Saturday, December 26, 2015

Strict administrative procedures to avoid ID theft by banks keep a lot of lower income people "unbanked", especially in NYC


Stricter administrative procedures by banks to verify identities of new customers are causing many on the lower economic rungs in New York City to remain unbanked, according to this story in the New York Times Dec. 24, by Michael Corkery and Jessica Silver-Greenberg, “Banks reject New York IDs, leaving ‘Unbanked’ in lurch” (or on “sidelines”).

But my own suggestions for a new system, based on NCOA, proposed here Sept. 25, 2006, intended to make it practically impossible for a new account to be opened without the liable party’s knowledge, could probably run into similar problems. 

Wednesday, December 23, 2015

Creditors use debt collectors to help sue and then block counter-litigation to dispute claims, claiming "arbitration"


In a front page column “Beware the fine print: Making people pay” in the New York Times Wednesday, Jessica Silver-Greenberg and Michael Corkery report “creditors sue, then block use of courts to fight back” by applying “arbitration” clauses in contracts.



The result has been garnishment of bank accounts for old debts, some of which a consumer has forgotten or been unaware of.  There would be the risk that identity theft could set up a situation leading to the garnishments, since (as often written here before) there are not enough security safeguards in the system to verify the identity of people getting loans or to prevent information from being hacked.  The news story also reports that debt collectors have gotten away with collections from states in which they are not authorized to operate.

Monday, December 21, 2015

IRS is supposed to start using collection agencies; will this confound the scam phone call problem?


Congress has recently passed a law directing the IRS to use debt collection services to recover receivables from taxpayers.  A column by Joe Davidson in the Federal Diary in the Washington Post, Monday December 21, 2015, p. A14, reports a concern that consumers will get calls that they will believe are scams.  The IRS did not want this policy change, as it has always said it will not collect by phone.  However, taxpayers would get collection notices in the mail before getting calls.
 
The risk increases for taxpayers who have very complicated returns, where the possibility of major errors increases.

Debt collectors often can negotiate down balances to settle debts, although the deficiencies may continue to harm the consumer’s credit score.  It wasn’t clear if that negotiating power applies here.

Thursday, December 17, 2015

Lifelock pays a big fine to FTC this time


Lifelock will pay a $100 million fine to the FTC for failing to come through on promises to serve users after privacy breaches, according to a story by Cecilia Kang today, link here.

Lifelock was fined much less in 2010 and had made an agreement with the FTC.

The company’s services are part of AOL membership.

I have gotten one or two warning texts from Lifelock, but they did not turn out to be real problems.

Wednesday, November 04, 2015

I get Instagram on my phone, and find a bogus user-name connected to my AOL email


I finally got around to signing up for Instagram last night, and ran into a snag that could have significance. 

After installing the iPhone app, it kept telling me that my AOL email was already in use with an account.  I couldn’t log in with my normal username and chosen password, and then I noticed the emails to me gave a different user name that started with an “@”, “@kd3drud”.  That didn’t work either.  I seemed locked out by a deadly embrace.  But then I saw a link to use if you suspected a third party had set it up.  That disconnected this bogus username and then I was able to use my own username and password and everything worked.
  
What is scary is that I had not gotten around to using Instagram, being filled by blogging, Facebook and Twitter.  Did this username get set up somehow by an automated script somewhere (maybe on Facebook) or did a hacker set it up with my email? 

There is no evidence that anything was ever posted by it, and I never had heard of any use of Instagram under my email address.   Presumably any content has been removed although it could be cached somewhere, if it exists at all.  Instagram seems to have no phone support to research this if necessary. But in theory this could create a form of “identity theft” that could leave someone open to being framed for offenses ranging from arranging terrorism to trafficking child pornography, with the FBI doing a home invasion at 3 AM someday.  In my social circumstances, “innocent until proven guilty” would not stop the rest of my life from being destroyed, a moral point about social resilience indeed.
 
A moral of the story is that social media apps you don't even use could set up possible traps. I haven't looked at Snapchat because I have no interest in conducting conversations that way. 
     
I’ve noticed over the years a constant stream of phishing attempts saying “your mailbox is full” that AOL spam filter doesn’t seem to catch.  So far, I haven’t seen any more of these since fixing this last night.  

Tuesday, October 27, 2015

US Army and Selective Service records from Vietnam era may expose veterans to PII disclosure to others


Our own military may be inadvertently exposing PII of people exposed to the Vietnam era draft, as I discovered recently by happenstance. 

Last week, when reviewing the film “Truth” on my Movies blog (Oct. 24), about the reporting on George W. Bush’s apparent behavior in the 1970s with avoiding exposure to conscripted service in Vietnam, I decided to post a page from my own complete DD-214, military records, to make a point.
  
Then, I noticed that several of the pages, having teletyped military orders showing my movement to Fort Jackson, SC, to start Basic Training back in 1968, listed the names of other draftees, with not only their RA, US, ER or NG service numbers in use at the time, but also their social security numbers.  Before 1970, the Army would drop using separate RA service numbers and use only social security numbers for identification. 

The upshot now is that if anyone uses a photocopy of his records in a blog or video, there is a risk that he or she could expose the SSN’s of other people who went into the service at the same time. Many of these people, like me, would still be alive today. 

After catching this, I changed the picture to be one of a page that doesn’t have any numbers or names, like above.  Of course, it’s very unlikely that a hacker (perhaps working for China, Russia or North Korea) would really try to lift SSN’s off a JPG of military or Selective Service records, but I suppose it is possible.

DD214's (proof of active military service) are often used to establish eligibility for certain benefits, such as with VA loans for homes.  So there is a potential for hacking and leaks. 
  
In fact, back in 1996, when doing research on my first “Do Ask, Do Tell” book, I got some of my own Selective Service records from the Selective Service System (link) and found the names (and I believe SSN’s) of some other people exposed to the draft at the same time, from the late 1960s.  I made a DVD in 2003, which I have never ripped to post on YouTube, where I used a photo of these records, so I suppose if I want to post it, I’ll need to block any other names and numbers out with Apple Final Cut somehow.
 
Also, back in 1996, when working on the DADT book, I got my paper patient records from NIH dating to 1962.  They did have the names, but not the SSN's, of other patients on the ward on which I lived.  
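The post above describes the exposure that comes from publishing a scanned record that lists other people's SSNs and service numbers. As an added example (my own code, not anything from the blog or the Army), here is a small pre-publication check of the kind one would run over the OCR text or a transcript of such a document before posting it: it reports every SSN or service-number-looking value with the line it sits on, and produces a redacted copy. The sample order text, the names and every number in it are constructed for the example, and the service-number shape (a two-letter RA/US/ER/NG prefix followed by eight digits) is an assumption, not taken from the page.

```python
import re

# Constructed sample text, roughly what OCR of an old teletyped movement order
# might yield. Names and numbers are invented and belong to no real person.
SAMPLE_ORDER_TEXT = """\
FOLLOWING EM REASSIGNED FORT JACKSON SC FOR BCT REPORT NLT 15 FEB 1968
DOE JOHN A US 53123456 SSAN 123-45-6789
ROE RICHARD B RA 11234567 SSAN 987-65-4321
SMITH JANE C ER 21234567 SSAN 456 78 9012
TRAVEL BY COMMERCIAL AIR AUTHORIZED
"""

# SSN written as 3-2-4 groups separated by a hyphen or space, or nine bare digits
# immediately after the label "SSAN" (bare nine-digit runs elsewhere are left alone
# to avoid false hits on unrelated numbers).
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b|(?<=\bSSAN )\d{9}\b")

# Assumed service-number format: prefix RA/US/ER/NG plus eight digits.
SERVICE_NO_RE = re.compile(r"\b(?:RA|US|ER|NG) ?\d{8}\b")

PATTERNS = [("ssn", SSN_RE), ("service_number", SERVICE_NO_RE)]


def find_identifiers(text):
    """Return a list of {'kind', 'value', 'line'} for every identifier found,
    in document order, so a reviewer can see exactly what would leak."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                found.append({"kind": kind, "value": match.group(0), "line": line_no})
    return found


def redact(text):
    """Return a copy of the text with each identifier replaced by a labelled marker."""
    text = SERVICE_NO_RE.sub("[SERVICE NO REDACTED]", text)
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return text


if __name__ == "__main__":
    for hit in find_identifiers(SAMPLE_ORDER_TEXT):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}")
    print(redact(SAMPLE_ORDER_TEXT))
```

The check only sees text, so for a JPG or a video frame it has to be run on an OCR pass or a hand transcript; what it is good for is confirming, before the image goes up, that every line of the original carrying a number has actually been blocked out.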

Friday, October 02, 2015

Most retailers in US not ready in time for EMV credit card standards


On Oct. 1, 2015, most retailers in the U.S. were supposed to be compliant with EMV, “Eurocard Mastercard Visa” chip technology standards, that make card skimming and fraud much less likely.
  
Gradually, consumers will receive new cards in the mail.  I don’t have many of mine yet. But many retailers are still not prepared for the transition, which can make them more liable in case of fraud.
  
There is an FAQ on how this all works here
  
The liability shift is well explained on a site called Payments Leader here
  
  

Non-profits, which sometimes take cards at events like film festivals, could have a particular problem with all this. 

Bill 

Wednesday, September 02, 2015

Credit card fraud seems to involve automatically generating many transactions against "random" merchants


On Sunday afternoon, August 23, 2015, I got a sudden text from Bank of America about potential fraud on one of my Visa cards with the bank.  This was accompanied by emails and a phone call, which I took, even as I had to leave for an event.

The card was cancelled immediately and replaced within two days.  But what was curious was the speed with which fraudulent charges had accumulated, from merchants that had no logical connection to one another.

I still had the card.  But I do recall that in the past, BoA has sometimes sent more than one copy of a card (not a good idea). 

There was some reason to think that some of the charges might have come from Florida.  I had visited the Disney and Universal theme parks there in mid-July and gone to a street celebration in downtown Orlando on a Saturday night.  I never used this particular card while there.  But it is conceivable that someone in one of the parks or on the street could have used a scanner capable of reading cards in my wallet.  Also, it is conceivable that these particular entities don’t check card security code, just name and expiration date.

It’s also conceivable that the scam could come from some business that was hacked where this card has been used legitimately, but none of the companies reported in the media would match.
    
But it’s hard to see how this kind of a scheme could make the fraudster any money, as a practical matter.  The card will almost certainly get denied quickly.  The charges themselves seemed to have been generated by an automated script that might not have even required contacting the merchants.  Maybe the scam needs to make money from only 1% or so of all the transactions if the scammer can generate enough transactions.   It seems likely that the ultimate source of the scam comes from Russia or China.
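The pattern the post describes, a rapid run of charges at merchants with no logical connection, is exactly what an issuer's real-time fraud rules look for before sending the kind of text the bank sent. As an added example (my own code, not the bank's system or anything from the blog), here is a simple velocity rule over an authorization stream: a card is flagged when more than a set number of authorizations land inside a short sliding window and those authorizations spread across several distinct merchant category codes, so a legitimate burst at one kind of merchant is left alone. The transactions, card ids, merchants, category codes and thresholds are all constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authorizations: (card_id, ISO timestamp, merchant,
# merchant category code, amount in USD). Invented for this example; no real account.
SAMPLE_AUTHS = [
    ("card-1", "2015-08-23T13:00:00", "Corner Grocery", "5411", 42.17),
    ("card-1", "2015-08-23T13:02:10", "Online Game Credits", "5816", 9.99),
    ("card-1", "2015-08-23T13:02:45", "Tire Depot", "5532", 119.00),
    ("card-1", "2015-08-23T13:03:30", "Florist", "5992", 65.00),
    ("card-1", "2015-08-23T13:04:05", "Prepaid Phone Top-up", "4814", 25.00),
    ("card-1", "2015-08-23T13:05:00", "Pet Supplies", "5995", 33.50),
    ("card-2", "2015-08-23T13:00:00", "Corner Grocery", "5411", 18.40),
    ("card-2", "2015-08-23T18:30:00", "Gas Station", "5541", 40.00),
]

WINDOW = timedelta(minutes=10)   # length of the sliding window (assumed threshold)
MAX_AUTHS_IN_WINDOW = 4          # more than this many authorizations in the window is a burst
MIN_DISTINCT_MCCS = 4            # ...but only if they span at least this many merchant categories


def _parse(record):
    card, ts, merchant, mcc, amount = record
    return card, datetime.fromisoformat(ts), merchant, mcc, amount


def find_bursts(auths, window=WINDOW, max_auths=MAX_AUTHS_IN_WINDOW, min_mccs=MIN_DISTINCT_MCCS):
    """Scan authorizations in time order and return, per flagged card, the moment the
    burst was first detected plus the count and category spread that triggered it.

    A card is flagged when more than `max_auths` authorizations fall inside any
    `window`-long span AND those authorizations cover at least `min_mccs` distinct
    merchant category codes. A run of charges within one category (several grocery
    stops, say) never trips the rule on its own.
    """
    recent = {}      # card_id -> deque of (timestamp, mcc) still inside the window
    flagged = {}     # card_id -> details of the first detection
    for card, ts, _merchant, mcc, _amount in sorted(map(_parse, auths), key=lambda r: r[1]):
        if card in flagged:
            continue  # already flagged; an issuer would be declining by now
        q = recent.setdefault(card, deque())
        q.append((ts, mcc))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        mccs = {m for _, m in q}
        if len(q) > max_auths and len(mccs) >= min_mccs:
            flagged[card] = {
                "detected_at": ts.isoformat(),
                "auth_count": len(q),
                "distinct_mccs": len(mccs),
            }
    return flagged


if __name__ == "__main__":
    for card, info in find_bursts(SAMPLE_AUTHS).items():
        print(f"{card}: burst detected at {info['detected_at']} "
              f"({info['auth_count']} auths across {info['distinct_mccs']} categories)")
```

On the sample data card-1 is flagged on its fifth authorization, about four minutes into the run, while card-2's two ordinary purchases hours apart never accumulate inside one window. Real issuer rules layer many more signals (amount, geography, the cardholder's own history), but the velocity-plus-diversity test is the part that explains why a scripted spray of charges gets caught so quickly.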

Tuesday, August 11, 2015

Identity theft could fit into an enemy's asymmetric warfare strategy


Could identity theft motivate an unusually brazen or Hollywood-plot type of crime?
   
Imagine a controversial writer or blogger who works alone and lives alone.  Suppose he were indeed abducted, perhaps murdered and body destroyed without an obvious trace.  Since he is alone, it’s a while before others notice he is missing.  In the meantime, the criminals impersonate him, even destroy his social media presence, or manipulate it to change what the public perceives about the person. 
  
No, I haven’t written a screenplay around this particular “logline”, but the thought is chilling enough.  
  
That’s why I think there are some lines that can’t be crossed, and some crimes or deliberately combative attacks (asymmetric warfare against persons) cannot be stopped if a potential enemy were determined enough.  I had given some specifics on a Wordpress blog in August 2014 here
  
The story of Molly Norris, detailed here in a Seattle paper is disturbing enough.  The idea of “law and order” could not save her, and the FBI reportedly insisted she go into hiding.  The 2006 film “Family in Hiding” (Timothy Bond) about a mob case was similar.

Thursday, July 16, 2015

Baltimore's Terbium Labs offers a Lifelock-like service trolling the Dark Web for corporate data breaches


A Baltimore-based startup, associated with Johns Hopkins, can troll the “dark Web” for leaked corporate data for clients, according to a Washington Post story on Thursday, July 16, 2015, p. A15, by Andrew Gregg, link here.

  
The technology scans the Dark Web for “fingerprints” that match a client’s sensitive data, when being trafficked around.  However, the service appears more likely to be of benefit to large companies (to prevent leaks) and even governments than to small businesses or individuals.  It’s rather like a large company’s version of “Lifelock”.
  
The company is named after the rare metallic element terbium.

Thursday, July 02, 2015

AOL's Lifelock partnership service


AOL does have a subscription service, which I use – the email is free, but the subscription includes more content, computer anti-virus and firewall protection, and particularly LifeLock identity protection.
  
I did go ahead and create a “free” account.  It will ask for your credit cards, bank account numbers, addresses, driver’s license, auto insurance policy, phone numbers, and will send an SMS to your mobile phone to start the alert service.
   
I am probably harder to mimic than a lot of people, with an unusual last name and unusual life history facts that can be verified by any financial institution.  A mortgage company would have to be reckless to let an imitation of me buy a mansion on its dime, but anything is possible. 

Wednesday, June 24, 2015

ICANN wants to stop private registration by proxy for small business owners


Electronic Frontier Foundation is reporting that ICANN wants to stop “private” domain name registration by individual owners who show any possible commercial intent at all (like by allowing ads), as in this story by Jeremy Malcolm and Mitch Stoltz, link here
   
The ICANN proposal for Proxy Services Accreditation is here
  
Parties with legitimate need to find owners (to file legal actions) can still use discovery processes. 
  
However, some owners could be left open to harassment.
  
I use a UPS store address for business, which I don’t think would be affected.

 

Monday, June 22, 2015

My Census employment in 2010-2011 led to my getting a letter about the hacking "accident"


Since I worked for the Census Bureau in 2010 (decennial) and 2011 (one of the surveys), hourly, it looks like my PII got caught up in the Chinese hack. I got the dreaded form letter from OPM today.

Do I think it’s very likely anything would happen with it?  No, because of the “law of large numbers”. I don’t work there now and wasn’t in the loop for security clearances. 

But in late 2013, I kept getting emails asking me if I wanted to register my “doaskdotell” domain in China, even though it had been banned before.  That was rather odd.

 

Thursday, June 11, 2015

Identity theft insurance; more on protecting elderly parents credit, and airline cards


Thursday, June 4, 2015 I did write a piece on homeowner’s and car insurance and social media on my Issue blog.
  
It’s well to add here that in many states, most homeowner’s and renter’s policies offer optional coverage for Identity Theft and fraud resulting from it. 
  
It might not work in estate situations where the property inherited belongs to a trust rather than to the beneficiary (typically, only events connected directly to the property are covered). It would have been intended to cover the original owner before her passing from identity theft.
  
Besides checking credit reports, it goes without saying that one of the best defenses to identity theft is simply frequently checking all financial accounts online.  This is probably more trouble to do for an elder relative in care than for one’s own affairs; the parent is likely to have accounts that one doesn’t know about.
   

Here’s another problem:  airlines seem to want to give consumers Visa or Mastercards when they sign up for frequent flier miles.  It seems like you get a new card when you book a reservation whether you applied or not.  Maybe the application is embedded in the website somehow. That also means another credit inquiry, possibly lowering a credit score.  

Thursday, May 21, 2015

Debit card data theft has increased radically in 2015


The Wall Street Journal reports, in a front-page story Wednesday, that debit-card data theft has increased radically since the start of 2015, and that much of the theft comes from skimmers placed in non-bank ATM’s in remote locations, link here
    
Retailers will be expected to have the technology to read the newer debit cards by October 2015.  But ATM’s are slow to come up to speed, although bank ATM’s will probably be brought up to speed in the next few months.  

Friday, May 08, 2015

Annual credit report, data-mining sites, local government records all should be monitored for bogus court judgments as well as ordinary id theft


One problem with robo-calls (which in my case come in on a little used landline) is that, if you don’t answer any numbers you don’t recognize, you could get a collection call and not know about it.
Typically, a debt collector will leave a first name and a number and not state the reason. It’s illegal under the FDCPA to leave information in a phone message about a debt, because a third party could pick it up.
  
When you call the number back, you learn it is a collection agency.
  
All of this means it is important to know what is in your credit reports.  If your reports have no negative information, then you know the debt is (probably) not legitimate and you have the right to dispute it. A call like this means you could have been targeted by identity theft and have fraudulent accounts in your name.
  
There is another sinister possibility, though unlikely, if your life is at all “interesting.”  You might have a court judgment against you (especially out of state).  If you had not been properly served, then the judgment is not enforceable.  Service by mail is possible in most states, but the plaintiff runs the risk of the defendant’s successfully claiming he or she was not served because the item was misdelivered. Certified or registered mail is possible.  I believe that mailbox stores (like UPS) normally accept service of process, and indicate with a card in your box that you have such an item to pick up.  Many apartment complexes do accept service, during normal business hours.
  
Today, I did pull my “annual credit report”.  Yes, the site uses encryption (https).  Equifax and Experian (formerly TRW and Chilton) separate out negative items and public records (which would include judgments); Trans Union does not.  But Equifax and TransUnion offer PDF copies to download.  With Experian, I had a problem with the html file disappearing (it loads only once for free).  The best report, for readability, was, I think, Equifax. 
  
No negative information showed up, this time at least. I did see some inquiries, but normal stuff, no “shotgunning”.
  
Of course, it might be possible to use sites like “Been Verified” to check one’s own public records (Jan. 13).
  
Homeowners (including especially those with homes acquired through estates) should also learn how to use their own local government’s property tax and utilities billing systems, as another precaution against fraud, like the possibility of a fraudulent mortgage or even title transfer. Like it or not, property tax records are public, and, yes, it’s possible to determine if your neighbor is current just as yourself.  


Saturday, April 25, 2015

"Shotgunning" of inquiries for auto loans sometimes drag down credit scores of unsuspecting consumers


Recently, a few media sources have warned consumers that their credit scores can go down if they allow used car dealers to “shotgun” for loans, and make multiple inquiries.  One such story is here
    
However, Experian (which used to be Chilton, where I worked in Dallas in the 1980s) explains that all inquiries for an auto loan within a given period (usually two weeks) are scored as a single inquiry.  Experian has a statement in a letter answering a question here.  By the way, I did not personally work on the interface with Fair Isaac at Chilton, although I worked with people who did;  I worked on the company's member billing systems (mainframe systems) and stayed very busy a few years.  

Thursday, April 23, 2015

Personal information caches could be deleted more quickly in commercial transactions



WJLA-7 in Washington DC held a phone bank on identity theft, as reported here

WJLA also reports on work, proposed at George Mason University, where personal information is deleted from a transaction stream as soon as it is used, a kind of pseudo Snap-Chat. 
  

But right now companies have too much incentive to mine personal data from the web (not even the “Dark Web”), which then winds up in the hands of criminals as well as “legitimate” advertisers.  

Friday, April 10, 2015

AOL reports on another public records reporting company, "Background Alert"


AOL has told its subscribers about another company that aggregates public records on people and allows customers (presumably paying) to look up anyone.  This one is called “Background Alert”, here.
  
The article says some people find it addictive.  I personally don’t do this, even though I paid for a membership to “Been Verified”. (“Instant Checkmate” is another such company, and this doesn’t mean a chess endgame stalemate draw.)  Presumably, the site would tell you if someone looks you up – if you’re a member. It’s easy to imagine how public records data aggregation sites like this could be misused by “enemies”, lone wolves and the like, as discussed on the news.   They do appear to be entirely legal, and I would expect CNN to report on them one of these days. 


Tuesday, April 07, 2015

What happens when personal data hits the "Dark Web" overseas? On a personal level, less than expected


Kelly Jackson has an article on “Dark Reading”, tweeted by Webroot, “What happens when personal information hits the Dark Web”, link here

This was a controlled experiment, with fake data.  It found that there was a lot of buying and selling of data in Nigeria and Russia and other poor countries.  Yet a lot of the data is pretty worthless.  Once someone detects a fraudulent purchase, the account is cancelled.  Criminals pay for a lot of records of personal data, knowing that a lot of it, perhaps most of it, cannot be easily used for id theft.  

Monday, March 09, 2015

Credit reporting industry will beef up ability to handle disputes, after agreement with New York State


The Wall Street Journal is reporting Monday that the three major credit reporting companies have agreed to overhaul their procedures for resolving disputes from consumers about specific members, in a front page story by Anna Maria Andriotis, link here
  
The agreement is with New York State but it should be implemented nationally. 

Extra employees will be hired to resolve disputes. The three major companies are Experian (Los Angeles and Dallas), Equifax (Atlanta), and Trans-Union (Pennsylvania).   Even though these companies have member and affiliated bureaus (one was at the RMA site in St. Paul MN, where I worked a while in 2003), these jobs would probably be at the corporate level.  Implementation will take over three years. 
   
I worked for Chilton, a precursor to today’s Experian, for six years in Dallas in the 1980s.  Member-consumer disputes were not the issue then that they are today, and identity theft was not nearly as rampant. Chilton’s data center was located on Fitzhugh, in Oak Lawn, and the corporate center was just north of I-635, called “Northpoint”. 


Monday, March 02, 2015

Required parking stickers could compromise home, school security


This little story isn’t exactly about identity theft, but I think it’s useful.  The stickers that people put on their cars can lead criminals to where they live, or particularly where their kids go to school. The AOL story is here.
   
It’s all pretty creepy.  But more communities these days require residents to have parking stickers.  And, no, the art work for this poster isn't someone's sticker.  

Wednesday, February 18, 2015

Banks consider use of fingerprints instead of passwords


RBS and NatWest have announced plans to allow iPhone (5S and higher) users to access accounts with fingerprints, eliminating PIN codes and passwords.  Phil Muncaster has a story on Infosecurity here. It would appear that a similar facility would be offered for ATM’s.  One could imagine the same concept developed with retinal scans.  Will people have bar-coded tattoos some day?  
   
But depending on fingerprints is not necessarily safer than strong passwords (and especially 2-step verification) according to the article, partly because of the large number of fingerprints a person leaves.  But exploiting them is difficult and requires very dedicated criminals --- although Russia and China seem to have a plentiful supply of unemployed techies so motivated.
   
The innovation needs to be evaluated in conjunction with newer ATM debit and credit cards that have much harder-to-reproduce chips.  There is also the idea that making accounts safer could have the side effect of increasing violent crime (this already happens with autos – carjacking increases because cars are much harder to steal).  

Thursday, February 05, 2015

Major hack on a health insurance Anthem ("Blue") company


The Anthem Blue Cross plan (hq-ed in San Francisco) has endured a large data hack, according to USA Today, link.  Over 80 million records across the company were compromised, and the source appears to be China.  The breach did not involve credit card information, but a great deal of personal information.

The Wall Street Journal has a detailed story by Anna Wilde Mathews and Danny Yadron, link here.
My own work history had two employment episodes associated with the BCBS system.  One was a consortium of up to seven Plans, but the turf-oriented Blues have always had trouble working together so this hack is no surprise to me.  
   
I think this is the first major hack on a health insurance company, certainly a Blue Plan.

The hacks on major retailers and brokerages so far don’t seem to have directly resulted in a lot of identity theft. 

The biggest threats seem to be fictitious persons made out of children or of others (including the elderly) not needing credit or using it for a long time.  The danger could increase with the opportunity for medical identity theft. The best way to meet the threat seems to be to contact Experian, Equifax and TransUnion and put on credit freezes, which only you can unlock when actually needing credit.
     
But NBC News has a story explaining how credit monitoring may not stop medical identity theft, which can lead to incorrect patient records and create life-threatening mistakes later with real patients (especially in emergencies, where the careful address verification that I propose on other pages here cannot be done in time). So this gets closer to a real national security problem if coming from a foreign source.  The New York Times (Friday, Feb. 6, p. B4) has a story by Tara Siegel-Bernard on the steps of self-protection here (link), regarding existing accounts, new accounts and social security numbers. 

Thursday, January 29, 2015

"Instant Checkmate" is more than an opening trap in chess


AOL News is informing its subscribers of another site that allows one to check up on potential dates, employees, etc.  It’s called “Instant CheckMate”.   The AOL article seems accessible only to AOL subscribers, but the actual site (it makes you agree to a disclaimer) is here. Again, this is an amalgamation of public records.  
      
I would suspect that if you use the site, you can expect the target to know about it if he or she also subscribes. 
   
It is pretty obvious that this kind of facility can be horribly abused.
  
Many communities put their real estate records online, which could be accessed for wrongful intentions. 
  
The illustration shows how White can be checkmated in two moves.  It actually takes White three moves to confer the shortest possible mate. 

Tuesday, January 13, 2015

"Been Verified" lets anyone look up anyone else's public records, but it's really a two-way street



I got a tweet promoting "Been Verified", as a replacement for search engines.  I went ahead and signed up for a few months, just to see what is out there on myself.  The service shows all data from public records (and that means where you live and home number) and claims to show social media, but that's only Facebook and LinkedIn, no mention of blogger, twitter, or personal sites.

Much of the information is also on a credit report, but you have to be a lender or employer or legitimate member to order a report.  Yes, people will use this service to check out prospective dates.  Or for dangerous purposes, maybe.  But the information is out there anyway.  There is no privacy anyway.

The service will also tell you, by email, if anyone orders a report on you, which is a good thing to know.

No, I don't intend to "check up on people" out of curiosity.  Have no concerns.  Unless I tell you myself, I won't run this on "you".  The TOS says you can't use it for employment decisions, just "personal".

Saturday, January 10, 2015

Hackers can now lift fingerprints from high resolution photos


Hackers can now lift fingerprints from photos of people, if the photos have enough resolution, and then use these to break into certain iPhones or workstations secured by biometrics, at least fingerprint technology.  A story on Fox DC by Sarah Simmons explains here
     
It sounds rather hard to believe, but the “proof of concept” has already happened in Germany.

  

Wednesday, January 07, 2015

IRS, news media warn of phony tax collection phone calls and phishing attacks


The IRS has reported an aggressive phone scam where criminals call individuals and try to collect supposed tax debts from them.  Livingston Daily Press (MI) has a typical story here.  The IRS does call people sometimes, but not until numerous contacts by US Mail.  There isn’t much question that phishing attacks mimicking the IRS also occur. 
   
The IRS has a fact sheet listing five ways to identify fraudulent calls, here
     
ABC affiliate WJLA in Washington DC reported on this matter Wednesday.