Thursday, December 15, 2016

Yahoo! coughs up one billion identities to hackers

Here we go again, with another major hack, this time, over one billion Yahoo account, as reported, for example, by Tech Crunch,

Credit card and bank info was not taken.  There is such a huge cache that it sounds improbable that any one person would be targeted for identity theft.

On the other hand, you can't change your birthdate, and changing your name is impractical.  (Oh, in fifth grade, a girl wanted to change her name because I teased her over the "Life with Elizabeth" show -- and "Elizabeth, aren't you ashamed?"  Head shaken.  Betsy is a nickname for Elizabeth.)

My own Yahoo account no longer exists, it seems.  It was used during the glory days of GLIL.

Yup, there is even more pressure for everyone to move to two-factor authentication everywhere.

Here's a video on how to tell if your Yahoo! account is hacked.

YouTube has a lot of videos on how to hack Yahoo! (just type in that key search argument).

Tuesday, November 22, 2016

Widespread identity theft of minors reported again

Just as dead people are targets for identity theft, recent reports have covered children's identities being stolen, sometimes even by parents desperate to pay bills, as in this New York Times story by Ron Lieber in April 2015.

Typically, minors don't find out they have a problem until they are of college age and start trying to get their first credit cards, or first apartments and cars.  Kids who work while in college or even high school  have a better chance of finding out they have a problem earlier, as some employers will run checks.  

Monday, November 21, 2016

"Ghosting": identity theft of dead people

The AARP has recently advised families to take active steps to protect their deceased loved ones from identity theft, especially for IRS tax refund scams; an earlier article.

The crime is called “ghosting”. and is hard to catch.  The IRS has guidelines here.

Families should not publish exact birth-dates in obituaries.

Wednesday, November 16, 2016

Facebook identity scams? Fake senders?

Can people's Facebook accounts get hijacked?

I don't know.  I got a mystery message this morning about my government benefit.  No, it wasn't social security.  I was supposed to know what she was talking about.  I don't. Some "lucky fund from the government".

Then her messages went blank, saying that the Facebook sender needed verification.

Monday, October 17, 2016

Why is a west coast company sending me a card with a half million line of credit, unsolicited?

This is pretty scary.  I get a blue "Notable Capital Premium Platinum Capital" card in the mail from Scottsdale, AZ, unsolicited.  With a $500,000 line of credit.

There's an 800 number to activate it.

Earlier cards were for $100,000 or $200,000.

Oh, maybe it;s in bitcoin.

It's getting close to time for my free Annual Credit Report.

But why are companies so eager to mail me credit lines that I didn't ask for?  

Thursday, September 01, 2016

"Truthfinder" seems to be another tool for "spectator spying" on people

Here’s a story about another “background investigation” tool, called “Truthfinder” , on AOL news.

It seems to comprise an uber-compilation of public records about a person, but I don’t know how reliable it is, or whether it picks up the wrong person sometimes.

I don’t look people up on these sites ordinarily.  I don’t spy on people out of “curiosity” or as a “spectator sport”. The only exception would be if the person were going to be housed or employed by me.  But then, who should bear the moral hazard for any inaccurate information on a site like this. I guess the other person could find out you had looked him up by joining.

Tuesday, August 02, 2016

Debt collection, especially debt buying, faces real regulation and the legit companies want it

Once again, debt collection may come under more regulation, but this time the Consumer Financial Protection Bureau means business, and legitimate debt collection companies seem to support more regulation, according to a story in the New York Times by Stacey Cowley July 28.
Some reports indicated that companies that buy debt will be more carefully regulated.

I found out in 2000, when doing a credit search because I thought I would buy a house in Minneapolis, that I had a $650 accumulated debt from an unsettled VISA bill that could have fallen through the cracks when I moved to Dallas in 1979 (or later during another move).  It showed up on Trans Union and Equifax but not on Experian.  In 1987, as an employee of Chilton (to become TRW and then Experian) in Dallas, I had undergone a credit check and nothing had been found.

A NYC company had bought the debt, and was very rude when contacted, and unwilling to validate the debt, and threatened immediate lawsuit, which would be illegal now.  I paid up, but it’s not clear that it had been properly owed.  The FDCPA guarantees consumers can dispute debt claims.  But when debts are sold, the new companies have in the past somehow avoided the dispute rules.  No longer.

Tuesday, May 10, 2016

Airline passengers could face id-theft threat from discarded boarding passes

Recently, media outlets have reported personal security risks to airline travelers from discarded boarding passes with printed bar codes. Is it safer to stick with smart phone passes?

Hackers might be able to combine information obtained from barcode decoders with social media posts to guess passwords and eventually obtain PII, CBS reported in October 2015 here.
Yet, the practical risk for most travelers of an actual identity hack from such an event sounds remote.  My own name, being somewhat unusual, makes this more difficult.  You still wonder how banks and financial institutions give mortgages and car loans to people who don’t exist.

Sunday, May 08, 2016

Company seems to offer a plug-in that would simulate https everywhere

This promoted story appeared on ABC’s Yahoo link (for Good Morning America).  It looks like a sales pitch. “1 Reason Not to Go Online if you live in US”, link.

The article purports to claim that signing up for this “limited service” provides what sounds like essentially the same protection as https everywhere.

Maybe someone knows if a product off the shelf can really do this.

Tuesday, May 03, 2016

States can levy additional penalties on illegal immigrants who commit id theft to get work

The Washington Times reports that states can imposed their own penalties on illegal immigrants who commit identity theft to get a job, as in the front page story Tuesday May 3, 2016, top banner, here.

The Ninth Circuit ruled in favor of Maricopa County sheriff Joe Arpaio on Monday.

The Lifetime film "Identity Theft: The Michelle Brown Story" (2004, dir. Robert Dornhelm) comes to mind, as a true story where this really happened.

Wikipedia attribution link for Maricopa County (Phoenix) AZ courthouse.  (author “Tony the Marine”).

Monday, April 11, 2016

Could id-theft lead to a phony lease used by a house squatter? Idaho judge refuses to evict

Tonight, ABC World News Tonight reported a case where a couple owning a home in Canyon County, Idaho, apparently entered a sale contract and then went away for a while.  When the couple came nack, they found a squatter who produced a “lease” which was obviously fraudulent. Yet, a judge refused to let the couple evict the squatter.

The ABC link was not yet available.

But the University of Massachusetts Law School has a paper by Shannon Dunn McCarthy on the problem of “lifting the heavy burden to evict unwanted company”.  One question seems to be simply home security.  There should have been a security system, or someone trusted should have been checking the property periodically.

Wikipedia attribution link for northern Idaho mountain picture by Charmar, under CCSA 2.0.  My most recent visit to the area was in July 1990.

Wednesday, April 06, 2016

Debt collectors still going after people for non-existing loans

I recently saw a social media posting from a friend (in New York State) saying he was getting calls from a South Carolina collection agency for a bank loan from a bank with whom he had never had an account, and from a retirement financial planning service he had never used.  It was difficult to tell if these were phone calls or emails.  There are details on Yelp.

I often get collection emails from “banks” with who, I have no connection, and mark the emails as spam without opening (probably laced with malware). It is possible, however, that a bank contacting a consumer could have bought another bank with whom the consumer had done business, or could have bought the debt.

Consumers should remember that, by FDCPA, they always have a right to dispute invalid debts from debt collectors after which a collector cannot legally continue contacting them.
I wonder about these gray line-of-credit cards I get in the mail, unsolicited.  What if I got contacted for a loan I had never taken out?

Wednesday, March 09, 2016

IRS suspends PIN retrieval tool as part of attempt stop refund fraud

The IRS has suspended the use of a retrieval tool for “identity-protection PINS”, as a result of the epidemic of fraudulent returns, as reported by Andrea Petersen in the Washington Post Wednesday March 9, 2016, p. A16.

Closely connected was the IRS “Get Transcript” tool which was breached last year.

The IRS has used the pins on sites (like HR Block and TruboTax) that file returns online, as part of a digital signature.  Given all the complexity of this and some matters, it looks like my own return will have to be by mail (after printing from the website) this year, as it was last year.
The article notes that crooks have become more proficient in guessing answers to security questions, possibly culling them from social media – items like my favorite pet, city of birth, etc), so the trend will be to let users define their own security questions

Tuesday, February 16, 2016

Media coverage of the fake tax refund problem continues

Recently, many media outlets have reported the generation of fake W-2 forms and the filing of them with the IRS, disrupting returns to legitimate taxpayers, that get held up for months.
Here’s a typical story, from Myrtle Beach, SC.  WJLA in Washington DC ran a story Tuesday night.

Since the IRS does not send payers W-2 forms but allows them to be printed, it would seem hard to make a legal case against the use of counterfeit forms. That’s one opinion.   But there’s a good question if it can be illegal to provide a service that has only a criminal use (a line of thinking we’ve heard in other areas, like copyright).  Some companies claim they offer “novelties”.

But it’s rather shocking, what you get when you search Google for “fake W-2 forms”. Like Forrest Gump, you never know what you're going to get.

Monday, February 01, 2016

Fake tax refund scams could affect targets for years

Michelle Singletary offers a disturbing commentary in the Business Section of the Washington Post, Sunday, January 31, 2016, “Victims of tax-fraud could be looking over their shoulders for years”  .

 The article specifically addresses fake tax returns on stolen SSN’s or identities.

The IRS has an “identity protection specialized unit” and can offer an “Identity Protection Personal Identification Number” or IPPIN.

It’s getting time to start gathering together all the info for the 2015 taxes.

Friday, January 01, 2016

Aggregation of voter PII from many states raises privacy, ID theft concerns

On p. A15 if the New York Times on December 31, Nick Corasaniti and Rachel Shorey write “Database of personal information from voter records appears online” (the online title is less specific as to significance).
The database collates voting records, including PII and party affiliation, but not how people voted secretly, of 191 million people from various states. The significance of the finding is that it’s all in one place, where a hacker could use it for phishing or even extortion. But the collection of the data by both major parties in many states is seen as necessary for campaigning.