Identity Theft Blog by Truston
New CA Law Expands ID Theft Protections
Jul 3, 2008 by Tom Fragala
Gov. Arnold Schwarzenegger signed new California identity theft legislation on July 2nd. The compact legislation, SB 612, amends Section 786 of the Penal Code. It was backed by the Privacy Rights Clearinghouse and California District Attorneys Association. According to the Consumer Federation of California it will:
...expand these provisions to include unauthorized retention and transfer of personal identifying information. It would also add the county in which the victim resided at the time the offense was committed to the jurisdictions in which a criminal action may be brought for commission of these crimes.
See the full text of the law here, and its history here.
Privacy-friendly Search Engines
Jun 30, 2008 by Tom Fragala
Most of the leading search engines like Google, MSN, and Yahoo keep your search data for a long time; Google 18 months and Yahoo 13 months. There is an alternative for the privacy-conscious called Ixquick, which is based in Holland. It actually pulls search results from the other major search engines, but deletes search queries after just 48 hours. Ask.com (formerly AskJeeves) has a privacy feature called AskEraser which will deleted your search activity from their system on demand.
Info from Privacy Rights Clearinghouse.
My Two Hours With Bill Gates
Jun 27, 2008 by Tom Fragala
This is a story of how I once spent two hours sitting with Bill Gates and his wife Melinda. Since Bill retired today as a full-time employee at Microsoft, I thought I would finally recount it here. It was not a Microsoft event. There were no PR people or other staff around. I simply had a unique opportunity to observe Bill and Melinda by themselves.
This took place around the time Microsoft's anti-trust problems were just erupting. In hindsight, what I observed that day has even more significance.
It was a splendid day in May 1998. I was in San Diego to attend the graduation of a friend from University of San Diego. The event took place outdoors. There were three sections of seats in front of a stage, a large one in the middle, and two smaller on either side. I was sitting in the smaller section stage right, in the second row. The first row was empty and had a small "VIP" sign on it.
Sitting in the sunshine waiting for the festivities to begin, I saw to my left a man and woman walking towards the front row. I immediately noticed the man was Bill Gates, CEO of Microsoft. Having been employed by Microsoft in Ireland a few years prior, and working in the tech space for years, I was pretty excited. Stepping towards their chairs, Bill sat down immediately in front of me. He was so close I could tap him on the shoulder without moving in my seat. It was just the two of them, no one else sat in the VIP row with them.
Prior to their arrival, I was frankly expecting the next couple of hours to be quite boring. But now I was delighted to have the chance to observe an industry titan, the world's richest man (or, close to it, in those days) and his wife. It felt like an exclusive opportunity--no one seemed to know he was there except me. I leaned over and whispered to someone near me "that's Bill Gates" but the blank stare told me he had no idea who it was. I looked around and no one else appeared to care either.
Bill was wearing a decent business suit, not flashy (Bill Gates ain't a flashy guy), and carrying a huge book. Melinda was resplendent wearing a flowery dress and one of those classic summer hats (think Pretty Woman at the polo match). When I saw her I thought "Hey, ole Bill did pretty well for himself!"
Something about Bill caught my eye--he had rather bad case of dandruff. Little white specks were all over his shoulders. Also, his glasses were a wreck. The plastic sheath that goes over the ears was hopelessly tattered. On both ears, plastic was hanging off in several long pieces. I couldn't help but think, "The guy's a billionaire and he doesn't have decent pair of glasses."
Immediately after sitting down, Bill opened the massive book and started reading. He read non-stop, barely moving, except perhaps to cross his legs, and never lifting his head. He didn't speak a single word the entire ceremony. He just stayed buried in that book. After maybe 15 minutes, I started to wonder what the hell this book was that would keep him so glued. I craned my neck to see the title to no avail. A few times I pretended to drop my program, so I could have a reason to peer up to see the book title. But damn! the book had no dust cover. The title was only on the spine, which I couldn't see. Leave it to Bill Gates to dispense with something as inefficient as a dust cover.
Ever since they had arrived, Bill hadn't moved. A half-hour passed, and then another, with Bill hunched over the tome. And I continued to fail in my quest to discover the title.
Meanwhile, Melinda was the perfect lady. Sitting upright, she paid rapt attention to the proceedings, always politely clapping at the right time. She seemed genuinely interested in what was being said. She was as classy as could be and had an air of intelligence (she was high school valedictorian and has an MBA from Duke). I bet that afterwards she could have given a detailed, enthusiastic summary of the entire graduation.
Bill continued his reading undisturbed for maybe 90 minutes, then something uproarious happened. It was while diplomas were being handed out. Streams of students had lined their way up to the stage. I noticed that one of the students returning from the stage changed his course and came walking towards us. Clearly this was the guy the Gates were here for. Melinda rose to greet the young man. Melinda fired a glance at Bill but he remained engrossed in his book. Realizing he wasn't moving, she bent down, cocked her arm and gave Bill an almighty whack in the ribs. Bill leaped up, dazed and startled, and while I laughed out loud, he and Melinda shook the student's hands.
Before jumping up, Bill had put the book down on the ground. It was leaning against his chair leg. Seeing my chance, I quickly bent down and observed the title:
TITAN: THE LIFE OF JOHN D. ROCKEFELLER, SR, by Ron Chernow.
Although I did find it somewhat ironic, at the time, that he was reading about Rockefeller, I didn’t realize until much later how remarkable it was that he was reading that book at that time. Rockefeller founded Standard Oil and became the world's richest man--just like Bill. And Standard Oil was convicted in Federal Court of being an illegal monopoly--just like Microsoft*. In fact, the case against Microsoft by the U.S. began in May 1998. So here we had the founder and CEO of Microsoft reading a book about the founder and CEO of Standard Oil, just a few months before his deposition to the Justice Department in August 1998.
And read this excerpt from a New York Times book review published in, get this, May 1998:
''Titan'' has an eerie timeliness. Today's Standard Oil, Microsoft, is under investigation by the Justice Department for its alleged monopolistic practices in the software industry. One strategy the company has pursued, as detailed in The New Republic, amounts to emulation by Bill Gates of Rockefeller's unparalleled instrument of competitive cruelty: ''Microsoft,'' the journalist David Shenk writes, ''was able to establish MS-DOS and subsequently Windows as the standard PC operating system by exacting a royalty for every PC sold regardless of whether its operating system was installed.'' In words echoing those of the Cleveland refiner crushed by Standard Oil, Andrew Shapiro, a fellow at the Harvard Law School's Center for Internet and Society, told Shenk, ''The basic model in the industry today is to be bought by Microsoft or to go out of business.'' The 20th century is ending as the the 19th century did, with the representative corporation of the age seeking to escape the untamable risks of competitive capitalism.
"Eerie timeliness"? I'll say.
Now, what did I take away from my two hours? Well, in some ways, Bill Gates was certainly still a geek. It was clear he has an incredible ability to deeply focus. Of course, there was the serendipity of him reading a book about Rockefeller at that time. But my final, and most profound, take away is that William H. Gates III, billionaire and CEO of the world's largest software company had, indeed, married "up." Good for him. •
* The conviction was overturned on appeal and Microsoft later settled the case with the DOJ.
Tom Fragala is the CEO and founder of Truston. Truston is dedicated to protecting people from identity theft and improving their credit without requiring their personal information. The company has a white-label partner-ready online platform for membership marketing companies, identity theft service providers, banks, and credit card companies. Truston's consumer direct service was awarded 4 stars from PC Magazine in 2007 and its Software-as-a-Service platform won a 2008 Product Innovation Award from Network Products Guide. Truston also received a 2008 Hot Company award, was named one of the 2008 10 Companies to Watch by the Pacific Coast Business Times and identified as an industry leader by Javelin Strategy & Research in their December 2007 identity theft market report.
Filed under: Truston
Tags: bill gates, identity theft, microsoft, mytruston, retire, retirement, truston
HR Outsourcer Colt Has Data Stolen, Leaves Victims Cold
Jun 24, 2008 by Tom Fragala
According to PC World, a human resources outsourcing firm called Colt Express Outsourcing, suffered a data breach when thieves stole a number of computers from their offices. Incredibly, Colt did not have an alarm security system (they installed one four days after the theft).
Because Colt handles health benefits, the data stolen was highly sensitive--names, addresses, SSN's, birth dates, and employment information. The mother load. There were a number of employers effected by the theft, including CNET Networks.
Not only was there no alarm system, it appears that victims are being offered no ID theft protection services by Colt Express. In fact, it seems the company is simply shutting down. I suppose the employers themselves are left to decide if they should provide ID theft restoration help to those effected. According to PC World,
Four days after the break-in, Colt Express installed an alarm system, and the company is "looking into what additional steps may be taken to provide enhanced security," Colt wrote in his letter.
Customers looking for free credit-monitoring services from Colt Express should not get their hopes up, however...Colt is now in the process of going out of business.
Strangely, HR outsourcing giant Ceridian announced it had planned to acquire Colt in February 2008. It must be that the acquisition never happened. If it did happen, why isn't Ceridian stepping forward to help? The Colt web site is down, with just the cryptic statement "home page will be reconstructed - June 2008".
I found more from PogoWasRight. An excerpt of the notification letter sent from Colt Express CEO Samuel G. Colt III to CNET Networks:
By this letter and enclosures, we are providing you with all of the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further. Towards the end of last year, our customer base was reduced to an unsustainable level. colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions. Those decisions are now final.
So it seems this is the deal: Colt, after their own computers were stolen from an office with no security system, is going out of business, leaving customers and thousands of victims with no resources to assist with identity theft protection.
Truston Wins 2008 Product Innovation Award
Jun 17, 2008 by Tom Fragala
I am pleased to announce that Truston received a 2008 Product Innovation Award from Network Products Guide for our myTruston Software-as-a-Service (SaaS) platform.
The Network Products Guide said, in giving the award,
“Truston's innovative SaaS platform offers an organized approach to getting a stolen identity back and keeping it safe.
myTruston is the only ID theft product that does not require sensitive data, is the only SaaS product in the space, supports virtually all fraud types, has unlimited content extensibility, is built on a patent-pending task management engine and allows for seamless integration with partner's web sites.”
Other recognition we have received includes 4 Stars from PC Magazine, a 2008 Hot Company award, being named one of the 2008 10 Companies to Watch by the Pacific Coast Business Times and identified as an industry leader by Javelin Strategy & Research. See all our awards.
Read the press release.
Alaska Law Loaded with Identity Theft Protections
Jun 13, 2008 by Tom Fragala
Alaska has a new identity theft law with protections including privacy of SSN's, credit freezes and data breach disclosures.
Alaska’s HB 65 restricts the request, collection, sale, and sharing of Social Security numbers by both private parties and government agencies. The new law contains limited exceptions for specific purposes such as for insurance, medical services, fraud prevention, law enforcement, or when the use of Social Security numbers is required by law.
HB 65 also gives consumers the right to freeze or lock access to their credit files against anyone trying to open up a new account for credit or services in their name.
Alaska’s new law, which passed with bipartisan support, contains other protections aimed at reducing identity theft, including a requirement that businesses notify consumers of data security breaches, a new court procedure to enable victims of identity theft to remove criminal charges from their records that stem from the conduct of the identify thief, and rules for how sensitive information must be treated when it is discarded.
Read more at ConsumersUnion.
Protect your vehicle from identity thieves
Jun 7, 2008 by Tom Fragala
Your automobile is a target of thieves--that is obvious. Of course, thieves will steal the car itself or valuable items inside, like your cell phone or iPod. That is bad enough. But the information inside your car--not just the car or the items themselves--can be of great value to identity thieves.
Your wallet or purse has everything from credit cards to insurance cards. You may have a laptop, PDA or sensitive papers like a checkbook or financial statement--these are treasure troves of sensitive data. But even if your car is free of all these things, think about what is in your glove compartment. Your insurance card and the car's ownership papers/title can also prove valuable. These have your insurance company, policy number, name, home address and more. Armed with that information a motivated thief could pull mail from your mailbox to build a larger personal profile or get auto insurance in your name.
A friend of mine parked his car in a driveway obscured by hedges and plants, on a quiet, safe street in a relatively low-crime town. He left his wallet and bag in the car, and sure enough, they were stolen that very evening. You never can be sure when a thief is sniffing around so don't take any chances.
Take away: always lock your vehicle, even if you are parked in a "safe" location or leaving for just a minute. And leave nothing of any value visible in your car.
Can you opt-out from credit reporting?
May 30, 2008 by Tom Fragala
Have you ever thought about this: Is it possible to opt-out from having your personal data sent to, and compiled by, the consumer reporting companies (including the "credit bureaus")?
No. There is no law that provides you an opportunity to opt-out of information reporting or sharing with consumer reporting agencies. This includes Experian, TransUnion, Equifax, Choicepoint or other consumer credit or specialty reporting agencies.
What about a credit or security freeze? That is not an opt-out. Creditors, banks and insurance companies with an allowable purpose are still able to share information with credit bureaus and information gatherers. A freeze, in states where it's available, does prevent many (but not all) entities from pulling your credit report.
A few facts about credit card networks
May 15, 2008 by Tom Fragala
I thought it might be interesting to give you a rough idea of the immense size of the credit, debit and prepaid card processing market. Here is some data (2006 figures) on the top 3 operators of retail electronic payment networks, Visa, Mastercard, and American Express. These three are the networks, which essentially do data processing, not the actual issuers (cardholder's bank) or acquirers (merchant's bank).
- Visa: $2.1 trillion in payments volume, 44 billion transactions, and 1.2 billion cards
- Mastercard: $1.4 trillion in payments volume, 23 billion transactions, and 817 million cards
- American Express: $550 billion in payments volume, 4.5 billion transactions, and 78 million cards
American Express is a "closed-loop" network, meaning they issue cards and serve merchants directly. Hence the large payments volume for the relatively smaller number of cards. Visa and Mastercard neither issue cards nor maintain accounts with merchants.
Visa and Mastercard are "open-loop" networks, meaning they operate a system that connects two banks--the issuer (cardholder) and the acquirer (merchant).
Data from Visa Inc.
Is Identity Theft a Bigger Threat Offline vs Online?
May 9, 2008 by Tom Fragala
From Javelin Strategy:
We are not saying (online access and data breaches) are not significant factors,” said James Van Dyke, Javelin’s president and founder. “But the point is that it has really been overblown. I think it is to the detriment of consumers to focus exclusively on these electronic methods of communication. Criminal don’t have a (bias) toward technology. They will use any channel that works.”
My first thought is to ask what does the empirical data say? Let's see what our tax dollars bought us. I opened my copy of the FTC 2006 Identity Theft Survey Report (yes, that's the most recent). See the chart (click for full-size). 56% of respondents did not know how data was taken. For the remaining 44% here's the breakdown as I see it
- Offline: 16% know thief personally, 5% from wallet, 2% from the mail
- Online: 1% Hacking into computer, 1% Phishing.
- Unsure: 7% Some other way, 7% purchase or other transaction*, company that had information 5%*.
* These two categories are questionable, as it's difficult to determine exactly what is meant.
As you can see, the data is difficult to categorize. But it's pretty clear that offline is simply more prevalent than pure online. However, you could argue that there are vast numbers of online thefts that go unreported and so fall under the "don't now how info was taken" 56%. I certainly think the data backs up Javelin's assertion that one shouldn't blow the online threat out of proportion. From personal experience, offline is what has nailed me on more than one occasion.
Take away: protect yourself offline
- Protect your mailbox: lock it or stop account statements, pre-approved offers and "convenience" checks
- Protect your personal belongings: remove unnecessary items from wallet/purse, lock away your check book, protect sensitive documents at home (anything with SSN or account numbers).
Frankly, most people don't go to these lengths.
Truston Named One of Leading Start-up Companies
May 1, 2008 by Tom Fragala
Truston has been named one of the 2008 10 Companies to Watch by the Pacific Coast Business Times.
This was part of the Business Times' annual awards program called the 101 One Hundred Awards. The 10 Companies to Watch were selected because they are the fastest growing and most innovative start-up companies in California's Central Coast--covering Ventura, Santa Barbara and San Luis Obispo counties.
This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide.
See the Truston press release.
Military ID cards will finally have SSN blocked
Apr 26, 2008 by Tom Fragala
ITRC points out that the Department of Defense will finally begin blocking out Social Security numbers on military ID's, dog tags, clothing and military records. About time don't you think? Just imagine the number of cards, documents, and more that have full SSN's on them, putting every military member at serious risk of identity theft.
More from the Leaf-Chronicle:
According to an American Forces Press Service report, military IDs will soon be reconfigured without the cardholder's full Social Security number.
The plan, the report said, is to remove the numbers from ID cards issued to family members by the end of the year, but the sponsor's number would still be displayed for now. Between 2009 and 2010, all department-issued identification cards will feature only the last four digits of a cardholder's Social Security number, the report stated.
Sign the Back of Credit Cards or Not?
Apr 24, 2008 by Tom Fragala
One common tip I have heard is that you should not sign the back of your credit cards or write something in its place asking that ID be checked. What should you do? Well, the right question to me is "Is this an effective fraud deterrent?" Frankly, it doesn't do much. While existing credit card fraud (unauthorized charges on a bona fide account) is a serious issue, you are afforded the most protections by law, as long as you are diligent in checking your account statements.
You may hear people, who write "check ID" in place of their signature on a credit card, raising a stink that cashiers so rarely look and request ID. While strictly speaking these businesses are violating their merchant agreements with the payment card processors (i.e. Visa, Mastercard), let's be practical. I don't think this is a gigantic scandal we need to focus on. There are far bigger fish to fry. Do you really expect MacDonald's to get in people's faces over a $2 purchase?
Recently, Lifehacker had a post on this topic with quite a few comments (with a lot of misinformation and poor advice in the comments). Some people make the point that signing your credit card makes it easy for a thief that steals your card to forge your signature. That's silly -- criminals don't use stolen cards to get your signature. They steal cards to use them ASAP and then get rid of them. Besides, you are required to have a signed credit card according to payment card industry rules. Here is an excerpt right from Visa merchant rules:
While checking card security features, you should also make sure that the card
is signed. An unsigned card is considered invalid and should not be accepted. If a
customer gives you an unsigned card, the following steps must be taken:• Check the cardholder’s ID. Ask the cardholder for some form of official
government identification, such as a driver’s license or passport. Where
permissible by law, the ID serial number and expiration date should be
written on the sales receipt before you complete the transaction.• Ask the customer to sign the card. The card should be signed within your
full view, and the signature checked against the customer’s signature on the
ID. A refusal to sign means the card is still invalid and cannot be accepted.
Ask the customer for another signed Visa card.• Compare the signature on the card to the signature on the ID.
If the cardholder refuses to sign the card, and you accept it, you may end up with
financial liability for the transaction should the cardholder later dispute the charge.
Moreover, Visa goes into even more detail about those who write "See ID" or something similar in place of a signature. Here are guidelines from Visa about this and when merchants should be asking for ID:
“See ID”:Some customers write “See ID” or “Ask for ID” in the signature panel, thinking
that this is a deterrent against fraud or forgery; that is, if their signature is not on
the card, a fraudster will not be able to forge it. In reality, criminals don’t take the
time to practice signatures: they use cards as quickly as possible after a theft and
prior to the accounts being blocked. They are actually counting on you not to look
at the back of the card and compare signatures—they may even have access to
counterfeit identification with a signature in their own handwriting.See ID” or “Ask for ID” is not a valid substitute for a signature. The customer
must sign the card in your presence, as stated above.Requesting Cardholder ID
When should you ask a cardholder for an official government ID? Although Visa
rules do not preclude merchants from asking for cardholder ID, merchants
cannot make an ID a condition of acceptance. Therefore, merchants cannot
refuse to complete a purchase transaction because a cardholder refuses to
provide ID. Visa believes merchants should not ask for ID as part of their
regular card acceptance procedures. Laws in several states also make it illegal
for merchants to write a cardholder’s personal information, such as an address or
phone number, on a sales receipt.If you are suspicious about the transaction or feel you need additional information
to insure the identity of the cardholder, make a Code 10 call.
Take away: stop trying to be clever. Sign your credit or debit cards. There are many other more effective means to reduce fraud.
Fraud alerts do NOT require lenders to contact you
Apr 13, 2008 by Tom Fragala
The misconception that fraud alerts by law require that you be contacted continues on unabated. In fact, a fraud alert is just words on your credit report. Can it be effective in some cases? Yes. Are fraud alerts some kind of "system" that connects lenders and the credit reporting companies together in some automated fashion to protect consumers? No.
It is dismaying that even leading experts like Javelin Strategy & Research make significant errors that perpetuate the misunderstandings about fraud alerts. In their research report entitled "Identity Fraud Protection Services: Double Digit Growth to Continue", they write on page 8 about fraud alerts: "Requires lenders and merchants to confirm an applicant's identity to open a new line of credit." (my emphasis). This is not accurate. There is no law, either federal or state, that requires any lender, bank, credit card issuer, or merchant to pay heed to a fraud alert. Do some of these companies pull a credit report and check to see if the individual has reported fraud (or suspected fraud)? Yes. Is it compulsory? Absolutely not.
Update: Are fraud alerts a good idea of you are a victim of identity theft? Yes, depending on what has happened (i.e., if your personal credit or Social Security number were compromised). Can fraud alerts help you detect identity theft fraud if you use them as a prevention tool? Yes, they may help (however, they don't always work and only help with credit-related identity fraud). This is why you get fraud alert assistance as part of our MyTruston Plus package, along with several other tools to help prevent/detect ID theft (and recover afterwards). Fraud alerts are a nice option to have, yet their effectiveness is overrated.
Update 2: Luke at Javelin (and Mary in the comments below) pointed out to me that in their report, page 19, Figure 11, in reference to the "Fraud Alerts" type of services, Javelin says "Eager lenders may not always verify the applicant's identity before granting credit." This is accurate. I'd like to expand on that: lenders may even check the identity, pull a credit report and still not see the fraud alert (or ignore it).
Non-profit data breach tracking site ends service
Apr 11, 2008 by Tom Fragala
Attrition.org, a non-profit hobby site, has shuttered its news service. They had become one of the "go to" information sources on security and data breaches. Here is an excerpt of their explanation for the shut down (although they leave the door open for occasionally posting news):
In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you".
I can't blame them. Although we at Truston have never contacted them, or used their information to sell product, I can understand their position. I thank them for their unpaid dedication and service to the industry and consumers. I've been reading their site for a few years now and appreciate what they have done. Thank you guys.