Saturday, June 09, 2007

The Virginia Watchdog - one woman making a difference in the war against Identity Theft

*Cartoon courtesy of the Virginia Watchdog site.

BJ (Betty) Ostergren a.k.a. “the Virginia Watchdog” is ONE woman making a difference on a daily basis. The way she makes a difference is by stopping our personal information from being plastered all over the Internet by local governments.

Most of these records have been sitting in different county offices for a long time, however in the past ten years; many of them have gone online.

These records contain everything a criminal would need to commit identity-theft -- or even scarier -- everything a more twisted person would need to track someone down with a more sinister intent than stealing money.

Since children’s information is on these sites, this information could even be used by pedophiles.

The reason this information has been placed online is because special interests have been pressuring legislators to make it easier for them to data-mine information. Data brokers have a vested interest in having this information VERY easy to get at.

They are making billions of dollars selling people’s personal information.

Data brokers sell this information to just about anyone -- as evidenced in a recent New York Times story -- where one of these brokers, InfoUSA, sold lists of information used by Internet scam artists to target senior citizens.

Smart Money did a story on BJ, which shows how this information is being made available, worldwide. Smart Money correspondent Aleksandra Todorova quoted David Bloys, a title examiner as saying:

Once a county's records are digitized, it's very easy — and incredibly cheap — for data compilers like Axciom and DataTrade to purchase the files and sell them to information brokers like Choicepoint, says Bloys. That's because under most states' Open Records laws, counties cannot charge more than the cost of copying the documents — which means a computer disk containing 10,000 records can be hadfor as little as a few dollars. What's more, Bloys explains, the companies that actually scan the documents for the county — the so-called wholesalers — often ship the images to foreign countries, like India or China, where outsourcers index the records much more cheaply than could be done in the United States. "[Our public information] is being distributed instantly all over the world," says Bloys.

The Smart Money article also pointed out a site, which proves this point:

To see for yourself, take a look at the web site of String Information Services, an outsourcing data digitalization and processing company in India, which boasts of its ability to provide you or your business with "online access to [lien and judgment] records of more than 200 counties."

BJ was kind enough to spend a little time with me and demonstrate exactly what she is talking about. We got on the Internet together, and she was able to find a lot of personal information on people I know in the greater Washington D.C. area (Maryland Suburbs).

BJ has been able to access a lot of people’s personal information on these sites. Some of the people's information she has found include politicians, crime fighters and celebrities. Personal information on Wolf Blitzer, Donald Trump, Rudy Giuliani, Jeb Bush, Colin Powell, Leonardo DiCaprio and Robert De Niro - to name a few - have all been found online by BJ.

There is little doubt all of us are at risk when personal and private information is available to anyone, but some are at more risk, than others.

BJ was quoted in the Washington Post as saying something, which should scare all of us:

Don't you think if I can get Tom DeLay's Social Security number . . . that some guy in an Internet cafe in Pakistan can, too?" she asks, her voice rising with indignation. "It's just ridiculous what we're doing in this country."

This struck me as particularly chilling, in the post 9-11 world. Think about what a terrorist, or other fiend could do with some of this information, which can be accessed by anyone!

To me, BJ is a real American hero and deserves of all of our support. She is not compensated in any manner for what she is doing, and has spent a lot of her own money on this NOBLE effort. She also spends a lot of her PERSONAL TIME letting people know they are exposed.

Although, this story is being covered in a lot of places -- including this humble blog -- there are some, who think she should be featured on a big show like Oprah.

Bill O’Reilly lobbied long and hard to get on Oprah, and she finally put him on. This is an important story, perhaps Bill should consider doing a segment on the Virginia Watchdog, also.

Recently, Oprah did a show about Internet fraud, after her name was being used in some Internet scams. There is little doubt that the Internet has enabled a lot of fraud, making it too easy to do with the click of a mouse from just about anywhere.

You can write Oprah to ask her to put BJ on her show, here.

BJ's site, which has a ongoing chronology of her efforts, can be seen, here.

The Smart Money article, I quoted can be viewed, here.

Tuesday, June 05, 2007

Spear phishermen target executives to steal company information

Shamus McGillicuddy of CIO News highlights an interesting fact, which is you never know, who is going to fall for a phishing scam.

The phishermen normally send out a lot of bait (spam) in the hopes of hooking a few phish.

Shamus writes:

Over the last week and a half, spam messages purported to be from the Internal Revenue Service and the Better Business Bureau have been specifically targeting senior-level corporate executives with phishing scams.

Experts say these targeted phishing attacks, sometimes called "spear phishing," are nothing new, but they illustrate that spammers are getting more adept at targeting sophisticated email users who have access to the most sensitive data within their companies.
Spear phishing is simply a more focused form of phishing, which uses more personal touches, such as a person's real name, and or title.

With all the information plastered over the Internet, or available for sale; it isn't hard for phishermen to get what they need (personal information) to go spear phishing.

Many private companies and government organizations recognize the danger phishing poses in the workplace. To counter this, and raise awareness; they are phishing their own employees.

Recently, I did a post about this, which revealed more employees fall for this, than many would like to admit:

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

There seems to be more and more phishing out there, which might be inspired by DIY (do it yourself) kits being sold over the Internet. DIY kits make it easy for not very sophisticated criminals to become expert phishermen.

The only good news about phishing is that with a little awareness, most people can spot this activity, because the phishing ploy doesn't make much sense, or is too good to be true.

CIO News story, here.

BBB Alert, here.

IRS Alert, here.

Merchants demand their rights from the payment (credit/debit) card industry!

Not very long ago, credit and debit (payment) card fraud was considered a cost of doing business. With carder forums and data breaches, the cost of payment card fraud has reached billions of dollars, and merchants, especially smaller ones, are being impacted in a negative manner.

There seems to be a looming battle on the horizon over, who is going to pay for all the fraud. Recently, in light of the TJX breach, legislation was introduced to charge more of the costs off to merchants.

Merchants have always been charged for a lot of fraud in the form of chargebacks. When I saw the proposed legislation, my first thought was how it would impact the smaller merchants, pretty harshly.

Additionally, merchants aren't only becoming more alarmed by fraud, but also by a perception that current fee structures are unfair, and deceptive. Interestingly enough, a lot of consumers feel the same way, also.

Today, I read an interesting press release about a movement to adopt a "Merchants Bill of Rights."

Recently, supporters of this bill did a survey of merchants, where they discovered:

  • Only 26 percent of participants believe they are being treated fairly by the debit/ credit/prepaid card processing industry.

  • Only 32 percent understand unfair card processing practices and how they impact their business.

  • Only 21 percent understand the rates, fees and surcharges they pay.

  • Only 15 percent believe they are charged the same as larger businesses.

The survey was sponsored by Heartland Payment Systems, who processes payment card transactions and payroll.

Heartland's CEO and Chairman, Bob Carr stated:

It’s clear that many owners of small and mid-sized businesses don’t understand the complexities of card acceptance. Yet, card acceptance is often one of the three largest expenses they incur. Business owners need to educate themselves so they can manage these costs. What they don’t know may be hurting their bottom line.

According to the press release, the bill of rights promotes fairness and transparency in card processing by identifying 10 fundamental rights:

The right to know the fee for every card transaction – and who’s charging it.

The right to know the markup of Visa and MasterCard fee increases.

The right to know all Visa and MasterCard fee reductions.

The right to know all transaction middlemen.

The right to know all surcharges and bill-backs.

The right to a dedicated local service representative.

The right to encrypted card numbers and secure transactions.

The right to real-time fraud and transaction monitoring.

The right to reasonable equipment costs.

The right to live customer support 24/7/365.

The effort has a home page, which can be viewed, here.

The page has a video for merchants to see if their rights are being violated, here.

The Association of Certified Fraud Examiners recognizes that small businesses suffer greater losses than larger ones do. I did a post on this subject, with the some tips on how to avoid becoming a victim, here.

In January, I did a post about how both consumers and merchants are calling for some reforms:

Congress needs to take a hard look at credit practices

In this post, I mentioned the Merchant's Payment Coalition, which is calling for greater oversight on some of this. Their page on unfair credit card fees can be viewed, here.

Even if you aren't a merchant, the truth is that these costs have to be passed off somewhere; otherwise merchants would go out of business. Who do you think ultimately pays for all this?

Monday, June 04, 2007

Is LifeLock an identity theft protection service people can trust?

Ray Stern, of the New Phoenix Times, published a scary story about an identity theft protection service, called “LifeLock.”

The article suggested that LifeLock was founded on stories that are questionable, and run by a Robert Maynard Jr., who seems to have a few skeletons hiding in his closet.

Not all identity theft services are 100 percent effective, or worth the money they charge (my opinion). Many require their customers to surrender all the same personal information a criminal might use, which will be stored in a database.

Databases are targeted by common thieves, hackers, and even dishonest insiders for their personal and financial information. Even if the information is protected, all it takes is one person with access, or who is tricked into giving up their access to compromise it.

Besides being stolen, information from data bases is bought and sold, frequently. It's a billion dollar business, itself.

Another problem is that even the best computer security can be compromised and has to be updated, frequently. Even encryption can be compromised by someone, who has the time and necessary knowledge to do so.

Many of these services require that their customers provide them with a power of attorney. Couple a person’s complete personal and financial information with a power of attorney – and a lot of subsequent damage can occur.

A lot of people are trying to make money off the current identity theft phenomenon. When choosing any service the term, "caveat emptor," or "buyer beware," certainly applies.

Robert Maynard Jr. is a person making a lot of money from the identity theft phenomenon, but should people trust his service? Before coming up with LifeLock, he was banned from ever working in the credit industry. Here is what the New Phoenix Times article said about this:

His credit-repair company was shut down by authorities in the early 1990s for false advertising and deceptive practices. Forced closure means that a federal court order has banned Maynard from working in the credit-repair industry — forever.

The FTC judgement against Maynard and his business partners can be read, here.

Maynard is fond of telling a story, where he was the victim of identity theft. He claims this experience gave him the inspiration to start LifeLock. BUT the story of how someone else used his identity to take out a $16,000.00 marker at a casino isn’t very credible.

The New Times interviewed Bernie Zadrowski of the Clark County District Attorney’s Office about this story.

Here is what they quoted Mr. Zadrowski as saying, which is a lot different from the story Robert Maynard Jr. uses to sell his identity theft service:

Not once did anybody ever suggest, in this particular case, that this was a case of stolen identity," he says.

Maynard never filed a police report for identity theft, or it would be part of the D.A.'s office file, Zadrowski says.

"The only call we received while he was in jail was from his girlfriend. She wanted to know how to get him out of jail," he says.

Zadrowski pulled the Arizona driver's license submitted to the casino by the person who took out the loan and e-mailed a copy to New Times.

Although the resolution quality is poor, the man in the picture looks like Maynard.

Zadrowski says the man pictured is Maynard.

There is also the matter of an American Express Card, taken out in Robert Maynard’s father’s name (Robert Maynard Sr.), but sent to a previous business address of Robert Jr., himself.

Here is what the New Times article has to say about this matter:

Records show that someone with Maynard Sr.'s personal information ordered the card. But that someone didn't have the bills sent to Maynard Sr.'s home. Instead, the bills went to a company called Netshield, at a Phoenix address used by one of Maynard Jr.'s former firms.

Though Maynard Sr. says he never asked for the card, he settled with the company. Coincidentally, Maynard Jr. has $170,000 in debt to American Express listed on his 2005 bankruptcy paperwork — and his father is named as a co-debtor.

If Maynard Jr. ordered the card using his dad's data, without his dad's knowledge, that would make him — you got it — an identity thief.

Apparently, Maynard has been able to sell his victim story numerous times to the mainstream media and pays bloggers to write about him.

During one attempt by the New Times to interview him, Maynard backed out at the last minute, claiming he had to meet with shock jock Howard Stern to discuss advertising. Maynard does take out advertising on Stern's show, among others, but Ray Stern (New Times) noted that his office appeared to have been vacated minutes earlier.

To date, there have been no complaints of wrongdoing at LifeLock, but if you read the New Times article, it would make someone like me think "long and hard" before handing over my money and information to them.

There are a lot of identity theft services out there. Most of them including LifeLock offer services that most of us could do by ourselves, if we had the knowledge.

Simply stated, the reason identity theft gets worse all the time -- is because of too much information is being bought and sold -- then maintained in too many (some not very secure) different places. The more places your information is stored, the more likely you are to become a victim.

New Times article, here.