Identity Theft Explosion

How to Avoid Cons That Can Lead To Identity Theft

noreply@blogger.com (Professional One Real Estate) — Thu, 01 May 2008 15:41:00 +0000

By WALTER S. MOSSBERG
May 1, 2008; WSJ

When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software. While technological defenses can help you fend off these newer types of attacks, your best weapons against them are common sense, alertness, and careful email and Web-surfing practices.

These types of attacks are called "social engineering," and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off. Social engineering is the online equivalent of an old-fashioned con game, in which a crook frightens people with false warnings, or tempts them with false promises, and then robs them.

While viruses and spyware overwhelmingly afflict Windows users and spare users of Apple's Macintosh computers, social-engineering schemes can ensnare Mac users as well. There's nothing inherent in Macs that makes their owners more resistant to falling for social-engineering scams.

The most common form of social engineering is called phishing, a one-two punch using both email and Web browsing to trick people into typing confidential information into Web sites that look like the sites of real companies, especially financial institutions. But these phishing sites are actually skillfully designed fakes that transmit your sensitive data to criminals, often in distant countries. Once these creeps have your passwords and account numbers, they can loot your funds and steal your identity.

Here are some tips to help you avoid being the victim of social engineering, updated from a similar column I wrote in 2006. It includes information on some antiphishing software that wasn't available back then. But remember: Security software alone can't save you from scams.

1. Never, ever click on a link embedded in an email that appears to come from a financial institution, even if it's your own bank or brokerage and even if it looks official right down to the logo. The same goes for payment or auction services, like PayPal or eBay. Don't do this even if the email asserts that your account has a problem, or that the bank has to verify your information. And certainly don't enter any passwords, Social Security numbers or account numbers directly in an email.

These types of emails are almost always fakes, and the links they contain almost always lead to phony Web sites run by criminals. The only exception might be a confirmation email from a brokerage firm concerning a trade you know you made minutes before. Even legitimate-looking addresses in emails or in the address bar of Web browsers can be fakes that hide the crooks' true Web addresses. The lock icon on a Web site can also be falsified.

If you are truly worried about your account, call the bank or company, or go to its Web site by manually typing in its address or by using a well-established bookmark in your browser that you created yourself.

2. Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of.

3. Never download software from unfamiliar Web sites unless you are absolutely sure you need it and it's legitimate. Even if it claims to be a useful program, it may very well be a malicious application like a "key logger," which can report back to crooks everything you type into your computer. If you really want the program, do a Web search on it first, to see if others have reported it as a malicious fake.

4. If a Web site tells you that you need to download special viewing software to see its videos, don't do it. Even if it claims to be giving you legitimate viewing software, like Microsoft's Silverlight, Adobe's Flash or Apple's QuickTime, don't download it there. Go to the official Microsoft, Adobe or Apple Web sites to get these viewers.

5. Use a Web browser, like Internet Explorer 7 on Windows, or Firefox 2.0 on Windows or Mac, that includes built-in features to warn you about, or block access to, known phishing sites. The next versions of these two browsers will have even stronger features that will detect sites that are not only fake, but which are known to distribute malicious software.

Unfortunately, the third major browser, Apple's otherwise excellent Safari for Mac and Windows, lacks any such antiphishing detection, though I expect Apple to add the feature in a future version. So, for now, Mac users worried about phishing should rely on Firefox.

6. Consider security software that tries to detect and block phishing sites. McAfee's free Site Advisor and paid Site Advisor Plus products do a good job. Symantec has similar features built into its large security suites, Norton 360 2.0 and Norton Internet Security 2008.

7. Educate yourself by reading about social engineering and phishing and how to avoid being a victim. Microsoft has a very good guide at: microsoft.com/protect/yourself/phishing/identify.mspx and Symantec has one at: symantec.com/norton/clubsymantec/library/article.jsp?aid=cs_phishing.

Follow these tips and you'll be a happier -- and safer -- surfer.

Credit-Card Security Falters

noreply@blogger.com (Professional One Real Estate) — Tue, 29 Apr 2008 18:44:00 +0000

Industry Standard
Hasn't Prevented
Recent Breaches

By JOSEPH PEREIRA
April 29, 2008; WSJ

Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.

Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.

Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.

Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.

Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.

Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.

Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.

The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Retailers that fail to meet the requirements are subject to fines.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.

Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.

"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.

Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.

Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.

Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."

Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.

As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.

Are Your Medical Records at Risk?

noreply@blogger.com (Professional One Real Estate) — Tue, 29 Apr 2008 18:41:00 +0000

Amid Spate of Security Lapses,
Health-Care Industry Weighs
Privacy Against Quality Care

By SARAH RUBENSTEIN
April 29, 2008; WSJ

When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself.

In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc. At the UCLA Hospital System, several employees were fired or disciplined recently for sneaking peeks at Britney Spears' computerized medical files.

In another recent incident, a former patient-admissions employee at NewYork-Presbyterian Hospital/Weill Cornell Medical Center was arrested this month for allegedly selling at least 2,000 patient identification records, according to the U.S. Attorney for the Southern District of New York. The employee improperly accessed nearly 50,000 patient records in a computer system storing names, Social Security numbers and addresses, court documents allege. Hospital spokeswoman Myrna Manners says some patients have told the hospital they suspect their information had been "used," though it wasn't clear for what purpose or whether identity theft had occurred.

Health care isn't the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees -- including billing staff, nurses, doctors, researchers and lab technicians -- who have quick access to individuals' private information. A number of hospitals have been installing controls that limit by job function the types of data that employees can see. But institutions also are reluctant to control access to patients' private data too tightly, for fear that doing so could get in the way of patient care, especially in emergencies.

"There are just thousands of people who have access -- and need to have access -- to confidential information, and to try to change their behavior is a challenge," says Donald Bradfield, a senior counsel for Johns Hopkins Health System.

The steady stream of privacy breaches threatens to undermine the health-care industry's effort to adopt electronic medical records. That push is meant to make medical care both safer and more convenient for patients, but a major barrier to health-care digitization has been anxiety about preserving the security of such sensitive data.

"What patient is going to want their data to be transmitted electronically if they can't trust the system to keep their data safe?" says Jill Dennis, a senior vice president at the American Health Information Management Association, a professional organization. "The internal mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system."

Patient advocates criticize as too lax institutions' enforcement of a federal privacy law that restricts health providers, insurers and certain other entities from allowing access to private health information to those who don't need to see it. Since the privacy provisions of the law, the Health Insurance Portability and Accountability Act, were implemented in 2003, some 35,000 reports of privacy violations have been submitted to the Department of Health and Human Services. But the department has not levied a single civil fine.

Instead, the department says, it has sought and gained "voluntary compliance" with the law in 6,000 cases. An HHS spokeswoman said the department's approach has led to "improvements that were constructive and were achieved more quickly than through imposition of monetary penalties." Those actions have often involved educating employees about what the law says and how to follow it.

HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution. A DOJ spokeswoman says the department has filed around 200 criminal cases since the 2003 fiscal year under a statute that includes HIPAA, but didn't have a breakdown of just HIPAA-related cases.

David Feinberg, chief executive of the UCLA Hospital System in Los Angeles, calls the celebrity snooping incident "almost mind-boggling," considering that employees had been repeatedly warned not to look at patients' files. Prior to the privacy breaches, UCLA had a computer system that audited who was looking at information on a handful of patients. The hospital permits any patient to request auditing, though high-profile patients more commonly do so.

In the coming months, UCLA plans to start using a new system that will block certain details of patients' records, depending on who is accessing them. For instance, a lab technician would get only lab results, rather than a full medical chart that may also contain radiology reports and notes from doctors and nurses. The system will also allow for auditing on a larger scale, and will include features that require all employees to list their relationship to the patient and will warn them if they're entering "an especially protected chart," Dr. Feinberg says.

Another health system beefing up security is Johns Hopkins, in Baltimore, which has increased employee education on privacy and started adding encryption software to its computers. The action comes after an embarrassing episode last summer, when a computer chained to a desk at Johns Hopkins was pried loose and stolen by a Hopkins employee and an outside vendor's employee. The computer, which was password-protected but not encrypted, had information on about 5,800 patients who were in a registry for people with tumors, including their names, addresses, dates of birth, Social Security numbers, genders, races, medical record numbers and cancer diagnoses.

In another incident involving Johns Hopkins, a deliveryman for a vendor of computer storage devices in late 2006 lost a shipment of the devices on a loading dock at a florist, where he was picking up flowers that he needed to deliver for another client. The misplaced storage devices contained the names, dates of birth, genders, races, mothers' maiden names, fathers' names and medical record numbers of more than 83,000 Johns Hopkins patients.

The hospital also has made other adjustments. Nurses affiliated with Johns Hopkins who are making home calls sometimes used to carry files with them on a "whole roster of patients," not all of whom they were visiting that day, or had extraneous information on those they were visiting, says Mr. Bradfield, the senior counsel. Now, nurses are supposed to carry only what's essential. Johns Hopkins has also instructed its departments to monitor more closely when packages leave their premises and arrive at their destination.

Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. "We have to be able to take care of patients, too," says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff's access to medical data but doesn't block it.

Most health organizations that have experienced recent privacy breaches say they haven't received reports of identity theft related to the incidents. A report from the U.S. Government Accountability Office in June 2007 said there is little evidence that identity theft has resulted from data breaches in a variety of industries, including health. But the GAO added that it's hard to find the original source of data used in identity-theft cases.

More than identity theft, some patient advocates worry about emotional trauma. "Monetary damages don't really get at the sense of invasion that people experience when their privacy has been breached," says Ms. Dennis of the health-information management association. Patients may also worry about their medical information finding its way to a potential health insurer or employer.

In another recent incident, health insurer WellCare said a Web developer inadvertently made the Social Security numbers, dates of birth, names and medical details of about 10,500 Georgia patients publicly available through Internet searches while sending the data to state regulators. More limited information on as many as 71,000 other patients may also have been made publicly available.

WellCare learned of the problem March 20, when a health-plan member called customer service to complain, but company employees assumed the state was responsible. Only after the same health-plan member contacted the company again did WellCare shut down online access to the information, on April 2.

And in February, a laptop with information from MRI reports, names and dates of birth of about 3,200 people enrolled in a cardiac-imaging clinical trial at the National Institutes of Health was stolen from the car trunk of a researcher who'd taken it along to his daughter's swim meet. The laptop -- which was password-protected but not encrypted, contrary to government policy -- also had Social Security numbers for 1,281 of the participants whose records had been sent to the National Death Index, which keeps track of vital statistics including whether trial participants are still alive.

Patients who are worried their medical records may be accessed inappropriately can take some limited steps to try to prevent it. Denver Health in Colorado, for instance, allows patients after receiving care to be informed of every person who has accessed their information. And some hospitals grant patient requests that access to their records be restricted more than is normal.

Patients whose health-insurance identification numbers have been compromised should monitor the "explanations of benefits" statements that insurers send home to make sure a criminal isn't using their stolen account information to obtain insurance coverage.

Going back to traditional paper records, as some patients advocate, wouldn't necessarily solve the problem. Recently, a schoolteacher buying a box of scrap paper in Utah discovered that it contained patient medical records from Central Florida Regional Hospital that were destined for a Medicare auditor in Las Vegas. The hospital says shipping via UPS is typically "secure and reliable." But UPS spokeswoman Lynnette McIntire cautioned: "In general, we don't recommend that those kinds of paper records be sent."

Looking out for identity theft, fraud

noreply@blogger.com (Professional One Real Estate) — Wed, 23 Apr 2008 14:14:00 +0000

BY SUSAN TOMPOR • FREE PRESS COLUMNIST • April 23, 2008

Retired teacher Donna St. John's hand shot up the minute the workshop instructor asked if anyone ever had his or her identity stolen.

St. John recalled the time several years ago that somebody tried to buy a refrigerator, washer and dryer with one phone call to Sears after opening a credit card in her name. The store caught it. But St. John, who used to teach at Sterling Heights High School, never forgot how quickly trouble could start.

About 50 people attended the two-hour identity theft seminar sponsored by Michigan First Credit Union in Lathrup Village on Monday. The event was one of more than 300 classes, seminars and activities scheduled in Michigan during Money Smart Week this year. See www.moneysmartweek.org/michigan for other events.

Crooks' tricks

On Monday, about 15 in the group raised their hands after David Waxer, a financial counselor for GreenPath Debt Solutions in Southfield, asked people if they ever experienced identity theft or fraud.

Some spotted fraudulent charges on a credit card after renting a car or going to a restaurant. One man signed up for a trial promotion that cost $4.95 online. He canceled the service before the trial was up. But later, he was wrongly charged $140 twice for that service.

One man's wife pulled out a card one day and it wasn't hers. Somehow, somebody slipped her another card, letting her think she still had her own plastic and then used her card without her knowledge.

Somebody stole a child's Social Security number.

We're all vulnerable to identity theft. We all need to protect our information.

"Keep a close watch on every electronic transaction -- every bank statement," Waxer told the group.

How to fight back

Other suggestions:

• Study your credit report to see if someone has opened credit cards using your name.

See www.annualcreditreport.com. That is the only central site that enables you to request a free report once every 12 months from Equifax, Experian and TransUnion. You can request all three reports at once. Or you can monitor your credit by staggering requests -- say getting one report from Experian in January, another from TransUnion in May and one from Equifax in September.

• Avoid carrying too many credit cards or other ID.

If you've got a pocket-size birth certificate, keep it at home. Don't carry your checkbook on daily errands. Do not leave a car rental agreement in a rented car. Do not carry your Social Security card.

• Be aware that some crooks use cell phones to take pictures of card numbers.

• Pay attention to when certain bills arrive in the mail. Some crooks complete a change of address form so your mail is forwarded to another address where they have access and can buy more goods using your card.

And read every statement. You could find somebody trying to charge $1,000 in Christmas decorations to your bill. One man in the group said that's what happened when somebody got access to credit by stealing his personal information.

Identity Thieves Target Tax Refunds

noreply@blogger.com (Professional One Real Estate) — Wed, 12 Mar 2008 14:45:00 +0000

Scammers Snag Personal Information to File Bogus Returns;
Florida Girl Scout Troop Falls Victim to 'Hotmama983'

By Tom Herman
March 12, 2008; WSJ

Doing your taxes is painful enough. But it can be especially so when a scam artist files a phony tax return with your name, Social Security number and other personal information in an attempt to collect a refund.

Growing numbers of victims are complaining to the Internal Revenue Service and the Federal Trade Commission about this and similar scams, and one senior IRS official is urging the agency to do more to help victims.

Identity theft has become one of the "most serious problems" facing taxpayers, said IRS National Taxpayer Advocate Nina Olson in a report to Congress early this year. Among the major problems that can arise are delays or denial of refunds, the report said. Taxpayers could also face "the assessment of tax debts resulting from income" reported on the fraudulent return. Ms. Olson is scheduled to testify about the subject tomorrow at a hearing of a House Ways and Means subcommittee.

The Federal Trade Commission received 20,782 complaints on tax-related identity-theft issues in 2007, up from 15,442 in 2006 and 8,041 in 2003. But Ms. Olson of the IRS believes those numbers "significantly understate" the size of the problem and the number of taxpayers hurt by it because, she says, the agency doesn't have a comprehensive method of tracking the various types of identity-theft cases.

In one recent case in Pensacola, Fla., Holly M. Barnes, a former Girl Scout troop leader, was sentenced to 10 years in federal prison after pleading guilty to multiple counts of identity theft and filing "false and fictitious" claims for tax refunds, according to the U.S. attorney for the Northern District of Florida. Ms. Barnes created a bogus Girl Scout medical-release form to get sensitive information, including children's Social Security numbers, the U.S. Attorney's office said. She then used the information to prepare and file electronic federal income-tax returns using the screen names "Hotmama983" and "Freewoman74."

The phony refunds were transferred into five different bank accounts she controlled. She "filed false claims totaling more than $187,000, from which she obtained more than $87,000" from the government "as a result of fraudulently using the identity of these children, including her own children," according to the U.S. attorney's office. At the sentencing, the judge ordered her to pay $87,976.70 in restitution to the IRS. Ms. Barnes's lawyer, Thomas Keith, says the sentence is being appealed.

Separately, a Connecticut woman who prefers to remain anonymous was recently notified by a New York bank that her application for a refund anticipation loan had been rejected. "That blew my mind," she says -- because she hadn't applied for such a loan and hasn't yet even prepared her tax returns for 2007. She also recently received a letter from the New York state tax department questioning her 2007 return, which she hasn't yet filed. She notified her accountant and the IRS of the situation.

"It's horrible," she says. She has no idea how her identity was stolen -- but adds that "I now shred everything that comes to my house with my name on it" before throwing anything away.

In another recent case, the victim was a 53-year-old Michigan woman named Marie Mendoza. Early last month, Ms. Mendoza received a call from a representative of a nearby office of H&R Block Inc., the tax-preparation firm that had prepared her returns for the past decade or so. She says the Block representative asked her to bring back some paperwork she accidentally had taken with her two days earlier when she was there to file her return for 2007.

"I said, 'What, are you kidding?' " Ms. Mendoza says. She replied that she hadn't been to the Block office at all this year, hadn't filed her tax return for last year -- and isn't planning to use Block because she feels they charged too much last year.

Ms. Mendoza soon discovered that someone had filed a fraudulent return in her name. The thief had arranged to collect $4,005 through an instant loan and already has pocketed the money. "It was very upsetting," she says.

Ms. Mendoza says Block has assured her she will not be held responsible for the loan, but her woes are far from over. When she tried filing her tax return electronically, the IRS rejected it. That rejection was "very stressful," she says, because she needed that refund to pay her bills. Since then, she says, she has had to borrow money, mainly from friends. She recently filed her federal income-tax return on paper but doesn't know when she will get her refund. She has hired an attorney, Adam G. Taub, and Detroit TV station WXYZ reported on her story.

H&R Block says that it is "working closely with local authorities to assist them in their investigation" and will "continue to offer assistance to the taxpayer who was the apparent victim."

Refund fraud isn't the only type of tax-related identity theft. In other cases, the thief uses a stolen Social Security number to get a job in the U.S. In a typical case, that person's employer later files a Form W-2 reflecting the wages, and IRS data systems attribute those wages to the rightful owner of that Social Security number. Victims discover the problem after getting a startling notice from the IRS asking about unreported income.

IRS officials say they have taken steps to combat the problem. But the agency "has not done enough to improve identity theft procedures for victims of identity theft or to secure its filing system from fraudulent filers," Ms. Olson said in her report to Congress. IRS procedures "are reactive rather than proactive and assume taxpayers will have the wherewithal to contact the IRS and work their way through layers of employees until they reach someone with the authority to adjust the accounts," she said.

"Too often, victims of identity theft receive more scrutiny from the IRS than the perpetrators of identity theft," Ms. Olson said.

If you're stung by tax-related identity theft and are tied up in red tape, here's one suggestion: Contact the IRS's Taxpayer Advocate Service (www.irs.gov/advocate). That's the organization within the IRS, headed by Ms. Olson, designed to rescue people encountering "economic harm," people who already have tried resolving their tax problems through normal IRS channels or those who think an IRS system or procedure isn't working as it should. Each state and IRS campus has at least one local taxpayer advocate, who is "independent of the local IRS office and reports directly to the National Taxpayer Advocate," according to the IRS Web site.

"There is no sure way to prevent" getting hit by identity-theft criminals, says Brian Lapidus, chief operating officer of the fraud solutions division of Kroll Inc. But here are a few common-sense tips that may reduce your chances:

Beware of phony emails that appear to be from the IRS. "Phishing" scams can appear in many different forms and guises, but the basic purpose is to trick you into revealing personal and financial data, such as Social Security, bank-account or credit-card numbers. In a typical case, the email says you're entitled to a refund for a specific dollar amount. But first you have to click on a link in the email to get a special claim form, which asks you for personal information.

The IRS says it "does not send unsolicited email about tax account matters" to individuals, businesses, tax-exempt groups or others.

If you hire someone to do your taxes, be sure you know and trust that person well and have checked out his or her credentials carefully. You're handing over sensitive information that you don't want to fall into the wrong hands.

"Ask a trusted friend to introduce you" to an expert tax preparer, says Kroll's Mr. Lapidus. Or check with a certified public accountant, enrolled agent or tax lawyer.

In general, make every effort to protect the confidentiality of your key personal information, especially your Social Security number. Be careful to safeguard the privacy of sensitive personal data you store on your computer or your PDA. When choosing your password, don't use the word "password" or your birthday. And check your credit reports regularly to see if anything looks odd or suspicious.

If you do encounter tax-related identity theft problems, report them not only to the IRS but also to the FTC (www.ftc.gov).

Brochure has tips on identity theft

noreply@blogger.com (Professional One Real Estate) — Wed, 27 Feb 2008 16:32:00 +0000

BY SUSAN TOMPOR • FREE PRESS COLUMNIST • February 27, 2008

A handy brochure on how to stop identity theft is popping up in mailboxes nationwide, courtesy of the U.S. Postal Service and the Federal Trade Commission. And frankly, I'd hang on to this one.

"Identity theft is something that gives consumers a fair amount of anxiety -- and the best way to deal with anxiety is information," said Betsy Broder, assistant director for the FTC's division of privacy and identity protection in Washington, D.C.

This brochure is packed with Web sites, phone numbers and plenty of tips on how to "Deter-Detect-Defend" and fight identity theft.

The brochures are being sent to every household in the United States as a way to educate consumers about various scams and the ways to prevent identity theft.

Keep tabs on bills

Some helpful resources listed in the brochure:

• Get your free credit report each year at www.annualcreditreport.com or call 877-322-8228. The law requires major nationwide consumer reporting agencies -- Equifax, Experian and TransUnion -- to give a free copy of your credit report (not the credit score) each year if you ask for it.

You may have to navigate through ads for other services at the free site, but if you pay attention you do not have to buy other services.

If you're a baby boomer who is taking care of an older parent, help your parent get a copy of his or her credit report, too. There have been cases in which a caregiver has stolen personal information.

• To report ID theft, file a police report with local law enforcement. You also should report the theft to the trade commission. You can go online to www.ftc.gov/idtheft or call the FTC identity theft hotline at 877-438-4338. • Never click on links in spam e-mail, you know, e-mails that supposedly come from your bank, the Internal Revenue Service or your credit card company. You can see www. onguardonline.gov for more information.

"Your bank has your information. They don't need it from you," Broder told me by phone on Tuesday.

She suggests that consumers can minimize the damage if they scrutinize their bills each month, too.

You want to be able to spot if anyone has access to your bank account or credit cards.

Other big red flags: Bills that do not arrive as expected; calls or letters about purchases that you did not make and statements for credit cards that you never opened.

"The longer it takes to discover it, the more difficult it is to resolve," Broder said.

Thieves tactics' subtle

Sometimes, consumers know if a credit card is stolen. Or they know if someone broke into the house.

Yet some crooks are getting sneaky. Some have walked into offices and lifted a credit card or two from several individuals. They leave the entire wallet or purse behind, so you may not even realize for a while that a credit card was stolen. You may only know you've been scammed once you go to a restaurant or store.

"In half of the cases, people don't know how their information was compromised," Broder said.

It's Hard to Hide From Your 'Friends'

noreply@blogger.com (Professional One Real Estate) — Wed, 30 Jan 2008 15:56:00 +0000

By VAUHINI VARA

January 30, 2008; Wall Street Journal

In November, users of social-networking site Facebook Inc. started seeing updates on what their friends had bought online. Last month, users of a Google Inc. news service began receiving lists of articles their friends and acquaintances had read online. And earlier this month, Sears Holdings Corp. let people type anyone's name, phone number and address on a Web site to learn about their Sears purchases.

All three examples have one thing in common: The companies allowed Web users to access personal information about other people they know -- sometimes without the knowledge of those people.

Online-privacy debates used to center on how Web sites share their users' information with the government, advertisers or complete strangers. But in recent months, a new question has emerged: How much should your friends and acquaintances really know about you?

Internet-privacy experts, and in some cases the users themselves, are demanding more controls on how information is shared with so-called friends. Web sites, in turn, are taking steps to make it easier for users to change their privacy settings and determine exactly which friends see what information.

The data-sharing issues grow as more companies take a page from popular social-networking sites like MySpace and Facebook that let their users create pages full of details like where they live and work, who they are dating, and what their weekend plans are. People can share that information with other people by adding them as "friends," a term usually taken to describe anyone they know. As that idea has caught on, Internet companies have taken it further. If people like sharing basic information, the thinking goes, they'll love sharing even more particulars -- like their shopping and reading habits.

"These companies think, 'Oh, neat, look what we can do,' but some consumers respond by saying, 'Wait, we didn't want you to do that,'" says Lillie Coney, associate director of the Washington D.C.-based Electronic Privacy Information Center.

No Easy Solution

For consumers, there is no silver bullet to solving these privacy issues because each Web site shares information differently. So right now the onus is on individuals to protect themselves by painstakingly visiting each site to change their settings.

Facebook in November introduced a marketing program called Beacon to keep their users on the site longer. In this feature, Overstock.com Inc., Fandango Inc. and dozens of other companies agreed to notify Facebook every time one of its users made a purchase on one of their sites. In turn, Facebook began notifying those users' friends of the purchases.

Rachel Hundley, a law student in Chapel Hill, N.C., experienced this firsthand. After the 24-year-old bought a dress and some shoes on online retailer Overstock, the online retailer notified Facebook of the purchase. Facebook in turn sent a message telling several of Ms. Hundley's friends about it. The next day, a friend commented on her "cute dress." Ms. Hundley says she was "disgusted" by the experience, saying she wanted more control over how her information was shared.

When she tried to fix the situation, she faced hurdles. She first checked a box on Facebook asking the site never to tell her friends about her Overstock purchases. But when she later looked over her privacy settings, she realized she also needed to check a separate box to keep the Web site from telling her friends about activities on other sites outside of Facebook.

Responding to criticism from Ms. Hundley and others, Facebook changed its privacy settings in December, making it easier to opt out of the program altogether. Still, because of the backlash, Overstock.com pulled out of the arrangement, although other retailers remain.

Jennifer King, a privacy researcher at the University of California at Berkeley, suggests several privacy-strengthening steps for people who use services like email, photo-sharing and social-networking sites that allow users to create lists of "friends." Ms. King recommends adding someone to your list of "friends" only if you really know them. She also advises considering how sharing a message, photo or personal detail online could later embarrass or harm you.

"Pretend you're sharing it with everyone at a party -- and that they're all holding video cameras," Ms. King says.

Here is a guide for some ways to take control of your information on some of these services:

On Facebook, start by clicking on the "privacy" link at the site's top right-hand corner. You can click on the links to "profile," "search" and so on to determine who can see your information. A surefire way to avoid showing information to strangers is to choose "only my friends." But if you want to hide details even from some friends, put them on what's known as a "limited profile," a bare-bones version of your profile.

To stop Facebook Beacon altogether -- as Ms. Hundley did -- click the link to the privacy page. Then click on "External Websites" and check the box labeled "Don't allow any Websites to send stories to my profile." ("Stories" are Facebook-speak for "updates about me.")

Tackling Privacy Concerns

Facebook plans to let users organize their friends into groups and choose exactly which information each group gets to see, says Chief Privacy Officer Chris Kelly. He says about 20% of Facebook users have tweaked their privacy settings in some way but declines to say what percentage has opted out of Beacon. "People have different tolerance levels, and the best way to address that is to give them more transparency about what's being shared and more control over what's being shared," he says.

News Corp.'s MySpace, like Facebook, notifies its users when one of their friends has a birthday, posts new photos or adds new information about themselves to their profiles -- though it doesn't tell users what their friends do on sites outside of MySpace, as Facebook does with Beacon. MySpace has its own privacy settings, which it details in the privacy page accessible via a link in the top right-hand corner of MySpace. The company declined to comment on privacy policies.

Review Privacy Settings

Beyond these companies, there are scores of other sites that allow users to share personal information, from photo-sharing sites like Hewlett-Packard Co.'s Snapfish to Amazon, which lets people share details with others about what they've been reading. Be sure to review your personal profile and read the sites' privacy policies.

Established Web companies like Google are also adding features to let people share their online activities with others. In December, Jonathan Rawle, a 28-year-old physics researcher in Didcot, England, logged onto Google Reader, a service that lets users keep track of new articles and blog posts and read them without leaving Google's service. The service also lets users "share" items with certain friends by clicking a button.

This time, Mr. Rawle saw a list of items that someone named Roger, who he didn't know, was sharing with him. Google had recently begun guessing who its Google Reader users' friends are, by tracking their habits in Google's instant-messaging service, Google Talk, and then automatically sharing items with those people. That meant if Mr. Rawle clicked the "share" button to send a news item to his real friends, Roger might see it, too. Mr. Rawle says he now refrains from sharing items altogether.

A Google spokesman says the company is considering adding more privacy controls, but for now, the only way to avoid sharing with a specific person is to delete that person from your address book in Google Talk. The company doesn't share the data with third-party companies.

At Sears, a spokeswoman says the purchase-tracking service -- which was available at ManageMyHome.com -- "was added to provide our customers with easy access to useful information about products they have purchased from Sears." Sears took down the feature, she says, after the company received privacy complaints.

How to Protect Your Private Information

noreply@blogger.com (Professional One Real Estate) — Fri, 18 Jan 2008 19:22:00 +0000

Your life is an open book online. It doesn't have to be.

January 29, 2007; WSJ
By MICHAEL TOTTY

"On the Internet," as a New Yorker cartoon famously observed, "no one knows you're a dog." Thanks to the ease of finding personal information online, that may be the only thing about you they don't know.

Indeed, for anyone who knows where to look, your address, phone number, birth date and more are only a few clicks away. Dedicated searchers can easily turn up property records, unlisted or cellphone numbers, and even more sensitive information such as Social Security, credit-card and bank-account numbers. In Broward County, Fla., a simple search through pet licenses can in fact tell whether you're a dog -- or at least whether you have one.

It's enough to make anyone feel...exposed. Do we really want our friends, our neighbors, our colleagues -- or any stranger, for that matter -- knowing so much about us? Do we want them to know even the small stuff: where we've lived, how much we paid for our house, how old we are, how they can reach us?

For many of us, the answer is no.

The semi-good news is that our lives don't have to be quite such an easily opened book. Privacy advocates and professional investigators say people can shield at least some personal information from online snoops.

"There are things individuals can do," says Charles Wood, an information-security consultant in Sausalito, Calif. "You're going to have to work on it, it's going to take some time, and we're going to have to wait for better laws. This isn't something they need to throw their arms up about."

The semi-not-so-good news is that it may not be possible to erase completely your online traces. Many details are contained in public records, like voter lists, property records and court filings that increasingly are being placed online. Trying to keep these records private could take more time or money than many people are willing to spend.

To make sure that these documents can't be used by identity thieves or stalkers, privacy advocates are promoting legislation requiring states to remove or block out especially sensitive facts, such as Social Security or bank-account numbers that might end up in bankruptcy filings, property deeds and other public documents. For instance, after it was discovered that Florida counties had put documents online containing Social Security numbers, including that of Gov. Jeb Bush, the state adopted a law requiring counties to remove those numbers before posting documents online.

But such laws may be slow in coming, if they come at all. And they go after only a small portion of our online tracks. What follows is a guide based on recommendations from privacy advocates, investigators and others for taking control of one's online information.

KNOW THYSELF

People vary in how sensitive they are about others being able to see their personal information. Just as businesses should assess their actual risks before spending time and money on security measures, individuals need to do the same before beginning to clean up their online identity.

Some people may not care if some of the personal details of their lives are online, or they figure there aren't enough details available to worry about. For others, the risk of identity theft or the desire to limit email spam and other marketing pitches are enough reason to make some effort to get a handle on their online information. Then there are those people, such as high-profile executives or celebrities, as well as victims of domestic violence and stalkers, who may want to take stronger measures to shield their private details from online snoops.

People "really need to be clear about what they want to achieve, and the rest will be a function of that," says Mr. Wood, the security consultant.

KNOW WHAT'S OUT THERE

Privacy advocates advise those worried about identity theft to monitor their credit reports regularly. The same is true about one's online identity.

Beth Givens, the director of Privacy Rights Clearinghouse, a San Diego-based advocacy group, says most of the consumer complaints her group receives come from people who have suddenly found details about themselves during a routine online search. "People are just really shocked that anyone can sit down at a computer" and find personal information, Ms. Givens says.

Indeed, an "ego search" for one's own name on any of the popular search engines can be an eye-popping experience for most people, turning up newspaper articles, postings to Internet discussion groups, professional licenses or a passing mention in a friend's blog.

Of course, any simple search will turn up a lot of other people with the same names, especially for those with common names. Given how widespread it has become to "Google" prospective dates, the parents of children's playmates or new neighbors, it's just as worthwhile to uncover such cases of mistaken identity.

For instance, a recent Google search for my own name, "Michael Totty," mostly returned the kind of results expected for a journalist -- reprints of published articles.

But it also contained an Amazon.com profile and "wish list," which I had created for people who know me, not for the world to see. And it turned up the owner of a private airport in northern Arkansas, an English worker who was seriously injured during the construction of the Channel Tunnel and an appeals-court ruling from Tennessee concerning the case of a Michael David Totty who was convicted of theft and burglary. Will people who look me up, I wonder, think I am the Michael Totty convicted of theft? Sometimes, a mistaken identity can be as problematic as a stolen identity.

But a basic search is only a start. The Web features dozens of sites where you can hunt for personal information about people -- from addresses and phone numbers to a full background check that covers criminal and sex-offender records, bankruptcies, liens, and relatives and associates. Most of these "people search" sites charge fees for a detailed background check, but a surprising amount of personal information can be uncovered at no charge.

One of the most widely used is two-year-old ZabaSearch, a free, advertising-supported site from Zaba Inc. Type a name into its simple Google-like search box, narrow the search by state, and the site comes back with a list of names and addresses -- and in many cases phone numbers and year of birth. The site also contains paid links to services that provide more-detailed background searches for a fee.

For instance, an all-state query for "Michael Totty" turned up 50 listings, including my current and previous two addresses and phone numbers and the correct birth year. Some of the listings weren't about me, but the site found quite a bit of personal information about me that was accurate.

The spread of blogs and social-networking sites such as MySpace.com provides a treasure trove of information for snoops, and a nightmare for the privacy-conscious. Cynthia Hetherington, managing director of the corporate strategic intelligence unit of Aon Corp.'s consulting practice, advises high-profile executives on managing their online identities. She tells of a job candidate for a Wall Street investment group who was rejected after recruiters discovered comments on his wife's blog about allegations of sexual harassment at his previous employer.

COVER YOUR TRACKS

It is possible to clean up many of these online traces, but it can be a difficult and time-consuming task. And, privacy experts warn, there's no assurance that everything will be removed.

Many sites make it possible to have one's name removed from their search results, though it usually isn't easy. Intelius Inc., Bellevue, Wash., will let anyone "opt out" of the company's online people-search results by mailing or faxing a letter with the person's name and address as it appears on the site. But Intelius cautions that the request doesn't remove the person's information from its public-records database, so the person's information might reappear when Intelius refreshes its listing with new records -- requiring another request for removal.

"If you're going to ask us to suppress this information, we have to make sure you're who you say you are," says Ed Petersen, Intelius's executive vice president of sales and marketing. To that end, Intelius requires anyone requesting removal to verify his or her identity -- for instance, by faxing a copy (with the photo blacked out) of a driver's license or other government identification.

US Search, a unit of First Advantage Corp. in St. Petersburg, Fla., says on its Web site it will make "good faith efforts" to remove personal information when requested, but requires that you mail a signed letter complete with full name, email and mailing address, Social Security number and other personal details. (The Privacy Rights Clearinghouse Web site contains a comprehensive list of data brokers and their opt-out policies.)

While repeatedly removing your name from these sites can become tedious -- after all, it may involve dozens of sites -- it eventually will pay off. "This is a short-term fix, but when monitored every few months becomes effective in keeping your name out of their search engines," says Ms. Hetherington. "Getting to this point is a big win for the [person] who wishes to preserve a little privacy and avoid old college chums they'd sooner forget."

At least one service has sprung up to assist people who want to remove their names from these people-finder sites. MyPublicInfo Inc. in May began offering its IdentitySweep service, which for $4.95 a month will comb about 50 different directory sites for personal information. At the consumer's request, the Arlington, Va., company will then fill out all the required opt-out forms and will monitor the sites to make sure the information stays removed.

Chris Mueller, a marketing consultant in Northern California, signed up for the IdentitySweep service because she was worried about identity theft. Since starting the service this spring, she has used it to remove her name from a handful of online directories. "It's one of those 'sleep a little better at night' things," Ms. Mueller says.

In some cases, it pays to go directly to sites to ask that they remove personal or otherwise embarrassing information. One of Ms. Hetherington's clients, a rising investment banker who previously had been a beauty-pageant winner, found her swimsuit-competition photos in a Google search. The client sent several requests to the Web site that hosted the photos, asking to have them removed. She succeeded only after promising the site's Webmaster an autographed picture -- in an evening gown.

Removing personal information from public records can be more difficult, but states are becoming more cognizant of the easy availability of sensitive information in electronic documents. In Florida, where counties have been required for years to make official records available online, people can request to have sensitive details blacked out in posted documents. This system was in place before the law requiring counties to remove the details took effect.

GUARD YOUR INFORMATION

Most privacy advocates say the best way to shield your online identity is to avoid giving out personal information in the first place.

"Once it's out, it's impossible to rein in," says Chris Hoofnagle, senior fellow at the University of California's Berkeley Center for Law and Technology. "It can be recontextualized and used for purposes not anticipated by the individual."

This can be as simple as not signing up for supermarket loyalty cards, mailing in those ubiquitous warranty cards that come with new purchases (the information is frequently sold to marketers and ends up in online databases) or entering sweepstakes. Be especially careful about disclosing personal information in discussion groups, chat rooms or blogs. Limit exposure to spammers by not including your email address on Web sites. If you do include it, try to present it as a button or some other graphical element -- regular text can be read by automated programs ("bots") that scour the Internet looking for information.

Getting an unlisted phone number can partly shield it from prying eyes, but not completely. Unlisted numbers can still end up in online databases because marketers and investigative firms can buy unlisted numbers from outfits such as toll-free services and pizza-delivery companies. Mr. Hoofnagle also recommends that privacy-conscious consumers request that wireless and land-line phone companies not resell their calling information.

Protecting Social Security numbers is probably most important, since identity thieves can use the data to get credit under victims' names. Privacy advocates advise job hunters not to include the numbers when posting résumés online.

Mr. Hoofnagle and other privacy advocates recommend that consumers give out the numbers only for tax, credit and unemployment purposes. "There are four things you should ask when someone asks for a Social Security number," says Diane Stubbs, a private investigator in Scottsdale, Ariz. "How will you use it, how will you protect it, is it really necessary for this transaction, and what if I don't give it to you?"

Since much information comes from such common sources as property records and utility-service requests, security consultants advise those who are really serious about protecting their privacy -- high-profile businesspeople or victims of stalking or domestic abuse -- to take more-aggressive measures.

For instance, many executives and celebrities set up special land trusts that enable them to buy property and start utility service anonymously. Although typically used to shield landlords and other property owners from litigation, Ms. Hetherington and others advise clients to use land and other trusts to keep names and addresses out of public databases.

START YESTERDAY

Unfortunately, all these efforts take time to bear fruit, while information already online remains available to anyone with time, a computer and an Internet connection.

"If someone wanted to limit this kind of information," says Ms. Stubbs, the private investigator, "they should have started years ago."

AT ISSUE: SMART PHONES

noreply@blogger.com (Professional One Real Estate) — Sun, 06 Jan 2008 14:17:00 +0000

Handheld devices are a security risk

Workers' remote wireless access to documents lets hackers grab data

January 6, 2008

By WAILIN WONG
CHICAGO TRIBUNE

Smart phones are poised to become the next major security challenge for businesses.

For now, a good rule of thumb for on-the-go workers is: "If you don't need to do it, don't do it," said Aaron Cohen, chief executive of the Hacker Academy, a Chicago-based firm that provides security training for companies and government agencies. Cohen warned against idly checking e-mail or opening sensitive documents on a handheld device unless it's absolutely necessary.

Security experts say that, in general, business-oriented smart phones come from the manufacturer with decent built-in safeguards, such as encryption and firewalls.

But consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work.

In a Computing Technology Industry Association survey conducted this year of 1,070 small businesses in North America, 60% of firms said they've seen an increase in the past year in security issues related to the use of handheld computing devices.

Chris Nickerson, a Denver-based security specialist at Alternative Technology, said the concern for businesses is whether these phones "will cause so much of a risk that they will eventually ... just be banned from corporate environments."

Laptops, smart phones and PDAs give employees the ability to work from home or travel far from the office, all while transporting the information they need on their mobile devices. But the increasing ease of working remotely is creating a growing set of security concerns for companies.

Workers on the go "still want access to the same data applications that they have if they're sitting at their desk in their office," said Steven Ostrowski, spokesman for the Computing Technology Industry Association. "Mobility is a great thing ..." but "every one of those individuals that's accessing the network remotely is a security risk."

So far, there haven't been any high-profile epidemics of mobile viruses like the "I love you" worm for PCs that spread rapidly around the world in 2000. But developers have demonstrated the destructive potential of such worms.

The "Cabir" virus, which first appeared in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as "Commwarrior.A," replicated itself by sending a picture or text message to people in the infected device's contacts list.

Theft is a bigger issue now.

Nickerson said he walked through an airport carrying a suitcase that contained a device that sucked up hundreds of megabytes of contact information and other personal data through unprotected Bluetooth connections.

Nickerson has used the same machine in the offices of his corporate clients. The gadget searches for Bluetooth devices for which users haven't changed the manufacturer-provided default passwords. The machine enters the default password and accesses information through the open Bluetooth connection.

"You'll be amazed," said Nickerson, who is featured in a cable TV program that follows his team as it infiltrates corporate security systems. "You'll look at this hard drive when you're done, and you'll see everything from pictures of people's families to user names and passwords and financial data."

Someone using a company laptop to send data from a nonsecure Wi-Fi hotspot could unwittingly have that information monitored. Neglecting to set new passwords on phones and other devices leaves them vulnerable. Companies also face the headache of theft or misplacement of phones, external hard drives and pen-size flash drives.

While hacking once was about bragging rights or cyber vandalism, security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks grows in volume and value.

Terry Kurzynski, CEO at Chicago-based Halock Security Labs, said a stolen credit card with an accompanying security code can fetch at least $9, compared with $1.50 for just the number and its expiration date.

Ostrowski, of the CompTIA, said a greater emphasis on training will help companies communicate to their employees that there's a trade-off between convenience and security risks.

"Security has to come out of the IT department," Ostrowski said. "It can't be relegated to the geeks anymore. It has to be part of the corporate culture."

Passport Technology Draws Security, Privacy Concerns

noreply@blogger.com (Professional One Real Estate) — Sat, 05 Jan 2008 15:14:00 +0000

ASSOCIATED PRESS
January 2, 2008

WASHINGTON -- Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance.

The technology was approved Monday by the State Department, and privacy advocates were quick to criticize the department for not doing more to protect information on the card, which can be used by U.S. citizens instead of a passport when traveling to other countries in the Western Hemisphere.

The technology would allow the cards to be read from up to 20 feet away. This process only takes one or two seconds, said Ann Barrett, deputy assistant secretary for passport services at the State Department. The card wouldn't have to be physically swiped through a reader, as is the current process with passports.

The technology is "inherently insecure and poses threats to personal privacy, including identity theft," Ari Schwartz, of the Center for Democracy and Technology, said in a statement. Mr. Schwartz said this specific technology, called "vicinity read," is better suited for tracking inventory, not people.

The State Department said privacy protections will be built into the card. The chip on the card won't contain biographical information, Ms. Barrett said.

The card vendor -- which has yet to be decided -- will also provide sleeves for the cards that will prevent them from being read from afar, she said.

A 2004 law to strengthen border security called for a passport card that frequent border crossers could use that would be smaller and more convenient than the traditional passport. Currently, officials must swipe travelers' passports through an electronic reader at entry points.

Data Security Breaches Reach a Record in 2007

noreply@blogger.com (Professional One Real Estate) — Mon, 31 Dec 2007 13:30:00 +0000

ASSOCIATED PRESS
December 31, 2007

The loss or theft of personal data such as credit-card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to reverse anytime soon, as hackers stay a step ahead of security and laptops disappear with sensitive information.

And while companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment is often too little, too late.

"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity-theft victim herself.

A growing number of states require businesses and institutions to publicly disclose data losses. Thirty-seven states and Washington, D.C., now have such requirements.

Ms. Foley's group lists more than 79 million records that were reported compromised in the U.S. alone through Dec. 18 -- almost four times the nearly 20 million records reported in all of 2006.

Another group, Attrition.org, estimates that more than 162 million records were compromised through Dec. 21 -- both in the U.S. and overseas. Attrition reported 49 million last year.

"It's just the nature of business, that moving forward, more companies are going to have more records, so there will be more records compromised each year," said Attrition's Brian Martin. "I imagine the total records compromised will steadily climb."

The biggest difference between the two groups' record-loss counts relates to the breach at TJX Cos. Attrition.org estimates that 94 million records were exposed in the theft of credit-card data at TJX, the owner of discount stores including T.J. Maxx and Marshalls.

The Identity Theft Resource Center counts about 46 million -- the number of records that TJX acknowledged in March were potentially compromised. Attrition's figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit that banks filed against TJX.

On each list, though, the TJX breach represents more than half the total records reported lost this year.

The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami -- an entry point that led the hackers to eventually break into TJX's central databases.

TJX has said that before the breach, which was revealed in January, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."

With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information-security professionals.

"Within a year or two, these folks are catching up," Mr. Tumas said.

The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lose sensitive data, as opposed to cases of hacking.

In addition to the theft at TJX, major 2007 breaches include lost data disks with bank account numbers in Britain, a hacker attack of a U.S.-based online broker's database and a con that spilled résumé contact information from a U.S. online jobs site.

"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Ms. Foley said. "This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system."

Attrition.org and the Identity Theft Resource Center have been keeping track of data breaches for only a handful of years, with varied and still-evolving methods of learning about breaches and estimating how many people were affected.

Despite those challenges, the two nonprofits say it is clear 2007 will end up a record year for the amount of information compromised, because of greater data loss and increased reporting of breaches.

The two groups acknowledge that many breaches may be missing from their lists, because they largely count incidents reported in news outlets that they consider credible. Media coverage has risen in part because of the growing amount of legislation.

Lessons Learned

noreply@blogger.com (Professional One Real Estate) — Wed, 12 Dec 2007 16:30:00 +0000

A hacking spree demonstrates how not to become a victim

By BEN WORTHEN
December 11, 2007; Page R4

Michael and Ruth Haephrati were successful hackers, stealing company secrets from dozens of businesses in Israel before they were finally arrested in London in May 2005 and later pleaded guilty to industrial espionage.

Their story serves as a window into the targeted, sophisticated attacks that are becoming more prevalent and the defenses that companies can put in place.

The following reconstruction of the Haephratis' hacking spree is based on court documents. David Cole, director of security response at Symantec Corp., a computer-security company based in Cupertino, Calif., offers tips on how to protect your company from hackers like these, from preventing an attack to recognizing a breach of security to limiting the damage.

The Pitch

Mr. Haephrati, an Israeli citizen living in London, wrote a Trojan horse, a type of software that sends information from the computer system it infects back to the hacker who placed it there. The Haephratis and several private investigators they worked with embedded the software in emails or on computer discs sent to companies they were hired to spy on. Messages in the emails and accompanying the discs invited the recipients to open what appeared to be a business proposal from a company the victims would trust. Mr. Haephrati or his associates would follow up with phone calls to make sure the victims opened the proposals; when they did, the Trojan horse was loaded onto their system.

An attack like this is designed to defeat the conventional advice that many companies give employees: Don't open attachments or click on links sent by strangers or reply to requests for sensitive information. But companies can help protect themselves against more-sophisticated pitches like this, Mr. Cole says, by training employees to recognize the signs that malicious software has been planted on a computer. The company can then use its security software to conduct a scan of its system so that it can find the invasive program and remove it.

For instance, Mr. Cole says, employees should watch for unusual behavior by their computers when they open an attachment, like error messages, applications crashing or windows quickly appearing and then disappearing -- anything that doesn't normally happen when an attachment is opened. A slowing of the system is another warning sign.

Finding the Bug

Once the Haephratis' Trojan was installed, it scoured the computer for sensitive information like passwords, emails and files. It wasn't detected by the victims' security software, because those programs could only recognize known threats.

Today, more-sophisticated security software is available. It doesn't just spot previously known Trojans and viruses. It's able to detect programs that are similar in some way to past attacks -- perhaps bits of their code are the same, for instance. Businesses can help protect their systems by making sure their security software is up-to-date, says Mr. Cole.

The leading makers of security software include Symantec, McAfee Inc. and Trend Micro Inc. Businesses can buy the latest basic antivirus software with support from Symantec for just over $33,000 for 1,000 people. Prices go up from there.

Blocking the Flow

In addition to finding files, Mr. Haephrati's Trojan took screenshots of the victims' computers at regular intervals. All of this information was sent back to nine servers, the back-office computers that store and process data, operated by the Haephratis and their cohorts.

Even if a business's security software has failed to detect a break-in, a so-called intrusion-prevention system can limit the harm. This type of system, which consists of both hardware and software, can detect unusual traffic on a computer system, in this case files being shipped to an unfamiliar server.

It can also prevent infections from entering the system. For example, it can stop a Web site from delivering code that looks different from normal Web traffic to a company computer. One way a hacker can plant malicious software is by directing victims to a Web site that transmits the software to their computers.

Cisco Systems Inc., Juniper Networks Inc. and International Business Machines Corp. all sell intrusion-prevention systems. Depending on the size of the business buying the system, it can cost in the millions and take a year or two to fully deploy.

Beyond the Firewall

noreply@blogger.com (Professional One Real Estate) — Wed, 12 Dec 2007 16:27:00 +0000

As a new breed of professional hacker emerges,
companies are finding new tools to protect their networks

By BEN WORTHEN
December 11, 2007; WSJ

Breaches of corporate computer security have reached epidemic proportions. So far this year, more than 270 organizations have lost sensitive information like customer credit-card or employee Social Security numbers -- and those are just the ones that have disclosed such incidents publicly.

While lost laptops and misplaced or misdirected files are partly to blame, many breaches have a more sinister culprit: the professional hacker.

There's a thriving black market for the kind of information companies keep about their customers and employees. Hackers can sell a credit-card number for up to $5 or a Social Security number for up to $7, and a bank-account number can be worth as much as $400, according to Symantec Corp., a provider of computer-security software based in Cupertino, Calif. This has led to an increase in the number of hackers and to more-sophisticated attacks.

The new breed of hacker has a bag full of tricks to get around the technology that companies historically have relied on to keep them safe, so-called firewalls that act like a fence around the company network. Security today requires a new generation of tools designed to keep a company's data safe even if a hacker has gained access to the network.

Unfortunately, there's no silver bullet. "No one technology can address all your security needs," says Andy Spiers, information-security officer for National Life Group, a financial-services company based in Montpelier, Vt. Security now requires companies to think like a hacker, and find a way to counter each kind of attack. While there's no way to make a company 100% secure, "you can make it difficult enough for hackers to say 'It is not worth my time,' " says Mr. Spiers.

Here's a look at some of the challenges companies are facing and how they're responding.

Email Scams

Most people know not to respond to an email asking for their ATM password or to open attached pictures of Angelina Jolie; many of these scams get caught by email filters before they reach their targets anyway. But hackers have responded to improved filtering software and a savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person or group of people.

Fred Danback, chief information officer and managing principal at New York-based Integro Insurance Brokers, nearly fell for one of these targeted attacks recently when he was trying to sell tickets to the Broadway show "Wicked" on eBay from his home computer. Someone sent him an email asking if his tickets were the same ones the emailer had seen listed elsewhere on the site. The emailer provided a link, and Mr. Danback clicked on it.

The Web page asked him for his eBay username and password, which Mr. Danback entered before he noticed the site was a fake -- it didn't have the little lock icon in the corner that indicates a legitimate site. He didn't hit the "Enter" key, so the scam was foiled.

Mr. Danback presumes that the hacker who sent the email was planning to use the requested information to steal his credit-card number and other information from his eBay profile. But the link just as easily could have been used to install malware -- computer code that a hacker plants on someone's machine to do things like steal passwords, release a virus or give the hacker control of the computer. And such emails are being sent to people at work, not just on their home computers.

Even though Integro trains employees to spot emails that might be from hackers, Mr. Danback knows how easy it would be for one of these scams to work. That's why he uses antivirus and antimalware software from four different providers to protect his company: Software from Sophos PLC of Abingdon, England, and from Sybari Software Inc., a unit of Redmond, Wash.-based Microsoft Corp., monitors email traffic, while software from Symantec protects the company's workstations from attack and software from McAfee Inc., Santa Clara, Calif., does the same for the company's servers, the back-office computers at the heart of the system. This way, if a virus or some other code written by a hacker gets by one company's product, it will get caught by another, says Mr. Danback.

Key Loggers

One common form of malware is a key logger, which captures the usernames and passwords that an unsuspecting computer user types, and then sends these to a hacker. The hacker then uses these credentials to log into and pilfer a company's database.

Doug True, senior vice president in charge of technology at Forum Credit Union, Fishers, Ind., installed software from BioPassword Inc., of Issaquah, Wash., on the credit union's network in order to prevent a hacker from using a key logger to steal his company's information. The BioPassword software records each employee's typing rhythm and uses that as an extra means of authentication. So even if someone logs into a system with the right username and password, if he types them too fast or too slow the system will deny access.

Forum is also using BioPassword's software on its online banking site, which 60,000 of its customers use. Forum doesn't have any control over what its customers do or don't do with their computers. But Mr. True knows that if someone's account is broken into over the Internet -- no matter whose fault it is -- that customer could blame the credit union. With the BioPassword protection in place, even if someone's online banking information falls into the wrong hands, the bad guys probably won't be able to access the account, because they're unlikely to be able to mimic the typing rhythm of the person they stole the information from.

Patrolling the Network

Lloyd Hession, the New York-based chief security officer for London-based BT Group PLC's global financial-services unit, compares a corporate network protected by a firewall to a hotel: Once someone gets through the front door, he can go anywhere he wants. One way to counter that threat is to limit people's ability to move around the network.

Mr. Hession uses hardware and software from ConSentry Networks Inc., Milpitas, Calif., that allows him to impose tight controls over where on his network each person can go. Someone who tries to access a part of the network he isn't authorized to will be turned away, even if he has a valid login. So a hacker who has stolen an employee's login won't be able to roam freely around the system.

The system also tracks where a computer is accessing the network from, and will block someone from accessing information from an unapproved location. For instance, someone from the human-resources department could access employee information from his office, but not from another location in the building -- a conference room, say, or from outside the building. So if his computer was stolen, the thief would be denied access.

The ConSentry system also helps protect BT Group against a hacker who has taken over someone's computer. Most people use the network in a predictable way, accessing the same few systems over and over again. A hacker, on the other hand, needs to discover where the most valuable information is kept, and is likely to snoop around the network trying to find it. Mr. Hession says the ConSentry system can detect when someone is behaving in a suspicious manner, similar to the way a good security guard can tell when someone is casing a building.

Policing the Police

ConSentry's system also helps protect a company's computer system against dishonest employees. Other products offer similar protection in different ways. Ed Lipson, a vice president at Bank of New York Mellon Corp., worries that one of the bank's 65 database administrators -- the people hired to keep the bank's computer systems up and running -- or other employees might try to sneak information out about customers and their accounts.

Mr. Lipson uses software from New York-based Application Security Inc. that monitors who accesses each database and can tell if they make any changes to it. If there is suspicious activity -- someone trying to access information that he or she shouldn't, or repeated failed login attempts that suggest someone is fishing for the right combination of keystrokes -- the software notifies the database's designated security manager. The software also sends an alert if someone makes an unauthorized change to a system.

The Application Security software also helps find databases that the information-technology department isn't aware of, maybe something created by someone outside the IT department or by an employee who has since left the company. Such databases might not have the proper security measures in place, Mr. Lipson says, and could be easy prey for a hacker -- or someone on his staff.

"I know all these guys," Mr. Lipson says. "It would be very surprising to see one of them steal the information. But it happens."

ID Theft and Data Breach Costs Soar

noreply@blogger.com (Professional One Real Estate) — Wed, 05 Dec 2007 18:45:00 +0000

November 29, 2007, WSJ

By Ben Worthen

Two new studies on data breaches and identity theft send a clear message: The number of these incidents is rising, and so are the costs – both to the victims and the companies who suffer the breach.

The Federal Trade Commission, the government agency that’s nominally in charge of identity-theft issues, found that 8.3 million American adults – about 3.7% of the adult population – were victims of identity theft in 2005. (The findings are based on a survey of close to 5,000 adults taken between March and June 2006. We have no idea why the results weren’t released until now.) The most common incidents involved fraudulent use of a credit or debit card. Most of these incidents were detected quickly and resolved with little cost to the victim. However, 17% of identity-theft victims said that thieves opened new accounts with their information, and that these incidents were harder to resolve. More than 75% of these victims had trouble getting loans, had their utilities cut off, were investigated by law enforcement or suffered similar disruptions.

While the cost in dollars to individual victims may be negligible, the cost of a data breach to companies is rising. The Ponemon Institute, a privacy think tank, studied the costs incurred by 35 organizations that experienced data breaches in 2007 and found that on average, the companies spent $197 per record lost, up from $182 last year and $138 in 2005. (Registration required to read the report.) That brought the average cost per breach to $6.3 million for these companies.

Forty-nine percent of the breaches involved a lost laptop or other device, in 9% of the incidents an outsider broke into the company, and 9% were caused by a malicious insider who willfully stole the data. This partly explains why investigating the cause of the data breaches only made up 6% of the cost incurred. Conversely, 56% of the cost came from a drop in business that could be tied to the breach. The companies studied reported a 2.7% customer churn rate as a result of their breach.

The average cost per record lost was $239 for financial services companies compared to $145 for retailers, suggesting that customers hold companies to whom they entrust their personal information to a higher standard.

Assessing Identity-Theft Costs

noreply@blogger.com (Professional One Real Estate) — Wed, 05 Dec 2007 18:43:00 +0000

Scam Victims Lose
Billions of Dollars;
Progress Questioned

By CHRISTOPHER CONKEY
November 28, 2007; WSJ

WASHINGTON -- Identity thieves continue to victimize millions of people each year and cause billions of dollars in losses, a new government survey suggests, but it is unclear whether the problem is getting better or worse.

Some 8.3 million people, or 3.7% of the adult population, were victims of identity theft in 2005, according to a consumer survey released yesterday by the Federal Trade Commission. The typical loss was $500, but 10% of consumers said criminals obtained $6,000 or more. Overall, fraudsters caused $15.6 billion in identity theft-related losses in 2005.

The report indicates that identity theft, which ranges from standard credit-card fraud to bank-account takeovers and new accounts created fraudulently, remains a major threat in the digital age. Indeed, the FTC gets 5,400 identity theft complaints each week from consumers, far more than other scams.

But the FTC report also has significant limitations, and leaves several important questions unanswered. Among them: Are these crimes still growing or are preventive efforts reducing their impact? How much does identity fraud cost businesses each year?

Identity theft has often been referred to as the country's "fastest-growing" crime since the FTC released its first consumer survey in 2003. But there is actually a rancorous debate among security experts as to whether it is growing at all, given the heightened awareness of consumers and the extensive resources businesses are taking to prevent it.

Some studies have even suggested the incidence of identity theft has fallen in recent years, but many experts have been waiting for the FTC to weigh in on the matter with its new survey.

Aware of its impact, the FTC delayed releasing the results of its report -- which shows a slight decrease in the prevalence and cost of identity theft -- after a similar survey conducted by the same sampling firm in 2006 showed a drastic increase.

In the latest report, the FTC said a change in methodology renders comparisons with its 2003 study useless. Avivah Litan, a fraud specialist at research firm Gartner Inc. who hashed out the issue with FTC officials, calls the FTC's numbers "unreliable."

Betsy Broder, assistant director of the FTC's division of privacy and identity protection says in the future her agency plans to gauge identity theft trends by relying on a Department of Justice survey that samples a much larger group of households.

Beyond the question of whether the crime is growing, consumer surveys can only capture a small slice of identity-theft crimes since businesses bear most of the losses incurred. Some variants such as synthetic identity fraud, in which fraudsters mix real and fake data together to open new accounts, can be impossible for consumers to detect.

Yet lenders, merchants and many other businesses are secretive about their fraud losses, making it difficult to measure the full extent of the problem or track its evolution. Some consumer advocates are pushing banks to be more transparent. "Information could be used by policymakers, companies making investment decisions and consumers," said Ed Mierzwinski of the U.S. Public Interest Research Group, a consumer-advocacy organization. "We'd be able to rank companies on their quality of information protection," the PIRG official said.

Some lawmakers yesterday seized on the report to emphasize the need for enhanced consumer protections and data-security requirements. The Senate passed a bill beefing up law-enforcement powers earlier this month, but prospects in the House are uncertain. Broader bills are bogged down among jurisdictional spats and debate among consumer and industry lobbyists.

Identity Theft Targets Children

noreply@blogger.com (Professional One Real Estate) — Wed, 05 Dec 2007 18:40:00 +0000

By JILIAN MINCER
November 21, 2007; WSJ

NEW YORK -- While only a small percentage of identity-theft victims are children, the number is growing, and the impact on the victim's credit, confidence and relationships could be devastating.

The crime can go undetected for years and is most commonly committed by a family member, according to a report released this week by the Identity Theft Resource Center, a San Diego nonprofit organization.

Fortunately, simple precautions, such as keeping your child's Social Security number secret, can prevent some of the abuse. For instance, you can check your children's credit reports at credit bureaus to nip identity theft in the bud.

The Federal Trade Commission estimates that 5% of identity-theft cases involve minors. Other groups believe the number is closer to 10%, but no one knows for sure because the crime often goes unreported or takes decades to discover.

That is because most people don't realize that someone has been illegally using their identity or Social Security number until they apply for their first job, a driver's license, a student loan or a mortgage. They can also be denied phone service or federally provided services. Sometimes victims find out at a younger age if a bill collector tracks them down for an account that the child never opened. Some are even blamed for an act they never committed.

"Parents don't often check their children's credit history because they don't think they have one," says Rachel Kim, an associate analyst at Javelin Strategy & Research, a financial-services and payments research firm in Pleasanton, Calif.

Linda Foley, founder of the Identity Theft Resource Center, says there are two types of child identity theft: one when the child is younger than 18 years of age, and the other when they are older than 18.

"It's easy," she says, "to prove that a 5-year-old didn't sign anything in crayon." It is a little harder to rectify when the person already is an adult.

The Identity Theft Resource Center report found that more than half the child identity-theft victims surveyed first became victims between birth and age five. Most of the cases occurred when a person, often a family member, used the child's Social Security number for work and credit.

The research also found that 69% of the victims said the thief was one or both of their parents or a step-parent. Ms. Foley says that in some cases, immigrants who don't have a Social Security number use their children's identity.

Some people, she says, also use the number to create a new identity, especially if they have ruined their credit or owe money. They get away with it because credit issuers typically don't need to verify the applicant's age. Additionally, the credit-reporting agencies don't necessary know the age of the applicant.

"In some cases, the parents don't understand that they're causing any harm," says Ms. Foley. "They say: 'We'll pay off the bills before they reach 18.' "

She adds: "But we've seen fathers and mothers use a child's Social Security number when applying for a job to avoid paying child support."

Pam Dixon, executive director of the World Privacy Forum, a San Diego research group that focuses on privacy issues, says thieves also use children's birth certificates and Social Security numbers to purchase prescriptions.

The victims must eventually contact the three credit-reporting agencies, law enforcement and credit issuers to clear their records.

Unfortunately, because the perpetrator is often a family member, law enforcement frequently doesn't want to get involved, and children often don't want to prosecute their relatives.

Tips for a Scam-Free Holiday

noreply@blogger.com (Professional One Real Estate) — Wed, 05 Dec 2007 16:07:00 +0000

By JOSEPH DE AVILA
December 5, 2007 WSJ

Online shopping is an easy way to shop for sales and avoid crowds at the mall. It is also an easy way to get ripped off.

And because online shopping spikes during the holiday season, scammers enjoy a larger pool of potential victims. "They see it as an opportunity to defraud consumers," says Ron Teixeira, executive director of the National Cyber Security Alliance, a nonprofit group that educates consumers and businesses.

Online-security experts say consumers should stay alert on auction and classified-ad sites, where a lot of the fraudulent activity takes place. And phishing activity -- say, bogus email from charities that is used to fish for consumers' financial information -- tends to increase during the holiday season.

The Internet Crime Complaint Center, a partnership of the Federal Bureau of Investigation and the nonprofit National White Collar Crime Center, tracked $198.4 million in losses due to Internet fraud last year. That was up from $183.1 million in 2005. Under federal law, credit-card customers are liable for only $50 for unauthorized charges and some issuers don't even charge the $50. But the customer first has to notice the bogus charge and report it to the card issuer.

By conducting a little research and using a few basic tools, you can limit your vulnerability to scams and fake e-commerce sites. Free software can alert you when you are at a fraudulent Web site, like one used for phishing. And financial institutions offer temporary account numbers so you don't have to fork over useful financial information to online merchants.

Here are a few ways to shop safely:

• Update your security software

The first thing you need to do before you even begin shopping is protect your computer. That means getting updated versions of a firewall and antivirus and antispyware software, Mr. Teixeira says. Many computers come with such software preloaded. But if the user doesn't pay roughly $50 to $150 when the trial period is up, often after 90 days, the software expires.

Only 22% of Internet users say they have the core protection recommended by Mr. Teixeira, according to a study released in October by the security alliance and online-security company McAfee Inc. The most common reason users didn't have the protection was because they failed to keep their security software up to date, he says.

If you're online, click on the periodic update alerts that flash on your screen.

• Determine if the store is legit

Before buying from a company you've never heard of, find out as much as you can about it.

Look for the business's physical address, a telephone number and an email address in case you need to contact the company if something goes wrong, says Steve Salter, vice president of the Better Business Bureau's BBBOnLine division. If the information isn't on the vendor's site, that doesn't necessarily mean the site is fraudulent, Mr. Salter says. But resolving any problems after you've made your purchase will be more difficult.

You can also find information about a company by checking with the Better Business Bureau Web site (www.bbb.org). Plug the vendor's Web address into the bureau's database to see if any complaints have been filed.

Shoppers should also check to see if the site is certified by an online-security certification company, Mr. Salter says. Network Solutions has a certification program called SiteSafe (www.networksolutions.com), and ScanAlert runs a program called Hacker Safe (www.scanalert.com). The companies run daily checks on Web sites to hunt for vulnerabilities and confirm that transactions are secure.

Web sites vetted by programs like these typically display certification logos on their home page. When you visit a new site, click on any such logo to make sure it's real, Mr. Salter says, because it is relatively easy to duplicate these images on fraudulent sites. When you click on the logo, you should see information about the site's certification status.

While certification programs add a layer of security about a Web site, they don't guarantee it is hack proof.

McAfee (www.mcafee.com) offers a free add-on for your Web browser, SiteAdvisor, that rates the safety of each Web site that turns up in search results. Next to each result is a colored icon: green for safe, yellow for suspicious and red for potentially dangerous. If you click on a yellow or red icon, SiteAdvisor will provide an explanation. For example, the site may be known for downloading spyware or adware. McAfee cautions, though, that it can't guarantee it will catch every hazardous site and that SiteAdvisor users must still exercise caution.

• Avoid crazy deals

Auction and classified-ad sites, like eBay and Craigslist, are some of the riskiest places to shop online, says Susan Grant, director of the fraud center for the National Consumers League. Complaints about general merchandise, which includes classified-ad and e-commerce sites, were the No. 1 grievance the league received about Internet fraud from January to Sept. 15, accounting for 27% of the roughly 8,400 complaints. Auction sites came in at No. 3, making up 19% of the complaints.

A new scam is advertising purebred puppies for an absurdly low price or free if the buyer pays for the shipping, Ms. Grant says. The scammers keep the money sent to them and never deliver the dog. "If somebody is offering something for way cheaper that it normally costs, I would be suspicious of that," Ms. Grant says.

Sometimes, scammers will ask for payment via a wire service. "There is no reason why somebody would ask you to wire the money to them. That's how crooks want money," Ms. Grant says.

Craigslist places antifraud warnings on all of its home pages and at the top of each for-sale posting. "Craigslist users can avoid virtually 100% of fraud attempts by following one very simple rule: Deal locally with people you can meet in person," says Jim Buckmaster, chief executive for Craigslist. The site constantly works on new technical measures to deter fraud, he says.

On eBay, the advice is to comparison shop not just for prices, but for sellers as well, says Jim Griffith, dean of eBay education. If the seller has poor feedback from other buyers or little feedback at all, you should reconsider buying from that seller. Also check to see if the seller gives refunds or insures items. Mr. Griffith says only a small percentage of eBay sellers engage in fraud. And once an eBay member is kicked out of the site for fraudulent behavior, eBay's tracking measures make it "next to impossible" for that person to reregister with the site, he says.

• Try a temporary card number

There are new payment options for users wary of putting their credit-card information on the Web.

Citi, Bank of America and Discover offer temporary account numbers for their cardholders. These services will generate a random number that you can paste into a merchant's payment form. This limits exposing useful financial information to thieves and hackers. The merchant can't tell that you're using a temporary number, and the charge appears on your credit-card statement like a normal purchase. You can request a new number every time you shop or use the temporary number for multiple purchases, though each number can be used with only one merchant.

PayPal (www.paypal.com) has a free add-on tool for your browser that works in a similar way. PayPal account holders can use this tool to make online payments at any vendor that accepts MasterCard. The tool will generate a unique MasterCard account number for the purchase.

One drawback is that you probably can't use these offerings for all purchases. For example, they typically won't work for items like concert tickets you have to pick up in person because the temporary card number will differ from the one on the card you present at the box office for verification.

• Verify your bank's emails

The holiday shopping season "is a fertile time for the phishers to attack" since more shoppers are online, says Frederick Felman, the chief marketing officer for MarkMonitor, a brand-management company. Increased shopping also boosts the chance a consumer will respond to a phishing email that appears to come from a bank or credit-card company, especially if the email comes soon after a purchase, Mr. Felman says. Often a consumer might be multitasking when responding to email and not notice that he has clicked a bogus link.

If you receive an email about a transaction, call the number on your bank statement or credit card, rather than clicking on a link or using a phone number in an email.

Charity-related phishing also pops up during the holidays. In these scams, you receive an email with a link to a fake charity soliciting a donation. Enter your financial information and "that credit card is up for grabs," says Bari Abdul, vice president of Worldwide Consumer Marketing for McAfee.

"We tell people not to click on those links unless you have signed up to receive those charities' newsletters," says Sandra Miniutti, vice president of marketing for Charity Navigator, an online charity evaluator. Be wary of using search results to find a charity's Web site. Or go to Charity Navigator's Web site (www.charitynavigator.org), which links to 5,000 charities, she says.

The Better Business Bureau's Web site also has reports on hundreds of charities.