This blog has discussed how to recognize skimming devices attached to ATM machines. According to Wired magazine, law enforcement authorities in Europe seized the video below from an identity thief's actual surveillance camera. The video shows:
Thieves use the tiny surveillance camera to record bank customers' PIN numbers as they entered them. Thieves use the skimming device on the card slot to copy all of the data stored on the magnetic strip of bank customers' debit cards. Both devices transmit their contents via a wireless connection to the thief's laptop computer somewhere nearby.
With these pieces of bank account information, thieves then create duplicate debit cards and return to one of your bank's ATM machines to drain all of the money from your checking (and savings) account. And, you'll never know it until a check bounces, you try to withdraw cash, or you check your account balance.
The video shows some bank customers safely covering their hands when entering their PIN numbers. To protect your PIN number and bank account, you should cover the hand you use to enter your PIN number. Watch all of this video:
Alert users will notice that this ATM machine is accessible via a public sidewalk. I do not use these ATM machines. I use only the ATM machines behind a locked door at my bank's ATM booths.
Theft by ATM skimming devices is a nationwide problem. Experts say that every year ATM machines dispense about $1 trillion dollars (that is $1,000,000,000,000), and theft by ATM skimming devices is less than one-half of one percent of that total -- still a huge amount of money. So, the problem is not going away anytime soon. Plus, the ATM skimming devices are getting smaller and more sophisticated.
As good as the above video is as a training tool, it won't help you at gas stations because thieves often insert skimming devices inside unattended gas station pumps. To learn about how to protect yourself at gas stations, read this blog post.
Most of us pay taxes and our tax return documents contain plenty of valuable information identity thieves would love to steal and abuse. One thing criminals can do with your stolen personal information is fraudulently cash your tax refund checks.
How can taxpayers avoid this and other tax-related fraud? The U.S. Internal Revenue Service (IRS) provides these 10 tips for taxpayers:
"1. The IRS does not initiate contact with a taxpayer by e-mail.
Simply, if you receive email messages that appear to be from the IRS asking you to confirm your information, you now know these messages are phishing scams. What should taxpayers do:
"2. If you receive a scam e-mail claiming to be from the IRS, forward it to the IRS at email@example.com.
The third tip is a warning about all of the different ways criminals can steal your tax and personal information:
"Stealing your wallet or purse... Posing as someone who needs information about you through a phone call or e-mail... Looking through your trash for personal information, Accessing information you provide to an unsecured Internet site."
This blog includes suggestions about using a locking postal mailbox and shredding documents, bills, and statements with your sensitive personal information. All online users, including taxpayers, must learn how to recognize a phishing website. Identity thieves will create real-looking but bogus websites to trick you into disclosing your tax, financial, and sensitive personal information:
4. If you discover a website that claims to be the IRS but does not begin with ‘www.irs.gov’, forward that link to the IRS at firstname.lastname@example.org."
All online users, including taxpayers, need to learn how to recognize a secure website. This is important for both wired and wireless Internet connections. To learn more, visit the OnGuard Online website operated by the U.S. Federal Trade Commission (FTC). This blog has covered tips on how to protect yourself from sidejacking when using a public wireless Internet connection.
Most people know that your Social Security number is a critical piece of personal information you must protect from theft and abuse. Here's why:
"6. If your Social Security number is stolen, another individual may use it to get a job. That person’s employer may report income earned by them to the IRS using your Social Security number, thus making it appear that you did not report all of your income on your tax return."
This blog covered the consequences when another person uses your Social Security number. The consequences go far beyond taxes. Here are ways you will know if another person is using your Social Security number:
"7. Your identity may have been stolen if a letter from the IRS indicates more than one tax return was filed for you or the letter states you received wages from an employer you don’t know. If you receive such a letter from the IRS, leading you to believe your identity has been stolen, respond immediately to the name, address or phone number on the IRS notice."
Many consumers have been the victims of data breaches, where an employer or prior employer has exposed your sensitive personal information to the public via loss or theft. This happened to me when a former employer lost my sensitive personal information. Thankfully, my credit and tax records have not been abused. If you think that your tax information may be abused, the IRS recommends:
"8. If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost wallet, questionable credit card activity, or credit report, you need to provide the IRS with proof of your identity. You should submit a copy of your valid government-issued identification – such as a Social Security card, driver’s license, or passport – along with a copy of a police report and/or a completed Form 14039, Identity Theft Affidavit. As an option, you can also contact the IRS Identity Protection Specialized Unit, toll-free at 800-908-4490. You should also follow FTC guidance for reporting identity theft at www.ftc.gov/idtheft."
When people ask me what to do after their wallet has been lost or stolen, this is one reason why I always suggest that they file a police report with local law enforcement and notify their state motor vehicles registry.
"9. Show your Social Security card to your employer when you start a job or to your financial institution for tax reporting purposes. Do not routinely carry your card or other documents that display your Social Security number."
The tenth tip is that consumers should visit the IRS Identity Theft and Your Tax Records page at the IRS website to learn more about protecting their tax records and information.
Reportedly, about 150 million consumers participate in 700,000 employer-sponsored 401(k) retirement plans. Given a lingering economic recession, credit crunch, and poor managerial decisions, some small business executives may be tempted to use the employer-sponsored 401(k) plan as a loan source to help with their cash flow.
If any of this has happened to you, then you probably felt mugged. We all expect our employers to honor their agreements and promises. And one important promise (required by law) is for company executives to deposit employee contributions in a timely and accurate manner into the employer-sponsored 401(k) retirement plan.
"In FY 2009, EBSA closed 3,669 civil investigations, with 2,833 (77.21%) resulting in monetary results for plans or other corrective action... In FY 2009, 204 cases were referred for litigation... EBSA cases referred to the Solicitor’s office for litigation are often resolved, with monetary payments, short of litigation. Nationwide in FY 2009, litigation was filed in 107 civil cases... In FY 2009, EBSA closed 287 criminal investigations. EBSA’s criminal investigations, as well as its participation in criminal investigations with other law enforcement agencies, led to the indictment of 115 individuals – including plan officials, corporate officers, and service providers – for offenses related to employee benefit plans... In FY 2009, EBSA’s Benefits Advisors handled nearly 365,000 inquiries and recovered $124.5 million in benefits on behalf of workers and their families through informal resolution of individual complaints."
"If you contribute to your retirement plan through deductions from your paycheck, then the employer must follow certain rules to make sure that it deposits the contributions in a timely manner. The law says that the employer must deposit participant contributions as soon as it is reasonably possible to separate them from the company’s assets, but no later than the 15th business day of the month following the payday."
When the executives at your employer (who are usually 401(k) plan fiduciaries) fail to follow these rules, file a complaint immediately with the U.S. Department of Labor:
"Fiduciaries that do not follow the required standards of conduct may be personally liable... if an employer did not forward participants’ 401(k) contributions to the plan, they would have to pay back the contributions to the plan as well as any lost earnings, and return any profits they improperly received."
If your employer goes out of business:
"Federal law requires that retirement plans fund promised benefits adequately and keep plan assets separate from the employer’s business assets. The funds must be held in trust or invested in an insurance contract. The employers’ creditors cannot make a claim on retirement plan funds."
If you discover abuse, notify your employer immediately. If your employer fails to correct the problem, file a complaint with the U.S. Department of Labor office nearest to you.
Last week, Norton released its 2010 Cybercrime Report. The main finding is that cybercrime is a huge, worldwide problem:
"For the first time, this report reveals that nearly two thirds of adults globally have been a victim of some kind of cybercrime (65%). Cybercrime hotspots where adults have experienced cybercrime include: 83%, China; 76% Brazil/India; 73% USA."
What is "cybercrime?" Cybercrime includes:
"Computer viruses and malware attacks are the most common types of cybercrime people suffer from, with 51% of adults globally feeling the effects of these. In New Zealand, Brazil and China it’s even worse, with more than six out of 10 computers getting infected (61%, 62% and 65% respectively). Adults around the world have also been on the receiving end of online scams, phishing attacks, hacking of social networking profiles and credit card fraud."
Readers can download one or several country-specific versions of the report. I downloaded the United States version. Some of the detailed findings:
The online survey was conducted February 2-22, 2010 for Symantec Corporation by StrategyOne, an independent market research firm. The survey included 7,066 adults aged 18 and over in 14 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States). The survey used the primary language in each country.
Only 9% of adults worldwide feel very safe online. Combine that statistic with any of the above findings about expecting to be a victim, criminals not being brought to justice, feelings of anger, and the cost of resolution and you have a very sad commentary on the state of today's Internet.
The report confirms something I have said for a long time. Consumers demand control over their sensitive personal information -- the number one rule consumers in the USA use as a solution to protect themselves online. The leading "common-sense rules" consumers in the USA use to protect themselves online are:
This blog contains plenty of resources to help consumers stay safe online. To learn more, click on the "List of Lists" or "Reviews" links in the horizontal navigation bar at the top of this page. If you use Facebook.com, you see the list of blog posts in the Facebook module in the near-right column.
This organization's post-breach response has been disappointing. First, some background. Weymouth, Massachusetts-based South Shore Hospital (SSH) announced in July a data breach that affected 800,000 patients (and former patients), including patients also at Harbor Medical Associates and South Shore Physician Hospital Organization. The computer files in that breach contained patients' medical and financial information that was not encrypted. Encryption is preferred because it makes it difficult for identity thieves to access and use stolen information.
During July, the hospital also posted a sample breach notification on its website. The good news: that sample notification provided instructions for breach victims to protect themselves and their sensitive personal/medical information. The bad news: breach victims will learn this only if they heard or read about it in various news reports, blogs (like this one), or visited the hospital's website. SSH did not notify breach victims directly.
Earlier this month, in a statement at its website SSH announced the completion of its breach investigation. SSH engaged Huron Consulting (PDF document with investigation report) to assist with the breach investigation. In a statement about the breach investigation, SSH:
"... concluded that there is little to no risk that information on the files has been or could be acquired, accessed or misused based on the following key investigation findings: The back-up computer files were stored on unmarked computer tapes that were packed in three sealed boxes... South Shore Hospital, the private investigation team, and Ohio-based R+L Carriers – the company that transported the files for offsite destruction – conducted multi-state searches for the two missing boxes... two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable... Even if the computer tapes were found, Huron’s experts have concluded that specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required to access, aggregate, interpret and ultimately use information on the files."
To summarize, three companies, including the one that originally lost the computer tape shipment, looked high and low for the lost/stolen shipments. They believe that it ended up in a secure landfill. And breach victims are supposed to believe that this is okay.
What? Believing a thing does not make it so. After three years of writing this blog, I have learned that identity thieves are persistent and creative. Does SSH really believe that criminals won't open sealed boxes? Does SSH really believe that identity criminals wouldn't be curious about what is on unmarked computer tapes? SSH's above statement stretches believability and insults consumers' intelligence.
Plus, "little to no risk" does not mean zero risk. What is "little risk?" Five percent, one percent, or half of one percent? Risk is personal. What one person considers risky another may not. Would you feel secure with a 5% chance that your sensitive personal and medical information could be abused and misused? Breach victims deserve better: to be directly notified and fully informed. Breach victims have the right to decide for themselves what risk they want to assume.
Plus, should identity thieves use the stolen information, the risk is to the breach victims who will likely be the first to notice the problem on Explanation Of Benefits statements, when reading their medical records, or when accessing health care services. I find the part about "specialized equipment, proprietary software, sophisticated knowledge, time and financial resources" debatable since identity criminals regularly develop and distribute sophisticated computer viruses, phishing emails, and phishing websites. The continual flood of phishing scams indicates that scammers around the planet make money with identity theft and fraud. If they didn't make money, the phishing scams would stop.
Stricter data security regulations went into effect in Massachusetts in March. Moreover, Massachusetts' 2007 breach notification law requires organizations to notify breach victims individually, with this exception for "substitute" notification:
"... if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."
Apparently, the hospital is using "substitute" notification for its breach response: notices at its websites and in newspapers. More likely, the hospital is trying to minimize total post-breach costs, which usually include notification, legal fees, fines, and complimentary credit/medical monitoring services.
The Massachusetts Attorney General's office issued this response about SSH's decision not to notify breach victims individually:
"The Attorney General’s Office has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss. The Attorney General’s Office will continue to monitor and investigate South Shore Hospital’s actions..."
I wonder what breach victims (e.g., patients and former patients) think of SSH's post-breach response. Other hospitals and health care organizations (e.g., AvMed and BC/BS of Tennessee) notified their breach victims individually and provided complimentary credit/medical record monitoring services. Insurer Health Net chose not to notify its breach victims and was investigated by several states' attorney general offices.
Prior research indicated that data security at hospitals is poor. It seems to me that breach victims want SSH to demonstrate with its actions that it is doing everything to protect their sensitive personal and medical information. That includes both effective data security methods to prevent breaches, and helping patients protect themselves after a data breach. After all, the breach was SSH's fault (via an outsourced vendor) and not the patients' fault.
A comprehensive and consumer-friendly breach response means doing more than the legal minimum. SSH's post-breach response seems like the hospital is cutting corners. If the hospital cuts corners here, I wonder where else it cuts corners in its operations and data security. Knowing all of this, would you go to SSH for health care?
To learn more about these breach notification and related medical data security issues in general, there will be a workshop Tuesday September 21 about HIPAA, HITECH and the new Massachusetts data security laws that became effective in March 2010 (e.g., MA 201 CMR 17). The workshop, sponsored by Sophos and the Mintz Levin law firm, will discuss related compliance, legal, technology, and security issues with medical information. Scheduled speakers include representatives from the Ponemon Institute, Mintz Levin, Sophos, and MFA Cornerstone Consulting.
This workshop seems especially appropriate and timely given the SSH data breach and the hospital's post-breach response. I registered for the workshop and will report in this blog what I hear and learn.
The CBS News Early Show features a really good video warning job seekers about employment scams. I strongly recommend watching the video, since it is short, informative, and very helpful.
Experts advise job seekers to:
I like the Google search engine since I can usually find what I am looking for. I frequently use special characters and search operators to perform very targeted searches. Given this positive experience, I recently tried the new Google Instant search feature:
"Our key technical insight was that people type slowly, but read quickly, typically taking 300 milliseconds between keystrokes, but only 30 milliseconds (a tenth of the time!) to glance at another part of the page. This means that you can scan a results page while you type. The most obvious change is that you get to the right content much faster than before..."
Simply, Google Instant displays search results before you finish typing your search terms. You must use your laptop or desktop computer since Google Instant is not yet available on mobile devices. Google Instant does not work with the Google search box in your browser toolbar.
For me, relevance and precision are more important than speed. However, I recognize that many consumers prefer speed. Since Google archives so much information about users, I wish that the Google Instant announcement explained its approach for displaying search results before I have finished typing. Is the display based on a calculation of similar searches performed by all consumers? Is the display based on a calculation of past searches I have performed? And if it is the latter, what personal data is Google using to perform that calculation?
Obviously, Google is using some sort of calculation or algorithm to display results in Google Instant. And, that algorithm doesn't necessarily display all search results you would see in a standard Google search. It seems to guess what you are trying to type. Some bloggers have gone so far as to say that Google Instant censors search content, and that censoring is not applied consistently.
As an adult, I don't need nor want the censoring. And if I had purchased Google search words for the search results page, I doubt I'd be happy with Google Instant. Fewer users will see the search results page.
A couple videos explain the new Google Instant feature:
Readers of this blog know that I am not a fan of location-based messaging by consumers at social media sites. This news story highlights another reason why.
NECN reported that a burglary ring targeted Facebook users in New Hampshire. About 50 homes were broken into and more than $100,000 of items stolen. The thieves targeted consumers who had posted location-based status messages on Facebook that they were not home, out of town, or on vacation.
This is not the first time this has happened. In March of this year, CBS News reported an incident where a Facebook user was burglarized by one of their Facebook friends. This Facebook user posted a status message online about when they would attend a concert and not be at home. A home surveillance camera recorded the burglary. The theft victims posted online the video of the burglary.
We all know at least one Facebook friend whose account has been hacked. And, the reality is that not all of your Facebook friends have locked down their Facebook privacy settings. So, it seems wise to assume that your messages are public -- which makes location-based status messages risky.
If you choose to use location-based services and/or post messages about where you are, then bulk up on your property insurance. For more tips about things you should not do on Facebook, see the Facebook topical module in the near-right column.
The U.S. Federal Trade Commission (FTC) seeks comments from the public about a planned survey on the frequency of consumer fraud in the United States. The FTC performed this survey previously in 2003 and 2005. A major finding in the 2005 survey (5.1 MBytes, Adobe PDF document) was:
"An estimated 13.5 percent of U.S. adults – 30.2 million consumers – were victims of one or more of the frauds covered in the 2005 fraud survey during the year before the survey was conducted (Table 2). There were an estimated 48.7 million incidents of these frauds during this one year period."
The FTC proposes to survey by phone consumers aged 18 and older with a nationwide randomly-selected sample. The agency says that the survey results will help it determine the rates of consumer fraud, the makeup of types of consumer fraud, and how to fight consumer fraud. The last survey found that the most frequent types of fraud included fraudulent weight-loss programs, fraudulent foreign lotteries and buyers clubs, fraudulent prize promotions, and fraudulent work-at-home programs. The types of victims varied:
"Eighteen percent of Hispanics and 20 percent of African Americans are estimated to have been victims of one or more of the frauds covered by the survey. The rate for non-Hispanic whites was 12 percent..."
A chief factor that made some consumers more vulnerable to fraud:
"Consumers who indicated that they had more debt than they could comfortably handle were more likely to be victims of fraud than those with less debt. Almost one quarter of those who indicated that they had more debt than they could comfortably handle were victims of one or more of the survey frauds..."
It will be interesting to see how the economic recession and home foreclosures during the past two years affect the next survey's results. And, there are several new technologies and mobile devices that didn't exist five years ago.
The deadline for submitting comments is November 1, 2010. Consumers can submit comments online at a secure FTC website, or via postal mail to:
Federal Trade Commission
Office of the Secretary, Room H-135
(Annex J), 600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Written comments should reference the "Consumer Fraud Survey 2010, FTC File No. P105502" so that consumers' comments are accurately collected. Because the FTC makes public all comments it receives, your submission should not include any sensitive personal information, such as your Social Security Number, birth date, driver’s license number or other state identification number, passport number, financial account number, and/or credit or debit card number. Your submission should not include any sensitive medical information or trade or secret business processes.
I was reading a Scam Alert in the AARP Bulletin and learned something new about what to do after your wallet (or purse) is lost or stolen. We carry plenty of sensitive identification documents in our wallets. The first six steps I already knew about, but the seventh step is an option for consumers that I didn't know about:
I checked for my home state, and the Massachusetts Registry of Motor Vehicles (RMV) provides an "Activity Hold Request" form for drivers to use for this type of identity theft. This is something you can easily do yourself for free. The Activity Hold Request form is easy to complete and you should use it if your driver's information has been stolen or if identity fraud has already been committed with your stolen license and/or identity information.
I wish that the Massachusetts RMV made this form easier to find online. There is not an identity theft link on the RMV main page. You have to click on "Forms Overview" and then "Identity Theft" to access this identity theft form.
The California Department of Motor Vehicles (DMV) has an easy-to-find "Lost or Stolen License or ID Card" link on its main page. The California DMV advises consumers to contact the DMV after their driver's license and/or identity information has been stolen or used fraudulently:
If your DL/ID is stolen or misused contact DMV at 1-866-658-5758 or by e-mail at DLFraud (at) dmv.ca.gov. IMPORTANT: An e-mail or fax transmission of confidential information such as your social security number or credit card information is not fully secure. You may wish to contact DMV by mail or telephone... If you discover that you have become a victim of DL or ID card fraud, immediately contact your local DMV to report the misuse. For an appointment call 1-800-777-0133 or you can make an appointment on-line at www.dmv.ca.gov.
If you live in a state other than California or Massachusetts, you should check the DMV website for your state about what to do. Hopefully, you will never have to experience a lost or stolen wallet and driver's license.
Welcome back from the long holiday weekend. I cannot emphasize enough that consumers need to be really careful where you use your debit card. Stolen debit card information gives criminals direct access to your entire checking account.
The Skokie Patch (Skokie, Illinois) reported incidents where several consumers were victims of ATM fraud. During a few days, eight consumers had about $10,900 stolen in fraudulent bank account withdrawals after using certain ATM machines. According to police reports, about 23 fraudulent withdrawals were made by criminals, each for about $500. All of the victims reported that they still possessed their debit cards when the fraud happened.
This is another example that ATM skimming is a nationwide problem. Criminals also hide skimming devices inside unattended gas station pumps, which are impossible for consumers to detect. Experts advise consumers to:
Me? I use my debit card only at my bank's ATM machines. And I use ATM machines I am familiar with, so it is easier to spot any attached devices. At gas stations, I never pay at the pump and I pay inside with either cash or a credit card.
Perhaps, the executives at Facebook should have used an approach like this, so their users can opt-out of Places.
For more than three years, I've written this blog about identity theft, breaches, and corporate responsibility. The topics of privacy and control of sensitive personal information are closely related. Over the past two years, I've written about the limitations and frustrations of Facebook.com. See the module in the near right column for a list of blog posts about Facebook.
Frankly, I am ready to move on to the next, best thing because Facebook isn't it -- at least it isn't it for me. So, last week I warned my Facebook friends that I had decided to reduce both my personal time on the Facebook site and the volume of personal posts. I had already removed most of my liked pages and sensitive personal data from my Facebook profile. I had already removed most photos, too. In the future, most of my time on Facebook would be to maintain the Facebook fan page for this blog.
Given that, I began to wonder what elements would make up my ideal social networking site. Here is my list (in priority order):
Alert readers will notice that I didn't say the service has to be free. If the service is providing truly value-added features and benefits, I am willing to pay a reasonable amount. Often I have found that you get what you pay for with free services.
What do you want in an ideal social networking site? Feel free to add your items below.