Friday, February 25, 2005

Choicepoint ID theft victims face lifetime of vigilance


ID theft victims face lifetime of vigilance after Choicepoint admitted that it had potentially lost over 145,000 Americans' data to identity thieves who had somehow "legitimately" gained access to the Choicepoint database by opening business accounts with the data aggregator/reseller. Once the thieves had a so-called "legitimate account" with Choicepoint, they needed only to search the database that is open to all business customers of Choicepoint. This exposed potentially the entire available database to the crooks because they were seen as "legitimate" by Choicepoint.

This is absurd on its face. Just because a company is able to open a Choicepoint account does not guarantee that the company or its representatives with access have pure motives or that they won't abuse the information they gain access to by searching Choicepoint data on consumers. Even if Choicepoint and other database marketing companies like them were to root out all existing criminals in their client roster, more would come flooding in as "legitimate" customers under additional business names or through companies the crooks may "legitimately" work for.

The fact that they are refusing to tell any of those 145,000 people anything more than that it is "possible" that your name, address and Social Security number were "compromised" is obscene and inexcusable. The fact that monstrous database companies gather information on consumers and resell it "legitimately" is a foul and grotesque distortion of "public records", which are obviously not "public" at all if held by a company that resells them.

Here's hoping that exposure of this identity theft by organized crime will make everyone aware that it was always possible to raid the database by simply "legitimately" opening a Choicepoint account. It will not become more difficult to open a Choicepoint account, so nothing will change until Equifax, and other database marketers are shut down or have strict government oversight imposed.

posted by RealitySEO at 12:17 PM 0 comments

Thursday, February 24, 2005

Identity Protection is Up to You





Last week, Atlanta-based Choicepoint http://www.choicepoint.com, a giant consumer information clearinghouse, revealed that some of the massive amounts of personal data the company stores on virtually every American citizen was compromised. We found out about this because some 30,000 Californians received mail warning them that the personal information in question may have belonged to them. That was the tip of the iceberg.

Since the initial story broke, we have found out that the compromised information was not restricted to Californians. Only the notification was. Why? California is the only state where the law requires such notification. The company says it sent out an additional 110,000 letters when investigators told them that people outside California may have been affected; but the Los Angeles County Sheriff's office investigating the incident suspects that the number of people affected may reach half a million nationwide.

What is ChoicePoint?

ChoicePoint is a data broker holding some 19 billion records obtained from government, insurance and business sources. The Electronic Privacy Information Center EPIC - http://www.epic.org describes the company this way: "According to a recent quarterly statement filed at the Security and Exchange Commission, ChoicePoint sells: 'claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services...'".

Since its spinoff from Equifax in 1997, the company has built its massive databases through the strategic acquisition of some 60 companies, among them: Pinkerton, Inc., a pre-employment screening company; Bridger Systems, a USA Patriot Act compliance company and Bode Technology Group, a DNA identification company. According to EPIC: "At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the 'Greatest Corporate Invader' award 'for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials.'" Powerful stuff.

What happened?

The ChoicePoint website points out (in boldface): "This incident was not a breach of ChoicePoint’s network or a 'hacking' incident, and did not involve any of ChoicePoint’s customer information." They're right. The data wasn't stolen. It was sold. And we can safely say that with a 22% growth on net sales of $918 million and 4% year-over-year growth in net profit, the company came out pretty well on the transactions.

Sometime last year, about 50 companies were set up for the specific purpose of accessing ChoicePoint data and defrauding private individuals, and these businesses became ChoicePoint customers in their own right with working logins and passwords. They proceeded to guzzle and exploit ChoicePoint data; and in only a few months, at least 750 cases of actual identity theft originated in the abuse of this data. Organized crime has taken on new dimensions in the age of the Internet, and to say that this was "not a breach of ChoicePoint's network", while technically true, leaves the most important things unsaid.

As the infamous computer hacker Kevin Mitnick http://www.defensivethinking.com points out in his book on "social engineering" _The Art of Deception: Controlling the Human Element of Security_, a determined criminal need not be technologically-inclined to help herself to the data she wants. ChoicePoint's failure was in doing the very thing it claims to enable its customers to do -- verify that their customers are who they say they are.

What should you do?

Everyone is potentially impacted by this incident. As private individuals, you must be ever more vigilant of your personal identity.

Some of the best ways to do that are outlined at the EPIC site above. Your credit report is usually the first indicator that something has gone wrong, and checking it rigorously and regularly for unusual queries, account activity, etc. should be your first order of business. Mechanisms are finally being put in place to allow you to do so free of charge, and details are available at

http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm

When using the Internet, always be wary of phishing schemes designed to lure you into supplying your personal information to illegitimate businesses masquerading as banks, eBay or even the IRS and FBI. Protecting your computer against spyware and viruses is getting easier now that Microsoft is supplying free software for doing so. But the key to computer security is keeping yourself educated and paying attention to security warnings, certificate verifications and unrequested changes to your system configuration and preferences. At Cafe ID http://www.cafeid.com, a portion of our website and our time is dedicated to keeping our customers up-to-date on the latest information regarding these threats.

As business owners, you must be able to verify that the account you're opening is really for Mrs. Elder and not for a 41-year old Nigerian man. This is apparently so difficult that not even ChoicePoint can manage it, and it has billions of records and powerful databases at its disposal? Business owners must demand more accountability from these private, profit-driven data brokers, and that, too, is a tall order given that ChoicePoint claims as customers at least 35 Federal government agencies and numerous state and local agencies. The SBA http://www.sba.gov and the FTC http://www.ftc.gov are excellent resources to help you find out what you need to know and who you need to contact with your concerns.

Establish policies governing interactions with potential customers, and don't waver from them. Be suspicious of requests to do things differently for people, even if they sound like they know the jargon or things that maybe only the right people should know. Such manipulation is at the heart of social engineering. Do everything you can to establish your business identity and secure it with digital certificates and strong passwords. Your company website may be the most visible and the most vulnerable aspect of your Online Identity, so make sure you're dealing with reputable hosting companies. And don't attempt to conduct official transactions via e-mail. Addresses are easy to spoof, as the myriad phishing schemes illustrate.

If you think you already may be a victim of identity theft, there are several steps you should take immediately. Write to your creditors and inform them of what's going on, and use registered mail. Keep paper records of everything. Law enforcement is keenly aware of and interested in this problem, and they should be among the first people to know if you feel your identity has been stolen.

Those are great starting points, but the road is long and winding. Failure to walk it, however, can be disastrous to you, your family and your business.

-----


About the Author



Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.

posted by RealitySEO at 2:47 PM 1 comments

Monday, February 21, 2005

Parent power detags US schoolkids | The Register



Parent power detags US schoolkids, as described in this linked Register article. A legal challenge by the ACLU along with press coverage brought down a plan by a local school district to RFID tag all of the children in their school. The Sutter, California school (near the state capital, Sacramento) had a profit sharing plan with the company making the tags and hoping to sell them to other schools through this school. In exchange for the profit sharing scheme, the school was provided with free RFID tags for all of its children. Amazing what will drive absurd plans! Turning children into cattle, to be inventoried and tracked, seems to be one thing we won't stand for. Thank goodness for that.

posted by RealitySEO at 12:40 PM 0 comments

Tuesday, February 15, 2005

Big Brother Pizza Parlor


Big Brother Pizza Parlor is a humorous look at the loss of privacy we are experiencing as we progress toward a database nation. This humor suggests that even the local pizza parlor will know nearly everything about you if something isn't done to reduce incursions into your personal and financial privacy by business and government. Flash required to view. Sound required to listen. Action required to stop this from happening.

posted by RealitySEO at 1:48 PM 0 comments

Guardian Unlimited | Online | Coming to a bin near you, the spy that tells how much rubbish you create


Spy tells how much rubbish you create. OK, so now RFID is being used to monitor trash? Wow! Microchips are being inserted into trash bins to tell city officials how much trash is produced by British citizens. This is clearly getting way out of hand. What CAN be done with microchips WILL eventually be done by entrepreneurs seeking ways to make their products and service better. In most cases, that will involve monitoring and tracking behaviors of consumers. When the government gets involved in that monitoring and tracking, we will have big brother claims and fears and abuses. Gotta love it.

posted by RealitySEO at 1:12 PM 0 comments

Digital Water Marks Thieves - And The Innocent


Digital Water Marks Thieves: New technology used to track, arrest and convict British criminals may be promising if not abused by courts to claim that being present equals guilt. Right now this technology uses specially encoded water spray in suspension to mark criminals (or anyone present) with a spray, supposedly when the criminal lifts property from the scene of a crime. That spray is claimed to have a chemical fingerprint that is created by SmartWater to belong only to the property owner and no other.

A video at the SmartWater.com web site shows a folksy bunch of Brits in dodgy neighborhoods telling how comfortable they are knowing their homes are protected by little yellow stickers that warn criminals they will be "marked" with SmartWater if they dare break in and steal anything. Another video shows the method of application of SmartWater to property with a paint brush. The solution supposedly fluoresces under a special light source and apparently cannot be removed from clothing and skin, even with severe scrubbing.

Now all is well and good if nothing is assumed beyond a person being in contact with the stolen goods when they glow under black lights. What is it that says they stole the item? If anyone touches these Smartwater coded goods, they will glow just like the owner, the thief, the fence, the pawn broker and the police chief who touches the item, no? Why does touching mean anything beyond contact with the Smartwater coated object? It will be interesting to see if this stands up in court when it reaches US criminal cases.

posted by RealitySEO at 1:05 PM 0 comments

Friday, February 11, 2005

EFF Urges Congress to Vote "No" on Real ID Bill



Standardizing driver's licenses has long been recognized as a bureaucratic back-door to a national ID system - the hallmark of a totalitarian state. With its required linking of databases and ability of the Secretary of Homeland Security to establish a single format for licenses, the "Real ID Bill" (HR 418) takes us well along that road. Yet it fails even to pay lip service to civil liberties and privacy concerns.

This week, EFF joined a diverse left-right coalition of privacy and civil liberties organizations including the American Civil Liberties Union (ACLU), the Electronic Privacy Information Center (EPIC), the Privacy Rights Clearinghouse, and the Gun Owners of America (GOA) in sending a letter urging Congress to reject the bill.

"This bill would create a single nationwide database of every driver by forcing all states to link their DMV records, while repealing existing requirements for privacy-respecting procedures," said Lee Tien, EFF's senior privacy attorney. "It's a toxic concentration of data."

Coalition letter opposing HR 418


GOA action alert


More about national ID proposals


Bruce Schneier's Crypto-Gram: "National ID Cards"

posted by RealitySEO at 11:49 AM 0 comments

EFF Announces New Privacy Tool




Logfinder Helps Eliminate Unwanted Logging of Personal Data


San Francisco, CA - Today the Electronic Frontier Foundation (EFF) released logfinder, a software tool to help people reduce the unnecessary collection of personal information about computer users. Often computer network servers automatically log information about who has visited a website and when, or who has sent and received email. Such data tells a lot about a user's browsing and email habits and could be used in privacy-invasive ways. Moreover, log data must be turned over to government entities with court orders and can be subpoenaed by opposing sides in court cases.


By finding unwanted log files, logfinder informs system administrators when their servers are collecting personal data and gives them the opportunity to turn logging off if it isn't gathering information necessary for administering the system.


Logfinder was conceived by security consultant Ben Laurie and written by EFF Staff Technologist Seth Schoen. It's intended to complement EFF's recent white paper, "Best Practices for Online Service Providers," in which the organization argues that administrators should remove as many logs as possible and delete all personally identifying data from them.


"People who choose to follow our recommendations in the white paper might not know what kinds of logs they have," said Schoen. "Logfinder is an example of one way a system administrator could become aware of the presence of logs, as well as discover sensitive information being collected in known logs."


Download logfinder.


Contacts:


Seth Schoen

Staff Technologist

Electronic Frontier Foundation

seth@eff.org


Chris Palmer

Technology Manager

Electronic Frontier Foundation

chris@eff.org


posted by RealitySEO at 11:36 AM 0 comments
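
A small sketch of the idea in the logfinder announcement above (finding files that are quietly accumulating personal data), added here as an example; it is not logfinder's code or EFF's. The regular expressions, the 50% threshold, the function names and the sample files are all assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# A line counts as "log-like" if it carries one of these timestamp shapes.
TIMESTAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"        # 2005-02-11 11:36:02
    r"|\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}"   # 11/Feb/2005:11:36:02
    r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"       # Feb 11 11:36:02
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def classify_line(line):
    """Return the kinds of personal data on a timestamped line (empty set otherwise)."""
    if not TIMESTAMP.search(line):
        return set()
    kinds = set()
    if IPV4.search(line):
        kinds.add("ip")
    if EMAIL.search(line):
        kinds.add("email")
    return kinds


def scan_file(path, sample_lines=200, threshold=0.5):
    """Sample the head of a file; report it if enough lines are log entries with personal data."""
    hits, total, kinds = 0, 0, set()
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                if total >= sample_lines:
                    break
                if not line.strip():
                    continue
                total += 1
                found = classify_line(line)
                if found:
                    hits += 1
                    kinds |= found
    except OSError:
        return None  # unreadable file: nothing to report
    if total == 0 or hits / total < threshold:
        return None
    return {"path": str(path), "ratio": hits / total, "kinds": sorted(kinds)}


def find_logs(root):
    """Walk a directory tree and return a report for every file that looks like a personal-data log."""
    reports = (scan_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file())
    return [r for r in reports if r]


def demo():
    """Run the scan over constructed sample files (documentation addresses only)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "access.log").write_text(
            '192.0.2.10 - - [11/Feb/2005:11:36:02 -0800] "GET / HTTP/1.0" 200 512\n'
            '192.0.2.77 - - [11/Feb/2005:11:36:09 -0800] "GET /a HTTP/1.0" 404 90\n')
        (root / "maillog").write_text(
            "Feb 11 11:36:02 mx1 smtpd[411]: from=<alice@example.org> to=<bob@example.net>\n"
            "Feb 11 11:36:05 mx1 smtpd[411]: connect from 198.51.100.4\n")
        (root / "README").write_text("Site notes. Contact admin@example.org.\n")
        return {Path(r["path"]).name: r["kinds"] for r in find_logs(root)}


if __name__ == "__main__":
    print(demo())
```

Files it reports are candidates for review: the administrator still decides whether each log is needed for running the system or can be turned off or scrubbed.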

Children Tracked With RFID in Schools


February 07, 2005


Mandatory Student ID Cards Contain RFIDs



Parents and Civil Liberties Groups Urge School District to Terminate Use of Tracking Devices



NOTE: This is a press release from the ACLU of Northern California that EFF is recirculating for your information.



San Francisco - Parents in a northern California public school district and civil liberties groups are urging a school district to terminate the mandatory use of Radio Frequency Identification tags (RFIDs) by students. Several civil liberties groups, including the ACLU of Northern California (ACLU-NC), Electronic Frontier Foundation (EFF), and the Electronic Privacy Information Center (EPIC) sent a letter today expressing alarm at the Brittan School District's use of mandatory ID badges that include a RFID device that tracks the students' movements. The device transmits private information to a computer on campus whenever a student passes under one of the scanners. The ID badges also include the student's name, photo, grade, school name, class year and the four-digit school ID number. Students are required to prominently display the badges by wearing them around the neck at all times.



"Forcing my child to be tracked with a RFID device – without our consent or knowledge – is a complete invasion of our privacy," said Michael and Dawn Cantrall. "Our 7th grader came home wearing the ID badge prominently displayed around her neck – if a predator wanted to target my child, the mandatory school ID card has just made that task easier." The Cantralls filed a formal complaint against the Brittan Elementary School Board in Sutter, California on January 30th after meeting with several school officials.



In a letter dated February 7, sent to the Brittan Board of Trustees, the civil liberties groups "urge the school board to recognize the serious safety and civil liberties implications" and call for the School Board to "terminate this ill-advised test immediately."



"We are sending the letter today because a School Board meeting is scheduled for tomorrow night and we want to make sure that the District reconsiders the issue," said Nicole Ozer, Technology and Civil Liberties Policy Director of the ACLU-NC. "RFID technology is inappropriate for use in schools. The badges jeopardize the safety and security of children by broadcasting identity and location information to anyone with a chip reader and subjects students to demeaning tracking of their movements."



"The monitoring of children with RFID tags is comparable to the tracking of cattle, shipment pallets, or very dangerous criminals in high-security prisons. Compelling children to be constantly tracked with RFID-trackable identity badges breaches their right to privacy and dignity as human beings. Forcing children to wear badges around their necks displaying such sensitive information as their name, picture, grade and school exposes them to potential discrimination since the name of their school may disclose their religious beliefs or social class," said Cédric Laurant, Policy Counsel with EPIC.



Jeffrey and Michele Tatro, parents of a thirteen-year-old student at Brittan Elementary School, added: "It is our goal that no child in the United States be tagged or tracked. We want it to be stopped here, in Sutter California, and we don't want any child to be tracked anywhere. Our children are not pieces of inventory."



"It is dehumanizing to force these children to wear RFIDs, and their parents are rightfully outraged," said Electronic Frontier Foundation senior staff attorney Lee Tien. "We are doing everything we can to support the parents in this fight to protect student privacy."



Get more information about RFIDs in schools.



Contacts:



Stella Richardson

Media Relations Director

ACLU of Northern California

srichardson@aclunc.org



Annalee Newitz

Media Coordinator/Policy Analyst

Electronic Frontier Foundation

annalee@eff.org


posted by RealitySEO at 11:36 AM 0 comments

Wednesday, February 09, 2005

Mega-surveillance project World Cup 2006



World Cup 2006 'abused for mega-surveillance project': "Germany's football authorities have been accused of Big Brother tactics over their decision to incorporate RFID chips into tickets for World Cup 2006.

Around 3.7 million tickets are to be sold in four online sale rounds, the last on 15 April, 2006. In the first sales round, around 160,000 fans applied for one million tickets covering all 64 matches.

To apply for a ticket you have to give your name, address, nationality, which team you want to support and your bank details. You must also supply your ID or passport number and your birth date."

posted by RealitySEO at 7:28 AM 0 comments

Wednesday, February 02, 2005

PayPal Phishing Attack


PayPal Phishing Attack was reported in this linked EWeek article and apparently involved users' PayPal-linked email addresses, making them available on the web. The culprit was a third party partner of PayPal that handles unsubscribe requests for them.

Paypal claims that they are contacting all of their affected users and that it was a small number, although a small number to Paypal may be huge by the standards of smaller companies.

I receive a dozen PayPal spoof emails phishing for my username and password. I fell for it once, way back when it was less common a couple of years back. I now routinely send those phishing email attacks with full headers exposed to the recommended Spoof@PayPal.com email address.

Always get a form letter email in return thanking me for helping them rein in this criminal activity. I have started to just delete them lately as there are so many, I don't have time to send them all in. It's easier to see which ones are risks now because I've adopted a single specific email address that is only used for email payments.

I get tons of phishing emails for Washington Mutual Online Banking as well. Those are easier to delete without looking at them as I don't bank with WaMu any more, so know that they have no reason to contact me. Sure gets tiresome to deal with crooks so routinely though.

I recently had trouble with Paypal on another front when a client filed a fraud report because they saw a charge from eBay on their credit card statement after paying my fees through PayPal with their credit card - an option offered through my online billing provider.

The client wasn't aware that PayPal was owned by eBay and made that fraud claim because they hadn't purchased anything at eBay. Seems quite understandable and reasonable and makes me wonder why PayPal doesn't make changes to reflect the destination of the payment, not eBay OR PayPal in the records reflected on credit card statements.

The resulting deficit in that account cost me dearly in multiple blocked transactions related to the fraud complaint and tied up my funds for nearly two weeks. Multiple phone calls, emails, online forms and client contacts took nearly 4 hours of my time as well. PayPal needs to tighten up!

posted by RealitySEO at 4:46 PM 0 comments