You Can Never Be Too Careful

In the past few weeks I have been traveling quite a bit.  Therefore, I have been spending a lot of time in airports, car rental offices, Super Shuttles, and hotels.  When I travel by myself, I am a fan of reading, listening to music, and people watching.  It is this last activity that has prompted me to write this blog. 

While at the airport, I realized that several people were holding their driver’s licenses (for security screening purposes).  The problem however, was that had I been a more dishonest person, I could have easily recorded the names and addresses of several people for future use.  One person sat down next to me at the airport, put down his bags, ticket, license, and credit card, then turned to his back on all of it to talk to his travel partner.  While waiting in line at the car rental office, I listened to one person read off their entire credit card number, including the three-digit security code on the back, over their cell phone.  In the hotel restaurant, while I was having dinner, I watched a woman walk off and leave her purse sitting at the table unattended, and before she returned to the table, the server brought back her check with her credit card sitting on top.  During check-in at the hotel, had I wanted to, I could have documented one gentleman’s information from both his driver’s license and his American Express card, as he left both sitting on the counter next to me. 

With all the information out there about identity theft, credit card fraud, health insurance fraud, and more, why are people still being so careless with their personal information?  NCPC has an entire campaign on identity theft, which tells us, among other things, that according to the U.S. Postal Service, in 2004 consumers spent $5 billion to resolve identity theft problems, and almost 10 million people were victimized.   So here is your reminder: be careful with your personal information!  And just in case you need a refresher, check out this guide on preventing identity theft (PDF).

Stay Vigilant During Tax Season

It’s the middle of tax season, and you may have noticed more junk mail in your mailbox than usual or more phishing emails in your inbox.  Perhaps you’ve even experienced an increase in those pesky telemarketing calls lately.  As a fellow NCPC blogger pointed out last month, tax season can offer more opportunities for scammers trying to rip people off.  These criminals trust that the average American taxpayer is stressed at this time of year, and hope that we might be more prone to slip up and make mistakes under the additional pressure associated with preparing our sensitive tax documents.

That is why, as you finish preparing your taxes, it is important to be vigilant in protecting your personal information.  Don’t let your guard down in the home stretch and allow identity thieves to exploit you. Luckily, organizations such as the National White Collar Crime Center release information to keep consumers aware of some of the scams in circulation. Recently, they warned of a certain telephone-based phishing scam (PDF) in which data thieves impersonated IRS officials. Be sure to read the press release, and keep an eye out for similar ruses over the next couple months.

But, be careful not to limit your scope. Just because there is an influx of tax-related scams doesn’t mean that scammers have stopped coming at you from other angles as well.  Check out this recent Washington Post article about another bizarre phishing scam.  If you receive that one, you will have plenty of reasons to report it to the authorities. Just keep your eyes open and always think twice before opening emails from unknown or unfamiliar sources!

Protecting Your Identity Can Be Very Taxing This Time of Year

Tax season: the most wonderful time of the year—for identity thieves. While you are at home filing forms and gathering all of your personal information, thieves are scheming to get a hold of your identity.

Tax season leaves many vulnerable to identity theft. Just think about it. Everything from your Social Security number to your employer and income information is written down for the entire world to see. Ok, well, maybe not the “world” per se, but it is important that you treat this valuable information with care. Identity thieves hope that stress, combined with that dreaded April 15th deadline, will act as their allies and cause you to be hasty and irresponsible with your important information.

Don’t give thieves the chance to steal your identity this tax season and take these precautions.

• Keep an eye on your mailbox, especially during tax season. Your mailbox can be a gold mine for  identity thieves. Don’t leave your mail sitting in your mailbox and retrieve it as close to its delivery as possible.
• When you’re out of town, have the post office hold your mail for you or have someone you trust pick it up every day.
• Don’t put outgoing mail in your mailbox. Use United States Postal Service mailboxes instead, or better yet, drop off your mail inside a post office.
• Use a locked mailbox with a slot at home, if at all possible.
• Don’t put your outgoing mail in an unguarded “outbox” at work.
• If you are filing taxes online, be sure that you are using a reputable and secure website.
• Be cautious of who helps you prepare your taxes. Make sure they are trustworthy and credible.
• Don’t fall for scams. This year the government is sending out rebate checks. The only thing you need to do in order to receive the rebate is file your taxes. They will not contact you and ask for any personal information.

Although tax season heightens the threat of identity theft, it is important to take the necessary precautions and protect your identity all year round. To find more helpful tips on how you can keep yourself safe, visit www.ncpc.org, www.usdoj.gov, and www.ftc.gov.

Will the REAL ID Have Real Effects?

Last month, the Department of Homeland Security (DHS) announced its long-awaited rule establishing uniform standards for drivers’ licenses and other state-issued identification cards. According to Michael Chertoff in DHS’ press release, “REAL ID will give law enforcement and security officials a powerful advantage against falsified documents, and it will bring some peace of mind to citizens wanting to protect their identity from theft by a criminal or illegal alien.”

Originally conceived as a response to the September 11th hijackers, who used no fewer than 30 government-issued driver’s licenses to board planes, REAL ID is set to address document fraud by setting specific requirements that states must adopt for compliance, such as additional security features, standardized proof of identity, and verification of the source documents provided by an applicant. DHS has expressed the need for a nationwide identification card by quoting the rise of identity theft by nearly 800 percent from 2000 to 2006 as well as the use of fraudulent drivers’ licenses in 35 percent of identity theft cases pursued by the Secret Service during that time.

The question remains whether another national identification card will realistically prevent significantly fewer instances of identity theft. Most other forms of nationally issued identification, such as Social Security cards, “green cards,” and passports, are also falsely reproduced throughout the country by minors, illegal immigrants, and identity thieves. Critics say that the new licenses could still be forged. An article in the Washington Post says that 17 states have already said that they would either refuse to issue the new licenses required by DHS or have asked Congress to repeal a 2005 law that requires states to collect and store additional data on driver’s license applicants. Under REAL ID, all new licenses would be machine-readable and contain personal information that could be scanned by governments and potentially by corporations. If corporations can access the personal data of most U.S. citizens through this type of scan, identity thieves may have even more access to valuable information if the card system is breached.

The card would be unwieldy if used as part of our travel industry. It is unlikely that the airline industry would allow the federal government to prevent citizens of noncompliant states from getting on airplanes. The security standards of the Transportation Security Administration only require that the name on an identification card match the boarding pass. The REAL ID will only protect our national security if TSA safety regulations are changed to include the inspection of the ID itself. As a proponent of crime prevention, I believe that the REAL ID regulation has some major flaws, including its promise to help prevent identity theft. 

What do you believe? Will the changeover to REAL IDs make a significant difference in identity theft prevention, or will the use of private data storage only assist criminals in their efforts? Will it improve our safety in the skies?

To read the Final Rule, please visit the DHS website.

Understanding the Parts of a Criminal Ecosystem

I realize I’ve been on a serious cybercrime and identity theft kick lately, but so much of interest has been published on these topics lately, it’s hard to resist. Thanks to an article on Help Net Security, we can get a much more nuanced look at the world of phishing, which is more of an ecosystem of bumbling bad folks than several separate super hackers.

From the article, you can get a good sense of how many people are actually involved in identity theft. Help Net Security gives a good overview of the identity theft ecosystem with an interview with two security researchers who infiltrated a phisher community. As opposed to what one might fear — a scrum of computer experts bent on our destruction — the researchers instead found a complex community of people who write “kits” to make phishing sites, scam artists who deploy them (who often cannot read the code that make the kits go), and then a market of people who buy the stolen identities, create fake credit cards from stolen data, and trick others into laundering money from the accounts of identity theft victims. What surprised the researchers most was the lack of savvy of most members of the community; as the article explained, “Maybe a few phishers out there are skilled, but the majority are clueless.” Many of the kits that the scammers deploy have simple “back doors” in them that allow the authors of the kits to steal information from the identity thieves who use the kits. Additionally, according to the researchers, the phishers steal from one another.  “These shady characters may work with each other but they sure don't trust each other, that's for sure,” the article said.

The article itself is well worth the read, especially if you find Internet security research as fascinating as I do. Personally, it’s hard to decide whether I’m more hopeful or insulted that the phishers are so disorganized. For crime prevention practitioners generally, though, the research shows us a path to more successful prevention; the better we understand the parts of a criminal ecosystem, the more opportunities we have to prevent the crime by breaking down the system itself.

Hat tip to slashdot.

Internet Scams Continue

One thing we are told over and over is to be aware of Internet scams. But a lot of scams can be defeated with a little common sense. For instance, recently I have received numerous emails from various banks and credit unions. It only takes a second for me to read the name of the institution and realize I do not, nor have I ever, had any account with these banks or credit unions. So without hesitation I hit delete and move on.

However the other day I received an email from Pay Pal telling me my account had been compromised and they needed some information verified. As an avid Pay Pal user, this email got my attention. It looked authentic when I initially viewed it. But I became suspicious when I clicked on other tabs such as “Contact Us” and “Site Map,” and each selection just took me to the credit card verification page. I again looked at the email, and I still thought that it looked like the real thing.

Next, however, I went to the Pay Pal website and logged into my account. The sites were very similar except the real site showed the last four digits of the credit card I had on file, whereas the emailed version did not. When I selected “Contact Us” and “Site Map,” this time I was directed to those pages of the site.

At this point I assumed the email was a fake and deleted it. However, this experience stayed on my mind for some time. After a while I realized that the purported Pay Pal email was sent to me through an email address that I have never even used in connection with my Pay Pal account. I had already decided that if there actually was a problem with my Pay Pal account, then Pay Pal would surely let me know the next time I tried to use their service. To me, this was just another lesson to always be cautious and err on the side of keeping your finances safe and secure. You simply can’t trust what you come across in Cyberspace.

What’s in your Router?

Attentive Prevention Works readers doubtlessly know lots about phishing, and how it uses fear and uncertainty to trick people into giving up sensitive personal information.  And, of course, our readers know the common prevention techniques for phishing: don’t click on links directly in email (type the URL in your browser yourself), always carefully check the URL of any site to which you are providing personal information to confirm that it is legitimate, and call customer service when in doubt.

What do you do when you can’t trust your browser, though? What if, when you tell your browser to go to www.example.com, it instead takes you to www.badphishingsite.com, and doesn’t even know to tell you about the bait and switch? Unfortunately, this is a scenario that may be facing us shortly. In a practice called drive-by pharming, cybercriminals attack the part of the Internet’s infrastructure (the Domain Name System) that tells your computer how to locate the servers for www.example.com. Then it secretly replaces the real record for example.com with one that will direct the victim’s computer to whatever site the criminal may want. Although only theoretically possible until recently, according to slashdot, there are reported cases of an attack against a large, Mexican bank, wherein victims received an innocuous greeting card email that then changed their router’s settings so that when they tried to access the bank, they instead ended up at a cloaked phishing site that harvested their personal information. Even worse, once a router is compromised, every user who connects through it will be a victim of the same scam, with no reasonable way to tell that he or she is being taken advantage of. Because many families share their broadband Internet connections through a router, one member of the family could compromise all with one unlucky click.

Drive-by pharming is a scary practice, in part because it subverts common anti-phishing strategies. Suddenly, you can’t trust your browser’s location bar to tell you where you really are, meaning typing a URL in directly may not prevent identity theft. Thankfully, prevention strategies already exist. If you have a router, be sure to change the administrator password, and use a good one. Also, just as there are updates for your computer, there are also updates for your router — read your instruction manual for how to update it. It is paramount that you keep each piece of hardware you use up-to-date with software updates to prevent malicious users from taking advantage of you and your family. For even more tips, see InformIT’s Home Network Router Security Secrets and Symantic’s Drive-by Pharming blog entry.

The Most Important Person

Over this past weekend, a Washington Post staff writer published a very interesting and informative article about identity theft.  It was especially interesting because she had, in fact, become the victim of identity theft recently.  In her article, she details the entire process she endured — from receiving the first phone call from her bank to her current situation — and provides some tips for the millions of other consumers who find themselves victim to this crime each year.  She captures the “headache” of the whole process, but also passes on some very helpful tips.  Above everything, she drives home what we have been saying about this crime from the beginning: Identity theft is still a new, evolving crime with almost no guaranteed, protective safeguards. When it comes to protecting your private information, the most important person still is you!

Simply put, our personal data is simply not secure these days.  Consumers’ private information continues to be displayed online, giving criminals countless opportunities at theft.  It’s essential that we all take steps to monitor our own credit, keep a close eye on our bills, and protect our personal information as best we can.  Betsy Broder, assistant director in the FTC’s Division of Privacy and Identity Protection, was quoted in the Post article as saying, “There are a lot of ways that consumers can minimize their risks, but I would hesitate to say that someone can completely immunize themselves from identity theft.  That’s because you’re not the only one that has your data.”  The truth in her words has become painfully obvious these days.  So when it comes to identity theft, only you can protect yourself.

A Cluttered Digital Landscape

Just one week into 2008, the persistent problem of identity theft has already been grabbing the headlines.  It seems that the web-based technology associated with this crime is allowing more opportunities for criminals than it is for law enforcement agencies and the courts.  Basically, the Internet is a vast, digital landscape, cluttered with an immeasurable amount of information, and it is easier for thieves to mine the data for peoples’ private information than it is for anyone to clean it up and secure or remove that private information.  But this is not a battle our society can afford to lose if we hope to continue sharing personal information in any capacity, let alone if we hope to salvage consumers’ trust in e-commerce.  To that end, I am dedicating this blog article to the many recent interesting and helpful articles I have read regarding online safety.

The Washington Post published an article last week about the proliferation of online record keeping, and the effects it’s had on identity theft.  The article paints a disturbing picture in which American citizens, particularly those involved with court cases, often have their personal information, including their Social Security numbers, published online and made publicly accessible without their knowledge.  Since the laws protecting this data and criminalizing identity theft vary greatly from state to state, and often within the states themselves, it falls heavily onto American citizens to vigilantly protect this kind of information. 

If you notice that your personal information is published on a website, immediately read that website’s privacy policy and contact them to remove the data.  There’s no guarantee that they will comply, but you should certainly make the effort.  The organization Computer Professionals for Social Responsibility offers some helpful information on its website regarding this action.  After that, since the data has been visible to the public, it would be smart to follow these instructions provided by the Federal Trade Commission.  Also, keep in mind that you may request a free credit report from each of the three national reporting companies each year in order to monitor your credit yourself.  Just remember that there is only one authorized online source for you to request a free credit report under federal law.

Also worthy of note recently: The New York Times published an extremely interesting article that reports the tale of a homeless man who had his identity stolen.

The Washington Post and the New York Times have also recently published articles that describe some of the efforts being made to safeguard children using the Internet.  Both of them are worth a read. 

For now, what else can I say?  If you, like me, are unhappy with this current state of affairs online, demand more legislation from your local lawmakers to address these issues and call out loudly for tougher penalties for cybercriminals.  The future of online privacy is very uncertain.

All That Data…

First, happy new year to all of you. I hope your year is off to as safe and happy a start as ours is at NCPC.

It may make me seem like a geek, but I have a secret love for this time of year because of all the data that become available. Right about now, all kinds of retrospective information appears about various crimes and prevention efforts, informing us of trends and the effectiveness of our efforts. And relevant to my love of data is a recent article from Wired about data loss in 2007; if you guessed it was banner year for data theft, you’d be right. To me, the problem is a common one: too little prevention too late.

According to the article, somewhere between 49 and 79 million records were lost last year, depending on how you count. That’s a lot of lives interrupted and identities stolen. According to the article, companies lost the data to the sources we have talked about in the past: hackers and lost hardware. In the largest reported case of identity theft last year, TJX’s loss, hackers found a weakness in the retailer’s wireless network and extracted data directly from TJX’s central database. Other cases were more mundane: as explained by Linda Foley of the Identity Theft Resource Center, “A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost …. This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system.” Indeed, Foley claims that “More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be.”

Prevention is critical in data loss, and it will only be more so. Businesses are not going to stop putting information online; having information about customers available over the Internet is simply too valuable. However, unless prevention is a part of the system from the ground up, data loss will only get worse. Security needs to be a part of software projects just as much as features — if you’re designing new business software, have a security plan from the beginning. Employees are going to need to understand secure data handling as well as they understand their core job functions — if you carry equipment carrying anyone’s personal information, find out how to secure the system in case you lose it. Consumers are going to have to be involved, asking questions and challenging the process at every step. And everyone should remember this rule: If someone asks you for identifying information, ask them why they need it and what they are going to do with it.