Heartland To Pay American Express $3.6 Million For Breach

Last week, PC World reported:

"Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year."

Heartland processes credit card and debit card transactions. Typically after a breach banks and credit card issuers incur expenses to delete the compromised credit card accounts and issue new credit/debit cards to consumers. So, it is appropriate for Heartland to reimburse the credit card brands and credit card issuers.

"Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches."

Earlier this year, the company set aside over $12 million to cover fines and other breach-related expenses. In February of 2009, at least two class-action lawsuits were filed against Heartland. By Une, about 31 lawsuits had been filed.

Anybody Can Buy And Operate an ATM Machine

This is wrong on so many levels.

Apparently, anybody can buy and operate an ATM machine. It's easier than you think. And, we consumers need to get smarter about recognizing an ATM machine that criminals have tampered with. Watch this video about how a security expert bought an ATM machine on Craig's List:

What do I do? I never use a standalone ATM machine, like those you find in casinos and convenience stores. I always use one of my bank's ATM machines that is located in a secure facility.

If you want to learn more, read this blog post on Information Security Resources. More importantly, write to your elected representatives in Congress and demand consumer protections with ATM regulations.

Online Personal Finance Web Sites: a "Perception of Security?"

Last year, I wrote a very popular blog post about Mint.com and data security. It seems that others are also looking at the security offered by personal finance Web sites.

In a blog post titled, "How Mint and other Web startups make users feel safe," the reputable Javelin Strategy & research firm said this:

"Though many consumers inherently trust bank security, the reality is that some will be willing to experiment with such sites because they believe there’s an acceptable trade-off between risk and reward. To get a feel for how Web startups tell their security stories, I examined the sites for Mint, Wesabe, Geezeo and Rudder, which suffered an embarrassing security mishap in May. And it turns out there’s a basic formula that involves creating a perception of security, minimizing the use of personal data, deputizing the customer with financial alerts and disclosure. But most interesting of all to me: Two of the sites spin their biggest functional weakness into a security strength. That weakness is that users of such sites can only monitor their money..."

Javelin Strategy advises its corporate and banking clients about how to make money online. I found the phrase "perception of security" most interesting, and this comment too:

"The challenge for Web startups is to create a perception of security.... as much as consumers are anxious about security, they can get over that hurdle if the benefits of the personal finance management tools are strong enough."

What does this say about today's Internet users and consumers? What does this say about how companies view today's Internet users? It suggests that we are a group of gullible sheep. As a group, we seem to be willing to overlook real security lapses and engage in a gamble that identity theft and fraud won't happen to me. That's not how I choose to do my online banking. I demand the best security available.

How To Check Your Insurance Company's Complaint Record

Everyone has horror stories about insurance companies, whether its auto insurance, health insurance, homeowners, or property insurance. There's a good article at Kiplinger.com that has documented the leading ways insurance companies "mug" or abuse their customers:

"... the top complaint had to do with claims payments -- claims-handling delays (19.1%), followed by denial of claims (17.9%) and unsatisfactory settlement offers (15.0%). You should be concerned if a company you're considering has a lot of complaints in these areas. The next category of complaints revolves around underwriting -- the insurer's process of accepting or rejecting applicants and setting rates. Premium and rating accounted for 4.8% of the complaints, and policy cancellation for 4.2%. The type of insurance policyholders had the most complaints about was accident and health insurance (37.7%), followed closely by auto insurance (33.7%). There were fewer complaints about homeowners insurance (12.71%) and life insurance and annuities (10.4%)."

Maybe you are looking for a new insurance company, or just curious about your current provider. To check an insurance company's complaint record, visit the Consumer Information Source Web site produced by the National Association of Insurance Commissioners (NAIC). Then:

"Type in the name of the company, the state where you live and the type of insurance. (Under "statement type" and "business type," click on "property/casualty" for home and auto insurance or "life, accident and health.") The site then provides the insurer's national complaint statistics. Focus on the complaint ratio, which shows the ratio of the company's U.S. market share of complaints to the company's U.S. market share of premiums for a specific policy type... If the national median complaint ratio is 1.00 and the ratio for the company you're considering is 2.00, for example, that should be a red flag. Also look at the complaint trend report to see whether the company's complaints have been increasing or decreasing over time. If the insurer's complaint ratio is high, check its record at your state insurance department and find out whether any enforcement actions have been taken against the insurer."

To find your state government's insurance department, browse this NAIC Web page with a map of insurance commissioners by state. Both links are great resources, whether you are happy with your current insurance company or looking for a new one.

ChoicePoint Settles With The FTC About Its Data Breaches and Security Lapses

I'd written previously about my less than consumer friendly experiences with ChoiceTrust, a service from ChoicePoint, Inc.. Recently, the U.S. Federal Trace Commission (FTC) announced a settlement by ChoicePoint, Inc. after the company's past data breaches and data security lapses:

"In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention. The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also alleged that ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information."

Gee, that's extremely poor management. First, the company fails to implement every security feature it had already established. Second, its actions violated a previous court order about data security. How arrogant can a company act?

ChoicePoint's settlement included actions to:

"... strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information... This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000."

Was this fine sufficiently large enough? In my opinion, no.

Will ChoicePoint do the right thing and maintain adequate protections for the consumer data it stores and sells? Will it comply with applicable Red Flag rules by the FTC in 2010? Time will tell. I'm not holding my breath.

I'd love to be able to pull my C.L.U.E. insurance reports and records from Choicetrust, but we consumers don't have that option. Due to ChoicePoint's cozy relationship with the government, the company enjoys a near-oligopoly status regarding C.L.U.E. insurance reports. This is a good example of a "free market" sham. Same for the credit-reporting agencies.

At some point, this crap has to end.

FTC Delays "Red Flag" Enforcement Again

Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.

The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.

As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.

The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:

"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."

In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.

During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.

Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.

Hotel Safe Scam

The BBC News recently reported about the habits of a con man and thief:

"... his scams have tended to take place in luxury hotels around the world. Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe. When hotel staff helped him to open the safe, he would pocket the contents and make his escape."

Don't hotel staff ask for identification (e.g., Passport, driver's license) before opening up a safe? Doesn't the management of the luxury hotels train their staff about effective security methods?

Violent Criminals Switch To Medicare Fraud

This is not good news. Breitbart reported:

"... Mafia figures and other violent criminals are increasingly moving into Medicare fraud and spilling blood over what once a white-collar crime... For criminals, Medicare schemes offer a greater payoff and carry much shorter prison sentences than offenses such as drug trafficking or robbery... Medicare scammers typically make their money by billing Medicare for medical equipment and drugs that patients never receive—and never needed. Some pay homeless people on Los Angeles' Skid Row for Medicare or Social Security numbers to use in fake billing invoices. Others intimidate elderly victims to use their Medicare numbers, federal authorities say."

This shift suggests that many local governments and cities need to stiffen the penalties and prison time for identity theft, Medicare, and related fraud crimes:

"Most Medicare schemes are based in cities such as Miami, Los Angeles, Detroit and Houston... A Medicare scammer could easily net at least $25,000 a day while risking a relatively modest 10 years in prison if convicted on a single count. A cocaine dealer could take weeks to make that amount while risking up to life in prison."

Debt Collection Scams And Identity Theft: How To Avoid Both

Last week a friend, Mary Grace, sent an e-mail message asking if I had:

"... heard of NCO Financial Debt Collectors? I got an automated call and when I called the number back it was busy. I called their main 800 number off of their website and they asked me for my social and name - they would not give me any information on the reference number that was left on the automated message. I did not give them my name or my social and ended up hanging up on the rep because he could not identify why they called me stating there were many names associated with the reference number and he needed my information to understand why they called."

I hadn't heard of NCO Financial Debt Collectors. There is a valid collections company with a similar name: NCO Group (a/k/a NCO Financial Systems. The call sounded sketchy since the reference number didn't identify Mary Grace specifically. I told her to contact the Better Business Bureau (BBB), and contact the U.S. Federal Trade Commission (FTC). I assured her that she was correct to not disclose her Social Security Number and other sensitive personal information without first getting written proof of the debt.

In her e-mail message, Mary Grace also wrote that she had:

"... called AT&T to check on the 888 number the automated message left and [the AT&T customer service representative] said it was probably an outbound number only and that he hears these kinds of calls all the time but can not give any advice because of legal reasons."

Yes, this debt collection call was definitely sounding like a scam.

Mary Grace couldn't think of any company she owed money to, as she is very good with her credit. Perhaps she had a debt at Cedars-Sinai Medical Center due to a recent surgery, but theyhadn't contact her.

Since Mary Grace lives in California, I suggested that she check the State of California attorney general's web site for advice about her rights and how to deal with debt collection phone calls and collection agencies. Every state has an attorney general (AG), and the AG's web site usually describes the rights consumers have and what constitutes harassment by a debt collector.

While California state law allows debt collectors to supply information about bills they are collecting to credit reporting agencies, the collection agency cannot threaten a consumer with this unless it is already a customer of the reporting agency. The collection agency must tell the reporting agency whether any dispute has been filed, and it must update the consumer's record to show when the debt is paid.

I did some light research and found that there tend to be two types of debt collection scams:

• Fake debt collection agencies
• Valid debt collection agencies with fake debts

The first type usually includes a scam artist calling with fake debts. The scammer is trying to trick consumers into revealing over the phone their sensitive personal data: Social Security number, bank account information, and so forth. Disclosing any of this could lead to identity fraud.

How do the collections scammers get consumers' name and address information? Any number of ways: from combing through online white pages web sites, or purchased on the black market from with data resold by thieves after a data breach.

If you receive a debt collection call, experts advise consumers to demand written proof of the debt. Tell the caller that you only reply to debts submitted in writing with written proof. If the scammer does send a letter via postal mail of a debt you know is fraudulent, then you have written proof of the scam.

The second type of scam is a little trickier. Sometimes a valid debt collection company is calling with a valid debt that they think is yours, but really belongs to another person. Perhaps you changed your phone number recently, and the collections agency has confused you with the prior owner of the phone number. Perhaps you moved recently and the collection agency has confused you with the prior resident at our current address. A less than honorable collector wants to collect money and may pressure the person they contact into paying.

Either way, the best response is to demand that the debt collection caller fully identify their company. Then, demand written proof via postal mail that the debt is yours. Ask the caller for a phone number so you can call them back. Scammers hate this and will serve up a variety of excuses why you can't call them back.

In this case, Cedars-Sinai sent a bill to Mary Grace's old address, even though the medical center also had her current address on file. The medical center then sent the unpaid debt to two valid collection agencies... a case of one internal department failing to communicate with another department.

A couple days later, I received a follow-up e-mail from Mary Grace:

"... Cedars-Sinai knew I had a stellar record with them. They called the true collection agencies, had them retract my name and restore my credit ratings, and I paid [Cedars-Sinai] directly. I should receive letters from Cedars, and the agencies stating just that. Then I will look at my credit report to ensure that it was restored. Who knew that a phony call could end up exposing all this!"

And, NCO Financial Debt Collectors turned out to be a scam -- a phony debt collection agency. So, if you get a phone call from them, hang up and report it to the BBB and FTC.

Mary Grace's experience provides clear instructions for consumers about how to handle debt collection phone calls:

• Asked the caller to identify their company
• Don't trust the caller at their word. Don't share sensitive personal data over the phone. Demand written proof via postal mail of any debts
• File a complaint with the BBB about any phony debt collector you encounter
• Demanded written proof of paid debts
• Demanded written proof from a creditor of debts sent in error to collection agencies
• Demanded correction of erroneous entries to credit reporting agencies

Why It Is Important Not To Disclose Certain Personal Data on Social Networking Sites

In an earlier post, I wrote about the risks of disclosing your birth date in e-mails and at social networking sites. It's a key piece of personal data for identity thieves and fraudsters. There are more personal data items you should not disclose to avoid identity fraud.

From a recent AARP Bulletin:

"Along with your birth date, your place of birth may help scammers guess most, if not all, of the nine digits of your Social Security number, suggests a recent study published in the Proceedings of the National Academy of Sciences. Those two pieces of information were all that Carnegie Mellon University researchers needed to discover patterns in how SSNs are issued, resulting in impressive success in guessing exact numbers."

The researchers documented how identity thieves could use your hometown information to guess your Social Security number:

"... The first three digits of the SSN are an “area number,” issued according to the ZIP code of the mailing address provided on a Social Security application form. High population states have many area numbers — New York has 85, for example — but Delaware and Alaska have only one... The fourth and fifth digits of the SSN are a location-based “group number”; those digits change periodically, usually in increments of 2. For instance, for people born in 1966 in Oregon, those middle numbers started at 47, and 60 days later, switched to 49. “Because of this, knowing a birth date and hometown makes the first five digits of a SSN the easiest digits to guess... The last four digits, the ones most often used as identifiers on accounts, are issued sequentially. But they’re harder to guess because they depend on how long it took to process a Social Security application..."

So, security experts advise consumers not to disclose both their birth date and hometown information on social networking sites. Now, you know what to do and why.

A Really Damaging Data Breach At the University of North Carolina

This blog does not cover every breach incident; only the ones with broad implications or where the organization should do more to help its breach victims. Campus Technology reported last week:

"A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident."

You can read online the breach notification letter (PDF format) from the University and its explanation of the breach event (PDF format). The following illustrates just how damaging this data breach was:

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information."

In my opinion, the University should do more beyond referring its breach victims to the three major credit-reporting agencies to file Fraud Alerts. The University should:

• Pay for at least five years of credit monitoring services for the breach victims, due to the ongoing threat to their financial accounts
• Pay the Security Freeze fees at all three major credit-reporting agencies, so the breach victims can lock down their credit reports
• Provide its breach victims with a user-friendly web site, and not a couple PDF documents, with ongoing status information about the breach incident investigation, what the university is doing to fix the problem, and what the university is doing to prevent further data breaches

The Consequences When An Identity Thief Commits A Crime In Your Name

This is a horrible experience for any person. The Omaha World-Herald reported a particularly nasty case where a citizen was jailed twice due to mistaken identity:

"Last week, Salazar, 38, spent a night in the Douglas County Jail after he and his girlfriend called Omaha police to report a burglary. Ten months ago, he spent two weeks, including Christmas and New Year's Day, in jail after being pulled over for speeding. The reason: Every time Joe Salazar comes in contact with law enforcement, police discover there's an arrest warrant out for a Joe Salazar for failing to appear for sentencing in a 2002 drug case."

The real Joe Salazar lost his wallet in a restaurant: identification, Social Security number, date of birth, and other sensitive personal data. The criminal used Salazar's identity during a crime and then skipped out on bail from a scheduled court data. Hence, the arrest warrant for Salazar and local law enforcement keeps arresting the real Salazar.

Local law enforcement doesn't know the criminal's identity, but they do have his finger prints. Obviously, the real Salazar would like to see some fast, corrective action of his situation with the criminal caught. The real Salazar said:

"It's frustrating, because you know there's nothing you can say or do to convince (police)... I tell them ‘You've got the wrong guy. But I'm sure they hear that all the time.”

What can a consumer do to resolve this? Nothing that I know of. Salazar's problem will continue until the criminal is caught. Will any credit monitoring service help? No. Those services are for helping consumers protect their credit report, not for crimes. With the increasing number of data breaches with stolen consumers' sensitive data, I fear that cases like Joe Salazar's will only happen more often.

[Oct. 16 - Editor's Note: I encourage readers to read the comments below. Several readers submitted informative comments which consumers may find useful.]

Trends In Data Breaches

Recently, GovInfo Security interviewed Mary Monahan, Managing Partner and Research Director at Javelin Strategy & Research. I found Monahan's assessments very informative. Monahan's view of current data breaches and hacks:

"Fraudsters are definitely taking advantage of website vulnerabilities. This is a common trend that they have been taking advantage of these website vulnerabilities and then identifying them over and over and over again to download package sniffers, open back doors..."

Monahan's assessment of the types of data breaches to expect in 2010 and beyond:

"... criminals are moving up the food chain. They are going after -- last year we saw them at the restaurants; this year they are at the processor, the restaurant processor. So they are definitely moving up the food chain. The Heartland breach with 130 million credit and debit cards is a lot bigger breach. So they are taking what they are learning at the smaller breaches and moving up that food chain. Using the same types of messages, but refining them as they go along, so last year where we might have been able to find that package sniffer, now they are learning to erase traces of the sniffer on their computer program... We see [criminals] changing their target. So because there are so much credit and debit card numbers out there that this data is becoming less valuable. So they are going to start targeting other types of information."

The information targeted by criminals that Monahan referred to includes "PIN thefts" at banks and financial institutions, and redirects of consumers to phishing sites. Think of it this way: rather than steal a consumer's credit card number, it is worth more to steal the consumers' sign-in credentials so the criminal can directly access the money in the consumer's online financial accounts.

So, my advice for consumers:

• Activate the anti-phishing software on your computer,
• Learn how to recognize a phishing web site,
• Learn about the anti-phishing features at your bank's or financial institution's web site,
• If your bank or financial institution doesn't provide anti-phishing features with its online banking service, look for another bank
• Create and use strong passwords,
• Use different passwords for your online banking vs. e-mail accounts and social media sites
• Protect the PIN number you use with your debit card at all ATM machines

Warning College Students About Identity Theft

It was good to read this article in the New York Post:

"D theft is on the rise on university campuses as thieves take advantage of open dorm doors, the careless habits of students and plenty of laptops to steal ID from and use to gain access to the assets of not only the students, but also their parents. Parents should be aware that "criminals look at universities because not only are students the path of least resistance, but universities are lax in their security," said Robert Siciliano, an identity-theft expert. "Twenty percent of students do not acknowledge that it's a problem. They are just irresponsible and making all of their parent's personal information vulnerable.

What the consequences can be:

"This past summer, a 22-year-old male at the Southern University in Louisiana experienced ID theft due to carelessness in the dorm room and is now faced with explaining to his parents why their credit card has a $2,400 balance."

Hopefully, parents will pay attention and warn their college-age children to keep sensitive papers and records under lock and key.

Do You Know The Black-Market Value of Your Sensitive Personal Data?

Symantec recently launched its Norton Online Risk Calculator, an online tool that computes the black-market value of a consumer's sensitive personal data. I tried this calculator to see what it was all about.

First, the calculator asks basic information about your online habits and general demographic data (e.g., gender, age range, whether you have an e-mail account, etc.). Smartly, the calculator asks you for an age range and not your specific birth date. Otherwise, I wouldn't have completed the calculator.

Second, the calculator ask questions about whether you do banking and shopping online. The tool includes related questions about whether you bank online and pay bills online. It also asks if you shop online with a debit card, and whether you have installed and use anti-virus and spyware software on your computer. The calculator asks a very relevant question about whether you disclose on social media sites your birth date. The calculator also asks you to estimate to the total value of your online accounts and what you think thieves would pay for your sensitive personal data (e.g., name, address, birthdate, and bank account information).

Prior I've Been Mugged posts have explored the value of stolen consumer data, the risks of disclosing your birth date on social media sites, how to create strong online passwords, how to avoid getting your e-mail account hacked, and how to recognize phishing e-mail spam and sites. Unfortunately, many consumers believe their computers are protected by anti-virus software when in fact they aren't. And, it is extremely difficult to tell when your computer is infected by spyware and botnet software.

According to the Symantec calculator, my sensitive personal data is worth about $30.29.

Is this risk calculator any good? Part of me feels that it is a slick method to advertise their Norton anti-virus software. After you complete the calculator, the site does present a couple of their software products. Like any other viral application, the site presents a "Send to a Friend" link at the end, hoping you will disclose your friends' e-mail addresses and tell your friends about the risk calculator. I did not refer any friends.

Symantec could have done a better job with this calculator. Why?

1. The calculator should have been produced as a secure site (https://), which it isn't.
2. The calculator is a Flash application and the site does not disclose how it uses the Flash cookie on the consumer's computer.
3. The calculator does not state what it will do with your answers, how long it will store them, and what other companies it will share the information with. The site has a general link to Symantec's Privacy Policy.
4. The calculator does not ask if your sensitive personal data has actually been exposed already during a data breach, nor did it ask if the consumer monitors their credit reports with a credit monitoring service, nor did it ask if the consumer already protects their credit report data with a Security Freeze.
5. The calculator did not ask any questions about whether you use RFID or contactless credit/debit cards.

My recommendation: skip this site. It's just not worth it. I expected something far more rigorous from a security software company.

How Much Is A Stolen Credit Card Worth On The Black Market?

The news media has covered very well the Gonzalez- led theft of 130 million credit card numbers. What is this information worth to criminals? In other words, what does this stolen information sell for?

According to a post on VirusList.com dated Aug. 17, 2009, U.S. consumers' Visa credit cards are worth about $2 each. While analyzing virus software, Kaspersky Lab virus analyst Dmitry Bestuzhev found a Web site with pricing information for stolen credit cards. German credit cards, at $6 (USD) each, fetch the highest price at piece. With technical support and a sliding scale of prices, this appears to be organized business.

It appears that the price also varies by order size. CBC News Canada reported:

"Stolen credit card numbers now go for as little as six cents each, if they're bought 10,000 at a time. The price can be $30 US per card for smaller orders. Access to hijacked email accounts can cost 10 cents to $100, while bank account credentials range from $10 to $1,000. Scammers can hire people to "cash out" compromised bank accounts for between eight per cent and 50 per cent of the amount they're stealing. Hosting for scam websites ranges from $3 to $40 per week."

That implies that the 130 million credit card numbers stolen by the Glonzalez-led theft ring are worth about $7.8 million (USD) on the black market, if purchased in bulk.

2009 In Review: Data Breaches

Bank Info Security recently reported:

"... 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year... The good news is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations... The bad news is when financial institutions - or their third-party service providers -- are breached ... it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, social security numbers, and other personal identifying information - is invaluable to hackers..."

In other words, on average financial institutions have fewer breach events compared to other industries, but when financial institutions have a data breach, far more records are stolen with consumers' sensitive personal and financial information.

Early on, Heartland Payment Systems had no idea how many records were stolen, and some class-action lawsuits were filed.  The I've Been Mugged blog explored consequences of the Heartland breach. Later, breach details emerged as the Miami hacker's role was exposed.

The ITRC analyzed the types of breaches at financial institutions and found seven types:

• "Insider theft: 12 breaches;
• Skimming: 8;
• Missing paper documents: 10 of the breaches
• Exposure of data on the Internet: 4;
• Accidental breaches: 2;
• Stolen or missing hard drives/laptops: 5;
• Outside network intrusions: 2;
• Unknown cause: 3."

The bottom line: consumers should know that any site that advertises itself as having "bank-level security" isn't 100% hacker proof. Unfortunately, there is a risk involved and bad stuff happens.

Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers

This past weekend, Todd Davis, Lifelock's Chairman and CEO, announced in a video message the company's intention to release new services during the coming weeks. This was prompted by a court ruled in May 2009 in favor of Experian to stop companies like Lifelock from setting Fraud Alerts on behalf of its customers. Lifelock had appealed the decision.

In February 2008, I've Been Mugged reported the Experian v. Lifelock lawsuit. The fight between Experian and Lifelock was like two five-year-old kids arguing over who gets the last brownie on the kitchen table while there is a fire burning in the living room. There are bigger issues. Fraud Alerts are a relatively weak tool, since it doesn't force lenders to contact consumers. Credit monitoring service that include a Fraud Alert tool still do not stop:

• Criminal identity theft: when a criminal uses another person's identity during a crime
• Medical identity theft and fraud: when a person uses another person's identity to gain free medical care, and wrecks the victim's access to health care they rightfully paid for
• Data breaches and fraud at outsourcing vendors and at offshore outsourcing vendors
• Poor data security practices by companies and employees
• Insider identity theft and fraud

To be clear, I am no fan of Lifelock. Much of what the company charges for, consumers can (and should) do for themselves for free. In April of 2008 Consumer Reports gave Lifelock a less than stellar review.

However, on one point Davis and I agree. This court ruling is a setback for consumers. It limits choice in the marketplace at a time when data breaches and identity theft have increased. The ruling means that consumers must go directly to Experian (and other credit reporting agencies) to establish a Fraud Alert.

It will be interesting to hear during the coming weeks about Lifelock's new services. Hopefully, the company has done its homework and developed a set of truly innovative and more comprehensive identity protection tools.

It is in consumers' best interest for a comprehensive identity protection service. Why? Many consumers I've talked with have no idea what to do about identity after their sensitive personal data has been stolen. Many consumers need all the help they can get. Few know the difference between credit monitoring and credit restoration. Few understand the limitations (e.g., see the bullet list above) with credit monitoring services. Then, it's a rush to learn what to do to protect themselves, and establish some preliminary protections.

It is sad that the identity protection industry so fragmented and disorganized.

There's a gap in the marketplace and a truly comprehensive identity protection service would go a long way towards helping consumers. The credit reporting agencies don't offer a comprehensive service; they focus narrowly on monitoring (usually their own) credit reports, and providing credit scores. Regional credit reporting agencies are essentially ignored, along with insurance reporting services like ChoiceTrust.

All of these regional credit reporting and insurance companies' reports are high-value targets by identity criminals. The credit monitoring services by independent companies are somewhat better than the credit reporting agencies' service, but that is not a high bar to leap. As I wrote in May 2009:

Since I started this blog, I have searched for a truly comprehensive identity protection service, which should include:

• Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
• Unlimited access to the full text of all of my C.L.U.E. insurance reports
• Unlimited access to the full text of all of my sensitive personal medical information
• Monitoring of my identity across social networking sites
• Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
• Tools and calculators to help me evaluate these reports
• The ability for to customize alerts based on my individual needs
• Options to add Fraud Alerts to any or all of the above reports
• Options to add Security Freezes to any or all of the above reports
• Criminal fraud monitoring (if my identity is used by thieves during a crime)
• Identity fraud assistance when traveling outside the USA
• Identity resolution services and insurance for all of the above reports
• 24/7, and easy access to a real person in customer service via phone
• Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. The Experian v. Lifelock court ruling adds to the problem, since Fraud Alerts will now be available only at the major credit reporting agencies.

It shouldn't be this hard for consumers. Maybe Lifelock has tackled this problem with their new services. We shall see during the coming weeks, and I've Been Mugged will report on it.

An Example of Insider Medical Identity Theft

From the Billings, Montana Gazette:

"A 33-year-old Columbia Falls woman has been sentenced to two years in prison and ordered to pay more than $18,700 in restitution for her role in an identity theft case... Prosecutors say [Andrea] Mackowiak took names, Social Security numbers and dates of birth from patient account records at a clinic and gave the information to a person in Washington state. That person used the information to set up Qwest telephone accounts that were used by prison inmates."

Thanks to local law enforcement that this identity criminal was caught and prosecuted.

Tips For Elders To Protect Themselves From Identity Theft

Sadly, many identity criminals target elders. The Houston Family Examiner has a pretty article with tips that apply to everyone and not just elders. Some of the tips and suggestions:

"Many seniors have carried their social security card and number around for decades and it is a hard habit to break but seniors need to understand that today the practice simply isn’t smart or safe. Medicare card numbers put seniors at risk too. Instead seniors can leave their cards secured at home and instead carry a copy of their Medicare card with them, with the SSN blacked out. This will help you get the medical treatment you need in case of emergency and but still keep your information safe in case of a theft."

A really good tip since many Americans are very trusting (e.g., a character strength that some will try to exploit):

"Do not give out information over the phone, especially bank account or credit card information. If someone calls and claims to be from a bank or credit card company, hang up and call the institution back at a number you already have on a statement. Real institutions will not ask you for sensitive information over the phone and will already have the answers..."

Also:

"There are so many worthy charities out there and unfortunately so many charity scams that want to prey on the generosity of the elderly. CharityNavigator.org is a trustworthy site for researching charities before giving."

Of course, the standard preventative measures apply:

• Don't carry your Social Security card in your wallet or purse. Store it in a safe place like a safety-deposit box at your bank
• Use a postal mailbox with a lock
• Use a shredder before placing documents with sensitive personal data and address data) into the trash
• Shred pre-approved credit and loan offers. Even better, use OptoutPrescreen.com to stop receiving pre-approved offers via postal mail, if you don't need the credit
• Sign up for the Do Not Call Registry
• Use strong passwords at online web sites