House Legislation Would Crack Down On SSN Thieves...Except Not

Anne Broache from CNet has the story:

At 56 pages (PDF), the latest effort is far lengthier and more prescriptive but includes many of the same provisions. It was introduced Monday by Reps. Michael McNulty (D-N.Y.) and Sam Johnson (R-Texas), who lead a House subcommittee on Social Security that claims to have held 16 hearings on the subject.

The new bill, called the Social Security Number Privacy and Identity Theft Prevention Act, appears likely to prompt the same concerns from privacy advocates about the number of carveouts on SSN sales it proposes. It would permit the sale and use of the identifiers "to the extent necessary" for law public good," or, of course, with the SSN holder's consent.

Of course, with all of these exceptions, there might as well not be any legislation at all. I'm especially amused by Acxiom demanding more handouts for SSN trading, given that said firm has been involved in not one, but two high-profile data breaches. The national security exception will give Acxiom all the latitude it needs--especially since the Justice Department has been engaged in aggressive data mining using information gleaned from consumer databases.

The only way to end the danger of the SSN as a key to identity theft is to stop using it as an identifier for all but the most pressing business. As long as any exceptions are made for its use, even for the best of purposes, even the strongest criminal penalties will simply be slaps on the wrist, ineffectual after-the-fact solutions that don't address the underlying problem.

VA Secretary Jim Nicholson Resigns

From Talking Points Memo, via the AP:

Veterans Affairs chief Jim Nicholson, who was forced to defend his agency's performance after revelations of shoddy health care at Walter Reed Army Medical Center, announced Tuesday he is resigning to return to the private sector.

I mention this not only because Nicholson presided over the horrific and unacceptable treatment of wounded soldiers at Walter Reed, but it was also on his watch that the VA suffered one of the worst data breaches yet, thanks to an employee who took a laptop home containing personal data that he wasn't authorized to have, and promptly got robbed.

Of course, the Feds claimed that the recovered laptop had not been used for fraud, but in light of news that subsequent breaches followed the same pattern, it's easy to be cynical. I'm sure Nicholson will be happy to return to the private sector where it's okay to cover up data breaches, but in the main, he's let his employees, the people under his care, and the country down, and it's long past due that he beat feet.

I also note that the timing is interesting, given that Nicholson just announced a major initiative to increase treatment and services for soldiers affected by mental trauma and PTSD. Again, given the bad track record, it's tough to be anything but cynical, so we can hope that the new direction fares better with him not guiding it.

GAO: Data Breaches Rarely Lead To ID Theft

"Yep, breaches have no impact whatsoever. Trust me on this..."

The Government Accountability Office released a report yesterday stating that it was difficult to link data breaches to confirmed cases of identity theft. The GAO also recommended that agencies and businesses adopt a "risk-based standard" for notifying affected people about data breaches. You can read the report here, and my article about it here.

I think the idea of trusting a business or government agency to handle its own internal review or risk study for a breach is akin to going hunting with *** Cheney and expecting to not get shot in the face. Of COURSE they're going to say there's no risk to consumers and that the costs of notification, credit monitoring, etc., aren't necessary. For the vast majority of companies and gov't agencies who have let data get exposed, a breach is just the cost of doing business.  

I might entertain the idea that a neutral third-party actor could be entrusted to handle the risk audit--someone from the Identity Theft Resource Center, perhaps. Otherwise the idea is just stupid on its face. Shame on the GAO for dropping the ball on this important issue.

David Bach on Protecting Yourself From Identity Theft

Financial author and columnist David "Finish Rich" Bach has followed up his November column on identity theft with some more useful discussion, particularly around the ease with which thieves can utilize a Social Security number, name, and address to become another person:

In 2006, there were about 230 million Social Security numbers held by individuals. As Abagnale puts it, those are 230 million targets of opportunity for identity thieves. If someone gets their hands on your name, birth date, and Social Security number, that's all they need to become you.

Bach is referring to Frank Abagnale of "Catch Me If You Can" and PrivacyGuard fame there, by the way. This, in particular, raised the ire of many of the readers, some of whom pointed out that PrivacyGuard was (at least a few years ago) possessed of a rather shady privacy policy. I don't use the service myself, so I can't say if they've cleaned up their act or not, but the fact that Bach didn't do his due diligence before mentioning this got him shredded. You can view their current privacy policy here.




Bach also references Sen. Patrick Leahy's "Social Security Number Misuse Prevention Act," which would severely restrict the commercial use and sale of SSNs--but provides a public records exemption that could be a major loophole. Still, it's progress.

One of the commenters on Bach's article notes that doctors, hospitals, and other medical services regularly ask for your SSN as an identifier, which can be a gateway to medical identity theft. All of that personal information on a person's medical history, just waiting to be stolen and reused for expensive medical procedures, and with very little in the way of safeguards to protect against it or restrict dissemination of the number.

Overall, Bach's advice is good, but he could have done better--and the commenters aren't cutting him any slack. Proof positive that ID theft is a topic that touches a raw nerve in a lot of people, and that the "basic" advice isn't cutting it anymore.

Fidelity Data Breach, or When Employees Go Bad

The breach of 2.3 million customer records by a former Fidelity National employee is a perfect example of how a person can do everything possible to protect themselves from being hit with identity theft or fraud, and STILL get endangered through no fault of their own.

Obviously, William Sullivan went bad for some reason--we may never know why he did that. Money? Revenge? Sexual favors? It probably doesn't matter. What matters is that he did, and that he was able to exploit the internal controls of his company and cause a tremendous amount of damage.

How did he do that? How was he able to get access to data he wasn't authorized for and distribute it so easily? How was it that he was able to camouflage the theft so well that Certegy needed to call in the Secret Service to track it down? Simple--the company's internal security procedures for payment processing were weak. Sullivan was able to find holes in the everyday business routine and get access to data he wasn't supposed to have, and used that information to leverage connections in order to resell it.

Nature abhors a vacuum, and data breaches are not exceptional in this regard. A recent Inspector General report on the VA laptop loss explains this perfectly:

The report also pointed out that administrators there gave the IT specialist access to more data than they should have. He also was given programmer-level access that allowed him to extract information from medical records. " In one instance, he inappropriately incorporated employee health records into a research database, compromising the privacy of VA employees and violating the terms of the protocol," the report stated.

Not only did the VA analyst cover up his own screwups, but he had access to more information than he should have, causing even greater screw-ups still. It's a failure of a workplace culture and one of the main reasons these breaches happen--people let everyday screwups become a matter of practice, and then when a catastrophe occurs, rush to cover up the incident and put Band-aids on it. Doesn't work.

Credit Bureaus Cause Identity Theft And Undermine Our Economy

Crossposted at Private Intelligence. Feel free to comment here or there.


USA TODAY has a great (if unintentionally unflattering) look at the efforts by the bureaus' lobbyists to stop states from adopting credit freezes:

When this trend began to gather steam in 2005, the CDIA deployed Ellman on a series of trips to Montana to dissuade lawmakers from adopting one of the nation's most pro-consumer credit-freeze laws. "He was here so often, I jokingly told him he should start paying state income tax," says Claudia Clifford, Montana-based lobbyist for AARP, a staunch consumer advocate for freezes.

There are a few key paragraphs that really break the issue down past Ellman's protestations and the surface issue. Here they are, with my emphases bolded:

"However, credit freezes could also cut deeply into the credit bureaus' core business. The Big Three issue billions of credit reports each year in support of loan applications. The combined annual revenue of Experian, Equifax and TransUnion tops $4 billion, reports Hoover's. They issue yet more reports to enable lenders to target consumers with junk mail and telemarketing campaigns for new credit cards, auto loans, mortgages and student loans, says John Ulzheimer, president of education for Credit.com, a consumer credit consultancy. Ulzheimer is a former manager at Equifax and at credit scoring company Fair Isaac....

"The mandate of placement of a freeze within 24 hours may compromise the accuracy and integrity of consumer reporting files, the very files banks, credit unions and other businesses rely upon to ensure safe and sound lending decisions. In short, the foundation of the credit economy is the credit bureaus. Rattle the foundation of the credit bureaus, and you rattle the foundation of the credit economy."

The foundation of our economy is now largely predicated on the lending of money and the selling of services, rather than manufacturing and creation of products. So much of our domestic product is consumer spending that ANY reduction in the easy access to credit will cause catastrophic consequences. Americans are already cutting back on the credit card spending a bit--not a lot, but some--and even that has the financial services and retail industries shaking in their loafers. Imagine if every American in all 50 states could set up credit freezes any time they liked, for minimal or no fees--this would put an end to the "impulse buying" that so many lenders thrive on.

And people like Ellman KNOW this. That's why they so vehemently fight any attempt by ordinary people to get control over their information. Credit bureaus, with their inaccurate records, sloppy reporting, and painful dispute processes, are the biggest threat to your identity. Identity theft, fraud, and data breaches are just a cost of business to the bureaus, but the idea of not being able to sell people's data to affiliates and marketers is a fate worse than death. And this is why they're pushing to get weak federal laws to preempt stronger state laws...and why they have to be opposed.

Does Posting Employees' Salaries Lead To Identity Theft?

Editor & Publisher has posted a few interesting stories recently about local media outlets posting--or pushing to post--the salaries of state employees online. There's a case in Michigan that's causing a lot of drama, and now there's a similar push for transparency in South Dakota. From the Michigan story:

"We have people in children's protective services, in probation departments, police, and people get killed all the time, or you have people who are trying to hide from an ex-boyfriend or a spouse," Kilar said. "We're not upset about the release of the salaries, because that's public information. It's the release of the other information that we're upset about, definitely. We think this is classic poor journalism."

I've been doing some random searches of the Michigan database, and the information is fairly tame--names, job titles, county assignment, and their salaries. Although the names could be used by themselves for fraud, you'd really need something more like the "holy trinity" of personal information--name, date of birth/address, and Social Security number--to get a scam like that going. It also doesn't seem to share any serious personal data such as office #, e-mail address, or physical address. Now, anyone who seriously wanted to stalk or harm someone listed in this database COULD get that info, but they could probably do so much more easily by other means.

I think the primary concern here is embarrassment at how little some of these folks are paid, which is probably the opposite emotion of what Mickey Hirten was trying to induce. His tactic is obviously to get Michigan residents to get up-in-arms about how overpaid the state workers are, but based on some of these salaries, I'd say a few of them should be paid MORE. :)

In any case, as long as these databases don't post any sensitive personal information (SSN, personal address, and the like), they're a good blow for good government, but they should be watched carefully to ensure that no one goes over the line.

U.S., U.K. Team Up To Smash Pedophile Ring

This isn't really identity theft related, but since we're boosting interest in TrueScoop, I wanted to mention it:

LONDON - British police, aided by U.S. authorities, have smashed a global Internet pedophile ring that broadcast live-streamed videos of children being abused, investigating more than 700 suspects worldwide and rescuing 31 children in a 10-month probe, officials said Monday.... The ring was traced to an Internet chat room called “Kids the Light of Our Lives” that featured images of children being subjected to horrific sexual abuse, including the streaming live videos.

See, that's how you do it. Investigation and enforcement. Not by passing dumb laws or causing hysteria. You find the bad guys and bring them in.

Actually, I wonder if any of these creeps might've been involved in this scam as well. Who says there's no such thing as karma?

LifeLock In The Crosshairs With Hit Job

A few weeks ago there was a news story making the rounds that claimed identity theft protection company Lifelock had some very shady business in its past--specifically that one of its co-founders, Robert Maynard, was involved in identity theft, fraud, and other unscrupulous dealings. The news quickly made its way around the Internets, with respected anti-fraud bloggers like Ed Dickson smacking up the company -- and rightfully so, it seemed. I didn't comment because, for one thing, MPI and Lifelock are partners in the same space, and honestly because we didn't know the whole story. I am no stranger to working for companies that piss the right people off, nor to how they retaliate.

And that story has just gotten more complicated--Michael Arrington of TechCrunch claims that he got the info on Lifelock from an anonymous tipster, and said information was so massively detailed and organized that he suspects a deliberate hit job:

The primary businesses of the credit bureaus is selling our personal information to credit card, mortgage and other credit-issuing companies. They are one of the primary facilitators of identity theft and credit fraud. Bureaus don’t like services like LifeLock because they pull people out of their information-selling machine. LifeLock is a direct threat to their revenue. Is this enough of an incentive for the bureaus to organize a hit job on a company?

It wouldn't surprise me at all if this were the case, honestly--the major credit bureaus have been getting away with murder using our personal data as the weapon for literally decades. Their lack of security protection makes them a primary source for identity theft, and their incredibly poor vetting for information accuracy makes them the bane of many a harried consumer's existence.  Given that it costs much less to use their vast resources to dig up dirt on people than it does to fix their business model, it would be no shock to find out that a well-placed employee at one of the three major credit agencies spread this info on Maynard.

I'm glad Maynard did the right thing and resigned. I can completely sympathize with what he went through--just like if you're on a bender, you can do some really stupid stuff if you're off your meds. It's a shame it had to come out like this, and reading David Cowan's account definitely provides context, but still--the smear job has been done. A lot of people will not be so quick to trust Lifelock's services now.

And perhaps that's for the best. You should never sign over your personal info to any company--no, not even mine--without checking them out and seeing if they're aboveboard. Whether you're a VC, a CEO, a marketing guy, or a customer, it comes down to respect, honesty, and trustworthiness. If that's ever tainted, it takes a long time to undo the damage. But it CAN be undone, and we should be willing to forgive and forget. Once, at least. ;)  

We may never know the whole story, but in the end, what matters is that Lifelock is out there doing their job, and if they don't do it, customers will react accordingly. 

Identity Thieves Steal From Child Pornographers (aka When Bad Meets Evil)

This scam is social engineering at its finest:

Authorities say an on-going investigation centers around an East European crime ring that operates numerous child pornography websites. When a person attempts to purchase access to the sites, they are directed to a bogus payment processor page and instructed to enter their credit card information, including CVC code and expiration date. Investigators say the criminal ring uses the credit card information to purchase new child pornography domain names and ISP hosting space. When victims discover the fraud, instead of reporting it to law enforcement, they typically just pay the charge and report the card lost or stolen, officials say.

And given how most major banks will immediately cancel and reissue cards while waiving any charges made, it's a perfect circle of skullduggery. The ID thieves get the PII to use, the child porn guys get their cards replaced, and no one is the wiser.  If these guys just stuck to victimizing each other, we'd all go about our merry way.

Unfortunately, that's rarely what ends up happening.

By the way, I'd be remiss if I didn't mention that MyPublicInfo has this great new tool for checking out sex offenders and child predators who may be in your neck of the woods, called TrueScoop. Just sayin'. ;)

FTC Chair Majoras Discusses Identity Theft

USA Today's Kimberly Palmer has the scoop:

What should people do to protect themselves?

The first thing to know is that you need to be a smart consumer about protecting your personal information both online and offline. Online, you never give account information out unless you've initiated the contact. Don't throw away your bank statements that have your account numbers on them. Make sure you shred them. Make sure your wallet isn't lying around when you have people coming in and out of your home. Check your bank account and credit card statements very carefully to make sure there are no unauthorized withdrawals or transactions, and you need to check your credit reports from all three credit bureaus at least once a year. If you are victimized, act immediately. Report it to the police department, call the credit bureau, get an alert put on your credit report, and report it to the FTC.

It's all good advice, but Majoras stumbles by talking about a need for a federal anti-ID theft law, especially since the new joint FTC/DOJ identity theft plan would squash state-based plans in favor of weaker federal laws. Don't get me wrong--I'm not against the idea, but federal laws should be the floor from which state laws can build, not the ceiling.

Under Majoras' leadership, the FTC has generally done a good job of taking the lead on ID theft awareness (Check out their snazzy ID theft subsite, for example!), but the pernicious influence of business interests would definitely prefer a bunch of weak federal laws to strong state laws, so I can't give her top marks for this.

Get The Truth With TrueScoop

We interrupt our regular ID theft blogging for a moment of corporate whoredom:  

One reason why blogging here has been so sparse of late is that we're currently beta-testing our new search service, TrueScoop.

TrueScoop is our entry into the world of what I call "niche search," a search engine that's tailored to search for a few things only, but searches for them REALLY, REALLY WELL. :) In this case, we're focusing on sex offenders and child predators--giving parents the tool they need to ensure their kids are safe, and providing lots of functionality to do so in one easy-to-use interface.

It's still getting up on its feet, but in time this has the potential to be a very useful and reputable service. Try it out and feel free to send us copious feedback.

We now return you to your regular blogging schedule, already in progress. 

A Tale Of Two Spyware Bills

Yesterday the House of Representatives approved an antispyware bill, called the "SPY ACT" for short, that would mandate the easy removal of intrusive programs from users' machines and require companies that collect information or install software to warn consumers prior to doing so. Sounds fairly benign, right?

What makes this interesting is that this bill has been competing with another bill that takes a narrower approach, focusing on criminal enforcement of known spyware vendors. That bill, not to be outdone, is called "I-SPY."

Although Declan McCullagh does a good job of outlining the struggle between the various factions that support one bill over another, his legendary libertarian leanings come out in the obvious contempt for any sort of regulatory approach towards defeating spyware. What Declan does not address--which surprises me--is the major sticking point of both of these bills, which I mentioned in my article:

Although clear disclosures of potential spyware seem like a win for users, the SPY Act also preempted state-level antispyware laws, limiting venues of redress to state Attorneys General and the Federal Trade Commission (FTC). In addition, it contained many exemptions that could enable security vendors to install spyware on users' machines and monitor their activities. Both I-SPY and the SPY Act prevent individual legal actions against spyware purveyors. If I-SPY becomes law, cases such as the Sony rootkit scandal could not be pursued in civil court, or as part of a class action suit.

Both of these bills not only close off potential avenues of redress for consumers who are victimized by spyware, but the SPY ACT actually preempts state laws, which are often better and stronger in terms of enforcement and scope. That's why the industry is playing both sides by favoring both bills--they win either way, as they have much more control over the content of the legislation--and thus the law--at the federal level.

I sincerely hope neither of these bills becomes law, and I urge you to call your Congressmen and tell them not to support either bill until they are revised to eliminate the preemption clauses. In this case, no action is better than some.

Wachovia To Post Office: We're Buying AG Edwards, So Who Cares What YOU Think?

I apologize for being gone from the blog for a week(!!!), but things've been crazy here at MyPublicInfo and I haven't really had time to do much ID theft-related bloggin' of late. Luckily, it's been pretty quiet on that front as well.

I did run across something amusing today, however. It seems that the U.S. Postal Service is taking issue with a recent Wachovia ad blaming mail services as a leading cause of ID theft:  

Postmaster General John Potter today attacked Wachovia Corp. for suggesting in a TV ad that the mail was a major source of identity theft -- and that customers should pay bills online instead. Asserting that mail accounts for less than 4% of identity theft and that the problem is already confusing enough to consumers, Mr. Potter first ripped the ad, created by Interpublic Group of Cos.' Mullen, Winston-Salem, N.C., without mentioning that it was for the nation's fifth-largest bank.

Now, the biggest offline source of identity theft isn't in the mail, per se, but it comes from all the crappy junk mail and direct marketing solicitations that people get hit with because companies--including banks like Wachovia--sell people's information to other affiliated businesses. Given that fear of identity theft and the like is driving consumers away from conducting business online, it's disingenuous for Wachovia to take shots at the Post Office when they probably contribute their own healthy share of junk mail offers for credit cards, home equity loans, etc.

To be fair to Wachovia, they do have a very comprehensive security and fraud protection sub-site set up.  And given that their massive buyout of AG Edwards just made them the second-biggest brokerage in the known multiverse, they probably don't care what a no-name federal agency like the Post Office thinks as it is. :)

As a reminder, if you want to stop or at least cut down on the amount of junk mail you get, visit OptOutPreScreen.com or call 1-888-567-8688. Also, be sure to contact your bank and tell them that you want to opt out of any policy they have for selling your CPI ("Customer Proprietary Information") to third parties.

Data Privacy And Guest Workers: It's Worse Than We Thought

As more information comes out about the new immigration proposal, it's becoming clear that the bill not only fails to comprehensively address the root problems of illegal immigration, but introduces a series of new risks to data security, privacy, and civil liberties through its proposed Employee Eligibility Verification System (EEVS) database.

While others focus on different aspects of the legislation, some IT analysts have pointed out that the federal government does not have the best record when it comes to protecting personal data or to minimizing errors in its databases.

"The government definitely seems to have two consistent problems—one is bad data getting into the database ... and the other is getting bad data out of the database," said John Pescatore, an analyst for Gartner.

As I often say, all the security software and procedures in the world won't be able to curb bad user habits, and if we already have numerous examples of government employees losing laptops, posting personal data on Web sites, and so on as it stands--how much worse will it get with this massive new treasure trove of information?

This excellent CNet article nails what one of the biggest problems with this bill is:

"I think it's a horrifyingly bad idea," said James Carafano, a senior fellow at the Heritage Foundation, of the mandatory verification system. "Most people in this country who unlawfully get a job do so through document fraud, which means they get some legitimate data and then they just present it as their own. This system is not going to check that."

Precisely. As long as verification rests on the authentication of breeder documents--which can be easily forged--this won't change anything. Immigrants will still be able to hit the underground economy and obtain forged or stolen information, which they'll then present to their employer. The employer will then dutifully present it to the EEVS, which will then make all of that data--regardless of its authenticity--available to DHS, and who knows what they'd do with it?

The more I look at this plan, the more it appears to have the makings of a massive disaster on every level--for security policy, for undocumented workers, for employers, and for ordinary citizens.