by Doug Pollack

This week President Bush signed into law the Identity Theft Enforcement and Restitution Act of 2008.  As reported in the Washington Post, this law will:

“make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.”

It can take the victim of ID crime hundreds of hours to restore themselves to pre-theft condition. This law enables them to be compensated for this time at a level:

“equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.”

The FBI has set up a clearinghouse for addressing cybercrime complaints called the Internet Crime Complaint Center. It works closely with a range of law enforcement agencies and private sector organizations.

by Heather Wells

As someone who works on behalf of victims of id theft, I have seen the cases of medical identity theft increase over the past few years. It’s hard to tell whether this is because medical id theft is becoming more well-known and therefore reported more often by the public, or if this type of fraud is actually growing in number. I think it’s a little of both.

In a recent article from the Chicago Tribune, reporter Judith Graham interviews several id theft experts including Pam Dixon from the World Privacy Forum. Dixon describes most medical id theft perpetrators as “people working in the health-care sector” who have access to people’s social security numbers, insurance information, and health records. According to Dixon, these id thieves sell this type of stolen data for cash or use it themselves to commit fraud upon private health insurance companies and federal programs such as Medicare and Medicaid.

Graham also interviews James Quiggle from the Coalition Against Insurance Fraud in DC, who says that “with almost 50 million people considered uninsured today, medical identity theft may become a growing problem as more people become desperate enough to turn to crime to find treatments that they cannot otherwise get.”

I’ve personally seen victim’s credit reports with collection accounts for ER visits, cancer treatments, and children’s medications. It’s paints a sad story for all involved parties, including the id theft victim, of course.

So, whether it’s done for profit or out of desperation, consumers need to be aware that medical id theft can happen to them and be informed and remain vigilant. People should continually check their credit reports, insurance benefit statements, and health records for discrepencies and fraud.

The World Privacy Forum website has some great information on this topic.

by Doug Pollack

Most of us are unaware of the severe emotional stress that can come about as a result of identity theft. It is gratifying to see the Wall Street Journal exposing this issue so dramatically in today’s article titled “How to Make Identity Theft Worse“.

Ms. Jordan’s article describes poignantly how commonplace it is for illegal aliens to use a citizen’s name and social security number in order to appear legal to their employer. But also how difficult it is and how long that it can take in order to rectify this type of identity theft.

“Audits from the Internal Revenue Service are never welcome. But when Emerita de Jesus received a letter for failing to report earnings at a North Carolina poultry plant, it had a particularly unpleasant twist: The California housewife had never worked at the facility. Instead, a Mexican worker there had used Ms. de Jesus’ name and Social Security number to get hired. The situation caused years of grief for Ms. de Jesus, who fought a protracted battle beginning in 2003 to clear her name with creditors, the IRS and the poultry plant, House of Raeford Farms Inc. The case, which was finally solved a few months ago, isn’t isolated. It is an example of an unexpected consequence of the government’s crackdown on undocumented workers: a surge in identity theft.”

And while this type of identity theft is now on the rise, partially due to more rigorous government requirements that workers provide valid name and social security credentials in order to be employed, the mechanisms to deal with this type of identity theft do not seem to be working. The article goes on to describe what Ms. de Jesus, a legal US resident, went through and how long that it took, to identify and resolve all of the dimensions of this ID theft. Her husband describes how:

“In 2004, however, his wife received another letter from the IRS regarding yet another year’s income that hadn’t been reported. The couple hired a private detective who confirmed a woman continued to work at the House of Raeford under Ms. de Jesus’ name. “We contacted 50 senators, 30 government departments and two governors,” says Ms. de Jesus, who declined to be interviewed but provided a written statement. “The system did not work.”

With 8 million illegal immigrants in the US workforce, this problem is not likely to get better any time soon. We can only hope that the IRS puts in place systems and procedures that enable US citizens and taxpayers to more easily and permanently resolve the effects of this type of identity theft.

by Heather Wells

In a recent article dated June 20, 2008 from npr.org, writer Dina Temple-Raston reports on the arrest of hundreds of people believed to be guilty of scamming the public out of millions of dollars of hard earned home equity.

She writes, “instead of stealing an identity to secure a credit card, scammers have been zeroing in on people they think have a lot of equity in their homes. They steal their identities, then go online and get a home equity line of credit on that person’s house and take the money.”

It’s a terrifying scenario for consumers who have worked hard for years to establish good equity and credit. As someone who works directly with victims of id theft, I know how frustrating it is for victims when the person who stole their identity is never caught or prosecuted. I am hoping that the news of these crooks getting arrested will bring about a feeling of justice for victims; that something is being done and people are being punished.

Temple-Rason concludes her piece with this warning, “the FBI is sending a specific message: If you are involved with mortgage fraud — whether on Wall Street with high-level investors, or on Main Street with ordinary homeowners — the bureau intends to catch and prosecute you.”

Score one for the little guy. For more, check out this video:

by Doug Pollack

The Identity Theft Resource Center (ITRC) today released its annual survey  looking at the impact of identity theft crimes on the victim. This is the  fifth  of these annual studies  titled “Identity Theft: The Aftermath 2007″ .

The authors encourage readers to note that:

“It is critical that we remember these numbers are people. These are people with lives that have interrupted, altered, torn apart and/or impacted for years to come. They are people with feelings and emotions whose outlook on life and interactions with others may change due to the invasive nature of this crime.”

Some of the key findings of this study include:

- 62% of the people responding said that the thieves had committed financial crimes resulting in warrants issued to the victim, two-and-a-half times more than the prior year

- While a third of identity theft cases are perpetrated by persons known to the victim, in 2007 there was increase in ID theft due to scams

- Victims spend and average of 116 hours repairing damage done by an ID thief to an existing account, and 158 hours when dealing with a new account that was created with their identity

The ITRC is a non-profit organization that is “dedicated exclusively to the understanding and prevention of identity theft”.

by Doug Pollack

We all hear about how more and more identity theft is now being done with the internet. What you don’t hear as much about is how an increasing percentage of US-based identity theft is perpetrated by organized crime overseas.

A recent FBI press release titled “38 Individuals in US and Romania Charged in Two Related Cases of Computer Fraud Involving International Organized Crime” describes a frightening phishing scheme that:

“uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers and Social Security numbers.  Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions or other companies.”

The level of organization of this criminal enterprise and effectiveness of their efforts is remarkable.  According to the indictment:

“The Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack.  Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information.  The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet “chat” messages.  The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys.  Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs.  The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point of sale terminals that the cashiers had determined permitted the highest withdrawal limits.  A portion of the proceeds was then wire transferred to the supplier who had provided the access device information.”

As organized crime becomes increasingly sophisticated in using our affinity for online commerce to their advantage, we should all be extra cautious, especially in watching out for something that has become as commonplace as the phishing scam.

by Doug Pollack

This past week there have been a flurry of articles about the state of litigation pending against LifeLock. An AP article titled “ID protection ads come back to bite the pitchman” is illuminating relative to how this situation has expanded. The “pitchman” noted in this article is Todd Davis, CEO of LifeLock who proudly displays his real social security number in ads that run on TV, newspapers and elsewhere.

Per the article,

“Now, Lifelock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn’t work as promised and he knew it wouldn’t, because the service had failed even him. Attorney David Paris said he found records of other people applying for or receiving driver’s licenses at least 20 times using Davis’ Social Security number, though some of the applications may have been rejected because data in them didn’t match what the Social Security Administration had on file.”

As one can discern reading this article, Mr. Davis remains totally unrepentant. He defends their advertising, the nature of the $1MM guarantee that is at issue as part of the “deceptive practices” claim in the lawsuits, and the efficacy of their identity theft protection product even in the face of evidence that brings into doubt its effectiveness.

In an interview yesterday with Matt Lauer on the NBC Today Show, he was asked about whether LifeLock does anything for their customers that they can’t do themselves. While acknowledging that consumers can set fraud alerts and “opt out” of credit card offers pretty easily on their own, he defended what LifeLock does do that consumers can do for themselves, noting that it monitors numerous databases on the internet, for instance in chatrooms, where identity theft can occur. What he didn’t mention is that this capability was only added to the LifeLock offering very recently. Since the class action lawsuits were filed.

So it would appear now that the courts will help assess whether LifeLock has engaged in deceptive advertising practices and made misleading claims about its identity theft service.

by Doug Pollack

We know that over 10MM Americans this year will far victim to identity theft. But a recent survey by Bankrate asks people whether they are worried about this problem. The results indicate that people who personally know a victim of identity theft tend to be both more worried about this and also more proactive about protecting themselves.

The poll titled “Americans worry about ID theft; but consumers may be confused about the most effective strategies to protect their privacy” highlights:

“The results show that consumers who personally know a victim of identity fraud tend to be more concerned about the crime overall. Further, their concern pushes them to take more steps toward protecting their personal information, although there does seem to be some ambiguity as to the most efficient privacy protection actions.”

The following chart illustrates people’s answers to the question of how concerned they are about identity theft.

How concerned are you about having your identity stolen? Total Know an identity theft victim Don’t know a victim Very/somewhat concerned 81% 88% 76% Very concerned 40% 46% 36% Somewhat concerned 41% 42% 40% Not very/not at all concerned 19% 12% 24% Not very concerned 12% 7% 15% Not at all concerned 7% 5% 9%

So while most of us are concerned about identity theft, this is a problem area where most of us do very little to actually protect ourselves. If you talk with a friend or family member that has had to recovery their identity from theft, you will learn just how scary and time consuming that this can be. So don’t be complacent.

by Rick Kam
April 3, 2008

This conference is one of the largest IT conferences for public agencies with attendance approaching 20,000 professionals. Leading educators and technology solution providers focused on security, privacy, and “green” IT solutions.

Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.

I presented for ID Experts on the topic of how an “Independent Risk Analysis” provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:

1. The requirements that prompted congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach

ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.

by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled “Business Law Bulletin: Experian vs. LifeLock Heats Up“.

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

“According to Experian’s lawsuit, at least one Lifelock ad claims that the company’s services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone’s Social Security number to obtain a job; or against unauthorized use of a credit card.”

It is interesting to see a credit bureau that advertises their credit monitoring services as a means to help deter identity theft relentlessly (who hasn’t seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations in this area.

Mr. Bronson goes on to point out the ambiguities with LifeLock’s famous $1 million guarantee:

“Lifelock does offer a $1 million guarantee that if a customer’s identity is compromised, Lifelock will help restore the customer’s credit standing and pay the cost of doing so. However, Lifelock’s web site states that the guarantee comes into effect when a customer’s identity is compromised “due to a failure or defect in our Service”, a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)”

This is the first instance where I’ve seen someone dig into the specifics of this guarantee. The “service defect” provision certainly provides LifeLock with a get-out-of-jail-free card. Not to mention, given that it is the financial institutions who provide most of the financial fraud protection, how valuable really is a $1 million guarantee other than as a marketing gimic. I guess we’ll all find out as this lawsuit unfolds.