24 posts from April 2008

CNN Data Doctor: When Criminals Take Over Your Web Mail Account

I'd like to thank Bruce for alerting me to this CNN video.

A lot of people use Web mail because of its convenience. Criminals use Web mail too, but not in the way you might expect. Criminals will try to take over your Web mail account. Why? One, they can use it to send spam. Two, and more likely, they hope to use your sign-in information (e.g., Web mail username and password) to access your financial and bank accounts. Simply, that's where your money is... and many people use the same sign-in information for several accounts.

The CNN video includes advice about how to prevent criminals from taking over your Web mail account, and what to do if they've already taken over your account. So, a word to the wise:

There are several posts in I've Been Mugged that can help you with each item listed above.


How To Protect Yourself When Using A Public Computer

You've left your laptop computer at home. Now, that public computer is looking very appealing. It could be a public computer in a library, in a hotel lobby, or an Internet cafe. You know that computer presents a risk. You don't know if the anti-virus software on it is up-to-date or not. There's some risk, but you really need to go online. Now. How do you protect your identity and personal data?

In her Ten Things blog at TechRepublic, Jody Gilbert listed 10 things you should do to protect your identity and your personal information when you use a public computer:

  1. "Delete your Browsing History
  2. Don’t save files locally
  3. Don't save passwords
  4. Don't do online banking
  5. Don't enter credit card information
  6. Delete temporary files
  7. Clear the pagefile
  8. Reboot the computer
  9. Boot from another device
  10. Pay attention to your surroundings and use common sense"

Sounds like excellent advice to me.


8 Of 10 Americans Worried About Identity Theft

According to a recent poll by Bankrate, 8 of 10 Americans are worried about identity theft, specifically having their identities stolen. This concern is based upon:

"... personal knowledge of a victim. One-third of Americans (34 percent) know someone who has been a victim of identity theft. In the Northeast, it's closer to one in four (28 percent) while in the West almost one in two people (44 percent) know an ID theft victim."

The survey results were part of a broader study of Financial Literacy about identity theft. Bankrate had engaged GfK Roper America to conduct a random survey of American households to understand consumers' understanding of identity theft. Interviewers questioned 1,006 adults -- 524 women and 482 men. The report found that consumers' worry increased with their personal knowledge of identity theft victims. Basically, people who knew ID-theft victims were more worried than people who didn't.

The numbers could be much higher (or lower), due to consumers' varying definition of identity theft. According to Avivah Litan, vice president and analyst at Gartner:

"Everyone has their own definition of 'identity theft'... For some it means wholesale identity hijacking. For others it could mean credit card theft. So it's hard to know what the respondents were thinking; thus the results could be skewed either way."

What are consumers doing to address their ID-theft concerns? Survey respondents reported the following activities:

Participants' Response to ID-Theft (Bankrate - GfK Roper survey - North America - April 2008)

| Activity | Concerned About ID-Theft | Not Concerned About ID-Theft |
|---|---|---|
| More likely to shred documents with sensitive personal data | 82% | 52% |
| Use a secure snail-mail mail box (at post office or a locked box at home) | 63% | 51% |
| Avoid online banking | 54% | 55% |
| Check credit reports regularly | 53% | 30% |
| Refuse to shop online | 42% | 47% |
| Requested a Security Freeze on their credit reports | 23% | 6% |
| Only pay bills online | 16% | 13% |
| Haven't made any changes to avoid identity theft | 35% | 19% |

I find the 35% statistic in the last row astounding. These people practice the "head in the sand" approach. These are people who personally know ID-theft victims, but still refuse to do anything to avoid identity theft. Maybe they have given up, or maybe the problem seems overwhelming.

My impression: some companies probably rely upon this "head in the sand" attitude after a data breach. After a data breach, these companies rely on many ID-theft victims (e.g., employees, former employees, retirees, contractors, etc.) to "keep their heads in the sand" and not take advantage of the company's credit monitoring service offer... which is often free for a year or two. It lowers the company's post-breach costs. Companies know this, and are less likely to enact stronger data security measures when they know consumers don't do all they can to protect their sensitive personal data.

The survey results by gender:

  • Women were more likely than men to shred documents
  • Women were more likely than men to use a secure mailbox
  • Men were more likely than women to avoid online banking
  • Women were more likely than men to check their credit reports regularly
  • Men were more likely than women to request a Security Freeze on their credit reports
  • Men are more likely than women to practice the "head in the sand" approach

Now that you know what other consumers are (and are NOT) doing, I hope that more people will take action to avoid identity theft, and after a data breach will accept the company's credit monitoring service offer.


Jury Convicts New Jersey Man Of Identity Theft

I am pleased to forward news when an identity thief receives what they deserve. Empire State News reported:

"The jury convicted Lamar Whitehead, 29, of stealing the identities of local and out-of-state residents and businesses. The scam involved Whitehead’s stealing of identities and applying for loans from online banks using his victims’ names. The defendant often used the loans to buy luxury automobiles, or open equity lines of credit. Whitehead was convicted of 14 counts of first degree identity theft, a felony punishable by 2 1/2 to seven years in prison; three counts of identity theft in the third degree, a misdemeanor, and one count of scheme to defraud, a felony punishable by a prison term of 1 1/3 to four years."

Newsday also reported about the conviction:

"... prosecutors, who portrayed Whitehead as a criminal "ringleader" who used his ex-girlfriend to obtain credit information from a Patchogue car dealership, said the partial verdict showed the jury's diligence in weighing each count. The verdict came after four days of deliberation. Prosecutors said Whitehead's victims stretched as far as Tennessee and Georgia."

The only problem I see with the conviction is that Whitehead should have also been forced to make restitution to his ID-theft victims.


Monthly Update From The Suze Orman Identity Theft Kit (TrustedID)

When you sign up for a credit monitoring service, most provide a monthly report via e-mail about the status of your credit information and files. A coworker of mine signed up several months ago for the Suze Orman Identity Theft Kit. My coworker shared the latest report she received via e-mail:

Monthly Update - Suze Orman Identity Theft Kit

The report is simple and easy to understand. The message makes it clear what the consumer should do next, if there is a problem. My coworker seems to be very happy with the service she receives from Suze Orman. If you have a different credit monitoring service, you can compare the monthly message you receive from your service with the message above.


Seattle Man Sentenced To 51 Months In Prison For Identity Theft

I am pleased to forward news when identity thieves receive what they deserve. The Seattle Post-Intelligencer reported:

"Kopiloff pleaded guilty to aggravated identity theft, mail fraud and accessing a protected computer without authorization to further fraud. He victimized more than 50 people and caused about $70,000 in losses, according to court records."

Readers should also note:

"The peer-to-peer network Kopiloff exploited is the type that is used to swap music online. Kopiloff used software such as LimeWire to search the computers of members of the file-sharing network for federal income tax returns, student financial aid applications and credit reports, according to prosecutors. The stolen merchandise would be shipped to mailboxes around the Puget Sound region, then sold for about half its retail value."

This story should be a warning to consumers about both the risks with file-sharing software, and the need to properly configure home firewall, wireless network, and anti-virus software.


Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by themselves -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying, a) who you are, b) your current residential address, c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, nor via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g., you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid for my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 in total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN number. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name, if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do like use rotating and stronger passwords, and set up e-mail or text messaging alerts for your financial accounts.


Harris Interactive: Most U.S. Adults Uncomfortable With Web Sites That Customize Content Based On Visitors' Personal Profiles

If you have followed the prior posts on behavioral targeting (a/k/a behavioral advertising), then I think that you, too, will find the results of this recent Harris Interactive poll very interesting:

"A majority of U.S. adults are skeptical about the practice of websites using information about a person's online activity to customize website content. However, after being introduced to four potential recommendations for improving websites' privacy and security policies, U.S. adults become somewhat more comfortable with the websites' use of personal information."

The nationwide survey included 2,513 U.S. adults, and was performed between March 11 and 18, 2008 by Harris Interactive, in collaboration with Dr. Alan F. Westin, Professor of Public Law and Government Emeritus at Columbia University, Principal of the Privacy Consulting Group. Additional key findings:

"A six in ten majority (59%) are not comfortable when websites like Google, Yahoo! and Microsoft (MSN) use information about a person's online activity to tailor advertisements or content based on a person's hobbies or interests. A quarter (25%) is not at all comfortable and 34 percent are not very comfortable..."

Westin and the researchers reported:

"Websites pursuing customized or behavioral marketing maintain that the benefits to online users that advertising revenues make possible -- such as free emails or free searches and potential lessening of irrelevant ads -- should persuade most online users that this is a good tradeoff. Though our question flagged this position, 59 percent of current online users clearly do not accept it."

Ha! Good for consumers! The promise of free content and only relevant ads isn't the strong magnet that companies and advertisers would like to believe. Plus, after showing the survey participants a list of potential privacy and security policies, based on self-regulatory guidelines by the FTC, the adults changed their opinions slightly:

  • "By 55 to 45 percent, a majority of U.S. adults indicates that they would be more comfortable with companies using information about a person's online activities to provide customized advertising or content;
  • Interestingly, once the privacy/security policies were presented the percentages of those who are very comfortable increases only very slightly to 9 percent from 7 percent. The percentage who are somewhat comfortable given the privacy/security policies increases more significantly to 46 percent from 34 percent;
  • Similarly, those who are not at all comfortable decline to 19 percent from 25 percent, and those who are not very comfortable decline to 26 percent from 34 percent."

Adult consumers are beginning to place a higher value on their personal data, combined with an approach that companies must first earn their trust before sharing confidential personal data. I encourage you to read the complete Harris Interactive press release.


Women More Likely Than Men To Give Passwords To Strangers For Chocolate

When I read this news story, at first I thought that it was a humorous hoax. But, it's no joke. This is serious. According to InformationWeek:

"Women are four times more likely than men to surrender their computer passwords for chocolate, according to a survey of 576 office workers conducted outside Liverpool Street Station in London by Infosecurity Europe. According to the survey, 45% of women revealed their passwords to strangers posing as market researchers for a chocolate bar, compared to 10% of men. Apparently the overall percentage of password-yielding respondents this year (21%) represents an improvement over 2007, when 64% of respondents traded their security for a few moments of chocolaty goodness."

I spent part of a summer in 2004 living and working in London. I found the people there very friendly and a wide variety of great pubs. I'd love to visit London again. In fact, my photo in the right column is from my London Tube pass.

Claire Sellick, Event Director of Infosecurity Europe, emphasized the consequences of a lax attitude towards the security of personal data:

"... that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud."


Hannaford Issues An Apology

I recently read this Associated Press news story:

"Hannaford supermarket shoppers are getting an apology in their shopping bags for a security breach that was announced two weeks ago. CEO Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help us guard against any further attacks."

Since I don't shop at Hannaford, I read Hodge's apology at the company's web site. "Concern and inconvenience?" That seems to be an attempt to minimize a major data breach... to make it sound non-threatening or insignificant.

If your credit card number was stolen, then you probably got it replaced by your credit card issuer. Little problem there for consumers, but a major expense for credit card issuers.

If your debit card number was stolen, your bank probably issued a new checking account. There's the direct expense to the bank to issue a new checking account and debit card. There's also the time and work impact, since consumers have to set up their online banking with their new checking account. Plus, their bank may or may not have replaced any monies stolen from their checking account. I wouldn't describe that as "concern and inconvenience." And I doubt the identity theft victims view the incident as only a "concern and inconvenience."

At least Hodge had the good sense not to use in his statement the typical corporate double-speak (e.g., a lie) of "we have no indication that the personal data has been used for any improper purpose." There's no way to spin 1,800 fraud cases. Plus... theft is theft, and criminals will always attempt to use (or resell) stolen identity data.

The apology is nice but not enough. I understand a retailer's desire to do anything to get shoppers to continue shopping at their store. How about free credit monitoring and credit resolution for 10 years for identity theft victims? How about publication of Hannaford's revised data security processes so customers can feel confident about data security improvements so this doesn't happen again?

What a company does is more important than their words.

Apparently, several consumers agree. There are several class-action lawsuits claiming Hannaford didn't do enough to protect consumers' personal data. From the Times Herald-Record:

"Lawyers are seeking to consolidate about nine lawsuits into one federal class-action suit against Hannaford Bros... The motion to consolidate, which was filed in U.S. District Court in Bangor, Maine, on behalf of Greg Doherty and 'all others similarly situated,' charges Hannaford was negligent in not providing adequate data security and did not inform customers of the breach quickly enough. It seeks credit monitoring or similar protection, unspecified damages and attorneys' fees. Attorneys will have a better idea of the scope of damages when they nail down exactly how many card numbers were stolen, which may take some time, said Jon Lambiras, an attorney with the Philadelphia-based law firm Berger & Montague, one of several plaintiffs' firms involved in the lawsuit."

And, there are parallels to the TJ Maxx data breach:

"Hannaford's lack of proactivity is not unusual. Framingham, Mass.-based TJX, which owns stores such as TJ Maxx and Marshalls, offered no credit monitoring after a data breach exposed the personal information of some 45 million customers. It took a class-action lawsuit, filed by the same firm now suing Hannaford, to get credit monitoring."


'Income Tax Return Identity Fraud' Scam Threatens Some Taxpayers' Refund And Stimulus Checks

Now that April 15 has passed and you have filed your income tax returns, you are probably thinking about how you are going to spend your tax refund checks and stimulus check. Well, most of you will receive your checks, but some may not.

Just when you thought that nothing else could go wrong with identity theft, Phuong Cat Le at the Seattle Post-Intelligencer blog reported about income tax return identity fraud:

"Earlier this week, one of my colleagues sat down at her computer to file her income tax return electronically using TurboTax. Twice, her return was rejected. The message she got back was startling: the IRS already had a tax return filed under her Social Security number. How could this be? She hadn't filed yet."

Phuong's colleague did what any of us would do, and called both the Social Security Administration and the Internal Revenue Service to resolve the problem and receive her checks. Apparently:

"A thief had filed a fraudulent tax return under her name, and would likely get her $1,000 refund, not to mention her $600 economic stimulus payment. Thus began her tedious task of clearing her name: filing a police report, filing a complaint with the Federal Trade Commission, putting a fraud alert on her credit report and mailing in her tax return with copies of her driver's license, police report and other documents to prove her identity."

More importantly, this scam appears to be on the rise:

"... complaints about this type of theft jumped 579 percent, from 3,000 to more than 20,000, between 2002 and 2007, according to an audit released this week by the Treasury Inspector General for Tax Administration. Not only are fraudulent returns on the rise, so are cases where thieves use another person's Social Security number to gain employment."

The IRS has promised a better response to identity theft/fraud, but seems to have started too late and from way behind:

"Finance Committee Chairman Max Baucus, D-Mont., said that on average it takes almost a year for the IRS to sort out who is the real taxpayer when there is an identity issue. 'In the meantime the victim's tax accounts get frozen. The IRS issues no refund,' he said. 'The taxpayer waits in tax limbo for months and months.'"

The Post-Intelligencer also reported:

"The IRS does not keep track of identity theft incidents and investigates and prosecutes identity theft cases only if they occur in conjunction with other criminal offenses having a large tax impact, according to a report this week from the Treasury Inspector General for Tax Administration."

This is great news for identity criminals, and very troubling news for consumers, especially if you are due a refund. It definitely reinforces the impression that the IRS is focused only on tax collections and not on data security, while it is entirely possible and appropriate to focus on both.

This situation infuriates me. If it infuriates you too, I encourage you to write to your elected officials today and demand that they act immediately to fix data security at the IRS. For those that are interested, read the full report of the audit of IRS tax collection.

Until the IRS fixes its data security holes, it may be a good idea to consult with a tax accountant to adjust your withholding to minimize the chances of a large refund check which could be stolen (and which gives the government an interest-free loan).


Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday January 26, 2008, I attended the first ACLU Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences about the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams, and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Many of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

Workshop panelists Charles Blandy and George Jenkins at the Massachusetts ACLU Conference. January 2008. Waltham. Photo by Marilyn Humphries.

The workshop went smoothly. About 35 people attended this workshop. Charles spoke first and reviewed many of the well-known political blog sites (such as Daily Kos and TPMmuckraker) that consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on I've Been Mugged as an example of citizen journalism, consumers' rights about identity protection, and notification laws after a corporate data breach. About 30 people attended this workshop and at least 400 attended the conference.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can listen to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the Massachusetts ACLU for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]


CVS And The State Of Texas AG Reach An Agreement Regarding Information Security

KLTV reported that the Texas Attorney General's office and CVS Pharmacy, Inc. agreed to a settlement to protect CVS customers from identity theft:

"The settlement resolves the state's April 2007 enforcement action against the nation's largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information. Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act."

The Attorney General's office took action after hundreds of documents containing customers' sensitive personal information (e.g., credit card numbers and expiration dates; prescriptions with date of birth, doctors names, medication type) were unlawfully dumped behind a CVS store in Liberty, Texas. The state will use the money to prosecute other identity theft cases.

Details about the settlement:

"... CVS must implement a new training program to inform its Texas employees about the company's enhanced information security procedures. The employee training program must provide employees with a review of CVS' privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company's disposal program."

Only Texas employees? This sounds to me like sensible and appropriate data security actions any and all companies should implement nationwide, without waiting for a state AG to sue them to comply. Forbes Magazine reported:

"'... the improper disposal of this information was a violation of [CVS'] record retention and privacy policies, and CVS took appropriate disciplinary action,' the statement said. When the suit was filed last year, CVS said the store manager had been fired. Earlier this month, CVS Caremark agreed to pay almost $37 million to nearly two dozen states and the federal government to settle claims it billed Medicaid programs for a more expensive formulation of an antacid."

When disposing of customers' and employees' records, companies would be well advised to follow the advice in this National Law Journal article: "Shred It Or Regret It."


TJX Companies Agrees To A Settlement With MasterCard

The financial consequences for TJX Companies after its data breach still keep mounting. Recently, CNN Money reported:

"Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers... The TJX agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs."

It isn't over for TJX/TJ Maxx:

"Issuers of at least 90% of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham, Mass.-based TJX said in separate news releases."

This should be a clear reminder to other retailers: adequately protect the personal data you collect about consumers!


ID-Theft Protection May Not Provide The Protection You Need

I'd like to thank my friend Michael in Oakland for alerting me to this article. Dow Jones MarketWatch reported the following about the current state of credit monitoring and credit resolution services for consumers:

"Plenty of products promise to help consumers avoid identity theft, but none of them is foolproof. If a product claims to prevent identity theft, that should raise red flags for consumers, said Linda Foley, founder of the Identity Theft Resource Center in San Diego. "You can't protect a person from identity theft. It's impossible. All we can do is minimize our risk." And, while these products can reduce your likelihood of becoming a victim, many employ methods that consumers can use on their own, for free."

Finally, somebody is telling it like it is. After IBM exposed my sensitive personal data, I took that as an opportunity to learn about data breaches and the current identity theft marketplace. Since then, I've looked at many of the credit monitoring services for consumers which are available from banks, independent companies, and the credit bureaus. I've reached the same conclusion as the ITRC: there's some protection to reduce a consumer's risks.

The MarketWatch article also discussed the new Security Freeze tool, which is available nationwide from the national credit bureaus:

"Consumers can freeze their reports by calling each of the three agencies. It generally costs $10 to place a freeze ($30 to freeze all three major reports) and $10 to lift each freeze (these costs are sometimes waived.) For more details, visit FinancialPrivacyNow.org. Or, you can pay for a product that includes a credit freeze, such as offered by TrustedID and others."

Well, that's mostly accurate. The fees vary by state. In my state, Massachusetts law limits the Security Freeze fees to $5.00 at each credit bureau; and Security Freezes are free for ID-theft victims (who can prove this with a copy of a filed police report). While a Security Freeze provides consumers with stronger protection than a Fraud Alert, there clearly are limits.

First, the Security Freeze tool from credit bureaus does not cover C.L.U.E. insurance reports. Consumers must do business separately with Choicepoint, a major provider of C.L.U.E. reports. Choicepoint offers Security Freezes in only about eight states: CO, DC, DE, ME, MT, NH, NJ, and NC. Naturally, you'd expect Choicepoint to offer a nationwide Security Freeze like the credit bureaus, but they don't. Being consumer-focused doesn't appear to be a priority for Choicepoint. Second:

"Freezes don't stop thieves tapping existing credit or bank accounts, nor do they address other identity theft, such as when a thief provides your name as his identity when pulled over for a traffic violation."

The use of stolen identities during a crime is a huge problem which the identity protection industry hasn't solved. When criminals use stolen identification during a crime, it's that ID-theft victim who suffers, not just the criminal when (and if) caught. The victim may be jailed temporarily while identification mistakes are resolved, fined, or both.

Plus, this can happen in any country, since stolen identities are sold online worldwide. For example, look at the global trail of stolen credit card numbers after the TJX/TJ Maxx data breach. Or, read about this ID-theft victim who was jailed after a criminal used his stolen identity during a crime. Consider this: the next time you travel abroad you could be detained by Customs in another country if a criminal has used your stolen identity during a crime in that country. I haven't read a news report (yet) about this, but the risk to consumers is real since stolen identities are traded online worldwide.

If you think that existing identity protection insurance and resolution services will help in these instances, think again:

"Identity-theft insurance helps cover the costs associated with the crime. Your homeowners or renters insurance, or your bank account, may include such insurance already, so check before purchasing. Consumer advocates say the value of such insurance is debatable, since financial losses are often not extensive and credit-card companies generally cover consumers' losses. Still, insurance could be useful if the policy covers debit-card losses and lost wages due to your time spent resolving the crime... As for victim resolution services, some nonprofit and state agencies will help for free, though the services companies sell may offer valuable convenience."

This situation will only improve when consumers pressure their elected officials to enact stronger laws about identity theft which hold companies accountable for data breaches, the punishment and sentencing of identity criminals, and legislation which covers new forms of identity theft such as skimming and house stealing. It will also require some coordination between countries.

If you are detained or jailed in a foreign country due to identity theft, I don't see any of the current ID-theft resolution services helping consumers. If you agree that this situation is scary and unacceptable, write to your elected officials today.


Discover Changes Its Credit Monitoring Service Vendor -- Is It An Improvement?

Since 2004, I have used the credit monitoring service offered by my Discover Card issuer. Recently, I received this notice with my monthly Discover bill:

"For Discover Identity Theft Protection members who receive membership materials through the Internet: This is to inform you that we are in the process of changing the service provider of the Discover Identity Theft Protection product. Effective on or after September 1, 2008, the provider of Identity Theft Protection will become ConsumerInfo.com, Inc. an Experian company. Experian is one of the three major U.S. credit reporting companies."

Well, that seems innocent enough. Discover is definitely free to switch service providers, especially if Experian gave them a better deal. Similarly, I am free to switch credit monitoring services too, to get the best deal possible. Several years ago, Discover called its credit monitoring product ProfileProtect. I checked my documentation from 2005, which listed Intersections, Inc. of Chantilly, Virginia as the credit report services administrator for Discover's program.

The printed paper notice from Discover also said:

"In an effort to ensure that your Identity Theft Protection membership continues without interruption, the following changes will occur:"

  • "Our new provider of Identity Theft Protection will obtain and monitor your credit report(s) beginning June 1, 2008 to ensure that you receive your Quarterly Updates without interruption.
  • During your membership, you elected to access your Identity Theft Protection services through the Internet. Effective on or after September 1, 2008, we will no longer be able to offer this product to you through the Internet. Please note you will receive all materials via First-Class, but you will no longer have access to the online Credit Analyzer.
  • You will begin receiving your membership materials from our new provider on or after September 1, 2008.
  • If for any reason you do not want your Identity Theft Protection membership to be serviced by our new provider, which will require that they obtain your credit report for continuous monitoring, please call Member Services at 1-866-329-5760."

This presents a problem. I signed up for Internet access for a couple of reasons. One: Internet access provides greater security than updates via snail mail. Two: Internet access provides fast e-mail alerts about my credit reports. E-mail alerts are important because the sooner a consumer discovers abuse on a financial account, the sooner they can take action and the less money they are likely to lose.

Three: it seems that Discover and Experian are unable to agree to provide me with uninterrupted service via the Internet. This vendor change smells more like a hand-off than a true swapping of vendors. I expect uninterrupted service given the money I am paying monthly. Four: Experian already makes money by selling my credit reports, so I am reluctant to give them more money. The combination of credit reports and a credit monitoring service in a single company is something I don't find attractive, while Experian tries to restrict independent credit monitoring service companies.

Five: Experian operates several consumer credit monitoring services besides ConsumerInfo.com. Experian operates FamilySecure.com, which offers several features not found in ConsumerInfo.com. This makes me wonder why this vendor swap included ConsumerInfo.com and not FamilySecure.com. Was it Discover's choice? Was it Experian's demand? Or was it based on cost?

A comparison on price: FamilySecure is $19.95 per month, ConsumerInfo is $11.95 per month, and I have been paying $9.99 a month for Discover's existing credit monitoring service. Discover's notice didn't say anything about price, so I assume the monthly price remains the same. But that isn't a good value for me, because I'd be paying the same monthly amount for fewer services. In plain English, that's a price increase. And I lose access to online updates, online features, and the Credit Analyzer.

I wonder what brainiac at Discover Financial Services negotiated this agreement with Experian.

Regardless, I had planned this Spring to evaluate my credit monitoring services, since my year of free credit monitoring services with Kroll (thanks to IBM) ends in June. My ultimate choice for a credit monitoring service is not based on price alone, but on value: the balance of features, benefits, and price. Discover's vendor change just added another item to my existing list of reasons to evaluate the available credit monitoring services.


Washington State Passes RFID Anti-Skimming Law

There's some really good news about identity theft. The legislators in the State of Washington are keeping up with new technologies. During the last week of March 2008, ComputerWorld Magazine reported:

"Washington Gov. Chris Gregoire this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people's IDs remotely without their knowledge and consent, for the purpose of fraud, identity theft or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime."

Why is HB 1031 important? First, according to the Seattle Times:

"The Senate took out an 'opt in' provision that would have made it illegal for any company or person to slip an RFID chip into objects such as loyalty cards or cellphones without consumer consent, said state Rep. Jeff Morris, D-Anacortes, the bill's sponsor. "This is a technology that the consumer is clearly unaware of unless it's pointed out to them," he said."

In other words, it is difficult to impossible for the average consumer to look at a credit card and tell if it is a standard card or an RFID card. When I've discussed RFID cards with most people, 99 out of 100 are unaware of the RFID technology and its associated data security issues. Some type of legislation is sensible and appropriate. Plus, consumers need notification from card issuers.

Second, other federal legislation requires states to use RFID technology in identification cards. In Washington, HB 2729 governs the use of RFID in driver's licenses:

"As a state with many travelers who cross the border frequently, Washington has become a test bed for RFID. It's one of four states that have signed agreements with the U.S. Department of Homeland Security to use RFID technology in optional-enhanced driver's licenses that became available in January."

Third, most states do not have any laws about skimming for identity theft. So, criminals can steal identity data from RFID cards via skimming today with little risk. Fourth, there needs to be some type of coordination across countries because identity theft skimming poses risks for travelers.

If this situation is scary and unacceptable to you, I encourage you to write to your elected officials.


Consumer Reports On LifeLock

Many consumers consider Consumer Reports a trustworthy source of independent product and service information, in order to make smart purchases. As a child, I remember watching my parents read Consumer Reports' product testing results before buying a car and expensive household appliances. I currently subscribe to Consumer Reports' On Health publication.

Last month, Consumer Reports reviewed LifeLock, a credit monitoring service:

"LifeLock spent $5 million on TV and radio ads nationally in the first half of this year and claims to have 300,000 subscribers. It has been endorsed by actor Fred Thompson (before he officially became a presidential candidate) and radio personalities Rush Limbaugh, Sean Hannity, and Paul Harvey. But as Harvey might say, now here’s the rest of the story."

What LifeLock does to protect your sensitive personal data and credit reports:

"For $10 a month or $110 a year, LifeLock instructs the top three credit-reporting agencies Equifax, Experian, and TransUnion to place fraud alerts on your credit reports and renews them every 90 days. The service also tells the three bureaus that you opt out of receiving preapproved credit offers and asks the Direct Marketing Association (DMA) to remove your name from mailing lists. Of course, you can do those things yourself free. And fraud alerts are no guarantee against ID theft. Some lenders don’t see them and allow crooks to open accounts in other people’s names anyway."

If you are like me, then you've already done most of this on your own -- for free. I placed Fraud Alerts on my credit reports, and later renewed them. I have already opted out of pre-approved credit offers and telemarketing lists -- again, for free. Is there anything LifeLock provides that we consumers can't do ourselves? Perhaps it's their credit restoration services:

"... the company guarantees against all losses and expenses a client incurs up to $1 million. LifeLock’s guarantee will restore stolen funds to your bank accounts, get fraudulent credit accounts closed, pay lost wages, hire credit-repair firms, and do "whatever it takes to get your life back..."

While that sounds really appealing, Consumer Reports also wrote this:

"But the customer agreement doesn't actually bind LifeLock to much of what Davis promised us. It specifically says that the company will not reimburse "consequential damages, such as lost wages." [LifeLock CEO] Davis says customers should ignore the fine print: "The lost-wage clause is there because insurance commissioners wanted to be sure we’re not an insurance company. We’re not." The contract, meanwhile, is vague about reimbursing stolen money: "We will pay professionals to assist in restoring any such loss." The guarantee hinges on "the failure or defect in our service," which the contract defines as initiating requests with credit bureaus and the DMA. But Davis says the contract really means something else: "If the fraud alerts did not do what they were intended to do, then the service failed. I don’t just mean that my system didn’t send them correctly," he says."

If you are considering LifeLock to protect your identity, I strongly encourage you to read the entire Consumer Reports review of LifeLock first. Then decide if LifeLock is for you.