Identity Theft

Monday, April 28, 2008

8 Of 10 Americans Worried About Identity Theft

According to a recent poll by Bankrate, 8 of 10 Americans are worried about identity theft, specifically having their identities stolen. This concern is based upon:

"... personal knowledge of a victim. One-third of Americans (34 percent) know someone who has been a victim of identity theft. In the Northeast, it's closer to one in four (28 percent) while in the West almost one in two people (44 percent) know an ID theft victim."

The survey results were part of a broader study of Financial Literacy about identity theft. Bankrate had engaged GfK Roper America to conduct a random survey of American households to understand consumers' understanding of identity theft. Interviewers questioned 1,006 adults -- 524 women and 482 men. The report found that consumers' worry increased with their personal knowledge of identity theft victims. Basically, people who knew ID-theft victims were more worried than people who didn't.

The numbers could be much higher (or lower), due to consumers' varying definition of identity theft. According to Avivah Litan, vice president and analyst at Gartner:

"Everyone has their own definition of 'identity theft'... For some it means wholesale identity hijacking. For others it could mean credit card theft. So it's hard to know what the respondents were thinking; thus the results could be skewed either way."

What are consumers doing to address their ID-theft concerns? Survey respondents reported the following activities:

Participants' Response to ID-Theft
(Bankrate - GfK Roper survey - North America - April 2008)
Percentage of respondents concerned about ID-theft, and not concerned about ID-theft, reporting each activity:

Concerned   Not concerned   Activity
82%         52%             More likely to shred documents with sensitive personal data
63%         51%             Use a secure snail-mail mail box (at post office or a locked box at home)
54%         55%             Avoid online banking
53%         30%             Check credit reports regularly
42%         47%             Refuse to shop online
23%          6%             Requested a Security Freeze on their credit reports
16%         13%             Only pay bills online
35%         19%             Haven't made any changes to avoid identity theft

I find the 35% statistic in the last row astounding. These people practice the "head in the sand" approach. These are people who personally know ID-theft victims, but still refuse to do anything to avoid identity theft. Maybe they have given up, or maybe the problem seems overwhelming.

My impression: some companies probably rely upon this "head in the sand" attitude after a data breach. After a data breach, these companies rely on many ID-theft victims (e.g., employees, former employees, retirees, contractors, etc.) to "keep their heads in the sand" and not take advantage of the company's credit monitoring service offer... which is often free for a year or two. It lowers the company's post-breach costs. Companies know this, and are less likely to enact stronger data security measures when they know consumers don't do all they can to protect their sensitive personal data.

The survey results by gender:

  • Women were more likely than men to shred documents
  • Women were more likely than men to use a secure mailbox
  • Men were more likely than women to avoid online banking
  • Women were more likely than men to check their credit reports regularly
  • Men were more likely than women to request a Security Freeze on their credit reports
  • Men were more likely than women to practice the "head in the sand" approach

Now that you know what other consumers are (and are NOT) doing, I hope that more people will take action to avoid identity theft, and after a data breach will accept the company's credit monitoring service offer.

Wednesday, April 16, 2008

'Income Tax Return Identity Fraud' Scam Threatens Some Taxpayers' Refund And Stimulus Checks

Now that April 15 has passed and you have filed your income tax returns, you are probably thinking about how you are going to spend your tax refund checks and stimulus check. Well, most of you will receive your checks, but some may not.

Just when you thought that nothing else could go wrong with identity theft, Phuong Cat Le at the Seattle Post-Intelligencer blog reported about income tax return identity fraud:

"Earlier this week, one of my colleagues sat down at her computer to file her income tax return electronically using TurboTax. Twice, her return was rejected. The message she got back was startling: the IRS already had a tax return filed under her Social Security number. How could this be? She hadn't filed yet."

Phuong's colleague did what any of us would do, and called both the Social Security Administration and the Internal Revenue Service to resolve the problem and receive her checks. Apparently:

"A thief had filed a fraudulent tax return under her name, and would likely get her $1,000 refund, not to mention her $600 economic stimulus payment. Thus began her tedious task of clearing her name: filing a police report, filing a complaint with the Federal Trade Commission, putting a fraud alert on her credit report and mailing in her tax return with copies of her driver's license, police report and other documents to prove her identity."

More importantly, this scam appears to be on the rise:

"... complaints about this type of theft jumped 579 percent, from 3,000 to more than 20,000, between 2002 and 2007, according to an audit released this week by the Treasury Inspector General for Tax Administration. Not only are fraudulent returns on the rise, so are cases where thieves use another person's Social Security number to gain employment."

The IRS has promised a better response to identity theft/fraud, but seems to have started too late and from way behind:

"Finance Committee Chairman Max Baucus, D-Mont., said that on average it takes almost a year for the IRS to sort out who is the real taxpayer when there is an identity issue. 'In the meantime the victim's tax accounts get frozen. The IRS issues no refund,' he said. 'The taxpayer waits in tax limbo for months and months.'"

The Post-Intelligencer also reported:

"The IRS does not keep track of identity theft incidents and investigates and prosecutes identity theft cases only if they occur in conjunction with other criminal offenses having a large tax impact, according to a report this week from the Treasury Inspector General for Tax Administration."

This is great news for identity criminals, and very troubling news for consumers, especially if you are due a refund. It definitely reinforces the impression that the IRS is focused only on tax collections and not on data security, while it is entirely possible and appropriate to focus on both.

This situation infuriates me. If it infuriates you too, I encourage you to write to your elected officials today and demand that they act immediately to fix data security at the IRS. For those who are interested, read the full report of the audit of IRS tax collection.

Until the IRS fixes its data security holes, it may be a good idea to consult with a tax accountant to adjust your withholding to minimize the chances of a large refund check which could be stolen (and which gives the government an interest-free loan).

Monday, April 14, 2008

CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors' names, medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? This sounds to me like sensible and appropriate data security actions any and all companies should implement nationwide, without waiting for a state AG to sue them to comply. Forbes Magazine reported:

"'... the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."

Monday, March 31, 2008

House Stealing: The Newest Identity Theft Scam

On March 25, the Federal Bureau of Investigation (FBI) issued a warning to consumers about a new form of fraud. The new threat:

House Stealing = Identity theft + Mortgage Fraud

According to the FBI, here's how the scam works:

"The con artists start by picking out a house to steal—say, YOURS. Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. Then, they go to an office supply store and purchase forms that transfer property. After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS."

With the deed, criminals can sell the house right from under you and pocket the cash. According to the Boston Herald newspaper:

"It’s happened in Dorchester. Police last year arrested three people at the Suffolk County Registry of Deeds after they tried to sell the home of a former nun and Catholic school teacher out from under her. Andre J. Lamerique, 25, of Sharon, Carmella F. Lassegue, 26, of Hyde Park, and Judy A. Bonas, 51, of New York, were charged with conspiracy, identity fraud and aiding and abetting after they allegedly stole the identity of Judy Melody, 65, of Dorchester. A federal postal inspector accuses the trio of using Melody’s identity to purchase homes in Brockton and Halifax. They were caught on Jan. 23, 2007, when they allegedly attempted to use the same scheme to sell Melody’s home. Lamerique is in custody awaiting trial, federal court papers show. Lassegue and Bonas are free on bail."

I find it odd when researchers claim that identity theft instances are decreasing. New trends like House Stealing are direct evidence otherwise. Identity criminals constantly change their tactics, which provides a challenge for researchers and government agencies to track the appropriate statistics to accurately measure identity theft instances. According to the Boston Herald:

"While the FBI does not maintain statistics for specific types of mortgage fraud, they know the crime of home theft is on the rise. In Fiscal 2007, financial institutions alerted law enforcement to 46,717 examples of mortgage fraud suspicious activity reports... Just a part of the way through Fiscal 2008, that figure has nearly reached the 30,000 mark."

Experts predict that mortgage fraud could increase to 60,000 in 2008. The FBI recommends the following to protect yourself from this new scam:

  • If you receive a payment book or information from a mortgage company that’s not yours, whether your name is on the envelope or not, don’t just throw it away. Open it, figure out what it says, and follow up with the company that sent it.
  • From time to time, it’s also a good idea to check all information pertaining to your house through your county’s deeds office. If you see any paperwork you don’t recognize or any signature that is not yours, look into it.

According to the FBI, this new scam is rare. Of course, contact your local police, the FBI, and file a complaint with the FTC if you have been victimized.

Tuesday, March 25, 2008

Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as much as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. 'Catching data on the move is a bit more challenging,' said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed."

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks 'that are easy and common for a hacker to intercept.' Whether certain internal networks are 'easy and common' to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big loser. We consumers end up paying:

  • Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders.
  • Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines to retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with a $50 maximum liability are great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

  1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
  2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
  3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
  4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link in the top of the right column to sign up for alerts via e-mail.

Friday, February 29, 2008

2008 Identity Theft Survey - Javelin Research (Part Two)

Yesterday's post discussed the results of the latest identity theft and identity fraud survey in the USA by Javelin Research. In its report, Javelin recommended the following for consumers to detect identity theft and identity fraud:

  • Monitor your bank and credit card account activity regularly. Check the activity online, via phone, or via ATM machine
  • Use e-mail or telephone alerts to monitor activity on your accounts. Activity can include deposits, withdrawals, balance transfers, specific charges, address changes, new names added to your accounts
  • Javelin emphasizes that the longer it takes a consumer to detect fraud, the greater the amount stolen

Javelin recommends the following for consumers to resolve identity theft and identity fraud:

  1. Contact your bank or credit card company immediately
  2. Close any accounts that have been compromised
  3. Ask your financial provider about fraud resolution teams or services to help you fix your credit and recover any money lost
  4. Place a Fraud Alert on your credit reports at all three credit bureaus
  5. Know the data breach notification rights in your state. When an employer or prior employer loses your personal data (or it is stolen), in many states that company is required by law to notify you of that loss/theft. Other rights, such as free credit monitoring services, may also be available to you in your state
  6. Consider placing a Security Freeze on your credit reports at all three credit bureaus. This will prevent criminals from opening new accounts and obtaining credit in your name. Some states require a Security Freeze to be free to identity theft victims
  7. File a report with the local police
  8. Notify the U.S. Federal Trade Commission (FTC). The FTC tracks complaints and identity theft activity
  9. Consider signing up for a credit monitoring service, which can help you monitor your credit reports at the three credit bureaus

While all of the above items are solid and valuable recommendations, they focus on financial identity fraud. Unfortunately, there are so many ways criminals can abuse stolen personal data. They can use it to commit medical identity fraud, insurance identity fraud, criminal identity fraud, obtain a fraudulent driver's license, or apply fraudulently for a job, and none of these activities will show up on your credit report.

If that sounds awfully scary, it is. And it should scare you. This is the current state of U.S. business and government systems. A good first step would be to write to your elected officials and ask them what they plan to do about it.

Thursday, February 28, 2008

2008 Identity Theft Survey - Javelin Research (Part One)

Last week, I spent some time reading the "2008 Identity Fraud Research Report" by Javelin Strategy And Research. Javelin surveyed about 5,000 adults and identity-theft victims in the United States. Key findings from the survey:

  • There is a difference between "Identity Theft" and "Identity Fraud." Identity Theft is when "your personal information is accessed by someone else without your explicit permission. Identity Fraud occurs when a criminal takes the illegally-obtained information to use it for financial gain."
  • The most common ways criminals steal consumers' personal data: lost/stolen wallets (33%); "shoulder surfing" while conducting a transaction (23%); "friendly" theft by family members or others you know (17%); online (12%); and data breaches (7%).
  • Vishing is on the rise. Vishing is a phone-based version of the phishing scam. Vishing is when criminals attempt to trick a consumer into providing personal data over the phone. In some instances, criminals contact consumers first via e-mail with a bogus phone number for replies

So, what can consumers do to protect themselves? Javelin recommends a 3-step approach (Prevention, Detection, Resolution) similar to the U.S. Federal Trade Commission's (Deter, Detect, Defend). The basic idea is that consumers should use a range of methods to protect their personal data, since criminals use a variety of methods to steal personal data.

Javelin recommends the following to prevent identity theft and identity fraud:

  • Protect your personal computer, laptop, PDA, and mobile phone with passwords
  • Do not use PIN numbers or passwords that are easily guessed (e.g., birthdays, your maiden name, your kids' names, your pet's name, etc.)
  • Shred sensitive documents before placing them in the trash
  • Use a locked mailbox or a Post Office Box for your snail mail
  • Do not leave documents with your personal data lying around, especially documents with your bank account numbers or social security number
  • Monitor your online accounts (e.g., bank, credit card, retirement, and other financial accounts) for suspicious or unauthorized activity
  • Move your paper financial statements to online accounts. Avoid paying bills with checks, and instead pay via online banking
  • Review your credit reports at least once a year. You can visit annualcreditreport.com or call toll-free at (877) 322-8228

Tomorrow: more recommendations by Javelin.

Wednesday, February 27, 2008

2008 Consumer Fraud and Identity Theft Complaint Data (FTC)

Last week, I took the time to read the latest 90-page identity theft report from the U.S. Federal Trade Commission. The FTC issued the "Consumer Fraud and Identity Theft Complaint Data" report in February 2008. The report covers consumer complaints submitted to the Consumer Sentinel database during January through December 2007. Highlights:

  • During 2007, the FTC received 813,899 consumer fraud and identity theft complaints; up 21% over 2006
  • During 2007, consumers reported losses of $1.2 billion, slightly more than in 2006
  • 3% of consumers lost more than $5,000. About 10% lost between $1,001 and $5,000
  • The 5 leading complaint categories were Identity Theft (32%), Shop-at-home/Catalog Sales (8%), Internet Services (5%), Foreign Money Orders (4%), and Prizes/Sweepstakes/Lotteries (4%)
  • The payment methods in these complaints included credit cards (33%), wire transfers (28%), bank account debit (17%), personal checks (10%), money orders (7%), and cash advances (3%)
  • Total complaints by the age of the consumer: 40 - 49 (23%), 30 - 39 (21%), 50 - 59 (20%), and 20 - 29 (16%)
  • Identity theft complaints by age of the consumer: 18-29 (28%), 30 - 39 (23%), 40 - 49 (19%), and 50 - 59 (13%)

It's important to emphasize that the above is based on actual complaints submitted by consumers, and not a survey. In my experience, most consumers do not file complaints with the FTC, so the actual numbers are probably far higher.

Regardless, identity theft seems to be a growing problem since both the number of complaints and the amount of losses have increased.

Two really sad aspects to this report are a) the lack of involvement by consumers, and b) the lack of consistent response by law enforcement. 65% of victims did not file a police report. That is both sad and unacceptably high. 27% of victims did file a police report which was accepted by local law enforcement. 8% of victims tried to file a police report and it was not accepted.

Identity criminals probably feel encouraged by those results. Almost two-thirds of victims don't bother filing a police report, which could aid in the capture and prosecution of identity thieves. And, 8% of victims tried to get help from local law enforcement and couldn't get that help.

The report also provides statistics for identity theft victims by state:

  1. Arizona - 137.1 (identity theft complaints per 100,000 population)
  2. California - 120.1
  3. Nevada - 114.2
  4. Texas - 107.9
  5. Florida - 105.6
  6. New York - 100.1
  7. Georgia - 91.6
  8. Colorado - 89.0
  9. New Mexico - 87.5
  10. Maryland - 85.8

My state, Massachusetts, ranked #23 with 66.5 identity theft complaints per 100,000 population. North Dakota was #50 with 28.5 identity theft complaints per 100,000 population.

I'm not sure how relevant these numbers are, since Internet-based identity thievery is largely geography independent.

Monday, February 25, 2008

What To Do When Your Debit/ATM Card Number Is Stolen

Every few weeks, I get an e-mail from somebody who has had their personal data stolen. When the stolen data includes a bank account number, the identity thief usually attempts to empty the victim's bank account.

Recently, a coworker (Scott) had his debit card number stolen. When I saw Scott, he was rushing to his bank to discuss and fix the problem. Scott had that frazzled look of "oh crap, what do I do now?" on his face. A couple days later, I contacted Scott via instant messaging (im) to see what had happened. Our instant messaging thread:

George: how did it go the other day at the bank?
Scott: hey George! they were very cool about it
Scott: it was obvious by looking at my transaction activity that something funky was going on

George: did u file a police report?
Scott: i didn't
George: u should

Scott: should i do it here in Boston or in Baltimore where the purchases were made?
George: first, do it here. it will help should the thieves do more damage
George: second, call one of the credit bureaus and place a Fraud Alert on your credit report
Scott: i def will... hadn't even thought about it. think i was more concerned bout the bank
Scott: great suggestions

George: they charged stuff to your credit card, right?
Scott: debit/credit
George: sh--
Scott: a [bank name suppressed] bank account
George: def file a police report. now that the thieves know your debit/checking acct number, they can do more damage
George: did the bank give you a new checking acct number?
Scott: yea
George: third, change all of your passwords on your bank accts
Scott: i'm in there now, so i'll do it right away
George: remember to use a strong password: mix of caps and lower case... mix of numbers and text
Scott: covered

George: leave work today and go file a police report at the police station closest to where you live... ask them how to handle the balt location
Scott: you got it...
Scott: thanks for the suggestions. i'll call one of the credit bureaus too
George: now that the thieves know your debit and bank information, they may try to a) reroute your snail mail, b) break into your online accts, c) try to apply for credit in your name
Scott: oh man
George: d) create a phony ID and visit your bank branch to try to get the bank to disclose your SSN or other personal data
George: so, be alert that you get all of the mail you expect
Scott: for sure

George: yes, this sucks. welcome to identity theft in 2008. check my blog for tips
Scott: i certainly will
George: click on one of the right column categories to learn more about that subject (e.g., fraud alerts, credit monitoring services). u should check your credit reports at all 3 credit bureaus... that is your first line of defense should somebody try to apply for credit in your name

Scott: if i call one of the credit bureaus will all 3 somehow be notified or do i have to call all 3?
George: for a Fraud Alert, if u call one, it notifies the other 2. For a Security Freeze, you have to contact each credit bureau independently
George: my blog explains the difference between a Security Freeze and a Fraud Alert

George: Last... DON'T shop with your debit/ATM card. It doesn't give you the same protections as a credit card. I only use my debit/ATM card at my bank's ATM machines. I have a blog post about why shopping with a debit/ATM card is a bad idea
George: call or im me if u have more questions

George: but do the police report today
Scott: will do. thanks for all the great info
George: call and place the Fraud Alert today
Scott: totally appreciate it
George: u r welcome

[Editor's note: I should have also advised Scott to file a complaint with the Federal Trade Commission.]

Friday, February 22, 2008

Judge Hands Identity Thief The Maximum Sentence

From the St. Louis Today newspaper:

"A federal judge handed down a maximum sentence Friday to an identity thief who authorities said began a new scheme while still serving time in a halfway house for a previous one. The thief, Robert Unique Haines, 43, of the St. Louis area, must serve 14 years in prison, the U.S. attorney's office said. He pleaded guilty in October of conspiracy, aggravated identity theft, fraud with identification documents and escape."

Apparently, Haines recruited employees at an Old Navy store and at United Healthcare to steal customers' personal information. The thieves used the personal data to open credit accounts in the customers' names or take over their accounts. The theft was pretty extensive:

"The shoppers got cash and permission to use the cards for their own purchases, officials said, while Haines and others would sell the merchandise at a discount for cash. Investigators located 58 customer victims and $150,000 in fraudulent purchases or charges, although the companies notified more than 15,000 that their information was at risk."

The conspirators also received prison sentences:

"Former United Healthcare employee Clare Hungerford, 37, of the 11000 block of Hidden Lake Drive in St. Louis, was sentenced last month to four years in prison in the case. Former Old Navy employee Timothy Short, 32, of the 900 block of Concordia Lane, was sentenced in November to two years in prison. Six others have also pleaded guilty to related charges and were ordered to serve sentences of probation to 75 months in prison."

While the good news in this story is that the thieves were caught and sentenced, there is a cautionary message: the thefts relied on employees working inside the companies, with legitimate access to customer records. This should be a signal to companies everywhere that security checks, both before and during employment, are necessary.

Monday, February 11, 2008

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story titled "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and drivers license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and racked up about $35,000 of debt that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. Reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or another equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' social security numbers.

Wednesday, February 06, 2008

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes clear what the penalties are for skimmers who are caught, but, as with most identity theft, the thieves seem never to get caught. Hence the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

Thursday, January 24, 2008

Credit Card Truncation, Identity Theft, and Class Action Lawsuits

At the Credit Slips blog, contributing author Adam Levitin wrote an interesting post about retailers' responsibility to truncate credit card and debit card account numbers on consumers' bills:

"In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transaction Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006."

Adam's post drives home the point about retailers' liability:

"If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 per violation, plus punitive damages, and costs/attorneys fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge."

The Clausen Miller law firm confirmed this in a November 2007 post to their corporate clients:

"Whether large or small, all businesses that are not in compliance with FACTA are potential targets of this litigation. The driving force behind this flurry of class action litigation is financial. Statutory damages for a willful violation of FACTA are between $100 and $1,000 per violation, regardless of whether any actual damages were incurred or whether an individual’s identity was stolen."

The Clausen Miller article also highlighted the resulting class-action lawsuits:

"Entities such as Victoria’s Secret, Toys “R” Us, The Gymboree Corporation, California Pizza Kitchen, In-N-Out Burgers, Adidas Promotional Retail Operators, El Pollo Loco, Costco, and IKEA have all been involved in this litigation."

Want to learn more? The Jones Day law firm similarly advises its corporate clients to comply with FACTA.

So, the next time you go shopping, check to make sure that the retailer's receipts display only a portion of your credit card or debit card number. And, shred any unneeded receipts which contain your personal information.
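The truncation rule above is simple to state, but the receipt you are handed is the output of a register program, and it is the program that either does or does not obey it. The following is an added example, written for this post and not code from Credit Slips, the Jones Day or Clausen Miller articles, or any retailer: a receipt formatter that masks the card number and omits the expiration date, plus an audit scanner that reads receipt text (from a printer spool, a register log, or a test receipt) and flags any full card number or printed expiry. The receipts and the "ACME MART" store are constructed for the demo; the card number 4111 1111 1111 1111 is the standard Visa test number, not a real account.

```python
import re

# 15 U.S.C. 1681c(g) allows at most the last 5 digits of the card number and
# no expiration date on an electronically printed point-of-sale receipt.
MAX_VISIBLE_DIGITS = 5


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; screens out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = 4) -> str:
    """Mask all but the trailing digits; the cap keeps a caller from exceeding FACTA."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    visible = min(visible, MAX_VISIBLE_DIGITS)
    return "*" * (len(digits) - visible) + digits[-visible:]


def format_receipt_line(pan: str, amount: str) -> str:
    """Receipt line for the cardholder copy: truncated PAN, no expiration date."""
    return f"CARD {truncate_pan(pan)}  AMOUNT {amount}"


# Audit side: scan receipt text for a full card number (13-19 digits, spaces
# or dashes allowed, must pass Luhn) or an expiry printed next to an EXP label.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EXPIRY_RE = re.compile(r"\bEXP\w*\s*:?\s*(0[1-9]|1[0-2])/\d{2,4}\b", re.IGNORECASE)


def find_violations(receipt_text: str) -> list:
    """Return (line_no, kind, text) for each unmasked PAN or printed expiry."""
    hits = []
    for n, line in enumerate(receipt_text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((n, "full-pan", m.group()))
        m = EXPIRY_RE.search(line)
        if m:
            hits.append((n, "expiry", m.group()))
    return hits


# Constructed receipts. The ORDER line is a 16-digit number that fails Luhn,
# so the scanner must not flag it.
BAD_RECEIPT = """\
ACME MART  01/24/2008
CARD 4111 1111 1111 1111  EXP 12/09
ORDER 1234567812345678
AMOUNT 42.17
"""

GOOD_RECEIPT = "ACME MART  01/24/2008\n" + format_receipt_line("4111111111111111", "42.17") + "\n"

if __name__ == "__main__":
    print(GOOD_RECEIPT)
    for hit in find_violations(BAD_RECEIPT):
        print("violation:", hit)
```

The Luhn filter matters in practice: register logs are full of 16-digit order and transaction numbers, and a scanner that flags every long digit run will be ignored. Run the scanner over a day's receipt spool before a compliance review, not after a class action names the store.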

Monday, January 21, 2008

Iron Mountain Can't Find A GE Money Data Tape With Records For 650,000 Consumers

Stuff like this isn't supposed to happen to a company whose core business is data security and storage. InformationWeek reported last week:

"Iron Mountain can't find a backup tape belonging to GE Money that contains the personal information of some 650,000 customers of J.C. Penney and about 100 other retailers. GE Money handles credit card processing for the affected retailers. The missing data includes about 150,000 social security numbers, according to an Associated Press report. GE Money requested the backup tape from an Iron Mountain vault in October, according to a statement issued by Iron Mountain. When the tape could not be located, Iron Mountain personnel began looking for it. The tape remains unaccounted for."

I've seen this play before. In February 2007, IBM exposed my personal data when its transportation vendor lost backup data tapes. IBM refused to disclose the number of records exposed, and never fired the transportation vendor. We'll see what GE Money does. At least GE Money disclosed the number of records exposed.

When things like this happen, I wonder if it's an inside job. The tape has been missing since at least October 2007. Data protection is supposedly Iron Mountain's core business. From Iron Mountain's web site:

"With over 30 years of experience, Iron Mountain delivers the most reliable, battle-tested, data protection and recovery solutions available - from offsite tape vaulting and archiving to server and PC data backup, email continuity, and disaster recovery."

A disaster? Yes. Reliable? Apparently not. Backup data tapes shouldn't go missing, and neither report says whether the data on this one was encrypted; an encrypted tape in the wrong hands is a lost asset, an unencrypted one is 650,000 exposed records. Senior management heads at Iron Mountain need to roll. If you received a breach notification letter about this, let us know in the Comments section below what the breach notification letter said. I've Been Mugged readers want to know.

Tuesday, January 15, 2008

Appeals Court Upholds Verdict in Sloane v. Equifax

A recent FindLaw article by Anthony Sebok reported:

"The U.S. Court of Appeals for the Fourth Circuit recently upheld a sizable verdict against a credit agency for failing to promptly and efficiently aid a victim of identity theft. The decision in Sloane v. Equifax Information Services does not break new doctrinal ground. It does, however, underscore how identity theft could become a headache not only for individual consumers, but large financial reporting companies."

In 2003, Suzanne Sloane (Sloane) had her SS# stolen at Prince William Hospital in Virginia by a hospital employee named Shovana Sloane. The identity thief quickly ran up $30,000 of debt in Sloane's name. Sloane notified Equifax of the theft and provided documentation of the fraudulent charges according to Equifax's instructions. Shovana Sloane was later arrested and convicted of the identity theft. At the jury trial, Equifax was found liable because its mishandling of the dispute compounded the problem: it never accurately corrected Suzanne Sloane's credit report.

"Finally, in November 2005, Sloane sued all three of the national credit reporting agencies, the Prince William Hospital and the employment agency that had helped place Shovana Sloane. Sloane settled with all the defendants but Equifax."

Here's the most important part of the story for consumers:

"Sloane sued the credit agencies under the Federal Credit Reporting Act, a 1968 law Congress passed to protect consumers from negligently-maintained credit records. The law sets out requirements to ensure that credit reporting agencies maintain accurate records, and it provides for a private right of action by injured consumers, who may seek to recover damages in the event that a credit reporting agency negligently violates any of the statute's requirements. At trial, the jury found that Equifax had violated the FCRA and awarded Sloane $106,000 in economic losses and $245,000 in mental anguish."

The Appeals Court did reduce Sloane's award to $150,000. In my opinion, the reduction was unwise, since identity theft strikes at a consumer's ability to take care of themselves and their family. Maybe the credit bureaus will now take identity theft more seriously. In his article, Sebok correctly concludes:

"As the Fourth Circuit itself noted, FCRA cases are changing. Whereas errors used to arise from simple carelessness within the banking industry itself, the possibility of the errors' resulting, instead, from identity theft, as occurred here, is increasing, along with the ubiquity of the Internet, Wi-Fi, and smartphones. Credit reporting agencies will be the means by which much more misinformation will be "published" and the consequences of lax practices for correction will grow even more severe."

Wednesday, November 28, 2007

Data Security Gaps At Retail Stores Where you Shop

This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security practices at many of the retail stores and chains we shop at. More importantly, it showed how identity thieves steal consumers' credit card (and debit card) data from the stores' wireless data connections:

"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."

The segment did a good job explaining how identity thieves steal data:

"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data."

When retail stores use insecure or poorly protected wireless connections, stealing data is easier than you might think:

"We can just pluck it, is what you're saying, right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

What I found most irritating was that the segment reported many retail stores still refuse to invest in effective, current data security, while being fully aware of the TJX/TJ Maxx data breach debacle. To cut costs, retail companies still install and use obsolete encryption for the wireless transmission of your (and my) credit card information:

"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."
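"Cracked" is doing a lot of work in that quote, so here is one concrete reason WEP is obsolete. This is an added example, written for this post; it is not code from 60 Minutes, Mandiant, or the original article, and the key, IV and packet contents are dummies constructed for the demo. WEP forms its RC4 key as a 24-bit per-frame IV (sent in the clear) followed by the shared key, appends a plain CRC-32 integrity value, and XORs the result with the RC4 keystream. With only 2**24 IVs, a busy store network repeats one within hours, and two frames under the same IV share a keystream. An eavesdropper who knows the contents of one of them (every IP frame starts with the same 8-byte LLC/SNAP header, and an attacker can also inject a frame whose contents they chose) XORs that knowledge out and reads the other. The example shows both the full-frame case and the header-only case; the statistical key-recovery attacks on RC4's key schedule that war-driving tools actually use are a separate, stronger result not implemented here.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream: key-scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP builds it: IV (clear) || RC4(IV||key) XOR (payload || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits, so only 2**24 exist per key"
    keystream = rc4_keystream(iv + shared_key, len(payload) + 4)
    return iv + xor_bytes(payload + icv(payload), keystream)


# Every IP-over-802.11 data frame begins with this LLC/SNAP header, so an
# eavesdropper always knows at least the first 8 plaintext bytes of a frame.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple:
    """Known-plaintext attack: ciphertext XOR known plaintext = keystream for
    this IV. Pass payload || ICV for a fully known frame, or just LLC_SNAP_IP
    when only the header is known."""
    iv, body = frame[:3], frame[3:]
    n = min(len(known_plaintext), len(body))
    return iv, xor_bytes(body[:n], known_plaintext[:n])


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Decrypt as much of another frame as the recovered keystream covers."""
    if frame[:3] != iv:
        raise ValueError("a recovered keystream only applies to frames with the same IV")
    n = min(len(keystream), len(frame) - 3)
    return xor_bytes(frame[3:3 + n], keystream[:n])


# Constructed demo material: dummy 40-bit key, dummy IV, made-up payloads.
SHARED_KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("0a0b0c")
KNOWN_PAYLOAD = LLC_SNAP_IP + b"packet whose contents the attacker already knows"
SECRET_PAYLOAD = LLC_SNAP_IP + b"acct=4111111111111111 pin=1234"


def demo() -> tuple:
    """Two frames under the same IV: recover the keystream from the known one,
    then read the secret one. Returns (recovered payload, ICV verified)."""
    known_frame = wep_encrypt(SHARED_KEY, IV, KNOWN_PAYLOAD)
    secret_frame = wep_encrypt(SHARED_KEY, IV, SECRET_PAYLOAD)  # IV reused
    iv, keystream = recover_keystream(known_frame, KNOWN_PAYLOAD + icv(KNOWN_PAYLOAD))
    plain = decrypt_with_keystream(secret_frame, iv, keystream)
    payload, tag = plain[:-4], plain[-4:]
    return payload, tag == icv(payload)


if __name__ == "__main__":
    payload, ok = demo()
    print(payload, "ICV ok" if ok else "ICV mismatch")
```

The ICV check at the end is the tell: because the integrity value is an unkeyed CRC, the attacker can confirm a correct recovery without ever learning the shared key. WPA (TKIP, and later AES-CCMP) replaced the per-frame IV construction and the CRC with a keyed MIC precisely to close this class of attack.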

More about TJX / TJ Maxx:

"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart...  TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "

So, the retail chain with the largest data breach in USA history admits that its wireless security was no better (or worse) than other retailers'! That's pretty damning evidence about the retail industry, which seems more interested in making money than in providing secure transactions for consumers.

To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.

Monday, November 26, 2007

Wildfire Victims Targeted By Identity Thieves

As if the wildfire victims didn't have enough bad news. The Redlands Daily Facts reported:

"Redlands fraud investigators are warning of an increased risk of identity theft targeting victims of the recent wildfires. Following the Old Fire in 2003, Redlands police saw an increase in identity theft among those who had homes damaged or destroyed in the fires and those who were evacuated from their homes... looters often sift through damaged property or homes under evacuation orders, making off with bank and credit card statements, tax documents, and other financial information. The information is then used or sold to others to access victims' accounts or rack up thousands of dollars in debt charged to the victim."

According to the Earth Times on November 13, 2007:

"TrustedID, a leading provider of proactive identity theft protection solutions, today announced it will offer free identity theft protection services to families affected by the California wildfires to prevent identity theft while they recover and rebuild. During the month of November, residents can call TrustedID's special hotline to receive three months of free coverage under TrustedID's IDFreeze service, which offers the strongest proactive identity theft protection available today for families."

According to a news release at PR-USA:

"... AxcessPoints is offering a free year of service for its secure, online repository through Nov. 30, 2007. AxcessPoints is $9.95 per month. AxcessPoints, a highly secure online planning resource for organizing and retrieving critical personal, medical and financial information, said disaster victims often suffer a second tragedy following a catastrophe by failing to have key financial records and other critical data readily available to work with insurance companies, banks, utilities and other service providers."

Note: the I've Been Mugged blog does not endorse the above services. I do not have a business relationship with either company. Like any other services, consumers should research the company, its services, and shop around to compare services before making a purchase decision.

Monday, November 19, 2007

Chase Harasses A Credit Card Fraud Victim

This post at the Consumerist blog is a worthwhile read. Brandon's story highlights how a company can harass an identity theft victim instead of working with the victim to resolve the fraud. Brandon's story:

"In January 2007, I was traveling in Mexico and was mugged, having my wallet and passport stolen. By the time I got back to the hotel and began calling my credit card companies to cancel, the criminal had charged close to $3,000 on my CHASE Circuit City Visa card. I explained to CHASE that the charges were fraud, and they sent me a fraudulent charge affidavit to complete and have notarized. As I couldn't take care of this until I returned from my trip, and had more important things like a passport to worry about, I waited a few weeks before completing the paperwork and during those weeks received about 2 calls a day from CHASE urging me to send the documents."

According to the post, Brandon did a lot of things correctly. He completed the necessary documents and communicated with Chase in writing. The post includes a copy of Brandon's correspondence. But Chase continued to harass him for payment.

The best advice (from the Consumerist) is at the end of the post:

"You called and reported the fraud the day of, and yet they're still trying to collect. Under federal law, you have no responsibility for unauthorized charges after reporting loss or theft of a credit card. That you waited a few weeks to send in the papers doesn't matter. Worst case scenario, your maximum liability is $50. Have you sent them a "drop-dead" letter? Or a letter of dispute? Include the information in the preceding paragraph in your letter. You could also try kicking it up to Chase executive customer service: 1-888-622-7547 - extension 4350 or 847-488-6833, or 888-622-7547 x 6833."

Tuesday, November 13, 2007

Unfortunately, Your Average Joe's Data Breach (Part 2)

Over at his Mostly Harmless blog, Dave Owczarwk provides a good summary of the restaurant chain's data breach, plus a solution for consumers who want to continue eating at the restaurant:

"Anyway, this is a tough break for Joe's, but what is the consumer to do? My recommendation, if you like the place, is to continue to patronize it and just use cash."

That's good advice, and I recommend it for any retail store where consumers want to shop but are worried about the security of their credit card information. Definitely don't use your debit card! Read this post on why credit is better than debit.

Friday, November 09, 2007

Working Asset or Working Liability?

Earlier this week, a former coworker, Diane, shared with me the following breach notification she received via e-mail:

From: "Working Assets" <workingassets@act.actforchange.com>
Date: November 4, 2007 12:26:55 AM EDT
Subject: Important Notice: Security Breach

Dear Working Assets Customer,
We regret to inform you that the company we contract with to provide online services, Convio, has identified a breach of one of their internet security systems. There was no breach of personally-identifiable information or credit card data, but your email address and password for managing your Act For Change and Working For Change subscriptions were obtained by an unauthorized third party. Please note that the database holding account information related to Working Assets long distance, wireless and credit card accounts was not affected.

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

- Pay careful attention to emails you may receive requesting personal and financial information, and only provide it when you can confidently confirm that it has come from a trusted organization.

- Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus. We take your privacy seriously, and as a protective step have immediately deleted all passwords from the Act For Change and Working For Change website and subscriptions. This will not affect your subscriptions or site usage, and you will simply be prompted to create a new password when you go to manage your account.

Our vendor Convio has asked us to convey their deepest apology and assurance that security has been restored. If you have any questions or concerns, please feel free to call (800) 788-0898 or to email customerservice@wafs.com.

Stephen Gunn
Vice President, Operations
Working Assets

While I like the social causes that Working Assets (WA) supports, I can't ignore the problems with this breach notification. First, the notification relies on a single channel: e-mail. Users often mistake an e-mail breach notification for spam, or dismiss it as phishing. While e-mail notification is definitely cheaper and faster than snail-mail notification, the savings and speed must be balanced against customers' trust. Better to inform identity-theft victims both by e-mail and by snail-mail.

Second, the notification's content gives the impression that WA's goal is to avoid responsibility for the breach. Most of the e-mail letter covers what the consumer should do, not what WA is doing. The letter does not explain what WA is doing to:

  • prevent future data breaches by Working Assets and/or its subcontractors,
  • closely monitor and demand data security upgrades by subcontractor (Convio),
  • closely monitor other subcontractors it hires,
  • offer credit monitoring and/or credit restoration to identity theft victims already affected

Moreover, WA's notification seems to be a copy of Convio's breach notification with few changes. This makes me wonder what value WA adds to its notification, if any. This notification also does not promote feelings of trust in WA.

Third, while WA's data breach didn't disclose any sensitive data (e.g., SS#, driver's license number, credit card number, bank account numbers), it did disclose sign-in information (an e-mail address and password pair) that thieves could use to access sensitive data in Working Assets or other accounts. The notice does not say how Convio stored those passwords; if the thieves obtained them in usable form rather than as salted hashes, the reuse risk the letter warns about is immediate, not theoretical. I doubt many consumers will see a difference between having their sign-in information stolen and having their sensitive personal data stolen directly. The end result for identity-theft victims is the same: their sensitive data has been put at risk.

Fourth, the communication doesn't mention a WA web site for the ID-theft victim to obtain updates about the breach, answers to frequently asked questions, WA's data security, WA's investigation, Convio's data security, and Convio's investigation. This gives me the impression of a lax and somewhat disorganized response by WA to their data breach. (To the good, WA does provide a simple Security Notice page in its web site.) Basically, the e-mail notification seems to be one big, "we're sorry and best of luck to you" kiss-off.

I'd grade Working Assets' breach notification as a D- in terms of completeness and corporate responsibility. I wonder if the company has studied and learned from prior breaches and corporate responses, like the TJX debacle and Don Imus' blunder. WA customers should also learn more about security problems at Convio.