Scams / Threats

Friday, May 09, 2008

'Whaling' Is The Latest Phishing Threat

From Yahoo News:

"US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information. Thousands of powerful US executives have received the bogus emails that contain links which, if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data. Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users."

Apparently, these whaling attacks have had a high success rate with getting executives to open those bogus e-mails and either click on attachments or click on links. Consumers should be aware that within the USA, subpoenas are usually served in person by process servers, to assure judges that the orders from courts have been properly received by those named.

This news article also appears at AFP. If you are unsure how to recognize a phishing scam, read:

Whether or not you are caught by a phishing scam, you should always report it.

Friday, May 02, 2008

BBC Exposes Facebook Flaw

This May 1, 2008 BBC News video is short, clear, and informative for both current Facebook members and consumers considering Facebook. I strongly recommend that you view the BBC video. Be an informed user of social networking sites.

You may also find these prior I've Been Mugged posts helpful:

You may also want to browse this MoveOn petition.

If all of the above has scared the daylights out of you, then you might want to view this YouTube video:

Wednesday, April 30, 2008

CNN Data Doctor: When Criminals Take Over Your Web Mail Account

I'd like to thank Bruce for alerting me to this CNN video.

A lot of people use Web mail because of its convenience. Criminals use Web mail too, but not in the way you might expect. Criminals will try to take over your Web mail account. Why? One, they can use it to send spam. Two and more likely, they hope to use your sign-in information (e.g., Web mail username and password) to access your financial and bank accounts. Simply, that's where your money is... and many people use the same sign-in information for several accounts.

The CNN video includes advice about how to prevent criminals from taking over your Web mail account, and what to do if they've already taken over your account. So, a word to the wise:

There are several posts in I've Been Mugged that can help you with each item listed above.

Wednesday, April 23, 2008

Seattle Man Sentenced To 51 Months In Prison For Identity Theft

I am pleased to forward news when identity thieves receive what they deserve. The Seattle Post-Intelligencer reported:

"Kopiloff pleaded guilty to aggravated identity theft, mail fraud and accessing a protected computer without authorization to further fraud. He victimized more than 50 people and caused about $70,000 in losses, according to court records."

Readers should also note:

"The peer-to-peer network Kopiloff exploited is the type that is used to swap music online. Kopiloff used software such as LimeWire to search the computers of members of the file-sharing network for federal income tax returns, student financial aid applications and credit reports, according to prosecutors. The stolen merchandise would be shipped to mailboxes around the Puget Sound region, then sold for about half its retail value."

This story should be a warning to consumers about both the risks with file-sharing software, and the need to properly configure home firewall, wireless network, and anti-virus software.

Monday, March 31, 2008

House Stealing: The Newest Identity Theft Scam

On March 25, the Federal Bureau of Investigation (FBI) issued a warning to consumers about a new form of fraud. The new threat:

House Stealing = Identity theft + Mortgage Fraud

According to the FBI, here's how the scam works:

"The con artists start by picking out a house to steal—say, YOURS. Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. Then, they go to an office supply store and purchase forms that transfer property. After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS."

With the deed, criminals can sell the house right from under you and pocket the cash. According to the Boston Herald newspaper:

"It’s happened in Dorchester. Police last year arrested three people at the Suffolk County Registry of Deeds after they tried to sell the home of a former nun and Catholic school teacher out from under her. Andre J. Lamerique, 25, of Sharon, Carmella F. Lassegue, 26, of Hyde Park, and Judy A. Bonas, 51, of New York, were charged with conspiracy, identity fraud and aiding and abetting after they allegedly stole the identity of Judy Melody, 65, of Dorchester. A federal postal inspector accuses the trio of using Melody’s identity to purchase homes in Brockton and Halifax. They were caught on Jan. 23, 2007, when they allegedly attempted to use the same scheme to sell Melody’s home. Lamerique is in custody awaiting trial, federal court papers show. Lassegue and Bonas are free on bail."

I find it odd when researchers claim that identity theft instances are decreasing. New trends like House Stealing are direct evidence otherwise. Identity criminals constantly change their tactics, which provides a challenge for researchers and government agencies to track the appropriate statistics to accurately measure identity theft instances. According to the Boston Herald:

"While the FBI does not maintain statistics for specific types of mortgage fraud, they know the crime of home theft is on the rise. In Fiscal 2007, financial institutions alerted law enforcement to 46,717 examples of mortgage fraud suspicious activity reports... Just a part of the way through Fiscal 2008, that figure has nearly reached the 30,000 mark."

Experts predict that mortgage fraud could increase to 60,000 in 2008. The FBI recommends the following to protect yourself from this new scam:

  • If you receive a payment book or information from a mortgage company that’s not yours, whether your name is on the envelope or not, don’t just throw it away. Open it, figure out what it says, and follow up with the company that sent it.
  • From time to time, it’s also a good idea to check all information pertaining to your house through your county’s deeds office. If you see any paperwork you don’t recognize or any signature that is not yours, look into it.

According to the FBI, this new scam is rare. Of course, contact your local police, the FBI, and file a complaint with the FTC if you have been victimized.

Thursday, February 21, 2008

More About Sidejacking

After I wrote my first post about sidejacking, I did some more online research. A post at The Consuming Experience blog offered information about sidejacking:

"You're at risk from sidejacking when you use the internet via a free, or even paid-for, unsecured public wi-fi or WLAN (wireless networking) hotspot. That could include just accessing your Hotmail or other webmail, or your Facebook or MySpace or other social networking account, your Amazon account, etc. An attacker on the same wifi network could "sniff", steal and use login details and info of users of that open WLAN - such as "AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth."

Since many web sites do not encrypt every site page, identity thieves can:

"... intercept the unencrypted information, particularly the "cookie" files saved with your browser and sent between it and the site - and which are often used to log you in."

And there are other ways your laptop can disclose your personal data:

"... all sorts of other unencrypted info can be intercepted and copied, and used to deduce details about you or your accounts which can then be used by the thief... when you power-on your computer. It will broadcast to the world the list of WiFi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to."

What's a person to do to keep your personal information safe?

"Before you login to a website, at least make sure that the page where you enter your details, the one with the boxes for your login info before you hit Submit or OK, is a secure page - i.e. starts with "https". But that's not enough, it has to be SSL all the way."

The post at The Consuming Experience blog offers more tips and solutions, for people who are technology-savvy and for those who aren't. There are also some solutions in my prior post about sidejacking.
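
To make "SSL all the way" concrete, here is an added illustration (not from the original post or from The Consuming Experience blog). It replays a constructed browsing session and lists which cookies a browser would send over plain HTTP, where anyone on the same open hotspot could read them. The site name `mail.example.test` and the cookie names and values are made up, and cookie matching is simplified to the host name only.

```python
from urllib.parse import urlsplit

# Constructed session for a hypothetical webmail site: each step is the URL
# the browser requests and the Set-Cookie headers in that response.
# The login page is https, but the site then drops back to http.
MIXED_SESSION = [
    ("https://mail.example.test/login",
     ["SID=3f9a1c; Path=/; HttpOnly",            # session cookie, no Secure flag
      "CSRF=77ab02; Path=/; Secure; HttpOnly"]),
    ("http://mail.example.test/inbox", ["PREFS=lang-en; Path=/"]),
    ("https://mail.example.test/settings", []),
    ("http://mail.example.test/logout", []),
]

# Same constructed site, corrected: every page is https and every cookie
# carries the Secure flag.
HTTPS_ONLY_SESSION = [
    ("https://mail.example.test/login",
     ["SID=3f9a1c; Path=/; Secure; HttpOnly",
      "CSRF=77ab02; Path=/; Secure; HttpOnly"]),
    ("https://mail.example.test/inbox", ["PREFS=lang-en; Path=/; Secure"]),
    ("https://mail.example.test/settings", []),
    ("https://mail.example.test/logout", []),
]


def parse_set_cookie(header):
    """Return (cookie name, has Secure flag) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, "secure" in attrs


def cleartext_exposures(session):
    """Replay the session with a minimal cookie jar and return a list of
    (url, cookie name) for every cookie sent with a plain-HTTP request.

    Assumption: cookies are matched on host name only; Path, Domain and
    expiry are ignored to keep the example short.
    """
    jar = {}         # (host, cookie name) -> has Secure flag
    exposures = []
    for url, set_cookie_headers in session:
        target = urlsplit(url)
        # Request phase: which stored cookies go out with this request?
        for (host, name), secure in sorted(jar.items()):
            if host != target.hostname:
                continue
            if target.scheme == "https":
                continue          # encrypted in transit
            if secure:
                continue          # browser withholds Secure cookies on http
            exposures.append((url, name))
        # Response phase: store the cookies the site just set.
        for header in set_cookie_headers:
            name, secure = parse_set_cookie(header)
            jar[(target.hostname, name)] = secure
    return exposures


def exposed_cookie_names(session):
    """Sorted, de-duplicated names of cookies that crossed the network in clear."""
    return sorted({name for _url, name in cleartext_exposures(session)})


if __name__ == "__main__":
    for url, name in cleartext_exposures(MIXED_SESSION):
        print(f"sent in clear: {name:6s} -> {url}")
    print("https-only site exposures:", cleartext_exposures(HTTPS_ONLY_SESSION))
```

In the mixed session the login cookie `SID` was issued on an https page, yet it still travels unencrypted on the very next http request, which is exactly the gap the quoted advice warns about.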

Monday, February 11, 2008

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story about, "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and drivers license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and racked up about $35,000 of debt that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. Reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or another equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' social security numbers.

Wednesday, February 06, 2008

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes it clear what the penalties are for skimmers who are caught, but as with most identity theft, thieves seem to never get caught. Hence, the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

Monday, February 04, 2008

Sidejacking: What It Is and How to Protect Yourself

We all know what carjacking is. Sidejacking is when an identity thief spies on your Internet session while you use your laptop at a public, unsecured WiFi connection to the Internet, or "hotspot." Common hotspot locations are airports, coffee shops, hotels, and some downtown city locations.

So, if you use your laptop at public hotspots, this CNN video is a must-see. Colburn suggests the following to protect yourself:

  • Don't use a public hotspot if you don't have to
  • If you must use hotspots, surf the web but don't sign in to secure sites (e.g., bank accounts, e-mail, etc.)
  • If you use hotspots frequently, consider installing a hotspot shield on your laptop

I have not used the product from Anchorfree.com, nor do I have any relationship with Anchorfree.com or with CNN. So I cannot provide an opinion on the effectiveness of the Anchorfree.com software. If you have used this or another brand of wireless VPN software, please share your experience below in the comments section. As with any other software purchase, check the software specifications to make sure it runs on your laptop. Shop around and research Anchorfree.com before a purchase.

Want to learn more about sidejacking? You can start reading here.

Wednesday, January 23, 2008

Computer Virus Hits Nokia Mobile Phones

Well, it has finally happened. PC World magazine reported yesterday:

"Security vendor Fortinet has uncovered a malicious SymbianOS Worm that is actively spreading on mobile phone networks. Fortinet's threat response team warned on Monday that the worm, identified as SymbOS/Beselo.A!worm, is able to run on several Symbian S60 enabled devices. These include handsets such as Nokia 6600, 6630, 6680, 7610, N70 and N72 handsets. The malware is disguised as a multimedia file (MMS) with an evocative name: either Beauty.jpg, Sex.mp3 or Love.rm. Fortinet warned this is deceiving users into unknowingly installing the malicious software onto their phones."

The worm seems to be spreading in the EMEA (Europe, Middle East, and Africa) region. Up until now, mobile malware (e.g., computer viruses) has been rare.

"After installation, the worm harvests all the phone numbers located in the phone's contact lists and targets them with a viral MMS carrying a SIS-packed (Symbian Installation Source) version of the worm. In addition to harvesting these numbers, the malware also sends itself to generated numbers as well. Interestingly, all these numbers are located in China so far and belong to the same mobile phone operator."

What should mobile phone users do? Practice safe mobile phone use just like you do with your computer. Don't accept or open files from people you don't know. Be careful who you share your mobile phone number and text messaging address with. Contact your mobile phone manufacturer or mobile network provider for assistance.

Thursday, January 10, 2008

Social Here, Social There, Social Security Numbers Everywhere!

A friend, Catherine, sent me the link to this recent Washington Post newspaper article which highlighted a huge identity vulnerability in the USA. Frankly, there are millions of paper documents in federal, state, and local records which disclose consumers' Social Security numbers:

"Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

This is a very dangerous situation. I cannot over-emphasize the risk. The large number of documents containing Social Security numbers with accompanying names, addresses, and birth dates makes it very easy for identity thieves to visit a local courthouse or government office and collect personal data from paper (and online) records documents.

While the federal law was changed in 2001 to remove Social Security numbers from documents, the law doesn't include documents produced before then and documents in state and local government records files:

"A recent spot-check found the nine-digit numbers -- introduced in 1936 to track employee earnings and benefits -- on hundreds of land deeds, death certificates, traffic tickets, creditors' filings and other documents related to civil and criminal court cases. Federal courts have banned the numbers from appearing on public documents since 2001... However, millions of paper records were filed across the United States before the laws and rules took effect. Generally, such records are not covered by the prohibitions. And court clerks said it would be virtually impossible to redact all of the Social Security numbers in them."

The article also highlights central Virginia activist Betty "B.J." Ostergren, who pushes lawmakers and government agencies to take sensitive personal data off state-run Web sites. Ostergren operates the thevirginiawatchdog.com site, which lists examples of public figures whose Social Security numbers have appeared in public records.

One thing we consumers can do is press our state and local politicians and government to protect our personal data which resides in records documents. The best summary:

"It's alarming, because the government should be setting the example in really trying to protect people's private information," said state Sen. Jamie B. Raskin (D-Montgomery). "Look, there's a whole criminal underground now that thrives on stealing people's credit cards and usurping their identity for as long as they can."

Wednesday, January 02, 2008

Who Hackers Will Target In 2008

In his ZDNet Gear For Geeks blog for IT professionals, Adrian Kingsley-Hughes predicts that computer hackers will target in 2008 what Adrian calls the "stupid crowd" since hackers (and identity thieves) follow the path of least resistance:

"The term 'stupid crowd' might seem harsh and unjust, but it’s as good a label as any... The 'stupid crowd' is made up of those users who don’t let anything get in their way when they’re after that funny video, porn, a keygen or pirated movie. The 'stupid crowd' click first and ask questions later (thinking doesn’t seem to factor in the process at any stage)... Anyone who’s had to throw away a PC because it was trashed by malware is a member of the stupid crowd."

Adrian makes some valid points about (home and business) computer users who ignore good computer security habits while surfing the Internet, sending documents, or reading e-mail. However, Adrian has described only one segment of the "stupid crowd."

In the few short months I've written the I've Been Mugged blog, I've read about many corporate data breaches and data security failures... enough so I've concluded that a second (and perhaps larger) segment of the "stupid crowd" includes companies where their senior management and IT professionals implement obsolete data security and data encryption methods, or insufficiently fund effective data security programs. Obviously, the "corporate stupid crowd" includes companies that suffer repeated data breaches.

The "corporate stupid crowd" includes:

  • IT and HR managers who fail to train their employees on effective data security practices, especially regarding the downloading and storing of sensitive data on company laptops
  • Companies that fail to implement data security processes with their contractors... and fail to hold those contractors accountable when data breaches occur
  • IT managers who fail to secure their computer equipment liquidation process
  • Retail companies with obsolete wireless encryption and data security
  • Companies that ignore or fail to comply with Payment Card Industry (PCI) data security standards
  • Companies who have the bad habit of placing profits ahead of data security for the sensitive personal data they archive

We only have 2007 to review to see the companies that are part of the "corporate stupid crowd." To see examples, browse the Data Breaches, Corporate Responsibility, and TJX / TJ Maxx topics in this blog. This flow diagram aptly describes the "corporate stupid crowd" regarding data security and data breaches.

If that's not enough, there's a ZDNet blog that documents the missteps and fumbles of the corporate stupid crowd: IT Project Failures.

Tuesday, December 18, 2007

RoboScalpers: Somewhere (Online) There Is a Crime Happening

It's the holidays and you want to see your favorite theater show, concert, or sports event. As soon as tickets are available, you try to buy them online but the event is already sold out. Have you ever wondered why this happens? According to a recent post at the Consumerist blog:

"Ticketmaster is suing RMG Technologies for selling lecherous software that instantly sucks up tickets to everyone's favorite concerts and sporting events. Groups like RMG are the reason tickets sell out just minutes after going on sale, only to mysteriously reappear at outrageously marked up prices on ticket resale sites like StubHub."

When consumers buy tickets online, there is an implicit level of trust that everyone has equal access to tickets. Consumers trust that they and other humans are buying tickets, and are not competing against machines for tickets. Obviously, this is not the case and the consumers' trust is being abused. The Consumerist post clearly describes how ticket-resellers acquire tickets, which some call "RoboScalping":

"How brokers can jump to the front of the line is described in supplemental documents filed in Ticketmaster v. RMG Technologies, an active Federal District Court case asserting that the defendant's automated ticket-buying software violated the Ticketmaster Web site's terms of use. The papers describe a subterranean world of software designed to enter Ticketmaster's online ticket-purchasing system at will and to scoop up tickets without limits."

What does this have to do with identity theft and corporate responsibility? Plenty. The process of RoboScalping costs consumers plenty. We lose the opportunity to buy tickets at or near face value; we pay higher ticket prices from ticket-resellers, or we miss attending the event. To buy large quantities of tickets, the RoboScalpers use automated software to pretend they are humans. And the companies involved go along with this deception because there is money to be made.

To learn more, read this SF Weekly article.

Wednesday, December 12, 2007

Software Viruses Found On New Hard Drives

While browsing the ZDNet Gear For Geeks blog, I found a post about software viruses found on new computer hard drives. Yes, you read that correctly. Not used hard drives but new hard drives.

I guess it shouldn't be a surprise that the virus-infected hard drives came from China, since we've already experienced tainted children's toys made in China, tainted toothpaste, and mad-cow beef from Europe.

Anyway, most of the post focused on issues for business computer users and IT (Information Technology) professionals, since most of the infected drives were large-capacity drives bought by government agencies for large databases. However, the end of the post presented some good advice both consumers and business computer users should follow:

"However, there’s a moral to this story.  Practice “safe sectors” and scan, or preferably wipe, all drives... Don’t assume that a drive is going to be blank and malware free. Trust no one. Same goes for USB flash drives - you never know what’s been installed on them."

I'd never thought about scanning my flash drives for viruses. I will from now on.

Thursday, November 29, 2007

The McAfee and FBI Webinar About Safe Online Shopping Tips

Are you a safe online shopper? On Wednesday, I attended an online seminar by McAfee (the security company) and the F.B.I. (the U.S. Federal Bureau of Investigation). The online seminar titled, "Shopping Online: How to Minimize Your Risk" included some useful tips for a safe online shopping experience for the holidays.

The F.B.I. representative explained some of their online resources used to hunt and capture identity thieves worldwide. The representative also explained the key identity theft scams and threats:

  1. Unsafe web surfing: includes, "download program from an untrusted Web site; visit a dangerous Web site with an unprotected computer; your computer lacks firewall software; visit a legitimate site taken over by hackers"
  2. Botnets: a "network of computers that have been infected by Trojans or other threats. This allows a hacker to control these 'zombie machines' remotely."
  3. Spam
  4. Phishing... especially "charity phishing"
  5. Holiday greeting cards infected with mal-ware and computer viruses

The McAfee representative explained the 10 best things consumers can do to protect themselves and ensure safe online shopping:

  1. Install comprehensive security software on your home computer
  2. Keep your security software up-to-date
  3. Ensure that the Web sites you shop at are secure (there are several ways to tell)
  4. Install patches for Microsoft and other software on your home computer
  5. Don't go phishing
  6. Don't use the links in an e-mail solicitation. (Instead, enter the company's web site address in your web browser)
  7. If an e-mail solicitation says it's free, then you'll probably pay (by downloading a virus or mal-ware)
  8. Use strong passwords
  9. Avoid spam
  10. Avoid high-risk Web sites

To see if you are a safe online shopper (or not), take this short online quiz. I scored 9 out of 10 correct. For more security tips and information, see the McAfee Security Advice Center. A prior I've Been Mugged post discussed online identity theft quizzes. Or, you can download the McAfee presentation (Adobe PDF; 634 KB).

Wednesday, November 28, 2007

Data Security Gaps At Retail Stores Where You Shop

This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security use by many of the retail stores and chains we shop at. More importantly, the segment showed how identity thieves steal consumers' credit card (and debit card) data via the retail stores' wireless data connections:

"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."

The segment did a good job explaining how identity thieves steal data:

"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data."

When retail stores use unsecure or poorly protected wireless connections, stealing data is easier than you think:

"We can just pluck it, is what you're saying, right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

What I found most irritating was that the segment reported that many retail stores still refuse to invest in effective and current data security methods, while being fully aware of the TJX/TJ Maxx data breach debacle. In an attempt to cut costs and save money, retail companies still install and use obsolete encryption methods for their wireless transmission of your (and my) credit card information:

"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."

More about TJX / TJ Maxx:

"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart...  TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "

So, the retail chain with the largest data breach in USA history admits that their wireless security was no better (or worse) than other retailers! That's pretty damning evidence about the retail industry, which seems more interested in making money than providing secure transactions for consumers.

To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.

Monday, November 26, 2007

Wildfire Victims Targeted By Identity Thieves

As if the wildfire victims didn't have enough bad news. The Redlands Daily Facts reported:

"Redlands fraud investigators are warning of an increased risk of identity theft targeting victims of the recent wildfires. Following the Old Fire in 2003, Redlands police saw an increase in identity theft among those who had homes damaged or destroyed in the fires and those who were evacuated from their homes... looters often sift through damaged property or homes under evacuation orders, making off with bank and credit card statements, tax documents, and other financial information. The information is then used or sold to others to access victims' accounts or rack up thousands of dollars in debt charged to the victim."

According to the Earth Times on November 13, 2007:

"TrustedID, a leading provider of proactive identity theft protection solutions, today announced it will offer free identity theft protection services to families affected by the California wildfires to prevent identity theft while they recover and rebuild. During the month of November, residents can call TrustedID's special hotline to receive three months of free coverage under TrustedID's IDFreeze service, which offers the strongest proactive identity theft protection available today for families."

According to a news release at PR-USA:

"... AxcessPoints is offering a free year of service for its secure, online repository through Nov. 30, 2007. AxcessPoints is $9.95 per month. AxcessPoints, a highly secure online planning resource for organizing and retrieving critical personal, medical and financial information, said disaster victims often suffer a second tragedy following a catastrophe by failing to have key financial records and other critical data readily available to work with insurance companies, banks, utilities and other service providers."

Note: the I've Been Mugged blog does not endorse the above services. I do not have a business relationship with either company. Like any other services, consumers should research the company, its services, and shop around to compare services before making a purchase decision.

Thursday, November 08, 2007

Top 50 Cities For Identity Theft

This is a list your city doesn't want to make. The Uni-ball company, a manufacturer of writing pens, has published at its web site the list of Top 50 ID-Theft Cities, as part of its Secure Your Signature program. The top 10 worst cities:

  1. Phoenix, AZ
  2. Riverside, CA
  3. Las Vegas, NV
  4. Miami, FL
  5. Dallas, TX
  6. Sacramento, CA
  7. San Francisco, CA
  8. Los Angeles, CA
  9. Houston, TX
  10. San Antonio, TX

The ranking is based on complaints in the 2006 FTC annual report. What's Uni-Ball's angle in this? The company's web site pitches a pen featuring an ink that imbeds itself in the paper, so identity thieves can't wash the ink from real checks and then make out your check to a different payee with a greater dollar amount... and in effect, steal money from your checking account.

By the way, Boston ranked #40 on the list.

Friday, October 19, 2007

Rising Cost of Data Breaches For Companies

From the Washington Post newspaper:

"Financially motivated data breaches are set to cost businesses 20 percent more each year until 2009, according to Gartner. John Pescatore, VP at Gartner, said the biggest risk to organizations came from targeted attacks. He said that "phishing and identity theft attacks have caused the rise of 'credentialed' attacks, in which the attacker uses the credentials of a legitimate user."

The good news in this is that the increased threat may push companies to better protect the personal data they archive of customers, employees, contractors, and former employees. The implication for consumers: it's critical to protect home computers with both anti-virus software and anti-spyware software.

Tuesday, October 16, 2007

Fake Microsoft Anti-Spyware Scam

Identity thieves seem to be always trying new methods to trick Internet users to disclose personal data. This time, the scam is an attempt to get credit card numbers. From InformationWeek magazine:

"This Fake Microsoft AntiSpyware Center page purports to be an 'Online Security Scanner' which scans the system for viruses and spywares," said Mohandas. "After the dupery scanning, the user will be presented with a dubious and falsified list of Trojans after which the user will be prompted to download and install an ActiveX Control to remove the threats."

"As it turns out, the ActiveX Control is a Trojan that hijacks Internet Explorer's home page, displays phony alerts and makes wild security threats in order to encourage the site's visitors to download AntiSpyStorm. Once installed, AntiSpyStorm offers a free security scan, which reports exaggerated threats to prompt the user to enter a credit card number and order the full version of the product."

All of this is a reminder to never click on e-mail attachments and to only visit sites you know.


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.