Identity Theft Blog by Truston

California data breach law updated and strengthened

Thu, 08 Sep 2011 10:15:56 -0800

A new California law, Senate Bill 24, introduced by Sen. Joe Simitian, D-Palo Alto, requires organizations experiencing a data breach provide more detailed information to those affected. The law, which affects notification of breaches involving financial, healthcare and other personal information, goes into effect Jan. 1, 2012.

This new law updates AB 700, or SB 1386, adopted in 2003, which requires organizations to notify individuals after a breach of personal information. The landmark law - one of the first state breach notification laws in the nation - didn't indicate what information needed to be included in the notification. But it required breaches to be reported to individuals affected "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

The new law requires organizations that experience a breach to provide more detailed information to breach victims. The law requires that breach notifications:

+ Be written in plain language; + Include the name and contact information of the agency breached; + Provide a list of the personal information reasonably believed to have been subject to the breach; + Spell out the date of the breach, the estimated date of the breach or the date range within which the breach occurred; + Specify whether the notification was delayed as a result of a law enforcement investigation; + Offer a general description of the breach incident; + Provide toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver's license or California identification card number; + Include information about what the organization has done to protect individuals whose information was breached; + Outline steps individuals may take to protect himself or herself.

B2C and B2B ID theft space

Mon, 22 Aug 2011 10:06:41 -0800

As I'm sure our readers are aware, Truston hasn't been in the direct to consumer (B2C) space for years, as our plan all along was to be a "back end" white label identity theft provider (B2B). So it is interesting for us to watch the goings on in the the consumer ID theft protection area. Of course, a large portion of this market is banks and credit unions that offer their own branded services. All of those financial institutions, however, use a third-party provider to deliver a private label solution; they don't build it themselves. The biggest players in this arena are CSIDentity, Affinion, Intersections and the three credit reporting companies. Truston offers it's technology through some of these companies, who in turn sell it to banks and credit unions. Our proprietary myTruston product is in use at over 250 banks and credit unions, including American Express, FifthThird Bank and Pentagon FCU. The biggest B2C players are Lifelock and the three credit reporting companies. As the most visible player in the B2C space, it's interesting to note that you can get Lifelock data security for your business to deal with data breaches. Some of the B2C companies are looking for a more stable revenue stream by moving into the B2B market and offering ID theft services for (1) data breaches and (2) employee benefits. We've also seen pure white-label companies like Intersections, grab a significant portion of the B2C space with their Identity Guard product. So two of the largest companies have both reached in opposite directions to grow revenue. It's a potentially lucrative strategy, although not without risk. It can be challenging to straddle two very different sectors and B2C customers might be unhappy with their provider being a competitor (aka channel conflict.)

Shocking insider data theft at Bank of America

Thu, 26 May 2011 09:12:35 -0800

The far-reaching fraud serves as a cautionary tale for all consumers who entrust virtually their entire financial lives to major companies. A BofA employee apparently leaked confidential information about his and hundreds of other customers' accounts to scammers, resulting in more than $10 million in losses. According to the Secret Service, 95 suspects have been arrested so far in connection with the case, which is only now coming to light as BofA finally informs customers that their accounts were compromised. Read more at LA Times

More proof debit cards are riskier than credit cards

Mon, 16 May 2011 09:41:41 -0800

We've been saying this for years.

For the roughly 185 million U.S. consumers with debit cards, the recent security breach at arts-and-crafts retailer Michaels Stores offers yet another cause for concern. The reports allege that the thieves did more than simply steal debit-card information from stores in 20 states they used it to take money from customers' bank accounts. This isn't the first time debit-card information has been stolen, but these kinds of crimes are becoming more common and more serious. The Michaels thefts follow a similar case last summer at Aldi Inc. grocery stores that reportedly led to customer reports of debit-card fraud. Year-to-date, debit and credit cards make up 20% of all consumer data breaches, up from 11% during the same period last year, according to the Identity Theft Resource Center. Debit-card fraud losses incurred by banks hit a record $788 million in 2008, according to the latest estimates from the American Bankers Association, due mostly to stolen and counterfeit debit cards. "This is going to get worse you're going to see more bad guys out there looking for debit card information," says Jay Foley, executive director at the ITRC.

President Announces Cyber-Security Plan

Thu, 12 May 2011 13:17:30 -0800

The White House today unveiled a cyber-security proposal that it hopes Congress will use as a framework for legislation. Among other things, the plan includes national data breach reporting, increased penalties for computer crimes, rules that would allow the private sector to commiserate with the Department of Homeland Security on cyber-security issues, and cyber-security audits for critical infrastructure providers. More from PC Magazine

USPS launches new ID theft information site

Thu, 10 Mar 2011 14:59:30 -0800

A new web site has been launched by the U.S. Postal Service. Loaded with free videos, it's goal is to help people protect themselves against identify theft and especially con artists and criminal scams. It features information on identity theft, work-at-home scams, Internet fraud, foreign lottery schemes. Visit the U.S. Postal Inspector site here.

Cord Blood Registry Customer Data Breach

Thu, 03 Mar 2011 22:22:28 -0800

Cord Blood Registry (CBR) suffered a data breach in December 2010 of apparently all its customer data including SSN, credit card and driver's licenses--effecting over 300,000 people. Customers were informed of the breach on February 14 2011. Read more.

Experian reporting rent history on credit reports?

Fri, 21 Jan 2011 09:54:56 -0800

According to the California Credit law blog:

Experian has announced it will be reporting "positive" rental data from its RentBureau® division into the traditional credit files. Experian states this will help the 50 million underbanked consumers, such as college students and recent immigrants, to build credit with on-time rental payments. Query what happens when someone falls behind in their rent. Will that be a ding on their credit?

Identity theft can cut both ways sometimes

Tue, 11 Jan 2011 17:27:13 -0800

This story shows how twisted ID theft can become:

Mario Miramontes figured during the traffic stop that he could conceal his arrest warrant by giving the police officer the name of his cousin – a 25-year-old husband and father who he believed had no scrapes with the law. After all, he had used the name before when in a legal bind. But Miramontes' plan backfired badly when it turned out the cousin also had a warrant – on charges that he had fondled an underage relative. Still, Miramontes, 22, of Dallas, felt that the error would be discovered when his fingerprints were run at the jail. His parole violation would result in some time behind bars and then he would be released. It didn't happen that way. Instead, Miramontes spent 13 months in the Dallas County Jail without access to a lawyer or court hearing for almost the entire time before the mistake was discovered. He is now suing the county, Sheriff Lupe Valdez and District Attorney Craig Watkins for ignoring his repeated pleas for help after the 2007 arrest.

Consumers Can Dispute Credit Reports with Creditors

Mon, 29 Mar 2010 10:17:59 -0800

The FTC recently testified before Congress and stated that starting July 1st, consumers will have a right to dispute credit reports directly with the creditor, also called a "furnisher" because they furnish the data to the credit reporting companies. Two examples of a creditor are a credit card company or mortgage lender.

In the past, the FTC only required consumer credit reporting companies (Experian, Equifax and TransUnion) to handle credit report disputes (they would in turn communicate with the furnisher directly).

This is a substantial change, at least on paper, to one of the biggest areas of consumer credit problems and identity theft. How it will work in practice, and whether it will improve things for consumers, remains to be seen.

From FTC.gov:

Furnisher Rules: These rules call on companies that furnish information to consumer reporting agencies to improve the accuracy of information they provide. They also give consumers the right to dispute errors in their credit reports directly with the furnishers of the information, in addition to disputing errors with consumer reporting agencies. The rules take effect July 1, 2010.

Tags: credit+report, dispute, furnisher, creditor, FTC

Javelin 2010 Identity Fraud Survey Report

Mon, 15 Mar 2010 11:07:56 -0800

Javelin released their 2010 Identity Fraud Survey Report back in February. As usual, there is plenty of room for people to spin the data. It's a mixture of positive and negative news.

Identity fraud still grew by 12% in 2009, although less quickly than in 2008 (22%). However, cases are also getting reported and resolved more quickly. Javelin reports 11.1 million U.S. adults were victims in 2009 and the total fraud amount increased by 12.5 % to $54 billion. Average fraud resolution time dropped 30% to 21 hours, and nearly half of the victims file police reports, resulting in double the reported arrests, triple the prosecutions, and double the percentage of convictions in 2009.

Note that Javelin differentiates between identity theft (the loss of data) and fraud (the misuse of the data), which is the optimal way to look at thing.

Huge Security Breaches Discovered

Thu, 18 Feb 2010 14:21:30 -0800

Computerword is reporting:

Security researchers at a company called NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.

The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday

My reading of this is that these breaches are much bigger and worse than they've even discovered so far. And this is the new normal we can expect for some time. Huge amounts of attacks and breaches going after corporate and government secrets originating from criminal gangs or governments.

IRS introducing truncation of SSN on some returns

Sat, 05 Dec 2009 10:39:57 -0800

File this one under "About Time!" The IRS is going to test a program that will let filers on a few limited informational returns truncate their SSN.

The IRS has released Notice 2009-93, announcing a pilot program allowing filers of information returns to truncate an individual payee’s identifying number on paper statements for calendar years 2009 and 2010. An individual identifying number is a social security number, individual taxpayer identification number or adoption taxpayer identification number. The provision applies only to information returns in the 1098, 1099, and 5498 series. It does not apply to employer identification numbers (EINs) in the format xx-xxxxxxx. The notice also requests public comments by May 1, 2010.

Under this optional program, payers may replace the first five digits of identifying numbers with asterisks or the letter x. For example, a social security number could appear as xxx-xx-1234. This will enable better protection of personal identifying information for the recipients.

To see the requirements for participating in this pilot program, see Notice 2009-93. The notice also contains instructions on making public comments.

Of course, all this won't solve the problem that full SSNs are often a deterministic number, within a range, if one knows the last four digits.

Tags: IRS, SSN

Close a huge loophole for credit card fraud

Sat, 18 Jul 2009 12:14:55 -0800

There is a huge loophole for criminals that want to take over your credit card account. They can get your account number and change your home address and phone number; redirecting all future statements and calls from customer service. Any calls alerting you to fraudulent transactions will go to the crook, not you! It costs them nothing, even the dumbest crook can do it, and it allows them to do it even if you put a PIN/password on your account. They never have to go online or call the credit card company. It's so simple you're going to laugh. It's also very effective.

The thief just needs to reach into your mailbox (if you have a "rural mailbox" that is standalone) and grab one statement. Now they have your name, address and account number. The real trick comes next: they turn your statement over, fill in the change of address form on the back and mail it in! There is NO authentication by the credit card compainies for this change of address and telephone. Any idiot can do it and it has zero security. If the thief tried to call to change your address, they'd have to enter your SSN, possibly mother's maiden name, and a PIN/password (if you have one and you should). That's too many hoops for the typical thief to jump through. But using the change of address form on your paper statement is as easy as it gets. I don't know of a single credit card company that notifies you when you change your address using that form (if you do, please let us know in the comments). Frankly, it should be a best practice to notify the cardholder before changing the addres, or at least sending a postcard to the OLD address after changing it.

So, the takeaway is this: go to paperless statements (or get a locking mailbox). I know many of you use the paper statement to remind you to pay your bills. I empathize with that need. But nearly every card issuer has an online service that will 1) send you an email notifying you that your statement is available, and 2) notify you several days before the payment is due (if you haven't paid yet).

I know this first hand because it has happened to me and it is no fun trying to unwind the mess.

Tags: USPS, change+of+address, credit+card

Truston Profiled in ID Theft Service Provider Report

Sat, 20 Jun 2009 11:10:05 -0800

Truston was profiled, for the second year in a row, in the Javelin Strategy & Research research report on identity theft service providers, entitled "2009 Consumer Identity Protection Services Scorecard". The report has an analysis of the top identity theft protection services and is based in Javelin's well-respected consumer ID theft survey.

Other companies featured include Equifax, Experian, TransUnion, Affinion, and Identity Guard (Intersections, Inc.)