Friday, February 27, 2009

Grant Hall’s e-book, Privacy Crisis, shows readers “where to get the goods and services to remain invisible.” Grant is a hardcore privacy advocate who portrays the personal data collection system as completely out of control, and provides consumers a way to solve their individual situation. This is a continuation of a series of guest articles in which I feel readers will have interest.


By Grant Hall

One in twelve women will be stalking victims during their lifetimes and most stalkers are ex-husbands and previous boyfriends (Ohlson).
More than eighty percent of women who are stalked by ex-lovers are assaulted by their stalker and thirty-one percent of these women are sexually assaulted. Seventy-six percent of the women murdered each year were previously stalked by their killers according to Ohlson who wrote Stalking the Divine: Contemplating Faith With the Poor Clares.
Since the odds of being stalked and harmed by a tormentor increase when accessible information is readily available, a prudent plan to avoid these dangerous individuals would be the implementation of a high-level privacy plan.


One’s home address is the quickest link to their physical location, unless privacy tactics are in place.
Homes can be owned anonymously through the use of a Trust and an Administrative Trustee can sign any and all required forms on behalf of the Trustee, the manager equivalent of the trust (Hall).
Mail drop nominees can be used to receive and forward mail thereby avoiding the use of a home address for mail communication purposes.
Only trusted friends and relatives should have access to a privacy seeker’s home location.
Without a link to a victim’s home address, a stalker’s efforts toward harassing a victim at their physical location will be thwarted.


Separating one’s name and home address from their car is a necessary privacy tactic to avoid having the normal driver’s name and address surface when databases are searched.
A trust is the most private entity as only those forming the document and those included in the trust documents have a need to have knowledge of the provisions of the trust. A trust does not have registration requirements.
Trust owned automobiles are more easily insured than those owned by Limited Liability Companies and Corporations in most cases. And when the trust owned car is registered properly with the Department of Motor Vehicles or other state agency, there will be no mention of the trustee and normal driver on the automobile registration. This important detail assures the driver absolute and total privacy as he or she travels.
Stalkers frequently hire individuals who have access to automobile registration databases in order to locate their victim’s car and address.


Today, many states allow for the freezing of a consumer’s credit files. This is a huge privacy advantage and should be accomplished in order to preserve privacy.
Once credit files are frozen, only the consumer’s release of a password allows for the viewing of the credit file.
Serious privacy advocates never provide their home address to anyone except those in their close circle of friends and relatives, and this includes the credit bureaus and ALL businesses.

Part II of “Stalking Solutions” in my next post. In the meantime, visit Grant Hall’s site for lots of free information and his e-book, Privacy Crisis.

Wednesday, February 25, 2009


They are lurking out there again as they always do around tax time. Although we have gone through the attacks before, we will suffer an encore of identity losses between now and April 15 that makes me wonder what it will take to convince consumers never to give up their personal data unless they are sure who they are giving it to. Maybe we could enlist all of you that were made victims in 2008 to spread the word around that this is a fraud.

The Dept. of Homeland Security has taken notice of what’s going on and issued a bulletin on the scam from its U.S. Computer Emergency Readiness Team (US CERT). Just scroll down and click on “Feb. 6, IRS Stimulus Package Phishing Scam” to get the details. You’ll be asked in an e-mail to provide your private information by following a link to the crook’s website, or to complete an attached document. No matter how much they are offering you in a refund, don’t do it. The IRS never corresponds with taxpayers for matters like refunds or asking for personal data by e-mail. They only do it by regular mail.

Homeland Security gives a link and encourages users receiving fraudulent e-mails to forward the message to their e-mail: There are also four points supplied to help the public mitigate the risks. If you read this and have a friend or relative, or business associate you know to be somewhat apathetic about the possibility of someone stealing their identity—and there are hundreds of thousands out there—I urge you to suggest that they visit this site.

As always, you can depend on MSNBC’s Consumer Man to cover the latest scams. Herb Weisbaum’s article, “Latest 'phishing' scam lures you with tax return,” talks about how the bad guys suck you in with a promised tax rebate. And who can resist that? Unfortunately, a lot of “gullibles.” That’s my term, and I’m sorry, but after years of grinding away at what to avoid on this issue, there are still those who bite. Someone should do research on the victims so we might begin to realize just how to solve the problem.

As Weisbaum indicates, the scam does deal with a substantial refund, and these are tough times when you just hope that today will bring better news, and, then, there it is. The author calls it a “sense of desperation” that is known to exist by the crooks, and which they prey on with the utmost sophistication.

They ask for your Social Security number, date of birth, mother’s maiden name, credit card information, even your ATM PIN number. First of all, the IRS already has your SS#, and why could they possibly need the PIN for your ATM card? Red flags are hoisted all over, but all the victim is thinking about is the promise of something they probably already know they don’t have the right to. As the article indicates, the IRS does not send refunds by e-mail, does not audit people by e-mail, and does not collect taxes by e-mail.

CAUTION: If you get one of these e-mails, first, forward it to the IRS e-mail, above, then DELETE it at once, and never look back. Then help everyone you know to avoid the scam.

Monday, February 23, 2009


“For the first time in the past five years, identity fraud rates increased over the prior year. Yet during the same period, average consumer costs decreased sharply, according to the new Javelin report on identity theft.” Discouraging, yet somewhat encouraging. But some figures in the “Executive Summary” are downright frightening.

• Identity Fraud Victims Increased 22% to 9.9 Million in 2008
• Existing Credit Card Frauds Drive Expanding Incidence Rates
• Economic Downturn Historically Results in Increased Domestic Fraud
• Traditional Access to Private Data Continues to Be Commonplace
• Social Security Numbers/name and address Top Compromised Data among Victims

Let’s explore each of these points with hard figures. 1.8 million more ID theft victims in 2008 over 2007 means an additional $892,800,000 out of the consumers’ pockets, and $7.8 billion lost by business. Total loss for 2008 is $48 billion compared to $45 billion in 2007.

Annual credit card fraud grew by 16 percent from $19 billion to $22 billion in 2008. New credit card accounts fraud also rose by 20%, from $15 billion to $18 billion. For four years now, I have been expressing my concerns over unsolicited credit card mailings in this blog, one of the vehicles the crooks use to open new accounts.

With the unemployment rate topping 7 percent and thousands more jobs lost each month, there is desperation in the air in this economic downturn that is not likely to end any time soon. It provides the perfect environment for fraud, and today the fraud of choice seems to be stealing someone’s identity with whatever financial gain the crooks can extort. This demands the closest scrutiny ever for any transaction involving personal data.

While online access to private information remains at 11 percent according to the 35 percent of victims knowing who accessed their data, traditional access is still extensive. Things like the loss or theft of your wallet, checkbooks or credit cards total 43 percent of incidents where access is known. And here’s the kicker…a point I have been harping on for two years. There was an increase in data used that had been stolen and held for use until the one and two-year time periods ran out for free credit report inspections given by the breachers. I still believe this is the biggest threat to the security of our sensitive data.

Don’t give away the bank…in this case your Social Security number. In 38 percent of Javelin’s survey respondents, the data compromised was SS numbers. Name and address accounted for 43 percent, and when you add date of birth to the latter, that is all that’s necessary to wreak havoc with your credit.

Along with all the above, when you consider that the resolution time to correct the problem climbed again to 30 hours in 2008 from 26 in 2007, it should be obvious to all that protection is the way to go, and I don’t mean paid protection but simple preventive measures consumers can use on a daily basis.

An interesting point: with the millions of individuals buying protective ID theft services in 2008, we still had a 20.7 percent increase in fraud victims as a percent of U.S. population. From 3.58% in 2007 to 4.32% in 2008. Think about it.

If you want solid, thorough and concise information on how your identity can be breached, and how you can protect yourself from fraud, go to the Javelin 2009 Identity Fraud Survey Report – Consumer version. There is no easy way to handle this dilemma, and until the American public realizes that they must take responsibility in the protection of their names and personal data, we won’t see an end to the identity crisis.

Friday, February 20, 2009


Based on my 35 years as a list/data broker, I have tried to convey to readers the danger of how junk mailers, and non-junk mail companies, recklessly collect, manipulate, and sell your names and personal data. It is rare that I can digress and talk about a junk mail company other than to criticize.

Vermont Country Store has been around for 64 years doing what most good catalogs do best: unearth the unusual for its customers. But Lyman Orton, the proprietor, resurrected an item recently that is sure to spice up the demure Vermont company, and bring back memories of my catalog days. I’ll explain the resurrected part later.

Lyman, age 64, added sex aids to the pages of his catalog known for selling heavy-duty toenail clippers and pine tar soap, according to an article on MSNBC. Items like pleasure gels, arousal creams and a six-speed vibrator. In case you aren’t familiar, that’s another name for dildo. But six-speeds? And that is where the “resurrected” part comes in.

When I was director of marketing for the Sunset House catalog some 30 years ago, we received a letter from one of our female customers who exclaimed that we had saved her marriage by introducing a six-inch vibrator to our catalog. In over two pages of hand-written copy, she praised this new item as if it saved her life, not her marriage.

The letter was circulated among top executives with everyone, of course, adding their own personal comments. The episode was talked about for a while, then forgotten. That is, until we received a second letter from the same customer. It was much more serious.

She started by thanking us again profusely for selling the six-inch vibrator in our catalog. She even stated that her marriage was still as healthy as before, but she did have a request. She had heard somewhere there was a nine-inch vibrator available. She implored us to please include this new version in our next catalog.

The catalog’s merchandise people had already reviewed the item and it was front-and-center in the next edition. Needless to say, we were thanked for coming through again.

It’s nice to write a feel-good story like this, and there will be a follow-up in the future reporting on how Vermont Country Store eliminates junk mail through predictive modeling, a practice that many junk mailers shun. In the meantime, visit their site here.

Wednesday, February 18, 2009


It would seem Facebook founder Mark Zuckerberg never learns. Once again he changed policy, granting the social networking site the ability to control users’ information forever, even if you cancel your account. Zuckerberg apparently did not take heed after the 2007 debacle where he had to back off a tracking tool called “Beacon” that displayed customers’ shopping habits and activities all over cyberspace. In another article on MSNBC, he recanted again just a day after the latest boondoggle, when apparently tens of thousands of users complained. Zuckerberg said the move was temporary, until the company develops new terms defining its privacy policy. What that means to me is that Mr. Z hasn’t yet comprehended the right of the individual to maintain control over their names and personal data, and, believe me, this is not only a Facebook problem. This is the dilemma of the entire data collection business.

On the other hand, Maine police credit Facebook in the solving of a crime by posting pictures of teenagers who vandalized a crime caught on surveillance cameras.

President Obama reneges, somewhat, on “open government” policy. It seems Justice has decided to retain some Bush policies on keeping the data collection and secret surveillance of U.S. citizens. They want to determine whether it will conform to the rewrite by the new administration of the Freedom of Information Act guidelines. After former Attorney General John Ashcroft supported Bush’s warrantless domestic wiretapping, Obama pledged “an unprecedented level of openness in government.” Several requests are pending based on the FOIA re. the former administration’s tactics, and there is some doubt if these will ever be satisfied. I think most everyone agrees we should look to the future and not belabor the past, but when the American public has just experienced the worst case of Big Brother since Orwell’s 1984, many agree that we should at least know what really happened. The question today is who we can trust to define what information is too sensitive for release to the public?

Opinion piece in junk mail industry publication, DM News, promotes respecting consumer privacy. David Henkel, President of Johnson & Quin, specializing in printing, mailing, and database management for junk mailers, says “Consumer privacy must be respected.” He talks about personalization in the business of reaching the right customer with the right offer, and how it must not be carried too far. Targeting is good if it does not get into individual household personal data that clearly invades the person’s privacy. Things like whether or not you gamble or drink, what specific ailments you suffer from, and what medications you are taking. Targeting can be accomplished at acceptable levels larger than the individual household. But Henkel really caught my eye when he started talking about how customers’ credit card numbers are stored by junk mailers, those you buy from, even if you haven’t made a purchase for years. As the director of marketing for a large catalog company, I can confirm that the credit card number was maintained as a normal part of the customer’s record. That was a while ago, and it occurred to me that we need to know what junk mailers are doing about this today in a much more volatile marketplace. Report on this later.

Monday, February 16, 2009


If your income is less than $100,000 annually, you received 26 percent fewer credit card offers in 2008, compared to 2007. A prime example of how the junk mail industry manipulates your personal data to maneuver consumers to respond the way they want them to. According to Mintel Comperemedia, which does research for junk mailers, in a ConsumerAffairs report, funds for lending were down, and with the credit card companies already losing on current loans—apparently from those with incomes less than $100,000—they cut mailings back significantly.

Does that halt the barrage on our mailboxes? Not really. They just found another surrogate: businesses you are already dealing with that veil the solicitation under their name, hoping you will make the assumption they endorse the credit card offer. Of course, the business gets a cut from each application returned.

It goes like this. Holland America Line’s headline exclaims: “Presenting the Holland America Line Rewards Visa Card…Your next cruise is closer than you think.” We are cruisers but we have never been on Holland America, so why would I feel any relationship toward them? This is relationship marketing, or affinity, or third party, meaning the company uses their relationship with the customer to sell you something they have absolutely no control over if something goes wrong.

On the other hand, we have been on Princess Cruises, from which we have received two offers in the last couple of weeks. U.S. Airways has hit us twice in the same period of time, and the list goes on. This has been going on in junk mail for at least 35 years, and in bad economic times can be a boon to both of the businesses involved. By sharing the cost of the mailing, or riding piggyback in the company’s regular mail, everyone wins, except the consumer.

I say that because a 2009 survey just released by Javelin Strategy & Research says that 33 percent of the respondents reported that new credit card accounts were opened fraudulently in their name in 2008. That’s an increase of 27 percent over 2007. It only takes the crooks a few minutes on the underground Internet to buy your personal information like Social Security, date of birth, etc., and they are on their way.

You may eventually prove to the credit card provider that you weren’t the bad guys, but you will have a much larger battle convincing the three credit bureaus, Equifax, TransUnion and Experian, to correct your credit history, especially Experian. As an example, the average resolution time to fix your credit in 2008 was 30 hours, up from 26 in 2007.

In the near future I am going to review the complete Javelin 2009 Identity Fraud Survey Report. Here’s a preview of what they found. Identity fraud victims increased 22 percent to 9.9 million in 2008. Economic downturn historically results in increased domestic fraud. Traditional access to private data continues to be commonplace (emphasis added by me). For the consumer version—which I highly recommend reading for some great insights into preventing or dealing with ID theft—go here.

Friday, February 13, 2009


Wikipedia defines the “inside job” as “…a crime, usually larceny, robbery or embezzlement, committed by a person with a position of trust who is authorized to access a location or procedure with little or no supervision, e.g., a key employee or manager.” It goes on to identify former employees knowing the company’s layout as potential perpetrators. In Wednesday’s post, “IDENTITY THEFT INCREASES 47 PERCENT IN 2008 OVER 2007,” I quoted a just published report by Identity Theft Resource Center (ITRC) finding that Insider theft doubled in 2008 over 2007. When the times get bad, the bad get smarter.

At the end of 2008, there was an article from MSN Money with some facts that are both scary and eye-opening. It stated that 18 percent of the corporate world saw an increase in monetary theft among employees, with another 41 percent unsure. Here’s a statement that should jar any company: “Employers are hot targets for theft because workers ‘…know their systems, controls and weaknesses, and they can bide their time waiting for the right opportunity.’” This from Jack L. Haynes Int’l, supplier of workplace crime-prevention services.

And the employees guilty of the biggest heists frequently are the most highly trusted. These are the ones who can get into company computers and make off with your names and personal data. They are close to it every day, often with unlimited access. I am not just talking about junk mail databases of millions of names and private information, but also non-junk mail companies that also warehouse your sensitive data. Folks, there are few corporations out there that don’t maintain thousands of personal records on their customers and/or employees.

A Pricewaterhouse study even found that senior-level workers that had been around over seven years were responsible for 25 percent of all reported internal fraud. Most are men and they are well educated. Jack L. Haynes Int’l reports that about one out of every 28 employees was apprehended for stealing in 2007. Combined, these are all the ingredients for a disaster if the downturn in the economy gets worse and more people get desperate.

TechNewsWorld said it back in 2007: “A ticking time bomb of sorts is hidden away in the cubicles and workstations of many businesses. When it goes off, the personal financial information of customers and workers could be laid bare.” Yet one more survey provided some of the most significant findings. A Compuware commissioned study by Ponemon Institute revealed that 75 percent of all breaches in the U.S. were caused by insiders, while only one percent by external hackers.

So what’s the solution?

Bring the consumers of this country together to demand that Congress and the new administration get together to pass legislation that gives consumers control over their names and personal data. In the same bill, allow for compensation to the name-holder when it is sold to encourage individuals to assume this new protective responsibility. Now is your time to be heard. Contact your U.S. Representative; your Senator; The White House.

Wednesday, February 11, 2009


If you thought you had seen the worst of the identity crisis, think again. A report just released by the Identity Theft Resource Center (ITRC) shows 656 breaches disclosed in 2008 compared to 446 in 2007, a whopping increase of 47 percent. Like The Dunning Letter has been saying since mid 2008, the bad guys are just getting started, and, unfortunately, they are getting better. ITRC breaks the breaches down into five groups: Business had 36.6%; Education 20%; Government 16.8%; Healthcare 14.8%; and Financial Institutions 11.9%. While Government improved from first to third, Business took over this unenviable position.

The most frightening figures, proving the sheer recklessness of all data collectors, are that only a pitiful 2.4 percent of all breaches had encryption, and just 8.5 percent had password protection. Folks, we are in year three of this identity dilemma which started when the ChoicePoint data hit the fan in February of 2005 and brought this whole mess out into the open. Apparently the term “what does it take” is completely lost on those who collect, manipulate and sell our names and personal data.

ITRC breaks data loss down into five methods: insider theft; hacking; data on the move; exposure; and subcontractor. Further, they divide the latter by financial institutions, general business, education, government and healthcare. In last Monday’s post, “JUNK MAIL NEEDS REGULATION…AND NOW!” I talked about data on the move in the junk mail industry, specifically from mailing list/data brokers. Hundreds of thousands of names and private information sent to the wrong address and never retrieved. It would be an ID thief’s dream if he or she knew how to locate this gold mine…and eventually they will learn.

Electronic breaches still maintain a significant lead over paper breaches: 82.3% versus 17.7%. Insider theft has doubled in 2008 over 2007, which leads me to believe that more employees are discovering the value of the sensitive data they handle. Although I have absolutely no confirmation that this has ever happened, it seems to me that it would be terribly easy, and almost impossible to detect, an intentional shipment of a storage disk with consumers’ private information to a pre-arranged “wrong address,” delivering it right into the hands of identity thieves.

ITRC reports that 41.9 percent of data breaches in 2008 went unreported; down from the last figure I could find where a 2006 Ponemon Research survey said it was 79 percent. The current estimate means that hundreds of breaches not being reported could be yielding the loss of millions of consumers’ personal records that we do not know of. When you combine that with the number of ID theft victims that do not report their loss, the results could be astronomical.

One of the recommendations from ITRC is that when sending data from one location to another, it should be encrypted. When only 2.4 percent of 2008 breaches had encryption, their suggestion sounds like a cry in the wilderness. Like we have learned over the last eight years, business is not going to regulate itself. Only federal legislation is going to get the job done, and we are fast running out of time.

Monday, February 09, 2009


Two articles recently from junk mail industry publication, Direct, caught my attention, because they forecasted the possibility that more data breaches could eventually originate within that business. The first, “Why Direct Marketers Switch Jobs-Often,” quotes a recent study that says “…entry-level people work for 10 to 12 companies.” These are the folks that actually handle the processing of your names and personal data for junk mailers’ advertising campaigns. The typical employee spends about 2.8 years with a company, which isn’t unusual in the current marketplace.

So how can this potentially affect the mishandling of your names and private information? Part of the problem is obvious with the regular turnover of people serving in that capacity; training is limited and experience is short. In my 35 years as a list/data broker, I personally witnessed situations where data storage devices were lying out in the open at catalog companies, list/data brokers, and computer facilities where millions of consumer records were processed daily.

There is no doubt in my mind that security has increased at every level since the 2005 ChoicePoint debacle, but this is still an entry-level clerk’s position, and you do get what you pay for. Privacy Rights Clearinghouse (PRC), one of the country’s leading privacy advocates, has “A Checklist of Responsible Information-Handling Practices” on its website. The Direct Marketing Assn. (DMA) has its own “INFORMATION SECURITY GUIDELINES.” Any company, junk mail or non-junk mail, that follows these guidelines would have a reasonably secure environment for its personal data.

As an example, they both recommend establishing a center for privacy control and putting one person in charge. PRC suggests doing penetration studies regularly to determine if the crooks can get through your security network. The DMA advises that junk mailers should ensure that all third-party handlers of their data take responsibility for securing their data. Both PRC and the DMA stress making sure private information is secure in transit from one location to another. And herein lies one of the biggest dilemmas in junk mail.

Once again during my tenure as a list/data broker, although the clerk handling our list order(s) had a typed “ship to” address right in front of them, somehow in the process of transferring that to their list order instructions, they sent it to the wrong address. Since by the time we received confirmation of this it was out of their door into the hands of UPS or FedEx, it was impossible to stop. It was re-shipped but on occasion when we asked the clerk if they found the other data storage device, the answer was almost always no.

The second article from Direct was just as unnerving since it stated that nearly half of all junk mail companies have a hiring freeze, and 20 percent of them are planning to reduce staff. Obviously this is happening in all industries and cannot be helped in the down economy. Which brings me back to the headline, above, that accentuates the need for regulation. The government should establish guidelines for the handling of names and personal data by the mailing list business, much more stringent than those already on the books.

Billions of sensitive data records are handled by junk mailers each year, yielding these companies $4 billion of revenue on an annual basis. It’s time to put some of this back into protecting the consumer.

Friday, February 06, 2009


As a sign of the times, a recent headline on MSNBC said: “Even porn industry hit by slumping economy.” Currently residing in Arizona where golf courses are as plentiful as convenience food stores, I had heard from a friend that golfing has followed the trend. But I was more than amused when Worldata, a large junk mail list/data broker, published the results of its latest List Price Index, which is a survey documenting how much junk mailers pay for mailing lists with your name and private information. There was a significant decline across major categories of lists such as books, CDs, consumer magazines, and general merchandise buyers.

If you want to see the full report on the degree to which your sensitive data is precariously peddled around the U.S., even around the world in some cases, go here. If you want me to paint the poignant story for you, read on. Almost four years ago when I launched The Dunning Letter, I contacted a number of sources from the Direct Marketing Assn. (DMA) to junk mail industry publications like DM News and Direct to learn the total revenue the list business raked in from your names and private information. Not only did they not know—or, at least, they weren’t telling—but they suspiciously wanted to know why I wanted to know.

In most cases it was made clear to those asked that the information was for a piece I was writing on the industry. Doors slammed shut and telephones went “click,” which basically ended my efforts to acquire this figure from those who could most accurately determine the annual results. After a couple of months assembling numbers from a conglomeration of reports provided to the public by the DMA, and doing research through the archives of DM News and Direct, I was able to create my own formula and arrive at the total. It was determined that every year the junk mail list business grosses around $4 billion from the sale of consumer names and personal data.

I am all for free enterprise, but why is this a one-way path to the pockets of junk mailers when they would have nothing to sell if not for the name-holder? That’s YOU, of course. Most of my regular readers have heard this over and over, but why not share the wealth with those without which no revenue would be possible? Another interesting formula I have come up with reveals that if half the $4 billion was placed in a simple interest-bearing account for the name-holders, at age 65 they could supplement their retirement with an additional $607 monthly.

Getting back to a sign of the times, with pension plans and Social Security in jeopardy as they are, has someone got a better idea? If so, please come forward. My contention is that with a new administration in Washington, it is time to get back to individual rights, and there is nothing more individual than our sensitive data.

Wednesday, February 04, 2009


Continuing with the Liz Pulliam MSN Money column, red flags should have gone up all over the place when the crooks were developing their latest method of stealing our sensitive data. They would have if we had a CIA-type surveillance of the Internet underground. And why not? With the economy tanking, and identity thieves rushing to take advantage of the situation, this would be the perfect time for industry to step in and form a consortium to infiltrate the bad guys. The cost would be small across the board, and the results could be significant. It’s an idea that could happen; that is, if business is really serious about securing our private information.

Vishing is the latest consumer scam that is a spin-off from phishing, which is when the ID thief sends you an e-mail, claiming to be a legitimate company with the idea of heisting your sensitive data. Vishing, on the other hand, uses the telephone or cell phone to do the same thing by leaving a voice or text message that says your bank or credit card account has been compromised. Recipients are told to call a toll-free number where they are instructed to dial in credit card or bank account numbers, including PIN numbers.

It suddenly occurred to me while writing this article that one of the most unique factors in the identity crisis is the number of names we have had to come up with, almost on a daily basis, just to keep up with the spate of consumer scams.

Vishing has been around for a while, but has recently picked up speed according to a December 2008 FBI report identifying new techniques exploiting the software used in the scam. Asterisk is free software used with Voice over Internet Protocol (VoIP), which allows the bad guys to call multiple numbers leaving their automated messages. You should never reply to these calls; neither banks nor credit card companies use this form of communication to contact customers. One documented incident as late as mid-January 2009 used American Express as the target company.

In another article, in The Washington Post, computer security columnist Brian Krebs outlines “The Anatomy of a Vishing Scam.” Krebs leads with a reality that has been troubling to Internet providers and users for some time: the fact that there are gaping holes in our technology that allow these breaches. It could lead one to believe that the scam artists are much smarter than the technicians that maintain our names and personal data. The piece confirms the use of the VoIP software, and documents the sophistication used by the crooks.

As an example, one group of attacks was directed to financial institutions’ customers’ cell phone numbers, but restricted to only the geographic area served by the bank to maintain credibility. After compromising a web site to serve as their host, they downloaded the phone numbers that would receive the vishing messages and they were on their way. What is frightening is the fact that Lawrence Baldwin, who was brought in to investigate the attacks, learned that from one server alone about 4,400 people actually called the bogus number, and worse, 125 of those (2.8 percent) entered their full credit/debit card number, expiration and PIN.

Like P.T. Barnum said: “There’s a sucker born every minute.”

Monday, February 02, 2009


If you think the heisting of our sensitive data has already been as bad as it can get, then think again. Preying on the elderly and the suckers among us is bad enough, but taking advantage of bad economic times—which much too often still involves the elderly—is a step that establishes the identity thieves as the worst of the scumbags. But this is the normal approach for the greedy, and we should have anticipated their plans. However, their tactics and modern technology seem to move at a pace just ahead of law enforcement, which is unfortunate for the consumer.

Liz Pulliam Weston’s column on MSN Money, as usual, does an excellent job of taking us from the present into the future of where we can expect to go with the identity crisis. Yes, we had fewer victims in 2007 (2008 results are not out yet) by .67 percent. The Javelin Research report goes on to recount just where your private information breaches are coming from: 33 percent lost or stolen wallets; 23 percent lifting your PIN or credit number while looking over your shoulder during a transaction; 17 percent by your family or friends; 12 percent online; and 7 percent resulting from data breaches.

Pulliam has indicated in her piece the fact that ID theft resulting from data breaches ranks last, but let me point out that, even in last position, it produced just under 600,000 victims in 2007. At $5,720 each, that’s $3.3 billion lost by consumer fraud, and 14.7 million hours wasted by them in repairing their credit. Of course this is only one method of stealing your stuff. One can only wonder if all this has taken its toll on the productivity of the American worker. It has certainly established its position in whittling away at the family budget of those affected.

The article has some good points on how to protect your personal data, from maintaining a file of credit card telephone numbers in case of loss, to whether or not you should freeze your credit. I strongly urge you to read this piece in its entirety for a wealth of facts that will help keep your identity safe. Of particular note is a section on ATM use, and the protection of your PIN numbers due to the fact that the crooks are increasingly targeting bank accounts. You close one door and they open a new one immediately in their quest to steal our private information. What Pulliam is saying—as is about every privacy advocate in the world—is to be vigilant any time you are in the process of a financial transaction.

Pulliam also covers the latest twist on “phishing,” which is when the bad guys send you an e-mail, claiming to be a legitimate company with the idea of heisting your sensitive data. The new spin on this is called “vishing,” which involves leaving a voice message on your telephone landline or cell phone, or text messaging your cell phone. That’s next time.