California Identity Theft Legislation (SB-20)

Earlier this week, SC Magazine reported that the California State Senate passed SB-20. This is good news for consumers. California Senate Bill SB-20 requires:

"... any agency, person, or business that must issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, as specified. The bill would also require any agency, person, or business that must issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit that security breach notification to the Attorney General."

Current laws require companies and agencies to tell affected consumers only that a breach occurred, and don't require the disclosure of details about the breach (e.g., number of consumers affected, types of data lost or stolen, events that led up to the breach, status of the post-breach investigation, etc.). While California has led the nation in passing consumer-friendly identity-theft legislation, this new legislation fills a critical gap. The additional requirements in California Senate Bill SB-20:

"The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information, as defined in subdivision (g), that were or are reasonably believed to have been the subject of a breach.
(C) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided, and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) The estimated number of persons affected by the breach.
(G) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number, or a driver's license or California identification card number."

In order to make timely and effective decisions to protect their sensitive personal data, consumers need to be fully informed about data breaches. In my experience, IBM's breach notice never disclosed the number of records lost/stolen or the number of consumers affected by its February 2007 breach. Nor did IBM disclose the results of its breach investigation, or even if it fired/reprimanded the vendor involved.

Earlier this month, my wife received a breach notice from her credit union. That notice lacked details about both the breach and the follow-up investigation.

The California Senate Bill SB-20 is a good bill. Thanks to California State Democrat Senator Joe Simitian for introducing SB-20. (He also sponsored SB-1386, the landmark 2003 identity theft legislation that paved the way for other states' identity theft legislation.)  I hope that the California Assembly approves it and that Governor Schwarzenegger signs it. I hope that other states pass similar legislation. If you agree, tell your elected officials today.

Is AT&T Honoring Its Promise To Do Behavioral Advertising 'The Right Way'?

Back in September 2008, AT&T promised in writing in response to a Congressional inquiry to do behavioral advertising "the right way." The right way meant getting consumers explicit consent before conducting behavioral advertising (also known as, "targeted advertising" or "behavioral targeting"). With that factual history, I found this MediaPost news item very interesting:

"AT&T has spent much time in this last year criticizing behavioral targeting companies for their privacy policies. But in contrast to its public stance, the telecom's marketing department has apparently been working with behavioral targeting company Audience Science to sell AT&T products and services..."

To be clear, behavioral advertising in and of itself is not evil. My concern is that companies communicate with transparency: tell consumers clearly and upfront what they are doing, and provide users with the opportunity to opt-in to any behavioral advertising programs. Consumers that don't opt-in don't get tracked.

I'm concerned because data breaches happen and companies collect vast amounts of sensitive consumers' personal data with behavioral advertising programs.

Providing consumers with an opt-out mechanism after the behavioral advertising program has already started is insufficient. The consumers' sensitive personal data has already been collected, and it doesn't give consumers real choice. Previously, ISPs conducted behavioral advertising without consumers' explicit consent, used the opt-out approach, made it difficult for consumers to find the opt-out mechanism, and made it nearly impossible to opt-out (e.g., the consumer had to opt-out repeatedly as the advertiser included new companies in its advertising network).

As I see it, companies prefer the opt-out approach because they hope that consumers will forget or won't bother to opt-out and they'll get more consumers in their program than otherwise. Opt-out is dishonest.

Based on this news report, AT&T seems to be doing the opposite of what it preached others should do:

"Yesterday, at a House Energy and Commerce subcommittee hearing, Rep. Anna Eshoo (D-Calif.) attempted to question AT&T Chief Privacy Officer Dorothy Attwood about the company's use of behavioral targeting. But Attwood misunderstood the question and said that AT&T doesn't use deep packet inspection technology to power behavioral targeting."

Not using deep packet inspection technology is a partial answer. Eshoo's question is about whether AT&T provides consumers with an opt-in choice before starting any behavioral advertising program:

"Audience Science, like many companies that track people online and then serve ads based on sites visited, allows people to opt out of targeting. But the company does not first seek consumers' explicit consent. That model remains legal -- and AT&T's relationship with Audience Science would not be an issue, except that AT&T has so publicly criticized the opt-out approach."

So, is AT&T going to practice what it preaches? Or is AT&T practicing do-as-I-say-but-not-as-I-do?

If you want to learn more about behavioral advertising, start with this prior post or select "Behavioral Advertising" in the tag cloud in the right column.

Data Breach Affects 5,000 Liberty Bay Credit Union Customers

Last week, my wife received a letter from the credit union where she banks:

April 16, 2009

Dear Member,

Re: Liberty Bay Debit Card

Although this is a general advisory for your information only, the Credit Union recommends that you cancel your existing card and have a new card issued.

MasterCard has recently informed the Liberty Bay Credit Union that your Liberty bay Debit card has been suspected of being compromised and or exposed. MasterCard is in the process of investigating this unauthorized access of your card information. To date, no fraud on these accounts has been reported at the Liberty bay Credit Union.

Please contact the member Services Dept. at 617-XXX-XXXX [phone number redacted], if you would like us to issue you a new Liberty Bay Debit card with a new number and pin. Once you have requested a new card your compromised card will automatically be cancelled in 30 days.

We apologize for any inconveniences this may have caused you. If you have any further questions regarding this matter please do not hesitate to call the Member Services Department.

Sincerely,
Member Services Department
Liberty Bay Credit Union

So far, my wife hasn't received any notices from MasterCard. She checks her bank statements online, so she is sure that there hasn't been any fraudulent charges submitted -- so far.

My wife called Liberty Bay Credit Union (LBCU) to learn more about the data breach and what LBCU is doing to help. An LBCU representative said that MasterCard did not release any details about the breach, and that all of LBCU's 5,000 members were affected.

This is troubling for several reasons:

• Members deserve better notification about the breach details. The letter did not list the types of sensitive personal data stolen. I didn't seen any news releases about the breach at LBCU's Web site.
• The letter contains the typical, unhelpful language, "To date, no fraud on these accounts has been reported..." In my experience, it takes fast notification of consumers who are often best positioned to notify the bank (or credit union) of which charges are bogus.
• LBCU's notification should be stronger than an "advisory." It doesn't offer any credit monitoring services. It doesn't indicate what the credit union is doing to help -- like pressure MasterCard for breach details. It doesn't mention who is paying the cost of new accounts for LBCU members. (Hopefully, MasterCard or the company that suffered the breach is paying the cost, and not LBCU.)
• If members request a new debit card account, the old account should be canceled immediately. It should not take as long as 30 days. That delay seems unacceptably slow and prone to fraud.
• The lack of details about the breach incident causes me to wonder if this breach is part of the larger Heartland Payment Systems breach
• The tone of the letter gave me the impression that LBCU is being totally reactionary and is letting MasterCard perform all of the investigative work.

My wife is understandably angry. Again, a company (e.g., MasterCard, one of its payment processors, or a vendor) has been unable to adequately protect consumers' sensitive personal data, and this has inconvenienced consumers. And, this was not the first breach notice my wife has received from a financial institution. It makes her question whether our financial industry really knows what it is doing about data security.

I question the speed of LBCU's notification. Consider this January 23, 2009 news story from USA Today:

"Visa and MasterCard have begun notifying member banks around the nation to contact patrons whose card accounts may have been compromised in the Heartland Payment Systems data breach. Robert Baldwin, Heartland's President and CFO, said in a USA TODAY interview that Visa and MasterCard are "instructing many card issuers" to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland."

Consequences of the Heartland Data Breach (Part Two)

In Part One of this story, we met Janet after fraudsters had attempted to submit charges to her Visa credit card. Janet's story continues with some unexpected twists, which we all can learn from.

After Visa -- and not her credit union -- had notified Janet of some fraudulent charges, Janet followed my advice and notified Visa in writing (e.g., a letter via Postal Mail with a Return Receipt) that the charges were indeed bogus. Visa removed the bogus charges.

Janet was curious why her credit union had not notified her about the fraudulent credit card charges, since the credit union issued her Visa credit card. Her credit union indicated that her situation was not a result of the Heartland Payment Systems data breach, since her credit card number wasn't on the list of compromised card numbers the credit union received.

This seemed odd to me since Visa's arrangement with Heartland is well documented in the news media. Thinking that here situation was resolved, Janet was surprised to receive via postal mail a letter from Experian notifying her of an attempted address-change request. Somebody was attempting to change Janet's address on her Experian credit report. This was a troubling surprise for several reasons:

• Janet had not submitted an address to change to Experian or to any other credit reporting agencies
• Janet has a Security Freeze on her credit reports at the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion) to prevent unauthorized access. An attempted address change by a fraudster is clearly an unauthorized access.
• In its letter, Experian also said that it had sent a notice of this attempted address change to both the new address and to Janet's current address

Janet is puzzled why Experian would send a letter to the new address when she alread has in place a Security Freeze prventing access to her Experian credit report. Next, Janet did what anyone would do: she called Experian's customer service number to talk with a representative. Janet did not want to just send a letter to Experian. She wanted faster action, since identity thieves were trying to access her sensitive personal data.

Sadly, Janet has been unable to talk with a human representative at Experian. When calling the Customer Serivce number, she gets stuck in an endless series of menus to phone messages, with no way to talk to a human customer service representative. Same results with Experian's web site.

Janet followed my advice and filed a police report with local law enforcement. After filing the report, the detective involved has also been unable to contact a human representative at Experian.

Janet asked me what she should do next, since she is leaving for vacation for 10 days. I said that while she is on vacation, I will try to contact the President or CEO of Experian to see what type of response I could get for her. Janet is also contacting her local Congressional Representative.

Janet should be able to talk with a human representative from Experian, especially during a time when identity thieves are attempting to access her Experian credit reports. Janet's experience so far seems to indicate a customer service melt-down at Experian.

This story is far from over. If you want to learn what happens, sign up for either e-mail or RSS updates from I've Been Mugged. As I learn more, I will post it in this blog.

Get 'Mugged' On Facebook

I am pleased to announce that starting today, Facebook users can easily follow updates from the I've Been Mugged blog.

Simply, visit the I've Been Mugged Fan page on Facebook.com and select the "Become a Fan" link.

It's that easy!

The Stress of It All is Becoming Dangerous

[Editor's Note: today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

It seems that not a day goes by during these most difficult financial times when we don't hear a story about people "losing it". Just this week, a young man apparently took his life. He was the acting chief financial officer of Freddie Mac whose stated mission is to help stabilize residential mortgage markets in the United States. The Treasury Department took over the company last September. He was only 41.

That story was followed up by another in which it was reported that a lawyer mother ordered her two daughters out of the car because they were yelling too much and wouldn't quiet down. I checked up on the mother and found that she is a skilled senior attorney whose specialty is law that governs banking and other lending institutions with particular emphasis on the very issues being faced by, we the people, and our Treasury Department.

No matter what else was going on in the lives of these two individuals, I recognized in them, one of the real threats to the health and welfare of the American people.

STRESS.

Every day, in addition to whatever we've had to previously bear, we are now faced with losing our jobs, keeping our homes, feeding ourselves and our children not to mention the loss of dreams of retirement, college education and just a plain better life.  This folks results in stress and it has a profound impact on us.

According to a 1996 article in Psychology Today, "When stresses become routine, the constant biochemical pounding takes its toll on the body; the system starts to wear out at an accelerated rate. By responding to the stress of everyday life with the same surge of biochemicals released during major threats, the body is slowly killing itself. The biochemical onslaught chips away at the immune system, opening the way to cancer, infection, and disease. Hormones unleashed by stress eat at the digestive tract and lungs, promoting ulcers and asthma. Or they may weaken the heart, leading to strokes and heart disease."

"Chronic stress is like slow poison," [Jean] King [Ph.D. of the University of Massachusetts Medical School] observes. "It is a fact of modern life that even people who are not sensitized to stress are adversely affected by everything that can go wrong in the day."

This is another reason why I have been so worried about the war in Iraq and Afghanistan. I am not concerned about the professionalism of our armed forces but I am concerned about the constant stress that four or five years of combat, four, five, six 12 and 15 month deployments have had on our service people and their families. And don't think that bravado will overcome it. It will not. Examine the increasing suicide rate among the military and you will find that we have a problem that can't be swept under a rug.

Watch the way people drive these days, listen to the concerns we share with one another. We as a nation are worried and stressed. Our institutions have failed us and our social contract has been broken. Now we can fix it, but there must be more relief given directly to the people in order that the stress of it all doesn't endanger us in ways we have never yet experienced as a society.

What do you think?

Copyright 2009 WBSeebeck

'Spyware Tapping:' Your Privacy May Be At Risk By Your Cell Phone

This is disturbing. WTHR television (Indianapolis, Indiana) produced an investigative video about the privacy risks by cell phones infected with spyware. I encourage everyone to watch the WTHR video.

"... more than a dozen companies to sell this type of cell phone spy software, which ranges in price from $60 to $3,000. The majority of the companies are located in foreign countries such as Thailand, Taiwan and the United Kingdom - and for good reason. Most of the advertised applications for the spy software are illegal in the United States, and the existence of the software angers CTIA-The Wireless Association, an industry organization representing the nation's major cell phone manufacturers."

What consumers can do to protect their privacy and sensitive personal data:

... keep a close eye on your cell phone so that others never get an opportunity to download information such as spy software when you're not looking... install a security password on your phone to restrict anyone else from using it... high-end cell phones that include internet access and online capability are particularly vulnerable to Spyware tapping... choose a cell phone that is not internet-accessible... remove the battery from your cell phone when it's not being used and, for sensitive phone calls, he suggests making them on a newly-purchased cell phone that comes with a pre-paid month-to-month service plan."

How to tell if your cell phone has already been infected with spyware:

"- Cell phone battery is warm even when your phone has not been used
- Cell phone lights up at unexpected times, including occasions when phone is not in use
- Unexpected beep or click during phone conversation"

FTC Launches Red Flag Rules Web Site

From the Identity theft and Business blog:

"After a year or more of confusion on the part of businesses and their counsel the Federal Trade Commission (FTC) has launched a Web site to help businesses and non-profits to come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. The site offers articles and guides for helping create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. The FTC has also published a very good guide for businesses who must determine if they have “covered accounts” and how to go forward with their program. I have added a permanent link to the FTC Red Flags site to my links for your convenience."

This web site is another reason why companies have no excuse for complying with the Red Flag Rules and its May 1 deadline to better protect consumers' sensitive personal data.

Can Consumers' Computers Connected to The Internet Be Secure? Government Spying, Breaches, and 'GhostNet'

My head is still spinning from these massive data breaches. Yesterday's Wall Street Journal reported:

"Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials... Similar incidents have also breached the Air Force's air-traffic-control system in recent months... In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems... The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together."

Like other consumers, I expect my government to fully protect itself and its assets -- and hence me. What the US Government is doing to protect itself:

"The U.S. has no single government or military office responsible for cyber security. The Obama administration is likely to soon propose creating a senior White House computer-security post to coordinate policy and a new military command... The Bush administration planned to spend about $17 billion over several years on a new online-security initiative and the Obama administration has indicated it could expand on that."

Earlier this month, WBUR's OnPoint program reported about the unmasking of GhostNet:

"... a crack team of computer sleuths in Canada unveiled a global computer spying network, apparently run out of China, called “GhostNet.” It’s a spying operation that has reached into more than a thousand key computers around the world, rifling through high-security files, even turning on computers’ cameras and microphones to watch and listen from halfway round the world."

The spying was first uncovered in Tibet. The investigative team would uncover over 1,000 "participating" computers. Countries are spying on each other, and are often using consumers' Internet-connected computers to do the grunt work. Computers far beyond Microsoft-Operating-System computers were targeted. New terms and phrases have emerged to describe the activities and players: "Command-and-control Server," "Geo-Political Competition in Cyber-space," "Arms Race in Cyber-space," "Cyber-Warfare," "InfoWar," "Byzantine Hades," "Cyber-Terrorism," "Ghost Rat," "Patriotic Hackers," and others. Reportedly, the supposedly secure and encrypted Skype system was also compromised.

It would seem that the cold war has moved to the Internet, and that the Internet is becoming militarized. I encourage you to listen to the WBUR OnPoint podcast.

Delta Returns Outsourced Call-Center Jobs From India To USA

From the Boston Globe newspaper:

"Delta says it's no longer outsourcing reservation calls to India. Why? The move was made in response to years of complaints by American customers who say they sometimes have a tremendous amount of difficulty understanding the foreign telephone workers."

The airline company closed its India call-center during the first quarter of 2009, and employs about 4,500 call-center workers in the USA. will continue to operate call centers in Jamaica and South Africa. Delta Air Line's offshore outsourced call-center change comes about two months after United Airlines announced the closing of its call center in India.

While the changes affect a tiny number of jobs, I believe that this is important for several reasons. First, it is good that Delta is responding to customer dissatisfaction. Poor quality or incompetence is unacceptable in whatever country the call-center is located.

Second, both airlines have been transparent in their communications with consumers. More companies need to follow their lead and tell consumers exactly what they are doing.

Third, Delta's move may or may not be a positive one in the long term. It depends how the company handles customer service. The move will be a positive one if Delta improves its human customer service. The move will be a negative one if Delta replaces human customer service with automated messages, forcing consumers to navigate an extensive loop of phone-based menu selections, and reply only via e-mails or letter. There are certain instances when consumers need to talk with a human customer service representative.

Fourth, when companies use offshore outsourcing, it means that customers' sensitive personal data is being moved across country borders. Call-centers in more countries means more risk since more sensitive personal data is moving around the globe; risks that companies rarely discuss including the associated data breaches at these call-center locations.

Fourth, like the airline companies all of the major credit reporting agencies outsource their call-center operations to vendors in several countries. Since I began this blog, I have repeatedly heard complaints from consumers about poor and low-quality customer service, especially about the agencies' online credit monitoring services. The silence and lack of transparent communications by the credit reporting agencies speaks volumes about these companies' lack of consumer focus.

Congress Rips PCI Security Standards

Earlier this month, ComputerWorld reported:

"At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud. The hearing, held by a subcommittee of the House Committee on Homeland Security, also highlighted the longstanding bitter divide between retailers on one side and banks and credit card companies on the other..."

I am not a PCI security expert. Like many consumers, I am learning about PCI DSS -- what it is and which companies are supposed to use it. Regardless, the system seems seriously broken when companies that are supposedly PCI DSS compliant experience massive data breaches:

"Hannaford was certified as PCI-compliant by a third-party assessor in February 2008, just one day after the company was informed of the system intrusions, which had begun two months earlier. That means the grocer received its PCI certification "while an illegal intrusion into its network was in progress... Similarly, RBS WorldPay Inc. and Heartland Payment Systems Inc. were both certified as PCI-compliant prior to breaches that the two payment processors disclosed in December and January, respectively. Visa Inc. dropped Heartland and RBS WorldPay from its list of PCI-compliant service providers last month and is requiring them to be recertified..."

Should consumers be concerned? Absolutely. First, read my prior post about some of the consequences of the Heartland data breach. Second, consider what the stolen monies are used for. From the PCI DSS Compliance blog:

"We have read complaints on other blogs about the PCI standards, claiming they are a burden for merchants and software developers... Kimberly Kiefer Peretti, Senior Counsel in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, recently wrote an excellent white paper, "Data Breaches: What the Underground World of ‘Carding’ Reveals.” In this paper, she gives a concise overview of large scale data breaches by skilled hackers —- who is doing it and how, as well as the implications of these breaches. One of Peretti’s most salient points comes in her discussion of how carding—activities surrounding the theft and fraudulent use of credit and debit card account numbers -— is linked to other criminal behavior, including terrorism and drug trafficking."

Roller Derby

Today's post is a playful diversion from the usual identity theft and data breach fare.

Yesterday evening, I attended a roller derby bout between the Wicked Pissahs and the Nutcrackers at Shriner's Auditorium in Wilmington, Massachusetts. One of my coworkers skates on the Wicked Pissahs team:

Roller Derby - April 2009 from George Jenkins on Vimeo.To learn more about upcoming events, visit BostonDerbyDames.com .

How To Confirm That Your Bank Is FDIC Insured

Great advice for consumers from The Consumerist blog. First, some background:

"... FDIC insurance covers banks and NCUA insurance covers credit unions. Not all credit unions are insured by the NCUA, the ones that aren't often have insurance from American Share Insurance (ASI)..."

Here's the important information:

"The best and only way you can confirm that a bank is FDIC insured is by using the FDIC's Bank Find tool. The search will tell you whether or not the bank is in the database but it's not very robust because it does a broad match search. If you search for ING, as in ING Direct, you'll get every bank with 'ing' in its name which is is pretty much every single bank with the word "Savings" in it. An alternative is if you go to the site and find the FDIC certificate number. On the FDIC Bank Find page, click on "More Search Options" and you can enter the certificate number."

For consumers who use credit unions:

"The NCUA has a similar Find a Credit Union search that lets you find the credit union you're interested in. Again, the search is broad match so it might be easier to get the Charter Number of the credit union and entering it directly... Finally there's ASI and you can search for credit unions insured by ASI at their credit union search. FDIC and NCUA are effectively backed by the full faith and credit of the United States, ASI is not."

'Botox Bandit' Writes Bad Check At California Spa

From the Orange County Register:

"... two women came to the Luxe MedSpa in March for a consultation and treatment. Both received Botox and filler treatments to smooth lines and wrinkles.The women, who used false names, wrote a check to pay for their treatments..."

The $3,300 check bounced, stiffing the Yorba Linda spa. The spa now no longer accepts checks from its customers. Police have a good lead, since the spa took photos of both fraudsters before their cosmetic treatments. This was not the first 'Botox Bandit' fraud incident:

"... a similar incident in Huntington Beach, where police sought the "Big-Bust Bandit." A woman identified as Yvonne Pampellonne, allegedly used a false identity to get breast implants and liposuction then skipped out without paying. Pampellonne turned herself in to police last month. In January and February, a "Botox Bandit" struck at two Newport Beach clinics, where an unidentified woman had $1,000 to $3,000 worth of injections of Botox and dermal filler, then walked away without paying..."

Massive Amount Of Health Care Spending Is Lost To Medical Fraud

This news item at DotMed.com caught my attention for a couple reasons:

"The National Health Care Anti-Fraud Association (NHCAA.org) conservatively estimates that 3 percent of all health care spending--about $68 billion--is lost to fraud. A more jaundiced, or perhaps realistic estimate by the FBI and CDC puts the rate at 10 percent, a crippling $226 billion loss yearly. Suddenly the urgency for electronic medical record adoption is in sharp focus because the best way to spot fraud is by using high-tech data mining tools. One company at the forefront of this effort is HealthCare Insight, South Jordan, UT. HCI explained to DOTmed News that medical identity theft is a multi-faceted problem... in a nation of nearly 50 million uninsured the temptation is great for families to misrepresent who is eligible for insurance... So there are perpetrators who add others falsely or give their card to a family member or someone else to get care, and it is still fraud..."

Consumers are not the only ones who commit medical fraud. Companies do it too:

"... all too often the bad actors are not the patients but health care professionals... also on the provider side where billing schemes use a legitimate provider's identification number and name but set up a phony address... Once the scheme is in place, reimbursements can be diverted to the bad guys..."

This article caught my attention for two reasons.

First, whether the accurate fraud statistic is 3% or 10%, either way that represents a massive amount of money, and fraud. And that is bound to attract a lot of identity thieves and fraudsters looking to borrow or steal consumers' medical credentials.

Second, anytime I read about data mining, alarms go off in my mind. Any time a company is analyzing consumers' electrnic medical records, there is the possibility for data breaches; either at the analysis firm or during transmission between health care organizations and the analysis firm. Firms may not want to admit this, but it is what it is.

Slumping Economy Makes It Harder For Consumers To Recover From ID-Theft

A new Nationwide Insurance survey found that:

"... nearly half of respondents said that if their identity were stolen today, they did not know if they had enough money in reserve to weather the recovery process. The new survey also found that 10% of identity theft victims polled missed payments due to the crime. Of those victims, four out of five say the theft caused serious repercussions – including lower credit scores, utilities shut off, bankruptcy, vehicle repossession, home foreclosure or even jail time."

The survey included telephone interviews of 400 adults, including 200 ID-theft victims, and was conducted from December 12-17, 2008 by MRSI. Additional findings:

"... identity theft victims tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Additionally, people who are separated or divorced, and those making $75,000 or more a year are more likely to fall prey to identity theft than the general population."

How consumers respond to identity theft:

"... 52% of respondents said they would tackle the recovery process from identity theft on their own... Nationwide’s previous polls found that identity theft victims spent an average of 81 hours trying to resolve their case and one in four cases were unresolved after a year of trying..."

Wow! That statistic is higher than I thought. There's so much time and work involved in fixing damage from identity theft, that I'd definitely use a credit restoration service. Sure, there are some things consumers can do on their own (e.g., fraud alerts, Security Freezes, opt-out of pre-aproved credit offers), but a trustworthy credit restoration service can definitely help. With higher unemployment rates, now is not the time to miss work and jeopardize your job while trying to resolve the financial account and credit report damage done by identity thieves and fraud.

Interested individuals can read more at the Nationwide Insurance site.

Consequences of the Heartland Data Breach

About a week ago, my friend Janet (not her real name) received a phone call from Visa about suspect charges on Janet's Visa credit card through her credit union. Janet asked me not to disclose the name of her credit union, but it is a well-known higher education credit union located in the Northeast.

Janet asked me what she should do next. Her story has implications for many consumers.

Visa was proactive with contacting Janet about several small charges. Visa wanted to know if the charges were valid. Together, the five charges were less than $50 total, but Visa explained to Janet that often identity thieves and fraudsters submit small charges first. The identity thieves hope that the charges go paid and unnoticed, since many consumers don't check their monthly credit card statement. The real damage is done later when large, fraudulent charges are submitted.

Janet informed Visa that the charge were indeed bogus. Visa closed her credit card account and opened a replacement account. Visa also said that they were going to send Janet an affidavit to sign, indicating that the charges were were indeed fraudulent, which Janet must sign and return to Visa.

My advice to Janet:

1. Keep breathing. Yes, identity theft is scary but her situation is manageable. It definitely seemed that fraudster had obtained her credit card number, if not more sensitive personal data.
2. Definitely sign the form and return it to Visa via Certified postal snail-mail with a return receipt requested. That way she'd have a written record of when Visa received her signed form.
3. Keep a copy of the signed form for her records.
4. File a police report with her local police department, and attach a copy of the affidavit if needed.
5. Definitely accept the new credit card account Visa had arranged
6. Check her credit reports for any bogus entries. (Janet had already placed a Security Freeze on her credit reports years previously, when this became available in Massachusetts.)
7. Inform her credit card issuers of her upcoming travel abroad, so they know that credit card purchases in certain countries within certain dates will be valid charges; and do not suspend or close her credit card accounts
8. File a complaint with the U.S. Federal Trade Commission, since the FTC tracks fraud and relies upon consumers to notify it
9. Check her monthly credit card statement closely for bogus charges. Janet said that she already did this regularly and would continue doing so.

Then, I asked Janet if her credit union or Visa had mentioned the Heartland Payment Systems vendor. Like most consumers, Janet hadn't heard of Heartland since Heartland isn't a vendor consumers usually do business with. Janet, like most consumers, is familiar with the credit card companies and banks.

I briefly explained to Janet the Heartland data breach, how hundreds of thousands of credit card numbers were exposed/stolen, and how Heartland isn't sure exactly how many credit/debit card accounts were exposed/stolen. A January 2009 Washington Post story mentioned that the Heartland breach may be the largest breach ever for the number of accounts stolen. Janet said that she'd ask Visa about it the next time she talked with them on the phone.

A few days later, Janet informed me that Visa confirmed that they use Heartland to process credit card transactions, and that this was probably a result of the Heartland breach. Janet's story has several implications for consumers:

• Check your credit card statements closely every month
• File a police report about the fraud with local law enforcement. If local law enforcement won't accept a police report, contact the elected officials in your state
• File a complaint with the FTC. The FTC analyzes the size and scope of identity theft and fraud
• Use a credit card issuer that proactively will warn you of possible bogus charges before your monthly statement arrives
• Know the sensitive personal data about yourself that you should protect
• If you suspect that identity thieves have collected more sensitive personal data than just your credit/debit card number, check your credit reports at the big-three credit reporting agencies for accuracy and for any bogus entries
• If you are the victim of fraud, consider placing a Fraud Alert or a Security Freeze on your credit reports at the big-three credit reporting agencies
• Know the difference between a Fraud Alert and a Security Freeze
• Know the risks of shopping with your debit card versus your credit card. Even better, use cash at retailers you believe may not practice good data security

What bothers me about Janet's story is:

• As of April 12, the Heartland breach site still does not disclose the number of consumers' credit/debit card accounts affected by its data breach. Either the company knows and refuses to say, or they don't know the number affected. If Heartland knows, then the number must be huge -- bigger than the TJX debacle
• Consumers like Janet are not being informed that their credit/debit accounts may have been affected (e.g., stolen) during the Heartland data breach. This seems to contradiction states' laws requiring consumer notification
• At its breach web site, Heartland encourages companies not to take any action about the Heartland breach since things will be fixed soon. Huh? Consumers have been affected. This "take no action" advice seems to also apply to communications to consumers. After all of the problems in the financial and banking industry during the past year, I would have thought that Heartland would understand the benefits of transparency about communications. Keeping secrets does damage, and consumers' trust is damaged or broken by secrets
• Janet's credit union doesn't seem to have provided much help, so far

To be fair, this week Janet plans to contact her credit union for more information and to see what they are doing about the fraud. Maybe Janet's credit union is following Heartland's advice.

If you have experienced fraud recently on your credit card or debit card account, I hope that you'll follow Janet's lead to protect yourself and your sensitive personal data. If you want to share your story below, it would be appreciated.

Recognizing The Different Types of Injured ID-Theft Victims

The staff at javelin Research have produced a very interesting and valuable report, titled, "Profiling 'Severely Injured' Identity Fraud Victims: Using Triage to Ease the Pain of Customers At Risk.”

Given the increases in 2008 in identity theft and fraud, Javelin Research studied and identified the key differences between ID-theft victims whose fraud experience was resolved to their satisfaction versus victims who described their financial lives as severely injured. The researchers sought to answer the following questions:

• "What are the consequences of having severely injured victims of identity fraud as customers?"
• "How can fraud victims at particular risk of severe injury be identified?"
• "What do financial institutions, identity protection service vendors and consumers need to do to prevent severely injured victims?"
• "What types of fraud experiences cause more severe impact to victims?"
• "What positives can result from the severely injured victim's experience?"

The researchers randomly surveyed 4,784 respondents during October, 2008. Summary findings:

• "While the severely injured have lower overall rates of card fraud, the severely injured suffer from debit card frauds at a much higher rate than average (48% vs. 35% of all fraud victims). Conversely, the severely injured experienced credit card frauds at a lower rate than typical (51% vs. 63% of all fraud victims)."
• "The severely injured are twice as often defrauded by someone they know personally (26% vs. 13% for all consumers). This includes relatives, housemates, coworkers, and in-house workers
  and are referred to as so-called 'friendly frauds.' ”

I've blogged previously about the risks to consumers of shopping with debit cards. It seems that many consumers continue to shop with their debit cards.

This type of study is good news in that it highlights the need for solutions to target the different types of fraud victims. A one-size-fits-all approach is inappropriate. Hopefully, state legislatures will modify their breach notification laws to address the differing needs of fraud victims.

Interested users can download an excerpt of the Javelin Research report (PDF format). The full report can be ordered for $1,295.

Unreported Data Breach at TrueCredit.com, Trilegiant, or Great Fun?

Recently, an I've Been Mugged reader wrote:

"Do not sign up for truecredit.com. Here is the path of relationship association that reveals big problems with id theft. Here goes...Transunion's subsiderary with truecredit which DBA great Fun (among others) is owned by Trilegiant (formerly Cedant) Trilegiant was sued last July for $25million by the state of Illinois. Ok...how do I know all this? My identity was passed on from truecredit.com to great fun then for some strange reason...on the same day...my account got hit with almost $1,000 charges by people ordering different goods being shipped to all different states also West Africa. So what can you do? I reported to everyone I can report to and I feel this needs some national attention on a grand scale. Any suggestions? Has anyone else experienced this same nightmare?"

Trixie is correct. Trilegiant Corp settled with the State of Illinois in July 2008. According to the St. Louis Business Journal:

"Trilegiant Corp., a subsidiary of Cendant Corp., must pay $25 million to settle a class-action lawsuit filed by consumers who were charged for products they never ordered... More than one million people nationwide, including some in St. Louis, complained about the incorrect charges, said Rob Schmieder, an attorney who worked on the case."

Also:

"Norwalk, Conn.-based Trilegiant allegedly billed and collected unauthorized charges from consumers for products and memberships consumer never requested, including Privacy Guard, Credit Alert, Auto Vantage, Travelers Advantage, Buyers Advantage, Compete Home, Digital Protection Plus, Great Fun, Great Options, HealthSaver, Hotline, Just for Me, National Card Registry, NetMarket, Shoppers Advantage, Travel ER and others."

Of course, as part of the settlement deal Trilegiant admitted no wrong-doing. I checked several breach databases and did not see any breach notices from Trilegiant, Great Fun, or TrueCredit.com. Based on Trixie's experience, there seems to have been an unreported data breach by one of these companies.

If you think that you have been affected, let us know below. More importantly, consumers should report any identity theft and fraud to both their local law enforcement and to the U.S. Federal Trade Commission. If consumers still don't get any satisfaction, write to your elected officials in Congress.

When A 391% Annual Interest Rate Is Legal

From The Consumerist blog:

"Lobbyists from the payday industry bought Congress' support by showering influential members, including Chairman Luiz Gutierrez, with campaign cash... Indeed, the payday lending industry is strenuously resisting Gutierrez's measure, which it says would devastate its business. The measure would cap the annual interest rate for a payday loan at 391 percent, ban so-called "rollovers" - where a borrower who can't afford to pay off the loan essentially renews it and pays large fees - and prevent lenders from suing borrowers or docking their wages to collect the debt... The Online Lenders Alliance, formed in 2005, nearly quintupled, to $480,000, its lobbying expenditures from 2007 and 2008. It contributed $108,400 to candidates in advance of the 2008 elections compared to about $2,000 in the 2006 contests. Gutierrez was among the top House recipients, getting $4,600, while the top Senate recipient was Sen. Tim Johnson, D-S.D., a Banking Committee member who got $6,900. After watching members of the military fall prey to exorbitant payday loans, Congress in 2006 capped the interest rates for military payday loans at 36%. Fifteen states have similar caps or outright bans... Someone — maybe Carolyn Maloney, who did an excellent job with the Credit Card Bill of Rights—needs to step up and punch the payday lending lobbyists in the face."

If a lender can't run a profitable business on 36% interest, in my opinion they don't deserve to be in business. 391% interest is corporate welfare in disguise. And yes, I'm still mad after receiving notification about huge credit card interest rate increases.

If this bothers you (and I surely hope that it does), I encourage you to write to your elected officials and tell them to cut the crap, and simply ban payday loans. Payday loans target the poor who are often least able to defend themselves.