
Wednesday, April 30, 2008


LOSING YOUR CREDIT STANDING TO IDENTITY THEFT IS BAD ENOUGH, BUT LOSING YOUR HOUSE?


You know it had to happen, with all the problems in the housing industry. People are desperate and will do anything to save the roof over their heads, including placing their confidence in the hands of con artists who claim to have a way to save the homestead but really plan to sell it right out from under you. According to the Boston Herald, “house stealing,” as it is now referred to, combines identity theft and mortgage fraud in a way that could leave you walking the streets.

In an article from NetworkWorld, they actually outline the scam, as follows: 1) the crooks decide to steal your house; 2) next, they heist your identity, readily available in public records and on the Internet; 3) forms are purchased from an office supply store to transfer your property; 4) by forging your signature, your house becomes theirs to sell. If it’s not your regular residence, it could be an empty house, vacation home, or second home like a summer place on Cape Cod. A ConsumerAffairs site adds a fifth step, the one where the homeowner loses everything: “Once those papers are filed, the deed to the house transfers to the con artists. And the home belongs to them.”

A trio of thieves, a man and two women, stole the identity of 65-year-old Judy Melody of Dorchester, Massachusetts, then attempted to buy two homes in Brockton and Halifax. They were finally caught when trying to sell Melody’s home. This seems almost as bizarre as yesterday’s post on “The Great Impostor of Identity Theft.” According to the FBI, there were 46,717 incidents of mortgage fraud in 2007, but there have already been 30,000 so far in 2008, an escalation that seems to mirror the general trend in ID theft.

The FBI reports in the Boston Herald that the schemes are most prevalent in real estate boom states like Florida and Nevada, but Massachusetts gets its share: Wells Fargo and four other lenders agreed to pay $1 million to victims of a foreclosure-rescue scam there. The agency says that “Thieves are preying on people not paying attention to their financial statements.” If homeowners were given control over their names and personal data, much of this problem could be solved through transaction verification that would at least alert the victim to what is taking place.

In a case the FBI and IRS investigated last year, homeowners in foreclosure were targeted with a promise to refinance their loans. Los Angeles real estate agent Martha Rodriquez used “straw buyers,” individuals who are paid for the illegal use of their personal information, to file fraudulent documents to buy 100 homes, making $12 million in the deal. Rodriquez was caught and prosecuted, but the owners lost the titles to their homes and banks lost the money loaned to fake buyers.

ConsumerAffairs suggests consumers be alert to any material they receive from their mortgage company that looks suspicious, and periodically check with the recorder of deeds to make sure the information on record is correct. The question is, where will they strike next?

Tuesday, April 29, 2008


THE GREAT IMPOSTOR RESURFACES…THIS TIME IN IDENTITY THEFT


You remember The Great Impostor, Robert Crichton’s book about Ferdinand Waldo Demara, who created and lived identities ranging from deputy sheriff to Benedictine monk. Tony Curtis played the part in the 1961 movie, which also starred Edmond O’Brien, Raymond Massey and Karl Malden. Demara actually tried to enter a Trappist monastery but failed, then joined the Army but ended up going AWOL.

Fast-forward almost 50 years and enter the female version of Demara/Curtis in Esther Reed, a country girl from Montana with a good enough intellect to bamboozle the best. She first appeared on America’s Most Wanted in November of 2007, and after a nine-year run was captured on February 2, 2008, in suburban Chicago. Esther was an above average student and loved to debate, but following her mother’s death from cancer in 1998, she turned to a life of crime. The question, of course, is who will play her part in the movie.

Whoever that is will have a wealth of profiles to explore, according to the Greenville News. Like stealing the identity of Brooke Henson, a Travelers Rest woman who disappeared nine years ago and whom police believe to be dead, though the disappearance itself is not considered tied to Reed. Or using her above average intellect to hustle over $100,000 in student loans, using a Pennsylvania woman’s date of birth and Social Security number to get a fake driver’s license, hitting on a West Point cadet, and passing herself off as a chess champion.

Next, on to Los Angeles, where she convinced a Cal State Fullerton professor to recommend her to Columbia University, claiming to have changed her name because she was in the witness protection program. Returning to Henson’s name, she earned a GED in Ohio and passed an SAT college admissions exam in California that got her into Columbia, where she got the $100,000 in student loans.

But she wasn’t through with Henson, using her birth certificate and an Ohio identification card to get a job at Columbia U. in the Vice President University Development Alumni Relations office. In New York a year later, Reed confirmed her identity as Brooke Henson to police, even coming up with answers to personal family questions. She refused to take a DNA test and took flight once again. When they finally caught her in Chicago, she was using yet another identity created from an Iowa driver’s license, compliments of a Kentucky birth certificate and a marriage license from Nevada. During all this time, which took place in multiple cities in multiple states, Reed was also charging purchases to illegally obtained credit cards. Thanks to Eric Connor of the Greenville News for this running commentary.

As a result of all her escapades, Esther could get up to 47 years in the slammer and more than $1 million in fines. This is obviously one of the most bizarre cases you will ever hear about, but it shows just what lengths an individual will go to in order to steal your identity.

Monday, April 28, 2008


FEDERAL TRADE COMMISSION TARGETS TARGET ADVERTISING – PART 2


Picking up where we left off in the last post on the invasiveness of behavioral marketing (AKA predictive modeling/target advertising), the position of Internet marketers, and of other junk mailers as well, is that you, the consumer, want to receive more advertising in keeping with your interests. The question that arises is whether or not you are willing to give up your right to privacy in return.

I take the position that you should not be singled out individually, with all your personal data put in the mix, to get you that perfect ad. And there is a way to accomplish the same goal: the advertiser focuses on aggregate clusters of 300 to 500 households with the same demographic and lifestyle profiles. Some marketers are even satisfied to work at the ZIP code level, containing 2,500 to 3,000 households, but all of this becomes irrelevant with today’s methods, since the individual household data must be used to create the groupings of ZIP codes in the first place.

You could solve the problem by creating an anonymous geographic cluster, but wait; doesn’t that also require the use of individual private information? The answer, of course, is yes. So what is the solution? Give consumers control over their names and personal data, and let them opt in to its use in situations such as this. Mission accomplished for business and the name-holder.

In yesterday’s post, the two companies working on systems to track every move the Internet user makes while surfing are supposedly employing anonymous private information. But according to Saul Hansell of The New York Times, there were “a lot of questions he [Robt. Dykes, CEO NebuAd] wouldn’t answer.” Among them, he would not reveal the Internet service providers or Web sites he is working with, and he declined to identify what information he uses to determine how the ISP changes your address, both of which bear on what is being used to identify you.

Hansell also echoes my concern that, although personal data isn’t involved now, it could be at any time.

TRUSTe, the Internet version of the “Good Housekeeping” seal of approval, in a study conducted by global market insight and information group TNS, says: “Overall results indicate a high level of awareness that internet activities are being tracked for purposes of targeting advertising, and a high level of concern associated with that tracking, even when it isn’t associated with personally identifiable information.” This from Internet users asked about their reactions to behavioral targeting.

In the results from the survey, “71 percent of online consumers are aware that their browsing information may be collected by a third party for advertising purposes, but only 40 percent are familiar with the term ‘behavioral targeting.’ 57 percent of respondents say they are not comfortable with advertisers using that browsing history to serve relevant ads, even when that information cannot be tied to their names or any other personal information.”

“An overwhelming majority (91 percent) of respondents expressed willingness to take necessary steps to assure increased privacy online when presented with the tools to control their internet tracking and advertising experience…” I have placed the last sentence in bold type for emphasis on what the public is obviously willing to do to protect their privacy on the Internet. It confirms to me the willingness of the American consumer to take control over their names and personal data in all situations when granted that right. If only business, government agencies and Congress would realize that.

Friday, April 25, 2008


FEDERAL TRADE COMMISSION TARGETS TARGET ADVERTISING


For over twenty years the junk mail industry has had an on-and-off love affair with predictive modeling, which is a sophisticated way of targeting a customer by using technology to predict his or her habits. As a former list/data broker and database consultant, I have been in favor of this in aggregate geography, but never on an individual household basis. Anything to conserve paper and help protect the environment.

To explain aggregate geography: it means a cluster of 300 to 500 households whose demographics and lifestyles are very similar, enough so that a junk mailer can profitably send the same offer (say, for young, upscale households that drink good wine) to the entire group. My objection to targeting individuals is that it takes the Big Brother approach, in which everything there is to know about the consumer is revealed and made available to everyone involved in the modeling process. A blatant invasion of the person’s privacy.

Now the Federal Trade Commission has decided to “aggressively” enforce Section 5 of the FTC Act, which prohibits unfair or deceptive practices, by “encouraging” business to self-regulate in the area of behavioral marketing. That’s the latest buzzword for targeting and predictive modeling. By combining demographics and lifestyles using advanced technology, you come up with the actual behavior of an individual: what books they read, what prescriptions they take, and whether or not they drink or gamble.

In a recent article from 26econ.com, a term new to me at least, “deep packet inspection,” means the Internet service provider can “view every bit of data sent to and from a particular user.” Two links from that site lead to pieces by Saul Hansell of The New York Times. He thinks the technology will become “the mother of all privacy battles.” Two guys with two companies are behind the concept: Robert Dykes, CEO of NebuAd, and Kent Ertugrul, CEO at Phorm. The pair thinks privacy advocates will eventually embrace what they are doing, because they claim their programs give Internet users complete anonymity.

Perhaps, but with this software in place, there is the ability to add private information to the mix later, and somehow data collectors just can’t resist the urge. Starting from an established broad set of categories, these systems build a profile of your surfing habits, without even your name or address, they say, documenting everything you do. Apparently our ISPs are enabling all of this data collection because they receive a big cut of the advertising revenue. Once again, the person supplying all the information is left out of the action.

And that brings us back to the FTC’s newly proposed guidelines for behavioral targeting of online advertising. Like most other government agencies, the decision makers at the Federal Trade Commission haven’t an inkling of what predictive modeling/behavioral marketing is all about, so most new rulings will probably be in favor of business, not the consumer. Particularly while Bush is still in office. More on this next week.

Thursday, April 24, 2008


WHO DO YOU TRUST? ALMOST NO ONE WHEN IT COMES TO YOUR NAME AND PERSONAL DATA


There is a site, darkReading, you may or may not have heard of. They say they aren’t licensed therapists, but that they do “deal with an astonishing variety of insecurity each day.” They are talking about the personal data kind that ends up in the breaches by business and government we hear about almost daily. A recent darkReading article, under the headline “2008 Could Be Record Year for Breaches,” reveals the latest results from the Identity Theft Resource Center: in the first three months of 2008 there were 167 incidents of compromised data, twice the number in the first quarter of 2007.

What worries me most is that I have been predicting for the last year that 2008 will be a record year for identity theft victims, primarily because much of the free credit monitoring offered by “breachers” will expire in 2008, leaving the ID thieves free to use the private information they have stolen. If this year sets a new record for breaches, what will the number of victims look like in 2009? Fortunately, many of the companies responsible for losing your sensitive data are now offering two years of free credit monitoring, so if you do become a victim, demand it.

ITRC also reports that those receiving letters of notification indicating their private information has been exposed have been “given incorrect directions or not enough information” on what to do. The combination of having your personal data breached, along with the fact that the business responsible doesn’t really know how to help you, has shaken the confidence of the American consumer to the point where they are legitimately refusing to give up any private information. See my earlier post on Safeway.

In another darkReading piece, 31 percent of customers who have become breach victims stopped doing business with the company; 55 percent were notified twice in two years; 8 percent four times or more. These are figures provided by a new study from the Ponemon Institute.

On March 7 of this year I did a post on what we might expect in 2008: “One More Outlook for Data Loss Prevention in 2008.” What it flatly says is that we cannot protect our names and personal data with the means we have today. That includes both the business or government agency collecting the data, and the individual from whom the data is sourced.

Consumers have lost control over their names and private information at a time when, by all outward appearances, data collectors do not know how to protect what they collect but nevertheless continue to collect it at an alarming rate. That is one of the primary reasons to expect record breaches in 2008. This opinion, shared by many privacy activists, stems in part from a recent statement by a VP of Marketing and Security at a database security company: "People are saying 'let's step back and realize our data is under siege, what's of value that we need to protect and where is it?'" We’ve waited until now to do this?

If you want to see the number of victims from identity theft drop drastically in 2008, leading eventually to a zero factor, we need to give consumers control over their names and personal data, and compensate them when it is sold to provide incentive to assume this responsibility. Otherwise, I can’t imagine where the ID crisis will have risen to in 2010.

Wednesday, April 23, 2008


CALIFORNIA SENATOR TALKS BIG BUT DOES LITTLE FOR CONSUMER PRIVACY


Dianne Feinstein, the U.S. Senator from California, a Democrat, thinks Americans need identity theft protection after the person has already become the victim of a breach. She said so in an opinion piece in the Sacramento Bee, a California newspaper. She isn’t alone, either on the state or federal level. Every piece of legislation out there, whether introduced or passed, even the landmark California law that exposed the ChoicePoint breach in February of 2005, is designed to pick up the pieces after your sensitive data has been stolen or lost. If this were the only option, I would say go ahead now and make the legislation federal, which would give business and government uniform guidelines to work with. But it isn’t.

Feinstein says, “It's time for Congress to take action and give Americans the tools they need to protect themselves.” The problem is that the legislation she introduced five years ago, which still hasn’t passed, having been pending both before and after Democrats took over Congress, works just like all the rest, kicking in only after the damage is done. There’s some good stuff in her bill, just like many others introduced since the data hit the fan in 2005: requirements like telling victims exactly what happened, and notification of the breach. And she does want to tighten up the controls on government agencies. However, unless the victim is notified immediately, and that is never likely to happen, a stolen Social Security number could be sold by the identity thieves within the hour, and used by the underground buyer to open new credit accounts or drain current accounts before the company or government agency even discovers the breach. This is exactly what happened in the TJX (TJ Maxx, Marshalls) incident. I’m sorry, but I agree with other privacy advocates that even one breach of your private information is too much.

The part of the Senator’s opinion piece I like most is when she puts the monkey on the right back: George W. Bush. She commented on the administration’s instructions to federal agencies about breach notification, the culmination of which was Hillary Clinton’s passport file being breached, with months passing before she was notified. GWB will go down in history as perhaps our worst president ever for many reasons, not the least of which will be his desertion of, and arrogance toward, the average consumer’s privacy needs. But Democratic Senators like Feinstein could have done much more to help the consumer’s plight. She could have introduced legislation to grant consumers control over their names and personal data, while compensating them when it is sold to offer incentive to shoulder this new responsibility. I even suggested this to her three years ago. No reply.

Tuesday, April 22, 2008


WORK-AT-HOME SCAMS COULD TURN INTO IDENTITY THEFT FRAUD


They have been around for years, and have improved in the sophistication of their approach, but the newest twist is frightening. I am talking about the work-at-home schemes that lure people into thinking they have found a way to make easy money at home. It’s not possible, and I can tell you from 35 years as a junk mail list/data broker that all of the services these scams are selling you to do at home are done by machines in large facilities run by people trained for the jobs. There are ways to supplement your income, but this isn’t one of them. Actually, I am surprised that after all the bad press on this subject over the years, there are still so many who bite. However, these are days of desperation, and the crooks know it.

Unfortunately, the bad guys have found a new way to pull off the fraud that just adds to their total take. An MSNBC article documents work-at-home scams through real people who have suffered real losses. One actually landed a guy in jail because he was accepting and forwarding stolen merchandise. Another is the ploy to deposit the firm’s check as a mystery shopper and send a portion back to the company; of course their check is no good, and you are out the amount you sent. As the MSNBC piece indicates, the criminals are often from Soviet Bloc nations and use services such as Western Union to forward payments. In the current scam, you are asked for your bank account number, which they allegedly need to send you a direct deposit; instead they clean out your account and you never hear from them again.

And this is where your identity can be compromised. It is only a matter of time until the ID theft underground connects work-at-home to the art of stealing your identity, both real and synthetic. That will come when they begin to ask you for, in addition to your bank account number, your credit card numbers, driver’s license number and your Social Security number. Of course the crooks will still attempt to make you pay up front for materials necessary to complete the work-at-home jobs, as in the past, which you might do by using your credit card or a direct deposit from your bank. There is always a purpose to their madness. In the heat of the moment, you are focused on that extra income you are being promised, and you don’t weigh the circumstances in which you are giving out all this private information. But the old saying still applies: when it sounds too good to be true, it probably is.

I have a plan that won’t put a lot of extra money in your pocket now, but could provide help in the future. If you had control over your name and personal data, and if you were compensated when it is sold, many of you could add an average of $607 a month to your retirement income. And you don’t even have to work at home to do it. You can read more about this concept in an earlier post from June 28, 2005.

Sunday, April 20, 2008


PENNSYLVANIA VOTER SITE SENSITIVE DATA LEAK FIXED OR JUST IGNORED?


All is quiet in the Pennsylvania primary regarding the voter registration data leak that was reported back in March. The state had to halt access to the online registration site where some 30,000 personal voter records were made available for all to see. According to Computerworld, it was the online application form, designed for simplification, that contained a Web programming error which exposed the voter’s name, date of birth and driver’s license number, and in some cases even the last four digits of the individual’s Social Security number. The primary is tomorrow, and the question arising from this now is how many of the 30,000 will be spooked into a reluctance to vote as a result of the incident? Of course, the damage is already done, so that should not be a factor in the decision to go to the polls. But I am sure the citizens of Pennsylvania would like to know if their private voter information is secure once again.

Sunday’s edition of The Philadelphia Inquirer, the state’s largest newspaper, had no mention of the data leak on its Web site. If things are back to normal, you would think that headlines would be blasting the fact that voters should feel secure in both registering and voting. Beth Givens of Privacy Rights Clearinghouse even said: "When word gets out, it will be one of those things that will deter people from registering to vote." Computerworld points out that in the past voter databases have been made available to political parties for mailings, but all the sensitive data was removed. Today, with the data available online, mistakes are bound to happen, and obviously one did. It is bad enough to have your private information outed with the chance you could become a victim of identity theft, but when it is done in connection with your right to vote, and it could have an effect on your decision of whether or not to exercise that right, there is real damage done.

Maybe I missed it somewhere in my research, but after Googling every search phrase I could come up with relating to the issue, there is no mention of assurances from the state of Pennsylvania that the voting system is now secure. And that reeks of recent personal data breaches in the private sector where TJX (TJ Maxx, Marshalls) and Hannaford Bros. supermarkets delayed releasing information. This only makes potential victims worry that much more, and delay any necessary protection strategy that might prevent fraud. Incidents like this are being reported on a daily basis, and the current result is business and government simply applying band-aids instead of fixing the problem. The only answer to this dilemma is for the American consumer, and voter, to demand that Congress pass federal legislation granting individuals control over their names and private information, compensating them when it is sold to provide incentive to take on this new responsibility. If anyone has a better idea I would like to hear about it, but if not, it is time to seriously consider this concept.

Thursday, April 17, 2008


DUMBING DOWN ON PRIVACY


LifeLock, the identity protection company whose CEO, Todd Davis, flaunts his Social Security number before the public to prove that his service works, is being sued in a class-action suit. The litigation alleges deceptive marketing, according to Reuters.com, and comes less than two months after the Experian credit bureau sued LifeLock for false advertising. See my Feb. 25 post. The New Jersey Pasternack family who filed the suit says LifeLock “misled them about the limited level of identity protection the company provides, and failed to warn them about the potential adverse impact those services could have on their credit profiles.” The complaint adds that Davis’ style of advertising “lulls” potential subscribers into a false sense of security by misrepresenting the degree of protection they will receive. The company charges $10.00 a month for services that consumers can do on their own free of charge. Maybe if we get these people fighting among themselves, Congressional leaders will finally realize that something needs to be done, and now.

South Carolina has decided to get tough with identity theft by passing a stringent law to better protect its citizens. The state becomes one of only two stipulating that residents can place or lift security freezes on their credit reports at no charge, based on a report in the SC Morning News. Additions to the bill include penalties for credit bureaus that don’t correct incorrect information, and a 15-minute lift of a credit report freeze using the consumer’s PIN. States continue to show the federal government how to do it, but an inept Congress can’t see the breaches for the business lobbyists.

In another state, Colorado, Jefferson County DA Scott Storey also understands the identity crisis and is doing something about it. Based on a piece in YourHub.com, Storey’s fraud alert team is advising consumers to buy a paper shredder, the diamond cut kind, which is supposed to be the best. Colorado ranks eighth in the U.S. for ID theft, which is apparently enough to get this DA to start an awareness campaign that is sorely needed across the country. He shows the county residents just how the crooks do it by exposing methods like fake driver’s licenses or chemically altered checks. A local project director for crime prevention, Cary Johnson, holds seminars on the subject and makes an excellent point: the crooks know our lifestyle habits, like writing a check and putting it in the local neighborhood postal box. He also commented that, based on Federal Trade Commission statistics indicating that 5 percent of Americans become victims of identity theft each year, in the next ten years 50 percent of the U.S. population will have succumbed.

The junk mail whiners are at it again. They are questioning the motives of a New Hampshire state representative who introduced a bill to establish a statewide do-not-call registry on behalf of those who find unsolicited mail intrusive. I looked up “intrusive” on Dictionary.com and found the following definition: “tending or apt to intrude; coming without invitation or welcome.” If that isn’t the perfect description of junk mail, I don’t know what is. The industry article says junk mailers find it “mystifying” why Rep. Suzi Nord would call their work intrusive. After spending 35 years in the business as a junk mail list/data broker, I find it exasperating that these people cannot figure out that when 98 percent of what they produce goes in the trash, what is it if not junk?

The feds are still not addressing the problems that caused data breaches like the 26.5 million records lost by the Veterans Administration. MSNBC says that the General Accounting Office has found that most of the two dozen federal agencies examined still haven’t implemented five federal recommendations to protect private information. Eighteen other agencies had complied “to varying degrees.” This is important to the American public because over 20 percent of all data breaches originate in the government sector. We certainly won’t see much shoring up of this issue by the Bush administration, and it is beginning to look like the Democrats have put consumerism on the back burner, perhaps for the upcoming election. It seems to me that the timing is perfect for an Independent candidate to step in and show that he or she will put consumers out front again. Go to the Committee for a Unified Independent Party (CUIP) for more on the Independent movement. Any suggestions for candidates?

LATEST PLOY IN DATA COLLECTION: WORK A “JIGSAW” PUZZLE


On the day we made the discovery that names and personal data were worth more than the paper they were printed on (and back in those days the information was typed, sometimes even hand-written, on pieces of paper), a profit center was created that will someday likely surpass the world’s largest industries. When I entered the junk mail business back in the late sixties, many smaller companies were still maintaining their customer lists on index cards. When it was time to do a mailing, the cards were distributed to home typists who would transcribe the information onto labels or directly onto an envelope. Today, everything is computerized to the highest standards of technology, and every aware business spends much of its time figuring out how to capture your private information. The primary reason for that is to sell it; junk mailers alone realize over $4 billion every year in the list business.

Now there’s a new kid on the block with an approach that is unique, although questionable according to at least one privacy advocate, Susan Pierce, executive director of the non-profit PrivacyActivism, as reported by ERE.net. Jigsaw.com professes to have more than 8 million business contacts on file to be used by sales people, recruiters or marketers; this includes the contact’s full name, title, postal address, e-mail address and telephone number. Their privacy policy mandates the same stipulations as most, meaning they won’t share “personally identifiable information” with anyone but law enforcement and necessary third parties such as service providers. That information would include the above, plus your credit card number (it’s a paid service), your Internet address and provider, and a profile of your online preferences using the Jigsaw system. There is no indication that they will ever sell this information, but nowhere do they say that they never plan to.

In the company’s “Legal Disclaimer,” there seems to be concern that the anonymity set up to protect customers could be jeopardized by “illegal use” of the system. Further, under “Information Security,” Jigsaw says it uses “accepted industry standards” to protect all information, but admits that it “cannot guarantee its absolute security.” Of course they can’t, and no business can if the bad guys want to get in and steal your sensitive data badly enough. Pierce says, “The seven-million business cards is causing disruptive change in the way corporate information is gathered because recruiters can buy and sell contact information on people -- who may not have given permission to be contacted.” Jim Fowler, Jigsaw.com founder and CEO, apparently justifies it all with the statement, “You would be amazed how many databases you live on, and you have no clue you're on there.”

I am all for the free-enterprise system, but if something isn’t done soon to regulate how names and personal data are collected and used in the marketplace, the identity crisis could reach proportions that no American wants to experience. All you need to do is visit George Orwell’s novel 1984 again to see the possibilities. If you don’t have a copy, go to The Literature Network, search “Big Brother,” and read some of the passages. You can also go to the "Search" box at the top of this blog and enter "Big Brother" to read some of my past posts on the subject. And when you’re done, hopefully, you’ll agree that consumers should be granted control over their names and private information as the solution to this issue.

Wednesday, April 16, 2008


TECHNOLOGY PRO SAYS “WE” ARE THE CYBERTHREAT, NOT BIN LADEN


Charles Cooper has covered technology for over 25 years, working with such organizations as PC Week, ZDNet News and now, CNET News.com. So you figure he has the right to some opinions on the subject, and his latest is that “Mr. & Mrs. Computer User” has replaced bin Laden as our biggest cyberthreat. We are the ones who “keep goofing up,” as Cooper puts it, quoting the experts from the 2008 RSA conference on information security in San Francisco. He likens the problem to the movie Groundhog Day, where Bill Murray keeps waking up to the same morning. That is precisely what is happening, with business and government committing the same mistakes every day with our names and private information, resulting in a steady stream of data breaches. And the consumer compounds the problem by not taking proper precautions and remaining apathetic about the state of their privacy. Some RSA conference highlights:

• 65% of the new code being released into the market is malicious
• The U.S. was the top country of attack origin in the second half of 2007
• The education sector accounted for 24 percent of data breaches that could lead to identity theft
• Government was the top sector for identities exposed, accounting for 60 percent of the total
• The United States had the most bot-infected computers worldwide

Much of this we already knew, but it just points out that it has to be said again at major conferences like RSA to an audience that, based on the organization’s findings, won’t be taking their privacy seriously any time soon. “Apathetics,” I call them. Symantec’s CEO, John Thompson, confirms what most privacy advocates have known for some time: rather than attacking the infrastructure itself, all the attention has now shifted to just getting the personal data any way possible and rushing it to the underground market in private information. As an example, in a Symantec report, bank accounts are the most promoted for sale in this manner, accounting for 22 percent of activity tracked. And Homeland Security Secretary Michael Chertoff’s appearance at the conference didn’t really add confidence to the possibility there would be any help from the current administration. Cooper sounds skeptical over how many Silicon Valley technologists Chertoff would enlist to come to Washington to work on cyber-security because, as he comments about the Secretary’s department, “Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.” Not that I want to get into politics now, but it is clear that nothing will be done that will enhance consumer privacy until George W. Bush is history. That in itself will be welcomed by many, but, unfortunately, I am not at all sure whoever takes over the White House and Congress in November will supply the solution the privacy community is looking for.

Monday, April 14, 2008


EUROPEAN UNION CONTINUES TO LEAD THE WAY IN PROTECTING CONSUMER PERSONAL DATA


Just a little over 18 months ago, The Register in London published an article, “Google vows: We’ll keep hoarding your porn queries,” which wasn’t about the pornographic industry, but rather your personal privacy. While AOL, MSN and Yahoo had given in to government demands to hand over your search habits, Google said no to the Justice Department. But the number one search engine didn’t do it for you; they did it because their software—or algorithms, as they are referred to—could be “compromised.” Knowing Google’s track record on privacy, it is my opinion that the logistics of the situation were far more important than the protection of your privacy. The Register seems to agree. And on another front, following the release of 20 million keyword searches performed by over 500,000 AOL customers from March to May in 2006, privacy advocates concluded that the only safe search engine is one that deletes your search criteria immediately. AOL says they did it to help researchers and that the data was anonymous. “But some privacy experts said scrutinizing a user's searches could reveal information to help deduce the person's identity,” according to a piece in The Washington Post. When will these companies realize that they should not be recklessly tinkering with our sensitive data? Jump forward now to April of 2008, and the European Union’s decision to try and limit the time search engines can keep our private information. You can see the opinion here. The report says that data should be kept “no longer than necessary,” in an account on MSNBC. The keywords here are “no longer than necessary,” and they are a symbol of the loopholes in legislation that is enacted today for consumer causes. You’ll find it in most state data breach laws—of course you won’t find it in federal bills because there aren’t any—and even in HIPAA, the Health Insurance Portability and Accountability Act. I plan a post later on how this thinking regarding limited accessibility to our private information extends far beyond search engines, and should apply to other collectors of personal data, particularly in the junk mail and non-junk mail industries, as well as the government. A Web marketing consultant asked the question of MSNBC: “Where’s the Harm?” referring to whether or not search engines keep data 6, 9, or 12 months. I won’t give you his name since it is so inane a question the asker doesn’t deserve credit. I can provide some facts that illustrate just how ridiculous his point is. “The 2007 Internet Crime Report” from the Justice Department received 206,884 complaints from January through December 2007, with a vast majority alleging fraud with a financial loss. The total dollar loss was almost $240 million (an increase of 20 percent over 2006) with a median loss per complaint of $680. That’s the harm! Although all of it obviously did not come from search engine search criteria—and I do not know just how much did since I don’t believe this is broken out—it proves the propensity of widespread Internet fraud. So why hang on to something that could pose a major problem if this isn’t “necessary?” There’s that word again, and it is time that both business and government define exactly what their parameters are for maintaining this data for several years, and then let the regulators decide if it is valid. I know, I know, that poses yet another problem.

ILLEGAL IMMIGRATION…NOT ONLY A POLITICAL ISSUE – PART 3


In Part 1 and Part 2 of this series, I covered how identity theft can be traced back to the illegal immigration movement, where stolen identities are used by workers to obtain jobs. Because the Social Security Administration does not check on the use of valid SS#s in multiple workplaces—in fact it is illegal for SS to even let the victim know this—the stolen ID can be used for months before the fraud is detected. This will either happen when the business finally confirms the SS#, or there is a raid like the one on the Swift & Co. meatpacking plants in 2006. If the worker also decides to open credit accounts using the same SS#, and then doesn’t make payments, the victim’s credit is damaged as with any ID theft. Michael Chertoff, Homeland Security Secretary, and Julie Myers, Asst. Secretary, both agree that illegal immigration is helping to amplify identity theft, even accounting for the increased activity we have seen lately. So why haven’t Congressional leaders seen this as an opportunity to try and solve both of these issues at a time when each is nearing a state of calamity? Janet Napolitano, Governor of Arizona, said it best: “Immigration is a federal responsibility, but I signed HB 2779 because it is now abundantly clear that Congress finds itself incapable of coping with the comprehensive immigration reforms our country needs. I signed it, too, out of the realization that the flow of illegal immigration into our state is due to the constant demand of some employers for cheap, undocumented labor.” Congressional incompetence has been evident in the identity theft issue by their failing to pass legislation that would give American citizens control over their names and personal data. The bill Napolitano refers to, HB 2779, is Arizona’s new tough law that imposes penalties on employers who hire illegal immigrants; the most stringent passed in the U.S. 
The New York Times did an editorial on the issue, which warns that by purging illegal immigrants in the Southwest, you threaten Arizona’s economic future by cutting off the supply of workers in a state with unemployment of 3.3 percent. But this is a political matter, and we are concerned in this blog with how illegal immigration impacts ID theft. Identity Theft 911, a Scottsdale, Arizona firm, has just released a new report with some chilling results. More than 293,000 Arizona residents were victims of identity theft in 2007, according to the Phoenix Business Journal. That’s 4.6 percent of the population, compared to the national rate of 2.7 percent. Over one third of stolen IDs in Arizona are used for fraudulent employment. The report indicates one of the possible reasons for this outsized identity theft problem being the state’s high rate of illegal immigration. There are 891,000 legal and illegal immigrants in the state, 29 percent of its population. I am using Arizona as an example because I live here, and can confirm this problem from a local level. But regardless of what triggers the bad guys to steal our identity, they will find loopholes through security measures like they have been for the last three years. The American citizen’s identity has become a commodity that has surpassed many of those traded over the major stock exchanges. And the crooks will continue to traffic in its spoils until that ability is severed by granting consumers control over their names and personal data.

Friday, April 11, 2008


ILLEGAL IMMIGRATION…NOT ONLY A POLITICAL ISSUE – PART 2


Back to 2006 and the raids on companies that had hired illegal immigrants, and how this impacts identity theft today. In what was called Operation Wagon Train, which could be interpreted as a bit derogatory, Homeland Security found 1,282 individuals, 65 of whom were arrested on charges that included ID theft. In a USA Today article, Michael Chertoff said, "This is not only a case about illegal immigration, which is bad enough. It's a case about identity theft and violation of the privacy rights and the economic rights of innocent Americans." I wasn’t aware the Bush administration cared about the privacy rights of Americans. Earlier in the year, 1,187 illegal workers were arrested at IFCO Systems, a company that makes pallets. Chertoff used W’s favorite scare tactic on national security, citing potential terrorist activity as a threat against our safety. But this time it is a valid point, because insurgents could use stolen identities to board airplanes. In my concept of granting individuals control over their personal data, a system of checks and balances could be incorporated to trigger a validation check when the ticket is purchased. When contacted, and if the real name-holder did not buy the ticket, the impostor could be arrested at the gate, if not before. In The Christian Science Monitor, Julie Myers, asst. sec. of Homeland Security—certainly not an identity theft expert—does say she thinks illegal immigration “may be a driving force behind this growth” [in identity theft]. The article also mentions a couple of men living in Phoenix, who came into the country illegally, but gained legal status. However, the two of them are now in the business of helping newly arriving illegal immigrants to get fake documents. It works like this: A coyote calls looking for papers for workers he has smuggled in. One of the Phoenix guys contacts the false document person and has the goods within 45 minutes. It’s so blatant that sometimes these people even have business cards.
Well-meaning perhaps, but at the same time it provides the opportunity for a terrorist to slip across the border and take advantage of these guys’ good will. And that is not acceptable. In May of 2005 in Mississippi, Cedric Carpenter and Lamont Ranson were caught trying to sell fake IDs to members of Abu Sayyaf, a Philippines-based Islamist terrorist group. To give you an idea of the vastness of this problem, the Castorena family organization of Mexico’s organized crime families ran a fraudulent documents ring that controlled cells in 33 U.S. states until a lieutenant, 50 members and the leader, Pedro Castorena-Ibarra, were caught. I doubt seriously if this bunch screened prospective customers to weed out terrorists. In yesterday’s post, I mentioned the bogus document business that supports the identity thieves by providing false identification. Like the ID crooks themselves, you will never stifle this business, but you can thwart their actions by giving the consumer control over their sensitive data, which makes illegitimate IDs worthless. Next post: More from Arizona on this issue.

Thursday, April 10, 2008


ILLEGAL IMMIGRATION…NOT ONLY A POLITICAL ISSUE


The threat started back in 2005, possibly even earlier, before identity theft was so prevalent in the media and on the minds of most consumers. Illegal immigrants were stealing the identities of American citizens in order to get a job, according to Homeland Security Secretary Michael Chertoff in a December 2006 New York Times article. Homeland Security agents had just raided Swift & Company meatpacking plants in six states, arresting 1,282 workers, which turned out to be 10 percent of the company’s workforce. Regardless of your political beliefs, this is a problem that reaches down to the individual level. Chertoff said that illegal immigrants stole the identities of hundreds of American citizens just to get jobs. As the Secretary promised, this has caused a ripple effect throughout the U.S. Because the Social Security Administration does not track the use of valid SS#s in multiple workplaces, the crime continues. Actually, it is illegal for the SSA to notify victims that their SS# is being used by someone else. This fact, along with several others on the subject, can be found on Scambusters.org, where they quote an interesting scenario. MSNBC reported how a legal resident from a Chicago suburb went to a Target store to apply for a job and was turned down because someone with her SS# already worked there. Not bizarre enough, she found out her SSN had also been used by 37 other employees to get work, most of whom were illegal immigrants. Scambusters tells us that this kind of occurrence happens on average 30 times with a single Social Security number. Other facts reveal that seven million illegal immigrants are currently using stolen SSNs, even paying SS tax. They consider this the price they pay for working in this country. Because many children don’t use their SS# until they are 18, an illegal immigrant can have a field day with their identity for years.
If they don’t pay for the credit accounts they have opened in the victim’s name, the 18 year old starts right off with a bad credit report. This also applies to adults whose SS# has been stolen, although most illegal immigrants are probably just interested in getting work. In another article from MSNBC, payments to an SS# with a name that is likely an illegal immigrant, called a “mismatch,” come most frequently from the agricultural and restaurant industries. The MSNBC piece says that we are “naïve” or “foolish” if we think the issue will be solved by getting rid of the illegal immigrants, or opening the doors to all who want to come in. But as long as you have crooks that will provide bogus Social Security cards and other means of identification, the problem will continue to get worse. However, if the American citizens who have suffered from this crime had been granted control over their names and personal data, their credit would still be safe, and the employer would have been unable to hire the illegal immigrant. This concept of identity control is a valid solution to the problems with securing private information that face this country today, and it is time that the Congress and business start considering their options. More on this in the next post.

Wednesday, April 09, 2008


2008 PRESIDENTIAL CANDIDATES’ REACTIONS TO THEIR PASSPORT FILES BEING BREACHED, AND WHAT IT MEANS TO THE VOTERS


Barack Obama and John McCain’s passport records were illegally accessed by government employees earlier this year, and Hillary Clinton’s were breached in the summer of 2007. We didn’t find out about any of it until March of 2008. I was thinking when this happened—and have been waiting to hear since the announcement—this is the perfect chance for one of the candidates to take a firm stand on individual rights for the privacy of their constituents’ names and personal data. Of course it didn’t happen. I say “of course” for at least a couple of reasons. One, it is an election year. And two, the presidential hopefuls depend on a lot of their support from those same corporations that are responsible for the data breaches. But one can hope. Barack Obama’s campaign came the closest to taking a “firm” stand when his spokesperson, Bill Burton, said, "This is an outrageous breach of security and privacy, even from an administration that has shown little regard for either over the last eight years.'' Burton added, "This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama's passport file, for what purpose, and why it took so long for them to reveal this security breach. Our government's duty is to protect the private information of the American people, not use it for political purposes.'' Obama reacted, saying, "It is deeply disturbing, what's happened. I talked to Condoleezza Rice this morning. She called me and offered her apologies, which I appreciated. But I also indicated that this is something that has to be investigated diligently and openly. One of the things that the American people count on in their interactions with any level of government is that if they have to disclose personal information that [it] is going to stay personal and stay private.” Democrat Joe Biden, of the Senate Foreign Relations Committee, was “deeply troubled” and “urged” Sec. of State Rice to investigate, something that no doubt won’t happen until after Bush is out of office. In a Washington Post article, Under Sec. of State Patrick Kennedy said he didn’t know if laws were broken, or if the passport information was shared. The incident was discovered when a computer-monitoring system put in place to protect politicians and celebrities was triggered and the culprits were caught. Two employees were fired and one disciplined. Interestingly, the program was developed after Bill Clinton’s passport records were accessed when he was the 1992 presidential candidate. If you are curious about what the State Dept. workers were curious about—or worse—go to Computerworld’s site where you can learn just what is in a passport record. There are juicy items that could be used against the candidates like investigative reports on why someone had been denied a passport, medical information and arrest warrants. That is, of course, if the candidate had any of these. Everything is there to steal their identity: name/address, date of birth, Social Security number. But can you imagine someone walking into a store using a credit card with Hillary R. Clinton’s name on it? The point here is that, with the perfect opportunity to move forward with a proposal for solving the identity crisis by recommending protections for the consumer for their sensitive data, we got the same old hype of being disturbed over what happened and a call for investigations. It is really up to the individual voter to change this “business as usual” crap by demanding some form of consumer protections against data breaches in the candidate’s platform, or else. Tell them you want them to propose control over your name and private information, or you’ll find a candidate who will.

Tuesday, April 08, 2008


SYNTHETICS ARE EVERYWHERE…EVEN IN IDENTITY THEFT


Although it isn’t any easier to fix, it is much simpler to detect. I am talking about “real” ID theft where the thieves steal the credit history you have established over the years and drain your bank accounts or max out your credit cards. Because the data is all authentic, the transactions go right to your credit report which, if you are monitoring as you should be, alerts you immediately to what is going on. That is also the easiest method for stealing your identity for the crooks. But there’s another way, according to the experts, that is much tougher to pull off, but just as hard for you to detect. It’s called “synthetic” identity theft—as compared to “real”—and it involves assembling data with a falsified name and address, but a valid, stolen, Social Security number. The crooks might even add fictional credit history or other characteristics like your bank account number—if they know it—to apply for new credit accounts, according to Arian Eigen Heald in IT Knowledge Exchange. See Part 1, Part 2. Thanks to Bankrate.com, here is an excellent description of synthetic identity theft: “A type of ID fraud in which thieves literally create new identities either by combining real and fake identifying information to establish new accounts with fictional identities or create the new identity from totally fake information. In typical synthetic fraud, a fraudster uses a real Social Security number and combines it with a name other than the one associated with that number. The combination often doesn't hit the consumer's credit report.” ID Analytics, a company providing identity fraud prevention for individuals and business, says “synthetic fraud is quickly becoming the more common type of identity fraud, surpassing ‘true-name’ identity fraud.” Best Security Tips, a site with generous input to this issue, gives a hypothetical scenario that explains synthetic identity fraud through stealing somebody’s medical records. 
They mention another company in the same field as ID Analytics, and with a wealth of information for consumers. It is Identity Theft 911, and you should visit this site and check out the options from “Avoiding Identity Theft” to “Facts and Resources” on the subject. This scheme works because credit bureaus are fixated on procedures that produce automatic output like your credit score, which can be measured instantly and supply a reasonable answer—at least to credit providers—to say yes or no. Because of those kinds of algorithms which allow variations in input—as Heald describes it—the fraudulent data is added to the credit report of the person whose Social Security number was used, and treated as additional information for that record. When the bad guys fail to pay the bills of the newly opened account, the negative data also ends up on the credit record as if it actually belongs there. All because of procedures by the credit bureaus that obviously should have better protection against counterfeit credit information. I hesitate to keep belaboring the same theme over and over, but there is really no other answer to correct this situation. Consumers should be given control over their names and personal data, and be compensated when it is sold to provide incentive to accept this responsibility.
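As an added illustration of the mechanism Heald describes (this is a constructed toy, not code from the post, from Heald’s articles, or from any credit bureau, and every SSN, name and creditor in it is made up), the matcher below keys a credit file on the SSN alone and folds name variations in as “additional information,” so a synthetic identity lands on the real consumer’s file; the stricter variant beside it holds a conflicting name on a known SSN for review instead of merging it.

```python
"""Toy matcher showing how a synthetic identity attaches to a real SSN.

Constructed example: not code from the post or from any credit bureau.
An inquiry carries an SSN plus the name and address the applicant supplied.
loose_match selects the file by SSN alone and merges every variation in the
other fields; strict_match treats a name that resolves to a new identity on a
known SSN as a collision to be reviewed rather than merged.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Inquiry:
    ssn: str
    name: str
    address: str
    source: str  # constructed label for the creditor reporting the inquiry


@dataclass
class CreditFile:
    ssn: str
    identities: set = field(default_factory=set)   # (surname, first initial)
    addresses: set = field(default_factory=set)
    tradelines: list = field(default_factory=list)


def identity_key(name: str) -> tuple:
    """Reduce a name to (surname, first initial) so ordinary variation such as
    a missing middle initial is not treated as a different person."""
    tokens = re.sub(r"[^a-z ]", "", name.lower()).split()
    if not tokens:
        return ("", "")
    return (tokens[-1], tokens[0][0])


def loose_match(files: dict, inq: Inquiry):
    """Bureau behaviour the post describes: the SSN alone selects the file and
    every variation in the other fields is merged into it. Never alerts."""
    f = files.setdefault(inq.ssn, CreditFile(inq.ssn))
    f.identities.add(identity_key(inq.name))
    f.addresses.add(inq.address)
    f.tradelines.append(inq.source)
    return f, None


def strict_match(files: dict, inq: Inquiry):
    """Hardened variant: an identity never before seen on this SSN is a
    collision; the inquiry is held for review and not merged."""
    key = identity_key(inq.name)
    f = files.get(inq.ssn)
    if f is None:
        f = files[inq.ssn] = CreditFile(inq.ssn, {key}, {inq.address}, [inq.source])
        return f, None
    if key not in f.identities:
        alert = (f"collision on SSN {inq.ssn} from {inq.source}: "
                 f"{key} conflicts with {sorted(f.identities)}")
        return f, alert
    f.addresses.add(inq.address)
    f.tradelines.append(inq.source)
    return f, None


# Constructed inquiries: the first two are the real consumer (once with a middle
# initial), the third is a synthetic identity built on her SSN, the last is unrelated.
SAMPLE_INQUIRIES = [
    Inquiry("123-45-6789", "Jane Q. Public", "1 Main St", "Bank A"),
    Inquiry("123-45-6789", "Jane Public", "1 Main St", "Card B"),
    Inquiry("123-45-6789", "John Fakename", "99 Nowhere Ave", "Lender C"),
    Inquiry("987-65-4321", "Bob Smith", "2 Oak St", "Bank D"),
]


def process(matcher, inquiries=SAMPLE_INQUIRIES):
    """Run every inquiry through the given matcher; return the resulting files
    and the list of alerts it raised."""
    files, alerts = {}, []
    for inq in inquiries:
        _, alert = matcher(files, inq)
        if alert:
            alerts.append(alert)
    return files, alerts


if __name__ == "__main__":
    for label, matcher in (("loose", loose_match), ("strict", strict_match)):
        files, alerts = process(matcher)
        jane = files["123-45-6789"]
        print(f"{label}: tradelines on Jane's SSN = {jane.tradelines}, "
              f"addresses = {sorted(jane.addresses)}, alerts = {len(alerts)}")
```

With the loose matcher the fraudster’s "Lender C" account and "99 Nowhere Ave" end up on Jane’s file, which is exactly where the unpaid bills would later appear; the strict matcher keeps her file to the two genuine tradelines and raises one collision for review.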

Monday, April 07, 2008


SAFEWAY CROSSES THE LINE ON PRIVACY BY DEMANDING DRIVER’S LICENSE NUMBER TO INPUT TO THEIR DATABASE


First it was Albertsons/OSCO who asked for my Social Security number to add to their corporate database, just so I could refill a prescription. I refused and they finally gave in. Soon after, an Albertsons checkout clerk wanted to input my wife’s driver’s license number to the same system to cash a check for groceries, and we declined and walked out with what we came for. And then Office Max said they needed to capture my wife’s driver’s license number into their database in order to honor a return, for which we had the receipt, just because it was over 30 days. Frustrated because it was a sizeable amount of money, my wife gave in because the store manager said it was Office Max policy. The same day I fired off a complaint to the retail chain’s president and learned it is not the policy of the company to do this, and that they would make that store’s management aware of their mistake. They also assured me my wife’s driver’s license number had been deleted from their system. All three incidents were blatant attempts to acquire personal data intended for inclusion in corporate databases that are similar to those that are being compromised on a daily basis: 8.3 million private records breached already this year, according to the Identity Theft Resource Center, from a column in the Washington Post by Brian Krebs. No real harm done from Albertsons or Office Max, so why should we worry, you might ask. I found out after researching the latest attempt to jeopardize our privacy, which was when Safeway demanded my wife’s driver’s license number, once again to transfer directly into their database. Again, she declined, and the assistant store manager said he would let it go, but for this time only. What that tells me is that they don’t really need it; they just want it. Fired up once more, I went on the Internet and searched for incidents relating to Safeway and privacy, and you won’t guess what I found.
Philip Scott Lyons of Tukwila, Washington was arrested for attempted arson last August, accused of setting fire to his own house while his wife and children were inside. Lyons, a firefighter himself, had used his Safeway loyalty Club Card when he bought fire starters similar to those used in the arson attempt. See story. All charges were dropped when the real culprit finally admitted to the crime, but in the meantime Lyons had been put on administrative leave for 5 months. It’s hard to tell who is dumber: the police department, which obviously didn’t do a thorough investigation, or Safeway, for giving up Lyons’s private information before they were sure their customer was a valid suspect. Lyons had to suffer through media accusations like “Firefighter Arrested For Attempted Arson” and “Fireman attempted to set fire to house, charges say” before being completely exonerated. The whole thing happened because of the personal data that Safeway was collecting on Lyons, and it is compounded by the fact that, if he had had control over it, the whole episode could have been prevented.

Friday, April 04, 2008


IT PAYS NOT TO BE A CELEBRITY WHEN IT COMES TO YOUR MEDICAL RECORDS


First it was George Clooney’s medical records that were breached at the Palisades Medical Center in North Bergen, NJ. As a result, 27 staffers were suspended without pay for taking a sneak peek at the information. Clooney and his girlfriend had had a wreck on his motorcycle and were treated for a cracked rib and broken foot, respectively. And to add insult to injury, another 13 employees were being investigated in the incident. Perhaps it was only curiosity, but the hospital is being questioned over whether or not it could have better protected Clooney’s records. Accessing this information without authorization is a violation of the Health Insurance Portability and Accountability Act (HIPAA). That was in September of 2007. And then in March of 2008, Britney Spears goes to UCLA for a Section 5150 in California, where the hospital has the right to hold her against her will for potential danger to herself and others. Now this is information that Spears and any person would like to keep under cover, but naturally the paparazzi were hounding her most likely right up to the emergency room door, so it was inevitable that someone inside would get curious. UCLA fired 13 employees and suspended 6 others for unauthorized access to the pop star’s medical records, according to SCMagazine. Beth Givens of Privacy Rights Clearinghouse said, "It's hard for me to comprehend -- apparently stardom is such a strong magnet that some employees will simply ignore penalties and sanctions and access medical records without authorization." Jobs were lost by 13 people who chanced a glimpse at this troubled woman after having signed a confidentiality agreement that they must have known could doom their jobs. If an employee would jeopardize their employment on a frivolous notion like the Spears incident, how far would they go to steal insurance ID numbers that could be sold for large sums of money? But it doesn’t stop there.
Another UCLA medical employee was disciplined for snooping into Farrah Fawcett’s medical records, as reported on CNN.com. Apparently details of her cancer condition were being leaked to the National Enquirer, and the LA Times said UCLA had even fired an employee. The rumor was Fawcett had given up and wanted to die, which was denied by Kim Schwartz, her attorney. It’s bad enough that the medical data is stolen, but when it’s embellished with innuendo, the crime is maliciously compounded. In the March 2008 AARP Bulletin, the subject of health information technology (HIT) is discussed, and how the medical data breaches have stalled Congress’ efforts in the implementation of electronic records nationwide. There is a genuine perceived need because up to 98,000 Americans die every year due to medical errors, with an additional 1.5 million caused harm, based on Nat’l Academy of Science Institute figures. In other words, security first, then comes the technology. How many more people will die before the U.S. wakes up to the need to protect individual privacy?

Thursday, April 03, 2008


CONFUSION IN JUNK MAIL INDUSTRY OVER ENVIRONMENTAL ISSUES CONFUSING TO ALL


This past Monday I did a post about junk mailers whining again over do-not-mail state legislation. Suggesting the industry should get out in front of the issue of unwanted mail—in many cases leading to identity theft—the implication was that rather than complain they should take action in policing themselves. It all stems from environmentalist ForestEthics who recently launched a Do Not Mail campaign. I decided to dig deeper into the background of this non-profit, but in the meantime found an editorial by Ray Schultz, editorial director of Direct magazine, in the April 2008 issue which vilifies ForestEthics for trying to destroy junk mail. Schultz puts out some questionable statistics on his medium’s contribution to landfills, but one fact is for certain. Approximately 98 out of 100 pieces of junk mail are discarded by recipients, and it has to go somewhere. My guess is that most eventually end up in the trash. Returning to ForestEthics, I checked into junk mail companies that work with the organization and found the following listed on their site: Dell, Home Depot, Victoria’s Secret, Lowe’s, Norm Thompson, Staples, and one of the largest mailers in the country, Williams Sonoma. All of these companies—many of which are members of the Direct Marketing Assn. (DMA)—support ForestEthics, but Ray Schultz, editorial director of Direct magazine, doesn’t. I realize editorials are a matter of opinion, but the indication here from this industry publication would lead us to believe that ForestEthics is wrong in their environmental campaign, whereas at least seven major junk mailers think the organization is doing the right thing. Does this mean that all of the hundreds of other catalogs out there do not agree with ForestEthics? The non-profit also charges Sears/Lands’ End with mailing over 400 million catalogs a year with virtually no recyclable content, using paper from endangered forests.
Schultz claims junk mail going into landfills amounts to “maybe 1 %.” Another environmentalist, 41pounds.org, claims 44 percent goes to the landfill unopened. That may end up being 1 percent of the total, if that is what Schultz is referring to, but any way you look at it, it’s too much when it was unwanted in the first place. Click here to see ForestEthics’ report on the junk mail catalog environmental scorecard that will tell you who are the good guys and who are the bad guys. The “naughty” ones include Neiman Marcus, Talbots, Eddie Bauer, Office Max, Sharper Image and of course Sears/Lands’ End. So how is it possible to solve a problem that creates this kind of confusion among the very companies that are at the center of this issue, compounded by industry publication editorials like Schultz’s, and the DMA’s president, John Greco, who said the environmentalists and privacy advocates “distort the facts in their efforts to eliminate advertising mail to consumers”? The answer is to take the high road and focus on the ones who provide the names and personal data that is being collected and sold…the name-holder. The American consumer. Give that person control over their name and private information, and compensate them when it is sold to provide incentive to shoulder this responsibility. Issue resolved.

Wednesday, April 02, 2008


ANOTHER HUMONGOUS PERSONAL DATA BREACH WITH ONLY QUESTIONS AS TO HOW IT HAPPENED


Unless you are from the Northeast you probably have never heard of the Hannaford supermarket chain. Based in Portland, Maine, they are now the not-so-proud owners of the largest personal data breach of 2008. The loss of 4.2 million credit card and debit card numbers took place while shoppers were swiping their cards in checkout lines. See the MSNBC story. There have been at least 1,800 cases of fraud already since the breach began on December 7, 2007. No additional private information was lost, such as name/address, Social Security number, etc. Hannaford discovered it on February 27, 2008, but did not disclose it until the week of March 17. During that period the crooks made off with about $10.3 million of the victims’ money, based on Javelin’s 2007 research figure of $5,720 per victim. According to E-Commerce Times, malware was installed on the company’s servers, but the folks at Hannaford have no idea how it got there. If you don’t know, Microsoft/TechNet defines “malware” as short for malicious software, typically used as a catch-all term for any software designed to cause damage to a single computer, server, or computer network, whether it’s a virus, spyware, etc. However, Hannaford claims to be in compliance with the Payment Card Industry standard, a security program that is supposed to protect customer personal data like this, which leads me to believe that PCI is not worth the paper it is printed on. Beth Givens of Privacy Rights Clearinghouse warns that debit card holders are most at risk because they aren’t protected by banks against fraudulent charges. Had the company notified customers earlier, who knows how many of those 1,800 cases of fraud could have been prevented.
Brian Krebs of the Washington Post, commenting on Blogger News Network, describes a typical scenario of how this could happen: by eavesdropping on a network such as Hannaford’s with “sniffer” programs, hackers could extract credit and debit card data that is not encrypted as it moves across the wire, even before it leaves the store. The New York Times said it “appears to be the first large-scale piracy of data in transit.” Two points need to be made regarding what has happened at Hannaford. First, only numbers were released; no name or address to connect to the card numbers. The fact that there have been at least 1,800 cases of fraud against card-holders indicates the persistence and ingenuity of the ID thieves. Second, this breach was committed intentionally for the purpose of compromising customers’ personal data to be used to steal money from them, as, again, evidenced by the 1,800 fraud cases. These guys don’t give up, and until consumers realize this and demand protection against identity theft, it will continue and just get worse. Computerworld reports that class-action lawsuits have been filed against Hannaford as a result of the breach, alleging inadequate security and a failure to notify victims promptly. In yesterday’s post I quoted from the legal blog Ephemerallaw that litigation is not the answer. The answer is regulation that spells out the parameters to control sensitive data, and that is consistent in enforcement. Why is this so hard for lawmakers to understand?
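The point Krebs makes is that card data crossing the store network in cleartext is what a sniffer feeds on, which means the same property is what a defender can monitor for. The following is an added example, written for this post and not code from Hannaford, Krebs, or any PCI tool: a small detector that scans already-captured payload segments for Luhn-valid card numbers sitting in the clear, and reports them masked so the alert itself does not re-expose the number. The segment names, the capture format, and the sample payloads are all constructed for the example; the two card numbers used are the publicly known Visa and Mastercard test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so an alert never carries the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    segment_id: str
    masked_pan: str


def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return every Luhn-valid PAN found in cleartext in one captured payload."""
    text = payload.decode("latin-1")   # never raises; binary bytes simply won't match
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_segments(segments: Dict[str, bytes]) -> List[Finding]:
    """Run the detector over captured segments and return masked findings."""
    findings = []
    for seg_id, payload in segments.items():
        for pan in find_cleartext_pans(payload):
            findings.append(Finding(seg_id, mask_pan(pan)))
    return findings


# Constructed sample "captured" segments (hypothetical, not real traffic).
# 4111111111111111 and 5555555555554444 are the public Visa/Mastercard test numbers.
SAMPLE_SEGMENTS = {
    "pos-auth-1": b"POST /auth HTTP/1.1\r\n\r\npan=4111111111111111&exp=1209&amt=42.17",
    "pos-auth-2": b"track2=5555 5555 5555 4444=1209101",
    # 16-digit order number that fails Luhn, plus a 10-digit phone number: no alert
    "order-feed": b"order=1234567890123456&phone=2075551234",
    # a TLS application-data record header followed by opaque bytes: no alert
    "tls-record": bytes([0x17, 0x03, 0x01, 0x00, 0x20]) + bytes(range(32)),
}


if __name__ == "__main__":
    for f in scan_segments(SAMPLE_SEGMENTS):
        print(f"ALERT segment={f.segment_id} cleartext PAN {f.masked_pan}")
```

The Luhn check is what keeps this from alerting on every long number in an order feed; the encrypted-looking record produces nothing because the detector can only see what a sniffer could see, which is exactly the point. In practice this logic would sit behind a capture tap on the store segment and fire on any hit, since a properly encrypted payment path should never produce one.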

Tuesday, April 01, 2008


LITIGATION WILL PROBABLY NOT SOLVE CONSUMER PROBLEMS IN A PERSONAL DATA BREACH…SO WHAT IS THE ANSWER?


We are a litigious society, and in some cases it is appropriate to take legal action against a company for reasons that have precedents in law. Unfortunately, the identity crisis has exploded so fast that regulations or laws, much less legal precedents, have not kept pace. The Ephemerallaw blog has covered this recently in response to several cases that have been filed. Mention was made that the typical victim would probably not take the time to file a lawsuit, even if it might result in meaningful compensation. On the other hand, there was the woman who spent 20 minutes filing a victim’s claim with the FTC and felt it was a waste of time. Which proves my continuing point that we are also an apathetic society full of “Apathetics” who want what is rightfully theirs but for whatever reason won’t do the right thing to get it. Until we get by that, neither laws nor litigation will be meaningful. The fact that one of the largest depositories of our names and personal data—the junk mail industry—has indicated that we don’t even have the right to control what mail we receive—certainly not to take control over our names and private information—should raise the ire of every consumer in this country. See yesterday’s Dunning Letter. If this industry continues to build its personal databases at the rate it is going today, without control over how your sensitive data is used, we are headed for disaster. And there are also the non-junk mail businesses—pharmaceutical and mortgage companies, supermarkets, insurance companies, health care providers, loyalty programs, to name a few—that have learned just how valuable this private information is, and are in a frenzy to collect all they can.
If we are talking about compensation, businesses that sell our names and personal data should share the proceeds with the name-holders—without whom there would be nothing to sell—and from the junk mail industry alone, the average retiree could supplement their Social Security or pension with $607 a month. And this doesn’t even include the revenue from non-junk mailers. Ephemerallaw asks, “So what is enough?” in answer to the fact that litigation is not likely to work. Regulation is the answer, “clearly written and consistently enforced.” Amen! Continuing, the blog points out that most businesses want clear guidelines on how sensitive data should be collected and used. I have always thought this could be established by passing federal legislation that would grant consumers control over their names and private information. However, we’re in a presidential election year, and most Congressional leaders are so frightened of their own shadows that they worry about losing even a single vote. Besides, when this whole thing started back in February of 2005, there was a rash of activity in Congress to pass data breach legislation, and it has gone absolutely nowhere. Three years later and zilch, so one might expect that, even after the November election, the “do-willies” from Washington would just piddle away another three years. My opinion is that a patchwork of state laws to create this regulation would be a nightmare for business and government, which would eventually place a burden on the consumer. So what we need is for California to step up to the plate and pass a law that gives consumers control over their names and personal data; that’s where the identity crisis started, with CA SB 1386, which brought ChoicePoint to its knees. Then, maybe, Congress will wake up and do the right thing.