
Saturday, November 24, 2007


PRIVACY ON THE WEB MAY NEVER BE THE SAME


Google is after DoubleClick as an acquisition for two reasons, according to Business Week magazine: one, for banner advertising, videos and other display ads; two, to keep DC out of the hands of one of its biggest search engine competitors, Microsoft. But the privacy community is taking legal action against the acquisition, not over the loss of competitiveness, as would be signified by addressing the Clayton Antitrust Act, but as a matter of the loss of privacy. The general consensus of that group is that "[t]he combination of DoubleClick's Internet surfing history generated through consumers' pattern of clicking on specific advertisements, coupled with Google's database of consumers' past searches, will result in the creation of 'super-profiles,' which will make up the world's single largest repository of both personally and non-personally identifiable information." This is a quote from the litigation, which was taken from a letter to the FTC from the New York State Consumer Protection Board. Further apprehension by the board cited the possibility of our sensitive data being released to third parties and, of course, the chance of data breaches.

Google keeps the record of your Web searches for 18 to 24 months, and also has private information such as name, address, phone number, lifestyle, employment, credit card number and card verification code. The privacy concern is that, although Google isn't selling personal data now, that could change in a heartbeat, particularly by acquiring DoubleClick with its consumer private information. Back in late 1999, DC acquired a junk mail database company by the name of Abacus, with names and personal data from 62 million households, with plans to merge that data with DC's 100 million private Internet profiles. The whole idea tanked when privacy advocates went postal, even the junk mail community. Eventually Abacus was sold to Epsilon, a high-tech company with data on 250 million consumers including demographics and lifestyles. Epsilon is owned by Alliance Data Systems. Whether or not there was actually any transfer of data from Abacus for merging to DoubleClick will probably never be known.

This does point out one significant deficiency in laws like the Clayton Antitrust Act. When they were passed, there was no concept of the magnitude of the current information revolution, nor its potential nemesis, identity theft. With today's law, or even that which is in the making, there is no solution to the problem. However, the identity crisis could be solved tomorrow with the right kind of legislation, and that would be to grant consumers control over their names and personal data, and compensate them when it is used. If you need more reason why this is a bad merger, here's something else straight from the lawsuit. It is alleged that "Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines." The Organization for Economic Co-Operation and Development (OECD), an international group established in 1961, issued its Privacy Guidelines in 1980, and they are highly respected throughout the world.

Friday, November 23, 2007


MASSIVE DATA BREACH HITS UNITED KINGDOM, AND WHY AMERICANS SHOULD TAKE NOTE


In the International Herald Tribune, British Prime Minister Gordon Brown begged the pardon of the Brits involved in the loss of 25 million personal records that included bank account numbers. Based on the devalued U.S. dollar (roughly £1 = $2), some of those victims are probably here in the U.S. trying to shop with maxed out credit cards because of the breach. The fact that it has taken this long for something this colossal speaks well of the U.K.’s Data Protection Act of 1998. In Great Britain, a consumer who doesn’t know how their name and private information are being used has only themselves to blame, because the Act provides them the right to be informed by any data broker (data controller, as they call them) of when their sensitive data is used, for what purpose, the specific information to be revealed, and to whom it will be disclosed (sold); and with a written request from the individual, the data controller must provide all the above in writing, in layman’s language. After thoroughly reviewing the Act, there is no provision to exempt the government that I can find.

Therefore, it is hard to understand how a “junior” staff member from HM Revenue & Customs was allowed to copy “sensitive personal details” on nearly half the population of Britain, and place it in the mail to another agency. If it is lost, it sounds like there isn’t even any tracking, and making matters worse, it was only password protected, not encrypted. That distinction matters: a password that a viewer program checks before opening a file does nothing for whoever picks up a lost disc and reads the bytes directly; only encryption under a key derived from a strong passphrase does. Is this a flaw in the Act, or just another stupid data handler’s stunt? Kinda like the guy in the U.S. who took home the personal records of 26.5 million veterans, which ended up being stolen. Also not encrypted. The Brits had a law in place, though, so why didn’t it work? U.K. Information Commissioner Richard Thomas says it is because he doesn’t have the right to audit organizations processing people’s private information without first getting their consent. Go figure. This is the guy who enforces the UK DPA.

So back in the USA, a Republican Rep. by the name of Tom Davis from Virginia tries to convince Rep. Henry Waxman, a Democrat from California, to “pay attention to information technology security issues.” In consumer-speak that is: get off your butt and pass a data breach bill. This is coming from the GOP side of the aisle, directed at a politician who knows his way around Washington and apparently wants some rightful retribution against a President who has led this country to the precipice in the loss of individual privacy. Unfortunately Davis’ bill pertains only to federal data; one of the provisions would require federal agencies to account for and secure their sensitive information, as reported by FCW.com. You mean they aren’t required to do that now? On the other hand, Waxman has a commendable record of voting in favor of consumer privacy, so perhaps we could hear more on this issue from the seasoned Democrat. All you California readers take note: let Representative Waxman know that you would like control over your names and personal data, and want to be compensated when it is sold. Contact Rep. Waxman here.
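The “password protected, not encrypted” point above is worth seeing in bytes. What follows is an added illustration written for this page; it is not code from The Dunning Letter and has nothing to do with how the HMRC discs were actually produced. It builds two containers for the same record: one that merely stores a password check in a header and leaves the body as plaintext (the way many viewer-side “protections” work), and one that is genuinely encrypted under a key derived from the passphrase. Because the Python standard library has no AES, the cipher here is HMAC-SHA256 run in counter mode as a keystream, with a separate HMAC tag over the result (encrypt-then-MAC); that is an assumption of this example, and in production you would use AES-GCM from a vetted library instead. The sample record, passphrase and format markers are all constructed.

```python
"""Password-gated vs. encrypted: what a finder of a lost disc can read."""
import hashlib
import hmac
import os
import struct

GATED_MAGIC = b"GATED1"   # constructed marker for the "viewer checks a password" format
ENC_MAGIC = b"ENC1"       # constructed marker for the encrypted format
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def gate_with_password(data: bytes, password: str) -> bytes:
    """'Password protect' data the way a viewer-side check does.

    The header carries a salted hash of the password so a well-behaved
    program can refuse to open the file; the body is the untouched plaintext.
    """
    salt = os.urandom(SALT_LEN)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return GATED_MAGIC + salt + check + data


def open_gated(blob: bytes, password: str) -> bytes:
    """Honour the password check, then return the body (which needed no password)."""
    if not blob.startswith(GATED_MAGIC):
        raise ValueError("not a gated blob")
    off = len(GATED_MAGIC)
    salt = blob[off:off + SALT_LEN]
    stored = blob[off + SALT_LEN:off + SALT_LEN + 32]
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(stored, check):
        raise ValueError("wrong password")
    return blob[off + SALT_LEN + 32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES, see lead-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_with_password(data: bytes, password: str) -> bytes:
    """Encrypt-then-MAC with encryption and MAC keys derived from the passphrase via PBKDF2."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    enc_key, mac_key = master[:32], master[32:]
    ciphertext = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    header = ENC_MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_with_password(blob: bytes, password: str) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong password or any tampering fails."""
    min_len = len(ENC_MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN
    if not blob.startswith(ENC_MAGIC) or len(blob) < min_len:
        raise ValueError("not an encrypted blob")
    off = len(ENC_MAGIC)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    body_start = off + SALT_LEN + NONCE_LEN
    ciphertext, tag = blob[body_start:-TAG_LEN], blob[-TAG_LEN:]
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    enc_key, mac_key = master[:32], master[32:]
    expected = hmac.new(mac_key, blob[:body_start] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def leaks_plaintext(blob: bytes, needle: bytes) -> bool:
    """What the finder of a lost disc does first: search the raw bytes."""
    return needle in blob


if __name__ == "__main__":
    # Constructed sample record; not real data.
    record = b"Smith,Jane,NINO QQ123456C,sort 12-34-56,account 12345678"
    gated = gate_with_password(record, "Tr0ub4dor&3")
    sealed = encrypt_with_password(record, "Tr0ub4dor&3")
    print("gated blob leaks account number:", leaks_plaintext(gated, b"account 12345678"))
    print("encrypted blob leaks account number:", leaks_plaintext(sealed, b"account 12345678"))
```

Run it and the gated blob reports True (the account number is sitting in the clear after the header), while the encrypted blob reports False and refuses to decrypt under the wrong passphrase or after a single flipped byte. The practical check on any “password protected” export is exactly that first line: open the file in a hex viewer and grep for a known value.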

FOCUS ON PROTECTING YOUR IDENTITY


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail (jack.dundiv@cox.net) with any questions.

Wednesday, November 21, 2007


IS BARACK OBAMA THE PRESIDENTIAL CANDIDATE MOST LIKELY TO PROTECT YOUR PRIVACY?


Yes, says The Ponemon Institute research firm, according to a poll of the American public, and Rudy Giuliani is least likely. The study also found that 40 percent of you say that protection of your privacy rights is either important or very important in deciding your choice for president. (See MSNBC article) On the Democrats’ side, it seems that survey participants favor Obama over Hillary Clinton and John Edwards almost 2 to 1: 43 percent for Obama, 25 percent Edwards, 23 percent Clinton. Larry Ponemon thought that a little strange, since Clinton is the only Senator of the three sponsoring privacy legislation.

I did a post on March 9, 2006, titled “Why the Democratic Party is NOT the Party of Privacy.” (Scroll half way down page) In that piece, which was done over 18 months ago, I exclaimed that Republicans have not, nor would they ever, address the issue of individual privacy. The privacy of business, yes, but the little guy, no. I also quoted a 2000 article from ZDNet.com that was optimistic over what the Democrats would do, but it was obvious at the time they hadn’t done it. And they still haven’t. I wrote a letter in late 2005 to Howard Dean, Chairman of the Democratic National Committee. In it I outlined my concept that could stop identity theft at its birth, putting a whole new face on the privacy issue. It would also include an option to participate in a program that could serve as a supplement to retirees’ Social Security or pension plan. Simply stated, the concept is to grant consumers control over their names and private information, and compensate them from the $4 billion the junk mail list industry makes from their sensitive data each year. Bold, original, even outrageous to some...but a workable plan. This would require federal legislation, and this is what I suggested to Governor Dean, as well as making privacy an important plank in future platforms of the party. Never heard from Howard.

What did happen later is a mailing they sent me with a survey of important issues including: the economy, Social Security, foreign policy, education, the environment and health care. Agreed, these are all extremely important, but shouldn’t privacy be in there somewhere? I sent the same appeal to Barack Obama in the early stages of his campaign. Now we all know the Senator does not have the time to reply personally to specifics of my concept, maybe not even top staffers, but someone down the line should have at least gotten back to me and said we think your idea has merit, or you’re nuts and we’re not interested. Otherwise, why encourage responses on the Obama ’08 Website? Since they established an Arizona presence, I get phone calls on a weekly basis, none of which addressed my concept, and my reply has been that if the Senator is willing to consider my approach to the identity crisis, I would consider supporting him, and work for the campaign. From my conversations with the volunteers, it would appear they are looking for warm bodies to do what they want me to do, like, perhaps, door-to-door canvassing. I tried to offer my services once before in predictive modeling to the Arizona Democratic Party, but after weeks dealing with a floundering staff, I gave up. Maybe it’s time for candidates of all kinds to understand that they need to view some volunteers as specialists when they are trained for a certain kind of job. There are some who simply want to lick envelopes because they don’t want to get too involved. However, I do want to get involved, but only with the right candidate.

HAPPY THANKSGIVING! The Dunning Letter will return Friday.

Tuesday, November 20, 2007


FINANCIAL JUNK MAILERS DETERMINED TO FIND YOU


When they took away the ability of the credit bureaus to sell lists specific to consumers’ credit history and scores to junk mailers, at first it was like when they thought TV would replace radio. The latter didn’t happen, and neither did the banks and insurance companies give up on finding a way to reach you without credit data. I was a list/data broker at the time this happened in 2002. It all centered around a Federal Trade Commission (FTC) case against TransUnion: the FTC’s 2000 order barring the sale of those lists, which the credit bureau lost on appeal in 2001 when a three-judge panel of the D.C. Circuit agreed with the FTC that the individual’s credit history is protected against being sold by the Fair Credit Reporting Act (FCRA), and the Supreme Court declined to hear the case in 2002. Selling this most sensitive of data was also an obvious violation of the Gramm-Leach-Bliley Act passed in 1999. In its litigation, TransUnion argued that your Social Security number is not “financial” information; therefore, its sale should not be prevented or regulated. This is one of the dumbest statements I have ever heard from a data broker, particularly one that is also a credit bureau. The Social Security number, along with only a name and address, will open the door to identity thieves with the utmost of ease.

But TransUnion and the other data brokers found a way around the regulation, as usual, using aggregated data to produce models that would predict a household’s credit worthiness. This was, and continues to be, a major factor in determining your risk when it comes to auto and homeowner insurance. On the other hand, other companies in the field like Genworth Financial Inc. decided the red tape was too complicated, and have begun to rely on non-credit-based junk mail. Genworth was spun off from General Electric in 2004, and I bring them up because I have a life insurance policy with the company, and am aware of their collection and sharing of my personal data. They send out 50 million pieces of junk mail each year, focusing on predictive modeling techniques, according to industry publication DM News. But once they have captured you as a life insurance customer, here is what they ask for and share where permitted by law. They have my name/address, SS#, income and assets, other credit accounts in my name including payment history, and medical data. This is used in the normal manner for eligibility, claims, etc., but it also can be shared with outside “affiliates” to sell us something. And there lies the hitch: releasing this private information, even though Genworth exclaims the “affiliates” are required to protect our data, is just another location where it sits, waiting to be harvested by the ID theft bad guys. I put affiliates in quotes because companies never explain to you just what that means, or who it includes. I may be paranoid, which I am about my privacy, but this indicates to me there is something to hide.

Monday, November 19, 2007


IDENTITY THEFT WITH A HOOK: COUNTERFEIT CHECKS


There are so many ways to steal your identity that it is near impossible to remember the accumulation of possibilities, or just what the next invention of this kind of fraud might be. In late 2006, the counterfeit check con from overseas began to take its place as the latest ploy in stealing your identity, according to a release by the Federal Trade Commission (FTC) in January of 2007. It started with foreign lottery winnings that you could claim by depositing the cashier’s check you receive through the mail, and then wiring money to the sender to pay the taxes and fees. Of course, the cashier’s check is no good, and you are out the amount you wired. I don’t know who was receiving this early version of the scam, but our household has never had the honor of being contacted. My gut feeling is that the crooks used what is known in the junk mail industry as “gullibles” lists. That is not necessarily a derogatory term, but rather a means to identify people that reply to advertising that literally promises something for very little or nothing. Sorry, those of you who bite, but in most cases it is obvious you are being taken.

Like all identity theft hoaxes, this one has proceeded through its evolution to a new stage that is reported by MSNBC. The latest approach in the counterfeit check deception is using name brands like Publishers Clearing House and Readers Digest to front for a crooked sweepstakes, along with retaining the demand for the prey’s check to cover shipping and taxes. On another note, a Richmond, Virginia business woman who had an apartment to rent in Chicago fell for the subterfuge of taking a United Kingdom man’s “relocation package” check, depositing it in her account, and then wiring the man back the difference between the $25,000 and the amount he owed her, which was around $4,000. When the bank found out the check was no good, they reversed the deposit and this “business woman” was out $4,000. That timing is the whole trick: a bank must make deposited funds available within a few business days, but a counterfeit check can still come back unpaid weeks later, and when it does, the depositor, not the bank, owes the money already wired away. “Funds available” is not the same as “check cleared.”

It just so happens that the average counterfeit check victim loses about $4,000, which is $2,200 less than the typical identity theft victim lost in 2006. No wonder it works; some bank tellers cannot even tell that the checks are phony. The U.S. Postal Service is cracking down, seizing more than a half-million counterfeit checks worth $2.1 billion between January and August of 2007. They came from such far-reaching places as Nigeria, the Netherlands, England and Canada. What worries me most is that this is one method of swindling the consumer that I haven’t yet figured out a way to cover in my mission to grant consumers control over their names and personal data. But I am working on that problem as I speak.

Saturday, November 17, 2007


AT LEAST SOME DEMOCRATIC PRESIDENTIAL HOPEFULS WANT TO PROTECT OUR PRIVACY


The Bush/Cheney clan is once again pursuing the right to spy on innocent Americans by trying to force changes in a new version of the surveillance bill already overwhelmingly approved by the Senate Intelligence Committee. You remember all this Big Brother stuff from the NSA scrutiny of telephone calls in the U.S. starting in 2001 and reported by MSNBC at the end of 2005. AT&T and Verizon were eventually cited as providing personal customer data to the Bush administration without having been served legal warrants as required by the Foreign Intelligence Surveillance Act (FISA). According to a Newsweek article, “The Politics of Eavesdropping,” Sen. Chris Dodd of Connecticut said in October of 2007 that he would filibuster against this legislation, and USA Today says Dodd “will use his senatorial ‘hold’ power to prevent the Foreign Intelligence Surveillance Act legislation from being considered by the full Senate. The move would effectively stall a measure that President Bush and Director of National Intelligence Mike McConnell have said is essential to protect national security.” MoveOn.org and DailyKos stepped in to pressure more Democrats to step up to the plate, and Sens. Barack Obama and Joe Biden did just that, falling in behind Dodd. Hillary Clinton wants to study the bill “very hard.” The bill is designed to update and extend the Protect America Act, which gives the intelligence guys more authority. Just what we all need. In the new Senate bill, any electronic eavesdropping has to be approved by the FISA court, which is good. What is bad is the fact that Bush is demanding that AT&T and Verizon, plus all other communications companies who cooperated in the surveillance program, get blanket immunity from lawsuits, which number over 40 at this time.

The litigation states that companies like AT&T and Verizon violated their customers’ privacy, but I have what I feel is possibly a parallel interest that could impact the dreaded, long-term contracts that we are required to sign for wireless service. Did AT&T, Verizon and the others, by releasing customers’ private information, violate the terms of the cell-phone contract? If so, does that give the individual who wants out of a bad contract the right to cancel? It would be great to hear the opinions of attorneys on this issue. I am a Verizon wireless customer, but so far I am happy with my contract. However, what I am not happy with is their latest privacy notice, which states that I must physically and personally opt out of allowing them to share my private information with affiliates, agents and company subsidiaries. Wrong! It should be on an opt-in basis only, and this is the major problem today with companies sharing our names and personal data. Opt-out is a form of trickery that assumes most folks won’t take the time, much akin to an old junk mail philosophy that, even if customers didn’t like the merchandise they ordered, they wouldn’t take the time and spend the money to return it. The Verizon print in this matter is so small you almost need a magnifying glass to read it, but I did catch the phrase that specifies they can disclose my personal data “to comply with any laws, court order or subpoena,” none of which were exercised by the government in the NSA incident. The ultimatum in Verizon’s privacy notice was that unless I replied in the negative in 30 days, they were free to share this sensitive information with those designated. I’m letting it ride for the time being, because I monitor the activities of every company we deal with that collects our private information. Somewhere in the future, I might decide I don’t like the Verizon contract, and could have the ammunition to opt out of everything, including their service.


Friday, November 16, 2007


IT’S FRIDAY MORNING. DO YOU KNOW WHERE YOUR NAME IS?


With over 50,000 lists on the market being sold hourly by the junk mail industry, I feel it is important that you know something about the kinds of lists where you might find your name and private information. Until consumers are granted control over this sensitive data, there is really nothing you can do to prevent its sale, except put your name on the Direct Marketing Assn.’s (DMA) Mail Preference Service (MPS), and the FTC’s Do-Not-Call (DNC) list for telephone solicitation. The FTC’s DNC list seems to be working, but I am not so sure of the DMA’s MPS, based on reactions of people who are on it. Besides, the FTC requires all telemarketers to use the DNC, but the DMA’s control over use of the MPS list is limited to its membership. However, some large and well-known junk mailers are not even members, as well as hundreds of smaller companies. When I was still working as a list/data broker, I even ran into the head of a computer processing facility who recommended mailing the Mail Preference Service list to his clients; the reasoning was that these people were receiving very little mail by being on the list. He was also a member of the DMA.

This will become a regular feature of The Dunning Letter, based on lists that are applicable. To start, there is a new list by the name of “America’s Wireless/Cell Phone Owners With Opt-In E-Mail Addresses,” which claims to have a universe of over 103 million. You have given this list owner the right to sell your name for e-mail advertising and for telemarketing, and you have identified your wireless carrier. In addition to normal junk mail marketing, the list is being recommended for debt collections and skip tracing, the latter being a method to harvest an individual’s personal data. They know your age, the age of your children, date of birth, income and your lifestyle habits.

Next is the “Consumers With High FICO Scores” list, which reflects the credit score used when you apply for mortgages or other means of credit. There are 431,000 individuals captured from, and this comes straight from the list owner, credit applications you made for high dollar, re-finance or mortgage loans, sold to them by the three credit bureaus, Experian, Equifax and TransUnion. The list is broken down by the typical FICO ratings of 800+, 750-799, 700-749, and 661-699. By the way, they also have a list of those of you with low FICO scores, starting at 650 and going down. I can see a potential problem of “low scores” getting in the wrong hands, since restraints on renting this list would probably be much less stringent than obtaining your FICO score from the credit bureaus.

And finally, the “Revolution Automotive Data” list. Take away one source for names, and junk mailers will always find a new one. This was the case when a law prompted by the 1989 shooting death of actress Rebecca Schaeffer was passed in 1994 preventing states from selling motor vehicle records. Schaeffer’s killer obtained her address from the California Dept. of Motor Vehicles. The law was the Driver’s Privacy Protection Act of 1994, which virtually closed down a complete division of R.L. Polk that compiled and sold the list. The new list contains more than 25 million names with the type of vehicle owned from Acura to Volvo, including your name/address, telephone number and e-mail address. They also know your age, income and lifestyle habits. It is my opinion as a former list/data broker for 35 years that there are some lists you may choose to be on because you want the latest gardening or apparel catalogs, but there are some you probably don’t want to be on. My guess is the above three fit in the latter category.

Thursday, November 15, 2007


KEN MAGILL IS A JERK! DON’T KNOW WHO HE IS? READ ON, IT’S WORTH IT


Junk mail trade publication Direct Magazine has an article by a blow-hard that is typical of some people in this industry. His name is Ken Magill, and although I don’t normally read much of his stuff, this one is a doozy. He calls the proposed Internet “Do-Not-Track” list (see Washington Post article), which would allow consumers to opt out of having their online habits monitored and stored in a database, the “Mother-of-all-Cockamamie ideas.” I covered this briefly not too long ago, thinking I would pick it up again when the legislation was actually introduced. But I just couldn’t wait after reading Magill’s piece, “Do-Not-Track list: Dumbest Idea Ever,” while thinking how lucky I am to no longer be a part of the junk mail business. Thirty-five years as a list/data broker convinced me that consumers should have control over their names and personal data. But preposterous commentaries like this, if representative, prove to me that junk mailers aren’t even close to giving up on their premise that they own your name and private information, along with the right to do with it as they please, including selling it all over the world.

More of Magill’s absurdity: “When you visit a Web site, the information surrounding that foray is not your personal information. It’s the site owners’ information, too. You’re on their property; you’re using their resources. Telling them they can’t monitor you on property they own is akin to telling a retailer to shut the store cameras off.” What the hell does that mean? The American public does have the right to decide if they want someone looking over their shoulder when they are surfing the Internet. As a matter of fact, the more pragmatic junk mail publication, DM News, in an article by Dianna Dilworth, reports that AOL has actually designed technology that will allow their online customers to opt out of behavioral targeting. And Magill’s ridiculous raging over environmentalists wanting to get rid of all catalogs is also ludicrous. Environmentalists, and privacy advocates like myself, only want junk mailers to figure out a better way to get responses, based on the fact that they currently have to mail 100 catalogs to get no more than two orders, the rest ending up cluttering the environment. From my experience, most junk mail companies were either too cheap to do the predictive modeling that would have at least eliminated some of the 98 percent excess, or they just were too unsophisticated to understand the benefits.

He says he’s “sick to death of so-called privacy advocates who don’t hold down real jobs making ludicrous demands on those who make the Internet economy work.” The “so-called privacy advocates” Magill refers to that are supporting the Do-Not-Track bill are prestigious organizations like Consumer Federation of America, Electronic Frontier Foundation, Privacy Rights Clearinghouse and World Privacy Forum. He mentions behavioral targeting, a term for profiling your daily habits based on what you search for and visit on the Internet, and how the loss of this would doom e-mail advertising. Most people I know would welcome the loss of unsolicited (spam) e-mail advertising, but that’s not the point here. To track a person’s online habits on a regular basis and commit this data to memory that is eventually sold by data brokers is plain and simple an invasion of their privacy. It is laughable diatribes like Magill’s that keep junk mail from progressing into the advanced advertising medium it could become. It is time for this industry to start being up front with the consumer, and level with them regarding how their names and personal data are manipulated and sold. It could start by releasing actual figures on just how much revenue is realized annually from the sale of our private information. I estimate it is over $4 billion, so here’s your chance to prove me wrong.

Wednesday, November 14, 2007


ANOTHER BUSH MINION TELLS US TO KISS OFF PRIVACY


In yet another “I can’t believe he said that” statement, Donald Kerr, principal deputy director of national intelligence, said that “it is time that people of the United States changed their definition of privacy.” In other words, give it up, because you’ve either lost it or are in the process of losing it anyway. On the latter, we are dangerously nearing the edge, but I for one am not anywhere close to changing my mind about the privacy protections I expect from business and government. We may be over the line now, but a consumer revolt is in the making, and I have faith that the American public will stand up and demand their rights. In Pamela Hess’ Associated Press article, “Intel official: Expect less privacy,” she quotes Kerr while bringing us up to date on Congressional activity in regard to the Foreign Intelligence Surveillance Act (FISA). This is the law that required court permission to spy on innocent Americans until Bush came along. Dubya backed off temporarily, but now wants to go ahead again full-bore with surveillance activity comparable to what he gave us in the NSA incident.

The Seattle Post-Intelligencer did an excellent editorial on Kerr’s statement, discounting his commentary that typing your name into Google is a loss of privacy with the retort: “Google is not comparable to the government sifting through one’s private records and listening in on one’s phone conversations without going through the proper channels.” The SP-I added: “Even more laughable is the assertion that we should just trust the government and businesses to safeguard their information.” I don’t know about you, but any person as high as Kerr is in the intelligence community who starts musing over the individual’s future privacy expectations makes me very suspicious of what the administration’s next move might be. Big Brother Bush, along with Little Brother Cheney, still have a year to unleash whatever they can conjure up to bring Orwell’s threat to our doorstep. And with a stalled Congress on this issue, including the Democratic majority that has always stood for protecting our individual rights, consumers can only depend on the power of their numbers. You can use those numbers first by contacting your congressional representatives and telling them just how you feel about maintaining your privacy, and if they don’t do something soon, let them know your displeasure when you vote in 2008.

Kurt Opsahl, senior staff lawyer with the Electronic Frontier Foundation, a privacy advocacy group, says “Anonymity has been important since the Federalist Papers were written under pseudonyms.” I researched the Federalist Papers, which were written to garner support for the new U.S. Constitution in 1787, and as is the case in the Constitution itself, there is no specific use of the word “privacy.” Maybe the time has come for a constitutional amendment that would make privacy a guaranteed right of the people, laying the groundwork for granting consumers control over their names and personal data.

Tuesday, November 13, 2007


VISA KNEW TJX HAD SECURITY PROBLEMS


The Visa credit card company knew in late 2005 that TJX (TJ Maxx, Marshalls) had “extensive security problems,” but made the decision to allow the retail chain to remain non-PCI-compliant until 2009. This meant that TJX did not have to meet the payment card industry’s security requirements at that time. In an eWEEK.com article by Evan Schuman, a Visa VP wrote the conceding letter in December of 2005, months after the bad guys had hacked into the TJX system. Whether or not the retailer was doing its best to mitigate the problem remains to be seen, but what is for sure is the fact that this turned into the largest data breach that this country has ever experienced. Some 94 million credit card numbers are out there, and they are there because the ID thieves planned to use them to steal consumers’ names and private information. I did a post on this in late October which you can see here. The theme of that article was that we cannot depend on business to protect our names and personal data, and this latest disclosure of Visa’s earlier decision on TJX PCI compliance supports that premise.

TJX said in its original announcement that “only” 45.6 million credit card numbers were stolen, adding that 75% were unusable because the cards had expired or their magnetic-stripe data had been masked. Let’s hope this applies to the 94 million figure as well, but, regardless, even at the lower number, there will still be 11.4 million usable credit cards in the hands of the crooks. You can read more about this in a ComputerWorld article where a lot of the current litigation against TJX by several banks, including a class-action lawsuit, is covered. The 94 million figure is based on information from the bank litigants, but TJX is sticking to its original number. A leading technology expert says the reason for the discrepancy is the fact that TJX probably didn’t have the necessary records for complete analysis of the incident. Steven D. Bearak, chief executive of Identity Force in Framingham, Mass., also where TJX is headquartered, comments: “Customers are at a high risk. This was an intentional, malicious intrusion into TJX’s system. This appears to have been an attack, well thought out, well planned, and well executed.”

I emphasize this point again to convince the American public that there is money behind the madness of these identity thieves...the consumers’ money. Stealing your sensitive data for profit is a business, a very sophisticated one, and it’s not going to go away any time soon. There are band-aids to prevent further harm after the initial damage is done, but none of these will guarantee your security unless you literally shut down your credit access. There is only one way that the consumer can live his or her normal lifestyle and maintain a level of security for their names and private information that is totally secure. That is to have control over this sensitive data, and while we’re at it, let’s compensate the name-holder when it is sold. And you will continue to hear this until it sinks in.

FOCUS ON PROTECTING YOUR IDENTITY


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail (jack.dundiv@cox.net) with any questions.

Monday, November 12, 2007


QUESTIONABLE REPORTS STILL COMING IN ON THE SEVERITY OF ID THEFT


The latest report to be published on whether identity theft is a “real” threat to consumers says that the victims of the smaller data breaches are more likely to suffer harm than the victims of the larger ones. Wal-Mart and the banks that issued the cards used in the biggest breach ever, TJX (TJ Maxx, Marshalls), with its 94 million lost card numbers, may not agree. They were out over $8 million in a Florida crime spree that ran on cards from that breach, according to InfoWorld. Businesses are victims, but unlike the consumer, they have the ability to pass these losses on to their customers. So it’s the little guy who eventually pays the bill, and the one who ends up saying, “where the hell do these people get their conclusions?” ID Analytics, a company in San Diego that analyzes identity risk through identity scoring for the financial community, retail trade, telecommunications, e-commerce, insurance and government, and also runs a program to alert consumers of their potential for ID theft, just released a new study on the issue. (See article) All of this obviously requires a huge database—yes, another one—of public and private information, which includes three billion identity elements and allows them to evaluate more than 700 million events for identity risk. Eight million new data elements are added daily to keep their analyses current. I don’t know over what period of time their scrutiny took place, but their report states the crooks move through stolen data quickly, moving on to the next breach within two weeks. From what I know, and there is agreement here from several other privacy advocates, the bad guys have become so sophisticated they are now building databases from the spoils of their theft of personal data so that they can use it at the opportune time. Like one year later, once credit monitoring is over.
Matt Hines in the InfoWorld article comments on another of ID Analytics’ conclusions that “there is no evidence that fraudsters misusing breach data have been selling the information broadly, or distributing it over the Internet.” Hines takes issue with this conclusion and asserts: “Almost every data security expert you talk to will tell you that these underground ID data marketplaces exist, but, clearly in the case of the 10 million records that ID Analytics researched, there wasn't much evidence of this trend.” Apparently no one at ID Analytics looked at Chris Hansen’s two-part NBC “Dateline” show (Episode 1, Episode 2) back in July where they intentionally exposed personal data including a Social Security number, which ended up for sale on the underground Internet in less than an hour. Perhaps ID Analytics would like to reply to these allegations since there seems to be such wide disagreement with their results. My concern is that we are hearing too many reports of this nature, when the majority of business and government are even admitting that we have an identity crisis, and that there is yet no clear solution. But there really is: Give consumers control over their names and personal data.

Saturday, November 10, 2007


BEWARE THE NIGERIAN 419 SCAM…ESPECIALLY IF YOU ARE AN ANIMAL LOVER


We were formally introduced to Nigerian ID thieves with the ChoicePoint breach in February of 2005, when 163,000 of your personal records were heisted from CP by Oluwatunji Oluwatosin, a Nigerian living in Los Angeles. He was sentenced to 16 months for this back in 2005, and the FTC has recently announced it has identified at least 3,800 ID theft victims from the fraud. (See article) But the latest scam involves puppy love, and the Nigerian copycats’ ability to con you with a cute little dog that needs a home only you can give it, by sending money that will also save it from a “horrible” death. As Helen Popkin reports on MSNBC.com, the Nigerians are able to adjust to just about any need or lifestyle to get your money. And, unfortunately, there have been suckers, which I fault not only because by now the public should be aware of this method of swindling people, but also because—as Popkin notes others have asked—why not help dogs, and cats, in this country by adopting through the SPCA or your local humane shelter? The 419 is a straightforward pitch that takes no pains to achieve grammatical accuracy and offers you a huge amount of money in exchange for your bank account number; the approach may be that of a missionary, a religious appeal, the love of your life, and now the puppy of your dreams. I receive them regularly in my e-mail, 20 in the last five months, one in bold caps and one purportedly from Publishers Clearing House. Some even clearly state their Nigerian origin, which means some people either don’t read the whole message, or they just don’t get it. Or maybe some of us are too greedy to face the realization that the crooks have found a goldmine in the stealing of our names and personal data. In one case Popkin recounts an occurrence where a hitman offers to cancel the hit on you if you pay him enough. And her doctor fell for it. So where do the crooks get the names of their potential victims? According to some experts, names are obtained from industry trade journals and professional directories, newspapers, libraries and mailing lists. In the latter case, it is obvious the junk mailers could be duped into releasing lists of names and e-mail addresses to the wrong people, based on the ChoicePoint incident, above. In my former life as a junk mail list/data broker, it was not that difficult to slip a bogus offer past the list manager who approved all mailings, not that I ever even considered doing this. This has changed somewhat since the CP fiasco. The University of Pennsylvania has some excellent information on the 419 scam with additional insight into where the ID thieves get your names. They buy lists like other spammers while also exchanging names with the spammers. Other sources include Usenet discussion groups, probably similar to looting from file-sharing programs; searching online directories; and the old numbers game of brute-forcing a mail host by trying every possible 8-character address until one is accepted. As we have said repeatedly in this blog, create a new database of names and private information, and the bad guys will figure out a way to steal it.

Friday, November 09, 2007


MORE CONGRESSIONAL RUMBLES THAT NEVER GO ANYWHERE


Congress is at it again, this time raising concerns over cybercrime. Sound familiar? Let’s see now, how many data breach laws did they propose that went nowhere when that was the popular issue, and still is, by the way? The last count was around six in 2007 alone, according to Consumers Union, with several more introduced in 2006. One House member said: “There is a rising debate in Congress on how to best combat the growing cyberthreat.” I looked up the definition of “debate” on Dictionary.com, and there were 13 meanings for the word. If debate is the first step, it is suggested that the U.S. Congress click on this site, learn what the term entails, and then proceed to get something passed for a change. In Government Computer News, William Jackson tells us: “During the past few years a score or more bills have been introduced in both houses on subjects such as computer crime, infrastructure protection, spyware and data breaches. A number of them now are pending. Few have made it to floor votes, let alone into law.” Jeannine Kenney, senior policy analyst at Consumers Union, says industry and government are not investing in cybersecurity, and I doubt that comes as a surprise to anyone. Further, she thinks they need incentives to do something that would secure our sensitive data, which is pathetic since the consumer ends up being the one who suffers in the end. ZDNet/Government reports that the Russian Business Network in St. Petersburg is the world’s hub for phishing, spam and identity theft, as well as child porn. Why hasn’t Bush asked Putin about that? The Washington Post thinks these guys might be responsible for half of the phishing incidents in 2006. And they are “connected”…like in the Mafia, and most likely bribing the government. But here’s the statement to end all stupid data breach statements. Stuart Pratt, president of the Consumer Data Industry Assn., and Hugo Teufel III, the Homeland Security Department’s chief privacy officer, both indicated in the article that “collecting personal data can improve security and resulting risks to privacy are an acceptable trade-off.” Try running that one by the 8.9 million victims of identity theft last year, who lost an average of $6,278 each. Pratt goes on to say that the American public has become used to certain invasions of its privacy because of the risks involved in the marketplace. That is true, but it doesn’t excuse the fact that the majority of consumers have become “Apathetics” toward the misuse of their private information. It is quite obvious that everything we do today is becoming more and more dependent on the Internet, and, with that, we can expect more cybercrime. We just have to decide if we are going to give in and accept the inevitable, or stand up and take control over our names and personal data.

Thursday, November 08, 2007


DUMBING DOWN ON PRIVACY


Here’s a question for which there is an easy answer. Should we have a “Do-Not-Track” list for people who do not want their Internet habits collected and stored? Of course! Look at the success of the Federal Trade Commission’s “Do-Not-Call” list; over 145 million have signed up. The Washington Post has an article describing the support for a Do-Not-Track list among privacy, consumer and technology groups, while Internet companies are doing their best to increase tracking. Modeled after the FTC’s DNC registry, it would use a sign-up process registrants already know, making it an almost effortless procedure. One industry group says the industry regulates itself by allowing people to opt out of cookies, but privacy advocates have said self-regulation doesn’t work because the opt-out process is too complicated. We’ll keep a close eye on this one. The Seattle man, Gregory Kopiloff, who heisted $73,000 from 50 people by using online file-sharing programs to commit identity theft, made a plea agreement acknowledging his guilt. (See MSNBC) Kopiloff used the programs to reach into victims’ computers for their personal information, including tax returns, credit reports, bank statements and student financial aid applications. It’s pretty simple to get into your system if you are part of a file-sharing network and have shared more of your disk than you meant to, but, interestingly, Kopiloff also took the old-fashioned approach of stealing mail and searching trash cans to get his information. The guy could get up to 20 years in prison and a fine of $250,000 for his shenanigans. Just one more example of the sophistication of the identity bad guys. Credit card mailings are down somewhat in 2007, according to the junk mail industry publication Direct. However, the year is still projected to produce the third largest volume since 1988. The forecast for 2007 is 5.3 billion pieces of unsolicited credit card mail, each of which is one of the best sources available to ID thieves for stealing your identity. This will in turn produce some 32 million applications, and with each new approval will come an onslaught of credit card convenience checks, again, a primary stockpile of resources for the crooks. Although TV and the Internet are stealing some of junk mail’s glory, the frightening fact is that for the foreseeable future, more than 50 percent of credit card solicitations will continue to come to your mailbox. Thought you were safe in front of that webcam? Think again, says Popular Mechanics. As the PM piece explains, the camera is attached to a computer that is on the network, so anything can happen, including an intruder who gets into your machine and watches you through it. Up-to-date virus protection and a good firewall help prevent this, but only if the rest of the system is kept patched as well. Your credit score, or rather a reasonable facsimile, is being sold by a major junk mail data broker. Focus USA has come up with over 62 million names it has scored with a system it says is “created to identify FICO-like industry credit scores using historical patterns of credit usage and payment behavior.” The list name is “Credit Score Index” (CSI), and it is based on individual data but aggregated to the zip+4 level (a grouping of 5 to 10 households), which allows the data broker to sell it to junk mailers for all types of offers except firm offers of credit. But it can be used by credit card companies to solicit new accounts, and this additional source could push the 5.3 billion figure, above, for unsolicited credit card mailings much higher.
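As an added example (not code from the original post or from any data broker), here is what aggregating individual scores to the zip+4 level actually does and why a group of five to ten households is thin cover: a group of one is the individual’s score, and a group of two gives away the neighbor’s score to anyone who knows his own. The household records and scores are constructed, the zip+4 values are made up, and the k=5 suppression floor is an assumption of mine, not a figure from the page.

```python
"""Aggregate constructed household scores to ZIP+4 and check group sizes (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed sample: (zip+4, FICO-like score). Every value here is made up.
HOUSEHOLDS = [
    ("55555-0001", 710), ("55555-0001", 640), ("55555-0001", 790),
    ("55555-0001", 655), ("55555-0001", 720),   # five households
    ("55555-0002", 580),                        # a ZIP+4 with one household
    ("55555-0003", 690), ("55555-0003", 700),   # two households
]


def aggregate_by_zip4(records, k=5):
    """Return {zip4: {"households": n, "mean": m, "released": bool}}.

    A group smaller than k is marked as not releasable: its "average" is,
    in effect, an individual's score. k=5 is an assumption matching the low
    end of the 5-10 household grouping the text describes.
    """
    groups = defaultdict(list)
    for zip4, score in records:
        groups[zip4].append(score)
    summary = {}
    for zip4, scores in groups.items():
        n = len(scores)
        summary[zip4] = {
            "households": n,
            "mean": round(mean(scores)),
            "released": n >= k,
        }
    return summary


def singletons(summary):
    """ZIP+4 groups whose aggregate is exactly one household's score."""
    return sorted(z for z, g in summary.items() if g["households"] == 1)


def infer_neighbor(records, zip4, own_score):
    """Differencing attack on a two-household group: a resident who knows
    his own score recovers the neighbor's from the released mean.
    Returns None when the group is not exactly two households."""
    scores = [s for z, s in records if z == zip4]
    if len(scores) != 2:
        return None
    # mean * 2 == sum of both scores, so the other score is sum minus own
    return sum(scores) - own_score


if __name__ == "__main__":
    result = aggregate_by_zip4(HOUSEHOLDS)
    for zip4, g in sorted(result.items()):
        print(zip4, g)
    print("single-household groups:", singletons(result))
    print("neighbor's score in 55555-0003 if mine is 690:",
          infer_neighbor(HOUSEHOLDS, "55555-0003", 690))
```

The suppression threshold only limits the most obvious leak; even a group of five or ten households narrows a score to a small neighborhood, which is exactly the granularity a mailer wants and a privacy advocate objects to.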


Wednesday, November 07, 2007


THE OPEN DOOR TO DATA BREACHES


As of November 1, 2007, there have been 718 data breaches since January 2005, exposing almost 216 million personal records to potential ID thieves, according to the Privacy Rights Clearinghouse Chronology of Data Breaches. So far in 2007, there have been 288 breaches, compared to a total of 336 in 2006, with 2007 on target to surpass that. 2007 has also accounted for the largest data breach ever, the TJX (TJ Maxx, Marshalls) loss of 94 million records, and then there was Monster.com’s release of 1.6 million e-mail addresses, a mouthwatering treat for the phishing community. State governments, we have a problem, and I defer to the states because Congressional leaders cannot get their act together to come up with even the simplest identity protection for the American consumer. Meanwhile, the breaches are in bountiful supply. In October, Home Depot had a laptop stolen with 10,000 employees’ names, addresses and Social Security numbers. However, it included no customer data. Boston-based Iron Mountain Inc.—get this, a data protection and storage company—lost ten years’ worth of bank account records and Social Security numbers for nearly all Louisiana college applicants and their parents. (Read the story) Also in October, the TSA lost, or had stolen, the personal data (name, address, birthday, driver’s license number, and some Social Security numbers) of 3,930 truckers who haul hazardous materials. Back in May the TSA lost a hard drive containing private information on 100,000 government workers. (See article) Still in October, ComputerWorld reported a laptop stolen with the unencrypted personal data of 159,000 former and current employees. The breacher was Administaff, a Houston-based provider of outsourced human resources services. And then there are three colleges/universities that continue the dangerous trend in this field. Fact: over 25 percent of all data breaches come from higher education. The three losing personal data including Social Security numbers are Dixie State College of St. George, Utah; Bates College of Lewiston, Maine; and the University of Nevada, Reno. Ohioans are now suffering from the Hartford Financial Services Group’s three “misplaced” backup tapes containing the private information of 230,000 customers. An interesting announcement by a company spokesman said that the “information could only be read by extremely sophisticated equipment.” Don’t know what closet he’s been in, but a backup tape can be read by anyone with a compatible tape drive; the only question that matters is whether the data on it was encrypted, and the sophistication of the ID thieves far surpasses that of today’s security industry. And finally back to the medical community, where Clarian Health Partners of Indiana “misplaced” a mobile device that allows organ transplant teams to contact patients waiting for an organ. It includes name, address, Social Security number and certain medical information. Clarian assures its patients this does not affect its ability to make the necessary contacts to perform the transplants. Fact: over 14 percent of all data breaches come from the medical field. There isn’t much chance this will slow down. In fact, the crooks are finding new sources every day, and new means to milk those sources for individual sensitive data. My concern is the “Apathetics,” who are in the majority, and how they will influence those who are genuinely troubled over the security of their identity.

Tuesday, November 06, 2007


ADDING $145,680 TO YOUR RETIREMENT BY DOING WHAT YOU ARE DOING NOW


If you are a normal junk mail shopper, you could receive an additional $607 monthly in your retirement years. If you aren’t, this may be the time to look at this method of shopping, and join my movement to give consumers control over their names and personal data and compensate them when it is sold. The major problem with the junk mail industry is that it has complete domination over your sensitive data, and can do with it as it sees fit. If you are a regular reader of this blog, you know that I want to take this control away from junk mail and give it to the individual name-holder. By doing so you would approve all transactions relating to your name and private information, and share in the $4 billion the list industry grosses each and every year. I am proposing a federal law that would grant these rights to consumers, but considering Congress’ inability to even pass a data breach law, it will probably take a series of state laws to get the ball rolling. I have already contacted the state legislatures of California, where they are very favorable toward consumers, and my home state of Arizona. If you are willing to contact your state’s legislature on behalf of your identity rights, please e-mail me at jack.dundiv@cox.net for more details. We don’t have much time, because pension plans are drying up or at least cutting back benefits (currently covering only 20% of private-sector workers), and Social Security (one-third of the elderly rely on it for 90% of their income), with all the mystery of its condition, could use a significant increase regardless. Robert Ball, former commissioner of Social Security under Kennedy, Johnson and Nixon, said recently in a Washington Post article: “Social Security has never been more important to more Americans than it is now.” Ball cites three “revenue-enhancing changes” to save Social Security which are good, particularly the second one, which suggests investing 20 percent of SS assets in equities. Interesting, since my plan is to invest the name-holder’s portion of what junk mailers make from selling our names and personal data at simple interest. Producing an average of $607 monthly (the actual amount depends on how much junk mail buying you do), and assuming you live to the ripe old age of 85, retiring at 65 you’ve banked an additional $145,680 (20 years times 12 months times $607), and it didn’t cost you anything. Of course, if you take a more aggressive approach to investing, you could probably double the $607 figure. The alternative to the retirement income is to take an annual payout of approximately $65. You can read some past posts on this subject: one, two, three, four, five. To sum up, there are two major points to be made. First, consumers should have the right of control over their sensitive data, a step that could halt identity theft immediately. Second, the individual should participate in the revenue produced; after all, he or she is the name-holder, and without them junk mailers would have nothing to sell. Think about it and let me have your comments.

Monday, November 05, 2007


WHERE IDENTITY “WENT WRONG” AND WHO DID IT


Steven Gal is an expert in identity management and information privacy who wrote a recent article on News.com. I am always looking for someone with a viewpoint similar to my concept that consumers should have control over their names and personal data, and in Gal’s piece he says: “identity needs to be re-engineered around the demands of its logical owner--consumers--providing them more control, transparency, privacy, and security.” I doubt that he means individuals should literally “own” their sensitive data, because, according to Beth Givens, founder of Privacy Rights Clearinghouse, that would open the door to countless scams, particularly against senior citizens. He also indicated that the Internet is responsible for the identity crisis. Included in Gal’s re-engineering of identity are the several pieces of identity that ID thieves go after: our name and address, date of birth, Social Security number, credit reports, even lifestyle habits, financial, government and medical data, and something he calls our marketing identity. I’m assuming the latter refers to the basics of mailing list selections in junk mail, such as when you last purchased, how many times you have purchased, the dollar amount of each purchase and the total purchased, along with other information like your e-mail address. Your private information is separated into three “silos,” as Gal calls them. They are your financial identity, your government identity, and the marketing identity mentioned earlier. I agree with Gal on government and marketing being broken and in great need of repair. Federal agencies are losing personal data regularly, and apparently cannot get their security act together, even after an edict from a White House that could still be considerably more favorable to the consumer. Marketing, particularly junk mail, is my field of expertise, and if you read this blog frequently, you know that this is an area that is completely busted, and outrageously out of control.
Gal mentions the data brokers collecting our names and personal data and selling them for billions; let me confirm that the figure is $4 billion each year and growing. He adds that they give us no rights to see what they sell, and that is because junk mail is still a cryptic business to consumers, and the companies don’t want the American public to know what they know about us. Also, the list/data brokers and those who send out all the junk mail do not want anyone, including government, non-junk mail businesses, and certainly not the beleaguered customer without whom this industry could not exist, to know how fast and furiously they suck up our private information. But Gal and I differ somewhat on the financial identity, with which he is pretty comfortable. Although we have closer and more regular contact with this medium, it also has a propensity toward breaches just like government and marketing. According to the Privacy Rights Clearinghouse Chronology of Data Breaches, data was lost at 29 banks from February 2005 to November 2007, including some of the biggest: Bank of America, Wachovia, CitiFinancial, J.P. Morgan Chase and Wells Fargo. BofA had five breaches, one of 1,200,000 personal records; J.P. Morgan Chase had four breaches; Wells Fargo, two; CitiFinancial lost 3,900,000 personal records in a single breach; even the Federal Deposit Insurance Corp. (FDIC) had a breach. This group may not be as irresponsible as higher education, which accounts for over 25 percent of total breaches, or the medical field, at 14.5 percent of the total, but when the financial people do it, they do it big. Ponemon Research lists the banks most trusted for privacy in 2006 as National City and U.S. Bank, tied for first place, then Fifth Third Bank, Wachovia, PNC Bank, and Washington Mutual. You’ll note that four of the big names above (BofA, CitiFinancial, Chase and Wells Fargo) are missing. However, Fifth Third handled some of the transactions in the TJX (TJ Maxx, Marshalls) loss of data, which has turned out to be the worst ever at 94 million personal records lost, and in the PRC chronology, Wachovia lost 676,000 records to dishonest insiders. But overall I am in agreement with Steven Gal about what needs to be done, and that is that consumers should figure significantly in the equation. And we need to get started putting them there right now!


Saturday, November 03, 2007


CREDIT BUREAUS, DATA BREACH LEGISLATION AND MISSED OPPORTUNITIES


New York Senator Charles Schumer, a Democrat, just threatened legislative action if credit bureaus make consumers pay for credit freezes. The big three credit bureaus, Experian, Equifax and TransUnion, are charging $10 each, thus a total of $30 to cover all three, according to the junk mail publication DM News. OK, let’s do some math. Remember ChoicePoint—it’s almost as familiar as "Remember the Alamo" these days—and its breach of 163,000 individual records back in February of 2005? That was the result of Nigerian ID thieves heisting the sensitive data for the purpose of stealing consumers’ identities, resulting in potentially 3,800 victims of ID theft based on FTC figures. Our first equation multiplies 163,000 by $30.00, equaling $4,890,000, which is the amount paid by consumers, and revenue received by the credit bureaus, for credit freezes in just the ChoicePoint breach. The second equation multiplies 3,800 by $5,720 (the fraud amount lost per victim) and equals $21,736,000 in total victim losses, again just for the CP breach. So the American consumer, who did absolutely nothing wrong in this incident, ends up spending a total of $26,626,000 for future protection and to clean up someone else’s mess. Pathetic. And on the legislative front, the data breach Bobbsey Twins, Senators Patrick Leahy and Arlen Specter, have introduced yet another bill, the Identity Theft Enforcement and Restitution Act, which would allow consumers to seek relief from the costs involved in an identity theft. (See article) How many times have we been to this well before with no results? Leahy and Specter appear to have the consumer’s best interest at heart, but they can never get the job done, and that is the history of the U.S. Congress we are saddled with now. The author of the arstechnica.com piece above borrows from William Faulkner (and, behind him, Shakespeare’s Macbeth) in describing the issue. He confirms that congressional leaders do make a lot of noise over the problem, but he adds: “Unfortunately for residents of the US, the legislative branch of our government has proven itself to be full of sound and fury, signifying nothing when it comes to this issue.” Very well said. Now, how many of you have heard that an appeals court has dismissed a lawsuit that would have compensated certain data breach victims? Affected would be those who have not actually suffered economic harm from the breach, but who had to spend time and money, on credit monitoring or freezes, to prevent potential losses. It was class action litigation against Old National Bancorp, which operates a Web site for individuals looking for financial services. The data breached from Old National’s hosting facility included name, address, Social Security number, driver’s license number, date of birth, mother’s maiden name and some other financial account information. What more could ID thieves ask for? The Seventh Circuit Court of Appeals said in its decision that the emotional distress and precautionary expense suffered over the breach weren’t actual out-of-pocket losses, thus they didn’t count. I have talked to one very sharp legal mind that doesn’t necessarily agree with this assumption. However, the problem rests with the Indiana law on which the case is based. The court says, basically, that the state law as written did not intend for this type of victim to have a cause of action against the breaching company. Just another example of weak state law when it comes to the identity crisis, and another missed opportunity for the consumer.

Friday, November 02, 2007


E-MAIL ADDRESSES: LATEST—AND POSSIBLY THE RICHEST—GOLDMINE FOR ID THIEVES


I hate to keep belaboring the fact, but the identity crooks are improving their technology and strategies significantly faster than the security forces employed to outwit them, putting the consumer behind the proverbial eight ball. Phishing has been around for a while now: you receive an e-mail posing as a reputable company, which usually directs you to another site where you are asked to hand over your sensitive data to “update your account.” The bad guys impersonate banks, PayPal, supposed lottery winnings including Publishers Clearing House, even the FTC and IRS, and a host of other gimmicks. A recent MSNBC article portrays the use of government entities to pull off the deception, but it also has some dark statistics. The number of phishing sites more than doubled between May 2006 and May 2007, according to the Anti-Phishing Working Group. And Consumer Reports says consumers lost $630 million to phishing scams in 2005 and 2006. CR also estimates that 8.2 percent of online households have given up their private information to fraudulent e-mailers in the last two years. But this is only the tip of the database. You may recall giving your e-mail address to several companies you deal with regularly, like your bank, your pharmacy, your doctor, the loyalty program at the supermarket; just about every business you deal with today at least asks for it. Obviously the address is stored for immediate access when needed, but it does not get the same level of protection as, say, your Social Security number. In a recent incident reported by The Washington Post, a vendor for SunTrust Bank, Salesforce.com, had a database of 40,000 e-mail addresses and other contact information stolen, which has since been used by phishers to contact SunTrust customers. A bank spokesperson says around 500 customers received phishing e-mails, and a “handful” fell for the scam. That handful has already lost $9,000, and, based on experience, there will be more. The WP article raises a serious question that Congress should deal with immediately: should e-mail addresses be treated as the kind of private data that requires companies to notify the owner when there is a breach? My answer is yes, and here is why. Compared to the average phishing fraud, where the recipient has no connection with the bogus organization used, a stolen e-mail address, particularly with other contact information, lets the crook personalize the con and make the targeted individual really believe it is coming from a company with which they have a trusted relationship. Junk mailers have been personalizing mail to their customers for years, so it is only natural the bad guys would pick up on something that works so well. On the other hand, e-mail addresses are just like Social Security numbers: they are everywhere and generally easy to get. But the big difference is the link between the address and a company, which lends the phish its credibility, and that is why we need to begin securing this medium before this newest hoax gets out of hand.

Thursday, November 01, 2007


CHOICEPOINT SUBSIDIARY RESORTS TO “FEAR FACTOR” TO DUPE SENIORS


The Wall Street Journal had a front page exposé about what is currently being called “lead cards,” which are used to bypass the FTC Do-Not-Call list and dupe seniors into making bad investments. (Read article) You’ve seen them; approximately 4 inches by 6, two-part, with one section detachable to return to the sender for more information. They may indicate a relationship with the U.S. government, or a large organization like AARP. We called them “lead generators” when I worked in the junk mail industry, a legitimate means then to develop new business, like a catalog request. But a ChoicePoint company—you remember the folks that sold your names and personal data to Nigerian ID crooks and were stopped in their tracks by the new California notification law—has decided this handy gimmick should be utilized to get a commitment from seniors that could be used as an excuse to ignore the DNC list. The ChoicePoint company has decided that if you return the card, you give them the right to call you, even if you are on the DNC list. It’s a sleazy loophole that is typical of some junk mailers but, unfortunately, it has worked in several cases, and families have been bilked out of their life savings. The Williams’ card came from America’s Recommended Mailers Inc., located in a Texas strip mall. After returning the card, Horace Williams, 83, from North Carolina, had a visitor he thought was from AARP. Before he knew it, the visitor, who was actually an insurance agent, had talked him into moving much of his $179,000 savings into annuities he couldn’t touch until age 90 without paying high penalties. Fortunately, after hiring an attorney, the Williams family got their money back, and America’s Recommended Mailers Inc. is now being sued by the Texas Attorney General. The WSJ piece quoted internal ChoicePoint e-mails that attributed the lead cards’ success in producing responses to their “fear-factor,” and indicated that response rates fell drastically when AARP’s name was removed.
AARP did win an injunction barring the CP company from referring to AARP on its cards, which also used a Washington, D.C., return address, apparently without an actual location there. There were other victims such as Jeanne Blom, 81, a widow in Minneapolis, and Mary Menges, 70, from Illinois. Menges transferred $170,000 from her IRA to an American Investors deferred annuity, where she could withdraw only 10 percent a year without paying a 17 percent penalty. The Illinois Attorney General finally got her money back. What is missing from the Wall Street Journal article is where these companies obtained the Williams, Blom and Menges names in order to mail them the lead card in the first place. I can answer that question from my 35 years as a list/data broker. The names of senior citizens are available from a number of junk mail data compilers. But what these companies probably did was to select what is known in the industry as the over age 65 “gullibles.” It is no reflection on any of these families, because the term actually refers to individuals who are overly active in responding to junk mail offers, particularly where the pitch is for something free, like more information. The rest is up to the process of follow-up, in this case an insurance agent posing as the bearer of complimentary information, but actually with the intent of the hard sell. It is deception on two fronts, and directed to one of the most vulnerable groups…our senior citizens.

FOCUS ON PROTECTING YOUR IDENTITY


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail (jack.dundiv@cox.net) with any questions.

Wednesday, October 31, 2007


HIGHER EDUCATION ACCOUNTS FOR OVER 25% OF ALL PERSONAL DATA BREACHES


The figure is frightening: 25.6 percent of total personal data breaches occur in higher education. A recent survey by CDW Government (CDWG) of 151 college and university IT directors and managers called the rise in data loss “alarming,” according to an InformationWeek article. CDW sells computer equipment and technology, and its CDWG subsidiary provides services to colleges and universities. Also from the report, less than 50 percent of campus networks are safe from attack, and 58 percent said they’d had at least one security breach in the past year. And this is all a 10 percent increase over last year. Even scarier, only 8 percent of the respondents felt they had “very secure” networks. I went back to our standby, the Privacy Rights Clearinghouse Chronology of Data Breaches, to update the latest in higher education. As of October 30, there have been a total of 714 breaches since the first recorded in January of 2005. Of those, 183 have occurred in colleges or universities, for a whopping 25.6 percent of the total. Medical data breaches come in second at around 14 percent. The educational community cites “Lack of staff resources” as the biggest obstacle to securing their systems. Ah yes, protecting our names and private information always seems to be the stepchild when it comes to funding programs. CDWG rates the administrations at these schools a “B” for their support of IT security, but the faculty and students get a “C” because of a lack of awareness. As we know, apathy prevails in the public’s mind when it comes to their privacy, particularly for something like ID theft, which they feel could never happen to them. But the worst finding of all in the CDWG report was that during the three years they have been conducting the survey, there has been no improvement.
On another front, the Miami Hurricane Web site exposed the university’s administration giving up student personal data, including Social Security numbers, to Sallie Mae, one of the largest providers of student aid loans in the U.S. In the online article, “the university confirmed that they had sent the personal data of students to private lender Sallie Mae, even though these students had not authorized them to do so.” There is some confusion as to whether the student application for eligibility counts as an actual loan application, which the U. of M. says allows them to provide the data to Sallie Mae. Not so, says John Beckman, director of financial aid for New York University. And according to Jim Bradshaw, a Dept. of Education spokesperson, the U. of M. may have violated the Family Educational Rights and Privacy Act, which protects student private information. OK folks, here’s the big question. Did the University of Miami get paid for the sensitive data they gave to Sallie Mae? If so, it is just one more example of the manipulation of our names and personal data in an attempt to exploit the American public. In this case the victims are young people who could be devastated at this age by the loss of their identity. If not, it still qualifies as reckless handling of our sensitive data.

Tuesday, October 30, 2007


JUST WHEN YOU THOUGHT YOU’D SEEN THE WORST BAD TASTE, LOS ANGELES JUNK MAIL LIST BROKER TRIES TO CAPITALIZE ON THE CALIFORNIA FIRES


The graphic you are viewing to the left of this post is part of an e-mail blast that was sent out by Southern California junk mail list broker Fasano and Assoc. to promote some of its “hot lists,” as the headline screams. (See article) Patricia Fasano, who founded and still runs the firm, has been around some 25 years and is a respected professional in the industry. During my 35 years as a junk mail list/data broker, I had dealings with the company, and found the personnel reasonably competent in handling their jobs. But the one weak link in an organization—which is all it takes for an incident like this or, worse yet, the loss or misplacement of consumers’ personal data that can end up exposing the private records of thousands—is exactly what I have been blogging about for almost three years. It is judgment of this type that leads to the mishandling of sensitive data in the junk mail business, data that has eventually ended up being sold by the identity theft underworld. Fasano has never misplaced or lost data that I know of, but she has also not said that she is firing this moron for sending the e-mail. To show their commitment to fighting the fires, the firm made a donation three days before the e-mail to the California Firefighters Association to buy various equipment. The overall intentions are good, but on this one dumb occasion nobody was watching the store, and that is precisely the kind of situation where your personal data can easily fall through the cracks. A New York public relations firm said Fasano should have had “checks and balances” in place for this kind of incident. They added that they had “never encountered a company without some approval process for ad and public relations copy.” Unfortunately we are experiencing weekly accounts of questionable judgment when it comes to companies managing our names and private information.
The most flagrant are those who allow employees to haul off a laptop with all kinds of individual sensitive data and take it home with them, invariably leaving it in their car while they run errands or just leave the machine completely unprotected. Yes, it is more obvious to a person like me who sold your names and personal data, and witnessed episode after episode of incompetence in the junk mail list industry, including multiple examples of this data being exposed to almost anyone who might want to steal it. Fortunately, most of my 35 years were before the identity crooks discovered just how valuable this private information is, but that has changed significantly today. It does mystify me, however, that if these bad guys can recognize what a gold mine consumers’ sensitive data is, why can’t the consumer whose name and personal data it is figure that out? My new motto is: Hold on to your apathy and lose your identity!

Monday, October 29, 2007


TJX DATA BREACH MORE THAN DOUBLES, PROVING THE EXPERTS RIGHT AGAIN


There are two things that the privacy community has been saying for some time now—and that includes this blog—regarding announcements of data breaches. First, the number of personal records lost that is quoted by the company is probably less than it really is. Second, the selling of the stolen information by the ID theft underworld will continue for months to come. And that is exactly what has happened in the TJX (TJ Maxx, Marshalls in the US, Winners and HomeSense in Canada) case, which originally reported 45.7 million credit and debit card numbers stolen, but according to recent court documents in lawsuits against TJX, the new number is officially 94 million. In addition, fraud-related cases from the breach involving Visa cards alone already range from $68 to $83 million spread across 13 countries, and, according to Visa USA’s VP of investigations and fraud management, this will continue for who knows how long. (See MSNBC story) One of the reasons the Visa executive, and other privacy activists like myself, are so sure the stealing of victims’ private information will continue is that it has happened before. Another is that the identity crooks were cruising around the Marshalls’ parking lot in 2005, able to access what they wanted using a directional antenna to download the data. And what they wanted was customer sensitive data to sell. eWeek.com breaks the total down to 29 million MasterCard victims and 65 million Visa victims, these figures also taken right from the same court files in Boston. The breach continued undetected for seventeen months, during which time the hackers had a field day in TJX’s central database. Legal action has also been filed against Fifth Third Bancorp, which processed some payment card transactions, and banks affected are seeking class action certification so others can join in the complaint.
From our neighbors up North, all-news radio 680 reports that there is a new survey that says the Canadians “are very nervous about their personal information.” That can be attributed to the fact that Canadian privacy law is much stronger than here in the US. (See earlier post on TJX) There’s a good chronology of incidents from the TJX breach, also on eWeek.com, that follows how the bad guys moved 80GB of data and remained undetected for seven months. First of all, TJX was found not to be PCI compliant. The Payment Card Industry (PCI), including Visa and MasterCard, requires merchants to protect cardholder information by adhering to a set of security standards. Therefore, it was rather simple for the intruder to transfer the data through a high-speed connection to another site on the Internet in California. Even in 2004, before the breach, TJX had several security deficiencies identified that included specific violations. This was confirmed by a company consultant, who added that he had never seen such a void of monitoring in a company this size as he saw at TJX. It’s like the old saying, the gift that keeps giving. Well, this is the kind of breach that keeps taking…your money and time.
