Previous month:
June 2009
Next month:
August 2009

20 posts from July 2009

After 35 Years, Oregon ID-Theft Victim Happy With Arrest

This Forbes magazine story is a reminder that identity criminals will use stolen data as long as they can get away with it:

"An Oregon man who was the victim of a 35-year-long identity theft said Thursday he's so happy about an arrest in the case... Tom Lesh, 66, said he's known since the 1970s that his brother's friend stole his identity, and he appealed to everyone from the IRS to the suspect's own mother for help - to no avail. As the decades wore on, he said, he spent "thousands of hours" writing letters to credit card companies, banks, insurance companies and government agencies, trying to clear his name..."

This year, a Premera Blue Cross insurance fraud investigator named Sandy Larson started investigating and contacted Lavelle, a special agent with the Social Security Administration's Office of the Inspector General:

"... Lavelle tracked down the suspect, a 58-year-old truck driver whose real name is Clark Mower, and arrested him Wednesday near his Seattle home. He was charged in U.S. District Court in Seattle with aggravated identity theft, Social Security number misuse and unlawful production of an ID."

In my mind, restitution and prison time are appropriate. This incident offers several reminders:

  • Companies must investigate ID-theft and medical ID-theft compalints
  • Inisder identity theft can often include relatives and "friends"
  • The SSA offers instructions for consumers to report fraud
  • A one- or two year-offer of free credit monitoring by companies after a data breach is woefully too short and insufficient.

Canadian Commissioner Says Facebook Has 'Privacy Gaps"

Facebook logo From time to time, I've written about Facebook due to its privacy and potential data breach risks. reported:

"Canada's privacy commissioner on Thursday ruled that Facebook is in violation of the country's privacy law, citing "serious privacy gaps" in the way the popular social networking site treats its 12 million Canadian users. And if the California-based company doesn't comply with Jennifer Stoddart's directives within 30 days, Facebook will likely be hauled to Federal Court to face a judge with the power to order the company to implement the recommendations."

About 12 million Canadians use Facebook. The probe found four problems:

"In addition to an "overarching" concern relating to the "confusing" or "incomplete" way in which Facebook provides information to users about its privacy practices, the report concluded Facebook's policy to keep indefinitely the personal information of people who have deactivated their accounts is a violation of the privacy law. But the biggest sticking point has to do with the practice of sharing users' personal information with third-party developers that create Facebook applications, such as games and quizzes."

Experts estimate that there are maybe a million Facebook application developers scattered across 180 countries. I'd have to agree. When you launch an application like a quiz, it is unclear exactly what information is or will be shared and specifically to whom. For this reason, I don't use Facebook applications.

Quite predictably:

"... Chris Kelly, Facebook's chief privacy officer, said the site is continually refining its privacy controls and "certainly, we think that our approach right now is compliant with Canadian law... The probe began last year after the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa filed an 11-part complaint, alleging Facebook violated key provisions of Canada's Personal Information Protection and Electronic Documents Act, the country's private-sector privacy law."

David Fewer, acting director of the University of Ottawa law clinic that filed the complaint, said this about Facebook's third-party applications:

"This is black-letter law they're applying here... Facebook can't say the law is wrong here, or is being misinterpreted. Instead, what they need to do is go back and re-engineer how they do third-party apps. I think they rolled out third-party apps out without figuring privacy obligations into the design. There was a fork in the road early on in the design. They went left and they needed to go right. And left is where the money tree is..."

For these reasons, I don't use thrid-party applications at Facebook. It's imply impossible to tell exactly what data a consumer is releasing, who the application developer is (e.g., some are more trustworthy than others), and what other companies that application developer will share consumers' personal data with. Regardless of Facebook's new privacy policy, the site seems intent on operating with an opt-out-driven ad system which places far too much burden on consumers to constantly monitor their privacy settings to ensure that Facebook hasn't started some new program that harvests and syndicates personal data.

A Combustible Combination: Race, Class, Testosterone, And Differing Expectations

During the past week, I have thought long and hard about whether or not to write this blog post. I decided to write it partly because the Gates-Crowley event occurred close to home (I live in Boston about 4 miles from Cambridge where the event happened), and also because some citizens have been mistaken for criminals by police due to identity theft.

Yes, Professor Gates and I are both African-American men aged 50-plus. Yes, I used to work at Harvard during the 1990's. I do not know him, nor the officer. Regardless, this post is not about what you're probably guessing it's about.

The President, Sergeant Crowley and Professor Gates are arranging a meeting in Washington during the next few days, and many pundits and citizens advocates have debated whether or not the incident and arrest was racial profiling, Some people are quick to blame the professor. Others are quick to blame the officer. I see a far more complicated situation. It’s about how we communicate with each other.

A police stop can be a very tense and scary event for everyone; for both the officer and the citizen. I'm not talking about police stops for speeding or traffic violations while driving, but stops where a crime may be involved. A police stop is a highly charged event where everyone involved doesn't know what they will get from the other person. To me, the appropriate question to ask is: what is proper decorum during a police stop?

In her column, Maureen Dowd tackled part of the problem in a column titled "Bite Your Tongue:"

"Gates told me Crowley was so “gruff” and unsolicitous “the hair on my neck stood up.” Crowley says Gates acted “put off” and “agitated... A police officer who’s proud of his reputation for getting along with black officers, and for teaching cadets to avoid racial profiling, feels maligned to be cast as a racist white Boston cop. A famous professor who studies identity and summers in Martha’s Vineyard feels maligned to be cast as a black burglar with backpack and crowbar."

Could it be that Crowley and Gates are both right? I think so.

Part of the problem starts with the nature of a police stop. It's a tense situation for all involved. I know because I have been stopped by the police. I am not discussing police stops for speeding or violating a traffic law. I'm discussing police stops where the police are investigating a possible serious crime and the person stopped is considered a possible suspect.

You just don't know how tense and scary a police stop is until it happens to you. So, I am not quick to judge anybody involved in a police stop. In the heat of the moment, it's easy for anything said or any movement to be interpreted in a way different from the way intended.

portable hairdryer In 1978, I was stopped by two plain-clothed detectives while I was walking down a Chicago street with my girlfriend's hairdryer -- one of those old, heavy bulky kind. (The photo on the right will give you an idea, but it was an older model before the hand-held hairdryers became popular.) We were both graduate students at the University of Chicago, and were house-sitting during a school break in Hyde park for a friend who was away on vacation.

My girlfriend left her hairdryer in her dorm room and asked me to retrieve it. While walking from the campus back to the apartment with the hairdryer, the two plain-clothed detectives stopped their car on the sidewalk in front of me, exited their car, drew their guns, and yelled at me to, "Freeze."

Thankfully, I had the presence of mind to stay calm with guns pointed at me. I froze and responded politely with, “Hello officers. How can I help?” This response helped diffused a tense situation and let them know I was cooperative. The officers asked me for identification, reviewed my school I.D., made a general statement about there being burglaries in the area, and then waved me on.

My point is this: even when you are innocent a police stop can be a harrowing event. Some of you might say that was 30 years ago, so get over it, George. Well maybe, but that was the only time in my life that I have had guns pointed at me. I could have twitched with fear and easily been shot. Some memories fade more slowly than others.

Maybe, that was how Chicago police officers felt that they had to respond to situations. I don't know. I've never been a police officer. Police officers work in a profession where their lives are at risk at times, so maybe this is how they feel they must act to stay safe. I didn't know if they were responding to a 9-1-1 call or not. Maybe I was wearing similar clothes as a thief they may have been pursuing. I don't know and they didn't say.

My point is: until it happens, you don't know how scary and tense a police stop can be. And until it happens, you don't know how you'll respond. My impression is that most Americans have not been stopped besides a speeding or traffic violation. The police have definite expectations about how you should act: remain calm. That means speaking only when directed to, and moving only when directed to. It means that your questions probably won't be answered, too.

To remain calm, when you know you are innocent while others treat you like a criminal, can feel frustrating, humiliating and insulting. When you try to comply and don't get your questions answered, that can intensify those feelings. Some people might call being calm in such a situation being docile. Many people probably have the opinion that it should be easy to be calm if you are innocent, and obey the police no matter what. Yes, we all want the same thing... for the police to protect us. Having been stopped, I can tell you that it's a difficult situation -- a situation I think most Americans don't really know and don't pause to consider how tough it can be.

I learned about the expectations police have for police stops while growing up in Harlem. When I was a youth, there wasn't an Internet or online search sites to find out the proper decorum during a police stop. You learned it from whomever you trusted: your parents, a teacher or a relative. My dad told me.

While in college, in 1974 I had a summer job selling students dictionaries and home repair manuals door-to-door in Oklahoma City. The job was to show residents the books for students, collect deposits, and deliver the book orders at the end of the summer. This was long before Wal-Mart stores were everywhere, long before the Internet and online shopping, and before many supermarkets sold books. While selling books in Oklahoma City, Del City, and Midwest city, the police stopped me several times to check for a selling license, which I made sure to have.

During one stop, the police said that they had received complaints from some neighbors who thought that I was casing the homes to rob people. I was just going about my summer job door-to-door, trying to sell as many books as I could. Along the way, I asked questions about which homes had school-aged children so I could stop at the right homes.

In one incident, the police shuffled me into the backseat of their squad car while the neighbors screamed for the police to arrest me. I showed the police my selling license and explained how I was complying with their local laws. This time, the police drove me to the edge of town where I was released. Before I got out of the car, they tore up my selling license for that town -- a clear signal for me not to sell there anymore.

Based on my experiences, during a police stop it's easy for mistrust and poor communication to happen.

Was my experience in Oklahoma City in 1974 racism? Or was it because I was different: a sales person, from the North with a different accent, who happened to be Black? Hearing the “N” word was a clue. Having the police tear up a legal seller’s license was another clue. I tried to sell by their rules, and was still being treated harshly. Was it fair? No. I bit my lip, cried in the safety of a local gas station bathroom, and then moved on to sell in the next town.

Are things better today than they were in the 1970's? Of course things are better. That's not the point. My point: nobody likes having their credibility and integrity questioned. Nobody. The police don't like it and neither do citizens. We need to remember that about each other. The Gates-Crowley incident is a clear reminder.

Remaining calm, when you know you are innocent and while others treat you like you are a criminal, can feel frustrating, humiliating and insulting. You want to demand that they treat you with respect since you know you are innocent and are not a criminal, but at the same time they don't know who you are. It's a difficult situation filled with tension and uncertainty -- a situation I think most Americans don't really know or don't pause to consider how tough it can be.

So, what is proper decorum for citizens during a police stop?

This weekend, I did a few searches and was surprised at how many towns and cities don't publish local law enforcement's expectations of proper decorum for citizens during a police stop. Maybe the police feel like we citizens will learn what their expectations are through police shows on television and cable. To me, this is too important to leave to chance or to fictional television shows. Make it clear: publish your expectations online with sufficient detail for the different types of police stops. And citizens share the responsibility -- attend local civic association meetings, where law enforcement representatives visit and share important information.

Some people can remain calm more easily than others during a tense situation like a police stop. Thankfully, I was able to do so in 1974 and 1978 and not get shot. But I do know this... when you are innocent and the police stop you as a possible suspect in a crime it is very tempting to ask, "What's going on? Why are you stopping me?"

My point: an innocent question like "Why are you stopping me?" can be easily be interpreted during a tense situation as "Why are you stopping me?" or "Why are you stopping me?" It's easy for an innocent question to be interpreted as a confrontation or challenge to authority. It's easy for words and actions to be interpreted in different ways. Everyone involved in a police stop has expectations about how they wish to be treated, and the answers they expect to have answered. A simple question like "Why are you stopping me?" can easily be heard as, "How dare you stop me?"

The news reports have often provided some (but not all) facts about the Gates-Crowley incident. Facts continue to emerge. A wise person once told me that, "an expectation is a planned resentment."

It's easy for me to imagine a scenario where the officer asked professor Gates for identification and the professor would assume that his school I.D. was sufficient, while the officer's I.D. expectations included verification of his residential address. It's easy for me to imagine a scenario where the professor asked the officer for identification and the officer provided his name and precinct; something the officer felt was sufficient while the professor felt was insufficient. If either of these happened, it's easy to see how the situation escalated.

My point: none of us were in the Gates' home to see and hear exactly what was said. Words, tone, and inflection all matter. We only have both individuals' reports after the fact... a he-said versus he-said situation. So, it's difficult to know exactly what happened.

Based on everything I have read, my opinion is that both men probably over-reacted... but that's easy to do in a situation filled with tension, ambiguity, and uncertainty. Words and actions are interpreted, then egos get in the way. So, I'm willing to give both men some slack.

President Obama says he hopes that this can be a teachable moment. I agree. I hope that the teachable moment includes a discussion about law enforcement's expectations of citizen decorum during a police stop. In my opinion, this event is not about racial profiling, but about the decorum and expectations during a police stop.

Hopefully, local law enforcement across the country will make more efforts to make it clearer to citizens what their expectations are during a police stop. Baltimore County, Maryland has a pretty good Web page that clearly explains local law enforcement's expectations of citizens during the different types of police stops: in your car, on the street, and at your home. There are important details between each type of police stop. I wish that more cities and towns published clear statements online like this.

I'd like to see these online pages cover appropriate decorum during a police stop where a citizen is mistaken for a criminal due to identity theft. That's a situation that is ripe for conflict, since the police are pretty sure they know who the suspect is, while the victim is both certain they are innocent and unaware that their identity has been used by others during a crime.

Also, I think that citizens' expectations of local law enforcement are changing. This experience will illustrate what I mean.

After a drive-by shooting on my street, my neighbors and I formed a neighborhood watch group with the assistance of the Boston Police Department. The BPD came to meetings in our homes and taught us how to form a successful neighborhood watch, what is suspicious behavior, and when to call 9-1-1. And, there is a big difference between "suspicious people" and "suspicious behavior."

That was an enlightening process, since like most people I thought that I knew when to call 9-1-1. We learned to call 9-1-1 and to recognize suspicious behavior (not people) that we want investigated. All of this is training that I believe more citizens should get. My point is this: during the training, the local police representatives shared their names and office e-mail addresses, so we could contact them for a variety of follow-up reasons.

I can tell you this: if I invite a police representative into my home, I will expect to know their full name and contact information (not necessarily a badge number). It doesn’t mean there is a problem. It does not mean I question the officer’s authority or integrity. It simply means that I want to know exactly who I am doing business with, in case I need to contact them again for some reason requiring follow-up.

I hope that this incident becomes a teachable moment that includes a discussion about law enforcement's expectations of citizen decorum during a police stop. And since data breaches soared by 47% in 2008, it'd be great if this teachable moment covered the decorum for mistaken identity police stops due to identity theft.

Former Councilman Gets One Year In Prison For Computer Spying

I think that it is important for criminals to experience consequences. The ends do not justify the means. The Greenville News (North Carolina) reported:

"A federal judge sentenced former Greenville County councilman Tony Trout to one year in prison on computer spying charges on Wednesday, telling the former police officer that he violated the public's trust... Trout told U.S. District Judge Henry Floyd that he was wrong to implant a bug on County Administrator Joe Kernell's computer that allowed him to access Kernell's personal emails... A jury convicted Trout in April on four counts of computer spying and wiretapping after Trout testified in his own defense that he didn't know that it was illegal to intercept Kernell's personal e-mails through the administrator's computer and private Yahoo account. Trout's stated intention was to expose what he saw as government corruption and that he thought county employees had no right to privacy on work computers..."

Trout's actions violated the Electronic Privacy Communications Act.

Facebook Does It Again

Facebook logo This morning, I received the following status message from Kaitlin, a friend I'm connected to on Facebook:

"PASS IT ON: your face may be soon appear in the ads your friends see. Facebook agreed to let third party advertisers use posted pictures without permission. Want to stop it? Click SETTINGS at the top by the Search box. Select PRIVACY SETTINGS. Then select NEWS FEEDS AND WALL. Next, select the FACEBOOK ADS tab. In the drop down box, select NO ONE. You have to SAVE CHANGES or it won't work."

As I wrote in my reply to Kaitlin's FB status: Geez! Could this opt-out mechanism be any more difficult to find?! This is is a good example of the problem with opt-out driven ad programs, where consumers are automatically included. It places the burden on consumers to constantly stay informed and to take action. As soon as Facebook changes its ad program (e.g., revised guidelines, new advertisers, etc.), Facebook could easily undo everyone's opt-out selections.

It would seem that the executives at Facebook still don't get it about privacy and users' control of their information. Yes, things are somewhat better since the Facebook-Beacon debacle. Don't include me automatically in your ad programs unless I specifically opt-in. These opt-out driven ad programs are infuriating!

Experian Informs Maryland Consumers Of Data Breach

Experian logo I write frequently about the major credit reporting agencies since they collect and archive the most sensitive personal and financial data about consumers. Given that, this is a data breach that shouldn't have happened.

In many states, companies are required by state law to report data breaches. Maryland is one of the few states that publishes these breach letters online so that its residence can easily confirm any breach notification letters received (and make sure that the letters aren't phishing attempts). The June 26, 2009 breach notification letter from Laura Mundy, Vice President of Regulatory Compliance at Experian:

"In accordance with state law, I wish to inform you that Experian, one of the nationwide credit reporting agencies intends to notify twenty Maryland residents about unauthorized access to their personal information. The residents will be notified by US mail this week and will be provided credit monitoring services. A copy of the written notification is enclosed.

Experian, one of the nationwide credit reporting agencies identified that consumer information was recently accessed online after methods to authenticate their identity were completed successfully by unknown individuals. The consumer information consists of information typically found in a consumer credit report. Such information includes the consumer's name and address and one or more of the following: Social Security Number or date of birth. Experian is actively working with law enforcement to investigate this matter."

In my opinion, never has so many words said so little. This letter says the absolute bare minimum about the breach -- when it happened, why it happened, and what Experian is doing to prevent a similar incident in the future. A breach notification letter's contents should not vary whether the breach affected 20, 200 or 2 million consumers.

Experian's breach notification letter did a good job of directing consumers to if they have questions, and to to learn more about the post-breach credit monitoring service offered. The letter should have also:

  • Explained why the free credit monitoring services offer is only for one year and not longer, since the risk to the consumer is longer
  • Provided a description of any credit resolution services included in the credit monitoring services offer
  • Offered to cover the cost of consumers' Security Freeze fees to protect their credit reports
  • Offered to reimburse consumers for the annual cost of free credit monitoring period if the consumer already has a credit monitoring service in place. Otherwise, these consumers get nothing from Experian.
  • What Experian is doing so a breach like this doesn't happen again

Documenting Opt-out Driven Ad Network Failures

Over at his blog, Christopher Soghoian has documented some major failures of advertising networks that employ the opt-out method. These are targeted advertising programs that automatically include consumers, and place the burden on consumers who don't want to be tracked to opt-out of the program. Some of Chris' findings:

"In the 100+ online advertising firms whose opt-outs I have requested, this is the only one that I've found that requires a CAPTCHA in order to opt-out. By itself, this would merely be an annoyance. However, the CAPTCHA code on their opt-out page is broken, and thus even correctly entered answers are rejected as invalid. Thus, it is impossible to ever successfully receive an opt-out cookie from their site."

And there is another gem:

"Their privacy page makes all kinds of bold promises, such as the fact that their cookies comply with the Platform for Privacy Preferences (P3P). The buttons to opt-in and opt-out are fairly easy to discover, and clearly labeled. Unfortunately, both the opt-in and opt-out buttons link to non-existent pages on their website. Anyone wishing to opt-out is thus met with a 404 error."

Excellent analysis Chris! He rightly concludes:

"... the industry is not doing a good job of policing itself, companies are not performing the most basic form of quality assurance and testing, and it is clear that they are not hiring outside auditors to independently verify that the opt-outs are working properly. This industry is big enough, and profitable enough to not need to depend upon a single motivated graduate student to discover and police its broken opt-outs."

When Vinny Met Sally (Lexis-Nexis' Data Breach And Organized Crime)

Lexis Nexis logo This Information Security Resources article titled, "He’s Not After Your Heart, Just Your Data" documented a new threat which is the intersection of dating, insider identity theft, and organized crime:

"Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family. The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft. Earlier in May, the U.S. Attorney General’s office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy. The 11 had ties to the Bonnano organized crime family."

How the operation worked:

"The alleged suspect, Lee Klein, one of the 11 charged in the indictment, “was an employee of a former Seisint customer who misused his employer’s Accurint access... Accurint is used by law enforcement and other entities to verify identity and locate people... Klein worked for the criminal “crew” of Thomas Fiore, an associate of the Bonanno organized crime family. The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement."

How the dating connection figures into all of this:

"One of the “old school” tactics that the organized crime figures use, says [Avivah Litan, an analyst at the Gartner Group], is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, 'He’s not after your heart; he’s after your data.' ”

The "I.Q. Test" Scam on Facebook: How To Protect Yourself

Last week, WBZ-TV 4 in Boston reported on the "I.Q. Test" scam currently on Facebook. Some consumers received robo-phone calls; others had fees applied to their phone bill; and other consumers were tricked into disclosing sensitive personal and financial data. I strongly suggest that you watch this video so you don't get 'e-mugged" or scammed. The "I.Q. Test" scam can be found on other social media sites besides Facebook.

[Editor's Note: after a recent redesign of its website, it appears that the WBZ-TV video from 2009 is no longer available online. Instead, I suggest this video from WDTN in Dayton, Ohio.]

Investigators Uncover a New Source of Data Breaches: Home Workers

The Irish Times recently reported:

"Forensics experts at the Dublin office of consultancy Ernst & Young have found evidence that prominent companies in Ireland are allowing home-based employees to download sensitive company and client data to their personal computers. Second-hand computer hard drives containing sensitive information - including hundreds of customer bank, Laser and credit-card account details, car registration information, staff PPS numbers, internal corporate information and e-mail details - were purchased on Irish auction website from owners who, in most cases, had not even bothered to erase the drives."

Some countries call home-based workers "teleworkers." In some instances, it is employees who work both at home and at the office. Regardless, there's every reason to expect that data breaches via home-based workers happens in the USA, too:

"In addition to exposing their employers to litigation, and customers and employees to potential fraudulent use of their data, the failure of employees to protect such data is a violation of European data protection legislation... We found very sensitive corporate information about customers, transaction levels and volumes, company and personal e-mails, customer lists and, in one case, a plan for the technical architecture of the company's network... For the investigation, several drives were bought on eBay's Irish website from random individual owners for as little as €5. The purpose was to analyse what type of documents might be found on second-hand computers..."

Experts caution that a simple reformat of a hard drive is not enough. Forensics tools can recover files through that. Companies often use stronger erasure techniques that consumers don't have access to. Some experts advise companies to encrypt files that are made available to employees' home computers. Is employee training relevant? Absolutely.

I shudder to think what sensitive personal data is stored on the laptops of human resource department employees.

Now that investigators know that there is plenty of sensitive company information and sensitive consumer personal data on used computers and hard drives sold via auction sites, one should expect identity criminals to capitalize on this opportunity, too.

Security Hole And Poor Customer Service At Credit Reporting Agencies' Security Freeze Processes

In April, I discussed Janet's story. A quick summary of the facts:

  • Janet's sensitive personal and financial data was stolen during the Heartland data breach, and her credit union provided a replacement debit/credit card
  • To protect her privacy, Janet asked me not todisclose her real name
  • Janet already has a Security Freeze on her credit reports at the three major credit bureaus,
  • Experian notified Janet of an attempted change of address submitted for her credit report,
  • Janet tried calling Experian, but was unable to speak to a representative. She filed a report with local law enforcement, who had the same difficulty calling Experian,
  • Janet checked her credit reports and noticed a fraudulent SSN added to her Experian credit report, while a Security Freeze was supposedly in place
  • To date, Janet's situation is unresolved since Experian has not responded.

While discussing this with Janet, I began to wonder how the major credit bureaus handle address changes for consumers who have a Security Freeze on their credit reports. My take on Janet's story: the attempted address change indicates that identity criminals were trying to take over her financial accounts and/or reroute her postal mail. Other I've Been Mugged readers commented on my April 27 post about receiving similar address change notifications about their credit reports.

To investigate this, first I reviewed the Security Freeze documents I received from the three major credit bureaus when I established a freeze on my credit reports. These print documents clearly explained how to lift or remove a Security Freeze,, but none mentioned an address change policy or instructions.

Second, I visited the Web sites for all three major credit bureaus to see if they mentioned an address change policy or process for consumers with a Security Freeze on their credit reports. None of the sites stated an address change policy for Security Freeze customers. This was a surprise. I expected the credit bureaus to have a policy because:

  • Consumers were promised that nobody can access their credit report with a Security Freeze in place,
  • Consumers paid a fee (varies by State) to place a Security Freeze on their credit reports,
  • The Security Freeze instructions clearly explained to consumers to use their Personal ID Number (PIN) in correspondence when temporarily lifting or removing a Security Freeze
  • Consumers need to know how to communicate an address change so that future Security Freeze lift or removal requests are processed smoothly and quickly without interruption

Third, I sent the letter below (via Certified, Return Receipt) postal mail to Experian, Equifax, and TransUnion asking them to explain what policy they might have about address changes for Security Freeze customers. I included my Security Freeze PIN within each letter:

"Dear Sir (Miss):

I need your help. I currently have a Security Freeze on my [credit bureau] credit report and may be moving my home residence soon. I need to know your policy about submitting a change of address when a Security Freeze is in place.

I assume that I need to submit a change of address to you so that any future request by me to temporarily lift my [credit bureau] Security Freeze will be honored by you. (If this assumption is incorrect, please tell me.) I read the documents you sent to me when a Security Freeze was placed on my [credit bureau] credit report. Those documents did not mention your policy about how to submit a change of address. I also checked your web site and dialed your toll-free number. The toll-free number did not contain an option about how Security Freeze customers should submit a change of address. Nor did your web site list a policy for consumers with an [credit bureau] Security Freeze to submit a change of address.

My specific questions I need answers to:

- Do I need to submit a change of address so that I can temporarily lift my Security Freeze at my new address?

- Do I need to submit my Security Freeze personal information number when submitting a change of address?

- Do I need to submit proof of my old address when submitting a change of address? (If so, please explain what documents you require.)

- Do I need to submit proof of my new address when submitting a change of address? (If so, please explain what documents you require.)

- What methods does [credit bureau]n use to prevent an identity thief from submitting a fraudulent change of address? My personal information was exposed/stolen during the IBM data breach in 2007.

- I would have preferred to submit this inquiry online via your web site for a faster reply, but could not find an option to do so. If there is an option to submit inquires like this at your web site, please tell me.

Thank you in advance for your prompt attention to this letter.


George Jenkins
Enclosed: proof of address
Security Freeze Personal Identification Number: XXXXXXXXXX

This letter seemed clear enough. Think of it this way: Security Freeze customers need to know whether or not to submit an address change, and whether or not to include their Security Freeze PIN. If the credit bureaus do not require the submission of a Security Freeze PIN with an address change submission, then there is no real "security" on the Security Freeze tool, since anyone could then submit an address change from any address.

I eagerly awaited detailed replies from Experian, Equifax, and TransUnion describing their address change policies for Security Freeze customers. Instead, I received form letters that didn't answer any of my questions. Equifax's reply:

"We have received your request concerning an Equifax security freeze. Unfortunately, your request did not include the following required item(s) we need to process a request for initial placement, temporarily life or permanently removal of a security freeze..."

Huh? Was my letter that difficult to understand? I want to know what your address change policy is. I did not request to place, lift, or remove my Security Freeze. And, I supplied my Security Freeze PIN. Wasn't that enough documentation? TransUnion's reply:

"We have received your request for a copy of your TransUnion Credit Report. However, the current mailing address you provide is not listed in our records..."

Huh? I sent my letter from the exact same address I established my TransUnion Security Freeze at in 2008. I was starting to feel frustrated with the non-responses to my inquiry. Experian's reply:

"We were unable to honor your request because you did not provide sufficient identification information for us to verify your identity. Please read the information below if you would like to order a copy of your personal credit report..."

Huh? My Experian Security Freeze PIN number was not enough identification? A copy of my current driver's license was not enough? These inadequate responses were becoming very frustrating. None answered my direct questions about their address change policy for Security Freeze customers. I didn't want a credit report. I didn't want to place, lift, or remove my Security Freeze. I just wanted an explanation of their address change policy for Security Freeze customers.

After thinking about this some more, I concluded that one of three things was possible:

  1. Experian, Equifax, and TransUnion operate a poor Security Freeze administrative process. Maybe some minimum-wage clerk didn't read my letter and handled it in a bureaucratic fashion. My letter should have been routed to a manager for a detailed reply. This was not good customer service.
  2. Experian, Equifax, and TransUnion don't have an address change for Security Freeze customers (and perhaps, don't want to admit it).
  3. Experian, Equifax, and TransUnion have an address change policy for Security Freeze customers and choose not to disclose it.

So what is going on? Consumers want to know and deserve an answer.

At best, possibility #1 applies. At worse, possibility #2 applies and there is no security for consumers with Security Freezes on their credit reports. A really bad scenario would be that possibilities #1 and #3 both apply.

Fourth, I made one last attempt and called the Public Relations departments at Equifax, Experian, and TransUnion. It should not be this difficult for consumers to get an answer. At press time, neither Equifax nor Experian had replied. Steven Katz issued the following reply by TransUnion:

"The unique PIN# provided to the consumer at the time that the security freeze was established is required to modify an address in a file with a security freeze in place. If for any reason the consumer is unable provide the issued PIN#, TransUnion will use proprietary authentication procedures to ensure that the individual requesting the address change is, in fact, the "owner" of the corresponding credit file."

So, at least TransUnion had an address change policy for Security Freeze customers. TransUnion's address change policy should be disclosed for consumers in both their print and online Security Freeze materials. Consumers need clear guidance.

However, TransUnion's Security Freeze PIN isn't as powerful as consumers might think or expect. I expected the TransUnion Security Freeze PIN to be as powerful as the PIN I used at my bank ATM machines. It isn't. Steven Katz added:

"Regardless of whether we are able confirm the individual's identity via the PIN# or our via our authentication procedures when the consumer does not have the PIN# available, if the new address is not already being reported by one or more of the consumer's creditors, [TransUnion] will require documentation verifying the actual existence of the consumer at that address be forwarded to us either by fax or mail. Examples of documentation would include: bank statement, utility bill, driver's license or mortgage statement in consumer's name listed at that address."

In other words, if a bank or loan company (e.g., a creditor the consumer has an existing account with) reports an address change, TransUnion will apply that change to the consumer's credit report. If that existing creditor has been compromised by a data breach or fraud, then (fraudulent) errors could still make their way into consumers' credit reports -- and consumers could encounter experiences like Janet's.

I know that I expected something far more secure... closer to bullet-proof.

Consumers need to know that changes to their credit reports still happen with a Security Freeze (and PIN) in place. A Security Freeze stops the credit bureau from selling their credit report to new creditors. A Security Freeze does not stop the credit bureau from applying changes to the consumer's credit report.

So, your TransUnion Security Freeze PIN isn't the as powerful as you'd think. You might expect the PIN to make life easier and faster for consumers. It doesn't. It's far less powerful than the PIN consumers use with their bank ATM card. WIth a bank PIN, nobody gets in to your account without a PIN. Nobody. With a credit bureau PIN, well some (existing creditors) can still get in without a PIN.

This means that consumers with a Security Freeze in place still need to monitor their credit reports for accuracy. It means that conflicting or erroneous address information will require TransUnion Security Freeze customers to submit additional documentation. That could cause delays if you need credit quickly when lifting or removing a TransUnion Security Freeze.

This isn't the streamlined, efficient TransUnion security freeze process I expected. My guess, many consumers have the same opinions.

Maybe Equifax and Experian will clarify in the Comments section below if they have an address change policy for their Security Freeze customers; and if so what it might be. If they don't have an address change policy, then it seems there is a security hole in how address changes are applied.

Regardless, all credit bureaus need to disclose their address change policy for Security Freeze customers in both their print and online materials. Consumers need to know what's expected with appropriate instructions. Experian, Equifax, and TransUnion also need to re-evaluate their Security Freeze administrative process and improve their customer service quality. Inquiry letters like mine should be handled properly. Mine was not handled properly and it indicates poor customer service.

If you have had correspondence with the credit bureaus about an address change policy for Security Freeze customers, we'd love to hear about your experiences.

Last, if I know about this security gap with the credit reporting agencies' Security Freeze administrative process, then you can bet that identity thieves know about it, too.

For Social Media Users: How To Protect Your Online Reputation

Plenty of people use social media sites. Over 200 million people use Sometimes what is posted is accurate, and other times it isn't. What's a person to do about it? Some highlights from a recent Forbes Magazine article about how to protect your online reputation:

"The best way to manage your online reputation is by generating positive search results that will rank as highly as possible in a Google search and edge out anything negative on the list of search results... Much as you would protect your credit, check for activity connected to your name. Set up a news feed for your name so you can monitor when and if you pop up on blogs or in news stories... register your name as a domain name, and sign up for every social network that you can think of. Those moves will ensure you have a presence and won't be mistaken for someone else. Then, take seriously what you post on the Web... Just because you can tell the world what you're doing doesn't mean you should... 35% of recruiters say they have eliminated a candidate because of something they found on the Web..."

Well, that is excellent advice. Read the Forbes article for details.

Add This New Site To Your Bookmarks: TOSBack

On June 4, 2009, the the Electronic Frontier Foundation (EFF) launched TOSBack to help consumers understand and track the changes in the terms of service (TOS) at major Web sites. The list os current sites is small -- about 35 -- and includes well-known sites such as Facebook, Google, AT&T, and eBay.

What I like about TOSBack:

  • It begins to address a need to monitor companies' Web-site TOS documents, especially when they become consumer-unfriendly. Remember the Facebook TOS fiasco
  • It shows you how a site's TOS changes over time
  • It displays old and new TOS versions side-by-side with highlights so consumers can easily see the changes
  • It offers an RSS feed to alert consumers of changes

What I don't like about TOSBack:

  • Coverage does not include banks
  • The RSS feed is in its infancy. I'd like the capability to "mash-up" or select RSS feeds only for selected companies, not all of them.
  • Sites vary in their TOS complexity. Some TOS documents vary by country, by product or service, and/or by sub-site. (Consider: AT&T has about 17 different privacy policies for various prodcuts and services: general Web site, wireless, landline phone, DSL, behavioral advertising, etc.) It's unclear how TOSBack will accommodate this.
  • TOSBack performs a service which each company should be doing: make their TOS easy to read and to understand. I fear that TOSBack will remove the pressure off companies to take responsibility to make their TOS documents easier to read, easier to understand, and incorporate clear, conspicious opt-in mechanisms

Companies I'd like to see TOSBack monitor: Equifax, Experian, TransUnion, Phorm, and all of the major banks.

Overall, TOSBack is a good first step in the right direction. I'd love to see consumers demand TOS-tracking features at the Web sites they visit and shop at.

The FTC To Rigorously Study Fraud

In his Bizop News blog, attorney Michael Webster wrote:

"The FTC has finally decided to start studying fraud and not simply rely upon the discredited notion of disclosure for prevention. The FTC held a workshop earlier in the year about consumer fraud. From that workshop, the FTC made a decision to try empirically understand the determinants of consumer fraud."

The FTC program was announced in the U.S. Federal Register (PDF). This is clearly good news since:

"The [FTC] Commission has also conducted telephone surveys in 2003 and 2005 designed to measure the proportion of the U.S. adult population that has fallen victim to various consumer frauds. Despite this, surprisingly little is known about what determines consumers' susceptibility to fraud. For example, the 2003 and 2005 FTC Consumer Fraud surveys found that education was not a significant predictor of fraud victimization. Understanding when and why people are vulnerable to fraud would better inform the FTC's substantial, ongoing efforts to fight fraud through law enforcement and consumer education... study results may aid the FTC's efforts to better target its enforcement actions and consumer education initiatives, and improve future fraud surveys."

The FTC's approach towards a rigorous study of fraud:

"Economic and psychological experiments have identified several decision-making biases, such as impulsivity, over-confidence, overoptimism, and loss aversion, that can cause inaccurate assessments of the risks, costs, and benefits of various choices. FTC staff proposes to conduct an economic laboratory experiment to study whether these types of decision biases are related to consumer susceptibility to fraudulent or deceptive marketing claims. Staff intends to study consumers’ assessment of potentially deceptive advertisements... The FTC proposes to conduct an experiment in a university’s economics laboratory with 250 subjects drawn from the campus community. A sampling of 250 persons enables random assignment of subjects into different experimental conditions..."

According to the Federal Register, interested consumers and companies can submit written comments
electronically or in paper form about proposed study approach. Comments should refer to the "Fraud Susceptibility Experiment, FTC File No. P095501," and include your name and state. You can submit comments online at the FTC Web site on or before August 10, 2009. Comments will be made public so do not disclose any sensitive personal or financial information.

5 Tricks Banks Use To Charge Consumers More Overdraft Fees

I've Been Mugged warned its readers in February about higher credit card interest rates and lower card limits by banks which followed during March and in April. Unfortunately, banks haven't given up. They still seek ways to increase their revenues, which means new and higher fees for you.

WalletPop has a good list of five tricks banks use to charge you overdraft fees more often and with greater amounts. Follow their advice and you can avoid these tricks. One trick banks use is "Reordered Transactions:"

"Just because you bought a smoothie in the morning with your debit card and paid your rent in the afternoon doesn't mean that's the order in which your transactions will be cleared. Banks often change the order in which debit transactions clear – and tend to clear debits before clearing any deposits made – from highest to lowest amounts. By doing so, the customer's account is depleted more quickly and they'll incur more overdraft fees..."

Part of the problem is that banks don't disclose the order that they process transactions. Another trick to watch out for is "High Daily Maximums:"

"With many banks, there's no limit to the number of overdraft fee-triggering transactions you can charge. Bank of America, HSBC, Chase and Wells Fargo have no limit per day, while Citibank permits four (for a total of $136). Some banks use a tiered overdraft system that increases charges for subsequent overdrafts. Chase charges $25 for the first offense and $32 to $35 apiece for subsequent charges. At PNC Bank, the first three offenses cost $31 a pop, the fourth through sixth each cost $34 and seven times or more costs $36."

Experts advise that you keep at least a $100 minimum in your checking account to avoid overdraft fees. Experts advise consumers to ask your bank to set the debit overdraw amount on your account to zero, so it will reject transactions instead of incurring overdraft fees

Another trick is "Holding Deposits For Clearance:"

"Take a close look at your bank account. Just because it shows that your paycheck was deposited doesn't mean you have complete access to those funds. When paychecks are deposited, the bank can take two to five days to clear them..."

What consumers can do: contact your elected officials and demand legislation to protect consumers:

"... the Consumer Overdraft Protection Fair Practices Act, legislation that aims to prohibit overdraft fees unless the consumer opts for "courtesy" overdrafts. Even if a consumer opts for overdraft protection, they must receive a warning of an impending fee before they finalize a purchase that may trigger the overdraft fee."

I strongly encourage you to read the detailed WalletPop article.

Social War Dialing: A New Identity Theft Scam. How To Protect Yourself

Identity thieves and fraudsters constantly develop new ways to trick consumers into revealing their sensitive personal data and financial information. WindowsITPro described the latest scam:

"... called Social War Dialing also known as “Vishing”. Like its cousin Phishing, this con attempts to talk unsuspecting victims out of their account numbers, passwords, etc. However instead of using email or the computer which many of us have been trained to not trust, they use the good ole telephone... Those picking up the phone hear a prerecorded message from their friendly local community bank that their account has been compromised. They need to change their PIN code immediately to avoid any unauthorized charges. They are directly via a menu to enter their account number, their old PIN and a new PIN. Of course, this isn’t the bank calling but rather a sophisticated overseas ID theft gang using VOIP technology. Caller ID shows the name of the bank giving further credibility to the attacker. Once they have the card number and PIN, they can quickly generate a fake ATM or debit card and start either withdrawing cash or making purchases."

Variations of this scam use text messaging via cellphones and smartphones. The scam also targets consumers who are not familiar with computers and Internet. Experts advise consumers to hang up and direct dial your bank or financial institution to verify the phone call. Do not respond to the call by entering your bank account information. Do not rely on Caller ID to verify the caller's identity. hang up and call your bank to verify if they called you.

What Sensitive Personal Data Is The Adobe Flash Player On Your Computer Sharing With Other Companies?

Download Adobe Flash Player It seems that the Adobe Flash Player stores a lot more sensitive personal data about consumers than many people realize. A technology consultant (and former coworker of mine at Digitas LLc), Steve Brennan wrote:

"Check out the Flash Privacy and Settings "Control Panel" - only viewable on their website. A shocking amount of info is stored by the Flash player on your computer (also note those sites are not deleted when you clear your browser history). Check out the last tab in the interface. I don't like this one bit from a privacy perspective, I've never heard of this control panel before, feels like a sin of omission."

I hadn't heard about this either. I looked at the settings for my Flash player with IE. It is very important for consumers to set their Flash Privacy settings, since some of the settings allow sites to take over the microphone and/or camera on consumers' computers. Privacy settings let consumers specify whether you want applications from a particular Web site to have such access.

It seems that I have to access this Control Panel separately for each browser I have Flash player with. What a pain! This is so consumer-unfriendly because it requires consumers to be experts about the various technologies used on their computer. Steven also wrote:

"I really am shocked by how much info Flash appears to be holding onto, without informing the user or providing an easy way to clear it out. I want to dig deeper and see if it is also storing any info that were entered into flash forms."

I am shocked, too. The storage of personal data and the lack of notice by Adobe feel like an e-mugging to me. This is a data security hole when consumers switch computers. I'll bet that nobody clears out their Flash settings and stored data before they discard an old computer.

Besides the data privacy issues, the Flash development approach by many companies and digital agencies may contribute to the problem:

"One of the larger issues here IMHO is that Flash "programmers" are, by and large, not classically trained programmers and data privacy isn't on their radar. Many are more focused on getting it done and making it look good, which is fine as long as the user is protected. The flash authoring tools don't help on this front either they neither inform nor enforce any best practices with respect to data and privacy."

Adobe should be more vocal and transparent about notifying consumers about their Adobe Flash Player privacy and settings "Control Panel."

Have A Safe, Enjoyable July 4th Holiday Weekend

I'm taking a break. Posts will resume sometime next week. Meanwhile, feel free to read some of my favorite I've Been Mugged posts:

Or, browse the ID-Theft Humor section.

Celebrating Two Years Online!

Two years ago today, I started the I've Been Mugged blog. Since then, I've learned a lot about identity theft, fraud, privacy, and data breaches. This blog has been a good tool to organize my thoughts, learnings, and the online resources I've found. During the past year, a new Twitter feed and Facebook page have helped I've Been Mugged reach new readers.

Some thank-you messages are definitely called for. First, I'd like to thank I've Been Mugged readers. Weekdays, the I've Been Mugged blog gets about 350 - 400 hits daily. I am grateful for our readership and for the comments you have submitted. W have explored together many interesting topics, and I look forward to more exploration.

Second, I'd like to thank the bloggers and the consumer advocates I've met online. Without their suggestions and encouragement, The quality of I've Been Mugged posts wouldn't be as high as it has been. Some bloggers I'd like to thank by name: John Taylor, Lori Magno, Diane Danielson, Michael Krigsman, Chris Ott, Drew McLelland, Ryan Barrett, Ronni Bennett (who leads by example far more than she realizes), and Jonathan Feeley.

Third, I'd like to thank my guest author, Bill Seebeck, for his insightful and controversial posts.

Fourth, I'd like to thank the Privacy Crusaders. If you know who they are, then you know the good they've done.

Fifth, I'd like to thank IBM for losing my sensitive personal data during their February 2007 data breach. That incident caused me to start blogging. The more I learned about data breaches and the way companies assist (or don't) their data-breach victims, the more I realized that I had to do something. Rather than be angry, blogging seemed like a healthy and appropriate response.

If you haven't noticed yet, I named this blog in honor of IBM's data breach = I've Been Mugged.

And, I especially want to thank my wife, Alison. Without her support and flexibility, I couldn't write I've Been Mugged.

What's next for the coming year? We'll continue to write about identity theft topics, data breaches, and areas where corporate responsibility is lagging. Of course, we'll follow hot topics such as medical identity theft and fraud, behavioral advertising, and identity-theft legislation.

We'll continue to report on emerging issues that affect consumers; like our February 2009 blog posts about higher credit card interest rates by banks in March and April that affected consumers. And, we'll sprinkle this blog with plenty of ID-theft humor, since it's never all doom and gloom.

When it comes to identity theft, data breaches and corporate responsibility, there seems to be plenty to write about.