Identity Theft Blog by Truston

A few facts about credit card networks

May 15, 2008 by Tom Fragala

I thought it might be interesting to give you a rough idea of the immense size of the credit, debit and prepaid card processing market. Here is some data (2006 figures) on the top 3 operators of retail electronic payment networks, Visa, Mastercard, and American Express. These three are the networks, which essentially do data processing, not the actual issuers (cardholder's bank) or acquirers (merchant's bank).

  1. Visa: $2.1 trillion in payments volume, 44 billion transactions, and 1.2 billion cards
  2. Mastercard: $1.4 trillion in payments volume, 23 billion transactions, and 817 million cards
  3. American Express: $550 billion in payments volume, 4.5 billion transactions, and 78 million cards

American Express is a "closed-loop" network, meaning they issue cards and serve merchants directly. Hence the large payments volume for the relatively smaller number of cards. Visa and Mastercard neither issue cards nor maintain accounts with merchants.

Visa and Mastercard are "open-loop" networks, meaning they operate a system that connects two banks--the issuer (cardholder) and the acquirer (merchant).

Data from Visa Inc.

 



Filed under: Credit


Is Identity Theft a Bigger Threat Offline vs Online?

May 9, 2008 by Tom Fragala

From Javelin Strategy:

“We are not saying (online access and data breaches) are not significant factors,” said James Van Dyke, Javelin’s president and founder. “But the point is that it has really been overblown. I think it is to the detriment of consumers to focus exclusively on these electronic methods of communication. Criminals don’t have a (bias) toward technology. They will use any channel that works.”

My first thought is to ask what does the empirical data say? Let's see what our tax dollars bought us. I opened my copy of the FTC 2006 Identity Theft Survey Report (yes, that's the most recent). See the chart. 56% of respondents did not know how data was taken. For the remaining 44%, here's the breakdown as I see it:

  • Offline: 16% know thief personally, 5% from wallet, 2% from the mail
  • Online: 1% Hacking into computer, 1% Phishing.
  • Unsure: 7% Some other way, 7% purchase or other transaction*, company that had information 5%*.

* These two categories are questionable, as it's difficult to determine exactly what is meant.

As you can see, the data is difficult to categorize. But it's pretty clear that offline is simply more prevalent than pure online. However, you could argue that there are vast numbers of online thefts that go unreported and so fall under the "don't know how info was taken" 56%. I certainly think the data backs up Javelin's assertion that one shouldn't blow the online threat out of proportion. From personal experience, offline is what has nailed me on more than one occasion.

Take away: protect yourself offline

  1. Protect your mailbox: lock it or stop account statements, pre-approved offers and "convenience" checks
  2. Protect your personal belongings: remove unnecessary items from wallet/purse, lock away your check book, protect sensitive documents at home (anything with SSN or account numbers).

Frankly, most people don't go to these lengths.

 



Filed under: Identity Theft, Tips


Truston Named One of Leading Start-up Companies

May 1, 2008 by Tom Fragala

Truston has been named one of the 2008 10 Companies to Watch by the Pacific Coast Business Times

This was part of the Business Times' annual awards program called the 101 One Hundred Awards. The 10 Companies to Watch were selected because they are the fastest growing and most innovative start-up companies in California's Central Coast--covering Ventura, Santa Barbara and San Luis Obispo counties.

This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide.

See the Truston press release.



Filed under: Truston

Tags: Truston


Military ID cards will finally have SSN blocked

Apr 26, 2008 by Tom Fragala

ITRC points out that the Department of Defense will finally begin blocking out Social Security numbers on military ID's, dog tags, clothing and military records. About time, don't you think? Just imagine the number of cards, documents, and more that have full SSN's on them, putting every military member at serious risk of identity theft.

More from the Leaf-Chronicle:

According to an American Forces Press Service report, military IDs will soon be reconfigured without the cardholder's full Social Security number.

The plan, the report said, is to remove the numbers from ID cards issued to family members by the end of the year, but the sponsor's number would still be displayed for now. Between 2009 and 2010, all department-issued identification cards will feature only the last four digits of a cardholder's Social Security number, the report stated.

 


Filed under: Identity Theft, Tips


Sign the Back of Credit Cards or Not?

Apr 24, 2008 by Tom Fragala

One common tip I have heard is that you should not sign the back of your credit cards or write something in its place asking that ID be checked. What should you do? Well, the right question to me is "Is this an effective fraud deterrent?" Frankly, it doesn't do much. While existing credit card fraud (unauthorized charges on a bona fide account) is a serious issue, you are afforded the most protections by law, as long as you are diligent in checking your account statements.

You may hear people who write "check ID" in place of their signature on a credit card raising a stink that cashiers so rarely look and request ID. While strictly speaking these businesses are violating their merchant agreements with the payment card processors (i.e. Visa, Mastercard), let's be practical. I don't think this is a gigantic scandal we need to focus on. There are far bigger fish to fry. Do you really expect McDonald's to get in people's faces over a $2 purchase?

Recently, Lifehacker had a post on this topic with quite a few comments (with a lot of misinformation and poor advice in the comments). Some people make the point that signing your credit card makes it easy for a thief that steals your card to forge your signature. That's silly -- criminals don't use stolen cards to get your signature. They steal cards to use them ASAP and then get rid of them. Besides, you are required to have a signed credit card according to payment card industry rules. Here is an excerpt right from Visa merchant rules:

While checking card security features, you should also make sure that the card
is signed. An unsigned card is considered invalid and should not be accepted. If a
customer gives you an unsigned card, the following steps must be taken:

• Check the cardholder’s ID. Ask the cardholder for some form of official
government identification, such as a driver’s license or passport. Where
permissible by law, the ID serial number and expiration date should be
written on the sales receipt before you complete the transaction.

• Ask the customer to sign the card. The card should be signed within your
full view, and the signature checked against the customer’s signature on the
ID. A refusal to sign means the card is still invalid and cannot be accepted.
Ask the customer for another signed Visa card.

• Compare the signature on the card to the signature on the ID.

If the cardholder refuses to sign the card, and you accept it, you may end up with
financial liability for the transaction should the cardholder later dispute the charge.

Moreover, Visa goes into even more detail about those who write "See ID" or something similar in place of a signature. Here are guidelines from Visa about this and when merchants should be asking for ID:


“See ID”:

Some customers write “See ID” or “Ask for ID” in the signature panel, thinking
that this is a deterrent against fraud or forgery; that is, if their signature is not on
the card, a fraudster will not be able to forge it. In reality, criminals don’t take the
time to practice signatures: they use cards as quickly as possible after a theft and
prior to the accounts being blocked. They are actually counting on you not to look
at the back of the card and compare signatures—they may even have access to
counterfeit identification with a signature in their own handwriting.

“See ID” or “Ask for ID” is not a valid substitute for a signature. The customer
must sign the card in your presence, as stated above.

Requesting Cardholder ID

When should you ask a cardholder for an official government ID? Although Visa
rules do not preclude merchants from asking for cardholder ID, merchants
cannot make an ID a condition of acceptance. Therefore, merchants cannot
refuse to complete a purchase transaction because a cardholder refuses to
provide ID. Visa believes merchants should not ask for ID as part of their
regular card acceptance procedures. Laws in several states also make it illegal
for merchants to write a cardholder’s personal information, such as an address or
phone number, on a sales receipt.

If you are suspicious about the transaction or feel you need additional information
to insure the identity of the cardholder, make a Code 10 call.

Take away: stop trying to be clever. Sign your credit or debit cards. There are many other more effective means to reduce fraud.

 



Filed under: Identity Theft, Tips


Fraud alerts do NOT require lenders to contact you

Apr 13, 2008 by Tom Fragala

The misconception that fraud alerts by law require that you be contacted continues on unabated. In fact, a fraud alert is just words on your credit report. Can it be effective in some cases? Yes. Are fraud alerts some kind of "system" that connects lenders and the credit reporting companies together in some automated fashion to protect consumers? No.

It is dismaying that even leading experts like Javelin Strategy & Research make significant errors that perpetuate the misunderstandings about fraud alerts. In their research report entitled "Identity Fraud Protection Services: Double Digit Growth to Continue", they write on page 8 about fraud alerts: "Requires lenders and merchants to confirm an applicant's identity to open a new line of credit." (my emphasis). This is not accurate. There is no law, either federal or state, that requires any lender, bank, credit card issuer, or merchant to pay heed to a fraud alert. Do some of these companies pull a credit report and check to see if the individual has reported fraud (or suspected fraud)? Yes. Is it compulsory? Absolutely not.

Update: Are fraud alerts a good idea if you are a victim of identity theft? Yes, depending on what has happened (i.e., if your personal credit or Social Security number were compromised). Can fraud alerts help you detect identity theft fraud if you use them as a prevention tool? Yes, they may help (however, they don't always work and only help with credit-related identity fraud). This is why you get fraud alert assistance as part of our MyTruston Plus package, along with several other tools to help prevent/detect ID theft (and recover afterwards). Fraud alerts are a nice option to have, yet their effectiveness is overrated.

Update 2: Luke at Javelin (and Mary in the comments below) pointed out to me that in their report, page 19, Figure 11, in reference to the "Fraud Alerts" type of services, Javelin says "Eager lenders may not always verify the applicant's identity before granting credit." This is accurate. I'd like to expand on that: lenders may even check the identity, pull a credit report and still not see the fraud alert (or ignore it).

 



Filed under: Credit, Identity Theft


Non-profit data breach tracking site ends service

Apr 11, 2008 by Tom Fragala

Attrition.org, a non-profit hobby site, has shuttered its news service. They had become one of the "go to" information sources on security and data breaches. Here is an excerpt of their explanation for the shut down (although they leave the door open for occasionally posting news):

In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you".

I can't blame them. Although we at Truston have never contacted them, or used their information to sell product, I can understand their position. I thank them for their unpaid dedication and service to the industry and consumers. I've been reading their site for a few years now and appreciate what they have done. Thank you guys.

 



Filed under: Identity Theft, Other News


What steps to take if you are a victim of identity theft?

Apr 11, 2008 by Tom Fragala

Wrong question. If you are expecting to see a list here of several things to do if you are a victim of identity theft, look elsewhere (although you'll probably get bad advice). Why? Because asking what steps to take if you are a victim of ID theft is like asking me what steps to take if you feel sick. No generic list of steps will ever come close to helping you properly address an identity theft issue.

First, the term "identity theft" is broad and ill-defined. Some people don't even consider existing credit card fraud identity theft. Second, it depends on what specifically is wrong. I'm surprised that in 2008 there are still so many experts that attempt to answer that question with a short list--and without explaining that it depends on what has happened. Credit card account takeover is very different from ATM/debit card fraud, for example.

If someone says you should file a police report, or contact the FTC (useless), or even contact the credit bureaus (a better term is "consumer credit reporting companies"), you are getting the wrong answer. The correct answer is a question, such as "what has happened?" or "what type of personal, credit or financial information has been compromised?" If someone has stolen your checkbook, contacting the credit bureaus might be a dangerous waste of time--distracting you from taking steps you must perform immediately. However, it might be the right thing to do if the thief also took your social security number.

Take away: no static list of steps or printed boilerplate ID theft "kit" can provide you an appropriate response to most identity theft situations.

 



Filed under: Identity Theft, Tips


Truston Wins Info Security Products Guide Award

Apr 9, 2008 by Tom Fragala

After being named a 2008 Hot Company in January, we just received another industry award. This time it is specifically for our patent-pending myTruston web-based technology and was given by the Information Security Products Guide.

This program is called the 2008 "Tomorrow's Technology Today" Awards and they are given to a select number of companies that have truly cutting edge technology in the security market. We won in the identity theft category. Other 2008 winners in other categories include Alcatel-Lucent, LogMeIn, Webroot, Network Appliance, Imprivata, NEC and Hitachi.

Congratulations to our engineering team!

See the Info Security Products Guide Awards page and the Truston press release.

 


Filed under: Identity Theft, Truston


ConsumerSay: Just Say No?

Apr 2, 2008 by Tom Fragala

Consumerist has a blog post about a service called ConsumerSay that pays you $20 to hand over a lot of sensitive personal information, including credit card accounts. They use this data to track your habits and understand consumer behavior and opinions. At a glance, it does not appear that ConsumerSay is a "scam" (although that depends on your definition). It is run by a company called Lightspeed Research, which appears to be a subsidiary of WPP, one of the world's largest marketing and advertising companies.

Joining and participating in ConsumerSay is free. Please be assured that your credit card account(s) will not be manipulated or altered in any way. You are simply granting us permission to view your transactions. You will not see any charges on your credit card as result of your participation on ConsumerSay.

Anybody out there think this is a good idea?



Filed under: Privacy, Tips


FTC reaches settlement with TJX

Mar 27, 2008 by Tom Fragala

So the settlement is that TJX has to submit to a total of 10 security audits over the course of 20 years. Which is something they would do anyway most likely. Now, the FTC has limited powers under the FTC Act and it isn't a law enforcement agency. Still, I expect a lot of people will see this as a soft slap on the wrist.

In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Specifically, the agency charged that TJX:

  • Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

Read the FTC press release here.



Filed under: Data Breach, Identity Theft, Privacy


Did security provider to Hannaford try to erase ties?

Mar 20, 2008 by Tom Fragala

My favorite ID theft/security/privacy blog, Fraudwar by Ed Dickson, has a post about a security company that has Hannaford as a customer. Hannaford being the folks that just suffered a data breach of 4.2 million credit/debit accounts. In typical blog fashion, I write a provocative title and link to another blog, which links to another blog. Apparently the controversy may not be what it seems, but it makes great copy.

 



Filed under: Data Breach


Trust but verify: Keep your receipts

Mar 18, 2008 by Tom Fragala

After you purchase a product/service, keep the receipts. That way if you need to return a product, or cancel a service, or file a complaint, you have a record of things like the order number. And if you do return goods via the mail to get a refund or credit, I recommend spending a bit more for proof of delivery and, sometimes, insurance.

Then remember to double check that the retailer or service provider actually DID process the credit or refund. And don't trust implicitly that they will, just because someone says it has, or will be, done over the phone.

I know this is absurdly obvious advice. Yet, something that happened to me recently raised my awareness again. I ordered a pet product from entirelypets.com. It didn't fit, so I called, got an RMA number, and mailed it back--with delivery confirmation. Over two weeks after the shipment was received, no credit had been applied yet to my credit card. So I called again 5 days ago. The phone rep said, "We've had it here for 6 days, but we haven't processed the refund yet. We'll do it now and it will take up to 3 days to appear on your credit card account."

I checked my credit card account this morning, and there was still no credit. I called the retailer this morning and spoke to the same phone rep. He said (no apology) that the credit had not been applied, but now, it would. During this chat, he yelled over the phone to a "supervisor" in the background (it sounded totally contrived, frankly.) He assured me that this time the credit would be applied.

I can only assume this entire episode was a purposefully clever and deceptive kind of "customer service". The idea is that people will just get so tired of calling, or will forget to double check, resulting in getting the product back plus keeping the original amount paid. Sweet deal for the retailer, rotten deal for the consumer.

So, keep your receipts and use them to remind you to check that the entire billing process goes as it should. Keep them in a folder or drawer and clean them out once or twice a year.

 



Filed under: Credit, Tips


Supermarket company Hannaford reports data breach of 4.2 million accounts

Mar 17, 2008 by Tom Fragala

The Hannaford Bros. supermarket chain said a breach of its computer system led to the theft of about 4.2 million credit and debit card numbers from its Hannaford and Sweetbay stores and other locations.

Hannaford, based in Maine, said about 1,800 cases of fraud have been tied to the breach, but no personal information -- such as names or addresses -- was accessed, and it has contained the breach.

More from The Boston Globe.

 

 



Filed under: Data Breach, Identity Theft


A common misconception: different credit scores exist

Mar 14, 2008 by Tom Fragala

The Red Tape Chronicles, a popular blog on MSNBC, has a post about credit scores. Looks like he is doing a series on them. It's a topic that always raises people's ire and is a constant source of confusion and irritation.

There is one very common misconception and issue that is essential for people to understand. That is, there are different credit scores out there. People seem to think there is some government agency or golden rule that decides what your credit score is. In fact, there is really just a "de facto" standard: usually when you are talking about your credit score, you really mean your FICO Credit Score. That is what most banks, lenders and mortgage companies use to determine your credit worthiness and ability to repay a loan. FICO is a creation of a for-profit, publicly traded company called Fair Isaac. And the formula for computing your FICO score is private--they protect it because it is something they developed and make money from.

You should be aware that there are MANY other providers of credit scores out there and they are NOT ALL EQUAL. That is worth repeating: there is no single credit score and all credit scores are not created equal. To be safest, make sure you are seeing or purchasing a FICO Credit Score. Yes, that benefits a for-profit company, but for now they are the "true" credit score in most cases.

The other most common providers of credit scores are the three consumer credit reporting companies themselves (i.e. the credit bureaus Experian, TransUnion and Equifax) and a company called CreditXpert. See, a credit score is always computed using your credit report, which these three bureaus maintain or "own." Fair Isaac, through their own business acumen, built the de facto standard FICO score and the bureaus don't like paying Fair Isaac for this score. So the credit reporting companies are fighting back by selling their own credit scores to consumers, using their own formulas. These formulas are similar but not identical to what Fair Isaac uses. So a non-FICO credit score may be a very different value than your FICO score. In other words, it might not be the same number a bank or lender is looking at.

And you may be wondering, how do I get my free credit score? Well, if you apply for a mortgage or other loan product, and a score is used, the lender is required to provide it to you if you ask. Often, you will find a "free" credit score bundled with other services like credit reports or identity theft protection. You should check to see if what you are getting is a FICO score or not. I'm not saying that non-FICO scores are necessarily bad or useless in all cases. But most people want to see the same number lenders look at, which means a FICO score.

Note: the chart above shows you the five categories Fair Isaac uses to determine your credit score and how heavily it weights each category.

 



Filed under: Credit, Tips

