FTC Delays "Red Flag" Enforcement Again

Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.

The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.

As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.

The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:

"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."

In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.

During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.

Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.

Violent Criminals Switch To Medicare Fraud

This is not good news. Breitbart reported:

"... Mafia figures and other violent criminals are increasingly moving into Medicare fraud and spilling blood over what once a white-collar crime... For criminals, Medicare schemes offer a greater payoff and carry much shorter prison sentences than offenses such as drug trafficking or robbery... Medicare scammers typically make their money by billing Medicare for medical equipment and drugs that patients never receive—and never needed. Some pay homeless people on Los Angeles' Skid Row for Medicare or Social Security numbers to use in fake billing invoices. Others intimidate elderly victims to use their Medicare numbers, federal authorities say."

This shift suggests that many local governments and cities need to stiffen the penalties and prison time for identity theft, Medicare, and related fraud crimes:

"Most Medicare schemes are based in cities such as Miami, Los Angeles, Detroit and Houston... A Medicare scammer could easily net at least $25,000 a day while risking a relatively modest 10 years in prison if convicted on a single count. A cocaine dealer could take weeks to make that amount while risking up to life in prison."

The Consequences When An Identity Thief Commits A Crime In Your Name

This is a horrible experience for any person. The Omaha World-Herald reported a particularly nasty case where a citizen was jailed twice due to mistaken identity:

"Last week, Salazar, 38, spent a night in the Douglas County Jail after he and his girlfriend called Omaha police to report a burglary. Ten months ago, he spent two weeks, including Christmas and New Year's Day, in jail after being pulled over for speeding. The reason: Every time Joe Salazar comes in contact with law enforcement, police discover there's an arrest warrant out for a Joe Salazar for failing to appear for sentencing in a 2002 drug case."

The real Joe Salazar lost his wallet in a restaurant: identification, Social Security number, date of birth, and other sensitive personal data. The criminal used Salazar's identity during a crime and then skipped out on bail from a scheduled court data. Hence, the arrest warrant for Salazar and local law enforcement keeps arresting the real Salazar.

Local law enforcement doesn't know the criminal's identity, but they do have his finger prints. Obviously, the real Salazar would like to see some fast, corrective action of his situation with the criminal caught. The real Salazar said:

"It's frustrating, because you know there's nothing you can say or do to convince (police)... I tell them ‘You've got the wrong guy. But I'm sure they hear that all the time.”

What can a consumer do to resolve this? Nothing that I know of. Salazar's problem will continue until the criminal is caught. Will any credit monitoring service help? No. Those services are for helping consumers protect their credit report, not for crimes. With the increasing number of data breaches with stolen consumers' sensitive data, I fear that cases like Joe Salazar's will only happen more often.

[Oct. 16 - Editor's Note: I encourage readers to read the comments below. Several readers submitted informative comments which consumers may find useful.]

Warnings For Consumers From The Federal Reserve Board

This blog is all about empowering consumers (whether you have been mugged or not) to protect their money and sensitive personal information. Last week, the Federal Reserve Board (FRB) issued a warning to consumers to be aware of:

"... fraudulent solicitations that appear to be made with the approval or involvement of the Federal Reserve, Federal Reserve officials, or other U.S. government officials. These solicitations promise bogus financial services or large sums of money in exchange for either payment or personal information that can then be used to access a consumer's bank account."

This type of warning usually means a rise in the amount and frequency of phishing e-mail messages and/or phishing Web sites -- methods to trick consumers into disclosing their sensitive personal information (e.g., bank account numbers, Social Security number, etc.) to identity criminals. That means you may see official-looking but bogus e-mail message that appear to come from the FRB. The FRB operates this web site for users to file complaints about fraud. You should also notify your local law enforcement and submit a complaint to the FTC.

Recently, the I've Been Mugged blog reported advice for consumers from the FRB about private educational loans, shopping for mortgages, and credit cards.

The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that this the Miami man, Albert Gonzalez, was also a former government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting and additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly within compliance to security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penny, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

1. Shop online with your credit card, since that gives you more protection than a debit card.
2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report it quickly to your bank or credit card issuer.

Fact Check The Messages In Your E-mail In-Box Before Forwarding

A few days ago, an acquaintance in Atlanta (who is a doctor) forwarded this e-mail message to me:

"Subject: SOCIAL SECURITY CHANGES

It does not matter if you personally like or dislike Obama. You need to sign this petition and flood his e-mail box with e-mails that tell him that, even if the House passes this bill, he needs to veto it. It is already impossible to live on Social Security alone. If the government gives benefits to 'illegal' aliens who have never contributed, where does that leave those of us who have paid into Social Security all our working lives? As stated below, the Senate voted this week to allow 'illegal' aliens access to Social Security benefits. Attached is an opportunity to sign a petition that requires citizenship for eligibility to that social service. Instructions are below. If you don't forward the petition and just stop it, we will lose all these names. If you do not want to sign it, please just forward it to everyone you know. To add your name, click on 'forward'. Address it to all of your email correspondents, add your name to the list and send it on. When the petition hits 1,000, send it to comment@whitehouse.gov .

Dear Mr. President:
We, the undersigned, protest the bill that the Senate voted on recently which would allow illegal aliens to access our Social Security. We demand that you and all Congressional representatives require citizenship as a pre-requisite for social services in the United States. We further demand that there not be any amnesty give n to illegal aliens, NO free services, no funding, no payments to and for illegal immigrants.
[Names redacted]"

My acquaintance wanted to know what I thought of this message, and if the e-mail message is accurate. First, understand that I am all for citizen participation in a democracy. And that includes petitions.

When I receive an e-mail message like this, I try to verify its accuracy and authenticity. One way I do this is to see if the e-mail message includes any references and/or citations. The citation could be the formal bill number and/or a web site address. Bills written in the U.S. Congress have an HR-xxx number, and bills written in the U.S. Senate have a S-xxx number. This is how everyone tracks Federal legislation, and it assumes you know how the legislative process works. For a complete list of resolution and bill prefixes, see this U.S. Senate site page.

The e-mail message above didn't include a date, any references to bill numbers, any links to Web site pages by the sponsor of the petition, or to related news articles. Maybe this information was deleted as multiple people forwarded the message. Regardless, the message I received didn't provide any means to evaluate the petition's accuracy and authenticity. Hence, this e-mail message is garbage, in my opinion, and I deleted it after sending a reply to my acquaintance.

As a last resort, I suggested that my acquaintance check snopes.com, which does a good job of analyzing and debunking the hoaxes and fictitious e-mail messages. Maybe snopes.com has analyzed this email message. I felt that the message was not worth me wasting any more time on it.

After thinking about this some more, I began to wonder if messages like this are slick attempts at e-mail harvesting.

I also wonder about the thinly disguised bigotry in the message, since it targets undocumented workers in the USA, and not the companies that hire them without perform adequate and sincere background checks. Yes, people who immigrate illegally into the USA often use stolen identification papers in order to gain employment. That usually means using another person's Social Security number (SSN) to get paid. There are severe consequences for a consumer when another person uses your SSN.

This situation is good and bad news. While these undocument workers are working illegally, they pay into Social Security, local taxes, and Federal taxes. Our state and local governments seem happy to receive this tax revenue. The bad news is for the victims -- the consumers whose SSN's are being used by two people. It places the burden on the victims to prove the fraud. Citizens are already urged to check our annual Social Security Statements for fraud, which is a dubious data security process at best. Experts state that this method won't catch all SSN fraud.

In my opinion, the USA needs a better, more secure process for creating, administering, and securing Social Security numbers. A couple computer scientists should not be able to create real Social Security numbers using mathematical formulas. It also means holding companies responsible to perform adequate background checks when hiring workers.

Currently, there is no effective way for citizens to protect their SSN from abuse. The only thing you can do is monitor you annual social security statement and if the salary in that does not match what you earned last year, then it's a good chance another person is using your SSN. At that point, you need local law enforcement and a lawyer to help you resolve and unravel things.

There has to be a better way than this current approach. We citizens should demand that of our legislators. That is a more important issue. It's about the integrity of the Social Security system.

Fake ATM Machine Scams Consumers At Las Vegas Convention

This blog has always been about empowering consumers to protect their identity information and money. The Threat Level blog recently reported:

"A malicious ATM kiosk was positioned in the conference center of the Riviera Hotel Casino capturing data from an unknown number of hackers attending the DefCon hacker conference before someone noticed something suspicious about the kiosk. An organizer for the conference said security authorities seized the device... Witnesses say the kiosk was well-placed to avoid surveillance cameras... The ATM had been placed right outside the hotel’s security office."

I'm always conscious about the ATM machine I choose to use. My habit is to use ATM machines at my bank's branches, and avoid ATM machines at convenience stores. By using familiar ATM machines, it is easy for me to spot skimming devices attached. But when you are traveling, it's not so easy since every ATM machine is unfamiliar.

How can a consumer avoid getting "mugged" by a fake ATM machine? According to Bankrate.com:

"... when you're using an ATM, pay attention. Look for strange wording, like 'swipe your card here before using the ATM.' If your card doesn't come back right away, contact the bank. Don't let strangers help with transactions, or even stand close to you for that matter."

When traveling Bankrate.com advises:

"Thieves place phony ATM machines at high-traffic tourist areas. So stick to ATMs that are near banks or in airports or in hotels. Visa and MasterCard have worldwide ATM locators on their Web sites. So it's easy to scope out legitimate ATM locations in the areas where you'll be traveling.

When Vinny Met Sally (Lexis-Nexis' Data Breach And Organized Crime)

This Information Security Resources article titled, "He’s Not After Your Heart, Just Your Data" documented a new threat which is the intersection of dating, insider identity theft, and organized crime:

"Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family. The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft. Earlier in May, the U.S. Attorney General’s office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy. The 11 had ties to the Bonnano organized crime family."

How the operation worked:

"The alleged suspect, Lee Klein, one of the 11 charged in the indictment, “was an employee of a former Seisint customer who misused his employer’s Accurint access... Accurint is used by law enforcement and other entities to verify identity and locate people... Klein worked for the criminal “crew” of Thomas Fiore, an associate of the Bonanno organized crime family. The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement."

How the dating connection figures into all of this:

"One of the “old school” tactics that the organized crime figures use, says [Avivah Litan, an analyst at the Gartner Group], is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, 'He’s not after your heart; he’s after your data.' ”

The FTC To Rigorously Study Fraud

In his Bizop News blog, attorney Michael Webster wrote:

"The FTC has finally decided to start studying fraud and not simply rely upon the discredited notion of disclosure for prevention. The FTC held a workshop earlier in the year about consumer fraud. From that workshop, the FTC made a decision to try empirically understand the determinants of consumer fraud."

The FTC program was announced in the U.S. Federal Register (PDF). This is clearly good news since:

"The [FTC] Commission has also conducted telephone surveys in 2003 and 2005 designed to measure the proportion of the U.S. adult population that has fallen victim to various consumer frauds. Despite this, surprisingly little is known about what determines consumers' susceptibility to fraud. For example, the 2003 and 2005 FTC Consumer Fraud surveys found that education was not a significant predictor of fraud victimization. Understanding when and why people are vulnerable to fraud would better inform the FTC's substantial, ongoing efforts to fight fraud through law enforcement and consumer education... study results may aid the FTC's efforts to better target its enforcement actions and consumer education initiatives, and improve future fraud surveys."

The FTC's approach towards a rigorous study of fraud:

"Economic and psychological experiments have identified several decision-making biases, such as impulsivity, over-confidence, overoptimism, and loss aversion, that can cause inaccurate assessments of the risks, costs, and benefits of various choices. FTC staff proposes to conduct an economic laboratory experiment to study whether these types of decision biases are related to consumer susceptibility to fraudulent or deceptive marketing claims. Staff intends to study consumers’ assessment of potentially deceptive advertisements... The FTC proposes to conduct an experiment in a university’s economics laboratory with 250 subjects drawn from the campus community. A sampling of 250 persons enables random assignment of subjects into different experimental conditions..."

According to the Federal Register, interested consumers and companies can submit written comments
electronically or in paper form about proposed study approach. Comments should refer to the "Fraud Susceptibility Experiment, FTC File No. P095501," and include your name and state. You can submit comments online at the FTC Web site on or before August 10, 2009. Comments will be made public so do not disclose any sensitive personal or financial information.

How To Protect Yourself Against A Rental Scam

You've probably heard about in on the news. It is a variation of the Craig's List check scam I wrote about previously, but this scam affects both landlords and renters. I encourage you to watch this ABC News video (an advertisement plays first):

To avoid getting "mugged" via a rental scam, the FTC advises consumers to look for these signs:

"They want you to wire money... There’s never a good reason to wire money to pay a security deposit, application fee, or first month’s rent. Wiring money is the same as sending cash — once you send it, you have no way to get it back."

"They want a security deposit or first month’s rent before you’ve met or signed a lease. It’s never a good idea to send money to someone you’ve never met in person for an apartment you haven’t seen... do a search on the landlord and listing. If you find the same ad listed under a different name, that’s a clue it may be a scam."

"They say they’re out of the country. But they have a plan to get the keys into your hands. It might involve a lawyer or “agent” working on their behalf. Some scammers even create fake keys. Be skeptical, and don’t send money overseas."

Teach Your Dad About 'Phishing' This Father's Day

To help consumers avoid identity theft, the U.S. Federal Trade Commission has developed an electronic Father's Day card with tips about how to spot bogus phishing e-mail messages. Versions of the FTC e-card are in English and in Spanish.

To learn more about phishing, whaling, v-phising and other scams, browse the Scams and Threats section of this blog. Or, take one of these online identity theft quizzes.

If you or a parent have been the victims of identity theft and fraud, you should report it to both local law enforcement and to the FTC. To file a complaint in English or Spanish, visit the secure FTC Complaint Assistant site, or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad.

Fraud And Scam Warnings To Consumers From the Better Business Bureau

A couple warnings to consumers so you don't get "mugged," become a fraud victim, or pay more than you have to. First, the BBB advises consumers to read the fine print at online social media sites, especially Facebook, since:

"... the large print doesn’t always tell the whole story... in January, BBB issued a warning to consumers about online ads and Web sites that use Oprah’s name to sell acai berry supplements as weight-loss miracles... these ads are still common on Facebook and MySpace and link to fake blogs such as www.jennylosesweight.com that are designed to look like testimonials of women who lost weight on the acai supplements... The phony blogs link to Web sites that offer a free trial of an acai supplement, and while the customer may think they only have to pay shipping, they could get billed as much as $87.13 every month if they don’t cancel before the trial period ends."

Another scam consumers should be aware of:

"There are many ads on Facebook that advertise ways to make easy money from home... the ads link to blogs that were supposedly created by people who made money through a work-at-home program. One such blog written by a “Sarah Roberts” claims that she added “$67,000 a year to my family’s income working 10 hours a week... The blogs direct readers to Web sites for programs such as Internet Money Machine and Easy Google Cash where they can sign up for a seven-day trial access to information on how to make money from home. While the free trial supposedly only costs $1.95-$2.95, the individual will be charged $69.90 every month..."

Be sure to follow the above link to learn about more scams. Second, the BBB warns consumers about automated phone calls offering lower credit card interest rates:

"Consumers across the U.S. and Canada are sounding off to Better Business Bureaus about incessant automated telemarketing calls promising to lower interest rates on their credit cards. Not only are the calls a nuisance and violate U.S. and Canadian Do-Not-Call laws, but some companies behind the calls are ripping off consumers by charging large up-front fees to negotiate lower interest rates with credit card companies — something consumers can do on their own for free... After the initial recorded message, consumers must dial another number to be connected to a live person. The live “operator” usually starts the sales pitch by asking for the consumer’s credit card number and whether the consumer is interested in lowering their interest rates. From there, callers begin closing the sale, asking if the consumer is willing to pay – usually from $700 to $1,000 - to have their firm contact the credit card company and negotiate lower rates."

About telephone offers, the BBB advises consumers to:

"Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer. Always research the company first by reviewing its Reliability Report at www.bbb.org.; When considering any company offering any type of financial assistance, insist on getting a contract in which all terms and conditions are clearly explained before signing up or providing credit card or other payment information; U.S. consumers can place their home phone number on the federal Do Not Call list by visiting www.donotcall.gov. If the consumer’s number is already on the list but continues to receive telemarketing calls—or is receiving robocalls on a cell phone—he or she can use the same Web site to report the incident to the FTC. Canadian consumers can learn more at www.lnnte-dncl.gc.ca.

Identity Fraud Threat And Impacts Continue For Decades

I started this blog after a prior employer's data breach exposed the sensitive personal data of all of its employees and former employees, including mine. Like many other companies, in 2007 IBM offered its data breach victims one year of free credit monitoring with Kroll.

I have always felt that one year of credit monitoring was not even close to being long enough to cover the duration of the threat after the data breach event. This Reuters news story proves it:

"Two decades ago, Charlie Weidman, an upstanding family man from Boulder,Colorado, lost his wallet. Twenty years later, Mr. Weidman found there were three active warrants for his arrest and that he was listed as "armed and dangerous" by his local sheriff`s department... Mr. Weidman, who learned that he had been the victim of ID crime during a routine background check for a mortgage refinancing. To his disbelief, Mr. Weidman discovered that in addition to the criminal record, he had accumulated $50K in medical debt for hospital stays he had never taken and had a new driver`s license issued in Florida."

To summarize: over a couple decades this consumer was victimized in several ways: identity theft, criminal identity fraud, and medication identity fraud. I believe that this could happen to any of us.

Any bill of rights for consumers must acknowledge the duration of the threat. And, as long as companies provide token efforts of post-breach security (e.g., one year of free credit monitoring), then it will be consumers who absorb the true, ongoing cost of identity fraud from data breaches.

If this situation bothers you (and I sincerely hope that it does), write to your elected officials in Congress and demand legislation for longer and stronger post-breach help for consumers. In my opinion, after a data breach companies should provide consumers with at least 25 years of free credit monitoring, identity resolution, and protection services like Security Freeze fees.

What do you think?

Victims' Perspectives: The 2008 ITRC Annual Identity Theft Survey

Every year, the Identity theft Resource Center surveys identity theft victims, consumers who are in the best position to report what it is like to deal with the consequences of identity theft and identity fraud. Last week, the ITRC released its annual report for 2008. (PDF, 360 K bytes). The key findings:

"Financial identity theft continues to be the most prevalent form of identity theft... The “unlawful use of personal identifying information” for only financial identity theft crimes was reported by 73% of the respondents, a marginal decrease from 2007. Criminal cases represented 5%, a slight increase from the past couple of years. Governmental issues, which may involve employment, benefit fraud, tax fraud or someone using a fraudulent driver’s license as an identifier, accounted for 2%. The rest were combination cases: financial and criminal (6%), financial and governmental (9%), and a combination of all three types (5%)."

The ITRC used the following definitions for the different types of identity theft:

Financial: Information was used in situations involving money, credit, checking, debit, or collection issues; Criminal: Information was used by an impostor was given a ticket, arrested, arraigned or prosecuted; Governmental or Benefit Fraud: There are now problems with the IRS, DMV, SSA or other government assistance programs."

Detailed findings regarding financial identity theft:

"For the past six years, opening new lines of credit has remained the most frequently occurring financial crime. In 2008, 67% of the victims were in this category.... charges on stolen credit cards and debit cards without a PIN also ranked high on the list (39%). This is more than double any preceding year... check fraud grew to 17% in 2008, increasing from the 12% in 2007. Criminals also took out various types of loans using personal identifying information. Mortgages and 2nd mortgages (33%), car loans (22%), personal loans (32%) and business loans (8%)..."

What does this mean? Identity criminals take the easiest path. Retailers that accept credit cards without a PIN make it very easier for criminals to commit fraud:

"The advice of the ITRC to strengthen identity verification at the point of application and/or sale is a simple and effective way to immediately reduce card-based fraud. Matching a photo ID to the name on the card may be inconvenient for a person making the purchase, but it pales in comparison to the inconvenience and consequences of an identity crime. A simple way to verify identity documents used in loan processes is a more intractable problem and will take longer to solve because it requires the private sector – the people who grant credit – and the government to cooperate."

The consequences of criminal and government identity fraud (bold, italics added):

"Often times, victims of identity theft are not just plagued by financial crimes... innocent people have had to prove they were not the person given a ticket, on probation or wanted on a warrant. Often they don’t know about the problem until notified adversely by law enforcement. First awareness could be a denial to get on a plane, a pulled driver’s license, or a knock on the door by law enforcement. You are now guilty until proven innocent. A criminal history on background checks for a job or tenancy may also be the first indication of a problem. This often leads to a resounding “you aren’t the type of person we are looking for” response from a potential employer."

How this criminal fraud can happen:

"Your imposter gives your name and address when cited for vandalism, speeding or other misdemeanors while claiming not to have any identifying documents. Perhaps a fraudulent driver’s license is used to cash a bad check. Bad checks are bounced and reported by banks to the District Attorney’s bad check division resulting in a warrant for an arrest. Fraudulent documents can be used to get welfare. Anyone knowing your Social Security Number can file a tax return before you do, get your refund, or cause you to pay additional taxes for “your second job.”

The ITRC's findings about medical identity theft:

"More than 2/3 of those responding to these questions reported that medical providers billed for services received by the imposter. Another 56% were contacted by a collection agency or billing department for those services. One-third of the respondents said there is now another person’s information on their medical records and 11% were denied health or life insurance due to unexplained reasons."

This means that consumers are directly affected: lost jobs, lost medical coverage, and lost money:

"Respondents in 2008 spent an average of $739 dollars in out-of-pocket expenses for damage done to an existing account indicating an increase from 2007 ($550). These expenses include: postage, photocopying, purchasing police reports, travel, buying court records, and childcare. In reference to new accounts, respondents spent less in 2008 with an average of $951 compared to $1865 in 2007. At least one person reported this included fees charged by an attorney... victims reported spending an average of 58 hours repairing the damage done by identity theft to an existing account used or taken over by the thief. In cases where a new account was created, respondents reported an average of 165 hours to clean up the fraud."

I doubt that most consumers don't have the money ($740) and time (60 hours) to undo the damage from identity thieves and identity fraud. For many consumers the time needed to fix the damage by identity thieves is far longer (bold italics added):

"For the past five years, there has been a steady increase in the number of respondents able to clear issues of all misinformation within the first six months. In 2008, 53% reported their time involvement was 1-6 months. Nearly 30% reported that it took 7-23 months to resolve their case... The number of respondents needing more than 2 years to clear their name has remained relatively steady for the past two years at nearly 20%. It is disturbing that some victims still need such an extended amount of time to clear their records.

The ITRC concludes that this long duration to fix fraud damage could indicate continued fraud by criminals, and/or a more severe case such as criminal identity theft which often requires multiple steps to erase records within local and national crime databases. All identity fraud victims experience emotional impacts:

In 2008, ITRC found more victims acknowledging short term feelings of feeling defiled (37%), betrayal (60%), a loss of innocence (21%), and a sense of powerlessness (63%). Long term emotional responses included: 30% felt unable to trust people, 4% felt suicidal, 25% were ready to give up the fight, and 10% believed that they have lost everything. The answer of “family doesn’t understand why I’m feeling like I do” is higher than ever reported (33%). Also, 33% reported that those close to them “don’t want to understand my feelings.” Almost half said family life is stressed and another 21% stated that children are also affected.

Breach At Lexis Nexis Affects About 40,000 Consumers

On May 1, CBS News reported:

"Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access. The United States Postal Inspection Service is investigating a data breach at both companies..."

Investigative Professonals performs background checks for individuals and companies.

This breach is important for a couple reasons. First, since the breach occurred between June 14, 2004 and October 10, 2007, this is the longest post-breach delay of consumer notification I have heard: two years. CBS News also reported:

"... the data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards. Peter Rendina, a spokesman for the Postal Inspectors Service said that of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards."

Second, the breach is not only credit card theft and fraudulent credit card charges, but also credit fraud since the thieves obtained new credit in the breach victims' names. The CBS News story included the text of the consumer breach notification. Social Security numbers were stolen -- a key element of sensitive personal data for thieves to obtain new credit:

"... sensitive personally identifiable information about you may have been viewed by a few individuals who should not have had access to such information. These individuals were operating businesses that at one time were both ChoicePoint and LexisNexis (hereafter “LexisNexis”) customers, but are no longer. Please be aware that the United States Postal Inspection Service, a federal law enforcement agency investigating this matter, has already notified you directly if it has reason to believe you have been an actual victim of a crime... By utilizing fraudulently-opened mail boxes at commercial mail receiving businesses and personal information of United States residents obtained via LexisNexis, these individuals were able to apply for and obtain fraudulent credit cards...the information accessed may have included your name, date of birth, and/or social security number... the USPIS instructed LexisNexis to delay notifying you until the completion of the USPIS investigation."

Third, this is not the first breach at Choicepoint, acquired by Lexis-Nexs in 2008. After selling its reports to identity thieves in 2005 for about 160,000 consumers, Choicepoint settled with the FTC and paid fines of $10 million in civil penalties and $5 million in consumer redress. Choicepoint seems to have a history of, a) aggressively selling its reports to other companies, some of whom have been identity thieves; b) poor at customer service, and c) lax when it comes to data security. Choicepoint doesn't seem consumer friendly, and it it went out of business tomorrow, I wouldn't shed a tear.

Fourth, Lexis-Nexis offered its breach victims credit monitoring services from Experian. This is a good start, but it's not enough. (Read my review of Experian's service.) Lexis-Nexis should pay the fees for its breach victims' Security Freezes on their credit reports at all three major credit reporting agencies. Why? A Security Freeze is stronger than a Fraud Alert. A Security Freeze will stop thieves from obtaining new credit. Credit monitoring only helps consumers discover fraudulent entries in their credit reports after the fact. Security Freezes help prevent some types of fraud before it can happen.

I checked the United States Postal Inspection Service site (USPIS) for additional information about the breach and its investigation. The Press Releases section of the site featured the latest press releases from 2007. What?! There's nothing more recent?

I also checked the Investigations section of the USPIS site. That was disappointing, since the site section discusses the types of investigations the USPIS performs and not the results of on-going investigations. The USPIS site needs to do a lot more to inform consumers about the status of its investigation, especially victims of the Lexis-Nexis breach. What identity thieves were arrested? What criminals were prosecuted? Is restitution being demanded from the criminals? Neither the USPIS nor Lexis-Nexis are saying.

Two years is a long time to delay a breach notification to consumers. The results of the investigation should justify the delay and be made public. I encourage consumers to contact the USPS Inspector General and your elected officials in Congress.

Data Breach Affects 5,000 Liberty Bay Credit Union Customers

Last week, my wife received a letter from the credit union where she banks:

April 16, 2009

Dear Member,

Re: Liberty Bay Debit Card

Although this is a general advisory for your information only, the Credit Union recommends that you cancel your existing card and have a new card issued.

MasterCard has recently informed the Liberty Bay Credit Union that your Liberty bay Debit card has been suspected of being compromised and or exposed. MasterCard is in the process of investigating this unauthorized access of your card information. To date, no fraud on these accounts has been reported at the Liberty bay Credit Union.

Please contact the member Services Dept. at 617-XXX-XXXX [phone number redacted], if you would like us to issue you a new Liberty Bay Debit card with a new number and pin. Once you have requested a new card your compromised card will automatically be cancelled in 30 days.

We apologize for any inconveniences this may have caused you. If you have any further questions regarding this matter please do not hesitate to call the Member Services Department.

Sincerely,
Member Services Department
Liberty Bay Credit Union

So far, my wife hasn't received any notices from MasterCard. She checks her bank statements online, so she is sure that there hasn't been any fraudulent charges submitted -- so far.

My wife called Liberty Bay Credit Union (LBCU) to learn more about the data breach and what LBCU is doing to help. An LBCU representative said that MasterCard did not release any details about the breach, and that all of LBCU's 5,000 members were affected.

This is troubling for several reasons:

• Members deserve better notification about the breach details. The letter did not list the types of sensitive personal data stolen. I didn't seen any news releases about the breach at LBCU's Web site.
• The letter contains the typical, unhelpful language, "To date, no fraud on these accounts has been reported..." In my experience, it takes fast notification of consumers who are often best positioned to notify the bank (or credit union) of which charges are bogus.
• LBCU's notification should be stronger than an "advisory." It doesn't offer any credit monitoring services. It doesn't indicate what the credit union is doing to help -- like pressure MasterCard for breach details. It doesn't mention who is paying the cost of new accounts for LBCU members. (Hopefully, MasterCard or the company that suffered the breach is paying the cost, and not LBCU.)
• If members request a new debit card account, the old account should be canceled immediately. It should not take as long as 30 days. That delay seems unacceptably slow and prone to fraud.
• The lack of details about the breach incident causes me to wonder if this breach is part of the larger Heartland Payment Systems breach
• The tone of the letter gave me the impression that LBCU is being totally reactionary and is letting MasterCard perform all of the investigative work.

My wife is understandably angry. Again, a company (e.g., MasterCard, one of its payment processors, or a vendor) has been unable to adequately protect consumers' sensitive personal data, and this has inconvenienced consumers. And, this was not the first breach notice my wife has received from a financial institution. It makes her question whether our financial industry really knows what it is doing about data security.

I question the speed of LBCU's notification. Consider this January 23, 2009 news story from USA Today:

"Visa and MasterCard have begun notifying member banks around the nation to contact patrons whose card accounts may have been compromised in the Heartland Payment Systems data breach. Robert Baldwin, Heartland's President and CFO, said in a USA TODAY interview that Visa and MasterCard are "instructing many card issuers" to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland."

Consequences of the Heartland Data Breach (Part Two)

In Part One of this story, we met Janet after fraudsters had attempted to submit charges to her Visa credit card. Janet's story continues with some unexpected twists, which we all can learn from.

After Visa -- and not her credit union -- had notified Janet of some fraudulent charges, Janet followed my advice and notified Visa in writing (e.g., a letter via Postal Mail with a Return Receipt) that the charges were indeed bogus. Visa removed the bogus charges.

Janet was curious why her credit union had not notified her about the fraudulent credit card charges, since the credit union issued her Visa credit card. Her credit union indicated that her situation was not a result of the Heartland Payment Systems data breach, since her credit card number wasn't on the list of compromised card numbers the credit union received.

This seemed odd to me since Visa's arrangement with Heartland is well documented in the news media. Thinking that here situation was resolved, Janet was surprised to receive via postal mail a letter from Experian notifying her of an attempted address-change request. Somebody was attempting to change Janet's address on her Experian credit report. This was a troubling surprise for several reasons:

• Janet had not submitted an address to change to Experian or to any other credit reporting agencies
• Janet has a Security Freeze on her credit reports at the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion) to prevent unauthorized access. An attempted address change by a fraudster is clearly an unauthorized access.
• In its letter, Experian also said that it had sent a notice of this attempted address change to both the new address and to Janet's current address

Janet is puzzled why Experian would send a letter to the new address when she alread has in place a Security Freeze prventing access to her Experian credit report. Next, Janet did what anyone would do: she called Experian's customer service number to talk with a representative. Janet did not want to just send a letter to Experian. She wanted faster action, since identity thieves were trying to access her sensitive personal data.

Sadly, Janet has been unable to talk with a human representative at Experian. When calling the Customer Serivce number, she gets stuck in an endless series of menus to phone messages, with no way to talk to a human customer service representative. Same results with Experian's web site.

Janet followed my advice and filed a police report with local law enforcement. After filing the report, the detective involved has also been unable to contact a human representative at Experian.

Janet asked me what she should do next, since she is leaving for vacation for 10 days. I said that while she is on vacation, I will try to contact the President or CEO of Experian to see what type of response I could get for her. Janet is also contacting her local Congressional Representative.

Janet should be able to talk with a human representative from Experian, especially during a time when identity thieves are attempting to access her Experian credit reports. Janet's experience so far seems to indicate a customer service melt-down at Experian.

This story is far from over. If you want to learn what happens, sign up for either e-mail or RSS updates from I've Been Mugged. As I learn more, I will post it in this blog.

Congress Rips PCI Security Standards

Earlier this month, ComputerWorld reported:

"At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud. The hearing, held by a subcommittee of the House Committee on Homeland Security, also highlighted the longstanding bitter divide between retailers on one side and banks and credit card companies on the other..."

I am not a PCI security expert. Like many consumers, I am learning about PCI DSS -- what it is and which companies are supposed to use it. Regardless, the system seems seriously broken when companies that are supposedly PCI DSS compliant experience massive data breaches:

"Hannaford was certified as PCI-compliant by a third-party assessor in February 2008, just one day after the company was informed of the system intrusions, which had begun two months earlier. That means the grocer received its PCI certification "while an illegal intrusion into its network was in progress... Similarly, RBS WorldPay Inc. and Heartland Payment Systems Inc. were both certified as PCI-compliant prior to breaches that the two payment processors disclosed in December and January, respectively. Visa Inc. dropped Heartland and RBS WorldPay from its list of PCI-compliant service providers last month and is requiring them to be recertified..."

Should consumers be concerned? Absolutely. First, read my prior post about some of the consequences of the Heartland data breach. Second, consider what the stolen monies are used for. From the PCI DSS Compliance blog:

"We have read complaints on other blogs about the PCI standards, claiming they are a burden for merchants and software developers... Kimberly Kiefer Peretti, Senior Counsel in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, recently wrote an excellent white paper, "Data Breaches: What the Underground World of ‘Carding’ Reveals.” In this paper, she gives a concise overview of large scale data breaches by skilled hackers —- who is doing it and how, as well as the implications of these breaches. One of Peretti’s most salient points comes in her discussion of how carding—activities surrounding the theft and fraudulent use of credit and debit card account numbers -— is linked to other criminal behavior, including terrorism and drug trafficking."

'Botox Bandit' Writes Bad Check At California Spa

From the Orange County Register:

"... two women came to the Luxe MedSpa in March for a consultation and treatment. Both received Botox and filler treatments to smooth lines and wrinkles.The women, who used false names, wrote a check to pay for their treatments..."

The $3,300 check bounced, stiffing the Yorba Linda spa. The spa now no longer accepts checks from its customers. Police have a good lead, since the spa took photos of both fraudsters before their cosmetic treatments. This was not the first 'Botox Bandit' fraud incident:

"... a similar incident in Huntington Beach, where police sought the "Big-Bust Bandit." A woman identified as Yvonne Pampellonne, allegedly used a false identity to get breast implants and liposuction then skipped out without paying. Pampellonne turned herself in to police last month. In January and February, a "Botox Bandit" struck at two Newport Beach clinics, where an unidentified woman had $1,000 to $3,000 worth of injections of Botox and dermal filler, then walked away without paying..."

Slumping Economy Makes It Harder For Consumers To Recover From ID-Theft

A new Nationwide Insurance survey found that:

"... nearly half of respondents said that if their identity were stolen today, they did not know if they had enough money in reserve to weather the recovery process. The new survey also found that 10% of identity theft victims polled missed payments due to the crime. Of those victims, four out of five say the theft caused serious repercussions – including lower credit scores, utilities shut off, bankruptcy, vehicle repossession, home foreclosure or even jail time."

The survey included telephone interviews of 400 adults, including 200 ID-theft victims, and was conducted from December 12-17, 2008 by MRSI. Additional findings:

"... identity theft victims tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Additionally, people who are separated or divorced, and those making $75,000 or more a year are more likely to fall prey to identity theft than the general population."

How consumers respond to identity theft:

"... 52% of respondents said they would tackle the recovery process from identity theft on their own... Nationwide’s previous polls found that identity theft victims spent an average of 81 hours trying to resolve their case and one in four cases were unresolved after a year of trying..."

Wow! That statistic is higher than I thought. There's so much time and work involved in fixing damage from identity theft, that I'd definitely use a credit restoration service. Sure, there are some things consumers can do on their own (e.g., fraud alerts, Security Freezes, opt-out of pre-aproved credit offers), but a trustworthy credit restoration service can definitely help. With higher unemployment rates, now is not the time to miss work and jeopardize your job while trying to resolve the financial account and credit report damage done by identity thieves and fraud.

Interested individuals can read more at the Nationwide Insurance site.