Thursday, June 30, 2005

Senators' data-security & privacy bill


Senators propose sweeping data-security bill. Finally, federal lawmakers are grappling with the difficult issue of leaked data flowing from aggregator, broker and reseller databanks, leaks that have turned into a flood since California required public notice of data breaches. This is likely to be a thorny issue, plagued with rewrites and amendments for years, as it affects so many sources.

One truly difficult issue is the requirement being discussed that would make it mandatory for small and micro-businesses that hold data on more than 10,000 individuals to disclose breaches of stored customer financial and SSN information.

But finally data security is being taken very seriously and we'll all need to pay attention to protecting every source of possible leaks of sensitive customer information.

posted by RealitySEO at 4:24 PM 0 comments

Wednesday, June 29, 2005

Feds Lag On ID Theft Notification


CBS News says federal lawmakers are lagging on ID theft notification rules: "'Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly. Consumers' personal and financial data has become the gold of the 21st century and we need to protect it accordingly,' said Sen. Charles Schumer, D-N.Y.

Schumer has introduced legislation on identity theft with Sen. Bill Nelson, D-Fla. His comments came last week after the credit-card breach was made public.

But to date no bill has reached the mark-up stage, which means that with Congress about to leave for its summer recess, it will be the fall, and maybe well after that, before any measure advances.

Such legislation may only be passed if Washington lawmakers can stand up to pressures coming from the financial services industry.

While many groups in that sector say they support rule changes, they are pushing to keep some control over what circumstances would trigger a notification requirement. They say there is a risk of flooding consumers with warnings, making them numb to the most serious threats."

posted by RealitySEO at 11:39 AM 0 comments

Monday, June 27, 2005

Pentagon Privacy Invasion of 16- to 25-Year-Olds


16 to 25? Pentagon Has Your Number, and More - New York Times
So now the Pentagon is collecting information on 16- to 25-year-old Americans, including sensitive SSNs, driver's license info, grade point averages, email addresses and phone numbers, using an outside marketing company that has been under contract for over three years, since 2002. When they "discovered" in May of 2004, two years into the illegal action, that they had not filed a Privacy Act notice, they waited more than another year to file that notice as required?

BeNOW Inc. of Wakefield, Mass., a marketing company that uses personal data to target customers, holds that data under contract with the Pentagon. Are those records secure, encrypted and stored safely enough to avoid another large-scale data breach? Will anyone on that list be compensated if the data is compromised, lost or stolen? Is the company restricted from making further use of, and profit from, that data?

"Oops, we forgot to file a Privacy Act notice, and even after we figured it out, we still didn't do it. Well, now we've filed, so you can go back about your business and forget about our illegal action. The information will be really valuable a few years down the road and we'll be sure to profit handsomely from that, thank you very much."

Fascinating stuff this.

posted by RealitySEO at 4:22 PM 0 comments

Identity Theft: Consumers, Retailers and Data Theft


Consumers, retailers grapple with data theft: it appears that the major credit card companies affected by that major data theft from CardSystems Solutions last week are digging in their heels and refusing to notify consumers whether specific accounts were compromised.

Chase, Citigroup and MBNA have all said they'll notify consumers ONLY if those accounts appear to be at risk. Translate that as: they will only notify you once you've lost money and have to cancel your account yourself. This stance is taken simply because retailers are usually the ones to bear the brunt of fraud, as consumers only have to claim fraud to get a refund.

Retailers must eat the loss, and card issuers stand back and say to those retailers, "You accepted that charge, and you are responsible for the sale to that criminal." So the consumer is refunded only after discovering fraudulent charges (if they are alert enough to notice them), the retailer must absorb the loss, and the card issuer passes the blame.

This all means that the criminals get away with the fraud and card issuers bear no loss. It also means that compromised cards are not replaced, because issuers don't want to spend the average $30 per card to replace them for consumers.

"If the credit card companies were to replace all 40 million cards that may have been stolen, it might cost more than $1.2 billion," according to the linked news.com story here.

Card issuers are passing the buck here. CardSystems is to blame for the data breach, but card issuers are refusing to protect consumers who hold their cards.

posted by RealitySEO at 9:32 AM 0 comments

Wednesday, June 22, 2005

US follows California on data-theft notification


U.S. follows California lead on data-theft notification (registration required to read online), according to this Sacramento (California state capital) newspaper story. Sacramento Bee staff writer Deb Kollars argues that, if not for the California laws, the data security breaches that have emerged in the last few months would never have come to light. I agree.

She then adds a more telling bit to her story, suggesting that the impetus for identity theft notification laws was given a surge when California lawmakers were victims themselves. Kollars wrote:

"In the spring of that year, a hacker broke into state computer files at the Stephen P. Teale Data Center in Rancho Cordova and acquired the personal information of 265,000 state employees. Among the potential victims: 120 startled state legislators.

"The data break-in occurred in early April but was not publicly reported for almost two months. The delay infuriated senators and Assembly members, including two Democratic legislators with consumer privacy on their minds."


The country can thank that hacker who hit the state employees for pushing them over the edge to pass strict data security and protection laws.

posted by RealitySEO at 11:11 PM 0 comments

California to close loophole in state ID theft law


California aims to close loophole in state ID theft law. Wow, this is an example of how slimy businesses can be when left to the corporate lawyers' interpretation of identity theft laws. California state Senator Debra Bowen told Reuters that the state assembly has found it necessary to put together an amendment to previous laws that require data brokers and handlers to notify the public of loss of electronic data. Soooo, businesses assumed that meant that they weren't required to notify anyone of the loss of PAPER records or backup tapes they lose with precisely the same information. Next they'll have to go back and make another law requiring businesses to disclose the loss of any VERBAL financial information. If that is a bit too broad, they may have to require that none of the SAME information has to be reported lost if it was SUNG to somebody. Clarity or obfuscation? Wow.

posted by RealitySEO at 5:40 PM 0 comments

UBS loses 15,500 customers' data


UBS loses 15,500 customers' data - silicon.com. "Japanese banks have recently lost a lot of information. We've been asking why they lost the disk, what information was on it and what methods they have to prevent this. We've requested a report," according to this Silicon.com article reporting that UBS lost a hard disk containing confidential data on 15,500 customers. In March, Japanese bank Mizuho admitted losing details of 270,000 customer accounts.

posted by RealitySEO at 1:50 PM 0 comments

MasterCard hack spawns phishing attack


MasterCard hack spawns phishing spam, showing how quickly spammers react to news of security breaches. Poorly spelled spam flooded the inboxes of unsuspecting MasterCard customers, asking them to click links in the phony emails. The links lead to spoofed web sites that appear legitimate, where victims are asked to enter personal information into web forms; that information lets the spammers empty bank accounts and ring up false credit card charges.

posted by RealitySEO at 12:44 PM 0 comments

Private Investigators Fear Limits On Social Security Numbers


Private Eyes Fear Limits On Information Access, according to this linked Washington Post article. Private dicks are stomping through the halls of Congress demanding that laws being drafted to limit their access to Social Security numbers be amended to allow them complete access to full SSNs. They fear they'll be put out of business without the ability to find and use those critically important nine-digit numbers. Congress is restricting use and sale of Social Security numbers by data and information brokers and credit bureaus. ChoicePoint and Lexis/Nexis now provide only partial SSNs to detectives since the major breaches of both of those organizations.

posted by RealitySEO at 12:06 PM 0 comments

FDIC Alerts Employees of Data Breach


Privacy Breach for FDIC employees went for a year and a half without disclosure, according to this Washington Post article. Last Friday, the same day a loss of 40 million credit card numbers was disclosed, this smaller incident was quietly revealed in letters to victims of the employee records theft and abuse. This case proves clearly that disclosure laws are necessary, by demonstrating how long it can take to discover a security breach. Many leaks and thefts are not discovered immediately, and once they are known, they must be disclosed immediately to identity theft victims or potential victims.

posted by RealitySEO at 11:03 AM 0 comments

Personal Data Trade Buys & Sells Your Information


Who buys and sells your personal private information? This story discusses the absurd merry-go-round of data sales from credit bureaus to information brokers to government to employers to private investigators to information brokers and back again. The information is sold and resold without your knowledge or consent, and with no way for you to confirm or correct erroneous data included in those multiple sales.

posted by RealitySEO at 9:38 AM 0 comments

Privacy experts' wish list


Privacy experts' partial wish list, discussed in this linked article, is a proposal from privacy advocates that consumers be provided full notice of all information purchased and traded on them by data brokers and credit bureaus. Also included is a requirement that all breaches be fully disclosed to affected consumers, along with copies of the complete information that was compromised in any hack or otherwise illegally obtained. Many also propose that credit report monitoring and compensation for time lost from work be provided to identity theft victims.

posted by RealitySEO at 9:32 AM 0 comments

Data Breaches Rampant


Data Breaches Rampant: again, in this CNN Money article, it is pointed out how easy it should be to PROTECT data and PREVENT breaches of credit card and social security information. The warehousers and sellers of personal financial information need to protect it and appear not to take that responsibility seriously. Card issuers bear little of the cost of identity theft, and merchants take the worst hit. Until credit card companies must absorb the losses, they won't worry about those losses.

posted by RealitySEO at 9:24 AM 0 comments

Tuesday, June 21, 2005

Feds collect data on air travelers


Feds collect data on air travelers, according to this USA Today Travel section story. A vendor working for the Transportation Security Administration used commercial data brokers to collect and append vital stats in June on fliers, including gender, second and third addresses, zip codes and latitude and longitude of addresses. That data was compiled, sorted and burned to CDs that were presented to the TSA in a "test" program for "Watch List Match Testing" in terrorist screening for the "Secure Flight" program. This came after the TSA said publicly that it wouldn't do so, having been told by Congress not to. The data was apparently on all fliers and not limited to suspected terrorists or those already on "Watch Lists".

posted by RealitySEO at 1:34 PM 0 comments

Black Market in Stolen Credit Card Data Thrives on Internet - New York Times


"'Want drive fast cars?' asks an advertisement, in broken English, atop the Web site iaaca.com. 'Want live in premium hotels? Want own beautiful girls? It's possible with dumps from Zo0mer.' A 'dump,' in the blunt vernacular of a relentlessly flourishing online black market, is a credit card number. And what Zo0mer is peddling is stolen account information for Gold Visa cards and MasterCards at $100 apiece. It is not clear whether any data stolen from CardSystems Solutions, the payment processor reported on Friday to have exposed 40 million credit card accounts to possible theft, has entered this black market. But law enforcement officials and security experts say it is a safe bet that the data will eventually be peddled at sites like iaaca.com."

Black Market in Stolen Credit Card Data Thrives on Internet - New York Times. Now identity theft is being discussed in national media for the first time in a substantial way. Internet trafficking in stolen credit cards is the inevitable result of lax security policy and easy access to credit information. Paper shredders are a huge and booming new market, and we're suddenly being more careful about who gets our Social Security number and learning to say no to sensitive information requests from sources unlikely to need that info. I wish it hadn't taken the recent losses to wake us up, but I'm glad the slumbering giant is awakening at last.

posted by RealitySEO at 11:52 AM 0 comments

How much more data loss can we stand?


Saturday, MasterCard blamed a vendor of ALL credit card providers, CardSystems Solutions, Inc., a third-party processor of payment card data, as the source of the loss of 40 million consumers' credit card information.

As is pointed out by the Silicon.com story and hundreds of other newspaper and web articles over the last few weeks, each recapping long lists of financial information data breaches, something's gotta give before we entirely lose trust in financial institutions, data brokers and credit bureaus. How much privacy loss can we take without acting?

These types of data loss were very likely common and have very probably been going on for a very long time. The difference is that now, THEY ARE REQUIRED BY LAW TO DISCLOSE THOSE LOSSES - not just in California, but in many states. National disclosure laws on data security breaches are being considered in Congress.

I suggest that these breaches of data security all came to light due to the California law requiring disclosure from companies suffering hacking loss or leaks or social engineering or crooked employees or organized crime rings posing as "legitimate" customers. All of the above have been given as reasons for security lapses or poor security policies.

About three or four years ago, a friend told me his paycheck deposit to Bank of America went missing from account records after he took his check to the bank on Friday. By Monday, Bank of America was in the news claiming a computer glitch had disappeared the entire day's deposits. I mumbled to myself, "I'll bet that was a hack and that hacker just made a huge offshore banking deposit with B of A depositors' money."

But we didn't find out why it happened in that particular case because there was no disclosure law in place at the time. Now we have disclosure laws that mandate notice of security breaches. Now suddenly - huge financial services hacks and devious criminal social engineering outfits posing as legitimate customers and apparently "innocent" losses by transport companies of backup tapes begin to come to light.

This spate of data loss incidents is proof of the need for corporate "sunshine laws" that make public notice of data losses threatening customer information mandatory.

Who is going to lose here - the public, the corporations, the criminals, or the government? I'd prefer that the bad guys get the shaft and take down crooked company insiders that either facilitate data loss by underfunding security and encryption or participate in data theft or loss in any form - even if that participation is security negligence.

Financial companies and data brokers have been covering up the losses and keeping quiet about hacks so as not to worry or frighten their customers. But that practice is essentially ended now that they must notify the public and disclose those losses instead of hushing them up.

Keeping the breaches hidden from public view is bad practice as it maintains the status quo. Disclosure will facilitate internal corporate lockdowns on the data and all access to it. Disclosure will educate the public to the lack of security and danger to the sensitive information we all provide rather casually and routinely to businesses.

As the above link to a silicon.com story suggests, we cannot take much more of this lack of regard to privacy and must lock down financially sensitive data securely and must begin to hold data brokers, bureaus and handlers VERY accountable.

Insist to your elected representatives that your financial data be locked down, encrypted and guarded by those entrusted with storing, transporting and using it. Since our financial, medical and legal lives are increasingly being housed in digital form and transmitted between data centers of multiple handlers - we need to know it is secure. We also need to know when that security has been breached and our data compromised or lost.

Thieves are becoming more aware of the ease with which they can find and access financial data. Hacking is not the source of the greatest losses.

Organized crime has easily found its way into our financial records by simply paying for it, posing as "legitimate" business customers of information brokers such as ChoicePoint and Lexis/Nexis. Any business can buy financial and credit information from those information bureaus and credit reporting agencies by meeting rather lax requirements for a "need to know" that data.

As long as it is possible to purchase our sensitive data from brokers and bureaus, organized crime will "legitimately" buy it from those sources, then ruin our credit by selling that information at a higher price in identity theft schemes.

Since disclosure laws have come into effect, those breaches have been made public, credit cards cancelled before losses can occur and credit reports monitored to watch for suspicious activity. The bad guys' activities are squelched because we are made aware of the possibility that our information has been compromised.

Not all blame can go to financial institutions and data brokers. Protect your own private data by protecting your computer records at home, in the office, on your laptop and in your PDA by using basic keyword security and locking down files. Use the built-in encryption on your operating system and your home network to keep data secure. Then be certain to clear that sensitive data off the computer when you sell it or throw it away.

Data security is something we all need to take seriously and the corporate breaches are dramatic illustrations of how important it has become to build digital fortresses around our critical financial, legal and medical information.

Mike Banks Valentine is a privacy advocate and blogs about privacy issues at His Blog. You can read more about identity theft issues at Publish101.

posted by RealitySEO at 9:51 AM 0 comments

Monday, June 20, 2005

MasterCard Press Release Financial Data Breach


MasterCard Identifies Breach at CardSystems Solutions

MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data

Purchase, NY, June 17, 2005 - MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.

MasterCard International's team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor's systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.

CardSystems has already taken steps to improve the security of its system. However, MasterCard is giving it a limited amount of time to demonstrate compliance with MasterCard security requirements.

Importantly, in keeping with its standards that focus on consumer protection and the safeguarding of sensitive information, MasterCard immediately notified its customer banks of specific card accounts that may have been subject to compromise so they can take the appropriate measures to protect their cardholders.

In the event of a cardholder data breach, MasterCard always takes this precaution regardless of whether there is any indication that fraud has resulted and whether or not there has been a final determination that a security breach has or has not occurred. Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as Social Security numbers or dates of birth or the like, is stored on MasterCard cards.

Consumers have strong protection if unauthorized charges are made on their MasterCard cards. In the U.S., MasterCard cardholders are protected by MasterCard's Zero Liability policy for unauthorized transactions on their accounts. If MasterCard cardholders have any reason to believe that their cards were used fraudulently, they should contact their issuing bank.

Protecting cardholders, preventing fraud, and safeguarding financial information are top priorities at MasterCard. The company maintains a global team of experts devoted to maintaining the integrity and security of its payment systems and who work closely with federal, state, and local law enforcement agencies to help in the apprehension of fraudsters and other criminals.

Federal Regulation of Data
While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions. Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.

About MasterCard International

MasterCard International is a leading global payments solutions company that provides a broad variety of innovative services in support of our global members' credit, deposit access, electronic cash, business-to-business and related payment programs. MasterCard International manages a family of well-known, widely accepted payment card brands including MasterCard®, Maestro® and Cirrus® and serves financial institutions, consumers and businesses in over 210 countries and territories. The MasterCard award-winning Priceless® advertising campaign is now seen in 96 countries and in 48 languages, giving the MasterCard brand a truly global reach and scope. For more information go to www.mastercardinternational.com or refer to our filings with the U.S. Securities and Exchange Commission.

posted by RealitySEO at 12:08 PM 0 comments

Saturday, June 18, 2005

40 Million MasterCard Hacked - ID Theft


MasterCard Open Book For ID Theft with over 40 Million Credit Cards Hacked.

This is the beginning of the end for lax data security and will be the start of endless credit report fiascos and related lawsuits against those who hold the keys to the financial privacy vault.

posted by RealitySEO at 8:27 AM 0 comments

Thursday, June 16, 2005

Data Retention Law Means ISP Spying


Your ISP as Net watchdog is the proposal being circulated by the Federal government. It would require Internet Service Providers to keep log files, chat transcripts, sites visited and email records for ALL customers, thus bypassing the need for government-provided tracking machines or chips at service providers.

Those have included the ill-fated Carnivore email monitoring box suggested by the FBI, the wildly overoptimistic Total Information Awareness concept proposed by DARPA a few years ago, and the failed Clipper Chip proposed by the Justice Department to allow eavesdropping on electronic communications if illegal activity was suspected. Now they are simply passing on the responsibility for monitoring all web traffic information to the service providers, with "Data Retention Laws" that require ISPs to retain all traffic records and make them available to law enforcement.

The Federal government has a huge hunger for information and keeps prodding in all directions to establish an electronic spy network. Does anyone doubt they will establish (or have already established) massive e-spying? They want SO bad to be Big Brother, but the public keeps saying no. Eventually they'll simply do it anyway and justify it all somehow when caught in the act by whistleblowers or leaks.

posted by RealitySEO at 9:50 AM 0 comments

Friday, June 10, 2005

Zero Web Privacy - China cracks down


China cracks down on Web and expats. This Christian Science Monitor article linked above makes me eternally grateful for living in a society that at least gives a passing nod to privacy protection. China has now officially decided to become Big Brother of the web. Wow. Scary stuff.

posted by RealitySEO at 12:15 PM 0 comments

Wednesday, June 08, 2005

Identity Theft: Privacy & Data Loss


Identity Theft: Count the Ways

by Daryl Campbell

I received an e-mail message from "Paypal" not too long ago. The e-mail stated that PayPal needed me to update and verify my security information for their database. I didn't. One of the sentences in the e-mail read:

"Complete the necessary verification tasks within 5 days, or your account might get temporarily suspended."

That didn't sound like the PayPal I've been doing business with for several years. The grammar of "your account might get temporarily suspended" raised an alarm bell. Also, the logo, while quite professional, looked odd.

But the obvious giveaway was knowing PayPal would never contact me at an e-mail address I never gave them. I could have become a victim of a technique called phishing. Just another form of identity theft.

The effort criminals put into stealing your identity staggers the imagination.

With phishing, also called brand spoofing, criminals set up phony but legitimate-looking websites, then spam you with e-mail like the one described above in the hopes of catching a percentage of Internet users. No reputable business will ever ask for your personal information via e-mail.

Phishing just became a parent to a newborn child called "pharming". Hackers plant phony information into DNS servers. This allows them to match domain names with the database of IP addresses maintained by various web hosting companies. In other words, you type in a web address, press enter and get rerouted to bogus websites where identity thieves are waiting to grab any of your information.

2003 saw identity thieves target eBay account holders; this year it's PayPal's turn, but any company with a database of information remains a target.

ChoicePoint, a veritable clearinghouse for the insurance industry, finds itself trying to explain how identity thieves tapped into its system to defraud 145,000 customers across the U.S. Investigators in California place that number closer to half a million.

The hackers apparently used previously stolen identities to apply for and receive business licenses then bought information from ChoicePoint whose database totals 19 billion public records.

The FTC estimates that this year alone identity theft will cost the business community 4.2 billion dollars and 8 billion by the end of 2006.

Easy access to computers provides more chances for identity theft, but the majority of cases, according to the Better Business Bureau, happen offline. Mail fraud, public spying known as "shoulder surfing" and telephone scams that target the elderly contribute greatly to this epidemic.

Unfortunately senior citizens face another threat known as the "sweetheart scam" in which a criminal offers to run errands or do chores around the house for the express purpose of taking control of the victim's finances.

Taking control of someone's finances can also happen in a restaurant, department store or any legitimate place of business. When a clerk swipes your card twice without your knowledge then stores the information for later use, this is known as skimming. Often the clerk will make a duplicate card with your info to go on a buying spree or sell it on the black market. The illegal selling of credit card information as you might have already guessed is big business.

Identity theft has forced many financial institutions to revamp their ATMs due to criminal rigging. A person uses the ATM, but after putting in the PIN the machine keeps the card. Usually when the person goes to report it, the thief strikes, taking card, PIN and, most importantly, the victim's identity.

The methods of madness can include something simple like going through your trash known as dumpster diving or an elaborate hoax similar to the one reported by the Associated Press.

A family in the Pacific Northwest posed as tax preparers and used stolen identities to go on buying sprees across several states that included million-dollar homes and luxury vehicles. According to authorities, since the thieves stole the Social Security numbers of children as well as adults, the damage won't be fully known until these young people start applying for credit later on.

Law enforcement officials believe the next step with this criminal outfit involved applying for health care positions. Hospitals and doctor offices provide a wealth of personal information. Perfect for identity thieves.

These methods, along with old-fashioned robbery, show why identity theft, according to the Department of Justice, has held its ranking as the number one and fastest growing crime in the US for 5 consecutive years. Unfortunately, it will maintain that status for the near future.

Copyright © 2005 Daryl Campbell

About Daryl:

Daryl Campbell owns and operates WintheMarket.com (http://www.winthemarket.com). Identity theft can be devastating. Restoring your good name can be overwhelming and costly. If identity theft happens, you need more than do-it-yourself information. Let the experts do the work for you. For free information go to http://digbig.com/4cmcg now.


posted by RealitySEO at 9:47 AM 0 comments

Monday, June 06, 2005

Identity Theft Recovery


Identity Theft Recovery: The Road Back

by Daryl Campbell

Not too long ago, a friend of mine mentioned that one of his coworkers recently recovered his stolen identity. I asked how long the process took. "Only two years" he replied.

Compared to my business partner's six-year nightmare, "only" may be appropriate, but like most victims of identity theft, he probably thought "when". As in, "when will I get my life back?"

Privacy Rights Clearinghouse, a consumer nonprofit organization, reported that victims spend on average 175 hours trying to recover their identity, often over a period of years. Factor in out-of-pocket expenses (usually over $1,500 according to the Federal Trade Commission) and recovery gets painfully magnified.

What are the steps to identity restoration? It starts with obtaining a police report. That report doesn't mean other law enforcement agencies have been contacted. You must still do a complete search of local and federal law enforcement databases to find out if anything else, including criminal activity, exists under your identity.

You're also going to need the police report to contact the many, and I mean many, different agencies and organizations, including the Social Security Administration, the Federal Trade Commission, all of your financial institutions, the 3 major credit bureaus, the Passport Office, the Department of Motor Vehicles, the Post Office, as well as the Medical Information Bureau. All of these places must be sent a fraud notification alert.

Concerning your financial institutions, get them to cancel your credit cards and close your bank accounts. Find out from your bank about any suspicious activity, such as accounts tampered with or opened fraudulently. Reopen new bank accounts with password verification.

Know your rights. According to the Fair Credit Reporting Act of 1992, you must be told not only what's in your file but if that information is being used against you. The Federal Trade Commission recently expanded the rights available to victims of identity theft, including your right to get negative information due to fraud blocked from your records.

This brings us to the credit bureaus. Make sure your credit report reflects the identity theft and gets flagged with a fraud alert. Many victims have received assurances that the matter would be resolved, however months and sometimes years later, the credit bureaus have not cleared their records. This without a doubt ranks as THE biggest headache for identity theft victims.

Once a negative gets put on your record, it seems the credit bureaus refuse to remove it, in spite of the countless documentation you provide to them. This can affect you well into the future when buying a house, car or any other big ticket item. If you are going to do this by yourself, constant follow up is critical. That goes for all the organizations but especially the credit bureaus. Be diligent until the matter gets resolved. Getting a lawyer wouldn't be a bad idea.

Stay Away from "credit repair companies". No matter what they advertise, there's usually nothing they can do to help you with identity theft. Some of them even offer to help you apply for credit under a new identity. Hello? When trying to eliminate fraud from your record you don't want to create more fraud.

Advise the utility companies. It's not just bank accounts and credit cards. Many identity thieves commit fraud by opening telephone accounts, purchasing cable television or establishing credit with the gas & electric companies, in the hopes it will go unnoticed for as long as possible.

If necessary get counseling. Identity theft can be a shattering experience mentally and emotionally. Victims and family members often feel violated. It's not their fault of course but the feelings remain. A network of support groups and counselors exists if you need it.

The road back from identity theft can take years, cost a lot of money, and cause much stress and pain. But with follow up, support and belief that the nightmare will end... the nightmare WILL end.

Copyright © 2005 Daryl Campbell

About Daryl: Daryl Campbell owns and operates WintheMarket.com (http://www.winthemarket.com). Identity theft can be devastating. Restoring your good name can be overwhelming and costly. If identity theft happens, you need more than do-it-yourself information. Let the experts do the work for you. For free information go to http://digbig.com/4cmcg now.


posted by RealitySEO at 8:45 AM 0 comments

Thursday, June 02, 2005

Bushwhacking privacy


The Privacy and Civil Rights Oversight Board, created by President Bush to mollify privacy advocates, is a toothless entity that is established in name only - unfunded and with no board to run it. Existing on paper only, this agency was created by Congress last December as part of intelligence-reform legislation.

Bush has nominated no members to the board and has signed no funding. Simple solution again, give the public what they want, when they ask for it, but ignore it later until it dies. More BushCo tactics for getting what the administration wants without delivering promised reforms to satisfy critics of any move. Promise, but never deliver. Standard operating procedure for Big Brother apparently.

posted by RealitySEO at 4:46 PM 0 comments

Wednesday, June 01, 2005

National ID Cards Coming Soon?


National ID cards have now been mandated by Congress as a last-minute amendment to an emergency spending bill for military needs in Afghanistan and Iraq.

Politicians know how to sneak in the things they know will never be approved without serious debate and public discourse. Slide it into another bill that can't possibly be defeated and do it at the last minute.

Way to go Rep. James Sensenbrenner (R-Wisconsin) - you win the underhanded award this week. At least it was noticed by someone and reported on. There may be a way to back it out of approval if the public truly cares about privacy.

The requirements for national ID are vague and mandate "machine readable" information that may be either magnetic stripes like those on many current state driver licenses or possibly RFID tags that require no contact to be read at a distance.

The worst part of the law is the requirement for linking all state DMV driver license databases to each other and making them available to the Federal government. This means we effectively have a national database with thousands of entry points, and thus thousands of vulnerabilities to hackers and thieves.

It's fascinating how this was snuck in the back door in the US without debate or discussion when Britain is currently in the midst of a long national debate on the same issue of national ID. Everyone points to 9-11 as the proof of necessity for a national ID card and suggests that, had this scheme been in effect back then, we would not have seen any terrorist attacks.

Will we have a national uproar or will this sneaky move pay off for big brother? Contact your state representatives to Congress and make your views known!

posted by RealitySEO at 2:28 PM 0 comments

Phishing: An Interesting Twist On A Common Scam



Phishing: An Interesting Twist On A Common Scam

After Two Security Assessments I Must Be Secure, Right?

------------------------------------------------------

Imagine you are the CIO of a national financial institution and you've recently deployed a state-of-the-art online transaction service for your customers. To make sure your company's network perimeter is secure, you executed two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern. "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion.

The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...

The Results Were Less Than Pleasing

-----------------------------------

During this penetration test, there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems. Particularly if you are in the business of money.

Most people are familiar with the term "Phishing". Dictionary.com defines the word Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.

Internet Router Compromise Makes For A Bad Day

----------------------------------------------

In this case, the Internet router was compromised by using a well-known Cisco vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the firewall that was protecting the web server was configured adequately, what took place next made these defense systems irrelevant.

Instead of setting up a duplicate login site on an external system, then sending out SPAM in order to entice a customer to give up their user ID, password, and account numbers, another approach, a much more nefarious approach was taken.

Phishing For Personal Or Financial Information

----------------------------------------------

You remember that router that was compromised? For proof of concept purposes, the router configuration was altered to forward all Internet traffic bound for the legitimate web server, to another web server where user ID, password, and account information could be collected. The first time this information was entered, the customer would receive an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine.

No one, not the customer nor the company, had any idea that something nefarious was going on. No bells or whistles went off, and no one questioned the error. Why would they? They could have put the wrong password in, or it was likely a typical error on a web page that everyone deals with from time to time.

At this point, you can let your imagination take over. The attacker may not move forward and use the information collected right away. It could be days or weeks before it is used. Any trace of what actually took place to collect the information would most likely be history.
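The "ambiguous error, then redirect" sequence above is exactly what a synthetic-transaction monitor is built to notice. The following Python is an added example, not code from the article or its author: it models such a monitor offline, pinning the genuine server's certificate fingerprint and flagging the error-then-redirect pattern, with a constructed hostname, fingerprints and canary observations standing in for real logins.

```python
# Added example, not from the original article: an offline model of a
# synthetic-transaction monitor for the redirect-phishing scenario above.
# A canary client logs in with a dedicated throwaway account on a schedule and
# records what it saw: the certificate the peer presented, the HTTP status of
# the login POST and any redirect target. The checker pins the real server's
# certificate fingerprint and flags the "ambiguous error, then redirect"
# pattern. Hostnames, fingerprints and observations are constructed values.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    attempt: int
    url: str                        # URL the canary requested
    peer_fingerprint: str           # SHA-256 of the leaf certificate presented
    status: int                     # HTTP status of the login POST
    location: Optional[str] = None  # Location header if the reply redirected
    logged_in: bool = False         # reply carried the expected session marker?


@dataclass(frozen=True)
class Baseline:
    expected_host: str
    pinned_fingerprints: FrozenSet[str]  # certificates the real server may use


def check_observation(obs: Observation, baseline: Baseline) -> List[str]:
    """Findings for one canary attempt; an empty list means it looked clean."""
    findings = []
    if obs.peer_fingerprint not in baseline.pinned_fingerprints:
        # Forwarding traffic at the router does not give the impostor the real
        # server's private key, so the fake site must present another cert.
        findings.append(f"attempt {obs.attempt}: certificate "
                        f"{obs.peer_fingerprint[:12]}... is not pinned")
    if obs.location is not None:
        target = urlsplit(obs.location).hostname
        if target != baseline.expected_host:
            findings.append(f"attempt {obs.attempt}: redirect to foreign host {target}")
    if obs.status >= 500:
        findings.append(f"attempt {obs.attempt}: server error {obs.status} on login")
    if obs.status == 200 and not obs.logged_in:
        findings.append(f"attempt {obs.attempt}: known-good credentials rejected")
    return findings


def check_sequence(observations: List[Observation], baseline: Baseline) -> List[str]:
    """Per-attempt checks plus the error-then-redirect pattern from the article."""
    findings = []
    for obs in observations:
        findings.extend(check_observation(obs, baseline))
    for prev, cur in zip(observations, observations[1:]):
        if prev.status >= 500 and cur.status in (301, 302, 303, 307, 308):
            findings.append(f"attempts {prev.attempt}-{cur.attempt}: error followed "
                            f"by redirect, consistent with credential harvesting")
    return findings


# Constructed sample data (hypothetical host and fingerprints).
LOGIN_URL = "https://online.example-bank.test/login"
REAL_FP = "a1" * 32     # fingerprint of the genuine server's certificate
FAKE_FP = "ff" * 32     # whatever the impostor server presented
BASELINE = Baseline("online.example-bank.test", frozenset({REAL_FP}))

HEALTHY = [Observation(1, LOGIN_URL, REAL_FP, 200, logged_in=True)]

# What the canary would record during the attack described above: the first
# login meets an ambiguous error, the second is bounced back to the real site.
HARVESTED = [
    Observation(1, LOGIN_URL, FAKE_FP, 500),
    Observation(2, LOGIN_URL, FAKE_FP, 302, location=LOGIN_URL + "?retry=1"),
    Observation(3, LOGIN_URL, REAL_FP, 200, logged_in=True),
]
```

Calling `check_sequence(HARVESTED, BASELINE)` yields four findings (two unpinned certificates, one server error and the error-then-redirect pattern), while the healthy run yields none; in practice the fingerprint would come from the peer certificate recorded by the canary's HTTPS client.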

What Do You Really Get Out Of Security Assessments

--------------------------------------------------

I can't tell you how many times I've been presented with security assessment reports that are pretty much information output from an off-the-shelf or open source automated security analyzer. Although an attacker may use the same or similar tools during an attack, they do not solely rely on this information to reach their goal. An effective penetration test or security assessment must be performed by someone who understands not only "security vulnerabilities" and how to run off-the-shelf tools, but more. The person executing the assessment must do so armed with the tools and experience that meet or exceed those a potential attacker would have.

Conclusion

----------

Whether you are a small, medium, or large company, you must be very careful about who you decide is most qualified to perform a review of your company's security defense systems, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP..., it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results you receive from engaging in a security assessment are thorough / complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well, and knew that something was wrong with you, would you settle for just one doctor's opinion?

Quite frankly, I've never met a hacker (I know I will get slammed for using this term, I always do), that has a certification stating that they know what they are doing. They know what they are doing because they've done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no class or certification can teach you is, imagination.

About The Author

----------------

Darren Miller is an Information Security Consultant with over sixteen years of experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren you can e-mail him at Darren.Miller@ParaLogic.Net. If you would like to know more about computer security please visit us at http://www.defendingthenet.com


posted by RealitySEO at 11:47 AM 0 comments

HP and Microsoft Planning Identity Systems Dominance



Who Do You Want To Be Today? - HP and Microsoft Planning Identity Systems Dominance


Dennis Miller once said that "Bill Gates is a monocle and a Persian cat away from being a bad guy in a James Bond movie." Last week, Hewlett-Packard announced that it, along with Gates' Microsoft, is getting set to make a push into yet another market currently dominated by small niche players and Unix-based software platforms -- identity management systems at the national level.


It makes you feel all warm and fuzzy doesn't it? The idea of building a national identification system on a software platform whose best claim to fame is its legendary lack of security seems ludicrous at best; but there it is. Hewlett-Packard's release of its National Identity System is based on Microsoft software such as Microsoft Server 2003 Enterprise Edition, Microsoft BizTalk Server 2004, Microsoft SQL Server 2000 (64-bit), the Microsoft .NET Framework and Microsoft Services with HP providing the hardware, integration and support.


The basic idea, according to the UK IT-tabloid The Register (http://www.theregister.co.uk/2005/05/31/hp_id_system/) is to provide a modular structure for controlling access to electronic government services and securing transactions (such as voting!) between citizens and governments using plug-in features like the ability to interface with various biometric systems.


The focus, for the moment, is on the world outside the United States. Existing customers for the technology are the Italian Interior Ministry, which is supplying all Italian citizens with smart electronic national identity documents, and the governments of Israel, Poland, Slovakia and Bulgaria. The announcement seemed particularly relevant in England, which is embroiled in a controversy over compulsory identification cards.


So What's This About?


We can almost hope that this is about nothing more than money. To be sure, there is lots of it involved. Industry analysts at Morgan Keegan estimate that the identity market is expected to grow from $4.8 billion last year to nearly $11 billion by 2007, and those numbers may be conservative. A London School of Economics study concluded that the rollout of a biometric ID card system in the UK could cost as much as 18 billion pounds (in excess of $32 billion), up sharply from the 5.8 billion pounds previously estimated by the Home Office.


But there are bigger issues involved. These are issues of trust and power relationships between governments, citizens and corporations. A key player in all this is a privately-held Swiss startup company (definitely one to watch) called WISeKey, a pioneer in the field of Public Key Infrastructure (PKI) and such esoterica as Quantum cryptography. WISeKey has set itself up very quickly and firmly as one of only a few "global trust providers", forging relationships with technology giants like HP and Microsoft as well as with other organizations, such as the HRD International Group, that facilitate global trade.


WISeKey prides itself on its status as a "technodemocratic" global trust provider, even capitalizing on its location in Geneva, Switzerland, a country known for zealous neutrality and overarching concern with privacy. Its appeal to Microsoft, a company with commitment issues in the trust-relationship department, therefore, is understandable. But what is the benefit to you in putting so much trust in a private company you've never heard of?


Who's Trusted in Trusted Computing?


Microsoft's efforts in the Trusted Computing initiative (code-named "Palladium" and expected to be rolled out as part of the long-awaited Longhorn update of Windows XP) have gotten off to a rocky start. The Electronic Privacy Information Center (EPIC) (http://www.epic.org/privacy/consumer/microsoft/palladium.html) maintains a good resource on the subject, and the opposition to it seems to be having an effect.


Briefly, "Trusted Computing" seems to refer to the efforts of large media and technological concerns to put in place controls whereby they can trust each other, primarily, and also trust you. Your trust for them is not at issue. Hard-shell Open Source evangelists like Richard M. Stallman, however, aren't amused.


Stallman's essay "Can You Trust Your Computer" (http://www.gnu.org/philosophy/can-you-trust.html) is a look at some logical extremes that must really be examined to gain a full understanding of what's at stake. Stallman argues that "treacherous computing", as he calls it, is fundamentally about the development of unprecedented notions of control and ownership of information and the overturning of the whole body of legal and ethical ideas about that information.


He, of course, argues that Open Source alternatives like the GNU/Linux operating system are the way forward, providing real trust through transparency and open collaboration rather than by obfuscation and grand security schemes. Stallman is well-known for such pronouncements for the simple reason that he is quite often right.


But this is not to say that a middle way is not available. We use Microsoft's improving products at Cafe ID (http://www.cafeid.com) and do so, at least for now, without a deep sense of dread. WISeKey's technology is superior, indeed; but we see it as part of our job to insist that such technology is used to provide real privacy and security to the end-user, and not from the end-user.


Certainly, when it comes to implementing e-government's information services, that principle should be the first requirement and should be emphasized above all others. As long as the technology makes the opposite approach feasible to implement, however, our role in this borderless technodemocracy is to see that that doesn't happen.


-----


About the Author


Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


posted by RealitySEO at 9:49 AM 0 comments

Public Record Privacy


A Matter Of Public Record: according to this Washington Post article, in which privacy advocate BJ Ostergren campaigns to have Social Security numbers and other sensitive personal information removed from public websites, it's becoming increasingly easy to find sensitive information on you and me. Ostergren is finding the SSNs of public officials and posting them on her web site in the hope that those politicians will legislate away not only the posting of new public records online, but also require the removal of already posted public information.

She displays the SSN of Florida Governor Jeb Bush on her web site because, when she found it elsewhere online, it somehow got blacked out on the public record she had found. So ... she posted it publicly on her web site because she figured we all need the same protection that Bush got. Our SSNs won't be removed from public records, but public officials' info will be? Not fair, she says.

She also links to a 1980 tax lien filed against House Majority Leader Tom DeLay of Texas, which shows his Social Security number just as clearly as many other citizens' records do. Ostergren claims that her public posting of politicians' information should alert them to the ease with which that information can be found and used for nefarious purposes, and she hopes it will lead to the removal of existing public records online.

posted by RealitySEO at 9:05 AM 0 comments