Identity Theft Awareness

In a recent letter to several congressional committees, Equifax shared that out of the 146+ million records that were hacked in last year's breach: all contained consumers' dates of birth,  nearly all contained Social Security Numbers,  99 million had address information,  209,000 contained credit card data including expiration dates,  38,000 contained driver's license info, 3,200 contained passport information. While some identity fraud incidents have been traced back to the Equifax breach, most of these records have not yet been used in a fraud.  However, since the data is not likely to change (other than credit card info), it is assumed that eventually the stolen information will be sold in the dark web and misused.  Just a matter of time.  My advice: do what you can to minimize your exposure and certainly stay on top of your credit reports, but since things like passports, driver's licenses, and Social Security Numbers can be used in non-financial identity

Orbitz, a division of Expedia, has announced it was hacked last October, 2017, revealing credit card information of 880,000 customers, including names, birth dates, mailing and email addresses, dated between January and June, 2016. The current Orbitz website was not hacked, according to the company. One article on the breach: http://www.zdnet.com/article/orbitz-says-hacker-stole-customer-data/

166 of the 167 Applebee’s restaurants have been hit with payment card malware that exposed card numbers, names, card verification numbers, and expiration dates. Here is a breakdown of restaurants by state: Alabama: 2 Arizona: 23 Florida: 4 Illinois: 14 Indiana: 21 Kansas: 3 Kentucky: 14 Missouri: 2 Mississippi: 1 Nebraska: 11 Ohio: 44 Oklahoma: 6 Pennsylvania: 1 Texas: 15 Wyoming: 5 More details, including restaurants by city within states, at this article: https://tinyurl.com/ya2tkusw

Fox News has reported that a Mexican national assumed a false identity of a Texas resident 37 years ago. He was able to generate a false birth certificate, then got a California driver’s license, a Social Security number, and a passport. With this created identity, he was able to receive over $361,000 in government benefits during those 37 years.  The identity thief Andres Avelino Anduaga, 66, is a repeat felon who used the false ID to go in and out of Mexico several times a week. The real owner of the identity, who now lives in Florida, had no idea his identity was being misused. (This is very common, unless the thief does something to bring attention to the identity.) More details are in the article here: http://www.foxnews.com/us/2018/03/04/illegal-immigrant-from-mexico-pleads-guilty-to-using-fake-identity-to-steal-361000-in-government-benefits.html

Last week, Equifax announced that they have discovered an additional 2.4 million consumers were victimized by the breach last year, bringing the number to 147.9 million.  Equifax says this information includes partial driver's license data, but does not involve Social Security numbers, unlike the earlier announced exposures. The interim CEO Paulino do Rego Barros Jr. Says this is not newly discovered stolen data, just a "sifting through the previously identified stolen data." There are several articles about this announcement.  Here is one: https://www.npr.org/sections/thetwo-way/2018/03/01/589854759/equifax-says-2-4-million-more-people-were-impacted-by-huge-2017-breach

Interesting fact: during last year's record number of data breaches, 40% of the complaints to the FTC about losing money to fraud were made by millennials, whereas only 18% of the complaints came from folks 70 years old and older. An article in Market Watch also states that while this may be true, older folks seem to suffer the greatest financial loss, perhaps because they have a little more readily available money.  The infamous "senior scam", where a con artist poses as a grandchild needing financial help, may be the key scam tool. The article lists several top scams being used to separate people from their money. Here is a link to the article: http://tinyurl.com/ybcn7tbq #idtheft

As I mentioned in a previous post, I've found that most people equate ID theft only with their finances -- their bank and credit accounts.  They don't see a need for paid protection services, relying instead on bank- or card- or insurance-provided free services.  Or they put fraud alerts on their credit report every three months. While useful, these free services rarely look beyond the finances or offer much in the way of restoration.  I advise people to get all of the reliable free coverage they can, but recognize their limitations, and understand that real identity theft is much more than their finances. Take for example something called criminal identity theft.  This is where someone pretends to be someone else, hiding their own identity, when caught in the act of a crime, such as illicit drug dealing or breaking and entering.  Often this is pulled off by first obtaining driver's license info either through direct theft or through a breach and then modifying it with

The latest word from the Identity Theft Resource Center (ITRC) is that the reported data breach number is about 14% lower so far this year than last year's record number of breaches.  As of February 16, that there have been 124 data breaches reported, with  nearly 3 million records exposed since the beginning of the year.  This is certainly good and welcome news, but "the barn door has already been left open." Our personal information has been exposed multiple times over in recent years, most notably in the Equifax breach last year. Still, I'll take the good news; better than 14% higher. Looking at the ITRC numbers just reported, the business sector continues to lead the breach count with 40% of the breaches (and 74% of the records exposed), but medical breaches have risen to nearly 1/3 of the breaches.  I'm very worried about the medical numbers, because so much critical data, including medical insurance data and medical conditions are stolen. This inform

Staybridge Suites in Lexington, KY, has announced a data breach that exposed some customer data, such as names and credit card data.  This brief article --  http://www.wkyt.com/content/news/Lexington-hotel-says-customer-credit-card-numbers-exposed-in-data-breach-474199803.html  -- doesn't go into a lot of detail, but it sounds like some kind of credit card skimmer device.  If I find out any more on this, I will add a comment to this post.

On May 25, 2018, t he European Union is implementing some privacy laws that may help to improve the security of US businesses. The new laws require any US company doing business in the EU to comply. Some US companies are complying completely, while others are building two compliances, one for the EU and another for the US. Still, the effect is likely to improve privacy protection overall, as the EU laws seem to be being adopted worldwide.  These laws include tightening up the breach notification window to 72 hours of being discovered, giving users the right to request to see the data being held and have their data removed, and require the companies to have a data protection officer who will not be part of the operations and responsible for the compliance to the privacy laws.  I’m sure there will be kinks that need to be worked out, but on the surface this looks hopeful. It is going to be difficult to get similar laws passed in the US, because of the structure of federal and sta

Last September, the credit bureau Equifax announced that their database of consumer information had been breached, exposing about 145 million records, including names, birthdays, Social Security numbers, and some drivers licenses. Most of this information doesn’t change, meaning that the data will stay valid for years, so the thieves can take their time selling off the information to the highest bidder.  As bad as this was, Equifax has just announced that the breach was broader in scope than originally disclosed. While the number of stolen records has not changed, Equifax now reveals that the data points include  tax identification numbers, email addresses, phone numbers, the expiration dates for credit cards, and issuing states for driver's licenses. (Tax Identification numbers, or TINs, are used by non-US residents to report income from earning accounts.) This announcement reveals the extent of information held by the credit bureaus that, at least to me, seems unnecessa

Article says it best: https://t.co/5UH5WMfIyi #idtheft #identitytheft

As an identity theft risk management specialist, I speak to various groups about identity theft awareness and prevention. My biggest challenge is to get people to realize that true identity theft is much more than financial theft.  Always at some point in the Q&A time of the presentation, someone will mention that they have had their credit card stolen or that they have had bogus charges show up on their credit card statement.  Does that mean, they ask, that their identity has been stolen? The accurate but not-very-helpful answer is "not necessarily".  Credit card fraud by itself is not defined as identity theft by the Federal Trade Commission (FTC).  It can be an indicator of identity theft, but more often than not, it is just a case where a criminal has obtained a credit card number through a data breach or pickpocketed the card, either physically or by using RFID technology. That may be as far as the theft goes. Sometimes the issuing credit card company will sp

With every year setting new records for data breaches (nearly 1,600 last year alone), I'm wondering if the public is becoming fatigued and numb to the news of another breach. Even the massive Equifax breach, which compromised very personal and critically non-changing information of at least half of the adult population, I've found people not knowing about it and even more not understanding what it means.  That may change after people start filing their taxes, only to find that someone else has filed a false return ahead of them. Studies from social media activity are being reported, showing that people who have been notified of a data breach that affects them are simply ignoring the notice. They aren't changing passwords or enrolling in protection services, just hoping nothing happens. If their credit cards are compromised, they are inconvenienced, but they get a new card and never check to see if anything else is amiss.  The winners are the thieves, because there is litt

Every year, tax experts and the IRS have cautioned us to file our tax returns early. Not only does it help to get any refunds back to us quicker, there has been a history in recent years of tax identity fraud — thieves filing returns in our names and getting our refunds. Basically, file before the bad guy files. Whoever gets there first gets the refund.  While this has been true for several years, it is even more applicable this year, because of the Equifax breach last year. Remember that at least half of the adult population in the US have has very personal data stolen: names, dates of birth, addresses, Social Security Numbers — more than enough to create fake W-2’s and file false returns.  If you have been following the Equifax breach in the news, you may have wondered why so few cases of fraud have shown up yet. Quite likely, this tax filing may be a key reason the thieves have been sitting on the data.  Whether you use a tax prep service or do it yourself, get going as

The Identity Theft Resource Center says that there have been 69 data breaches reported as of 1/24/18.  This is a decrease of 9% from last year's 76 breaches at this point, but breaches in the business sector accounts for 48% of these 69. Last year, by the way, was a huge record number of breaches -- 1,579 -- up nearly 45% over 2016's pace. Like this year, the business sector led the way with 55% of the reported breaches.  Hacking was the predominant cause of the breaches. Here is the article from the ITRC: https://tinyurl.com/y6vryz4w #idtheft #identitytheft

A former Boston, Massachusetts, clerk at its Registry of Motor Vehicles was sentenced to one year in prison for creating a false drivers license.  Three other former clerks were also charged. According to an article ( https://tinyurl.com/ycbcwqj7 ), they were making the IDs for illegals in exchange for cash, using stolen data of US citizens. I share this to show that our identities are not safe even from government agencies, as if you didn't know that already. #idtheft #identitytheft

I have long cautioned parents that the identities of their children are prime targets of identity thieves. Think about it -- someone getting an infant's Social Security Number has use of that number for years before a parent (or the child) discovers it, perhaps when the child gets a job or applies for financial aid for college. The thief can open credit card and bank accounts, get jobs, or maybe even buy/rent housing. Personal example: I have a friend who is an illegal alien. He is working, paying taxes. I asked how he was being employed, given his illegal status. "Oh," he said, "I bought this card when I crossed the border, and it makes me legal."  What kind of card was it?  Likely a Social Security card, perhaps a child's, or an adult, or even a deceased person. Recently, I have read an article where there is a website on the dark web marketplace discovered to be offering infant's data for sale. The website's ad says, "get em befor tax

#idtheft #identitytheft Nearly everyone has at least one credit card these days, if not multiple cards, and we depend upon them to buy everything we use on a daily basis.  Think of the last time you wrote a check for groceries.  Most people don't even carry enough cash to buy a burger at a drive-through! Thieves and identity thieves know this and are targeting the retail industry with renewed vigor (see http://www.darkreading.com/endpoint/lockpos-malware-sneaks-onto-kernel-via-new-injection-technique/d/d-id/1330757). For most of us consumers, we are not aware of -- nor need to be aware of -- the "back office" workings of the industry, yet we ultimately are the ones affected by these dangers and have to be proactive in protecting our credit. While I'm quick to encourage you to enroll in an identity theft protection service, why wait until your account is compromised? These services, while they might ward off a compromise, have their strength and main value in pr

In my last posting, I mention about a CPU chip flaw in nearly all computers -- Apple, Google, and Windows alike -- that can be exploited by quasi-viruses called Meltdown and  Spectre that steal data from devices. The theft process is very complicated and technical, so if you want to know the details, search for it. I'm avoiding that here. Suffice it to say that this is a serious enough exposure that every chip maker, computer maker, and browser developer is working on solutions, and will likely be a rollout of solutions over time.  Already, Microsoft, Google, and Apple have released OS patches, so you need to apply these as soon as you can.  Down the road, expect even more updates. I call these exploitations "quasi-viruses" because these aren't viruses in the traditional sense and therefore aren't being picked up by regular antivirus programs. I've put a request in to PCMatic, since they block by whitelist instead of blacklist (can't install app unless

Being an iPhone user for many years, I must start off this post with a disclaimer that I am out of my comfort zone talking about Android phones.  I just know that historically Android-based phones have a significantly higher incidence of viruses than Apple iPhones.  In fact, there has not been any easily available antivirus apps for the iPhone -- just not needed -- whereas there are several for Android devices. Why is that, you may ask?  I believe it has to do with Apple's tight control of the architecture and what is allowed to be added to the App Store. Recently it has been discovered that iPhones and Androids as well as most PC and Mac CPUs are vulnerable to a chip flaw that allows quasi-viruses like Spectre and Meltdown. Apple is working on some solutions, as other chip venders like Intel and AMD are doing, so that isn’t what I’m addressing with this post. Regardless, I have recently read an article that discusses in extreme and painful detail why Android phone apps can e

Have you shopped at Forever 21 apparel retailers?  The company announced last November that they had been hacked between April 3, 2017, and November 18, 2017.  Yesterday, the retailer announced the findings from a third-party team, saying that in some stores, the encryption technology was not active, which exposed customer point-of-sale (POS) payment card data -- names, credit card numbers, expiration dates, and internal verification codes -- certainly enough to make online purchases or recreate credit cards. Obviously, if you made any purchases at any Forever 21 store between these dates, you should consider contacting your credit card supplier and getting a new card, even if the local store says they weren't hacked.  Just a safe plan, in my opinion. More on this at https://tinyurl.com/yd5mjwyb #idtheft Before any identity fraud with your card is confirmed, you might want to consider getting a protection plan from IDShield.  As you know, my site is http://IDT.nscky.com.

This isn’t about identity theft, but I thought it worthwhile to share anyway. One of LegalShield’s competitors in the legal industry is LegalZoom. An interesting article has appeared where they are being sued for using non-attorneys for some of their forms. Of course you pay extra to speak with an attorney. LegalShield let’s you always speak with a legitimate and highly rated attorney, and our forms are free with a membership. Here is that article about LegalZoom: http://www.abajournal.com/news/article/LegalZoom_UPL_lawsuit_trademark