be used for authentication, and older people may find that social security numbers are derived from other demographic data, or may have been given in sequence to family members. Identity thieves could make up algorithms to keep trying and guess the numbers.

The Social Security Administration has long cautioned private companies against using social security numbers as a prime identifier. Banks and financial institutions used to use them, but have tended to shift toward randomly generated user ids as well as passwords.

AOL also has a major story on "guessing social security numbers" with URL here. The article refers to a Carnegie Mellon report, which breaks down how the social security number has often been parsed. The first three digits of a Social Security number were called the area number and correlated to ZIP code. The middle two numbers were called the group number and were assigned within a "region", often consistently for years. Lists of assigned area and group numbers are available through Web sites associated with the Social Security Administration, the report said. In 1988, the government mounted an effort to assign social security numbers right after birth. The number system is rather like that of a library that changes its catalogue locations a few times over a long period.

Carnegie Mellon has a "SSN watch" website here.

Thursday, July 02, 2009

Insurance Scores: less well known than FICO: learn about them!

Besides your credit score (such as FICO), another “measure” that can affect “your” life could be your Insurance Score, when you go to purchase homeowner’s or auto insurance. It’s not clear that it makes as much difference with renter’s insurance. I’m not sure if it is used for mortgage or title insurance, but it could make sense to use it.

Insurance companies use proprietary “top secret” formulas for the scores, and there seems to be less information about the score and less direct ways to address it than there are for FICO scores. One major purpose of assessing people with the Insurance Score as part of the application process is to assess a premium relative to risk, and to prevent anti-selection, both of which insurance companies say are essential to their business models.

However, all the literature around suggests that insurance scores are computed mainly from your credit report (the same items that contribute to a FICO score), and from the loss history for the property. A company called ChoicePoint maintains a database called C.L.U.E. (like the board game - actually the acronym means "Comprehensive Loss Underwriting Exchange") (FAQ) that relates to the claims experience for properties. Other items could enter into the calculation, such as the claims experience in a general neighborhood, and the risk of flood, earthquake, wind, or wildfire in an area, relative to the coverages offered (flood usually has to be purchased separately). For auto insurance, your driving record (moving violations – not certain about photo enforced items) would become the most obvious item, as well as some profile items like age and gender and marital status (which may be becoming less important than they used to be; wouldn’t a 21 year old trained to drive a military vehicle or operate a jet be a better risk than the average 21 year old behind the wheel?)

To some extent the subject is disturbing because identity theft could compromise an insurance score, and it may be harder to resolve. Yet many property companies offer an identity theft insurance endorsement, even to the point of covering wrongful conviction for a crime committed by another.

All of this sounds related to still other services, like Tenant Checks, which screen prospective renters and look at items such as prior evictions.

Social activists are properly concerned about the potential for redlining certain neighborhoods. Many metropolitan areas experience unusually aggressive crimes in some neighborhoods, associated sometimes with illegal immigration, drug cartels and gangs – to the point that the problem is a genuine Homeland Security issue and should not be just the responsibility of local law enforcement and the insurance business.

The literature, however, does seem reassuring that insurance scores do not directly concern themselves with personal issues (sexual orientation, for example), or religious or political beliefs, or other social diversity factors.

The major starting point for this subject is the Insurance Scores website.

Look also at About.com’s FAQ reference, and at Choice’s own reference (which offers a preview score for a small charge). These references indicate that one cannot easily get CLUE data on a property without legitimate purposes.

Wednesday, July 01, 2009

Where you shop affects your credit score -- really?

AOL Walletpop offers an article on how what you buy could affect your credit score. Companies are treating purchases made at second-hand stores or at pawn shops as indicative of poor credit risk, even though there are supposed to be regulations prohibiting the practice.

I think that the title of the article “What you buy affects your credit” and the picture of a generic dishwasher fluid on the strike page from AOL are misleading. It’s where you shop that may be a problem. The New York Times had reported on this problem in late 2008.

The story link is here.

Wednesday, June 24, 2009

Know how FICO scores are calculated: watch that "mix of accounts"

AOL today provided a “wallet pop” column on how your credit score is computed, by Janene Mascarella. I thought I would provide it on this blog, since id theft has often compromised credit reports and credit scores. The article is titled: “Are you clueless about credit scores? What you need to know.” The most interesting item for me was “mix of accounts”. The article reads “Ideally, the credit bureaus like to see a mortgage, an auto loan, and three to five credit cards.” I don’t have a mortgage or auto loan, although I could have either or both (particularly the latter) in the foreseeable future. (Yup, I ought to go Oprah and drive a hybrid.) In 1979, I did not get approved for a particular credit card (National Car Rental) partly because of "lack of home ownership." That soon changed.

I worked for Chilton in the 1980s, as a mainframe computer programmer-analyst. Chilton is an ancestor of Experian and at the time I worked tangentially on “risk predictor” which was the feed to Fair Isaac.

The link for the article is here.

Wednesday, June 17, 2009

AOL offers ten basic tips for identity protection: No. 1 is watch what you put online to identify yourself; and watch the trash

Lisa Rogak, of CreditCards.com, has an entry on AOL walletpop today (Wednesday June 17) of “10 Things to Know About Identity Theft,” link here.

The main tip is not to give out a birthdate or home address or land home phone on any public website, including social networking sites, profiles, and online resumes. Use a UPS mailbox. If you have an Internet domain, do the same (private registration is even safer). Remember, however, that there are companies that sell unlisted information about people in low cost reports, probably barely within what my own Congressman (Moran, D-VA) says is “legally permissible.”

The advice considers the physical world of paper as dangerous as the Internet, or more so: checkout counters and restaurants, for example. Apparently a credit card number can sometimes lead to the whole identity being used.

An important defense is computer literacy: frequent inspection of online accounts. Get your money into well-managed and secure accounts (trusts are even safer) that you can check. Computer and security literacy is particularly important for people who have to travel for work or family reasons.

Saturday, June 06, 2009

ABC introduces "Card Cops" with alarming report of overseas ID theft

The Money section of ABC News and Nightline have an alarming report, June 3, “Thieves Snatch Billions in Credit Card Fraud: 'Nightline' Tracks Hackers in Underground Identity Theft chatrooms; How to Protect Yourself”.

The link is here. ABC tried an experiment and found that a fictitious credit card was siphoned in 15 minutes by crooks in Kiev.

The story mentions Dan Clements, of Card Cops, a company that tracks international identity theft, particularly in credit card numbers and bank account information. Sometimes accounts get set up in a person’s name that the person never knows about or gets bills for. Other times bank accounts are siphoned. Most of the activity is overseas, in Russia, or former Eastern European countries or Asia, mostly in poorer countries where youth have some indignation and gang-like incentive to steal and "prove themselves".

The story says that a lot of compromise happens with phishing of naïve Internet users, but a lot of “shoulder surfing” happens in retail establishments, involving dishonest (and perhaps underpaid) clerks.

The story recommends opening new cards with new account numbers rather than letting them renew automatically. They also recommend changing debit card PIN numbers frequently.

Naïve users are more vulnerable than experienced people with Internet literacy. Other defenses include frequent checking of bank accounts and credit cards online, and frequent checking of credit reports. Does Internet activity make one a “target”, or is a moderate amount of “fame” a protection because the person becomes harder to impersonate and not get caught? It’s hard to say.

Still, I think that we can build systems to stop this if only we have the will and invest the resources.

Tuesday, June 02, 2009

Fortune suggests tips to protect yourself while job hunting

AOL today republished a Fortune article “Don’t Let ID Thieves Hijack Your Job Hunt.” The article is by Anne Fisher, and lists six ways to protect yourself.

The article suggests never giving complete identifying information (especially date of birth, as well as social security number and home address) on an online resume, social networking site, or anywhere else online. It’s perhaps a better idea to use a land UPS store address. Another tip is to watch for “too good to be true” job ads.

All of this seems to lean toward the idea of much more integrated presence online than in the past. Yet multiple “identities” online might help thwart fraudsters. So it’s a thorny question.

Tuesday, May 26, 2009

Lifelock loses suit by Experian on automatic renewal of fraud alerts

U.S. District Judge Andrew Guilford of the Central District of California ruled recently that Lifelock cannot automatically renew its fraud alerts for consumers without specific requests, after a ruling on a lawsuit filed by Experian, which maintains that it incurs involuntary expenses when the alerts are renewed.

Experian had argued that this was an “unfair business practice”. It indicated that the Fair Credit Reporting Act requires consumers to apply for the alerts themselves.

The “Redtape” story on MSNBC is by Bob Sullivan, link here.

When fraud alerts are in place, lenders call consumers or go through extra due diligence to verify identity. It’s been the contention of this blog that a due diligence system could be set up to be used in all cases.

Wednesday, May 20, 2009

It's all too easy to eavesdrop on cell phones -- how to protect yourself? Local TV station reports

Reporter Ross McLaughlin from WJLA-7 (an ABC affiliate in Washington DC and Arlington VA) demonstrated today (on the local news) how cell phone spying can take place, of both conversations carried on near the phone, and of texting, even when the machine is turned off, if the phone has been infected with certain spyware. The link with the transcript of the report is here.

It was not completely clear from the report how the user can protect herself, other than by keeping the phone physically secure and being prudent about what Internet sites are visited. Symptoms would include increased minutes used and more rapid draining of a battery. It is prudent to check your wireless account online periodically, just as it is prudent to check bank accounts.

Link to the blog on the report. That indicates that usually the spyware would be installed when the phone is out of your possession.

Tuesday, May 12, 2009

DC agency accidentally emails personal info of student loan applicants

The Office of the State Superintendent of Education (OSSE) of the District of Columbia (Washington DC), in an email from a worker in the Higher Education Financial Services Program, accidentally included an attachment that gave out personal information of 2400 applicants and sent it to more than 1000 recipients.

The attachment was an Excel spreadsheet, and anyone who (even legitimately) emails a lot of material knows there are ways that sometimes email programs can leave attachments in place for future emails.

The District agency asked all recipients to destroy the copy of the spreadsheet.

This is the third major government personal information breach reported around the country in the past five days. Last week, a major breach was reported at a Virginia agency that could affect millions, theoretically. Another was reported at the University of California.

Bill Turque has the story in The Washington Post, Tuesday May 12, Metro Section, link here.

All of these cases speak to the need for a more systematic due diligence procedure in identifying consumers applying for credit. That’s been proposed on this blog (see Sept. 2006). Yet, “know thy customer” rules have serious hazards, too.

Friday, May 08, 2009

Virginia prescription monitoring site hacked, could compromise identity of most Virginians

On May 3, the site Wikileaks reported that the secure state government website of the Virginia Prescription Monitoring Program had been breached and a ransom demand had been placed on the site, based on over 8 million patient records and 35 million prescriptions. Possibly any resident of the Commonwealth using a prescription could have his personal information taken.

The report is here.

The site is pmp.dhp.virginia.gov and on Friday morning (May 8) it was still timing out.

The FBI and Virginia State Police are investigating. The story has appeared on Washington and Richmond television stations and in the Washington Post (written by Brian Krebs and Anita Kumar) here Friday May 8.

My own reaction is, keep watching my own financial information online. Log in and check it frequently. Get a free credit report at least once a year, or maybe more frequently. Currently I have two Medicare prescriptions, which could have been disclosed.

In another story of where hackers compromised consumer information on a government-related site, Chloe Albanesius of PCMag reports "Hackers Obtain 160,000 Records from U.C. Berkeley", May 8, link here.

Friday, May 01, 2009

Beware of security deposits or earnest money for "stolen" foreclosed properties

Media outlets in the Washington DC area have reported a new kind of quasi identity theft scheme with phony rental offers.

A family, homeless for a while, had saved up cash for a security deposit to rent a townhouse in a distant Virginia suburb, and made the deposit. Then the “landlord” disappeared. It turned out that the “landlord” was a woman who had broken into a foreclosed home to offer it.

The problem has been reported in other areas, such as Florida, as in this posting by the Attorney General of Florida.

The other risk would be schemes to collect earnest money for “stolen” homes.

Thursday, April 23, 2009

Scammers find new ways to misuse social networking sites

It seems that social networking sites are attracting more schemes attempting identity theft.

Today NBC-Washington reported that overseas hackers were employing workers for pennies an hour to answer captchas to create fake Facebook and Myspace accounts for phishing attacks. Also, other researchers have reported computer algorithms for guessing captchas to create fake accounts, defeating their purpose. The story was not immediately available online at NBC, but the Tennessean has an article April 23 by Acohido from USA Today, “Crooks’ bots swarm Facebook, Myspace” link here. (I couldn’t find the USA Today link).

MSNBC’s “Red Tape” file has a story by Bob Sullivan, Jan. 30, 2009, “Facebook ID Theft Targets ‘Friends’”, link here, which describes a new kind of “Nigerian scam” based on manipulating social networking sites’ friends lists.

Picture: (no relation to news story): EarthDay concert, Washington, April 19.

Wednesday, April 22, 2009

Former Wells Fargo VP, after victim of a purse snatching, is falsely arrested for id theft: major story on NBC Today

The NBC Today show recently reported one of the worst cases of identity theft ever. A retired Wells Fargo Bank vice president, Margot Somerville, was accused of identity theft in Colorado under what seems like an incredible set of coincidences.

The complete story appears in the San Francisco Chronicle, by Susan Sward, “A strange case of identity theft”, March 22, 2009, link here.

The story started when her wallet was stolen on a streetcar in San Francisco in 2006. Five months later, money started disappearing from her accounts. Through a series of connected incidents, the bank and police came to believe that she had masterminded a scheme, and claimed that her handwriting matched that on forged documents (signed by another woman shown in the video below and captured on security cameras). It would sound, off hand, as if her background as a Wells Fargo vice president could have confused “appearances.”

Her ordeal started when she was on a California golf course, and she got a cell phone call from police in Colorado that she was about to be arrested.

The story goes on to explain how banks sometimes suspect people who complain of identity theft, because some convoluted schemes are possible this way.

Eventually the charges were dropped because of the lack of likelihood of conviction. She may litigate to get $50000 of attorney’s fees back.

The Today show has an interview between Margot, her son Todd Harris, and correspondent Matt Lauer here. Lauer emphasized that she actually “did everything right” but was still targeted as a suspect by police. I wondered how the police and bank could have lost track of the money trail, because obviously it didn’t show up in her accounts.

Monday, April 13, 2009

Caller-ID spoofing, "open to the public," has become a new ID theft trick

Elisabeth Leamy has a major report on ABC News, broadcast this evening on ABC “World News Tonight” (Monday April 13) that identity thieves have been “spoofing” Caller-ID systems and imitating banks, trying to get personal information. The "bank" calls, with both the number and voice spoofed, and tells you that your account is compromised and seeks personal information.

The practice undermines a major security assumption by banks, that they never email customers and that phone calls (up until now) would have been presumed to be "legitimate".

The story title is “Crooks Trick Your Caller ID for Identity Theft: Spoofing Services Let Users Alter Caller ID; Learn How to Protect Yourself from Fraudulent Phone Scams,” link here.

Companies have been set up to allow customers to change the number they seem to be calling from. The main legitimate use of such services is to help people calling from homeless shelters or battered women’s shelters find jobs and housing.

Thursday, April 02, 2009

Some married or divorced women may be more likely to become victims of id theft

Seamus McAfee from “creditcards.com” (I don’t know if the last name is related to the McAfee anti-virus company) has an article published in AOL Walletpop, “Are you a likely victim of ID Theft”? The most likely victims seem to be married women or divorcees with incomes of greater than $75000 a year. The study was conducted by Nationwide Insurance. In a difficult economy, a significant portion of the victims suffered real financial loss from which they did not fully recover, including damage to their credit scores and inability to keep up with bills.

Credit card fraud is easier to combat than debit card heists, or bank account losses, or fraudulent loans taken out in one’s name.

In some cultures, married women may be less prepared to manage their own affairs safely and independently than men or single women.

The 2004 Lifetime film “The Michelle Brown Story” shows a loan processor stealing the identity of a rich person whose loan she processed.

The Federal Trade Commission’s Identity Theft Site is here and seems to have been redesigned.

Wednesday, April 01, 2009

FBI warns workplace and organizational computer users about "spear phishing"

The FBI has put up a special page warning Internet users about the practice of “spear phishing”, link here.

Spear phishers send emails to a narrower or more targeted group of individuals, such as those who work for one company or support one organization. They may have gotten personal information on employees or members by hacking into an organization’s network. Then they send emails that make it appear that they came from the organization, often abusing the organization’s trademarks. Then the hackers use stolen information, either directly from the hacking or from answers supplied by the misled targets, for identity theft or bank fraud.

Thursday, March 26, 2009

Yes, a "cleared" check can still "bounce"

It is possible for a check to be “cleared” and then turn out to be bogus and be withdrawn. A bank can subsequently “bounce” a previously “cleared” check if it later finds it to be fraudulent.

Liz Crenshaw of NBC Washington reported, on March 26, 2009, on scams from foreign lotteries where this happens. The check “bounces” after the victim has sent in some money to get the rest of the “fee.”

A forum on “Fatwallet” explains how this can happen. Look at the explanation on Oct. 22, 2007. The check could bounce if the supposed originator of the check shows that the check was fraudulent and that the supposed party did not actually issue the check.

Here is another explanation on “classical values”

There is also a bad check restitution program. http://en.wikipedia.org/wiki/Bad_Check_Restitution_Program

Tuesday, March 24, 2009

Credit card lists, names and addresses seem to float freely (and fall freely) in cyberspace

Tracy Coenen has an interesting story on AOL Walletpop, “What’s several thousand credit card numbers between friends?” The link is here.

The story relates the lists of credit card numbers, names, addresses and other personal information that float around in cyberspace. For a small fee, several companies (such as Intelius) will sell the low-down on anyone (say, a “culprit” in the recent financial collapse). From that point, there is only imagination.

Of course, it’s true that the Internet has made the younger generation (probably most people 70 and younger if computer literate and comfortable with the Web and maybe with P2P) perceive “privacy” a little differently. As I noted on my main blog yesterday, “privacy” and “personal autonomy” are by no means the same things, but a lot of people behave as if they were.