Archive for 'Identity Theft'

Data Privacy Day 2009

Wednesday, January 28th, 2009

Last year on January 28th, the first annual Data Privacy Day celebration was held in the United States at Duke University. Today marks the second annual Data Privacy Day, and the celebration has grown dramatically.

Last year, Governor Easley proclaimed January 28th as Data Privacy Day for the state of North Carolina. This year, he proclaimed January Data Privacy Month. North Carolina, Washington, California, Oregon, Massachusetts, and Arizona have also declared January 28th to be state-wide Data Privacy Day. Last but certainly not least, Congressman David Price and Congressman Cliff Stearns introduced House Resolution 31, which was passed on January 26th with a vote of 402 to 0, to make today National Data Privacy Day in the United States. It is truly outstanding to see such strong support in the form of resolutions and proclamations.

The best way to support or celebrate Data Privacy Day is to take action. Since the goal of Data Privacy Day is to promote awareness and education about data privacy, one easy way to act is to check out all the great educational resources made available in conjunction with Data Privacy Day. For example, Google has posted about what it has done to protect privacy and increase awareness of privacy. Microsoft is holding an event tonight and has more information on data privacy on their website.

Here at The Privacy Place, we were once again pleased to have the opportunity to celebrate Data Privacy Day at Duke University by attending the panel discussion on Protecting National Security and Privacy. The panel discussion was extremely well-attended and well-received. This event had a number of sponsors, including Intel, which has a fantastic website with extensive information on Data Privacy Day. If you weren’t able to make it to the panel, I would strongly encourage you to check out Intel’s site.

Lastly, Data Privacy Day is all about awareness and education, so be sure to spread the word!

[Update: Fixed the link to the House Resolution that passed on Monday.]

More at Stake Than Just Your Password

Tuesday, September 23rd, 2008

By Jeremy Maxwell and Dr. Annie I. Antón

Hackers recently broke into Governor Palin’s personal Yahoo email account and, subsequently, several of her personal emails and family photos were posted on the internet [See: BBC Article].
This recent case reminds us that we must be careful with the information we divulge online as well as the information that is requested of us online. Consider that the responsible hacker was able to guess Governor Palin’s answers to the security questions that Yahoo used by doing some simple Internet searching [See: PCWorld].

This attack could be considered a social engineering attack [See: Social Engineering Fundamentals]. Social engineering attacks are not technical attacks, but instead aim to trick the victim into divulging personal information. Phishing and trojan horses are also examples of social attacks. The Governor Palin attack, however, is similar to the attack described by Herbert Thompson, where an attacker can gain access to user accounts simply by using information available on the internet, usually using some sort of password resetting service that asks personal questions to validate the identity of the user. If this private information is well known, then anyone could impersonate the identity of the victim. Sources of information can include public records such as driving or court records, blogs, social networking websites, personal websites, etc. The lesson here is to avoid posting private information in a public setting. Most people would not post their Social Security number or the password to their email account on their blog, but the information they do post might be enough.

So before you post the name of your first pet on Facebook or MySpace or on your blog, think about whether it can be used to fraudulently impersonate you at a later date.

[Update: Fixed minor grammar error]

The Real Lesson Behind Laptop Loss

Monday, March 27th, 2006

Ernst and Young is the latest company to fall into the data breach spotlight due to a lost laptop. An E&Y laptop was lost which had the personal information of over 38,000 British Petroleum employees. BP officials began notifying their employees that their personal information may have been exposed and may put them at risk of identity theft. In this particular case, social security numbers were among the personal information on the laptop.

The UK IT Trade web site, The Register, had the following headline:

40,000 BP workers exposed in Ernst & Young laptop loss


NC Law Helps Fight ID Theft

Friday, December 2nd, 2005

According to a Raleigh News & Observer article, North Carolina passed a law that allows people to freeze their credit reports to thwart identity thieves. Essentially, by freezing their credit reports, the person creates a shield around their credit report so that companies attempting to view their credit report are denied. Since creditors generally will not grant credit to people when they cannot access their credit report, this keeps identity thieves from applying for credit cards, loans, etc. under the victim’s name. This is one of 40 laws that North Carolina is enacting in order to combat a problem that carries a national cost of $48 billion a year for businesses and $5 billion for consumers.

Read more about this by accessing the N&O article here.

What is Identity Theft, exactly?

Tuesday, November 15th, 2005

The fears and discussions of identity theft have increasingly flooded news sites and blogs in 2005, yet it is not always clear exactly what constitutes identity theft when data breaches and frauds are discussed. For example, the oft-discussed ChoicePoint data breach involved the fraudulent acquisition of over 145,000 people’s personal information, yet fewer than 1,000 individuals have been reported to have suffered any direct losses as a result. Back on February 18, Cox News Service reported that “the criminals collected enough financial data to begin buying everything from jewels to consumer electronics … at least 765 such crimes have come to light so far” (the article, “ChoicePoint boss keeps low profile amid crisis”, is available on Lexis/Nexis). So is it proper to say that 765 people were identity victims, or 145,000? The media has not particularly attempted to distinguish the 765 victims from the 145,000 exposed to risk. To the media, all have been victims of identity theft – is this an accurate claim?

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

  • identity theft: unauthorized access to personal records;
  • identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ lies in how the misuse of an existing credit card is classified. If a criminal simply getting your existing credit card number and embarking on a shopping spree is identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead, we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.

ID Theft — Online Threat?

Wednesday, October 12th, 2005

A recent study by Javelin Strategy & Research has found that in 26 percent of all ID theft cases, the victim knew the person responsible for the theft. The same study explains that online identity theft isn’t the largest threat. For those users who are afraid to make purchases online, you may be interested to know that you are more likely to be at risk from dumpster divers. Still, identity theft has tripled in the past couple of years, so make sure you continue to shred personal documents, give out your personal information sparingly, and regularly obtain your credit report.


North Carolina Consumers Gain New ID Theft Protections

Wednesday, September 28th, 2005

North Carolina Governor Mike Easley signed into law Senate Bill 1048, “The Identity Theft Protection Act of 2005” on September 21, 2005. Under this bill, businesses are prohibited from using Social Security numbers to identify customers. The measure requires businesses not to print Social Security numbers on documents, such as health insurance cards. The bill also restricts businesses from selling or displaying SSNs to a third party without an individual

Aladdin Study Uncovers Increase in Crime-Related Spyware

Monday, September 19th, 2005

Security company Aladdin’s eSafe Content Security Response Team (CSRT) found that 15 percent of spyware threats succeed in copying a user’s passwords, usernames, hashes of an administrator’s passwords, instant messaging usage, email addresses and other sensitive information. The two-month analysis of the top 2,000 known spyware threats shows that there is a growing amount of spyware specifically designed for identity theft. This spyware poses tremendous threats to both personal and commercial privacy, with potentially dangerous effects for large organizations in need of protecting proprietary information. Read a full article of this story.

Author’s recommendation:
For Windows users, please download ALL of the following three antispyware tools and run them once a WEEK on your personal computer. All three of these tools are free for personal use:

  • Ad-Aware
  • Spybot Search and Destroy
  • Microsoft Windows AntiSpyware

The Identity Theft Resource Center reports 102 data breaches since Jan. 1, 2005

Wednesday, September 14th, 2005

The Identity Theft Resource Center reports 102 data breaches in the U.S. since Jan. 1, 2005, potentially affecting more than 56.2 million individuals. Most of the incidents could have been prevented with safe data handling practices, for example, by not sending postcards with Social Security numbers on them and not requiring students to place name and SSN on rosters that are passed through classrooms or placed on papers or tests. See the most up-to-date list of 2005 Disclosures of U.S. Data Incidents (PDF). An interesting observation is that a lot of these incidents happened in universities.

Hurricane Katrina and ID theft

Tuesday, September 13th, 2005

The reports of devastation and tragedy coming out of the areas affected by Hurricane Katrina have dominated the news for the past week and a half now. Many of the stories have centered around the outpouring of aid and personal efforts to rescue and restore survivors to some semblance of normalcy. Amidst these efforts, however, have cropped up some stories about the risk of identity theft and the efforts of some to defraud the victims of the storm.

Last week, experts (such as the FTC ID theft program head) were already warning the public of the high risk of identity theft tied to the hurricane’s aftermath. An AP story noted that “Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans.” The risk of credit card fraud and identity theft is clear, as the information leakage was certainly not the first thought of survivors escaping their homes and being rescued from rooftops.

The same article notes that some 2,000 web sites popped up related to Hurricane Katrina relief efforts, but about a dozen are under investigation for potential fraud. Not only is there a risk from completely fraudulent web sites, but also from phishers spoofing major relief efforts such as the Red Cross or Salvation Army. This article notes the email scams already observed and the risk of such phishing attacks increasing in the coming weeks. According to the article, VeriSign has gotten involved in hunting down such phishing efforts and took down two such sites already as of last week.

Some unscrupulous individuals have already been arrested for attempted ID theft. Three people in Mississippi went to a shelter and posed as FEMA officials in an effort to obtain personal information – such as names, birthdates, and SSNs – from evacuees. The AP broke this story on Saturday.