New Year's Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions!

If yours is to get better control over your information privacy, particularly as it relates to identity theft, here are some effective steps you can take:

  1. Buy a shredder. Ninety percent of information theft is still low-tech and comes from dumpster-diving, etc. When we infosec people go on and on about break-ins and disclosures, we are the equivalent of transportation safety wonks talking about airline safety. It’s an exciting spectator sport, but for real safety, just internalize that when that traffic light turns green, it means that someone in a hurry has floored it and is about to enter the intersection.
  2. Drop off your outgoing mail at the post office, not in your home mailbox. The reason is the same. The best way for someone to get valuable information about how to pretend to be you is to rob your outgoing bills.
  3. Consider on-line bill-paying. As I said above, worrying about on-line security as opposed to paper security is like worrying about aviation security as opposed to automotive security. On-line bill paying moves you to a lower risk activity that is perhaps scarier because it’s less in your control, but it is genuinely safer.
  4. Get rid of extra credit cards. It lowers your vulnerable profile.
  5. Don’t perform financial transactions on your mobile phone in a public place. I have never been fond of mobile phones, but I’ve adapted. I travel a lot and often hear what people say loudly into their phones. Don’t recite your credit card number loudly, or your brokerage account number. Keep an eye on who can see your laptop screen, too. As a wise man once said, there are vultures everywhere.
  6. Lastly, there’s the whole issue of password security. While this could start a whole debate by itself, don’t use the same password for junk sites as for financial ones.

Credit Card Data Over AOL IM

From the files of “too good to make up”, reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially, he bought some merchandise at a shop which didn’t have a point-of-sale terminal, so the clerk was IMing all the credit card data to a friend who had one, who would then run the card for him.

What Congress Can Do To Prevent Identity Theft

Larry The Lender
Seventy Percent of Americans think we need more laws to protect them from identity theft and all that.

I can think of a situation we need protection from. Here is a scenario. Let us take the case of a lender, Larry. We need a law to make it so that if Larry lends money to Alice, he cannot try to collect it from Bob. That’s all we need. If we have that, we’ll have all the legal protection we need to solve identity theft.

The threat of identity theft comes from Larry’s business practices. Larry wanders around hawking credit. “Yo, Alice, Bob, either of you want to borrow some money for lunch? A car?” There are a lot of advantages to easy credit, but disadvantages as well. In addition to the usual ones of people amassing too much debt (whatever that means), identity theft is actually the result of easy credit.

Perhaps Larry is nearsighted, perhaps Larry is stupid. Perhaps Larry is dumb like a fox. However, what happens is that Alice borrows money from Larry and says, “I’m Bob.” Larry marks that down, and then goes and hits up Bob for payment. Bob is understandably confused.

That’s it, that’s the security scenario of identity theft. We’re going about solving it the wrong way, because the real cause of identity theft is Larry’s business practices. I can (and probably will, in a future post) tell you how to reduce the chances of identity theft. These are actionable suggestions; they are things you can actually do. None of us can presently deal with the real problem, so we have to make do.

There is nothing in law, morality, or ethics that requires Bob to pay up when Larry lends to Alice. Unfortunately, we’ve all let Larry get away with it. We’ve made it be Bob’s problem, when it isn’t. Let’s make no mistake here, Alice is committing fraud. But Larry is the enabler, and really not only owes Bob setting the record straight, but reimbursement for the trouble Bob had to go to because Larry is stupid (even if it’s stupid like a fox).

If Congress wants to do something for consumers, it would be to require lenders to be responsible. Yes, this would crimp their style. For example, one bank sends my household mail for pre-approved credit cards at a rate of more than one per day. We used to shred them, but now we package everything up in the business reply envelope and send it back to them. Perhaps it would be part of the slow slide into tyranny for the nanny-state to effectively prevent banks from sending 400 credit-card offers to a single household per year, but the right to swing your arm stops at my nose, and the right to beg, plead, whine, and wheedle me to borrow more stops when you can’t tell Alice from Bob.

An alternative solution would be for some ambulance-chaser to file a class action lawsuit. I think that it could be extremely successful, properly done. Contract law covers these cases, or at least it’s mystifying to me why it doesn’t.

Apparently, however, it seems that our current legal system does not support this intuitively obvious notion that bad business decisions do not create liability on some third party. If Congress wants to help people, it will do something simple and sane. It’s not Bob’s fault that Larry is stupid.

That’s Funny….

[Image: a chopped sock, illustrative of a non-amputated foot]

Over the last week, I’ve read several things involving poor Lind Weaver. In case you missed it, she’s a 57-year-old owner of a horse farm. She got a bill for the amputation of her right foot. As you should expect if you’re a regular reader here, it wasn’t her. Comic hijinks ensue which conclude with

After weeks of wrangling with the hospital’s billing reps, Weaver finally stormed into the facility and kicked her heels up on the desk of the chief administrator. “Obviously, I have both of my feet,” she told him.

She’s either the victim of an incredible records screw-up, or (cue dramatic organ chords) Healthcare Identity Theft. The articles I’ve read state that it’s the latter, and in fact while it may be comic, it’s no laughing matter. This sort of thing is going to get someone killed.

Many years ago, Stan Kelly-Bootle told us that GIGO means Garbage In, Gospel Out. This is the tendency to believe that data, having passed through a computer, is sanitized and made holy and incorruptible. The Pope is only infallible when he’s speaking ex cathedra, but an Excel spreadsheet — there’s no arguing with that.

I just have to blink several times at the thought that, in this day and age, a middle-aged woman can call a hospital up and say, “excuse me, there must be a mistake in this bill for an amputation,” and no one thinks there might be something wrong. This is the power of the GIGO principle. The old saw that the computer doesn’t make mistakes is still there; people just bite their tongues when they think it.

We also have a Digital Confidence Survey from the Cyber Security Industry Alliance (CSIA) that has lots of pretty graphs and things that I have trouble making sense of.

The Digital Confidence Index is 57. Um, okay. I’m not sure what that means. The CSIA thinks that that means people want more laws about this. I’m not disagreeing, I have my own ideas on what those ought to be.

There’s a nice chart there that tells us that 50% of Internet users “avoid making purchases because I’m afraid my information could get stolen.” There isn’t enough context here. There are plenty of times I have avoided buying something on line for more or less that reason. But if you dig deeper, it was because they wanted me to register and create an account, not because of my personal information itself. I don’t want to have a relationship with them, I want to buy something. Maybe if I buy a number of things, I’ll want to proceed with a relationship, but not on the first date.

Nonetheless, I don’t think this is exactly what is behind that datum. People are still afraid of the wrong things. Network security could be a lot better, but the best thing you can do to avoid identity theft is to buy a shredder. I don’t have the reference at hand, but last year, 90% of identity theft was from dumpster-diving and so on, not computer problems.

As bad as network security is, the real danger is elsewhere. It’s the same problem as worrying about airline safety as you drive without a seat belt.

But really, isn’t it better that people lose confidence in computers and networks? The way I see it, we have a surfeit of belief that whatever that screen says is right. Identity theft problems can be helped more by realizing that every business process in the world is screwed up and the ones that are computerized are going to be screwed up in zanier ways because there is no human oversight.

Discoveries don’t come from flashes of insight, but from a mutter that starts with, “that’s funny….” We need fewer people in charge of these systems saying, “our records show you had an amputation on April 31st,” and more people saying, “that’s funny….”

Information Exposed For 800,000 At UCLA

Apparently it’s Identity Theft Tuesday here on Emergent Chaos.
CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it took so long to be noticed, especially in light of Chancellor Abram’s letter which states:

We have a responsibility to safeguard personal information, an obligation that we take very seriously…I deeply regret any concern or inconvenience this incident may cause you.

It’s a real shame they didn’t have more effective security controls and monitoring systems in place. Maybe then this incident wouldn’t have happened, or would have been detected and stopped much earlier.

When The Fox Is In The Henhouse

“Protectors, Too, Gather Profits From ID Theft” in today’s New York Times tells the tale of woe of Melody Millett and her husband Steven, who despite a subscription to Equifax’s Identity Theft protection service still had Steven’s SSN readily abused. Privacy consultant Robert Gellman summed up one of the problems with these services nicely:

Identity theft has essentially become a business — not just for bad guys but for good guys, too…A lot of the people that are involved in profiting legally from identity theft are direct participants in the whole credit system that doesn’t have the protections in place to prevent identity theft in the first place.

So essentially, the credit monitoring services are selling a service to cover the fact that they don’t have a good process to begin with. And given that fraud is generally the liability of the merchant and the banks/credit card companies, not the end user, there is little to no incentive for folks like Experian, TransUnion and Equifax to actually do much in the way of due diligence on either end. When the folks who control your private information are also charging you to “protect” it, they have a serious conflict of interest.
What’s actually needed is a service like Debix. In the interest of full disclosure, I have a fiduciary relationship with Debix. I was also one of their first customers. Why? Because I think it’s important to have someone whose only interest is the protection of my personal information on my side, not someone whose job it is to also sell it to the right people.

Because That's Where The Money is: Ethan Leib's ID Theft

Ethan Leib blogs about being the victim of a fraudster:

An individual in California posing as “Ethan Leib” (with phony ID to match) has been walking into branches of my bank across the state and taking all my money — despite a fraud alert on my accounts. They even stole thousands from my 6-week old daughter’s college fund. How mean! The tellers and “credit fraud analysts” are not doing their jobs so I am poorer and less “Ethan Leib” than ever. Even though many credit agencies and banks have measures in place to prevent identity theft, they all still rely on tellers, banks, and others being properly trained.

I’m sorry this happened to Ethan, who I don’t know, but whose blog posts I’ve enjoyed for a while.

I’m curious, and maybe Ethan (as a lawprof) can answer this: At what point do the bank’s actions cross the line into negligence? There’s clearly an epidemic of fake and fraudulently issued IDs; there’s clearly an epidemic of fraud by impersonation. If banks have measures in place to prevent it, and those measures are ineffective, as they clearly are, when can a customer sue?

Another form of this fraud is mortgage fraud, where a fraudster takes out a new mortgage-backed line of credit on property, and absconds with the cash, or land title fraud, which Schneier talks about in “Land Title Fraud.”

Much of the problem with identity theft has been the exceptions to libel laws under which the credit agencies don’t have to take responsibility for their statements, and the trouble involved in cleaning up those statements. These emergent forms of fraud could be a lot worse.