Thursday, December 13, 2018

China, as a state actor, seems to be behind Marriott hack

Mike Pompeo has “accused” Beijing, as a state actor, of hacking the Starwood systems of Marriott hotels, as explained in Politico here.
That could be “good news” for average American consumers who don’t travel abroad to non-western countries.  It is extremely unlikely that the information would be used to create fake identities for normal crime, or that the personal information could be used for financial credit card fraud or for Internet spam or other targeted attacks.  However, in a few cases, people with passports to travel to China or to other authoritarian countries could need to be wary. 

Note how Fox News emphasizes "Communist" China.  How true. 

Tuesday, December 04, 2018

"Deep Fakes" can incriminate people online

CNN has a video explaining the growing problem of “deep fakes” online, which can manipulate videos and make it appear a different person is making an offensive statement or committing some sort of act. (There is a scene in my novel where a defendant in a shoplifting case tries to claim this was done.)

NBC News has a similar recent video on the problem. It cannot be managed by the usual rules involving "revenge porn". 

A company called Truepic is developing counter strategies. 
This story is likely to become more important with time.

Sunday, December 02, 2018

Marriott Hotels data breach still of unknown consequences for consumers

Marriott has reported that between 300 million and 500 million hotel guests’ personal information could have been compromised by unauthorized access that it had detected in September.

The hacks occurred on the Starwood reservation system, including the Westin, St. Regis and Sheraton hotels, for stays within the past four years.

It was unclear whether the second internal degree of encryption had been compromised.
The problem may be less serious if over time a customer’s credit cards have been replaced by normal expiration.

But it is possible that other PII could have been compromised, facilitating new identities, which might get created overseas without a person’s knowledge.
I’ve wondered about emails, apparently spam from “Apple”, claiming I had purchased video games in Jakarta or even Belarus.  Could something turn up if I were to travel overseas (especially to a country like Russia)?

Update: Dec. 4

A New York Times story today by Ron Lieber discusses the threat, however remote, to passport holders who would travel to certain countries.  The article also mentions the "deep fake" technology as a possible complication (see Dec 4 posting on that specifically, above this one). 

Sunday, November 18, 2018

Frequent flyer miles being stolen from PII on the Dark Web

Hackers are stealing and selling frequent flyer miles on the Dark Web, according to Experian, in a story here

The details come from a report by Comparitech. 
If miles are stolen, it normally means your PII has been compromised from other sources. 

How many people watch their frequent flyer miles balances?  I don't fly often enough on the same airlines to do this. 
Experian offers searches of the “dark web” (similar to those offered by Reputation Defender in the past) to look for stolen evidence and now evidence of stolen miles.   It’s not yet clear how airlines will respond.  These could complicate TSA security.

Friday, November 02, 2018

Identity theft used for dating scams

WJLA7 last night reported a scam involving the use of stolen identities in dating apps.
I couldn’t find the story last night, but people have found that their identities have been used by others to collect support under false pretenses, whereas people sending the financial support have been scammed.

The documentary film “Online Dating Scam” from early 2017 explains how it may happen.

I don’t use dating apps, but Economic Invincibility discusses it on YouTube in his channel in May 2018. I like the metaphor “A little minnow about to be devoured by a shark.”  He thinks that the smartphone has destroyed the older online dating world.

Monday, October 22, 2018

FICO will make a major change for consumers with lower credit activity volume

Fair Isaac will make a change to FICO score calculations in early 2019, according to AnnaMaria Andriotis of the Wall Street Journal. 

FICO will consider how a consumer manages cash accounts with checks, deposits and withdrawals as well as traditional repayment behaviors.  It is believed this will improve the scores for many consumers with little credit history but stable finances.

When I worked for Chilton in Dallas in the 1980s, the colloquial name for FICO was "risk predictor". 

Monday, October 08, 2018

Credit freezes -- they're free!! (and hard to find on websites)

As Ann Carrns reports in the New York Times, credit freezes are now free, and many feel people should do it.  Here is the article as of Sept. 14. 

But the freeze scripts are often buried deep within websites, as companies try to sell you pleonastic monitoring services.  

The free freezes were part of Trump’s financial re-regulation package.

The AARP related that just 14% of its members use the freezes.
Experian (aka TRW aka Chilton and Pinger) has a detailed page on credit freezes here

Tuesday, October 02, 2018

Rideshare identity theft involving "rented" driver accounts

NBC in San Francisco has reported a scheme of “rideshare driver identity theft”, where brokers set up accounts on Lyft (and possibly Uber) and allow others to “rent” the accounts without going through the usual background checks.

NBCBayArea has a detailed report here.
The report lists eight ways to identify your driver, and the flaws with each method. A driver who does not respond to a text may well be fraudulent.

Monday, October 01, 2018

Porch thieves use stolen personal data to create fake credit accounts in homeowner's names

WJLA7 has uncovered a new identity theft scam, whereby thieves who have obtained stolen personal information from a security breach on the Internet order credit cards in the victim’s name and steal them from a porch before the victim comes home. Here is the story.

The scheme only works with houses or townhouses accessible from the street where the thief has a home address that matches normal credit reporting company records.
In some cases, thieves stake out FedEx or UPS or even US Mail deliveries. Homeowners can stifle the plans with camera surveillance, but often don’t find out until they see a credit report or a bank texts them about an unusual charge.

Monday, September 24, 2018

Followup on Facebook ID protection: You can use advertisers to prove who you are

Just to add to the post of Sept 14.
It appears that Facebook requires that individuals who want to “boost” issue-oriented posts on their pages in advertorials (posts that don’t actually sell anything or ask for donations for a non-profit) have to have proven their US “identities” by having purchased at least one ad in the past for a product they were selling in a conventional manner.  Adsense, Amazon Associates, and ads bought for them by POS publishers for books don’t count.

Also, Facebook has terminated accounts of police departments (like in Memphis) who use fake accounts to entrap some activists or to spy on groups like Black Lives Matter. 

Friday, September 14, 2018

Facebook gets into the business of preventing ID theft for boosted posts

Just a quick note.  If you submit a post of issue-oriented commentary on your Facebook page (not member account) and don’t try to sell anything and then try to boost the page, Facebook may turn you down and do a very careful vetting of your ID and residence (to make sure it isn’t Russia).
This will include photographing both sides of your driver’s license and having a letter sent to your residence (not business or PO) along the lines of my own proposal in the past based on NCOA.

Monday, August 27, 2018

China has started implementing its social credit system; could such a concept happen in the US with credit reporting?

Business Insider has reported that China has already started implementing its social credit system, based on surveillance. 

People who get penalized can be denied some accommodations and Internet services.  Some of the bad behaviors are familiar in credit reporting (late payments), but they also include spending too much time on video games.

Could anything like that ever happen in the US?  Could charities get control of ranking individual citizens’ “community engagement”?
There’s also a problem that when people use sharing economy services (rideshares and especially Airbnb) they can build up reputations as consumers.  Could these find their ways into the credit reporting systems?

Tuesday, August 21, 2018

Russian "Fancy Bear" creation of fake websites could create an identity theft threat

A recent report by major news media on Russian hackers creating fake websites relative to some conservative think tanks and politicians could have serious implications in the identity theft world. 
Alex Johnson has a typical story about “Fancy Bear” on NBC News. 

The implication is that foreign hackers could create websites purporting to belong to controversial individuals.  This might work with celebrities, but would possibly be very serious for those less well known if foreign interests wanted to make examples of them in order to show a certain kind of combativeness.

Hosting companies and domain registrars could be pressured to prevent fake registration, or (without net neutrality) telecom companies could be pressured not to allow them to connect. 

There have been numerous cases of fake Facebook profiles of even lesser known people (this has happened to me once, and it was caught quickly by a friend before any material was posted on it). 

Usually these get removed quickly.  Twitter also has a false profile problem with celebrities, but has gotten better at catching and removing them.  When you find a celebrity profile with few or no tweets, you can question whether it is fake.

Platforms in which a person does not have an account can present an issue.  When I got an Instagram account, I found a fake one there with no posts, and it had to be removed first.
There could be serious problems if lesser known people were falsely implicated in criminal activity by fake profiles.  This is also obviously an “online reputation” issue.  There have been prosecutions when a person’s router was used surreptitiously for criminal purposes.  This can also be a problem when having guests (hosting or Airbnb), and is usually handled by allowing only guest account use.

Experian actually recommends people register their families (or even every member) as domain names through ICANN as an identity theft prevention tool.  But I can see how this could cause objections.

Russia still insists it "hears" (from Trump) that there was no "meddling" in the 2016 elections.  These attacks may have been directed at those who were most critical of Putin, this time.  Remember Sony and North Korea. 

It could be possible for someone's identity to be hijacked overseas, and be arrested only when in another country, maybe if compelled to travel to a less stable country for work. 

Wednesday, August 15, 2018

Banks and retailers capture user behavioral biometrics to stop impersonation

Retailers and banks are using “behavioral biometrics” to determine how you swipe, tap, or handle a mouse. NYTimes story by Stacy Cowley.  
This could be useful in identifying fraud at ATMs (there is a recent scandal in progress overseas; see the Mike Snider story on USA Today).   So it sounds useful to limit identity theft.

It could be helpful in providing security to websites, to help identify malicious logon attempts (with Jetpack and Sitelock). 
But it also means that a lot more data is being collected that hackers could find some day.

Thursday, August 09, 2018

Which states are the worst for identity theft?

The Denver Post has a story by Tynin Fries ranking states as to losses due to identity theft per capita.
Nevada was the worst, but Colorado was second.  The other states are big urban states: California, Maryland, and New York.  Colorado’s loss per victim seems to be about $4400.

It still is hard to believe these losses are unrecoverable.

This recent study was from SecureLife.  But a 2017 study had ranked Michigan as #1.

A good question would be to relate identity theft to election fraud.  We’ll come back to that later.

Tuesday, July 24, 2018

Experian's tips for vacation travel

Experian has an article giving advice on avoiding tech scams while on summer vacations. 

Attackers may set up servers with names spelled similarly to those of legitimate hotel servers, within a few hundred feet of the hotel.

Experian recommends either getting a VPN or using the hotspot from your own smartphone provider (which can be put on the phone or be a separate physical device – although the latter means one more electronics item to get through the TSA).

Experian has a separate article on preparations before leaving home for the airport. It recommends limiting the credit cards you carry to just two or three, and contacting your credit card company for these cards.  It is also advisable to contact your home security company. 

Friday, July 13, 2018

Mueller's probe reports widespread identity theft as a result of Russian hacking; who is liable?

Around noon today, Deputy Attorney General Rod Rosenstein announced indictments of twelve more Russians for hacking activity associated with the 2016 elections, as part of Mueller’s probe.

The announcement seemed controversial since it occurred during Trump’s Europe trip.  

Rosenstein emphasized that no American citizens were charged, and that there was no finding that the hacking changed the election.

But he said that around eleven individuals had their identities stolen.  It was not clear if these were Americans or other western nation citizens.
It is possible for people to be held liable for misuse of their identities in some circumstances.  Some employers presume that associates will take absolute responsibility for any misuse of their identities, as with credit checks. So this is a noteworthy announcement.

Sunday, July 01, 2018

112-year-old veteran in Texas has bank account drained by identity thieves

Sometimes the very elderly are targeted by identity thieves.
Richard Overton, in Austin, TX, now 112 and a WWII veteran, found his bank account drained by an identity thief who had found his social security number and checking account number.
CNN has a detailed story here. The GoFundMe account that funds his home health care was not involved. Fox News has a similar story here
It’s very important for everyone to watch bank accounts regularly online and notice irregularities. The news stories don’t report if the bank can recover any money. It is also unclear if his identity was breached by any one of the major corporate breaches recently (like Equifax). 

Wednesday, June 20, 2018

Identity theft of the deceased is increasing

Identity theft of a deceased person seems to be increasing.

AARP has a list of tips that estate executors should follow, here.  For sure, notify Social Security (not doing so and allowing payments to continue may be a crime), and notify the state to revoke a driver’s license.  Credit card companies will not allow cards in the deceased’s name to continue, and trying to use one as a “trust” card could be illegal (even though the executor pays the bills properly). The executor must replace the card with the executor’s or trust name on it.
The IRS recommends sending a death certificate copy to each major credit reporting company. 
The Digital Executor nomination becomes an issue here.  Most social media companies will delete accounts with no activity at all after some period of time.  Hosted accounts would expire for lack of payment (as could domain names).

Tuesday, June 12, 2018

Vehicle identity theft, warning from Experian

Experian is warning consumers about “Vehicle ID theft”, whereby thieves use stolen VIN info to drive away a car from a lot and saddle you with the debt.  Experian’s link on the problem is here.
Thieves would need to steal vehicle registration to make the scam work.
The problem would seem to happen at motels where travelers cannot see their cars.

Also, look at the problem of car dealer ID theft here

Monday, May 21, 2018

Former debt collector sets up charity to buy back and forgive medical debt (RIP)

Craig Antico, a former medical debt collector, has formed a non-profit called RIP Medical Debt, which buys medical debt for pennies on the dollar so that individual debtors can be forgiven. 
NBC News has a video and report here.

I worked for RMA, a debt collector, in the summer of 2003 near St. Paul, MN.  It did have a division that collected medical debt.  

Antico said he used to make 200 calls a day as a bill collector.  That sounds about what I did.

Wednesday, May 16, 2018

Superhero comic character creator sues his own company for international identity theft attempt

Superhero creator Stan Lee has filed a $1 billion lawsuit against a company he helped found.
He claims executives at Pow! conspired to create a deal to sell Pow to a company in China and then to steal Lee’s identity.
The CNN Entertainment story is here.

It’s hard to believe anyone could pull anything like this off.  But maybe business in China is that opaque.

I got odd requests in 2013 about registering my own domains in China, where I would probably be banned for my political content.

But the possibility of creating someone’s identity in a foreign country, especially a non-democratic one, sounds like a broader danger.  It’s unclear if that would have repercussions for an “average American” unless he/she traveled to the country.  It’s hard to believe fictitious international debts could be successfully pursued.

Tuesday, April 17, 2018

Unusual murder by elderly woman in Florida motivated by identity theft

In a bizarre case of female evil, a woman who shot her own husband in Minnesota fled to Florida, and then killed a woman who looked like her to try to assume her identity.

A station in Florida gives the bizarre account here
The perpetrator is elderly, “grandma”.  Very unusual crime, right out of the movies.
Authorities have already said that identity theft is the Number 1 crime in Florida.

Monday, April 16, 2018

Facial recognition data from leaked social media sites could lead to private blacklists

Forbes reports on a huge worldwide facial recognition project sponsored by Israeli security and hiring ex-spies.

The project would use Facebook and other data taken from social media companies by efforts like Cambridge.
Governments could use the information to build blacklists to keep out “terrorists” and private companies could develop and sell such secret blacklists.

EFF tweeted the story today. 

Sunday, April 08, 2018

Very private data may have been taken from Facebook Messenger, but could also have been taken from personal blogs

The data that may have been available to foreign analysts like Cambridge seems more private and extensive than I had thought, including the contents of private messenger, facial recognition data, and contact information for friends, as in this CNN Money story.  
Since this data could have been matched with dark web data based on other corporate hacks, this seems especially disturbing.
However, it’s also true that considerable data about people who had blogged or self-published articles openly on the web could have been available anyway, even without modern social media, if enemy interests really wanted to target ordinary American civilians based on political or religious affiliations – a possibility that would raise new national security concerns were it to ever unravel.  Even shared economy data about consumers (which shows physical location) could come into the mix. 

Thursday, April 05, 2018

Feeding of Facebook breach from Dark Web raises id theft risk to users

Craig Timberg, Elizabeth Dwoskin and Tony Romm write a front page Washington Post story Thursday, April 5, 2018, “Facebook: Bad actors likely hit most users”, link.

Beyond the previous announcement of 87 million accounts compromised there is the bad news that criminals took data from the dark web, from previous corporate hacks (possibly Equifax) and fed it into Facebook.  It took some sophisticated programming to do this, but in Russia young adults don’t have good legitimate jobs. 

Therefore, you have to say that, especially overseas in authoritarian countries, the hack could present a real ID theft risk to many Facebook users after all.

There is also a lot of extra concern about the compromise of minors' privacy, literally as part of the business model. 

The regulatory consequences could be quite substantial.  Facebook seems to have violated its agreement with the FCC in 2011. 

Thursday, March 22, 2018

Could Facebook's breach lead to an identity theft risk for some users?

The enormous concerns over the recent misuse of Facebook data by British company Cambridge Analytica naturally could raise questions about possible identity theft. 

Is there really a danger?   I would think not.  Most of the data taken, even of “friends” was non-specific, such as likes or sites visited or purchases.  It generally was not PII as usually understood. So this leak is not as "dangerous" as, say, the Equifax hack. 

Some accounts say that facial images were taken.  Because facial recognition software exists, this could present a security problem for individuals.  I’ve written before here that people in bars and discos are more sensitive to photography by strangers now than they were, say, back in 2010.
However, the Identity Theft Resource Center writes essentially that there could be some risk from very determined foreign hackers who want to target someone.

Thursday, March 08, 2018

Russian identity theft scheme gets past usual fraud detection

Russia’s troll “animal farm” seems even more insidious than we thought a month ago.
The Russians were able to match up stolen social security numbers with driver’s licenses, Paypal, credit and bank accounts.  The Verge has a more detailed story Feb. 16 by Russell Brandom, here. 

That means that the normal fraud detection at institutions wouldn’t work.

Yet it seems as though this would involve setting up fake identities that don’t overlap the real person’s activities, otherwise it would be quickly detected.

The recent practice of porting smartphone numbers could have been involved.
I wonder about the phone call I just got offering me a $200,000 line of credit for no reason.  Is there another copy of me overseas somewhere?  Could I get arrested if I go overseas over this identity?

Friday, February 16, 2018

Russian election hack may have used synthetic ID theft of real US persons

It appears that some of the fake Facebook and other social media accounts involved with the 13-point Mueller indictment today may have been created as synthetic fake people with info stolen about real US persons, as in this Wired story.
It does not appear that there was widespread direct harm to the persons stolen (credit scores, false prosecutions).

A fake profile of me was created on Facebook in early 2016, caught by a friend, and removed by Facebook before I knew about it.  It has no content.  But it is conceivable that this could have been Russian activity.
A detailed story in the Washington Post about the indictment by Rosalind S. Helderman and others appears here.
Apparently some real US citizens joined fake groups not knowing these were Russian.
Here is a Scribd pdf text of the US Attorney in Washington DC (37 pages).  It is said to read like a spy novella. 
It is not clear how easily individuals named could be extradited and prosecuted.
The story could turn out to be relevant to “fake business scams” currently discussed on my IT jobs blog.

Monday, February 12, 2018

Equifax hack even worse than previously thought; DL info could be exposed

The Equifax hack was worse than we thought.  Maybe it is “so bad”.

It looks like it compromised names, social security numbers, tax id’s, and driver’s license, for up to 143 million people. DL exposure could complicate TSA security. 
Tech Republic has a current story and video by Alison DeNisco Rayome, here.
The company that I worked for in Dallas in the 1980s, Chilton, was very nearly bought by Equifax in 1988 before TRW made a better offer (now it’s Experian).

But all my work there in the 1980s was on a mainframe, on member billing systems, with little interface with consumer records.
There is unusual attention this year to the possibility of IRS W-2 fraud, which could be related to Equifax.

Tuesday, February 06, 2018

Experian lists 20 kinds of identity theft

Today Experian (aka TRW, Chilton, and Pinger) offered a missive “20 Types of Identity Theft and Fraud,” the long list here.

Some are surprising.  One is driver’s license ID theft, very common, and it gets around the picture. Another is Biometric.  Still another is if a criminal gives your identity to police when arrested, which can make the police come after you, although it’s hard to see how a police department doesn’t catch it.

But one possibility would be to get into someone else’s Internet accounts, social media or domain, and place illegal content there or distribute from it, framing the other person.  This hasn’t happened as much as one might fear it could. Another is using someone’s wifi router for illegal purposes, causing that person to have his account canceled. 

Saturday, January 06, 2018

People with trusts might have to be careful when in their own name, if someone makes a fraudulent id-based claim and judgment; is overseas debt a risk?

Every few days I get an email with a spoofed sender address that purports to claim some stuff was bought using my iCloud signon.   Often they are games, and most of them are in Jakarta.  I think there has been one claim of a purchase in the Philippines (on one of the southern islands having violence), and a couple in former Soviet republics.  So it sounds like a simple phishing attack.

There is never a bill on a credit card, and I forward them to

I wonder, if someone had my SSN and somehow created accounts in foreign countries and ran up bills, could I ever be pursued for them?  I would think not unless I traveled to the country.

But it is possible for people to be pursued for judgments for fake accounts using their social security numbers.  In my case, I think it would be pretty easy to prove that it wasn’t me. 

Here’s the rub.  I have two trusts based on inheritances.  A lot of it is in my late mother’s name.  Some has been used to my name only, because for some future purchases that works better.  The part under mom’s trust name is supposed to be immune from creditors.  There could be a theoretical risk of seizure of money in my name only.  Inherited money might not be as well protected (if derived from an estate) for essentially “political” reasons, from tampering in a case like this.

I’ll check with Apple soon (at a store) and see if they know what is going on overseas.