Identity Theft Up, But Costs Fall Sharply

The number of Americans ensnared by identity theft is on the rise, but victims are striking back more quickly and limiting how much is stolen.

In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident – including unrecovered losses and legal fees – fell 31 percent, to $496.

One reason for the spike in cases is likely the worsening economy. Just last month, 598,000 jobs were slashed across the country and unemployment jumped to 7.6 percent.

“The short story is that criminals are getting more desperate,” said Jim Van Dyke, spokesman for Javelin, which started tracking identity theft cases in 2003. Last year marked the first time the number of cases rose.

Crimes of opportunity, such as stolen wallets, were linked to 43 percent of cases last year, up from 33 percent in 2007. That might be why women were 26 percent more likely to be victims of identity theft; they reported more cases of lost or stolen information during in-store purchases.

Online access accounted for only 11 percent of cases, according to the survey.

Despite the growing number of victims, the total fraud amount edged up just 7 percent to $48 billion over the previous year. That’s because victims are uncovering cases faster to limit losses. Another reason is that financial institutions are taking more steps to thwart thieves, according to the Javelin study.

For instance, more banks now send change of address confirmations to the original address, Van Dyke said.

This prevents identity thieves from rerouting mail to different addresses and delaying victims’ awareness that their accounts are being siphoned off.

The Javelin study also found identity theft went undetected longer and cost twice as much when victims knew their attackers. More than 10 percent of victims knew their identity thieves.

Despite the rise in cases, there are simple steps people can take to prevent becoming a victim.

To start, leave personal checks and Social Security cards at home and be aware of who’s around when giving personal information in public.

Some types of ID theft aren’t preventable, however. Someone could get your personal information by hacking into a retailer’s database, for instance.

So even if you’re careful about protecting your information, monitor financial accounts regularly.

“Identity fraud is all about prevention and detection,” Van Dyke said. alerts users to third data breach in less than 2 years

As if job searching in this economy isn’t discouraging enough, those seeking jobs through have been notified that yet another data breach has put users at risk of identity theft. posted a warning to their users on their website Friday. Hackers were able to access user IDs, passwords, names, e-mail addresses, birth dates, gender and ethnicity were exposed. In some cases the users’ state of residence was also exposed. doesn’t collect Social Security numbers or resumes, so neither of those could have been exposed. also, the federal government’s website for job openings, and users of that site were also affected.

In the security warning, recommended users voluntarily change their passwords now, and alerted them that they would soon be required to change their passwords and login information. also told their users that they would not contact them via e-mail, and advised them to delete any e-mails from senders posing as because they are most likely phishing attempts to obtain personal information.

This is the third monstrous data breach for the job search giant. Hackers attacked with a Trojan horse to steal the personal information of 1.6 million users and send it on to remote server. Later that same year, hackers attacked again with malicious code that infected visitors’ computers with a virus. said in their warning that they have not yet found any evidence of identity theft resulting from the data breach.

Payment Processor Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

Robert Baldwin, Heartland’s president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach.

Baldwin said it would be unfair to mention any one of his company’s customers.

“No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair,” he said. “Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know.”

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”

The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers. In other cases, consumers may spot the first signs of fraudulent activity by reviewing their bank statements. It is unclear whether consumers who receive new account numbers from their bank will ever be able to definitively tie the re-issuance to the Heartland breach.

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

“Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible,” he said. “In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers.”

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland’s disclosure — a day in which many Americans and news outlets are glued to coverage of Barack Obama’s inauguration as the nation’s 44th president.

“This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day?” Litan said. “I can’t believe they waited until today to disclose. That seems very deceptive.”

Officials from the U.S. Secret Service could not be immediately reached for comment.

Baldwin said Heartland worked to disclose the breach last week.

“Due to legal reviews, discussions with some of the players involved, we couldn’t get it together and signed off on until today,” Baldwin said. “We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility.”

The Heartland disclosure follows a year of similar breach disclosures at several major U.S. cards processors. On December 23, RBS Worldpay, a subsidiary of Citizens Financial Group Inc., said a breach of its payment systems may have affected more than 1.5 million people.

In March 2008, Hannaford Brothers Co. disclosed that a breach of its payment systems — also aided by malicious software — compromised at least 4.2 million credit and debit card accounts.

In early 2007, TJX Companies Inc., the parent of retailers Marshalls and TJ Maxx said a number of breaches over a three-year period exposed more than 45 million credit and debit card numbers.

In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts.

Unemployed A Big Spam/Phishing Target In 2009

Expect more sophisticated spamming in 2009. And thanks to the economy, an increase in scams targeting the down and out, the tax-rebate hopeful, and the noble yet digitally naïve pull-yourself-up-by-your-bootstraps market.

Also likely on the increase is abuse of free web-hosting and blogging services like Google’s Blogspot, according to McAfee’s January Spam Report, which analyzes trends from 2008 and predicts how they will continue in 2009, to be issued next week.

The earliest spam and phishing attempts expected in 2009 will target taxpayers expecting both tax refunds and tax relief under President Obama’s proposed stimulus package. “Until we have a tax system that doesn’t involve the collection of personal data, this will remain a very exploitable vector for criminals,” the report reads.

In addition, McAfee expects junk email and target websites to appear more professional and more corporate to present an air of legitimacy. “With the improving professionalism in scam corporate fronts they are likely to be very effective this year, unless consumers and enterprises are protected by a web security product or service that employs a reputation system.”

With the jobless rate rising, an increase in spam targeting the unemployed is also expected. Recipients should be wary of mail offering low-cost diplomas and certifications, money for school, home-business scams, and also of offers of credit or debt help.

Based on relative successes of some campaigns in 2008, McAfee also expects these tactics to increase in 2009:

Abuse of free web-hosting and blogging services like geocities, Blogspot, and Live.

Targeted phishing and corporate blackmail (pay us or we’ll release this information to the black market)

Abuse of free email services like Gmail, Hotmail, Yahoo, etc. “Shared SPF and SenderID records call to question the purpose of having them in the first place. The need for Domain Keys Identification Mail (DKIM), PGP key signing, and secondary authentication mechanisms will become more important to a basic business security model.”

Reformation of McColo-type hosting companies.

Luring web users with naked celebrities, gambling, and pills.

More professional looking phishing websites and emails.

Email Scam Leads To Phony CNN Site

Hackers have launched a new email scam that attempts to lure unsuspecting users to a bogus news site using the Gaza conflict in an effort to steal passwords.

The RSA FraudAction Research Lab discovered the scam and says the result of the attack is the infection of computers with a Trojan.

The RSA blog offers more details. “The fake webpage designed and hosted by the online criminals, is embedded as a link within the spam attack email. This fake webpage includes another link to what appears to be a legitimate video but is actually a form of crimeware. When visitors click on the video, they get an error message asking them to install Adobe Flash Player 10 in order to play the video, and a link is provided.”

RSA says that a Trojan is launched when the link to the phony software is accessed called a Trojan “SSL stealer” that grabs financial and personal information of the infected user found on their computer.

Gary Warner, Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB) recommends that users do not open any emails received from an unknown source and to visit and click on news stories from the official site.

Identity Theft: My Tale from the Other Side

Submitted by Tara1902

Ten years ago, I knew a couple who had their identities stolen. Just watching what a hassle their life became (and the plethora of out of pocket expenses they had to incur) was enough to convince me that I needed to invest in a paper shredder—and take the time to use it. What I didn’t realize then, though, was that shredding wasn’t enough to protect my identity. Unfortunately, identity theft has only progressed in the last ten years and novice thieves aren’t only concerned with gathering information left behind by an unguarded paper trail. Our electronic, cashless, society plays right into the hands of identity thieves and makes the personal information of millions of unsuspecting people readily accessible.

That was my case. Last year I was traveling on business and quickly working my way through O’Hare airport on a layover. My time in Chicago totaled less that two hours, but that was all it took for someone to steal my identity. Desperately needing fresher breath (and an excuse not to talk to the poor soul sitting next to me on my next flight) I stopped into the airport gift shop to grab a pack of gum and a magazine. Without even thinking twice I handed the clerk my debit card and by the time I landed back in California, a few days later, fraudulent charges had been made.

Thus began the process of researching and reporting the crime. Upon calling my bank I learned that I needed to file a police report before the matter could be handled. The first question I was asked was, “Were you in Chicago when the crime was committed?” Apparently they were trying to determine whether the crime fell under federal or state jurisdiction. But by the way they presented the question I assumed they were accusing me of having made the fraudulent charges myself. They assured me that wasn’t the case, but I still felt like a criminal.

Now, I’m a family woman. A churchgoing family woman. I have values, and lots of them. So, imagine my embarrassment when I discovered that an identity thief had used my bank account to purchase internet porn. Every conversation with every law enforcement agency, bank or credit bureau always included an awkward pause when I was asked, “And what was fraudulently purchased with your debit card?”

That definitely isn’t an experience I want to repeat again. I wish had been around a year ago. If they had, I might have been better protected. This website and this blog are great FREE resources geared toward helping you protect your good name and your good reputation (no embarrassing purchases to ruin your clean record).

Wells Fargo: Identity Theft Stories & ATM Skimmers

Submitted by Keith843

Over the last two weeks, I went to my local Wells Fargo bank branch twice to place electronic wire orders. These wires usually take a little time to complete and I was in the branch for approximately 20 minutes each time I visited. The banker did all the work of inputting the information I provided from a print out while I was left staring at the back of the banker’s Dell monitor. My mind, searching for something to do, focused on the goings on in the bank.

On my first visit I overheard a young woman (mid 20’s) talking with several tellers and a banker. The gist of the conversation was that the woman had received an email requesting her to send money by wire. She claimed the recipient would then be able to access some frozen bank account with a large balance which they would in turn split with her.

She asked the teller if this seemed like a legitimate scenario because a follow-up email asked her to send money to China.

The banker told her that this was very likely a scam and that if she sent money from her own account to the recipient that there was nothing they could do to protect her.

Obviously, the woman had almost fallen for a 419 scam (but based out of China instead of Nigeria).

The woman graciously declined to wire any money and I could tell from the look on her face that she was a little embarrassed from being almost being duped.

One week later, I was in the same Wells Fargo bank branch and an elderly woman sitting with the banker at the desk next to my banker’s was closing her account and opening a new one due to someone gaining access to her account. It became obvious that there was a lot of money in her account as there were two bankers helping and assuring her of the new account’s safety.

I wondered out loud if there is a lot of identity theft related crimes at Wells Fargo.

My banker rolled her eyes and answered “unfortunately, there is really a lot of that going on.”

I had just seen this video on ATM skimmers:

So I asked her if she had heard of any of their ATMs having skimming devices attached to them. She gave me a blank look and finally said, “I don’t know. What do you mean?”

I explained how a small skimming device is placed over a legitimate ATM’s card slot and how it collects credit card data which thieves later use to steal money from the cardholders account. She had not heard of ATM skimmers.

Frankly, her answer was a little unnerving coming from someone in her position at a bank as large and well respected as Wells Fargo.

I don’t have any wires which I need to go to the bank branch for again anytime soon, but I will certainly be sending her a link to the skimming video above.

Identity theft accelerated in 2008, and experts fear it will worsen in ’09

dentity theft became the fastest-growing crime in the United States in 2008, affecting more than 10 million Americans, according to the Federal Trade Commission, the agency that enforces ID theft laws.

Hundreds of data breaches exposed sensitive information, and victims spent countless hours on the phone talking to banks, fraud investigators and credit bureaus. Businesses suffered millions of dollars in losses.

So, what’s the outlook for 2009?

Identity theft experts predict more sophisticated schemes targeting unemployed people, consumers with poor credit and homeowners facing foreclosure, according to a report issued this month by the Identity Theft Resource Center, an advocacy group based in San Diego, Calif.

“Identity thieves learn all the tricks of the trade,” said Linda Foley, one of the founders of the Identity Theft Resource Center. “This is a job for them.”

Many real estate-based schemes have been reported nationwide this year. This trend, the report says, will carry into 2009 with more sophisticated schemes, such as those involving bogus mortgage-rescue outfits that target homeowners facing foreclosure.

Adam Levin, chairman of Identity Theft 911, a company that educates and helps consumers keep their information safe, predicts more economic crimes as the economy continues to falter, giving ID thieves more opportunities.

“We are in the midst of a perfect storm,” said Levin, citing the combined effects of a down economy, unemployed people struggling financially, and homeowners facing foreclosure. “So people need to be more careful than before and try to minimize exposure of personal information.”

The Identity Theft Resource Center report also predicts an increase in schemes that attempt to trick unemployed people into giving out sensitive information with the promise of a job.

Also, as companies reduce staff to cut expenses, some disgruntled employees — including those who work in information-technology fields — may turn against former employers and hack information for profit.

“There’s more data on the move that is not being guarded, and human errors happen,” Foley said. As of December, 638 confirmed data breaches had been reported this year, compared with 446 in 2007, according to the ITRC.

“You’vegot companies that can’t afford to spend on a security system, and also businesses that don’t care, so they will use this as an excuse,” said Levin, adding that he expects to see more data breaches next year.

Other predictions include:

Credit cards: Consumers with poor or no credit may become a target of fraudulent deals that offer a credit card regardless of credit history, and schemes promising to consolidate credit card debt or to renegotiate interest rates. Also, a fraudulent technique known as “skimming” — a duplicate scanning of credit cards or debit cards that are later used by thieves — will become increasingly common.

Check fraud: As credit becomes less available to consumers, identity thieves may carry out more check fraud schemes by using stolen checks or using checks thrown into the trash by unsuspecting consumers.

Cyber crime: Experts said the Internet would continue to be ID thieves’ favorite playground. Cyberspace is now used to transport and sell large amounts of stolen personal information, including stolen credit card numbers. This trend will continue next year, Foley said.

from the Sun Sentinel

Real ID mandate resisted in Virginia

Some legislators want to join the growing chorus of states that have defied the federal government by refusing to participate in a national identification program billed as a way to fight terrorism and identity theft.

Two pieces of legislation for consideration when lawmakers return to Richmond on Jan. 14 call for Virginia to ignore the federal mandate to come into compliance with the Real ID Act by the end of 2009.

Similar bills went nowhere last year, but supporters say the looming deadline gives the issue new urgency.

“Basically, this statute that I put in is one to let the feds know that, one, the way you’re going about this we have problems with, and two, if you intend to enforce this, we intend to challenge it,” said Delegate Robert G. Marshall, Prince William Republican and one of the sponsors.

Since the law’s enactment in 2005, at least 42 states have considered anti-Real ID legislation, and more than half have passed measures either forbidding their states from participating or urging Congress to amend or repeal the law.

At least five states have gone in the other direction, passing bills bringing their programs into compliance.

Critics say they expect other states to join Virginia this year to fight against Real ID.

The program was born out of the commission that looked into the terrorist attacks of Sept. 11, 2001. It recommended that the U.S. improve its system of issuing identification documents because the hijackers had numerous licenses and state IDs. Congress approved legislation requiring states to issue licenses and ID cards that meet certain security standards.

The new IDs will be required for federal purposes, such as boarding an airplane or entering a federal building. Other federal identification, including passports and military IDs, also will be accepted.

“The bottom line is that citizens of states who do not move forward with the Real ID mandate from Congress will see real consequences,” said Laura Keehner, a spokeswoman for the Department of Homeland Security, which is in charge of the program.

States had until May 2008 to implement Real ID, but the department extended that until Dec. 31, 2009. If they need more time and have met certain benchmarks, states can request an extension until May 11, 2011.

“The fact that Congress passed this and could not figure out the prudential question of when the states could actually do this tells me that it wasn’t thoroughly vetted,” Mr. Marshall said.

The opposition has centered around cost and privacy concerns.

Homeland Security originally estimated it would cost states $14 billion to implement the program, but in January it loosened the restrictions and said the added flexibility would bring the cost to under $4 billion.

Homeland Security and other agencies have given out about $500 million in grants, but state officials say that’s not enough.

Critics also claim that Real ID diminishes privacy, and they object to a national ID that would have to be shown for everyday identification purposes.

“Certainly people should be identified by high standards when that’s called for, but it’s not called for when you’re going to buy beer,” said Jim Harper, director of information policy studies for the Cato Institute, a libertarian think tank.

“If we’re going to have our identity recorded every time we buy beer or use a credit card or buy gas, that turns into one big surveillance system,” he said.

But Ms. Keehner said the identification cards will increase, not decrease privacy by preventing identity theft.

She said claims that the program creates a national database are incorrect. There is a hub where each state Department of Motor Vehicles will check to ensure that an individual has only one ID, but states will not have access to other states’ data.

Police officers rewarded for identity theft investigation

There was a point during Sgt. Tony Frisbee and Sgt. Shaun Devlin’s identity theft investigation earlier this year where new victims were coming in almost daily.

Most of the cases had similar characteristics: Victims’ Social Security numbers were used to file false tax returns, the returns were sent to Texas and the victims all belonged to the same healthcare provider.

While the UCI detectives weren’t over their heads yet, the case threatened to become almost too much to handle.

“In the beginning, the size of the case, the amount of victims we had, it was like ‘Wow,’” Devlin said. “Tony and I felt like we had to get a jump on this.”

And jump they did, headfirst as one investigator put it, into the world of fraud investigation.

Through a five-month investigation that took UCI officers halfway across the country on multiple occasions, authorities managed to net half a dozen indictments and several arrests that revealed an identity-theft ring that victimized nearly 200 UCI graduate students earlier this year.

Devlin and Frisbee, the two lead detectives on the case, were recognized as the 2008 Investigators of the Year by the Orange County Financial Crimes Investigator Assn. last week. They credited their team, Det. Caroline Altamirano, Sgt. Manse Sinkey and IT Manager Isaac Straley for their efforts as well.

“We felt as a committee they certainly did deserve a lot of recognition,” said Meloni McMinimy, a board member on the association. “Bottom line, it was their tenacity.”

Damon Tucker, a 10-year veteran of law enforcement, nominated the men after working with them.

“It seemed like a pretty big and sophisticated case, and seemed to be a daunting task for an agency that size,” Tucker said. “They went beyond the call of duty on this one. We could have simply said we don’t have the resources or technical ability to do something like this.”

The men had to work out logistics with Texas law enforcement so they could operate on their turf, and in some cases ask for help, officers said. Getting to that point was a hassle too, officials said. An exhaustive search for a breach in UCI’s student databases turned up empty. From there, all signs pointed to the United Healthcare in Texas, UCI’s third-party healthcare provider.

“They were met with hurdle after hurdle with where the breach was,” Tucker said. “These cases are kind of like icebergs. The people who do these crimes, you see a tip of it, and underneath it there’s a whole bunch more.”

Thousands of UCI graduate students’ Social Security numbers were compromised, with nearly 200 being victimized in the end, police said. Most have received their tax returns with school, police and government help. Police arrested who they believe was the inside-man who stole the numbers, Michael Tyrone Thomas, earlier this year.

Thomas and his several co-defendants will appear in federal court early next year.

Devlin and Frisbee said they’re humbled by how much praise they’ve received, especially because some detectives out there handle these cases on a daily basis.

For them, they said they were just doing their job and trying to help students.

“We’re a small department. Here at UCI, we’re tight-knit, we tend to jump on things pretty quick,” Devlin said.