Monday, July 19, 2010

Navy sets up "femme fatale" on Facebook to test threat of id theft in classified operations

The Washington Times, on the front page Monday July 19, reports a caper where the US Navy Network Warfare Command set up a fake Facebook profile with a fake female person, to tempt other people with sensitive jobs to give away classified and personal information. The story by Shaun Waterman is titled “Fictitious femme fatale fooled cybersecurity; Intel, defense specialists fell for ruse in test”, link (website url)  here.

People did give away classified information embedded in innocent material, but more disturbing to officials was the way some people gave away their own personal information and that of family members. For people in defense-sensitive jobs, this seems like a particularly sensitive issue, as identity theft could be a particular problem in intelligence operations.

Amateur novelists could have fun with this one. It’s even possible to imagine identities being “contracted”.

I worked for two Naval agencies early in my career, at David Taylor Model Basin and later at Naval Command Systems Support Activity at the Washington Navy Yard. Something like this could have been tested there.

Wednesday, July 14, 2010

Parents sometimes steal their kids' identities

Mellody Hobson and Laura Zaccaro reported on ABC “Good Morning America” today “Parents stealing their kids’ identities in alarming trend”, link here. And it seems to be happening to fully grown adult children.

There is no mechanism to check a fraudulent social security number against age (as there is no direct correlation to age). So parents, desperate in a bad economy, have written off bills on their kids’ identities, who may find their credit ruined or get calls from debt collectors for their parents’ bills.

The report recommended calling both the Federal Trade Commission and local police and filing the reports therefrom to credit reporting companies. Adult children victims who don’t contest the bills with the proper procedures could wind up being legally responsible for the parents’ bills. Remember the old times when children were viewed as an “economic asset”.

The report starts with “look how devastating it can be when your own family steals from you.”

Monday, July 12, 2010

Cell phone phishing for debit cards and "mystery" phone numbers

I have become aware of a cell phone phishing scam where the recipient is told by an automated prompt that his debit card no longer works. There may be variations on what the person is told. The target gets a cell phone call that sometimes fails to maintain connection. If the recipient checks the number (if not marked unavailable) it may be a number that assumes that the caller knows an extension and does not identify the company. The phone number is likely to be a local number, and Intellius will show it as unlisted but with a report available.

The recipient should contact his or her bank or local police if receiving such a call.

Friday, July 09, 2010

Phishers get sophisticated with Bank of America trademark emailks

Today I got a particularly mischievous phish purporting to be “Bank of America,” using the trademark "professionally" (and illegally) claiming that security settings had to be redone. What was different was that the cursor did not show any real link when passed over, and when I forwarded the email to the BofA abuse address, the BofA logo appeared automatically in the new part of the forwarded email. I hadn’t seen this behavior before.

The bank phishers are getting even more bold in simulating real life.

Wednesday, July 07, 2010

Hotels have leaky security with credit cards

Yahoo! republished the following article by Joe Sharkey from July 5 in the New York Times: “On the Road: Credit Card Hackers Visit Hotels All Too Often”, link here.

Hotel IT systems are not all that secure when it comes to encryption (and I have found not all that perfect when it comes to guaranteed reservations). This danger goes on top of unsecured wireless common in many hotel rooms.

Playing on the road involves more risks than letting the opponent bat last.

I’ve had only one really major credit card breach: Back in 1995, a Merrill Lynch visa card was used for about $300 worth of unauthorized AT&T calls in Canada, which AT&T reversed for me, after about an hour on the phone, at work on company time.

Monday, July 05, 2010

Data brokerage companies may offer consumers opt-outs of their public records information being sold


I had a random conversation with someone on the DC Metro last night on the way back from the July 4 celebrations, who told me that his wife worked in intellectual property law, and, after talking about the Facebook controversies, we got to a discussion of data brokers and how personal information can be bought from them even when unlisted.

He said that data brokerage companies generally have an individual opt-out policy which means that you can go to each company and request that that company not sell your personal information, even if it comes from legal sources such as official public records (as maintained by local governments). However, you have to go to each company separately, and there can be many of them. In addition, some local governments publish personal information on line, especially with real estate tax records.

Here is the take on this problem from Intellius (link to privacy policy).

This information could be important to families or individuals that believe they could be especially prone to security problems.

I didn’t see a comparable policy at ChoicePoint (link ) == “purchase a shredder”. Not good.

Moreover the Electronic Privacy Information Center (EPIC) has information of the merger between Reed-Elsevier (owner of Lexus-Nexus) and ChoicePoint, and says it threatens privacy, link here. I’m not sure how old this posting is. but see next note.

See also "BillBoushka" blog, Feb. 29, 2008 for posting about data brokerage companies and online reputation. On Jan.. 30, 2008 on that blog there is discussion of the Reed-Elsevier merger, originating with an Erickson Times, a senior newsletter, article and later a Washington Post story.

Thursday, July 01, 2010

Birth certificates can represent an identity security problem; Puerto Rico orders new ones for everyone

The Associated Press, in a story by Danica Coto, presented a large story of special problems with identity theft in Puerto Rico, as reprinted in the Washington Times on June 28, link here

The story starts with a chronicle of a snack bar owner in Puerto Rico arrested for thefts done in Miami and Chicago under his name.

Part of the problem is that illegal immigrants have been hiding birth certificates under mattresses, and they are easy to steal in a bricks and mortar world, almost becoming like fiat money. Furthermore in Puerto Rico the documents are required to join churches, go to school, and engage in many routine activities. So the territory recently required every resident to apply for a new certificate with security and anti-counterfeit features.

But it is shocking that security procedures with lenders or vendors are so lax that the false certificates get by.

Various other activities in the US require scanning of birth certificates, raising identity security questions, as with this story by Jed Boal from KSL in Utah.

Wikipedia attribution link for map of Puerto Rico