Sunday, January 07, 2007

With all the data breaches - something needs to be done!

There have been a lot of large data breaches in the past year in which anonymous sources pointed to a retailer (merchant) as the point of compromise. Of course, as in most data breaches, the rumors are often "downplayed" and in some instances denied.

Card processors, too, have been accused of retaining information they shouldn't have kept.

The Privacy Rights Clearinghouse maintains a chronology of data breaches since 2005, which can be viewed here.

A business has good reason not to disclose everything: the negative publicity would hurt its bottom line.

That is probably one of the better arguments for legislation requiring full disclosure when people's personal information is compromised.

Could it be that many of these breaches are enabled by point-of-sale systems that store far more cardholder data than they need, protect it poorly, and are therefore easily compromised (hacked) by criminals?
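As an added example (not code from the original post, and not SecurityMetrics', MasterCard's or Visa's scanning tool), here is the kind of check a merchant can run over its own point-of-sale logs or database exports to find out whether full card numbers are being stored: it finds runs of 13 to 19 digits, uses the Luhn check to separate real card numbers from other long numbers such as order IDs, reports and redacts what it finds, and shows what a stored sale record should look like instead. The log lines below are constructed for the example and the field names (card=, exp=, order=) are assumptions, not a real POS format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what a point-of-sale log might contain (not real data).
# Line 1 and line 4 store a full card number; line 2 is already masked;
# line 3 holds a 16-digit order number that is NOT a card number.
SAMPLE_POS_LOG = """\
2007-01-07 09:14:02 SALE terminal=07 amount=42.19 card=4111111111111111 exp=0309 auth=OK
2007-01-07 09:15:44 SALE terminal=07 amount=18.00 card=411111******1111 auth=OK
2007-01-07 09:16:10 VOID terminal=03 order=1234567890123456 reason=customer
2007-01-07 09:17:51 SALE terminal=03 amount=7.50 card=5500000000000004 exp=1208 auth=OK
2007-01-07 09:18:33 BATCH terminal=03 settled=3
"""

# A run of 13-19 digits, optionally separated by spaces or dashes, not
# preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands. It is a checksum,
    not proof that the number is issued, but it removes most false positives."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every unmasked card number (Luhn-valid 13-19 digit run) in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display
    rule); everything in between is replaced with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(log: str) -> List[Tuple[int, str]]:
    """Return (line number, masked card number) for every line that stores an
    unmasked card number. Only the masked form is ever reported."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


def redact_log(log: str) -> str:
    """Rewrite the log with every Luhn-valid card number masked in place;
    other long digit runs (order numbers, timestamps) are left alone."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, log)


def safe_record(pan: str, amount: str) -> Dict[str, str]:
    """What a POS system should persist after authorization: a masked card
    number (enough for receipts and chargeback lookups) and the amount.
    Expiry, CVV and magnetic-stripe track data are never passed to storage;
    the full PAN is masked before it is written."""
    return {"card": mask_pan(pan), "amount": amount}


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_POS_LOG):
        print(f"line {lineno}: stores full card number {masked}")
    print(redact_log(SAMPLE_POS_LOG))
```

The scan finds the two sale lines that store a full card number and ignores the order number on the void line, which is sixteen digits but fails the Luhn check. Running the same scan over the redacted output finds nothing, which is the state a merchant's stored data should be in before anyone asks about compliance.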

Last month, Visa International issued a press release offering $20 million in incentives to what it terms Level 1 and Level 2 merchants (its largest merchants by transaction volume) to help them comply with the existing PCI standard. It also mentions fines that will be imposed on merchants who decide not to conform.

The press release states:

"Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

According to the press release, "current PCI compliance among Level 1 merchants is at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance."

The bottom line is that the card associations (themselves) appear to be getting pretty sick and tired of all the data breaches. My guess is that the banks, who deal with the customer fall-out, are getting pretty tired of it also.

After one of the many posts I've written about data breaches, I came into contact with a company called SecurityMetrics, which provides a service to help merchants protect their cardholder information.

Wen Free (Director of Business Development) told me that he believes breaches at the merchant level are becoming an "all too common" problem. Wen also told me that I would be shocked at how many merchants aren't in compliance and are storing information that isn't protected properly.

Wen pointed me to a tool developed by SecurityMetrics and MasterCard with which a business can run a free scan (https://www.securitymetrics.com/eval_scan.adp) of its systems to determine how compliant it actually is.

If he is right, these merchants are lucrative targets for hackers in search of people's financial information.

The fact that only 36 percent of Visa's Level 1 merchants and 15 percent of its Level 2 merchants are "compliant" supports his contentions. And we have to remember that Visa isn't the only major card brand in the game, and that most merchants accept several of them.

With all the recent large-scale attacks on payment systems, it's going to be harder and harder for businesses to absorb the losses from data breaches. Recent stories about carder forums, where this information is bought and sold on the Internet, suggest there is an abundance of already-breached card data available.

How the losses are allocated is normally kept pretty quiet, but my guess is that if the banks can charge a loss back to a merchant, they are doing so. In the end, though, these losses are passed on to all of us in the form of higher prices.

There are also customers stating that their fraud claims were denied and that they are stuck with the loss. This is especially likely with debit cards if the loss isn't reported promptly: under U.S. rules a credit card holder's liability for unauthorized charges is capped at $50, but a debit card holder's liability grows the longer the report is delayed.

Should everyone involved fail to solve this problem by themselves, my guess is that legislation will be the next step. After all, one of the most important assets in any business is the "trust and confidence" of its customers.

Here is a previous post, I wrote on this subject:

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

Saturday, January 06, 2007

Is Bashing DHS for the Swift Raids Fair?

Suad Leija (courtesy of YouTube)

Recently, a lot of people were bashing DHS over the raids at the Swift meat-packing plants. There were allegations that only 65 of those "detained" were charged with crimes and that everyone else was "hard working and innocent." Of note, the Associated Press just reported that this number is up to 220, and DHS is still investigating. Just being here "illegally" is considered an "administrative matter," not a "crime."

AP update, here.

Could this mean that some of the "fake identification" is of such "high quality" that it's taking time to establish criminal activity? It might also mean that the rights of those being charged are being considered carefully.

After all, we live in a country, where people have rights.

DHS has maintained that the raids were part of a much larger investigation into organized crime and the mass production of fake identification.

I've always taken the stance that I have nothing against hard working people trying to make a better life for themselves, but that we can no longer afford to let criminals control our borders.

And besides hard-working citizens having their identities stolen and used for illegal purposes, we have to consider the threat to national security. Several of the 9/11 hijackers used fraudulent documents to obtain legitimate, state-issued identification.

In July, I did a post about how organized the mass production of fake identification is. According to the stepdaughter of one of the ringleaders of the organized crime ring behind it, they consider terrorism an "American problem."

The stepdaughter (Suad Leija) has now taken to YouTube, and you can hear what she has to say here.

CNN also did an interesting story (available on YouTube), which shows how easy it is for "anyone" to get fraudulent identification, here.

Also included is a lot of evidence that some of this fake identification is so good that it easily passes muster at a border crossing or an airport. Of note, the video shows card-reading technology used at a liquor store that catches a lot of these fakes, and points out that it isn't in use at our airports or borders.

Maybe this is something DHS could look into, further?

I also did a post about a writer from Colorado, an identity theft victim, who wondered aloud whether she was one of the people "arrested" at Swift.

I wonder whether any of the critics of the Swift raids have had their identities stolen, and if they had, whether they would be so quick to judge the actions of DHS.

Thursday, January 04, 2007

Should cats be issued credit cards?

In order to protect her privacy, my daughter used to use the dog's name to register on websites fond of data mining personal information (smart kid). Shortly thereafter, our dog (Oliver) started receiving a lot of junk mail. Included were pre-approved offers for credit-cards.

All of this correspondence went directly into a shredder and we had a good laugh about it. I had to "coach" my daughter not to use our "actual address" and the problem stopped.

Now Reuters is reporting that a woman in Australia used her cat's name to apply for a secondary credit card, and was able to get a new card for the feline. Her stated reason was to prove that it's too easy to commit credit card fraud.

Reuters quoted the woman (Katherine) as saying:

"You don't need to hack into the internet when you can just steal someone's credit card number and create a card for yourself."

In fact, had Messiah (the cat) been a fraudster and not a feline, Katherine wouldn't even have known the card existed.

"I wasn't notified that a second card had been issued. Messiah could have put a different address and the card would have been sent there and I wouldn't have known. If it's that easy for a cat to get credit, imagine what a dog could get."

Reuters story (courtesy of IBN), here.

There was another story I blogged about, where journalists tested how much security there is when a credit card is issued:

Ever Wonder How Well the Credit Card Companies Protect Your Personal Information?

But my favorite story about credit being issued "too easily" (along with pictures) comes from Rob at Cockeyed.com, which can be seen - here.

Credit card fraud is a serious problem, which causes a lot of "pain and suffering" to anyone unfortunate enough to be impersonated.

Wednesday, January 03, 2007

Medical Identity Theft Could Kill

Recently, I've seen a lot written about medical identity theft. There seem to be a lot of people getting bills for medical procedures they never received and subsequently going through a lot of "pain and suffering" to clear their good names.

And (it seems) organized criminals are getting involved in the activity, probably because it's a "profitable" enterprise with little danger of getting caught.

BusinessWeek online did an interesting article about this, where they said:
Yet the thief isn't always an individual desperately needing medical care. In some instances, the perpetrator can be a doctor hoping to pad his or her income by filing fraudulent claims. Even worse, law enforcement authorities say that more and more frauds are being perpetrated by organized crime rings who steal dozens, and sometimes thousands, of medical records, as well as the billing codes for doctors. The rings then set up fake medical clinics—offering free health screenings as a ruse to draw in patients—that submit bogus bills to insurers, collect payments for a few months, and then disappear before the insurers realize they've been had. (Dixon notes that health records now fetch $50 to $60 each on the black market, vs. a mere 7 cents for stolen résumés.)

BusinessWeek online article, here.

The BusinessWeek article quotes Pam Dixon, executive director of the World Privacy Forum, and rightfully so. The World Privacy Forum (to the best of my knowledge) was the first to call out this growing problem and has done quite a bit of work to determine the extent of it.

They have an entire page devoted to it on their site, here. I highly recommend it for anyone, who is, or might become a victim of this growing trend.

Based on their research, they have presented some key recommendations:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Victims of medical identity theft should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy.

The World Privacy Forum has also presented its findings to several government agencies, including the FTC.

This problem goes beyond the financial implications of identity fraud because it could cause great harm to victims who have had erroneous information put in their medical histories. People could be misdiagnosed or mistreated on the strength of someone else's records, which might (in an extreme case) cost them their lives.

I did a previous post:

Tell it to the Identity Theft Task Force

Since the Federal Identity Theft Task Force is soliciting information from the public, this would be an appropriate place for anyone to voice their thoughts (and recommendations) about medical identity theft.