Posts Tagged ‘Identity Theft’

The number of users affected by identity theft through malware has jumped by 600% in comparison with the data from this time last year.   The increase could be the result of the current economic crisis with so many people being affected by the crunch.

The numbers are staggering.  Every day, PandaLabs gets almost 37,000 samples of various types of internet threats and a whopping 71% are Trojans designed to steal banking and credit card information as well as passwords for commercial services.  An estimated three percent of users have been victimized by these silent threats since they normally don’t have any idea they’ve been affected until it’s too late.

There are some steps that users can take to protect themselves:

1. Be wary of any requests for personal data since most banks, payment services (i.e. Paypal) or social networks would never ask for that type of information in an informal way.  Never respond to requests for login information, for example, if they came in the form of an email or text message.

2. Avoid looking up your bank or online store websites through a search engine.   Type the address directly into your browser and double check that it is correct before hitting “enter.” 

3. Verify that the page has valid security certificates which are typically easy to identify by a “locked padlock” icon somewhere in the browser.  Banking websites might have the padlock image right beneath the login fields (see image below at left) whereas the little symbol appears at the end of the address bar in Internet Explorer (image at right). 

Sites like Paypal might also have the padlock above the login fields but you can also look for Verisign Identity Protection icon at the bottom of web pages.

4. Arm your computer with up-to-date security solutions such as Computrace LoJack for laptops.

5. Trust your instincts.  If something looks suspicious, contact the site’s customer service line.  Never enter your personal information if you think something looks wrong.

6. Look into getting identity theft insurance if you regularly shop or bank online.  This will provide coverage if you become the victim of identity fraud.

The Houston Family Examiner has written an article entitled “Tips to protect senior citizens from elder abuse identity theft”. In this article, I was pointed to the AARP as one of the sources for information on identity theft for the elderly. There, I found a wealth of useful information to pass along.

The AARP writes articles regulary on Identity theft, such as this one. This article suggests great preventative measures for identity theft including: checking your credit report once a year, never giving out your Social Security Number, shredding personal information (including credit offers), cutting back the number of cards you carry, hiding your PIN when you key it in, keeping information in your home secure (consider a safe) and never giving out your credit card or banking information to anyone unless you independently can confirm they are a legitimate business.

The AARP also offers an Identity Theft Course to help you understand and identify identity theft. The course will help you:

• Know what identity theft is
• Do a wallet check to protect yourself from identity theft
• Take steps to protect yourself from identity theft in your home and on the road
• Recognize early warnings of identity theft
• Take the first steps if you’re a victim of identity theft
• Have the numbers to call to get help or more information

Start the course here!

Hat tip to I’ve Been Mugged

Two researchers at Heinze College, Carnegie Mellon University, were able to successfully predict Social Security Numbers using only publicly available information. The study by Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers from Public Data, will be published in the ‘Proceedings of the National Academy of Sciences‘ and will be presented this July at the BlackHat convention.

Social Security Numbers (SSNs) are a primary piece of personal information sought by identity thieves, so it has always been cautioned that individuals and companies protect this sensitive information closely. However, this new study indicates that SSNs can be predicted from publicly available data.

Based on patterns in SSNs visible in the “Death Master File” (a database with SSNs of people who have died), Alessandro and Ralph were able to determine that date of birth and state of birth could be used to predict a narrow range of values likely to contain the individual’s assigned SSN. This information becomes more accurate for individuals born after 1988.

Within 2 attempts, the researchers were able to correctly guess the first 5 digits of SSNs for 60% of deceased individuals; within 1000 attempts, they could identify all 9 digits for 8.5% of the group (a number that would inevitably go up with more attempts). A hacker could then create a process to exploit existing services to test and verify SSNs.

Since SSNs are considered a primary form of identification, upon which you can apply for additional identification or for credit, there are troubling consequences to this discovery. From the executive summary of the study:

Since SSNs are predictable from public data, identity theft could occur even without events such as data breaches. Some of the implications are that 1) the SSA should randomize the entire SSN assignment process; 2) current policy initiatives in the area of SSN and identity theft should be reconsidered: most policy-making currently focuses on removing SSNs from databases or redacting their digits, so that they can still be used as “confidential information” – however, since SSNs are predictable from otherwise publicly available data, SSNs cannot be kept confidential even if they are removed from databases, and therefore those initiatives may be ineffective; 3) since SSNs can be predicted and are therefore, in a sense, semi-public information, consumers should not be required by private sector entities to use SSNs as passwords or for authentication.

The report makes some recommendations to government agencies, policy-makers, credit and financial institutions, online services and consumers regarding SSNs. You can read them here.

Via Wired ; Image: imelenchon

Robert L. Mitchell of Computerworld decided to tackle his own identity online to see just what information about himself he could dig up. After a privacy activist was able to retrieve his Social Security number, full name, address and a digital image of his signature online, Robert was both concerned and intrigued about what else could be out there.

Robert spent a few weeks combing through public and private resources (some paid) on the web to build up a dossier on himself. He spoke with everyone from private investigators to privacy experts. And in the end, Robert found that there was a vast amount of information about him online, and not all of it accurate. Many states have not taken adequate steps to redact sensitive information from the documents, such as mortgage documents, they make available to the public.

Robert put his full findings online, also breaking down the information by type of source. His first source was government records, that let him pull up his full legal name, address, Social Security number, spouse’s name and Social Security number, price paid for home, mortgage documents, and signature. Robert continued his search with free people searches, search engines, image searches, social network searches, and paid searches. And that may only be the “tip of the iceberg”, in terms of what else is easily accessible.

“Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents — and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.”

I was surprised to learn from this article that public records that contain Social Security numbers are not well regulated, and that if the government makes those records public, it can open that information to republishing without repercussions. You can read more about that in the call-out box at the bottom of this page. 

Robert’s search was very revealing, and certainly had him reviewing all the information available about him online. He’s taken steps to redact his Social Security number from government records online and has gone so far as to call his credit card and bank companies to test their authentication policies. In some cases, he was authenticated using this information he found online and, to his credit, he’s suggested those companies review their authentication protocols. We mostly consider identity theft the result of lost or stolen information, but this exercise shows that you may be at risk already.

Have you found your Social Security number or other sensitive information online? Let us know in the comments.

Also check out this 3D artistic representation of security threats. Makes all these horrible threats seem almost beautiful!

image: mconnors @morguefile

A new survey from Nationwide indicates that consumers impacted today from identity theft may not have enough money in reserve to get through the recovery process.

The survey, conducted with 400 adults in December of 2008, looked both to identity theft victims and to unaffected consumers in equal proportion. According to the survey, 10% of identity theft victims polled missed payments due to the crime. 80% say that they suffered serious repercussions as a result of identity theft, including lower credit scores, utilities shut off, bankruptcy, vehicle repossession, home foreclosure or jail time.

A previous survey talked about here indicates the average consumer cost per fraud incident was $496, but this does not include the time needed to recover from the fraud, which is likely increasing the odds of not being able to financially cope with the burden.

“If the identity theft involves your credit cards you can often resolve the problems quickly. However, if the fraud involves a debit card, a loan or your health insurance, the impact can be costly and time consuming. With so many Americans losing their savings and investments, people have less money to fall back on during the time it takes to stop the bleeding.” – Kirk Herath, Chief Privacy Officer for Nationwide Insurance

The survey found that most identity theft victims surveyed tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Those separated or divorced, and in high income households, are more likely to be affected.

Previous Nationwide surveys found that victims spend an average of 81 hours recovering from identity theft, with some going much longer. Other surveys have found similar average resolution times

Hat tip to George ; Image: clipart

I know you’ve seen the advertisements for “FreeCreditReport.com,” the catchy commercials prompting people to avoid being victims of identity theft by monitoring their credit reports. The catch – that site wasn’t free, the credit report came free in exchange for a monthly credit-monitoring cost from Experian. According to the Fair Credit Reporting Act, all the consumer reporting companies (Equifax, Experian, TransUnion) are required to provide you a free credit report upon request every year. As the FTC notes:

The Federal Trade Commission has received complaints from consumers who thought they were ordering their free annual credit report, but instead paid hidden fees or agreed to unwanted services. Don’t be fooled by TV ads, email offers, or online search results. Go to the authorized source when you request your free report.

Well, the Federal Trade Commission (FTC) decided to start up their own service, a free one, no catches. Their website? AnnualCreditReport.com. Yeah, if that’s not enough, their ads also parody the Experian ones.

Here’s the same FreeCreditReport.com ad overlaid with warnings to be aware of deals like these:

Checking your credit once per year gives you an opportunity to make sure the information is accurate and up-to-date. Not only that, it helps you spot identity theft. Because your credit is used to evaluate insurance, employment and more, it’s an important step to take in safeguarding your identity.

Via dunning letter, philly.com

Despite the fact that the Garter study showed that only 5% of Americans report cases of fraud to the Federal Trade Commission (FTC), that’s still enough data for the FTC to release a report of their own. They put out the Top Consumer Complaints in 2008 showing that the top complaint was identity theft. You can imagine how much higher the figures would be if consumers reporting were higher.

The FTC report showed that, for the 9th year in a row, identity theft was the number one consumer complaint category. Of the 1,223,370 complaints received, 26% were related to identity theft.

The report breaks down the identity theft complaints into type. The most common form of reported identity theft is credit card fraud (20%) followed by government document/benefits fraud (15%), employment fraud (15%), phone or utilities fraud (13%), bank fraud (11%) and loan fraud (4%).

If you are a victim of identity theft, learn how to file a complaint with the FTC here.

In related news, research in the UK indicates that 1 in 3 Britons is expected to be a victim of card fraud in 2009 – a 33% increase over 2008. You can read more about that here.

Image: Clipart

Javelin Strategy & Research have released the results of their 2009 Identity Fraud Survey Report. The result confirms that the number of identity fraud victims rose by 22% to 9.9 million adults in the US for 2008. The total annual fraud amount, the amount criminals were able to obtain illegally, went up to $48 billion.

The report, which is based upon a survey of 24,000 US respondents, aims to help understand identity fraud and the success rates of methods in prevention, detection and resolution. Highlights from the study include:

• Identity fraud incidents increased by 22% to 9.9 million victims, levels not seen since the survey began 2004 (attributed to economic uncertainty)
• Cost to consumers for identity fraud is down to $496 (from $718)
• 71% of fraud incidents began occurring less than 1 week from when the data was stolen (up from 33%)
• Women were 26% more likely to be victims of identity fraud; it also took women nearly twice as long to catch fraud. This points to a lack of education of fraud detection.
• Lost or stolen wallets, checkbooks and credit/debit cards were most likely avenues of attack (43%), when access was known
• Average fraud amount, per incident, is $4,849 (the amount criminals obtained illegally)

As the result of better means of fraud detection and resolution, fraud is being detected and resolved more quickly. Thus, although the identity fraud victims went up (a bad thing), the consumer cost per incident went down by 31% to $496 per incident. I think consumers would agree that this is still a high cost and one which doesn’t even account for the time and anxiety such an incident would cause.

The Javelin report is available in two versions, one for consumers and one for industry professionals. The consumer report offers best practices for protection while the professional report looks at trends and on impacts to consumer behavior. You can download either report here.

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

The Federal Trade Commission (FTC) has released a report on Social Security Numbers (SSNs) and their correlation with Identity Theft. The report, which can be downloaded here [PDF], is a follow-up to a 2007 workshop on the same topic and the continued work of the President’s Identity Theft Task Force that was established in May 2006.

In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authenticaton would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:

“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”

The Commission’s five recommendations are:

• Improve consumer authentication
• Restrict the public display and the transmission of SSNs
• Establish national standards for data protection and breach notification
• Conduct outreach to businesses and consumers
• Promote coordination and information sharing on use of SSNs

The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently financial institutions that are federally regulated by banking agencies are the only private companies subjected to nationwide authentication standards.

You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].

Via data breach watch

A number of great articles for consumers, about technology, security and identity theft, caught my eye this week. Rather than talk only to one or two of these articles, I wanted to point to some of them for you to check out:

• ConsumerReports.org creates 7 online blunders that can ruin your computer or identity
• Network World warns – beware of Obama spam
• CNet’s podcast – what’s next for net neutrality?
• Chris Pirillo’s 10 tips to keep your notebook safe when traveling – though Chris forgot to mention LoJack for Laptops, he’s previously spoken very highly of it!
• eSchool News – Florida considers virtual school
• Another great tip – how to protect yourself against identity theft over the phone

Also, given the recent elections, you may wish to read Barack Obama’s Information Security plans here.