Posts Tagged ‘id theft prevention’

AARP Identity Theft Course for Seniors

Wednesday, August 26th, 2009

The Houston Family Examiner has written an article entitled “Tips to protect senior citizens from elder abuse identity theft”. In this article, I was pointed to the AARP as one of the sources for information on identity theft for the elderly. There, I found a wealth of useful information to pass along.

The AARP writes articles regularly on identity theft, such as this one. This article suggests great preventative measures for identity theft including: checking your credit report once a year, never giving out your Social Security Number, shredding personal information (including credit offers), cutting back the number of cards you carry, hiding your PIN when you key it in, keeping information in your home secure (consider a safe) and never giving out your credit card or banking information to anyone unless you independently can confirm they are a legitimate business.

The AARP also offers an Identity Theft Course to help you understand and identify identity theft. The course will help you:

  • Know what identity theft is
  • Do a wallet check to protect yourself from identity theft
  • Take steps to protect yourself from identity theft in your home and on the road
  • Recognize early warnings of identity theft
  • Take the first steps if you’re a victim of identity theft
  • Have the numbers to call to get help or more information

Start the course here!

Hat tip to I’ve Been Mugged

Social Security Numbers Can Be Predicted

Wednesday, July 8th, 2009

Two researchers at Heinz College, Carnegie Mellon University, were able to successfully predict Social Security Numbers using only publicly available information. The study by Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers from Public Data, will be published in the ‘Proceedings of the National Academy of Sciences’ and will be presented this July at the BlackHat convention.

Social Security Numbers (SSNs) are a primary piece of personal information sought by identity thieves, so it has always been cautioned that individuals and companies protect this sensitive information closely. However, this new study indicates that SSNs can be predicted from publicly available data.

Based on patterns in SSNs visible in the “Death Master File” (a database with SSNs of people who have died), Alessandro and Ralph were able to determine that date of birth and state of birth could be used to predict a narrow range of values likely to contain the individual’s assigned SSN. This information becomes more accurate for individuals born after 1988.

Within 2 attempts, the researchers were able to correctly guess the first 5 digits of SSNs for 60% of deceased individuals; within 1000 attempts, they could identify all 9 digits for 8.5% of the group (a number that would inevitably go up with more attempts). A hacker could then create a process to exploit existing services to test and verify SSNs.

Since SSNs are considered a primary form of identification, upon which you can apply for additional identification or for credit, there are troubling consequences to this discovery. From the executive summary of the study:

Since SSNs are predictable from public data, identity theft could occur even without events such as data breaches. Some of the implications are that 1) the SSA should randomize the entire SSN assignment process; 2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as “confidential information” – however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective; 3) since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

The report makes some recommendations to government agencies, policy-makers, credit and financial institutions, online services and consumers regarding SSNs. You can read them here.

Via Wired; Image: imelenchon

How Much Info About You Is Online?

Thursday, May 14th, 2009

Robert L. Mitchell of Computerworld decided to tackle his own identity online to see just what information about himself he could dig up. After a privacy activist was able to retrieve his Social Security number, full name, address and a digital image of his signature online, Robert was both concerned and intrigued about what else could be out there.

Robert spent a few weeks combing through public and private resources (some paid) on the web to build up a dossier on himself. He spoke with everyone from private investigators to privacy experts. And in the end, Robert found that there was a vast amount of information about him online, and not all of it accurate. Many states have not taken adequate steps to redact sensitive information from the documents, such as mortgage documents, they make available to the public.

Robert put his full findings online, also breaking down the information by type of source. His first source was government records, that let him pull up his full legal name, address, Social Security number, spouse’s name and Social Security number, price paid for home, mortgage documents, and signature. Robert continued his search with free people searches, search engines, image searches, social network searches, and paid searches. And that may only be the “tip of the iceberg”, in terms of what else is easily accessible.

“Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents — and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.”

I was surprised to learn from this article that public records that contain Social Security numbers are not well regulated, and that if the government makes those records public, it can open that information to republishing without repercussions. You can read more about that in the call-out box at the bottom of this page. 

Robert’s search was very revealing, and certainly had him reviewing all the information available about him online. He’s taken steps to redact his Social Security number from government records online and has gone so far as to call his credit card and bank companies to test their authentication policies. In some cases, he was authenticated using this information he found online and, to his credit, he’s suggested those companies review their authentication protocols. We mostly consider identity theft the result of lost or stolen information, but this exercise shows that you may be at risk already.

Have you found your Social Security number or other sensitive information online? Let us know in the comments.

Also check out this 3D artistic representation of security threats. Makes all these horrible threats seem almost beautiful!

image: mconnors @morguefile

Free FTC Credit Reports

Thursday, March 26th, 2009

I know you’ve seen the advertisements for “FreeCreditReport.com,” the catchy commercials prompting people to avoid being victims of identity theft by monitoring their credit reports. The catch: that site wasn’t free. The credit report came free in exchange for a monthly credit-monitoring cost from Experian. According to the Fair Credit Reporting Act, all the consumer reporting companies (Equifax, Experian, TransUnion) are required to provide you a free credit report upon request every year. As the FTC notes:

The Federal Trade Commission has received complaints from consumers who thought they were ordering their free annual credit report, but instead paid hidden fees or agreed to unwanted services. Don’t be fooled by TV ads, email offers, or online search results. Go to the authorized source when you request your free report.

Well, the Federal Trade Commission (FTC) decided to start up their own service, a free one, no catches. Their website? AnnualCreditReport.com. Yeah, if that’s not enough, their ads also parody the Experian ones.

Here’s the same FreeCreditReport.com ad overlaid with warnings to be aware of deals like these:

Checking your credit once per year gives you an opportunity to make sure the information is accurate and up-to-date. Not only that, it helps you spot identity theft. Because your credit is used to evaluate insurance, employment and more, it’s an important step to take in safeguarding your identity.

Via dunning letter, philly.com

9.9 Million Adults Impacted by Identity Fraud in 2008

Tuesday, February 17th, 2009

Javelin Strategy & Research have released the results of their 2009 Identity Fraud Survey Report. The result confirms that the number of identity fraud victims rose by 22% to 9.9 million adults in the US for 2008. The total annual fraud amount, the amount criminals were able to obtain illegally, went up to $48 billion.

The report, which is based upon a survey of 24,000 US respondents, aims to help understand identity fraud and the success rates of methods in prevention, detection and resolution. Highlights from the study include:

  • Identity fraud incidents increased by 22% to 9.9 million victims, levels not seen since the survey began in 2004 (attributed to economic uncertainty)
  • Cost to consumers for identity fraud is down to $496 (from $718)
  • 71% of fraud incidents began occurring less than 1 week from when the data was stolen (up from 33%)
  • Women were 26% more likely to be victims of identity fraud; it also took women nearly twice as long to catch fraud. This points to a lack of education in fraud detection.
  • Lost or stolen wallets, checkbooks and credit/debit cards were the most likely avenues of attack (43%), when access was known
  • Average fraud amount, per incident, is $4,849 (the amount criminals obtained illegally)

As a result of better means of fraud detection and resolution, fraud is being detected and resolved more quickly. Thus, although the number of identity fraud victims went up (a bad thing), the consumer cost per incident went down by 31% to $496 per incident. I think consumers would agree that this is still a high cost and one which doesn’t even account for the time and anxiety such an incident would cause.

The Javelin report is available in two versions, one for consumers and one for industry professionals. The consumer report offers best practices for protection while the professional report looks at trends and impacts on consumer behavior. You can download either report here.

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

3 Reasons for Breach Notification Laws

Monday, February 2nd, 2009

Bruce Schneier has put together an excellent post about why we need Federal breach notification laws (something I stand behind as well). His post opens up with 3 reasons why we should have breach notification laws:

  1. It’s polite to tell someone if you lose something of theirs
  2. It provides stats to security researchers about the scope of the issue
  3. It forces companies to improve security

The third point is based upon the premise that companies who are forced to bear the costs of data breaches (both intangible in loss of trust and tangible in costs of notification) would take extra steps to protect said data. Schneier references a study done by researchers at Carnegie Mellon University that seeks to determine if data breach disclosure laws have reduced identity theft. The study found that there was only a 2% decrease, on average, in identity theft for states with disclosure laws vs those without disclosure laws.

Bruce Schneier points out that the study can’t be relied on for this type of data. Since more data breaches are being reported now vs five years ago, notification laws or not, it’s difficult to compare “before and after” data. However, he also brings up a number of other issues: ineffective security improvements, types of data breaches, the reduction of the ‘shaming’ effect, and more.

A recent study by the Ponemon Institute, which was sponsored by PGP, now puts the cost of a data breach at $202 per record. However, Schneier believes that the hard cost of breach notification is not as effective an incentive as it used to be. Yet he argues that the other points still merit the law:

“Disclosure is important, but it’s not going to solve identity theft… The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it’s to make it difficult to use.”

Breach notification laws only deal with one side of the identity theft problem. Schneier argues that further laws are necessary to prevent financial institutions from granting credit to someone with minimal personal information.

And if you’ve ever left your computer on while you stepped away from it, or if you’ve ever forgotten to log out of secure systems, this should stop you from that habit. Someone like Jeff may be nice enough to teach you a hard lesson – but more than likely, someone will do something far worse.

Image: xenia / morguefile

FTC’s 5 Recommendations to Reduce Role of SSNs in ID Theft

Monday, January 26th, 2009

The Federal Trade Commission (FTC) has released a report on Social Security Numbers (SSNs) and their correlation with Identity Theft. The report, which can be downloaded here [PDF], is a follow-up to a 2007 workshop on the same topic and the continued work of the President’s Identity Theft Task Force that was established in May 2006.

In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authentication would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The Commission’s five recommendations are:

  • Improve consumer authentication
  • Restrict the public display and the transmission of SSNs
  • Establish national standards for data protection and breach notification
  • Conduct outreach to businesses and consumers
  • Promote coordination and information sharing on use of SSNs

The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently, financial institutions that are federally regulated by banking agencies are the only private companies subject to nationwide authentication standards.

You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].

Via data breach watch

Consumer Security News Roundup

Monday, November 17th, 2008

A number of great articles for consumers, about technology, security and identity theft, caught my eye this week. Rather than talk only to one or two of these articles, I wanted to point to some of them for you to check out:

Also, given the recent elections, you may wish to read Barack Obama’s Information Security plans here.
