Identity Theft Prevention & Recovery

Moving ...

noreply@blogger.com (Doug Pollack) — Tue, 29 Apr 2008 21:08:00 +0000

by Doug Pollack

Our ID Experts blog is moving to a new home. Please check out the latest in identity theft and data breach news, advice and other happenings at our new address www.blog.idexperts.corp.com.

We are also sponsoring a new, informational data breach news site providing articles and news events specifically focused on data breaches. Please visit often or subscribe to this site at www.databreachwatch.org.

Both sites will continue to provide you with current and helpful information in the areas of identity theft and data breaches.

Independent Risk Analysis Presented at FOSE Conference April 1, 2008

noreply@blogger.com (Rick Kam) — Fri, 04 Apr 2008 00:30:00 +0000

by Rick Kam
April 3, 2008

This conference is one of the largest IT conferences for public agencies with attendance approaching 20,000 professionals. Leading educators and technology solution providers focused on security, privacy, and "green" IT solutions.

Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.

I presented for ID Experts on the topic of how an "Independent Risk Analysis" provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:

1. The requirements that prompted congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach

ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.

LifeLock Class Action Lawsuits

noreply@blogger.com (Doug Pollack) — Tue, 01 Apr 2008 23:59:00 +0000

by Doug Pollack

This past week, there were two class action lawsuits filed against LifeLock, one in its home state of Arizona and one in New Jersey. Following on a recent lawsuit filed against LifeLock by Experian, one of three US credit bureaus, these class action lawsuits also assert that LifeLock is engaged in deceptive advertising relative to the level of protection provided by their service against identity theft. The LifeLock offering depends almost entirely upon the placement of perpetual fraud alerts as the means for protecting their subscribers from identity theft.

As noted by David Paris, an attorney involved in this matter, in an article on the CNBC website titled "N.J. Class Action Lawsuit Filed Against LifeLock Alleging Deceptive Marketing Regarding Limited Level of Protection Against Identity Theft":

" 'While fraud alerts may be effective in limited instances, they certainly cannot provide the comprehensive identity protection that LifeLock deceptively advertises,' said Paris. 'For instance, fraud alerts cannot stop the use of existing account numbers, and contrary to LifeLock's advertisements, lenders are certainly not required to contact the subscriber before extending credit to a potential identity thief.' "

The article and comments from Mr. Paris also address the alleged deceptive nature a severe limitations on the highly publicized $1MM LifeLock Guarantee:

"According to the Complaint, LifeLock also misleads subscribers by advertising its $1 million service guarantee. 'Potential LifeLock subscribers are enticed by the 'safety net' of what appears to be a one-million dollar insurance policy against any losses sustained as a result of identity theft,' said Paris. 'In actuality, once you get beyond the limitations and disclaimers, you find that the guarantee is limited to fixing failures in LifeLock's services and paying third-parties to attempt to restore subscriber losses.' "

Hopefully these lawsuits will help bring visibility and clarity to consumers as to the differences in identity theft protection services. Most services, including those provided by the company that sponsors this blog, ID Experts, do not rely on fraud alerts as a primary or sole means of protection, nor do they make questionable or misleading large dollar guarantees. It is unfortunate that brash marketing tactics have made it difficult for consumers to make an informed product decision based on the facts related to differences in these services.

ID Experts Launches New Data Breach Services

noreply@blogger.com (Doug Pollack) — Wed, 26 Mar 2008 01:47:00 +0000

by Doug Pollack

Tomorrow at the International Association of Privacy Professionals (IAPP) conference in Washington, D.C., we will announce our new ID Experts Data Breach Services.

Developed to resolve the growing consumer dissatisfaction with current breach notification and response methods, these services include breach assessment, notification and communications, monitoring and identity theft recovery components. Tailored to meet the individual needs of the private sector and government agencies, ID Experts is delivering a comprehensive approach to responding to data breach events that alleviates legal liability, manages public perception, and protects and restores individuals’ identities from identity theft.

We have also released a preview of the results from a study that we recently commissioned with the Ponemon Institute, the leading privacy and information management research firm, to be released in April 2008 . The study delves into how consumer victims of corporate breach events are terminating their business relationships because of a lack of responsiveness.

“Our research shows that consumers are growing increasingly dissatisfied with the way they are being treated following a data breach,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The manner in which breach notification communications are often conducted fails to appropriately convey what the consumer needs to make an informed decision about protecting their personal information and, as such, does not succeed in being the first step in helping to repair a breakdown in trust.”

You can download a pre-release copy of this Ponemon report at our website at www.idexpertscorp.com.

ID Safeguards now ID Experts(tm)

noreply@blogger.com (Doug Pollack) — Tue, 25 Mar 2008 17:12:00 +0000

by Doug Pollack

ID Safeguards is changing its name. ID Safeguards will become ID Experts(tm). Founded in 2003 with a mission to protect Americans from identity theft, we have grown into a leader in identity theft protection. Today, we apply best practices to protect over three million Americans from this growing problem.

Our team of experts is passionate about helping victims of identity theft. We are one of the only companies in the industry that provide fully-managed recovery services, in other words we do all the work for victims of identity theft in order to restore them to pre-theft status. We are also trusted by some of our country's largest and most prominent companies to provide a full spectrum of data breach response services.

As our market and our services have evolved, we have found that the common thread across all aspects of our business is our people and the expertise they provide in addressing the problems associated with identity theft. For this reason, we feel that the name ID Experts expresses more clearly and appropriately who we are today.

So ID Safeguards is now ID Experts. But rest assured, we still provide the best in identity theft protection services for individuals and families, and we provide leading corporations and public sector organizations with the most complete and tailored data breach services.

Visit us on the web at www.idexpertscorp.com, and continue to visit our blog for the latest in news and advice on identity theft.

Is the U.S. Losing the Information War?

noreply@blogger.com (Rick Kam) — Mon, 17 Mar 2008 22:20:00 +0000

By Rick Kam

In a March 13, 2008 article in GovernmentExecutive.com by Gautham Nagesh titled "Feds losing war on information security, senators told",

"The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday."

Why?

Protecting information has become a significant challenge for all organizations large or small, in pubic or private industry. The amount of personal information any organization has on its customers and employees and the many ways they are stored; both in electronic and paper form, make protecting information from thieves a daunting task.

What are these organizations trying to protect?

There is value in information considered personal or health related. Your name, address, SSN, mother's maiden name, and yes, even the name of your favorite pet (if you use it as a password recovery keyword) has value to ID thieves who utilize it to access your bank accounts, set up new accounts using this information, or use you to mask their criminal past.

Think about the places you have your information stored in your home like files in your kitchen or home office, boxes in the garage, utility bills, and explanation of benefits statements posted on the refrigerator awaiting payment.

Now think about where you work, whether in health care, insurance, government agencies, car dealerships, accounting firms, etc. You may see a lot of this information accessible to anyone, including ID thieves. There in lies one of the biggest challenges. Protected information is easily available to anyone everywhere you look!

What do you do about it?

In your home, secure this information in a locked file cabinet and away from people who may see it and decide to use. At work, let your supervisor know that there is information that you think should be protected so the organization can secure it properly.

Is this a losing battle?

No. We can win the information war by each of us making an effort to do our part to protect our information and alert others when we see possible exposures. You can make a difference.

SEC Proposal to Amend Data Breach Regulations

noreply@blogger.com (Doug Pollack) — Fri, 14 Mar 2008 00:09:00 +0000

by Doug Pollack

The Securities and Exchange Commission (SEC) is proposing amendments to the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding information and responding to information security breaches.

"Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information."

The amendments are currently open for comment. If they go through in substantially their current form, the SEC will be requiring public companies to analyze each data breach for the risk of exposure of personal information, and then, if their determination is that the risk of unauthorized access is "reasonably possible", notify all individuals affected by the data breach.

Currently, there are no federal regulations that require notification of individuals affected by a corporate data breach. There are however numerous states that have notification laws with varying provisions.

It would be a very positive step for all of us if there are federal laws and regulations that would ensure that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such as way that it causes them great concern, but provides them with little help.

More on Experian vs. Lifelock

noreply@blogger.com (Doug Pollack) — Thu, 13 Mar 2008 00:32:00 +0000

by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled "Business Law Bulletin: Experian vs. LifeLock Heats Up".

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

"According to Experian's lawsuit, at least one Lifelock ad claims that the company's services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone's Social Security number to obtain a job; or against unauthorized use of a credit card."

It is interesting to see a credit bureau that advertises their credit monitoring services as a means to help deter identity theft relentlessly (who hasn't seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations in this area.

Mr. Bronson goes on to point out the ambiguities with LifeLock's famous $1 million guarantee:

"Lifelock does offer a $1 million guarantee that if a customer's identity is compromised, Lifelock will help restore the customer's credit standing and pay the cost of doing so. However, Lifelock's web site states that the guarantee comes into effect when a customer's identity is compromised "due to a failure or defect in our Service", a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)"

This is the first instance where I've seen someone dig into the specifics of this guarantee. The "service defect" provision certainly provides LifeLock with a get-out-of-jail-free card. Not to mention, given that it is the financial institutions who provide most of the financial fraud protection, how valuable really is a $1 million guarantee other than as a marketing gimic. I guess we'll all find out as this lawsuit unfolds.

Putting LifeLock to the Test

noreply@blogger.com (Doug Pollack) — Wed, 27 Feb 2008 01:41:00 +0000

by Doug Pollack

Right on the heels of the lawsuit filed by Experian against LifeLock, the self-proclaimed leader in identity theft protection, which asserts that LifeLock uses deceptive advertising and misleading claims in advertising their service, as well as illegal means of setting fraud alerts on behalf of their customers, now a CBS news report by Jim Benemann has put LifeLock to the test, along with two other companies, Debix and TrustedID, that rely on credit bureau fraud alerts or freezes for protecting their customers.

It seems that based on this test, these products do not prevent identity theft as you might be led to believe based on LifeLock's advertising. So on to the test. The first thing he did was have three of his colleagues, Tom, Jillian, and Kristine, each sign up for one of the three services. Then...

"With their permission, CBS4's Jim Benemann took all of Tom, Jillian and Kristine's personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. The only little thing he changed was the address. Benemann asked for those credit cards to be mailed to his home address. Essentially, he stole Kristine's, Tom's and Jillian's identities.

The three testers weren't worried. They all figured they would get that phone call telling them that someone was applying for credit in their name and they would put a stop to it immediately. Tom waited, Jillian waited and Kristine waited close to their phones. They waited 24 hours, then 48 hours and then a week. Not one of them got a phone call from any creditor even though they had paid companies for credit protection."

It is worth noting, that a fraud alert can easily be placed by an individual for free, just by contacting the credit bureau. Unfortunately services like these make the fraud alert seem like a "silver bullet" for preventing identity theft. As this test proves, nothing could be further from the truth. The reporter goes on to note:

"And remember Kristine who signed up with LifeLock? A little more than a week after Benemann applied for a credit card in her name, that card arrived, mailed to him, at his home address. And that had Kristine all the more interested in finding out about LifeLock's $1 million guarantee...Here is what LifeLock had to say:

'The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective.' "

Having said that, LifeLock didn't clarify how they then provide "protection" for the victim of ID theft. In the past, LifeLock had outsourced victim recovery services to other companies. It would be instructive to know what they do for their victims today.

Experian vs. LifeLock Lawsuit

noreply@blogger.com (Doug Pollack) — Fri, 22 Feb 2008 02:12:00 +0000

VS.
by Doug Pollack

The Red Tape Chronicles yesterday reported on a recently-filed lawsuit by Experian, a major US credit bureau, against Lifelock. This lawsuit represents the first "shot across the bow" for vendors of credit services that rely on placing continuous fraud alerts on consumer accounts with the credit bureaus.

About.com's identity theft site defines a fraud alert as a "flag that is put on your credit report through the consumer reporting agencies. This flag establishes that as part of any credit approval process, you need to be notified."

Lifelock's consumer service, which they tout as providing guaranteed protection against identity theft, relies solely on the setting of fraud alerts to provide consumers with the stated protection. The Experian lawsuit brings into question the efficacy of fraud alerts as a means to prevent identity theft.

The Red Tape Chronicles article highlights that a key assertion of the lawsuit is that LifeLock is using deceptive advertising practices and making misleading claims in order to persuade consumers to subscribe to their service. The article notes that the "credit bureau Experian is suing the identity theft prevention firm LifeLock, accusing it of deception and fraud in its familiar advertising campaign, which includes a spot in which CEO Todd Davis reveals his Social Security number and then brags about the effectiveness of the company’s protections. In the lawsuit, filed in U.S. District Court on Feb. 13, Experian contends that LifeLock's advertising is misleading and that the firm is breaking federal law in the way it goes about protecting consumers."

The Experian lawsuit also brings into question the legality associated with firms placing fraud alerts on behalf of consumers. The Red Tape Chronicles article notes that "Experian contends that LifeLock's chief ID theft prevention tool -- the placing of continuous fraud alerts on consumers' credit files – is illegal because, under the Fair Credit Reporting Act, fraud alerts can only be requested by the individual consumer or an individual acting on behalf of the consumer."

ID Safeguards provides corporations and consumers with identity theft services. Among these services are those that assist victims of identity theft with recovery of their identities taking a "fully managed" approach to recovery. Coincidentally, the company has handled identity theft recovery efforts for numerous LifeLock members who became victims of identity theft, despite the placement of fraud alerts by LifeLock.

The fact that LifeLock members do fall victim to identity theft should not be surprising. Fraud alerts do not prevent an identity thief from co-opting and using one of your credit cards. They also don't prevent someone from using your social security number to work. They further don't prevent thieves from signing up for utilities of telecommunications services using your identity. And they don't stop someone from using your personal information to get access to health care services.

Fraud alerts also don't prevent inquires for credit from showing up on a victims credit report. These "little dings" can have a detrimental effect on an person's credit score. Fraud alerts do have their place in dealing with a threat to your financial identity, but they are not a silver bullet and certainly are not a guarantee that individuals won't fall victim to identity theft.

The Indirect Costs of a Data Breach

noreply@blogger.com (Doug Pollack) — Mon, 11 Feb 2008 23:35:00 +0000

by Doug Pollack

A recently published article in E-Commerce Times concerning the costs of corporate data breaches titled The Cost of ID Theft, Part 2: Fixing the System written by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches by America's corporations.

The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.

"The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record -- not financial fraud -- is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses noted Uriel Maimon, senior researcher for security firm RSA."

Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.

"The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP."

With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.

Are You Well Protected?

noreply@blogger.com (Doug Pollack) — Sat, 26 Jan 2008 00:28:00 +0000

by Doug Pollack

As we look forward to what is in store for us in 2008, The Identity Theft Resource Center is projecting an increase in both the number of security breaches and incidents of identity theft.

With this as a backdrop, we've developed a set of recommendations for people to protect themselves. As part of our ID Self-Defense Academy, a component of our subscription services member website, this Self-Defense Checklist includes both common sense suggestions that you are likely to be familiar with, as well as others that are new this year given the evolution in the use of the internet and computers in identity theft.

Some of the items you may not have thought about include using a "wipe" utility on your computer hard drive to make sure all of your information is permanently erased before disposing of the computer, and checking the annual earnings statement that you receive each year from the social security administration for any discrepancies in earnings or work history.

The complete checklist follows.

Self-defense Checklist

Protect Yourself At Home

Switch to a mailbox with a lock.
When you're away from home, place a hold on your mail (online at www.usps.com or with a Hold Mail form at the post office).
Use a cross-cut shredder to shred documents containing financial or other personal information.
Secure important documents in a safety deposit box or a fire-proof safe hidden at home.
Stop newspaper delivery and garbage service if you're leaving town.
Set up lights on timers to make your home look occupied when you're away.
Have a neighbor you trust keep an eye on your home, and leave a number where you can be reached.
Immediately notify the post office and anyone you do business with if you change your address.
Place outgoing mail in a post office mail slot or hand it to a postal worker instead of leaving it at your home mailbox for pick-up.
Review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.

Protect Your Computer and Internet Access

Protect your computer with a password.
Never provide personal information in response to an unsolicited e-mail.
Avoid viruses and other scams by frequently updating your browser and e-mail software.
Use and regularly update your firewall and anti-virus/anti-spyware software.
Change your passwords often, and use letter and number combinations that are difficult to guess.
Never have your computer remember your password.
Don't respond to instant messaging from unfamiliar users, and avoid instant message offers.
To ensure the authenticity of e-mail requests for personal information, type the company's Web site URL directly into your browser instead of clicking on a link in the e-mail. (The real destination of the link may be different than the URL that you see.)
Don't ever send personal or financial information via e-mail.
Don't open e-mail attachments or download files from strangers.
Before doing business with any company, ask for and verify its name, street address, and phone number.
Choose an Internet Service Provider and browser that use filtering software to limit spam in your e-mail inbox.
Never respond to email asking for your help in getting money out of a foreign country.
Encrypt your wireless network as soon as you set it up.
When using Ebay, Craigslist, or other sites linking buyers and sellers, use PayPal for transactions. Don't ever wire money via wire service, and don't accept cashier checks or money orders, as these can be forged.
Review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.

Protect Yourself On the Road

Carry only the credit cards and checks you absolutely need when traveling.
Keep identification and credit cards in a secure wallet or purse on your person (and out of pickpockets' reach) where you can keep an eye on them.
Make photocopies of the fronts and backs of your credit cards, driver's license, and passport and store the copies someplace other than your wallet in case of theft.
Program the toll-free numbers for your credit card companies into your mobile phone in case of theft.
Never leave valuables, phones, receipts, or other papers containing financial or personal information in your car, even if it is locked (and always lock it).
Keep receipts in a safe place until you can cross-shred or safely store them at home.
Always keep your mobile phone in a secure place on your person to avoid losing it. Activate the lock feature when it's not in use so that it can't be used and any stored information can't be accessed if it is stolen.
If you must discuss personal or financial information over the phone, do so in your hotel room or another private place where you won't be overheard.
Avoid downloading attachments from your e-mail account onto a computer other than your own. Erase your browsing history and discard any personal files in the computer's trash or recycling bin, then empty it before logging off.
Never enter or access personal information from a public-access computer or one in a hotel business center, as these can be fitted with hard-to-see key loggers that record your information.
Be sure to eject any personal CDs, DVDs, or jump drives at the end of a session on a computer that isn't your own.
Especially after you travel, dealing with merchants you don't know, remember to review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.

Data Breaches Reach Record Levels in 2007

noreply@blogger.com (Doug Pollack) — Tue, 08 Jan 2008 18:04:00 +0000

by Doug Pollack

According to a December 30, 2007 AP article written by Mark Jewell, the trend in data breaches continues on the upswing. He reported that:

"The loss or theft of personal data such as credit card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to turn around anytime soon as hackers stay a step ahead of security and laptops disappear with sensitive information."

This of course is bad news for consumers who have also experienced meteoric rates of identity theft in 2007. It has been estimated that over 9MM US citizens fell victim to identity theft in 2007. If you're counting, this averages out to one every three seconds. And the growing adoption of new technologies such as wireless internet and devices by businesses and consumers, provides new ways for technically-savvy criminals to circumvent data security measures.

"With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information security professionals."

Research Groups estimate that between 50MM and 80MM records of personal information were breached during 2007. These breaches were caused both by hackers whose intent is to steal and exploit this personal data, as well as by unintentional human error such as in the loss or misplacement of a laptop computer with sensitive personal data residing on its hard drive.

Predictions by industry groups suggest that breach numbers reported will continue to rise given a growing trend requiring disclosure of breaches and notification of affected individuals by organizations that experience a data breach.

ID Theft During the Holiday Season

noreply@blogger.com (Doug Pollack) — Tue, 11 Dec 2007 18:40:00 +0000

by Doug Pollack

Unfortunately, ID thieves don't take time off during the holidays. Because people are out and shopping (or on the web and shopping) more actively during December, there is an even greater risk of identity theft.

Christine Arevalo, an ID theft expert and head of data breach services at ID Safeguards, discusses ID theft during a recent edition of AM Northwest.

When shopping online during the holidays, remember to look for the "lock" icon and "https:" address in your browser when entering your credit card or other personal information. Also, she suggests that you dedicate just one credit card for your online purchases in order to make it easier to keep track of the charges in January. And never use a debit card for online buying since it directly accesses your checking account funds.

The Bad Check Boomerang

noreply@blogger.com (Anonymous) — Tue, 04 Dec 2007 21:06:00 +0000

By: D. Jones, Recovery Advocate

Have you recently received a collection notice in the mail and don’t know why? Collection notices can be for outstanding balances on credit cards or for outstanding, uncollected checks. Those pesky notices are one of the main ways the average consumer discovers the theft of their identity.

When a check has been written, whether a forgery (signing a name that isn’t yours) or a counterfeit check (a false check created with accurate or completely inaccurate information or a mixture of both) it goes through a few steps before its final destination.

Ever notice those little machines or attachments to the register that scan your check when you present it to the merchant? Those are usually linked to larger check verification companies. The four major ones are: Telecheck, CheckRite, SCAN/ChexSystems and Certegy. The system used either denies or accepts the check and the merchant goes from there.

If the check is denied, it means there is a check collection or an alert out with the particular bureau the merchant uses. The merchant will often give the consumer a card with contact info for the bureau used. However, if the check clears, either the name, driver’s license number or checking account information is not on file with the bureau as being in “negative status”. When a check is verified as “no negative status” it doesn’t mean the check is good – it means there is no record of the check being bad. Not as easy as it sounds.

Back to those check collection notices in the mail – if you've received one it means your personal information (bank info, name, driver’s license number) was used to write a check to a merchant.

If the information used was your account info, you notice unauthorized debits exiting your checking account and alert the bank. If it does not belong to your bank, and here’s the frightening part, you may not know about it for a while.

Once the check doesn’t clear it goes back to the merchant to collect the amount. Often they use those same verification bureaus to collect for them and record the information as “negative” which means the victim is unable to present checks validly – another way a victim discovers the theft of their identity. Enter the appearance of the check collection notice in the mail.

Remember that frightening delay mentioned earlier? If incorrect address or fake address information was used the notice may not get back to you for some time, and identity thieves count on this delay to utilize the checks as long as they can.

Thieves obtain our info through various illegal methods including mail theft, purse/wallet theft, dumpster diving, or corporate breach compromise and black market dealings.

Sometimes the victim attempts to resolve the situation themselves but the collection notices can often be the tip of a very nasty iceberg. We’ve all heard about collection bureaus and their practices - dealing with these guys can run the gamut from irritating to abusive. So if you ever get one of those notices call the check collection bureau and ask them to provide verification of the debt – it’s your legal right!

Credit Union Customers Targeted with Latest Scam

noreply@blogger.com (Heather Wells) — Tue, 04 Dec 2007 19:00:00 +0000

by Heather Wells (Recovery Advocate)

What could be worse than having your bank account or good credit history hijacked around the holidays? Picture yourself at the register attempting to pay for gifts using your debit card and being told that there are insufficient funds in your account. Or imagine checking your credit reports only to discover dozens of new maxed out lines of credit that you did not know about.

The identity thieves are getting increasingly clever with their scams. They have realized that consumers are becoming less willing to respond to “phishing” emails that direct them to decoy websites asking for personal banking information or a social security number. Most folks delete these sorts of emails suspecting foul play, which is the smart thing to do. The newer version of this phishing scam is known as “vishing,” or “voice phishing.”

An article from consumeraffairs.com dated December 3, 2007 states that “sophisticated criminals now send emails instructing consumers to call a telephone number instead of clicking on a link. This tactic, known as ‘vishing’ can be especially effective because consumers who encounter a live person are much more likely to let down their guard.”

Read more from the article and view a recently circulated vishing email here.

Consumers who receive one of these bogus emails should contact their credit union directly by using the phone number on their monthly statement or by obtaining the number from the financial institution’s official website. It’s also a good idea to report this scam to the Federal Trade Commission at http://www.ftc.gov/.

The Missing Ingredient in Most ID Theft Services. Personal Help.

noreply@blogger.com (Doug Pollack) — Fri, 16 Nov 2007 23:55:00 +0000

by Doug Pollack

There has been a great deal of attention recently paid to the actions by credit bureaus enabling consumers to use credit freezes as a tool to avoid or deal with identity theft events.

In a recent New York Times article titled "In ID Theft, Some Victims See Opportunity", the author highlights several companies, like ours, that provide ID theft protection services. Several of these companies see the use of credit freezes and credit fraud alerts as a panacea for eliminating the threat of identity theft. This is a position that we do not subscribe to. We believe strongly in encouraging consumers to use all appropriate best practices to avoid identity theft, and we provide a product, FraudStop, that provides broader prevention from ID theft by addressing not just credit records, but also other records including real estate, motor vehicles, utilities and the like, all of which can be used by identity thieves.

"Among its peers, LifeLock has attracted the most attention--much of it negative. In radio and television ads, Todd Davis, chief executive of LifeLock, gives out his Social Security number to demonstrate his faith in the service. As a result, he has been hit with repeated identity theft attacks, including one successful effort this summer in which a check-cashing firm gave out a $500 loan to a Texas fraudster without ever checking Davis' credit report. Last summer, The Phoenix New Times, an Arizona paper, reported that LifeLock's co-founder, Robert Maynard, had a criminal past. Maynard later resigned."

But despite the best protection, ID theft does and will occur. Which is why the consumer is best served by a company that can provide them with an expert to handle any identity theft issues. Which is what we do with our staff of personal recovery advocates. Most identity theft protection services companies do not provide recovery services. They do not have teams of trained professionals. They do not see this as important. We obviously do. And so do the over 2.5 million people that rely on our recovery services.

Among other things, the author highlights that identity theft services whose only value is in setting fraud alerts or credit freezes for consumer, are vulnerable to potential legislation.

"[This] business [specifically mentioned were LifeLock, TrustedID, and Debix] is vulnerable if Congress succeeds in pressuring the three major credit agencies to make these theft-fighting measures cheaper and more accessible to consumers. Sen. Charles Schumer, Democrat of New York, criticized the credit companies last month for making identity theft freezes too cumbersome to set and lift. Each of the three credit agencies recently bowed to public pressure and made freezes available in all 50 states."

But this article is silent on the consumer need for professional ID theft recovery services. It is projected that over 10MM people in the US will fall victim to identity theft in 2008. Identity theft protection services such as ours, and those provided by others in this space, will help in turning this trend. But consumers should be told the truth. There isn't a silver bullet that will guarantee that you won't become a victim of identity theft. ID thieves are using increasingly more sophisticated means to steal from you. Which is why if you opt for an identity theft protection service, it should include expert, professional, personal recovery assistance.

Experian, Equifax and TransUnion Offer Credit Freeze to All Consumers

noreply@blogger.com (Heather Wells) — Tue, 13 Nov 2007 02:10:00 +0000

by Heather Wells (Recovery Advocate)

Starting this month, all consumers will be able to place a “security freeze” with the three major credit reporting agencies. This press release sent on October 31, 2007 details who is eligible to freeze their credit files for free and which folks may need to pay fees to each of the credit bureaus for this service. These fees are for "freezing" and "thawing" your credit files.

Before November 1st of this year, there were 39 states (and DC) that had laws on the books stating that their residents could freeze their credit files. Some other states had adopted freeze laws that applied to victims of identity theft only. With this new law, everyone is eligible, whether they are victims of identity theft or not.

A security freeze (a.k.a. credit freeze) prevents creditors and other entities from viewing your credit report without your express permission. When you apply for credit with a freeze in place, you must use a PIN provided by the bureaus to temporarily lift the freeze. The temporary lift lasts 2-3 days and the entire process adds a few extra days to the application process. The freeze is in place indefinitely until you decide to permanently lift it. Much has been written about the benefits and drawbacks of the freeze. If you are thinking about placing a security freeze, be sure to take into consideration all of the negative consequences as well as the positive.

For example, with a freeze in place, you may be denied employment because your potential employer is unable to conduct a background check. I have personally worked with victims of identity theft who were unable to purchase a new car at a "super sale" rate because they did not time the "thawing" of their credit files just right. On the other hand, there are many id theft victims who enjoy the peace of mind that the freeze offers them, and are more than willing to put up with any potential inconveniences or out-of-pocket expenses.

The three credit bureaus have more information on security freezes at their websites, www.experian.com, www.transunion.com and www.equifax.com.

Warning: Be on High Alert for Fake FTC Email Containing Virus

noreply@blogger.com (Heather Wells) — Wed, 31 Oct 2007 15:25:00 +0000

by Heather Wells (Recovery Advocate)

An online article from Reuters dated October 29, 2007, details the latest alarming scam aimed at the unsuspecting public. Reuters reports that an unknown number of consumers may have received a bogus email that appears as though it was sent by the Federal Trade Commission (FTC). The emails are not from the FTC and are instead designed to lure an innocent victim to click on attachments and links that could leave them vulnerable to Identity Theft.

“'The e-mail says it is from ‘frauddep@ftc.gov’ and has the FTC's government seal. But it was not issued by the agency and has attachments and links that will download a virus that could steal passwords and account numbers, the agency said.

'It's a treasure trove for identity theft," said David Torok of the FTC's Bureau of Consumer Protection. ‘We're concerned. The virus that's attached to the e-mail is particularly virulent.’”

Unfortunately, this isn’t the first time the Federal Trade Commission has had to issue a warning regarding bogus emails. In June of 2007, consumers were also under attack from fraudulent emails that looked like legitimate correspondence from the FTC.

The Federal Trade Commission is encouraging consumers to forward the email to spam@uce.gov, an FTC database, for investigation and then to delete the email. For more official information and instructions, go to the FTC website.

Synthetic ID Theft

noreply@blogger.com (Doug Pollack) — Tue, 30 Oct 2007 23:06:00 +0000

by Doug Pollack

The Wall Street Journal this week published an article on synthetic identity theft titled "The Borrower Who Never Was" (Christoper Conkey, October 29, 2007).

It describes how an identity thief named James Rose would create synthetic identities, those that appear real on paper, but were actually used by him in order to trick financial institutions into making loans or issuing credit cards.

"Working with a partner, Mr. Rose tricked the guardians of the credit system -- lenders and the three big credit bureaus -- into treating his fake identities as if they were real, creditworthy consumers. He obtained several hundred credit cards in the names of Mr. Gregory and as many as 500 other fake personas over two years, filching around $750,000 over a two-year period."

Unlike more common identity theft, synthetic identities are used primarily to defraud financial institutions without affecting individuals. Mr. Rose noted that their goal was to "make a lot of money without actually hurting people."

Despite protestations to the contrary, some feel credit bureaus aren't doing enough to deter identity theft. In the case of synthetic identity theft, it is the knowledge of credit bureau procedures that enable criminals to create and exploit synthetic identities. Evan Hendricks, editor of Privacy Times, notes that "the credit bureaus are at the epicenter of identity theft and there's no pressure at this point to force them to make changes."

Business breaches a source of identity fraud

noreply@blogger.com (Doug Pollack) — Tue, 23 Oct 2007 21:45:00 +0000

by Doug Pollack

A recently federally funded study on identity fraud by Utica College's Center for Identity Management and Information Protection "paints a complex portrait of the signature crime of the digital age, one that has been the top consumer fraud complaint to federal authorities for six consecutive years."

As described in a recent article titled In Many Major Cases ID Theft isn't Personal (Joseph Menn, LA Times-Washington Post, 10-22-07), this study challenges a widely held perception that a majority of identity theft cases occur with people that are known to the victim.

Based on 500 individuals arrested by the US Secret Service over the last several years, only 8% were relatives of or acquainted with their victims. The most common tool for identity theft based on this study was any of a variety of technology devices, including credit card encoders, computer printers and telephones, which contributed to 37% of the cases.

This study further reinforces the need for individuals to be very careful with their personal information, and how and when and to whom they disclose it, but also highlights that identity theft can occur even to those people that are consummately careful.

Clark Howard on ID Theft Services

noreply@blogger.com (Doug Pollack) — Thu, 18 Oct 2007 16:29:00 +0000

by Doug Pollack

I've been a long time listener of Clark Howard. It is hard not to appreciate the solid advice on how to save money and not "get ripped off".

With the expansion of competing services targeted at consumers to protect from identity theft, it can be difficult knowing who to trust or what criteria to use in selecting a service. He has commented extensively on identity theft, and provided the following advice to his listeners:

"Clark gets tons of calls about identity theft. It has remained a real aggravation for people, especially when they have been a victim. ...The only time he would recommend paying for a service is if a human being comes with the deal, and that person is going to clean up your credit for you. "

After 4 years in the ID theft protection business, ID Safeguards launched a new consumer identity theft protection service earlier this week called FraudStop. FraudStop is distinctive in that it provides exactly this kind of personal service to victims of identity theft. The company has a team of experienced "recovery advocates" that, if a FraudStop member falls victim to identity theft, will personally take on their case and do everything necessary on their behalf to restore them to pre-theft condition.

While I realize that Clark Howard doesn't endorse products, which is part of his appeal, I am pleased that the FraudStop offering from ID Safeguards is in alignment with the advice that he gives to his listeners.

ID Thieves Steal Medical Services, Cause More Pain

noreply@blogger.com (Rick Kam) — Sat, 13 Oct 2007 15:36:00 +0000

by Rick Kam

In an article written by Victoria E. Knight on October 11, 2007 in the Wall Street Journal, Escalating Healthcare Costs Fuel Medical ID theft, Victoria explains:

"One of the biggest threats posed by medical identity theft is that victims can receive the wrong medical treatment based on the fraudulent information in their medical records. (You are allergic to penicillin, the impostor isn't.) In addition, theft can cause victims to fail pre-employment medical exams or become uninsurable."

What is Medical ID Theft?

Medical identity theft is when someone uses your name and health insurance without your knowledge or consent to obtain medical treatment, prescription drugs or goods. At least a half-million Americans have been affected, according to Pam Dixon, Executive Director of the World Privacy Forum, a San Diego research group that focuses on privacy issues.

What can be done to protect yourself from Medical ID theft?

Like protecting yourself other forms of ID theft, we suggest being aware of potential misuse of your personal data. Check those explanation of benefits statements you get after visiting the doctor to make sure the medical services you received are accurate, and that you were the one that received them.

There are new identity monitoring solutions in the market that detect both financial and non-financial fraud (i.e. medical ID Theft). Credit monitoring is not effective in detecting this issue or many other issues involving non-financial crimes.

Would You Notice $400,000 Missing From Your Checking Account?

noreply@blogger.com (Rick Kam) — Wed, 10 Oct 2007 00:30:00 +0000

by Rick Kam

In an article published in the New York Times by Sewell Chan on October 2, 2007, Chan reports that Mayor Bloomberg fell victim to Identity Theft.

"In early June, Mr. Bostic deposited a $190,000 forged check into the Sovereign account and a $230,000 forged check into PNC account, according to prosecutors. Both of the forged checks were drawn on Mr. Bloomberg’s personal account at the Bank of America and were issued in the name of the mayor’s financial manager, Geller & Company."

You might ask could this happen to me?

The answer is yes. There are many types of financial and non-financial ID theft. Credit card fraud and someone withdrawing money from your checking account happens a lot.

You might say, "I have a service that freezes my credit or automatically sets fraud alerts to guarantee against ID theft". The answer is, these solutions will prevent the issue that happened to Bloomberg - an ID thief stealing money being taken from his checking account.

There are new services on the horizon that monitor credit, checking, and other forms of financial and non-financial personal data to detect misuse of your information and provide 360 degree protection. You will see these new services become available in the market and be more effective, but cost roughly what consumers pay today for less effective solutions. More on this in a future post....

Gap Reports Theft of Laptop Containing Personal Information

noreply@blogger.com (Heather Wells) — Wed, 03 Oct 2007 23:26:00 +0000

by Heather Wells (Recovery Advocate)

800,000 applicants for employment with the Gap may have had their personal information compromised, according to a September 29, 2007 article in SFGate.com written by Carolyn Said.

“The San Francisco retailer on Friday reported the theft of a laptop containing unencrypted personal information for 800,000 job applicants. The data, stolen from the offices of a third-party vendor, covered job seekers in the United States, Canada and Puerto Rico who applied online or by phone between July 2006 and June 2007. Most of the applicants were seeking jobs at Old Navy, although some applied for jobs at Gap, Banana Republic and Outlet stores."

A majority of people think that it’s required to put their social security number, date of birth, and other personal data on an application for employment or on a resume. This is a common misperception that makes job applicants extremely vulnerable to Identity Theft. So, what are some items that DO NOT belong on a resume or job application?

1) Your Social Security Number
2) Date of Birth
3) Driver’s License Number

If a company requests any of this information simply write “see below” and then add a note at the bottom of the application stating that you would “be happy to give this information during the interview process.” Explain to your potential employer that you are simply protecting yourself from the threat of Identity Theft.

In general, employers do not make a hiring decision based solely on looking at an application or resume and they do not need this info unless they are truly interested in hiring you. The same goes applying for a job over the phone. Explain to the person taking down your name and work experience that you don't feel comfortable giving up so many other personal details on the telephone. You never know where your information could end up, on an unsecured computer or desktop, in a trashcan, or even worse, in the hands of an id thief!