17 posts from October 2009
The BBC News recently reported about the habits of a con man and thief:
"... his scams have tended to take place in luxury hotels around the world. Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe. When hotel staff helped him to open the safe, he would pocket the contents and make his escape."
Don't hotel staff ask for identification (e.g., Passport, driver's license) before opening up a safe? Doesn't the management of the luxury hotels train their staff about effective security methods?
This is not good news. Breitbart reported:
"... Mafia figures and other violent criminals are increasingly moving into Medicare fraud and spilling blood over what once a white-collar crime... For criminals, Medicare schemes offer a greater payoff and carry much shorter prison sentences than offenses such as drug trafficking or robbery... Medicare scammers typically make their money by billing Medicare for medical equipment and drugs that patients never receive—and never needed. Some pay homeless people on Los Angeles' Skid Row for Medicare or Social Security numbers to use in fake billing invoices. Others intimidate elderly victims to use their Medicare numbers, federal authorities say."
This shift suggests that many local governments and cities need to stiffen the penalties and prison time for identity theft, Medicare, and related fraud crimes:
"Most Medicare schemes are based in cities such as Miami, Los Angeles, Detroit and Houston... A Medicare scammer could easily net at least $25,000 a day while risking a relatively modest 10 years in prison if convicted on a single count. A cocaine dealer could take weeks to make that amount while risking up to life in prison."
Like most people, I have recently started reading about electronic health records (EHR) and how secure my medical information is. The list of abbreviations and acronyms can be confusing. For example, there are subtle but important differences between the terms: EHR, Personal Health Record (PHR), and Electronic Medical Record (EMR).
You may find this overview article from PrivacyGurus.com helpful with understanding the current state of privacy about your medical information:
"Long-standing laws in many states and the age-old tradition of doctor-patient privilege have been the mainstay of medical privacy protection for decades. But in the 21st century, those privileged to your medical information have increased in number - and not always for the better. The extent of privacy protection given to your medical information often depends on where the records are located and the purpose for which the information was compiled. That means that the laws that cover privacy of medical information vary by situation. Confidentiality is likely to be lost in return for circumstances like insurance coverage, an employment opportunity, your application for a government benefit, or an investigation of health and safety at your work site. That means that you may have a false sense of security based on the highly touted Health Insurance Portability and Accountability Act (HIPAA)."
I found this particularly important:
"... a wide range of people, both in and out of the health care industry, share your medical information, often because you’ve agreed to it. One is the Medical Information Bureau (MIB), which is a central database of medical information of approximately 15 million Americans and Canadians. About 600 insurance firms use the services of the MIB primarily to obtain information about life insurance and individual health insurance policy applicants. The MIB is a consumer-reporting agency subject to the federal Fair Credit Reporting Act (FCRA) and doesn’t fall under HIPAA. It functions more like a credit score for health. The MIB does not have a file on everyone. But if you have an MIB file, you will want to be sure it is correct. You can obtain a free copy once a year by requesting it from their website or by calling (866) 692-6901."
The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site. Several medical experts contribute to the unofficial HIPAA.com site, where you can browse the list of personal data items of consumers protected by HIPAA.
Last week a friend, Mary Grace, sent an e-mail message asking if I had:
"... heard of NCO Financial Debt Collectors? I got an automated call and when I called the number back it was busy. I called their main 800 number off of their website and they asked me for my social and name - they would not give me any information on the reference number that was left on the automated message. I did not give them my name or my social and ended up hanging up on the rep because he could not identify why they called me stating there were many names associated with the reference number and he needed my information to understand why they called."
I hadn't heard of NCO Financial Debt Collectors. There is a valid collections company with a similar name: NCO Group (a/k/a NCO Financial Systems. The call sounded sketchy since the reference number didn't identify Mary Grace specifically. I told her to contact the Better Business Bureau (BBB), and contact the U.S. Federal Trade Commission (FTC). I assured her that she was correct to not disclose her Social Security Number and other sensitive personal information without first getting written proof of the debt.
In her e-mail message, Mary Grace also wrote that she had:
"... called AT&T to check on the 888 number the automated message left and [the AT&T customer service representative] said it was probably an outbound number only and that he hears these kinds of calls all the time but can not give any advice because of legal reasons."
Yes, this debt collection call was definitely sounding like a scam.
Mary Grace couldn't think of any company she owed money to, as she is very good with her credit. Perhaps she had a debt at Cedars-Sinai Medical Center due to a recent surgery, but theyhadn't contact her.
Since Mary Grace lives in California, I suggested that she check the State of California attorney general's web site for advice about her rights and how to deal with debt collection phone calls and collection agencies. Every state has an attorney general (AG), and the AG's web site usually describes the rights consumers have and what constitutes harassment by a debt collector.
While California state law allows debt collectors to supply information about bills they are collecting to credit reporting agencies, the collection agency cannot threaten a consumer with this unless it is already a customer of the reporting agency. The collection agency must tell the reporting agency whether any dispute has been filed, and it must update the consumer's record to show when the debt is paid.
I did some light research and found that there tend to be two types of debt collection scams:
- Fake debt collection agencies
- Valid debt collection agencies with fake debts
The first type usually includes a scam artist calling with fake debts. The scammer is trying to trick consumers into revealing over the phone their sensitive personal data: Social Security number, bank account information, and so forth. Disclosing any of this could lead to identity fraud.
How do the collections scammers get consumers' name and address information? Any number of ways: from combing through online white pages web sites, or purchased on the black market from with data resold by thieves after a data breach.
If you receive a debt collection call, experts advise consumers to demand written proof of the debt. Tell the caller that you only reply to debts submitted in writing with written proof. If the scammer does send a letter via postal mail of a debt you know is fraudulent, then you have written proof of the scam.
The second type of scam is a little trickier. Sometimes a valid debt collection company is calling with a valid debt that they think is yours, but really belongs to another person. Perhaps you changed your phone number recently, and the collections agency has confused you with the prior owner of the phone number. Perhaps you moved recently and the collection agency has confused you with the prior resident at our current address. A less than honorable collector wants to collect money and may pressure the person they contact into paying.
Either way, the best response is to demand that the debt collection caller fully identify their company. Then, demand written proof via postal mail that the debt is yours. Ask the caller for a phone number so you can call them back. Scammers hate this and will serve up a variety of excuses why you can't call them back.
In this case, Cedars-Sinai sent a bill to Mary Grace's old address, even though the medical center also had her current address on file. The medical center then sent the unpaid debt to two valid collection agencies... a case of one internal department failing to communicate with another department.A couple days later, I received a follow-up e-mail from Mary Grace:
"... Cedars-Sinai knew I had a stellar record with them. They called the true collection agencies, had them retract my name and restore my credit ratings, and I paid [Cedars-Sinai] directly. I should receive letters from Cedars, and the agencies stating just that. Then I will look at my credit report to ensure that it was restored. Who knew that a phony call could end up exposing all this!"
And, NCO Financial Debt Collectors turned out to be a scam -- a phony debt collection agency. So, if you get a phone call from them, hang up and report it to the BBB and FTC.
Mary Grace's experience provides clear instructions for consumers about how to handle debt collection phone calls:
- Asked the caller to identify their company
- Don't trust the caller at their word. Don't share sensitive personal data over the phone. Demand written proof via postal mail of any debts
- File a complaint with the BBB about any phony debt collector you encounter
- Demanded written proof of paid debts
- Demanded written proof from a creditor of debts sent in error to collection agencies
- Demanded correction of erroneous entries to credit reporting agencies
In an earlier post, I wrote about the risks of disclosing your birth date in e-mails and at social networking sites. It's a key piece of personal data for identity thieves and fraudsters. There are more personal data items you should not disclose to avoid identity fraud.
From a recent AARP Bulletin:
"Along with your birth date, your place of birth may help scammers guess most, if not all, of the nine digits of your Social Security number, suggests a recent study published in the Proceedings of the National Academy of Sciences. Those two pieces of information were all that Carnegie Mellon University researchers needed to discover patterns in how SSNs are issued, resulting in impressive success in guessing exact numbers."
The researchers documented how identity thieves could use your hometown information to guess your Social Security number:
"... The first three digits of the SSN are an “area number,” issued according to the ZIP code of the mailing address provided on a Social Security application form. High population states have many area numbers — New York has 85, for example — but Delaware and Alaska have only one... The fourth and fifth digits of the SSN are a location-based “group number”; those digits change periodically, usually in increments of 2. For instance, for people born in 1966 in Oregon, those middle numbers started at 47, and 60 days later, switched to 49. “Because of this, knowing a birth date and hometown makes the first five digits of a SSN the easiest digits to guess... The last four digits, the ones most often used as identifiers on accounts, are issued sequentially. But they’re harder to guess because they depend on how long it took to process a Social Security application..."
So, security experts advise consumers not to disclose both their birth date and hometown information on social networking sites. Now, you know what to do and why.
This Marketwire press release announced some dismal statistics about the security of companies' Internet applications. A survey ("Making Web Applications Hacker Proof") by eMedia and Cenzic of about 400 IT professionals found that:
- A majority of IT professionals think their Web sites might not be secure,
- 63 percent of companies test the security of their Web applications quarterly or less often
- 28 percent of respondents were unaware that their company had a data breach
Geez. This highlights the fact that too many companies and too many corporate executives do not take data security seriously. It highlights the fact that consumers' (e.g., employees, contractors, former employees, and customers) sensitive personal data is at risk.
The Better Business Bureau (BBB) announced its Secure Your ID Day events for October 17, 2009. The nationwide event includes free shredding services (for your old checks, junk mail, bank statements, old files, etc.) and educational programs by local BBB's in each state to help consumers avoid identity theft. Browse the Secure Your ID Day site to learn more about events in your area. Canadian residents should visit the BBB Canada site.
This BBB event coincides with the second annual National Protect Your Identity Week events October 17 - 24, sponsored jointly by the the Council of Better Business Bureaus (CBBB) and the National Foundation of Credit Counseling (NFCC). The event site is available in English and Spanish.
I strongly urge consumers to learn more and attend both events.
This blog does not cover every breach incident; only the ones with broad implications or where the organization should do more to help its breach victims. Campus Technology reported last week:
"A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident."
You can read online the breach notification letter (PDF format) from the University and its explanation of the breach event (PDF format). The following illustrates just how damaging this data breach was:
The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information."
In my opinion, the University should do more beyond referring its breach victims to the three major credit-reporting agencies to file Fraud Alerts. The University should:
- Pay for at least five years of credit monitoring services for the breach victims, due to the ongoing threat to their financial accounts
- Pay the Security Freeze fees at all three major credit-reporting agencies, so the breach victims can lock down their credit reports
- Provide its breach victims with a user-friendly web site, and not a couple PDF documents, with ongoing status information about the breach incident investigation, what the university is doing to fix the problem, and what the university is doing to prevent further data breaches
This is a horrible experience for any person. The Omaha World-Herald reported a particularly nasty case where a citizen was jailed twice due to mistaken identity:
"Last week, Salazar, 38, spent a night in the Douglas County Jail after he and his girlfriend called Omaha police to report a burglary. Ten months ago, he spent two weeks, including Christmas and New Year's Day, in jail after being pulled over for speeding. The reason: Every time Joe Salazar comes in contact with law enforcement, police discover there's an arrest warrant out for a Joe Salazar for failing to appear for sentencing in a 2002 drug case."
The real Joe Salazar lost his wallet in a restaurant: identification, Social Security number, date of birth, and other sensitive personal data. The criminal used Salazar's identity during a crime and then skipped out on bail from a scheduled court data. Hence, the arrest warrant for Salazar and local law enforcement keeps arresting the real Salazar.
Local law enforcement doesn't know the criminal's identity, but they do have his finger prints. Obviously, the real Salazar would like to see some fast, corrective action of his situation with the criminal caught. The real Salazar said:
"It's frustrating, because you know there's nothing you can say or do to convince (police)... I tell them ‘You've got the wrong guy. But I'm sure they hear that all the time.”
What can a consumer do to resolve this? Nothing that I know of. Salazar's problem will continue until the criminal is caught. Will any credit monitoring service help? No. Those services are for helping consumers protect their credit report, not for crimes. With the increasing number of data breaches with stolen consumers' sensitive data, I fear that cases like Joe Salazar's will only happen more often.
[Oct. 16 - Editor's Note: I encourage readers to read the comments below. Several readers submitted informative comments which consumers may find useful.]
Plenty has been written about Facebook.com; from its Beacon fiasco, to security concerns, to a data breach, to its terms of service, to personal data leakage by FB apps, and the settlement of a class action lawsuit.
Lately, I've noticed an increasing number of error messages while using Facebook. Perhaps you've seen them:
Then, there are times when Facebook stops working and presents this message:
Then, there's this extremely readable and user-friendly message:
I have no idea what this error message means, but I see it frequently. Facebook should change this error message for geek-speak to something understandable, like plain English.
Then there are times when Facebook gets tricky. See if you can spot the error in the Facebook page below:
The above page seemed to load correctly, but it didn't. The above Facebook page is missing the "Older Posts" link at the page bottom. I can't view more Facebook posts.
All of the above error messages I get on a variety of computers. So, I know it's a Facebook problem.It makes me wonder what other problems happen on facebook's servers that we users don't see. Is Facebook guarding my personal data as well as they claim?
Twitter has its famous "Fail Whale." I wonder what a similar image for Facebook should be. Fail Hyena? Fail Elephant? Mashable suggested some Facebook Fail images, but what do you think is an appropriate Fail image for Facebook?
I guess this is an example of the "price" of free. I wonder if service would be this bad if Facebook charged a monthly subscription fee.
Internet Retailer reported:
"Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Government affairs... Heartland this week also launched E3secure.com, an educational web site about end-to-end encryption technology and the E3 solution."
This is another clear, painful consequence for companies that fail to protect consumers' sensitive personal data. When Heartland first announced its breach incident, the company's stock dropped precipitously.
Computer Business Review magazine reported that to prevent future data breaches, a United Kingdom organization has:
"... moved to prevent the leakage of any data from its network of 4,100 fixed and mobile desktops by issuing 900 tamper-proof and encrypted USB memory sticks to its workforce. IT staffs at Caerphilly County Borough Council, which is the fourth largest local authority in Wales employing around 9,000 people, have taken the precautionary steps to minimise the operational risk of a security breach..."
The council took this action to require employees to use only approved USB memory sticks and to protect the organization computer viruses. The council offered an amnesty program, where employees could swap any current un-approved USB memory sticks for the standard, approved devices. A company representative said that their computer system also provides a complete audit trail of USB memory device usage by each employee.
Creditcards.com has a pretty good interactive map of the states that have breach notification laws for consumers. You can easily see by year which states added a law requiring companies to notify affected consumers after a data breach.
There are two problems I see. First, residents of South Dakota, Alabama, Kentucky, New Mexico and Mississippi are pretty much out of luck. These states lack laws requiring companies to notify affected consumers after a breach. For the rest of us, notification is required but varies by state, by the format of the information, and the type of information stolen.
A better map presentation would have overlaid breach notification for consumers' financial information with consumers' medical records.
I am pleased to announce that work has started on the third edition of the Age Of Conversation book! You may remember that I authored a chapter in the second edition: The Age Of Conversation: Why Don't They Get It.
Well, the editors of the third edition are accepting new authors. Each author is responsible for writing a one page chapter up to 400 words. Chapters must be submitted during November 2009. Authors can select one of ten (10) themes to write about. The third edition will feature up to 300 authors. All proceeds from book sales will go to a charity to be selected by the authors.
Which theme did I pick? To find out, you'll have to read the third edition of the book when it is available in 2010.
Last week, the Washington Post newspaper reported:
"Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information. Morrestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations."
The hackers targeted a phishing e-mail message at only PayChoice's customers, an attempt to trick the customers into revealing their corporate bank account sign-in credentials:
"... a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service... If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC."
PayChoice's response to the breach:
"PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords."
I checked the PayChoice site and didn't see a news release about the breach. The company's breach response seems quick but sloppy. It seems that the company responded to the breach only after its customers started receiving phishing e-mail messages. PayChoice says that only onlineemployer.com customers were affected by the breach. I wonder what other data was stolen that the company may not know about. Currently, the onlineemployer.com site includes a cryptic message warning its customers about the phishing e-mail message. A better and more comprehensive breach response would have included:
- A full press release at the company's site
- What other data the hackers stole when they broke into PayChoice's systems
- Details and frequently asked questions for breach victims
- A statement of what help PayChoice is offering to its breach victims and its employees
- A statement about what PayChoice is doing to prevent future breaches
As I've written previously in this blog, identity criminals and fraudsters are smart and persistent. They will search for the weak link in a company's security defenses.
This breach serves notice to all financial services and related companies that handle consumers' sensitive payment and payroll information. Identity criminals first targeted consumers' computers. Then they targeted the banks for credit card information. Next, they moved upstream and targeted the credit card transaction processes. Now, they have moved further upstream and targeted the payroll processing services.