26 posts from February 2008

2008 Identity Theft Survey - Javelin Research (Part Two)

Yesterday's post discussed the results of the latest identity theft and identity fraud survey in the USA by Javelin Research. In its report, Javelin recommended the following for consumers to detect identity theft and identity fraud:

  • Monitor your bank and credit card account activity regularly. Check the activity online, via phone, or via ATM machine
  • Use e-mail or telephone alerts to monitor activity on your accounts. Activity can include deposits, withdrawals, balance transfers, specific charges, address changes, new names added to your accounts
  • Javelin emphasizes that the longer it takes a consumer to detect fraud, the greater the amount stolen

Javelin recommends the following for consumers to resolve identity theft and identity fraud:

  1. Contact your bank or credit card company immediately
  2. Close any accounts that have been compromised
  3. Ask your financial provider about fraud resolution teams or services to help you fix your credit and recover any money lost
  4. Place a Fraud Alert on your credit reports at all three credit bureaus
  5. Know the data breach notification rights in your state. When an employer or prior employer loses your personal data (or it is stolen), in many states that company is required by law to notify you of that loss/theft. Other rights, such as free credit monitoring services, may also be available to you in your state
  6. Consider placing a Security Freeze on your credit reports at all three credit bureaus. This will prevent criminals from opening new accounts and obtaining credit in your name. Some states require a Security Freeze to be free to identity theft victims
  7. File a report with the local police
  8. Notify the U.S. Federal Trade Commission (FTC). The FTC tracks complaints and identity theft activity
  9. Consider signing up for a credit monitoring service, which can help you monitor your credit reports at the three credit bureaus

While all of the above items are solid and valuable recommendations, they focus on financial identity fraud. Unfortunately, there are so many ways criminals can abuse stolen personal data. They can use it to commit medical identity fraud, insurance identity fraud, criminal identity fraud, obtain a fraudulent driver's license, or apply fraudulently for a job, and none of these activities will show up on your credit report.

If that sounds awfully scary, it is. And it should scare you. This is the current state of U.S. business and government systems. A good first step would be to write to your elected officials and ask them what they plan to do about it.

2008 Identity Theft Survey - Javelin Research (Part One)

Last week, I spent some time reading the "2008 Identity Fraud Research Report" by Javelin Strategy And Research. Javelin surveyed about 5,000 adults and identity-theft victims in the United States. Key findings from the survey:

  • There is a difference between "Identity theft" and "Identity Fraud." Identity Theft is when, "your personal information is accessed by someone else without your explicit permission. Identity Fraud occurs when a criminal takes the illegally-obtained information to use it for financial gain."
  • The most common ways criminals steal consumers' personal data: lost/stolen wallets (33%); "shoulder surfing" while conducting a transaction (23%); "friendly" theft by family members or others you know (17%); online (12%); and data breaches (7%).
  • Vishing is on the rise. Vishing is a phone-based version of the phishing scam. Vishing is when criminals attempt to trick a consumer into providing personal data over the phone. In some instances, criminals contact consumers first via e-mail with a bogus phone number for replies

So, what can consumers do to protect themselves? Javelin recommends a 3-step approach (e.g., Prevention, Detection, Resolution) similar to the U.S. Federal Trade Commission (e.g., Deter, Detect, Defend). The basic idea is that consumers should use a range of methods to protect their personal data, since criminals use a variety of methods to steal personal data.

Javelin recommends the following to prevent identity theft and identity fraud:

  • Protect your personal computer, laptop, PDA, and mobile phone with passwords
  • Do not use PIN numbers or passwords that are easily guessed (e.g., birthdays, your maiden name, your kids' names, your pet's name, etc.)
  • Shred sensitive documents before placing them in the trash
  • Use a locked mailbox or a Post Office Box for your snail mail
  • Do not leave documents with your personal data lying around, especially documents with your bank account numbers or social security number
  • Monitor your online accounts (e.g., bank, credit card, retirement, and other financial accounts) for suspicious or unauthorized activity
  • Move your paper financial statements to online accounts. Avoid paying bills with checks, and instead pay via online banking
  • Review your credit reports at least once a year. You can visit or call toll-free at (877) 322-8228

Tomorrow: more recommendations by Javelin.

2008 Consumer Fraud and Identity Theft Complaint Data (FTC)

Last week, I took the time to read the latest 90-page identity theft report from the U.S. Federal Trade Commission. The FTC issued the "Consumer Fraud and Identity Theft Complaint Data" report in February 2008. The report covers consumer complaints submitted to the Consumer Sentinel database during January through December 2007. Highlights:

  • During 2007, the FTC received 813,899 consumer fraud and identity theft complaints; up 21% over 2006
  • During 2007, consumers reported losses of $1.2 billion, slightly more than in 2006
  • 3% of consumers lost more than $5,000. About 10% lost between $1,001 and $5,000
  • The 5 leading complaint categories were Identity Theft (32%), Shop-at-home/Catalog Sales (8%), Internet Services (5%), Foreign Money Orders (4%), and Prizes/Sweepstakes/Lotteries (4%)
  • The payment methods in these complaints included credit cards (33%), wire transfers (28%), bank account debit (17%), personal checks (10%), money orders (7%), and cash advances (3%)
  • Total complaints by the age of the consumer: 40 - 49 (23%), 30 - 39 (21%), 50 - 59 (20%), and 20 - 29 (16%)
  • Identity theft complaints by age of the consumer: 18-29 (28%), 30 - 39 (23%), 40 - 49 (19%), and 50 - 59 (13%)

It's important to emphasize that the above is based on actual complaints submitted by consumers, and not a survey. In my experience, most consumers do not file complaints with the FTC, so the above numbers are probably far higher.

Regardless, identity theft seems to be a growing problem since both the number of complaints and the amount of losses have increased.

Two really sad aspects to this report are a) the lack of involvement by consumers, and b) the lack of consistent response by law enforcement. 65% of victims did not file a police report. That is both sad and unacceptably high. 27% of victims did file a police report which was accepted by local law enforcement. 8% of victims tried to file a police report and it was not accepted.

Identity criminals probably feel encouraged by those results. Almost two-thirds of victims don't bother filing a police report, which could aid in the capture and prosecution of identity thieves. And, 8% of victims tried to get help from local law enforcement and couldn't get that help.

The report also provides statistics for identity theft victims by state:

  1. Arizona - 137.1 (identity theft complaints per 100,000 population)
  2. California - 120.1
  3. Nevada - 114.2
  4. Texas - 107.9
  5. Florida - 105.6
  6. New York - 100.1
  7. Georgia - 91.6
  8. Colorado - 89.0
  9. New Mexico - 87.5
  10. Maryland - 85.8

My state, Massachusetts, ranked #23 with 66.5 identity theft complaints per 100,000 population. North Dakota was #50 with 28.5 identity theft complaints per 100,000 population.

I'm not sure how relevant these numbers are since Internet-based identity thievery is largely geography independent.

Experian Sues LifeLock

Last week, things really heated up in the credit monitoring and identity theft industry. Forbes magazine reported that Experian, one of the three major credit bureaus, had filed a lawsuit in California against LifeLock. According to the news report, Experian accused:

"... LifeLock of placing bogus 90-day fraud alerts on hundreds of thousands of credit files maintained by Experian. In the complaint, Experian says it has suffered "millions of dollars" in damages from being forced to process large numbers of initial fraud alerts and mail mandatory notices to customers."

What? Bogus fraud alerts? An increasingly large number of fraud alerts should not be a surprise to anyone in the identity theft/fraud business, given the steady number of corporate data breaches. 2007 was a record year with corporate data breaches. Depending upon the source you use (e.g., Attrition, the Identity Theft Resource Center, or Privacy Rights Clearinghouse), the number of records lost or stolen in 2007 ranged from 49 to over 100 million. Any source you pick documents an increase in data breaches in 2007 over 2006.

It seems to me that an increasing number of consumers are starting to read and follow the advice available in industry products and services. One of the first steps after a data breach or identity theft event is for the consumer to place a Fraud Alert on their credit reports. This was one of the first steps I took after my data was "lost" (probably stolen) during the February 2007 IBM data breach incident, along with the sensitive data of thousands of current and former IBM employees. Some consumers are willing to pay for convenience; to pay for a service to help them protect their sensitive personal data.

The Forbes news story goes on to report:

"Experian claims that LifeLock keeps its clients' files in a perpetual state of alert by repeatedly "crying wolf" on behalf of its clients. Its suit questions whether LifeLock has the legal right to request the 90-day alerts, which it maintains are meant to be placed only by individuals who have a reasonable suspicion that fraudulent activity has occurred."

Perpetual state of alert? Come on, Experian. That seems to be a far overstatement of the situation.

When a company suffers a data breach and loses the sensitive personal data of employees, former employees, and/or customers the risk of identity theft and fraud doesn't disappear in a few months. The risk doesn't dissolve when the company issues a press release claiming, "there's no evidence that the data was stolen."

The consumers' sensitive data is out there... period... permanently. So, we consumers are forced to continually monitor our accounts and our credit reports for theft, abuse, or unauthorized access... permanently. We consumers are learning to better protect our sensitive personal data. Establishing repeated fraud alerts is one tool; a first step.

The Forbes article also reports:

"In the suit, Experian also charges that LifeLock has used false and misleading advertising to entice consumers into buying its protection, and is exploiting the system by acting as a middleman for services that the credit companies are required to provide to consumers for free, including annual credit reports, removal from mailing lists and fraud alerts."

That may be. I am not a subscriber to LifeLock since I have done by myself the identity-theft deterrence steps LifeLock charges a fee for. I must admit that LifeLock's advertising is everywhere... on radio, television, print ads, and around the web at social bookmarking sites. LifeLock seems to be doing a better job of promoting their service than Experian does of promoting its Family Secure credit monitoring service.

In his blog The Dunning Letter, Jack Dunning wrote this about Experian:

"Back in August of 2005, the Federal Trade Commission settled a case with Experian Consumer Direct, a subsidiary of the credit bureau, for deception in advertising “free credit reports” by failing to add the customer would be automatically signed up for credit monitoring services costing $79.95 each year. The FTC ordered Experian to give up $950,000 of its “ill-gotten gains.”"

Regarding deceptive advertising, Experian's history is not squeaky clean either.

I wonder if Experian sees the handwriting on the wall. As more consumers "lock down" their credit reports with Security Freezes, it becomes harder for credit bureaus like Experian to make the same profit amounts by selling only credit reports to potential lenders and creditors. Consumer credit reports with Security Freezes on them are credit reports Experian (and the other two credit bureaus) can't sell to potential lenders.

Combine this with the trend by more consumers to opt out of pre-approved credit offers, and the market for credit reports has to be negatively affected. So, to make the same profit amounts, Experian probably recognizes that it has to expand into new markets for more revenues. One of those new markets is the growing credit monitoring services market.

Fortunately for consumers, there are many choices today for a credit monitoring service. A consumer can monitor their credit report on their own, or subscribe to a credit monitoring service. These services are available from banks, credit card companies, credit bureaus, and independent companies... like LifeLock.

The wide range of choices is good for consumers, but is probably viewed negatively by Experian. The credit monitoring services market is filled with competitors offering a variety of services because the rise of identity theft has changed the marketplace. Consumers are slowly becoming educated about the scams, threats, and the value of theft-deterrence solutions. And companies have rushed to meet that need.

Consumers have also begun to realize that they want more control over who has access to their credit reports. The Security Freeze tool is a key tool for consumers to exercise control over their credit reports. The Security Freeze tool seems far stronger and more secure than the Fraud Alert tool. Starting with California in 2003, many states passed laws giving consumers the right to this Security Freeze tool. By the end of 2007, all three credit bureaus offered the Security Freeze tool nationwide, without waiting for states to pass more legislation.

So, the identity theft marketplace is changing at a fairly rapid pace. Previously, Experian competed against 2 other credit bureaus (e.g., Equifax and TransUnion) to sell consumers' credit reports. Now, Experian has a whole new set of competitors who offer credit monitoring services similar to Experian's credit monitoring service.

Is the lawsuit only about false/deceptive advertising? Maybe. But it may also be about intimidating or limiting competition, given the rapidly changing identity theft/fraud marketplace. What do you think?

What To Do When Your Debit/ATM Card Number Is Stolen

Every few weeks, I get an e-mail from somebody who has had their personal data stolen. When the stolen data includes a bank account number, the identity thief usually attempts to empty the victim's bank account.

Recently, a coworker (Scott) had his debit card number stolen. When I saw Scott, he was rushing to his bank to discuss and fix the problem. Scott had that frazzled look of "oh crap, what do I do now?" on his face. A couple days later, I contacted Scott via instant messaging (im) to see what had happened. Our instant messaging thread:

George: how did it go the other day at the bank?
Scott: hey George! they were very cool about it
Scott: it was obvious by looking at my transaction activity that something funky was going on

George: did u file a police report?
Scott: i didn't
George: u should

Scott: should i do it here in Boston or in Baltimore where the purchases were made?
George: first, do it here. it will help should the thieves do more damage
George: second, call one of the credit bureaus and place a Fraud Alert on your credit report
Scott: i def will... hadn't even thought about it. think i was more concerned bout the bank
Scott: great suggestions

George: they charged stuff to your credit card, right?
Scott: debit/credit
George: sh--
Scott: a [bank name suppressed] bank account
George: def file a police report. now that the thieves know your debit/checking acct number, they can do more damage
George: did the bank give you a new checking acct number?
Scott: yea
George: third, change all of your passwords on your bank accts
Scott: i'm in there now, so i'll do it right away
George: remember to use a strong password: mix of caps and lower case... mix of numbers and text
Scott: covered

George: leave work today and go file a police report at the police station closest to where you live... ask them how to handle the balt location
Scott: you got it...
Scott: thanks for the suggestions. i'll call one of the credit bureaus too
George: now that the thieves know your debit and bank information, they may try to a) reroute your snail mail, b) break into your online accts, c) try to apply for credit in your name
Scott: oh man
George: d) create a phony ID and visit your bank branch to try to get the bank to disclose your SSN or other personal data
George: so, be alert that you get all of the mail you expect
Scott: for sure

George: yes, this sucks. welcome to identity theft in 2008. check my blog for tips
Scott: i certainly will
George: click on one of the right column categories to learn more about that subject (e.g., fraud alerts, credit monitoring services). u should check your credit reports at all 3 credit bureaus... that is your first line of defense should somebody try to apply for credit in your name

Scott: if i call one of the credit bureaus will all 3 somehow be notified or do i have to call all 3?
George: for a Fraud Alert, if u call one, it notifies the other 2. For a Security Freeze, you have to contact each credit bureau independently
George: my blog explains the difference between a Security Freeze and a Fraud Alert

George: Last... DON'T shop with your debit/ATM card. It doesn't give you the same protections as a credit card. I only use my debit/ATM card at my bank's ATM machines. I have a blog post about why shopping with a debit/ATM card is a bad idea
George: call or im me if u have more questions

George: but do the police report today
Scott: will do. thanks for all the great info
George: call and place the Fraud Alert today
Scott: totally appreciate it
George: u r welcome

[Editor's note: I should have also advised Scott to file a complaint with the Federal Trade Commission.]

One Year Anniversary of IBM Data Breach

First, I'd like to welcome the many new I've Been Mugged readers. Daily readership has grown five-fold since I started this blog. Hopefully, you have learned plenty about tips and advice to protect your identity and personal data. I've Been Mugged readers have learned how companies archive the personal data of employees, former employees, and customers; and how some companies fail to implement strong, state-of-the-art data security processes.

I started this blog in July 2007 after a former employer, IBM, exposed my personal information during a data breach. The IBM data breach occurred exactly one year ago today. The beginning posts in this blog present my conversations with IBM and the free credit monitoring service IBM arranged for its ID-theft victims.

So far, I haven't experienced any more identity-theft problems as a result of this data breach. But, my sensitive personal data is still out there on IBM's "lost" or stolen data tapes for identity thieves to sell and abuse. I realize that the risk to me has not decreased because my data is still out there. At some future point, the thieves will crack the data encryption on those data tapes and then the "fun will begin."

Is it fair that IBM's free credit monitoring offer ends in June while the risk IBM created with its careless data handling continues indefinitely? Nope. But this is the way many companies deal with identity theft... shift the burden and risk to consumers. Companies would like consumers to believe that the risk ends before the free credit monitoring period ends.

Judge Hands Identity Thief The Maximum Sentence

From the St. Louis Today newspaper:

"A federal judge handed down a maximum sentence Friday to an identity thief who authorities said began a new scheme while still serving time in a halfway house for a previous one. The thief, Robert Unique Haines, 43, of the St. Louis area, must serve 14 years in prison, the U.S. attorney's office said. He pleaded guilty in October of conspiracy, aggravated identity theft, fraud with identification documents and escape."

Apparently, Haines recruited employees at an Old Navy store and at United Healthcare to steal customers' personal information. The thieves used the personal data to open credit accounts in the customers' names or take over their accounts. The theft was pretty extensive:

"The shoppers got cash and permission to use the cards for their own purchases, officials said, while Haines and others would sell the merchandise at a discount for cash. Investigators located 58 customer victims and $150,000 in fraudulent purchases or charges, although the companies notified more than 15,000 that their information was at risk."

The conspirators also received prison sentences:

"Former United Healthcare employee Clare Hungerford, 37, of the 11000 block of Hidden Lake Drive in St. Louis, was sentenced last month to four years in prison in the case. Former Old Navy employee Timothy Short, 32, of the 900 block of Concordia Lane, was sentenced in November to two years in prison. Six others have also pleaded guilty to related charges and were ordered to serve sentences of probation to 75 months in prison."

While the good news in this story was that the thieves were caught and sentenced, there is a cautionary message. The thefts relied on employees working inside the companies. This should be a signal to companies everywhere that security checks both before and during employment are necessary.

More About Sidejacking

After I wrote my first post about sidejacking, I did some more online research. A post at The Consuming Experience blog offered information about sidejacking:

"You're at risk from sidejacking when you use the internet via a free, or even paid-for, unsecured public wi-fi or WLAN (wireless networking) hotspot. That could include just accessing your Hotmail or other webmail, or your Facebook or MySpace or other social networking account, your Amazon account, etc. An attacker on the same wifi network could "sniff", steal and use login details and info of users of that open WLAN - such as "AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth."

Since many web sites do not encrypt every site page, identity thieves can:

"... intercept the unencrypted information, particularly the "cookie" files saved with your browser and sent between it and the site - and which are often used to log you in."

And there are other ways your laptop can disclose your personal data:

"... all sorts of other unencrypted info can be intercepted and copied, and used to deduce details about you or your accounts which can then be used by the thief... when you power-on your computer. It will broadcast to the world the list of WiFi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to."

What's a person to do to keep your personal information safe?

"Before you login to a website, at least make sure that the page where you enter your details, the one with the boxes for your login info before you hit Submit or OK, is a secure page - i.e. starts with "https". But that's not enough, it has to be SSL all the way."

The post at The Consuming Experience blog offers more tips and solutions, for people who are technology-savvy and for those that aren't. There are also some solutions in my prior post about sidejacking.
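
An added example (not from The Consuming Experience post or from this blog): a short Python check for the "SSL all the way" point quoted above. It walks a constructed browsing session and reports every login cookie that would cross an open Wi-Fi network unencrypted. The site names, cookie names and the exact-host cookie matching are assumptions made for the illustration.

```python
"""Audit a browsing session for cookies exposed to sidejacking (added example)."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (name, attributes) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", {}
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_session(responses):
    """Walk (url, [Set-Cookie values]) pairs in visit order.

    Returns a list of (url, cookie_name, reason) for every point where a
    cookie is visible to someone sniffing the same network.
    Simplification (assumption): cookies are matched on the exact host
    only; the Domain and Path attributes are ignored.
    """
    jar = {}       # (host, cookie name) -> True if only ever sent over HTTPS
    findings = []
    for url, set_cookie_headers in responses:
        target = urlsplit(url)
        host, scheme = target.hostname, target.scheme.lower()

        # Cookies stored earlier for this host ride along with this request.
        # Without the Secure attribute they go out on plain-HTTP pages too.
        if scheme == "http":
            for (cookie_host, name), secure in sorted(jar.items()):
                if cookie_host == host and not secure:
                    findings.append((url, name, "sent in cleartext"))

        # New cookies handed out by this response.
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            if not name:
                continue
            secure = "secure" in attrs and scheme == "https"
            if scheme == "http":
                findings.append((url, name, "set over plain HTTP"))
            elif not secure:
                findings.append((url, name, "missing Secure attribute"))
            jar[(host, name)] = secure
    return findings


# Constructed sample session: three made-up sites, not real traffic.
SAMPLE_SESSION = [
    # Login page is https, but the cookie lacks Secure ...
    ("https://shop.example/login", ["sid=abc123; Path=/; HttpOnly"]),
    # ... so the next plain-http page leaks it.
    ("http://shop.example/cart", []),
    # Cookie marked Secure: the browser keeps it off plain-http pages.
    ("https://mail.example/login", ["session=xyz; Path=/; Secure; HttpOnly"]),
    ("http://mail.example/inbox", []),
    # Login itself over plain http: the cookie is exposed from the start.
    ("http://forum.example/login", ["auth=1; Path=/"]),
]

if __name__ == "__main__":
    for url, name, reason in audit_session(SAMPLE_SESSION):
        print(f"{name:8} {reason:26} {url}")
```

The first site is the case the quote warns about: the login page is "https", yet the cookie still leaks on the next unencrypted page.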

Clients Should Be Informed By Companies of Data Breaches

From the Charleston Daily Mail:

"A survey of AARP members in West Virginia shows that a majority of them want laws requiring companies to notify clients of security breaches on their personal information. Under existing law, businesses do not have to contact clients if they lose or compromise any of their personal data."

The survey by AARP West Virginia included 1,000 members, of which 90% participated in the survey. Additional survey results:

"... 70 percent of members would be likely to vote for a candidate supporting such a measure, said Ginger Thompson McDaniel, associate state director of AARP West Virginia."

About 40 states have data breach notification laws requiring companies to notify consumers. Many feel there should be a national law requiring both breach notification and penalties. This makes sense to me, since state laws vary regarding penalties.

Verizon FiOS Lax On Consumers' Data Security

How would you feel if every time you accessed your account profile from your Internet Service Provider, you saw somebody else's sensitive personal data? And how would you feel if that person saw your sensitive personal data, at the same time?

The Consumerist blog reported that this happened with a Verizon FiOS customer. FiOS is Verizon's new fiber high-speed Internet service:

"Andru had this problem where whenever he logged into his Verizon FiOS account, he saw the personal information on some other guy's account. When he contacted the guy, the other guy said he saw Andru's info as well. Over eight months of broken promises by Verizon and the problem wasn't solved. So Andru blogged it. Once it started getting internet attention, Andru got two calls and several emails from Verizon people and a Verizon exec ended up having a tech stay on the line with Andru for an hour getting it fixed."

Wow! What sloppy and shoddy customer service! Events like this reinforce the perception that companies don't take consumers' data security seriously enough. Yes, Verizon finally fixed the problem, but it took them eight (8) months. Yeah, you read that correctly. 8 months, not 8 weeks, and definitely not 8 days.

Yes, Verizon finally compensated Andru for his troubles with 10 months of free FiOS service (worth about $1,500), but a consumer should not have to go to this much effort to get a company to fix a data security problem.

TJX Creates New Executive Position For Privacy

The Boston Globe newspaper reported that TJX, the parent company of TJ Maxx and Marshalls retail stores, has created a new senior executive position for consumers' data privacy. Apparently, TJX has:

"... given the title of "chief privacy officer" to one of its senior executives and is looking to fill the position of "privacy director," according to a memo circulated by its search firm, Heidrick & Struggles. TJX spokeswoman Sherry Lang declined to provide more details yesterday except to note that senior executive vice president for administration and business development Jeffrey Naylor also gained the title of chief privacy officer within the past year."

TJX is known for its recent massive data breach, in which identity thieves stole millions of consumer credit cards and sensitive data, facilitated by lax data security measures at the company. Want to learn more about the TJX data breach debacle? Click on "TJX / TJ Maxx" in the topic section in the column on the right.

File this organizational move under the "too little way too late" category.

Top 10 Strangest and Funniest Data Disasters

From the Ontrack Physorg site:

"10. PhD Almost an F -- A PhD candidate lost his entire dissertation when a bad power supply suddenly zapped his computer and damaged the USB Flash drive that stored the document. Had the data not been recovered, the student would not have graduated."

"9. Suffering from Art -- While rearranging her home office, a woman accidentally dropped a five pound piece of clay pottery on her laptop, directly onto the hard drive area that contained a book she'd been working on for five years and 150 year-old genealogy pictures that had not yet been printed."

"7. Bite Worse than Bark -- A customer left his memory stick lying out and his dog mistook it for a chew toy. Ontrack was able to recover all of the data despite teeth marks all over the stick and a hole that went completely through."

Enjoy! Do you have a funny or strange ID-theft story or lost data story? We'd love to hear it.

Suze Orman Identity Theft Kit Debuts

Recently, I was talking with a coworker who had purchased the Suze Orman Identity Theft Kit. In January 2008, the TrustedID blog announced:

"Financial expert Suze Orman and TrustedID have launched Suze Orman’s Identity Theft kit, the first identity theft protection solution that protects the financial and personal information of all members of a household. Shortly after launching on QVC, the kit will be available online at and TrustedID.com as well as through leading retailers nationwide."

I checked and consumers can purchase the kit online. At the site, click on "Identity Theft Kit" in the left column navigation area. According to the site, the kit contains the following:

  • Two People Protection
  • Medical Record Protection
  • Anti-Spyware Software
  • Lost Wallet Protection
  • Address Scanning
  • Enhanced Junk Mail Reduction
  • Credit Card No. Scanning
  • Annual Credit Reports
  • Bank Account No. Scanning
  • $1 Million Service Warranty
  • Child Identity Theft Protection
  • Fraud Flag Placement
  • Elderly Parent Identity Theft Protection

At first glance, the service seems to have a lot of value. It definitely seems worth consideration for consumers who have no identity protection in place today. However, I found the web site content very thin. The site did not explain many of the kit's features. So, it's hard to tell exactly what is offered for "Medical Record Protection," "Address Scanning," "Bank Account Number Scanning," and the "$1 Million Service Warranty." Unfortunately, the QVC page didn't supply any more detail either. Maybe the actual television pitches explain these features, but I rarely watch QVC.

There are about 46 user-submitted product reviews at the QVC page. You may find some of these helpful. Most of the reviews are positive, but the negative ones seem to be where consumers encountered technical problems installing the kit software and returned the product. Some of the reviewers noted that the kit does not cover department store charge cards.

For me, the kit provides services I already have from other credit monitoring services. Regarding Fraud Alerts, I added those to my credit reports on my own. I already have anti-spyware software for my home computer from McAfee. To reduce spam and junk mail, I have already signed up at several free opt-out resources for consumers.

Later this Spring, I plan to post a detailed comparison of several of the leading identity protection solutions for consumers. The comparison will definitely include Orman's Identity Theft Kit. I've Been Mugged readers would love to hear the opinions or experiences anyone has had with the Suze Orman Identity Theft kit.

Credit Monitoring Service Arranged By Horizon BCBS of New Jersey Covers Minors

An I've Been Mugged reader sent me this notice from Horizon Blue Cross Blue Shield of New Jersey. While there seems to be a corporate data breach every month involving laptop computers, this notice caught my attention because it is the first credit monitoring service I've seen after a corporate data breach which covers minors.

Recently, there have been several high-profile data breaches where the sensitive data of minors was stolen or exposed, along with the sensitive data of the adult employees, former employees, and/or customers. In January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

"Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information -- including Social Security numbers -- for about 300,000 individuals was stolen in early January... On its Web site, the company says a "security feature was initiated" on Jan. 28 that "destroys all the data on the stolen computer." Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data."

Why do employees insist on placing such large amounts of sensitive data on laptops? This is not a good data security habit. I can't imagine what application requires 300,000 customer records on a single laptop. 30 records sounds reasonable. 300 records sounds like a stretch. 300,000 records is just ridiculous. It gives the impression that Horizon does not train (and has not trained) its employees on effective data security practices.

The good news here is that Horizon notified its members promptly, within 30 days. (Contrast that with IBM, which took over 2 months to notify me and others.) And parents can monitor their children's credit reports. Sadly, identity thieves abuse minors' sensitive personal data in the same ways as adults'.

However, like most other companies, Horizon offered its ID-theft victims, including minors, only one year of free credit monitoring service. Horizon arranged its credit monitoring service offer with the Family Secure service, operated by the Experian credit bureau.

Horizon is free to arrange credit monitoring service with whichever provider it chooses. While some may consider one year of free credit monitoring service an example of good corporate responsibility, I do not.

The risk period where identity thieves can abuse this personal information is far longer than one year. Regardless of what Horizon says in its data breach letter, the ID-theft victims have to plan for the worst and monitor their credit reports indefinitely... far longer than one year.

Horizon's ID-theft victims should also place a Security Freeze on their credit reports. (Not a Fraud Alert, but a Security Freeze. There is a huge difference.) With only one year of free credit monitoring, Horizon has shifted the risk and financial burdens from itself to its members.

That's an example of not being a responsible corporate citizen.

California Senate Approves Two Measures To Strengthen Identity Theft Laws

California has always led the way with strong identity-theft laws to help consumers. Recently, SC Magazine reported:

"The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft."

California legislators are trying to make it much clearer what a breach notification letter must contain. SB364 requires:

"... that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches... a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected."

This is great news! When IBM notified me of the IBM data breach, their notification didn't disclose the number of persons affected, nor did it disclose much describing the breach. After I called and spoke with IBM, they didn't disclose much more. The above law in my state would have been a big help.

California's legislators went even further with a second proposed law:

"... SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now... The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home."

This too is great news, since it facilitates prosecution of the identity thief, who usually doesn't live in the same town or jurisdiction as the identity-theft victim.

However, these two bills are not law yet. Both bills must be acted upon by the California State Assembly. If you are a California resident, I encourage you to call your California State representatives and ask them to pass these two new laws. If you live elsewhere, you should contact your state representatives and ask them why your state doesn't have strong laws like the ones California is considering.

Wachovia Conspires With Telemarketing Fraudsters?

Thanks to Catherine for sharing this New York Times article. This news story caught my eye, not because Wachovia is the fourth largest bank in the USA, but because later this Spring I plan to review and compare the credit monitoring services offered by the major banks.

Anyway, according to the New York Times article, Wachovia did business with (and made big profits from) several telemarketing firms even though the bank allegedly knew in advance that these telemarketers had received numerous complaints:

"Last spring, Wachovia bank was accused in a lawsuit of allowing fraudulent telemarketers to use the bank’s accounts to steal millions of dollars from unsuspecting victims. When asked about the suit, bank executives said they had been unaware of the thefts. But newly released documents from that lawsuit now show that Wachovia had long known about allegations of fraud and that the bank, in fact, solicited business from companies it knew had been accused of telemarketing crimes. Internal Wachovia e-mail, for example, show that high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts."

Telemarketing fraudsters are usually companies that contact consumers via phone offering a service or product that may not ever be delivered, and/or the consumer is overcharged. And, it gets worse:

"Moreover, executives at other banks, including Bank of America, Wells Fargo, Citizens Bank, the Social Security Administration, and the Justice Department Federal Credit Union also warned Wachovia multiple times that its accounts were being used for fraud, according to the lawsuit against the bank."

A judge will likely rule on this class-action lawsuit during the summer. Want to read more? The Boston Globe and Reuters also covered the story. The Street called the Wachovia story one of the "Five Dumbest Things On Wall Street."

Banks handle and store our money. We consumers place a lot of trust in them. So, banks should operate in a manner that is transparent and reinforces consumers' trust. It seems that Wachovia either forgot this or ignored it during its rush to make money.

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story about, "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and drivers license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and racked up about $35,000 of debt that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. Reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or another equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' Social Security numbers.

Why Real ID Is A Flawed Law

At the ZDNet News blog, Sophia Cohen wrote:

"The government claims that driver's license "reform" will help combat illegal immigration and generally protect national security, but it fails to acknowledge that the Real ID Act seriously threatens privacy and civil liberties on a national scale."


"The final regulations, released January 11, strongly support leveraging existing technology by expanding the central database for commercial drivers to include all drivers and state ID card holders--that is, virtually every American. Following this path of least resistance fails to acknowledge that the security risks of a central ID database are enormous, as is the potential for abuse by government and business. Security experts agree that creating a "one-stop shop" of highly sensitive personal information on millions of Americans, not just a relatively small pool of commercial drivers, is a bad idea. It would be an irresistible treasure trove for identity thieves, terrorists, and other criminals."


"The ostensible purpose for a centralized repository of ID information is to enable states to more easily check whether new applicants already have a driver's license from another jurisdiction, thereby ensuring "one driver, one license." But this can be achieved without creating a central ID database that puts Americans' privacy and civil liberties at risk. Building a distributed system that stores ID information in different locations, such as state motor vehicle databases, makes more sense."

And there are always the critical questions government rarely wants to answer:

  • Who has access to this database?
  • How are corrections made to the database?
  • What rights do citizens have to challenge the accuracy of their record in the database?
  • What portions of the law are unfunded?
  • What are the costs to my state?
  • What are the direct costs to me? (Higher fees, taxes, etc.)
  • The federal government has a habit of subcontracting work to private companies. Which private companies, if any, should have access to this database?
  • How does this protect us when not everyone has a drivers license today?

I grew up in New York City. While I got my drivers license at 18, many of my peers didn't until well into their late 20's. My mother didn't get her license until she was in her 60's. How does this database help us in these instances?

If you have already reviewed your credit report at any of the three national credit bureaus, then you know mistakes happen... mistakes which can directly affect your life and finances. All of these critical questions need to be resolved first, before this Real ID database is built, not on the fly afterwards.

I encourage you to ask yourself these questions and consider the answers you'd prefer for each one. Then discuss your concerns with your Congressional representative. There are too many unanswered and poorly answered questions as part of the Real ID Act.

Want to learn more? While you can always start at the DHS site, I advise you to read the analyses here, the NCSL site, and the Bruce Schneier blog.

CIA Monitors YouTube For Intelligence

Here's a most interesting news item from InformationWeek magazine:

U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. In keeping with its mandate to gather intelligence, the CIA is watching YouTube.

Is there that much intelligence at the YouTube site? Who knows. The Wall Street Journal also blogged about it, and there is a Secrecy News post with a link to the CIA speech document. The WSJ article also highlighted the fact that other countries' intelligence agencies probably monitor phone and Internet communications, too.

There are a couple of implications. First, it means that the intelligence community monitors other social networking sites, too. Second, it demonstrates that whatever information (e.g., blogs, journals, photos, etc.) consumers post online about themselves is online forever and may be analyzed in some country's government mainframe computer.

In an unrelated matter, a check of YouTube found that somebody posted a CIA recruitment video.

The Wall Street Journal Complete Identity Theft Guidebook (Book Review)

Recently, I read "The Wall Street Journal Complete Identity Theft Guidebook: How to protect yourself from the most pervasive crime in America" by Terri Cullen. I found the book to be an easy read and appropriate for consumers who know nothing about identity theft and consumers who know a little about identity theft.

Cullen has organized the material into two broad sections:

  1. Preventing Identity Theft
  2. Life After Identity Theft

The first section is packed full of tips about how consumers can protect themselves. Cullen weaves into the text both explanations of important terms and actual stories of consumers who were identity-theft victims. The second section is targeted at consumers who are identity theft victims. It provides practical and usable advice about what to do given your specific situation. This makes it easy for readers to find the information relevant to their specific situation.

Based on the book's content, Cullen wrote most or all of it in 2006. Much has changed since. For example, I found the book a little weak on Security Breaches. While Cullen explains very well the functions (and biases) of the national credit bureaus, Cullen should have provided a better explanation of the differences between a Fraud Alert and a Security Freeze. Yes, this is difficult since state laws are changing quickly, but it is critical information for consumers.

Cullen has provided several sample letters (mostly snail-mail) for dealing with identity theft. These letters are mostly for identity theft victims who must correspond with banks, credit card issuers, lenders, collection agencies, and credit bureaus. The book includes these letters in print format. A better presentation would have been a CD with the sample letters in electronic format.

You can buy Cullen's book locally at many booksellers, or online. As you'd probably expect, there's an article excerpt of the book at the Wall Street Journal web site.