Search This Blog

Wednesday, September 28, 2005

ChexSystems: Another Lurking Database

If you buy your checks from Deluxe Corporation, the largest of the check printers, there are some facts you should know about this company. CardReport.com, a site packed with good information for your credit needs and woes, provides insight into ChexSystems, a Deluxe subsidiary that maintains negative information on your checking and savings account habits.

These include accounts closed for reasons of insufficient funds (bounced checks) or ATM overdrafts. Deluxe claims 80 percent of all banks will contact ChexSystems re. new checking and savings accounts, according to CardReport. The database comprises some 19 million old accounts listed as “Closed For Cause” by the bank. And there you have that dirty word again…database.

Personal data incorporated into this database includes your name, address, Social Security number, driver’s license number, and more. Deluxe also owns Shared Check Authorization Network (S.C.A.N.), which verifies checks for over 77,000 retail locations nationwide. And not to be denied the junk mailer’s devious craft of selling your name and private information for a profit, they have another company by the name of Deluxe Data Resources, which sells detailed consumer demographic data on 100 million households.

Bankrate.com, one of the most comprehensive sites for credit info I’ve run across, confirms that 80 percent of U.S. banks do belong to the ChexSystems network. They also recount grass-roots efforts against ChexSystems by Web sites such as PassChecking.com, set up entirely to help consumers fight the system. Later in this post, I will show you other sites that either report on ChexSystems or are activists against the company.

Bankrate questions why a few overdrafts should place you on the blacklist for five years and goes on to note that it is the bank that actually causes that to happen. ChexSystems merely provides the database—there’s that dirty word again—that allows the bank to act. If you end up on its list through error, ChexSystems professes to help correct this both within their company and with the participating banks.

Let me say that I don’t believe most consumers would condone the flakes that regularly write bad checks or hit the ATM for cash that is not in their account. I know I don’t. It is dealing with these individuals, compared with those innocent souls that found their way on to this list erroneously, that bothers me. That and the resulting monstrous database. ChexSystems is regulated by the Fair Credit Reporting Act, so, at least, you do have the right to a free report.

If you Google ChexSystems, you come up with a site named Consumer Debt Resource, which apparently is the company, minus the bad-press name. In all fairness, there is an abundance of consumer credit information available, but you won’t find any details on the personal data that is compiled by ChexSystems, or its parent, Deluxe Corporation.

You won’t see another Deluxe company on the site: Checks Unlimited, formerly known as Current Checks. Checks Unlimited is a junk mail supplier of checks, with 8.3 million customers whose names are sold along with their lifestyles—forty-three, based on their check purchases—from book readers to pet owners to gardeners, environmentally conscious, investors, Republican prospects, to young children and teens. That’s database number four for Deluxe, with individual household, private information.

And now on to the Web sites I promised earlier that attempt to deal with ChexSystems (CS), each in its own way. First, ChexSystems Bites! places the company in its HALL OF SHAME for “developing and profiting from the terribly flawed system known as the ChexSystems Network.” The National Check Fraud Center provides a running commentary about CS, of benefit to anyone on their list. Carreon and Associates’ Better Credit-Better Life site has an in-depth report titled, “Getting Around ChexSystems,” which seems to speak for itself.

Yahoo! has a page listing other sites that deal with CS, one of which is “Fight Back Against ChexSystems.” Consumeraffairs.com has a short blurb called Chex Imbalances that compares CS with ChoicePoint and Bank of America, exposing CS’s freedom from public oversight, although its “practices have spawned a Web-based subculture of horror stories…”

Finally, there’s the “Mother” of all anti-ChexSystems sites: ChexVictims. You have to sign up to get the best information and participate, but it’s FREE and takes only a couple of minutes. From finding the 20 percent of banks that do not cooperate with CS, to joining in on discussions and telling your personal story, this site means business. ChexVictims even gets into general credit problems that can result from being a CS victim.

With all the animosity toward ChexSystems, it makes you wonder where all this momentum comes from, and I think I have the answer. That’s right, the dirty word…database. Just another collection of your names and personal data that is probably ripe for the picking and somewhere on the priority list of ID thieves. Well, consumers are dead-tired of this and they aren’t going to take it much longer!

Saturday, September 24, 2005

Colleges & Universities: Another Break in the Social Security Dike

I found an article on MSNBC recently about a stolen laptop computer with personal information on more than 98,000 California university students and applicants. “Stolen Berkeley laptop recovered; arrest made,” reported by Reuters, states that the university is “uncertain whether the information had been tapped…” Berkeley officials also confirmed a man was arrested and charged with possession of stolen property, which was allegedly bought over the Internet.

There’s more, but my first question would be, what is this sensitive data doing on a laptop? The second question is, why does the California university system require Social Security numbers for identification?

I searched for over a half-hour for Berkeley’s Privacy Policy with no success. I was able to find something from Long Beach, a part of the California university system, stating that CA Code (Section 41201, Title 5) and the Internal Revenue Code (Section 6109) “require you to provide the university with your correct Social Security number.” The Long Beach policy states further, “The university uses your Social Security number to identify your academic records and to collect any debts you may owe to (the school) CSULB.”

I am not familiar with the California Code, but I did check the IRS Code 6109 on the Department of the Treasury site, and in its summary it clearly states that the “regulations affect individual preparers who elect to identify themselves using a number other than their SSN.” It appears to be concerned with tax refunds more than anything else and almost always refers to the “preparer” as the subject of attention.

It’s hard to understand the state of California, one that is probably the most consumer-oriented in the nation, still requiring Social Security numbers in their universities for identification. The state of Arizona, certainly not a leader in consumer rights, enacted law in 2002 prohibiting universities and colleges from using Social Security numbers to identify students or faculty. This was the result of an earlier data breach at the University of Arizona in Tucson. It also refutes California’s IRS requirement.

There is also another site, “Social Security Numbers and Student Privacy,” that debates the issue of protecting students from the fraudulent use of Social Security numbers. It discusses the increasing number of students that are revolting against using this information for identification, with students knowing full-well that their personal data is already plastered throughout databases all over the country. The feedback is interesting and worth your time if you are a college student or his/her parents.

And, once again, Privacy Rights Clearinghouse provides the best information for students and faculty in protecting their personal data. Their page, “My Social Security Number: How Secure Is It?” is a huge aggregation of pointers about the nine digits and how to keep them safe. It includes a section, “How Can a School Use My Social Security Number,” that explains compliance with the Family Education Rights and Privacy Act, which “requires written consent for the release of educational records or personally identifiable information…”

On another page, “A Chronology of Data Breaches Reported Since the ChoicePoint Incident,” details thirty-nine colleges and universities, and one high school, that have experienced personal data breaches in the amount of 1.7 million individuals. ALL IN THE YEAR 2005. And one, Georgia Southern University, not included in this number, reported “tens of thousands.” Most were the result of hacking, some stolen laptops, and one “dishonest insider.”

Folks, we’re talking about this country’s largest and most prestigious schools of higher learning, and even one high school. Institutions like Berkeley, Boston College, Northwestern, Carnegie Mellon, Michigan State, Oklahoma State, Purdue, Stanford, Duke, U. of Connecticut, Ohio State, USC, U. of Colorado and the U. of Florida, to name only a few.

According to the National Center for Education Statistics, there are approximately 16.7 million students attending college in 2005. Based on the Privacy Rights Clearinghouse figures, above, over ten percent of the students have had a breach of their personal data. The students also represent over three percent of the total data breaches since ChoicePoint. A small figure to some, perhaps, but still yet another tragic statistic that needs immediate attention.

Thursday, September 22, 2005

DMA Protects Deceased Families...AT a Price

The Direct Marketing Association (DMA) has just started its new Deceased Do Not Contact List. With the success of the telemarketing Do Not Call list, now almost numbering 100 million households, and the numerous calls from grieving families, the DMA felt it necessary to give another ultimatum to its 5,200 members. According to the DMA, they are “required to eliminate these individuals from their prospecting campaigns.”

You will, however, have to pay $1 for this right, giving the DMA your credit card number, name, relationship to the deceased, and e-mail address; the deceased’s, full name and address, all telephone numbers, their e-mail address, and month and year of death. They claim the buck is a verification fee, and I quote here, “to make sure we have a permanent record of the credit card information of those who did the registering; and to help prevent misuse of, or fraud against, this system.”

This is patently ludicrous. How does $1 stop misuse or fraud? Are they going to report violators to the FTC Death Squad or send you harassing e-mails because you were a bad boy or girl? “CTO” from the VoIP Blog has the right idea. He considered using each of his thirteen credit cards to add all members of his family to the list. Stopping their junk mail, he felt, would be the best Christmas gift he could give.

As if the total absurdity of the idea wasn’t enough, the DMA is quietly collecting another database with personal information—including your credit card number—flying in the face of so many recent data breaches from junk mail companies, data brokers and banks. What makes them think they can keep their data secure with the recent announcement that ChoicePoint has had another breach of 5,103 customers, as reported in the Atlanta Journal-Constitution?

The number isn’t as important as the fact that this is yet another trespass on private information, added to the one last February, which was reported only because of a 2003 California law requiring notification. COMPUTERWORLD stated in an April article by Grant Gross that ChoicePoint discovered 45 to 50 more data breaches that hadn’t been reported. But if you are counting, that’s over 150,000 customer records revealed by ChoicePoint.

There are some in the industry that aren’t completely sure of the effectiveness of the Deceased list. Geoffrey W. Peters, Pro Bono General Counsel to American Charities for Reasonable Fundraising Regulation in Vienna, VA, likes the DMA’s effort but harbors some skepticism. In an article by Dan McNamara in The NonProfit Times, Peters recounts an incident a few years ago where he inadvertently mailed a suppression list and got a 6 percent response from supposedly dead people. His point is that all those included in the Deceased list might not be deceased.

I can go one better. I am personally acquainted with the actual mailing—not suppression—of the Direct Marketing Association’s Mail Preference List by a couple of supposed junk mail professionals. That’s the list you get on when you contact the DMA telling them you don’t want any more junk mail.

The two culprits, a junk mail computer facility owner and a catalog entrepreneur, got together on a lark to test how the response to the list would be, and were pleasantly surprised with the results. Yes, folks, they really did mail to the list that is supposed to be used to eliminate people who do not want junk mail.

Although this was several years ago, it shows a certain arrogance, and the clear disregard for rules and ethics, for some in this industry.

Friday, September 16, 2005

Identity Theft, Junk Mail and Your Mailbox

An advertisement ran in major print media last June stating that, “…the majority of identity theft still takes place in low-tech ways—stolen purses, wallets and stolen mail…” There was a large picture of the rural type mailbox, front open, with the word “Database” pointing to the inside. A headline exclaimed: “Most identity thieves don’t gather their data from a computer.” The implication, of course, is that ID thieves rely on this source most often to steal your name and personal data.

In a response to the ad by the U.S. Postal Service, reported by DM News, leading junk mail industry publication, their position was that the ad was not true. They quoted an FTC report that found that stolen mail only accounted for 4% of identity theft in the U.S. Further, that 53% of identity theft is from online activities.

The ad in question was run by a group called Your Credit Card Companies, identifying the following financial institutions: Citibank, MasterCard, MBNA, Discover Card and Chase. If you go to their site, YourCreditCardCompanies.com and click on Media Center/Materials, then click on Advertising, and finally, on the ad headline, “Most identity thieves don’t gather their data from a computer,” you’ll find they’ve changed the picture from a mailbox to two garbage cans. The basic ad stays the same. Oh, the power of the U.S. Postal Service.

But when you analyze the total problem, and where the easiest link to your name and personal data is, I think the mailbox, and the garbage can, do rank right up there at the top. Here’s why.

According to Synovate, a research company that is part of the Aegis Group, US households received an estimated 5.23 million credit card offers in 2004, up 22% over 2003. Percentage of homes receiving a credit card offer was 71% with an average per month of 5.7. The financial junk mailers are blanketing almost three-quarters of the country and hitting on these households almost six times per month—which is, in itself, enough to become alarmed over—but they still wonder why ID theft is rampant…?

Tell the truth. How many of you shred the info page of credit card offers, and I don’t mean just tearing it into even small pieces? Our household does, and, knock on wood, we’ve never had an incident. We were getting well over 5.7 mailings a month, enough to stack two feet high in a short period of time when I measured it. So get on the band wagon and get yourself a shredder and at least you have done all you can.

Let me leave you with some startling facts. Eighteen percent of the population has been victim to identity theft. That’s almost one in five…52 million consumers. Eleven percent, or, almost 32 million senior citizens, those most vulnerable, are in that figure, representing over 61% of the total. You can go to the Experian-Gallup Personal Credit Index and see all the data.

There are two sites and the second, headlined, “21 percent of victims say theft of personal or financial information was done by someone they knew,” is a shocker, but, once again, confirms my belief that identity theft can be stopped only by giving consumers 100% control over their names and personal data.

Wednesday, September 14, 2005

Kids, Guns and Junk Mail

I just read an article from MSNBC titled, “1.7 million kids live in homes with loaded guns” and over 42,000 of those households reported having loaded, unlocked firearms around their children. Alabama had the highest proportion with 7.3%, Alaska next with 6.6%, followed by Arkansas, Montana and Idaho with similar figures. I’m sorry, but this sounds to me like either the parents are morons or unconscious beyond help.

After the assassination of President John F. Kennedy, who was killed by a mail order gun owned by Lee Harvey Oswald, they passed the Gun Control Act of 1968. The major force in this act was the prohibition of mail order sales of rifles and shotguns. In 1999, Senator Charles Schumer of New York introduced the Internet Gun Trafficking Act, which attempted to restrict the sale of firearms on the Internet. As far as I can tell, it is still in the Judiciary committee, or worse…forgotten.

I tried placing an online order for a gun on the Internet and the requirement is that any firearms must be delivered through a licensed dealer, subject to the gun laws of your state. Even if we don’t have an Internet law in place, certain procedures seem to dictate that firearms are not readily available to just anyone on the Internet. Of interest to me was the fact that when I Googled “mail order guns,” 6.6 million sites came up. With “Internet guns,” the number was 12.4 million.

A report was done by the Department of Health Behavior and Health Education from the University of North Carolina to evaluate just how much Internet firearms vendors encourage purchasers to conform to firearms laws. The study, “Ready, aim..click: An exploration of firearms sales practices on the Internet,” concludes that online selling of guns is extremely aggressive and easily accessible but fails in its obligation to encourage buyers to abide by firearms laws. One of the findings was a shock to me: none of the sites posted a warning on its homepage about not selling guns to juveniles. Click on the study, above, for more startling facts.

An excellent site for information on gun laws relating to juveniles is CNN.com, “State by State Look at Gun Laws in the U.S.” You can search by state with documentation of laws relating to children plus general information such as permits, registrations, etc. As we know, Alabama is on the bottom, but my state, Arizona, falls short in its lack of the Child Access Prevention law which requires adults to use a gun-locking device or store guns in a secure location. Washington, DC, and New York seem to rate highest.

There are fifteen mail order lists on the market, according to Standard Rate & Data, the bible of the list industry. They range from magazine subscriptions to hunters to parts & accessories catalogs. I tried Googling “gun parts & accessories catalogs and came up with 2.5 million sites. One of them, Numrich Gun Parts Corporation, states that they can …”supply everything from pins & springs to barrels and stocks.” Their inventory features over 180 thousand individual items from an inventory of over 650 million parts and accessories. They even supply schematics with the parts layout of firearms.

I don’t know much about guns, but I do know that general parts and accessories are not covered in the normal firearms protection laws. However, the 1968 Gun Control Act does prohibit the sale of parts or “conversion kits” used to make semiautomatic firearms fully automatic. You can get unlimited information on this subject at the Brady Campaign To Prevent Gun Violence site, and I recommend a visit there when you have time to spend.

So, we are left with a lot of facts, some protective measures, but still one major problem: kids with access to firearms. I can’t do anything about those parents who are too numb to keep their guns out of the reach of their children. And, I know it’s far-fetched but they are also likely to be the same households where a kid would order the parts and assemble a rifle or handgun. It’s the inherent mentality that worries me, and I feel we should stop this potential threat before it becomes a reality…again.

Please give me your COMMENTS on this.

Friday, September 09, 2005

The Mysterious Provision in the Highway Bill

They’re at it again. Spending our money needlessly and skirting the real issue of protecting our names and personal data. It’s the new Federal-Aid Highways law that took effect May 17. It was passed, “To authorize funds for Federal-aid highways, highway safety programs, and transit programs, and for other purposes.” It’s the “…and for other purposes” that worries me.

An obscure provision (Section 7139), will force state motor vehicle departments to use the very data brokers that have had recent breaches, and who we now know to have inaccuracies in their records, for the authentication of commercial driver’s licenses. You can read the complete article, “Highway bill has identity check provision” by Shaun Waterman on Monsters and Critics.com. The question arises, are we trying to prop these companies up now after their fall from grace?

Two immediate reasons for Section 7139 come to mind: one, to get the monkey off the back of Congress so if something else does go wrong they can say they tried. Two, another gift to big business by this administration, which, apparently, the Democrats fell in line with.

The provision is very expensive for the states, and all but promises that the imperfections in data being used will produce unlimited problems. Situations like wrongful license denials and abuse by illegal immigrants, possibly terrorists. But, as the article points out, “…a huge windfall for the databrokers…” and further, “…a cost that would have to be borne by state authorities, or passed on to applicants.”

And, of course, the data brokers had their eye on the new information that would be produced as a result of the state queries, which they could re-sell as a new commodity. Anything to add to that $4 billion that the junk mail industry is reaping annually from the sale of our names and personal data. However, a Democrat, Senator Russ Feingold from Wisconsin, stepped in with an amendment to disallow the sale of this new, private information. At least that, and, perhaps, a forecast of more restrictions on the sale of private information in the future.

Waterman points out in his article that the REAL ID Act passed earlier this year supposedly provides the authenticity that Section 7139 requires in the new bill. He goes on to cover another method of confirmation that has existed since 1992, using the applicant’s Social Security number and date of birth. With all these restraints already in place, the mystery of Section 7139 just gets deeper. This is an excellent article and a must read for anyone sick of Congressional incompetence and favoritism.

I did a piece on the REAL ID card back in May: BLOG Bulletin : National ID Card Promises to Expose Largest Amount of Personal Data, Ever, In One Location. There are two major points in that post: one, by linking all state databases, this provides one-stop shopping for identity thieves. And two, in keeping with the latter, skepticism that the Homeland Security Department could keep the data secure, with four scores of “F” in a row from the Federal Information Security Management Act (FISMA). Of course, we now have experienced HSD’s performance in the wake of Katrina.

It’s all very discouraging and just seems to be getting worse, with no improvement in sight. Unless…the American public takes a stand on the issues they feel are important to themselves and this country. This is not a partisan thing, and we just may be in the throes of spawning a new independent political party that will provide those solutions.

Tuesday, September 06, 2005

Katrina and Potential Identity Theft

We stayed quiet this past week in the aftermath of Katrina. I felt it was time to take a backseat to this natural disaster of epic proportions and let the bloggers who could, provide online aid and assistance. We’re back now, and the emphasis is on the numerous ways your personal data can be breached and you could fall victim to identity theft from the storm.

This is directed not only to residents of the New Orleans area, although one might wonder if they are even connected to the Internet, or if they care about cyberspace at this point, but to anyone doing business with a firm located in the disaster area. We’ll start with…what kind of personal information is in their files relating to your household?

As an example, you could have just moved to Arizona, selling your home in New Orleans. Local mortgage offices are one of the largest repositories of personal data in the country with everything from your IRS returns to your complete credit report. There are also records in the realtor’s office that sold your home. Most of these records are on paper and could have been strewn anywhere in the disaster zone. And then you might live in Vermont and have your life insured by a New Orleans company or have your auto insurance with a large firm that has regional offices in the area.

Of course, the banks have a carload of personal information if you bank and do financial investments in one location. Hopefully, most of this data is computerized—although there is always the paper trail used for input—but this isn’t even secure from determined looters and ID thieves.

If one is able to break into the Tucson, AZ, CardSystems Solutions computers and access 40 million debit and credit-card accounts, they are probably qualified to mount an assault on unmanned equipment, possibly unsecured, definitely not protected, and physically steal the data, no matter what form it is in. Folks, this is just how organized identity theft is, and my perception is that the planning phase began about the time Katrina passed over Florida into the Gulf and began to gain strength heading toward the Big Easy.

The last collection facility I can think of right now that could be effected in the disaster area is the smaller, local credit bureaus used regularly by the realtors and mortgage companies. A treasure trove of private information is here just like it is in the big three: Equifax, Experian and TransUnion. If the mortgage company pulls your credit report, it is probably produced at least once on paper.

Just where is all this paper or other structures of data now? The obvious answer is, I do not know, but suspect that at least some of it is in the hands of some pretty sophisticated data thieves. If I am wrong, I apologize for being the alarmist, but doubt if this is an inaccurate assumption. Some may think it is farfetched but so did we, when the bad guys were getting our private information from ChoicePoint, LexisNexis, TimeWarner, Bank of America, and the list goes on.

So what do we do about it? In Louisiana and Texas, you can freeze your credit report so that no transactions can take place without your knowledge. Go to Bankrate.com for instructions on how to follow this procedure, and all the states where it is available. It is not offered in Mississippi or Alabama. Louisiana allows you to do this without any breach of your personal data; Texas requires that you be an identity theft victim already. My gut feeling is there will be some waiving of the latter with the credit reporting agencies in response to Katrina’s havoc.

Otherwise, systematically check your credit report in stages that will thwart the ID thieves, starting with your FREE report. They are available in all states now. Request the first report within the next couple of weeks. Get the second, which you will have to pay for, thirty days later. Wait another thirty days for the third. This is only if you are affected in some way as mentioned above. Go to AnnualCreditReport.com for instructions and each paid report will cost $9.50, regardless of the credit bureau you use.

You can also call a toll-free number: 1-877-322-8228 for the report.

The local, state or federal authorities do not have the time or resources now to help in this matter. You must bear the burden to protect yourself from identity theft. If you haven’t already accessed your free credit report, your investment is only $19.00, an amount well-worth spending to prevent thousands in legal fees to get your personal identity back.