Sunday, December 05, 2010

One in 7 social security numbers are misused

NBC Today has been reporting Sunday morning that social security number fraud has increased, and that there are millions of social security numbers with multiple names. In fact, 1 of 7 social security numbers have been used by someone other than the owner, according to the story.

Most people don’t find out about the problem until they interact with government and apply for some sort of benefits, or sometimes when they apply for more credit.

Some social security number fraud occurs when information is entered mistakenly into systems that take social security numbers, which are much less often required than in the past.

MSNBC’s link to the story is here.

Wednesday, December 01, 2010

Automated calls offering mortgage refinancing: suspicious?

It has come to my attention that people get automated phone calls offering mortgage refinancing. Some of the phone calls appear to go to people who don’t even have mortgages, and they may be attempts to get personal information illegally, through the phone system rather than by Internet phishing.

I’ll check more on what the FTC says about this problem.

Tuesday, November 02, 2010

Debt collecting companies purchase old debt and use robo-signing for "due diligence"

Here’s a new wrinkle, or really an old one, in the debt collection world: debts sold to other companies, which then pursue debtors and sometimes sue them. Sounds like a precursor to Righthaven copyright suits in the news recently (my main blog) and it is, the same concept.

One problem is that information on debts is often inaccurate (you guessed it, partly because of identity theft). So innocent people could wind up having to pay legal expenses to defend themselves (even if they don’t blog – in fact, people with public reputations may be harder for thieves to “impersonate”).

David Segal had a story in the November 1 New York Times, “Debt Collectors face a Hazard: Writer’s Cramp”, link here. It seems like there is a robo-signing activity for affidavits related to purchased debts. Remember how in middle school at detention you had to write down “I will not talk in class” 500 times? (Oh, I remember one time in ninth grade, we – “the kids” – were “swinging from the chandeliers”.) You got writer’s cramp as punishment.

I found a 10 year old credit card debt in 2000 on a Trans Union report and wound up paying $660 for a $130 debt in 1980 that had been missed when I moved. I never got to challenge it, but I was naïve at the time. In 2003, I worked as a debt collector for a while.

Friday, October 22, 2010

"Annual Credit Report" has some changes this time; including an id security score from TU

Yesterday, I pulled up my annual free reports at “annualcreditreport.com” (not “free credit report”).

Experian charged $7.95 for a Vantage score (max 990). Equifax charged for a FICO score (max 850). Trans Union offered a free Vantage score for a one week trial, followed by a $14.95 subscription for monitoring.

Trans Union also offered an identity theft risk assessment, where low 200’s was low risk.

Only Equifax specifically offered a line on public records (none) this time, as far as I could see. It would be important to make sure there were no default judgments against oneself, which could happen because of identity theft.

Monday, October 04, 2010

Does one late payment really lower your credit score? It can happen to anybody

Last week, I noticed a past due on one of my credit cards. I thought I had checked it in time, and that there had been $0 due. But at least there was no penalty ($39 normally), just about $1.50 in interest. I immediately paid it online.

I don’t know if this oversight will affect my credit scores, but I found an article by Don Taylor on Bankrate ("Ask Dr. Don") about the issue, (website url) here. Actually, what we call FICO is FICO with Experian (aka TRW/Chilton), Beacon with Equifax (aka CBI), and Empirica with Trans Union.

Taylor also discusses whether inquiries can affect your score. It does seem as though I dodged the bullet, this time.

Sunday, September 26, 2010

"First Life" identity security lessons

Just a little more wisdom about “physical world” security. Today, I parked my car near a scenic overlook in West Virginia, and the hike to the view took much longer than expected. I left a sheet of paper out in plain sight with potentially some business matters I really wouldn’t want others to see. It was still there when I came back, but it’s good to remember that some “identity” problems come from carelessness in the physical (pre-Internet) world (“First Life”), too.


Another visitor left his lights on, I thought as the family left a van in a handicapped space, and I said so, and the man said, “Oh, they turn themselves off. I think they will.” They did, after the family walked down the trail, just as I was leaving. What if they hadn’t? Wouldn’t want to get stuck in the boonies with a car that doesn’t start.

Wednesday, September 22, 2010

AOL continues discussion on homeowner's, auto insurance and identity, CLUE and FICO

AOL offered a guide on homeowner’s insurance today similar to one offered by MSN in April of this year. AOL stressed the idea that sometimes phone calls asking whether a minor loss is covered can affect a CLUE report. The report is by Candy Evans, is called “Know what you’re buying”, and distinguishes between “bare bones” coverage (the standard companies) and luxury or Cadillac coverage. The link is here.

People can have property insurance problems because of “pre-existing conditions” from CLUE reports just as with health insurance. Previous owners on a property could have an effect. So can someone’s FICO score, which can be affected by identity theft.

Several states have passed laws prohibiting insurance companies from reporting to CLUE inquiries that don’t result in claims.

Another point is that sometimes real property and auto insurance can be packaged for a discount, and if offered for a married couple, is cheaper if autos are titled in both names. This would discriminate against same-sex couples in states that don’t recognize same-sex marriage.

Check Lexis-Nexis for its explanation of property and subject home and auto reports, and samples. The reports apparently show claims made before a subject acquired the property but identify them as such. Note mention of the FACT (Fair and Accurate Credit Transactions) Act.

Tuesday, September 21, 2010

AOL warns of new perils to identity security; watch for impersonation on Twitter and Facebook

AOL has struck again (and not with an April Fools probe of Jupiter once invented by Steve Case). It has a lead story “Imposters and the art of Identity Theft” again today. Here’s their link.

The focus today is on impersonation on the web, both on Facebook and Twitter, of celebrities, and of non-celebrities (and in these days of self-display, it’s hard to tell the difference). A few states are trying to outlaw the practice. And be wary of friend requests from “Brad Pitt”, etc. (Oh, I liked Babel, too.) Of course, make sure you don't get impersonated.

Another thing to watch for is using debit cards in card readers at gas stations. Hackers have gotten to these in data transfer.

The rest of the advice in the article is pretty standard.

Whatever accounts you have online, check them frequently. That can be a bit of a problem if you have to travel a lot (especially internationally), and your employer doesn’t let you use a work laptop for personal purposes. You should consider carrying your own laptop, too, so you can keep up with everything. Handhelds and mobiles are getting better at this all the time.

Friday, September 03, 2010

P2P also invites data thieves to spy on your hard drive

Now today AOL has a warning article “Are you inviting criminals into your home?” link here. This article concerns the risks of P2P computing, often for sharing music and video, where others are allowed to access your hard drive directly (although there is plenty of web based malware that might do that).

The Today show cited a study where 150000 tax returns and over 600000 credit reports could be found on personal hard drives.

It would be interesting to study whether the level of P2P participation, function as a “super node” (which EFF says attracted RIAA lawsuits in the past) could invite more criminal activity.

Wednesday, September 01, 2010

New FTC rule regarding debt settlement firms may actually jeopardize consumers

Debt settlement companies, as opposed to legitimate debt collection companies, are certainly getting bad press these days, according to a report reprinted on AOL this morning from Daily Finance, by Charles Wallace, “Consumers Face Huge Losses with Debt Settlement Firms”, link (web url) here.

The Federal Trade Commission adopted a new rule July 28 to stop debt settlement companies from collecting fees before settling debts, but the upshot could be that many go out of business, having taken consumers’ money.

The FTC has a related story today about Clean Credit Report Services, Inc., about an agreement to keep it from making false claims, link (website url) here.

The FTC also has a July 2010 report, “Protecting Consumers in Debt Collection Litigation and Arbitration”, PDF link here.

Wednesday, August 25, 2010

Russia looks the other way on credit card and DOS hackers; harassment of consumers seems like part of its strategy

Andrew E. Kramer has an important story about the arrest in France of Russian hacker Vladislav A. Horohorin (“BadB”) on or partly on a warrant from the US Secret Service for stolen credit card numbers, with possible extradition to the US. The story is titled “Hacker’s arrest offers peek at crime in Russia”, with link here.  The US Justice Department has a statement on the arrest here.

The Times story explains why Russia tends not to arrest and prosecute hackers who have been publicly identified: that is, because the activity seems to fit into Russian national strategy, particularly to stifle dissidence, sometimes disrupting the operation of Facebook and Twitter with denial of service attacks against specific marks, as well as to disrupt commerce of competitors to Russian business.

Wednesday, August 04, 2010

Infant identity theft, and "phone denial of service attacks" covered by AOL article

AOL’s walletpop offered an article this morning about child identity theft and several other scams, link here.

The infant id theft occurs when new social security numbers of babies are lifted and used to create fake people years before the kids will need to act as their own “number holders”. But during the teen years, parents might get sudden calls from debt collectors or run into issues when the kids apply for college. Lenders don’t seem to have adequate programs in place to detect social security numbers that may be those of infants.

The article also describes (with another link within Walletpop) a bizarre and “creative” scheme using old technology, the “phone denial of service attack”. Months after the target has given out information in a phishing attack, criminals tie up users’ phones while trying to empty bank accounts, often impersonating the victims with separate lines. Banks don’t seem to have caught up with how to intercept these schemes. However, cell phone users, and people who check their accounts frequently online (generally younger customers) are much less likely to become victims.

There are also timeshare scams and fake auto dealer scams. Most of these can’t work with consumers who are more prudent with their habits.

The article discusses various schemes to defraud seniors, who may sometimes have lost reasoning ability before noticeable memory loss and be gullible for scams.

Sunday, August 01, 2010

Passport technology could boost identity security for everyone

The US Passport Office, of the Obama administration and Clinton State Department, is asking for new law-enforcement style authority to fight identity fraud, after some dress rehearsal tests identified some fraudulent passports, according to a Washington Times story July 29 by Shaun Waterman, here

The office wants to use biometric and facial recognition software, data which, if more widely used in private banking and other business, might make identity theft much harder.

Could this be used readily at ATM machines, or even to sign on to a computer? Biometric control happens a lot in the movies. Here is a typical site explaining it.

At home, it could be inconvenient, or it could be an additional adjunct to home security.

Monday, July 19, 2010

Navy sets up "femme fatale" on Facebook to test threat of id theft in classified operations

The Washington Times, on the front page Monday July 19, reports a caper where the US Navy Network Warfare Command set up a fake Facebook profile with a fake female person, to tempt other people with sensitive jobs to give away classified and personal information. The story by Shaun Waterman is titled “Fictitious femme fatale fooled cybersecurity; Intel, defense specialists fell for ruse in test”, link (website url)  here.

People did give away classified information embedded in innocent material, but more disturbing to officials was the way some people gave away their own personal information and that of family members. For people in defense-sensitive jobs, this seems like a particularly sensitive issue, as identity theft could be a particular problem in intelligence operations.

Amateur novelists could have fun with this one. It’s even possible to imagine identities being “contracted”.

I worked for two Naval agencies early in my career, at David Taylor Model Basin and later at Naval Command Systems Support Activity at the Washington Navy Yard. Something like this could have been tested there.

Wednesday, July 14, 2010

Parents sometimes steal their kids' identities

Mellody Hobson and Laura Zaccaro reported on ABC “Good Morning America” today “Parents stealing their kids’ identities in alarming trend”, link here. And it seems to be happening to fully grown adult children.

There is no mechanism to check a fraudulent social security number against age (as there is no direct correlation to age). So parents, desperate in a bad economy, have written off bills on their kids’ identities, who may find their credit ruined or get calls from debt collectors for their parents’ bills.

The report recommended calling both the Federal Trade Commission and local police and filing the reports therefrom to credit reporting companies. Adult children victims who don’t contest the bills with the proper procedures could wind up being legally responsible for the parents’ bills. Remember the old times when children were viewed as an “economic asset”.

The report starts with “look how devastating it can be when your own family steals from you.”

Monday, July 12, 2010

Cell phone phishing for debit cards and "mystery" phone numbers

I have become aware of a cell phone phishing scam where the recipient is told by an automated prompt that his debit card no longer works. There may be variations on what the person is told. The target gets a cell phone call that sometimes fails to maintain connection. If the recipient checks the number (if not marked unavailable) it may be a number that assumes that the caller knows an extension and does not identify the company. The phone number is likely to be a local number, and Intelius will show it as unlisted but with a report available.

The recipient should contact his or her bank or local police if receiving such a call.

Friday, July 09, 2010

Phishers get sophisticated with Bank of America trademark emails

Today I got a particularly mischievous phish purporting to be “Bank of America,” using the trademark "professionally" (and illegally) claiming that security settings had to be redone. What was different was that the cursor did not show any real link when passed over, and when I forwarded the email to the BofA abuse address, the BofA logo appeared automatically in the new part of the forwarded email. I hadn’t seen this behavior before.

The bank phishers are getting even more bold in simulating real life.

Wednesday, July 07, 2010

Hotels have leaky security with credit cards

Yahoo! republished the following article by Joe Sharkey from July 5 in the New York Times: “On the Road: Credit Card Hackers Visit Hotels All Too Often”, link here.

Hotel IT systems are not all that secure when it comes to encryption (and I have found not all that perfect when it comes to guaranteed reservations). This danger goes on top of unsecured wireless common in many hotel rooms.

Playing on the road involves more risks than letting the opponent bat last.

I’ve had only one really major credit card breach: Back in 1995, a Merrill Lynch Visa card was used for about $300 worth of unauthorized AT&T calls in Canada, which AT&T reversed for me, after about an hour on the phone, at work on company time.

Monday, July 05, 2010

Data brokerage companies may offer consumers opt-outs of their public records information being sold


I had a random conversation with someone on the DC Metro last night on the way back from the July 4 celebrations, who told me that his wife worked in intellectual property law, and, after talking about the Facebook controversies, we got to a discussion of data brokers and how personal information can be bought from them even when unlisted.

He said that data brokerage companies generally have an individual opt-out policy which means that you can go to each company and request that that company not sell your personal information, even if it comes from legal sources such as official public records (as maintained by local governments). However, you have to go to each company separately, and there can be many of them. In addition, some local governments publish personal information on line, especially with real estate tax records.

Here is the take on this problem from Intelius (link to privacy policy).

This information could be important to families or individuals that believe they could be especially prone to security problems.

I didn’t see a comparable policy at ChoicePoint (link ) == “purchase a shredder”. Not good.

Moreover the Electronic Privacy Information Center (EPIC) has information of the merger between Reed-Elsevier (owner of Lexis-Nexis) and ChoicePoint, and says it threatens privacy, link here. I’m not sure how old this posting is, but see next note.

See also "BillBoushka" blog, Feb. 29, 2008 for posting about data brokerage companies and online reputation. On Jan. 30, 2008 on that blog there is discussion of the Reed-Elsevier merger, originating with an Erickson Times, a senior newsletter, article and later a Washington Post story.

Thursday, July 01, 2010

Birth certificates can represent an identity security problem; Puerto Rico orders new ones for everyone

The Associated Press, in a story by Danica Coto, presented a large story of special problems with identity theft in Puerto Rico, as reprinted in the Washington Times on June 28, link here

The story starts with a chronicle of a snack bar owner in Puerto Rico arrested for thefts done in Miami and Chicago under his name.

Part of the problem is that illegal immigrants have been hiding birth certificates under mattresses, and they are easy to steal in a bricks and mortar world, almost becoming like fiat money. Furthermore in Puerto Rico the documents are required to join churches, go to school, and engage in many routine activities. So the territory recently required every resident to apply for a new certificate with security and anti-counterfeit features.

But it is shocking that security procedures with lenders or vendors are so lax that the false certificates get by.

Various other activities in the US require scanning of birth certificates, raising identity security questions, as with this story by Jed Boal from KSL in Utah.

Sunday, June 27, 2010

New FICO algorithm may be more forgiving of incidental late payments

MarketWatch reports (on MSN) a change in the FICO scoring practice (“FICO 08”) used by some lenders that will reduce the impact of small lapses, such as a couple late payments of credit card bills. On the other hand, people who are closer to credit limits may find their scores lowered. The link ("The new math of FICO credit scores") is (web url) here.

People who “piggyback” onto strangers’ accounts with credit-repair companies will also see their scores lowered. The practice sounds fraudulent.

Monday, June 21, 2010

Social media users found to be blase about any identity theft risks by study

A site called “Net Security” has an interesting column “The truth about social media identity theft”, link here . It refers to a study from the Ponemon Institute.

The survey showed that most users don’t use high privacy settings, and a large number actually publish their home addresses. Generally respondents didn’t feel that identity theft was a big risk from social media use. This may be because social media users are computer fluent and often check their accounts anyway, and because they believe lenders should be able to detect fraud anyway.

It is prudent to publish only a mail box address and mobile (not land) phone. However, very determined criminals still might track down a person by using data mining services that sell reports based on unlisted numbers and the like. But this tendency has not been consistently reported to be a big problem, even though some senior-associated publications (like Erickson), as well as some members of Congress, have expressed concern about it.

It is a bit hard to understand how crimes based on setting up copied identities where the targets don’t even receive bills could work for long, as one would think that address mismatches (detected with software like Group-1 or Pitney Bowes) would enable lenders (and credit reporting companies) to discover fraud more easily (even when DOB’s and SSN’s and names match). Problems may occur when lenders don’t verify transactions with the legitimate customers. Problems may be more common in industries, like hospitals or health care, where business processing is slow, giving crooks more time to get away with schemes.

Monday, June 14, 2010

Last night and weekend phishing from "banks" increases; oil spill compensation phishes sent

Well, when you get multiple notices from your bank that your account access is suspended, and they were sent around 1 AM on a Sunday morning, you really know it’s phishing.


I’ve never seen so many phishing attempts sent to me over a weekend and in wee morning hours as this past weekend, from several different “banks” (some of which I do not have accounts with) as well as Paypal. I even got a couple of phishes offering me compensation from the oil spill, and I live in Virginia, in an inland area, far away from water, on higher land.

Also I’ve noticed a number of attempts to send comments in Chinese with multiple links to my blogs, apparently by mass attempts to get around the captchas required for sign ins. I get one or two of these to reject every day.

The spammers are as busy as ever, and most of them seem to be overseas, maybe in China and Russia. (If you pass your mouse over an embedded link in a phish, often it's a server in China.)   Is the Chinese government still involved in hacks?

Friday, June 11, 2010

Media covers cell phone scams, and there are many different kinds of them

In the past week or so, local television stations have discussed cell phone scams and identity security.

There’s a problem with being billed for cell phone notification services not ordered or authorized, or carried over from “dirty cell phone” numbers, as explained here.

Another problem some users have experienced is spam text, particularly in connection with (illegal) pump-and-dump stock market manipulations.

People may be exposed to hackers when they conduct financial transactions over cell phones, as in the Ezline article explanation (web url) here .

Or people may simply get calls from people purporting to be banks asking for personal information. Since people carry cell phones, such calls are more likely to be answered immediately rather than be returned. But banks don’t ask for personal information from cold phone calls just as they don’t ask for it in emails, so generally such calls amount to cell phone phishing. But banks do telemarket and offer credit cards or identity theft insurance. It’s much safer to visit a branch bank if you want such a service than to accept such a call.

Here’s a list of tips on cell phone ringtone scams.

Tuesday, June 08, 2010

Banks charge interest on all your purchases if you withhold anything during a vendor dispute

Here’s a little knickknack that I’ve noticed on credit cards, at least with the Bank of America. I usually pay the “balance at last statement” every month, but if part of the bill is in dispute with a particular vendor, I subtract that amount (assuming I don’t go below the minimum, which never has happened).


The bank has never charged interest when the “amount due at statement” was paid, but if any portion is not (even one penny), it seems to charge interest all the time on all your purchases, even that not billed yet. That is sneaky! Therefore, if you would want to avoid any interest, you would have to pay disputed charges and wait for a vendor to refund.

I often have one dispute or another from time to time; usually I have $25-$100 in dispute among my cards much of the time.

Tuesday, June 01, 2010

Payment Card Compliance Guide: small businesses that process cards should check it out

I got an email today from a company that thought that I process credit cards. I don’t, but the (Payment Card) PCI Compliance Guide, Facts and Myths, is well worth reading, with link here.

Note that there are four levels of merchants. A small business or non-profit that only occasionally takes cards (credit and/or debit) is at level 4 (it sounds like something out of sci-fi). But a data breach can escalate the level, or result in fines that could put a small operator out of business.

A business owner who processes no cards but funnels all his or her activity to Amazon, BN, Ebay, etc. would not be affected, because then his site does not need to record any personal or credit-related information. That is the case with me.

Some small local “bricks and mortar” businesses still take no cards. A local barber shop here in Arlington VA does not; same for a family restaurant I stumbled on in Glassboro NJ.

Wednesday, May 26, 2010

MSN Money: You can sue your debt collector for FDCPA violations

Here’s a good one: not just “beat the bill collector” but sue your debt collector. At least that’s the topic of an MSN article today, “Sue your debt collector: Federal law sets clear limits on what debt collectors can do. If their tactics go beyond those limits, you can win -- and it's a surprisingly easy process”, by Kathryn Reynolds Lewis of MSN Money, link here.

Federal law allows a debtor to receive $1000 for each instance of abuse of their rights under the FDCPA (Fair Debt Collection Practices Act), which can include making false threats or calling at non-allowed times.

It’s not clear from the article whether the debt collection company is liable, or whether the individual debt collector as an employee of the company is liable as an individual for an FDCPA violation, but I believe it is the latter.

Debt collectors don’t make that much an hour (typically $12 or less), but do make commissions on what they collect. So the system can invite abuse.

Sunday, May 23, 2010

ING creates site for educating kids about money, credit; says keeping low credit balances lowers credit scores

ING was my employer from 2000 through the end of 2001, and it’s good to see ING Direct has a website ("Planet Orange") to educate teachers and parents, and kids, about credit and money -- and at least indirectly, about protecting private information and keeping your identity safe. Here is the site. It calls its members “astronauts”, rather like Geek Squad (Best Buy) calling its techs “special agents”.  I think it's ironic that Titan, the largest moon of Saturn, may have a largely orange surface.

ING Direct also has its own quiz on which behaviors lower credit scores. The link on Yahoo! finance is here. What’s interesting is that keeping a small credit balance can lower your score. Many people (myself included) pay off last month’s bill but typically there are new charges since the last bill. I don’t know if this counts; Fair Isaac can certainly identify a pattern of paying the due amount. Also, I don’t pay disputed amounts (as long as it won’t become delinquent). It’s normal for me to have a hundred dollars or so of bills in dispute. I wonder if that hurts. Yahoo’s link for the credit behavior quiz is here.

Tuesday, May 18, 2010

Congress considers a bill limiting ability of employers to check credit histories

Can you be fired for bad credit? Liz Pulliam Weston has an article on MSN for MSN Money (4/23) that is pretty sobering. In Cleveland, the Defense Financial and Accounting Service fired some workers for bad credit because they couldn’t pass security checks. And just as with online reputation, people don’t get job offers because of credit scores and are never told why. The link for the story is here.


According to a survey from the Society for Human Resources Management (SHRM), 60% of employers use credit checks for some associates, and 13% do so for all employees, even those who don’t handle money. Most (65%) allowed applicants to explain credit check problems before making hiring decisions.

Representative Steve Cohen (D-TN) has a bill to prohibit credit checks except for jobs requiring security or FDIC clearance, a managerial position in a financial institution, or certain state agency jobs.

At the same time MSN has an article suggesting that stellar credit scores, from people who do pay bills on time, can be brought down by accepting new credit lines and not using them.

Needless to say, identity security issues could damage credit scores of job applicants.

In 1987, Chilton Corporation, a credit reporting company in Dallas, decided to require credit checks of employees (it seemed ironic it had taken so long), while I worked there; when TRW acquired Chilton, it dropped the requirement. TRW is now Experian.

Wednesday, May 12, 2010

Banks sell identity protection; so do homeowners insurance companies, with caveats

Consumers can often purchase identity theft protection, both from banks and from property (homeowners) insurance companies.


Wells Fargo, for example, has a link that explains how it covers up to $10000 for out-of-pocket losses, here.

And “Insurance agents” considers identity protection as almost a “mandatory” add-on for most people, as explained here.

Typically, this coverage is sold as an endorsement that will cover “resolution services” and lost wages and legal fees. But the coverage may not protect someone if the loss occurred because of online activity connected with a home-based business.  I presume that this is available for renters, too.

The whole picture of identity protection may be evolving quickly, as insurance companies are starting to become more concerned about the risks people are creating for themselves online.

Monday, May 10, 2010

AARP: Medical id theft usually costs victims a lot out of pocket

The May 2010 AARP Bulletin Today has a frightening article by Sid Kirchheimer “Scam Alert: Not what the doctor ordered: your medical records are very appealing to identity thieves”, link here.


Because of medical identity theft, victims sometimes lose health insurance or must pay higher premiums to keep coverage. The article says that it costs an average of $20000 out of pocket to close a case of medical identity theft. This is a shocking finding.

The problem could get worse if more medical records are automated (so that various specialists can see the medical chart and prescriptions online). The article also notes that stolen medical records could facilitate passport fraud, and could prove to be a tempting lure for terrorists.

Tuesday, May 04, 2010

Consumer Reports notes that many people's carelessness on social media invites identity theft and other security problems

Consumer Reports has recently run a survey that found that about 52% of social media users routinely post birthdates, home addresses, vacation plans, and other information that could both endanger home security and increase the risk of identity theft through the Internet.

The San Francisco Chronicle ran a story May 4 by Benny Evangelista, “Social network users found to endanger privacy”, link here.

The article mentions a number of steps that can improve security, including better use of social media privacy controls, especially using the “only friends” option on Facebook and unchecking search engine availability.

I did find an article on Consumer Reports, "7 things to stop doing now on Facebook", link here.  I did find the recommendation "letting search engines find you" a bit glaring, and it needs to be understood in context.

On the other hand, many individuals have, from their viewpoint, good reason to want to be found by everyone, including by search engines. This includes people who self-publish political or social materials, or artists and musicians attracting new performance opportunities. Furthermore, there is a bit of a logical contradiction in sharing things only with “friends” if the purpose of social media is taken to be to make more “friends.”

Everyone’s situation is different, with regard to such matters as living circumstances, job conflicts, job travel, family structure, and most of all, skill in monitoring one’s own circumstances. So perhaps the adage “different strokes for different folks” applies here. A well implemented home security system is a good idea, as is the ability to monitor one’s own accounts and credit score online and ability to detect problems very early. Still another issue is maturity, and the ability to see through scams. Prevention of identity theft or other security issues has a lot to do with “whether you know what you’re doing”. Still, as I noted on the “BillBoushka” blog April 20 (and again April 29), interests ranging from property insurance companies to school principals are becoming increasingly concerned about the reach and subtlety of these problems, especially when there are minors at home without the maturity to deal with them.

Friday, April 23, 2010

Lenders are careless in checking applications for fraud; helps explain large number of victims despite FACTA

Brad Stone has an important blog entry today on the New York Times site (Bits blog) exploring how careless lenders are in verifying applications, link here.


A paper at the University of California by Chris Jay Hoofnagle, “Internalizing Identity Theft”, gives a figure of 9.9 million victims in 2009, just as in 2003; the Social Science Research Network abstract link (web url) is here.

In 2003, a change was made to the Fair Credit Reporting Act with the Fair and Accurate Credit Transactions Act (FACTA) (link) that allows victims of identity theft to ask lenders for copies of fraudulent applications submitted under their names. Yet this capability has not reduced the crime, because lenders were so eager to grant credit, and still sometimes remain so, despite all the problems in the credit markets since the Crash of 2008.

Would the presence of an NCOA-based database for verifying identities (as I proposed here Sept. 25, 2006) and ensuring that people learn of all applications in their name slow down the activity of careless lenders?

Monday, April 19, 2010

Credit card companies know you pretty well, may even troll your Facebook "friends"

Today (Monday April 19), AOL offered its visitors a “Daily Finance” article by Betsy Schiffman, “Who knows you better: your credit card company or your spouse?”, link here.

Data gathering goes on all the time, even when a cashier asks for a zip code at a supermarket and you pay by check. But, as noted before, credit card companies may be looking at the “poverty level” indicators of stores where you shop, or changes in patterns, for use of porn, etc. They also look for evidence of divorce (surprisingly, single people may look better in their eyes in many scenarios).

There’s the question of legality, and what they can get away with given recent laws in Congress. Another likelihood will be fees. Will they penalize customers who pay the balance in full and don’t give them interest income (the “freeloaders”)? If so, that’s a problem, because cancelling credit cards to avoid fees will lower a FICO score even for someone who pays all bills on time.

There is even a rumor, maybe an urban legend, that some companies are using the bill paying habits of your Facebook “friends” to help score you, as if your “Friends” could help predict the level of your own financial responsibility. It sounds pretty unfounded scientifically.

I wrote about data collection on my “BillBoushka” blog (see Profile) on Feb. 29, 2008.

Monday, April 12, 2010

MSN offers consumers advice on homeowner's insurance industry "secret practices"

MSN and Dell offered visitors a comprehensive guide to the homeowner’s insurance business, with all the dirty little secrets about canceling or dropping people, today. The link is here.

A couple of points: CLUE reports (discussed here in July 2009) are based on the property and can be influenced by claims filed by former owners. Insurance companies are more likely to look at insured’s FICO credit scores than in the past, so identity theft can be a real issue.

Some unusual perils (such as lava from volcanoes, sinkholes, or meteors) may in some states really be covered, even though most homeowners need to be careful to purchase special flood, earthquake, or maybe even mudslide or wildfire insurance. People in remote areas may have more difficulty because of wildfire risks in drought-prone areas.

The article noted that some insurers have dropped coverage when a homeowner started a home-based business. On the other hand, some insurers have covered media perils for online activity (libel) as long as the activity was totally “non commercial”. That issue is sure to evolve, and I think media perils should be covered separately, as I’ve discussed on my main blog in several past posts.

It does look like the claims management area of a property insurance company is a bottom-line-driven place to work. It seems to stress manipulation and competition more than "truth", judging from this article.

Saturday, April 10, 2010

Debt collection for medical/dental bill leads to house foreclosure


Here is a curious sidebar story by Michelle Diament in the April 2010 AARP Bulletin, p. 6, about the work of some debt collectors. It’s “what an outrage: dental bill puts bite on homeowner,” link (web url) here


A woman lost track of a partially unpaid dental bill in Utah. She says she never received the bill. It went into collections, was escalated to a collection agency’s litigation subsidiary, and eventually a sheriff ordered her house sold for about $1500 to pay the debt. She paid the buyer, Jarmaccc Properties LLC, the $1500 but cannot get the title back.

Thursday, April 01, 2010

ABC GMA reports on increase in ATM scams, duplication of debit cards

On March 31, ABC “Good Morning America” presented a story about bank ATM skimmers that are, in plain daylight sometimes, taken by thieves to connect to other machines, available on the Internet, to duplicate debit cards and drain bank accounts.


The news story is by Elisabeth Leamy and Chris Strathmann in a “Consumer News” column, link here

It is difficult for a consumer to protect herself against this with certainty. It may help to use a neighborhood ATM with which one is familiar. It is more difficult to defend against away from home. Presumably banks would have to make up losses.

Saturday, March 27, 2010

Another scam pulled on grandparents, reported on NBC

On the NBC Today show today, another scam was exposed: people troll the Internet (especially social networking sites) to look for family relationships, and then call elderly people pretending to be a grandson in jail, needing money to get out on bail. It’s unbelievable that they can play on sympathy this way, and even tell the “grandparents” not to tell the parents. “Today” simulated one of these calls.

Wednesday, March 24, 2010

CA attorney general: Prescription drug rings use id-theft


Today, March 24, California Attorney General Jerry Brown appeared on the Dr. Phil show and spoke about identity theft by people getting illegal repeated prescriptions for certain pain-relieving or mind-altering drugs and controlled substances.

The link to Brown’s appearance is here.

So that seems to be the latest wrinkle on the debate on the id theft problem, sales of painkillers to fictitious people.

Jerry Brown was a governor of California in the 1970s, lived as a bachelor in a small apartment and not in the governor's mansion, and may run again.

Thursday, March 18, 2010

Census forms will not seek personal information


Multiple media outlets this morning are reporting that 2010 Census forms are arriving by mail this week, but that individuals and families should be careful about fraudulent imitations. Census will not contact you by email; it may call you after you return the form to clarify an answer. After May 1, if you did not return the form, you may be visited door-to-door but the worker will have ID and will not come into your home.

Census does not use personal information at an individual level; it only aggregates information for statistical purposes. It will not ask for personal identifying information. Forms that ask for personal information are fake.

Census also has strict confidentiality policies for its employees, who must sign a lifetime confidentiality oath, even for information that is aggregated. See my “information technology job market” blog Feb. 2, 2010, and my “some approaches to filtering and labeling…” blog Feb. 8, 2010.

Saturday, March 13, 2010

Phone scams can phish for personal info as well as Internet emails


While we hear a lot these days about phishing (and we have heard a lot about this for years), there may be an older, low-tech scheme to watch: phone phishing.

Yesterday I got a call (on a landline, even) from someone who claimed to be from the FTC (Federal Trade Commission) and who claimed that the FTC was “managing” a sweepstakes or lottery winning, and that I had won an improbable sum. I haven’t even played a lottery or sweepstakes within recent memory, and the FTC doesn’t give out winnings. This sounds like an old-fashioned ploy for personal information. I hung up.

Remember how security was in the old bricks and mortar world? People didn't worry about it much in the suburbs until perhaps the late 1970s.

Monday, March 01, 2010

Fake NCOA changes could lead to id theft (consumers union advisory insert)


The Sunday Washington Examiner on Feb. 28 contained an insert called “Dollars and Sense Guide: Credit Union’s Consumer Resource to Financial Management”. On page C14 there appears a piece “Are you at risk of identity theft?”

The recommendations for consumers are the usual ones, except that it adds suggestions to use shredders with cross-cuts producing confetti bits rather than strips or slivers. That seems kind of paranoid. It also talks about dumpster-diving and old hazards from the bricks-and-mortar world.

But the article also highlighted a particular danger that crooks could submit NCOA changes to replace your identity. The symptom would be that you stop receiving expected bills by mail (although if you switch to doing everything online, you’ll still get them). Would my September 2006 proposal circumvent this? The problem is that a financial institution would still make a hit on the (mainframe, highly secured) NCOA database and not pick up a problem. However the USPS could set up independent verification schemes that would preclude updating NCOA until these identifiers are properly supplied. The MoveForward, etc. products used by companies to update clientization databases could easily be modified to check these parameters (including extra functions in the required USPS audit of financial institutions).

Sunday, February 07, 2010

Be wary of check processing job scams!


MSN/Dell is warning the public about “payment processing” job scams where the “home worker” deposits a fraudulent check to the bank, takes a commission, and then wires money to the “employer”. For a short period of time, the bank is required to honor the amount, so this scheme has become an attractive scam, attracting people looking for work. The link is here.

Kathryn Reynolds Lewis (MSN Money) has the story “Cash a check, maybe go to jail: Did you get conned into joining a check-cashing scam? Even if authorities decide you're an innocent victim, you could find yourself owing a bank thousands of dollars.”

In a few cases, check processors have been threatened with prosecution, which would be possible if they knew that it was a fraud or should reasonably have known. They will wind up with liability for the money and could have their accounts frozen.

Some of these jobs have been offered on Craigslist.

Wednesday, February 03, 2010

Reviewing the Identity Theft and Assumption Deterrence Act of 1998


I don’t think that I’ve explicitly covered the legal basis for prosecutions for “identity theft” in federal law, but one of the most important tools is the Identity Theft and Assumption Deterrence Act of 1998, Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998), HR 4151.

The FTC maintains a copy of the text of the statute at this link.

The site wikia.com has a better description than Wikipedia, with the (web URL) link here.

The law is criticized as not offering individual victims the right to collect civil damages for their time and inconvenience and disruption; instead institutions are compensated, and individuals must depend on law enforcement to bring about prosecutions.

The articles refer to a controversial Federal Victim and Witness Protection Act of 1982, which was supposed to assist victims and witnesses to crimes, but more often in criminal investigation and testimony situations, familiar in the movies. A link that summarizes many of these laws is at DOJ here.

A simpler reference is here.

Thursday, January 28, 2010

Internet Privacy Day: an occasion to "celebrate"!


Today, Jan. 28, 2010, is Internet Privacy Day, and AOL Walletpop has a good summary story, “Internet Data Privacy Day 2010: How to protect your kids (and yourself) online,” by Lita Epstein, link here.

The story gives many links from different organizations, such as the Girl Scouts, but emphasizes that even with privacy settings, nothing is completely private anymore. The story gives links to other stories that discuss the harm of Internet rumor.

The article mentions an AOL blog “Safety Clicks” (link here) with many entries, including an entry that Social Networking Profiles could become a new target for hackers in 2010.

Monday, January 04, 2010

TSA no-fly list could be tied to an NCOA-based identity protection system


Justin Florence has an article in the Jan. 4 Washington Post, “A Better No-Fly List”, that does link to the problem of identity protection. The link is here.

The article suggests a way for people mistakenly singled out by the list to appeal, with an in-person procedure where TSA employees could check identities more carefully on a system not connected to the Internet (and probably an old-fashioned mainframe system with mainframe security, starting with RACF). There also could be an appeals procedure, but who should pay the cost of attorneys is a good question when an innocent person is wrongly singled out. Similar names will be a reason for mis-identifications.

Of course, so could identity theft. It makes sense that such a system could tie in to NCOA verifications that I suggested on Sept. 25, 2006 on this blog.