Federal agencies and regulators announced this week that LifeLock will pay $12 million to settle a complaint that it used false and misleading claims in its advertising. $11 million of the settlement will be paid to the Federal Trade Commission (FTC) and $1 million to 35 state attorneys general, all of whom worked together on this case.

The history of aggressive advertising by Lifelock, as well as Experian with their FreeCreditReport.com singing pirate ads, has been aimed at giving consumers a sense that they can prevent them from falling victim to identity theft.

FTC Chairman Jon Leibowitz said in a statement that:

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Illinois Attorney General Lisa Madigan concurred by saying:

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft.”

Unfortunately, this situation illustrates how a company can parlay millions of advertising dollars into a consumer franchise based on fundamentally unsound claims. Certainly a perfect example of where a real consumer need based on a serious problem — identity theft — is being addressed by a organization that isn’t playing straight with the American people.

As this comic strip illustrates, we can be our own worst enemy when it comes to exposing ourselves to risks of identity theft and crime. Increasingly, scammers will provide you with significant valid information such as your name, credit card number and issuing bank in order to gain your trust and solicit additional information such as the 3 digit card security code (CSC) with which they can more easily perpetrate various types of financial fraud.

Through twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)

Because data breaches have become such commonplace incidents, there is concern that people have become desensitized to the potential harm they face when receiving a notification letter from an organization that they’ve trusted with highly personal information, that this information has been lost or misappropriated.

A recently published report from Javelin Strategies should be a wake up call to those people.

“The Javelin report, Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud, is based on multiple years of data and includes updates on 2009 data breaches, implications of changes to the legislative landscape and the technical means by which data breaches occur.”

This report should also be heeded by those banks, healthcare organizations, government agencies, insurance companies and others that we entrust with our social security and checking account numbers, birthdates and mothers’ maiden names,  and in some cases our personal health information. There is now proof that data breach incidents put the affected individuals in harms way. The responsibility for doing everything possible to help these people address this harm — from identifying identity fraud to cleaning up the fraud — should fall squarely on the laps of these organizations.

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief- on average weddings cost over $20,000 and guest gifts range between $50-150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

• Fake vendors- these are identity thieves or card frauders. They are online, at bridal shows, and call individuals out of the blue. You may be even approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.

• Fraud vendors- this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and Giveaways should be especially scrutinized if you get a call and you “won” – there may be strings attached.

• Crooks- these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.

• Disappearing act- this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.

• Malware – There are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.

• Robocalls and junk mail – While shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.

• “In distress” scam- this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies, to being kidnapped. Often they have “been robbed” and need the money to get home. The rest is ALWAYS to wire money or send Western Union.

• YOU – of all the threats, YOU might be your own worst enemy. Many couples have wedding announcements; send emails, e-vites, wedding websites, social networking pages, online gift registries with their personal information, personal details, family details, and wedding, reception and honeymoon specifics available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles to your big day while keeping your friends, family and your identity safe.

• Assume the numbers and addresses you are using to contact vendors, get quotes, order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.

• Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.

• Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.

• Read ALL fine print carefully. TWICE.

• Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.

• Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach your “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages sent to all your friends, they should be more cautious since it is a different email than they are used to communicating with you. This will buy you enough time that you can then use your “trusted” email account to notify them all of the fraud (or better yet- call them!).

• Never send money Western Union- this is one of the few ways you can send money and never get it back. Provide contact information to their nearest consulate if you are met with this scam online.

• Limit access to personal information- If you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.

• Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend list on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day- make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.

• Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and often are generally open to the public.

Check your credit reports regularly with www.annualcreditreport.com or by calling 1-877-322-8228.  If you do experiance fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

ORAL TESTIMONY

OF

CATHERINE A. ALLEN

CHAIRMAN AND CEO, THE SANTA FE GROUP

BEFORE THE

UNITED STATES CONGRESS

committee on oversight and government reform

Subcommittee on information policy,
census and national archives

us house of representatives

HEARING ON

IDENTITY THEFT: A VICTIMS BILL OF RIGHTS

JUNE 17, 2009

Oral Testimony of Catherine A. Allen

Chairman and CEO, The Santa Fe Group

June 17, 2009

Introduction

Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, thank you for your leadership in highlighting the issue of victims of identity crime and the often long and lonely road they walk toward restoration.

I have spent most of my career in the financial services industry, most recently as founding CEO of BITS a CEO-driven nonprofit financial services industry consortium and think tank, focused on fraud prevention, cybersecurity, and payments. I grew up in a small Missouri town where my family was in banking.

Today I am involved in efforts to examine the way the financial services industry is regulated and the impact of policy on consumers. In this area of identity theft, I believe we are just at the tip of the iceberg because of growing cybersecurity threats. We think a Victims’ Bill of Rights is necessary because the victims’ voice is seldom heard.

This testimony reflects the work of The Santa Fe Group Vendor Council, which was formed in 2006 to bring together thought leaders at service provider organizations to respond to the needs of industry and its customers. The Vendor Council promotes the development of secure, best-in-class technology solutions, standards, and business processes, as well as industry best practices related to fraud, payments, cybersecurity, data protection, and identity crime.

Last fall, the Vendor Council formed an Identity Management Working Group to develop an inventory of best practices for assisting victims of identity crime and suggesting improvements in law and corporate practice to make it easier for victims to dispute false records and reclaim their identity. From this work we have developed a framework that we refer to as an Identity Theft Bill of Rights. While my written testimony contains additional, helpful background material, I will focus my oral remarks on this framework.

An Identity Crime Victims Bill of Rights

Identity crime victims deserve the same rights as other crime victims. Identity crimes can have physical, emotional, and financial impacts comparable to other crimes. While much is being done in the private and public sectors to help victims, we still lack adequate provisions for restoration, reparation, or even prosecution. Today, most identity crimes will be treated as misdemeanors or very low-level felonies, and the majority of prosecutions will be civil as opposed to criminal actions for both individuals and organized crime thefts. We need better coordination, awareness of the victim experience, and concrete steps for correcting identity records.

For the benefit of individuals, business, and society, I propose the following rights for identity crime victims:

· The right to assessment

· The right to restoration

· The right to freedom from harassment

· The right to potential prosecution of the offender(s)

· The right to restitution

Right to Assessment

Consumers who suspect they have become a victim of identity crime should have the right to assess the nature and extent of damage to their identity. FACTA already grants many of these rights, but consumers face procedural Catch-22s. Businesses and government agencies should be required to provide notice to consumers when they suffer a data breach involving loss of sensitive personal information. The present patchwork of state laws and government policy needs to be replaced with a uniform federal statute spelling out notification requirements. Clear guidelines would help businesses contain costs and limit legal liability through compliance and enhance consumer protection.

Right to Restoration

Ideally, victims should be able to restore their identities to their pre-theft state. However this is not always possible because of the complexity of the crime, especially in cases of financial identity theft. Whether or not they can fully recover, it is imperative that victims be able to establish correct records. Relevant privacy laws need to be reviewed and amended, giving victims the power to access and correct their own record in cases of identity crime.

Right to Freedom from Harassment

Identity crime victims should be protected from harassment by collection agencies and others during and after the identity restoration process. Harassment often continues unabated because business and law enforcement have no way to distinguish victims from debtors and thieves. To combat this some states are issuing identity theft “passports” to verify that the carrier has been a victim of identity theft and help the person prove his or her identity. How effective these documents are remains to be seen, but a system that actually verifies victims is needed

Right to Potential Prosecution of Offenders

One of the great frustrations to identity crime victims is the lack of business and law enforcement resources to prosecute identity thieves. Of course, law enforcement needs to balance priorities and budgets, and business must weigh the costs and benefits of prosecution. However, these organizations need to also take the long view on the impact of identity crimes:

· First, identity crime continues precisely because it pays. Second, the FBI and Secret Service have found that where there is one victim, there are more. So instead of writing off the costs of an individual case, organizations should consider that for every instance of identity crime, there may be many others as yet undiscovered or yet to be committed by the same crime ring or individual.

· Third, not all the costs of identity crime are immediately visible or measurable.

Right to Restitution

Identity crime victims can spend hundreds of dollars and dozens of hours, and can experience untold misery during the process of restoration. They deserve restitution, the same as victims of other crimes, yet a study by the Center for Identity Management and Information Protection shows that defendants were ordered to pay restitution in only about a third of the cases studied. Restitution will help make victims whole, sends a message that identity crime is real crime, and helps ensure that when perpetrators are caught, identity crime does not pay.

Recommendations for Protecting Victims’ Rights

In summary, my testimony today advocates for the following legislative actions to help victims:

· Enact a uniform scheme across industry and government to assist identity theft victims that includes the Identity Theft Victims’ Bill of Rights

· Create a national standard of identification — one that cannot be forged by identity thieves — that victims can use to distinguish themselves from thieves and identify themselves to businesses, law enforcement and others.

· Expand the definition of “compensable crime” under federal and state law to include identity crime.

Additionally, there are some steps that could be taken right now to strengthen victims’ rights and help stem the tide of identity theft:

1. Invest in independent research on the effects of identity crime. To make fully informed decisions, we need a thorough understanding of the costs of identity crime. There are too many unanswered questions about what’s happening in policy, industry, and law enforcement. Public funding should be made available. We need to get beyond the anecdotes to understand the connection between data breaches and identity theft.

2. Create standard dispute procedures in industry and law enforcement. Upon resolution, victims would receive standardized, verifiable letters proving that issues had been resolved.

3. Empower the FTC to oversee victims’ rights. The FTC should be charged with oversight of proposed policies for cohesion across national laws for effectiveness, and to anticipate and prevent unexpected consequences. This should include ensuring that law enforcement is investigating identity crime cases consistently and effectively.

4. Include identity theft victims’ rights in any dialogue about a Consumer Financial Protection Agency. If a proposed agency focused on financial products and services emerges, financial identity theft policies and education might be considered under its jurisdiction and should be included in the dialogue.

Conclusion

Thank you for this opportunity to present on the plight of victims and the Victims Bill of Rights, and thank you, again, for your leadership. I would be happy to answer any questions.

Scammers and identity thieves often take advantage of fears, hopes and dreams. This is what makes some of their crimes so emotionally devastating to victims. Often the fraud or scam they are running appears to be the only hope in the victim’s life, until the true intentions are revealed.

Current events are always a draw for scam artists, and exploiting consumers by playing on their most vulnerable emotions remains the most lucrative sources of income. Before you hand over information or money, stop and think about how emotional you are at that moment. If your emotions are running high, maybe it is time to cool it. Ask if you can come back tomorrow, or call them back at another time. If they insist that it must be done right away, or otherwise hurry you- it is probably a good sign that this is a scam. Scammers don’t want you to take the time to check with the Better Business Bureau or your local police- they want your money now, and they will tell you whatever you need to hear to believe that “time is running out” or it is a “limited offer”.

Particularly during this tough economic state, people are turning to others for help and are often taken in by crooks. When you combine this fear with a confusion about where to access legitimate resources, you are asking for trouble. Many Attorney General’s offices, privacy bloggers, and security professionals have made an effort to bring exposure to the real assistance available to those who are experiencing woes during this recession. Thanks to their efforts, I have compiled a Guide to Identity Theft and the Recession which can be found here.

Do you know of additional resources or scams I did not mention? Please comment below, or follow us on Twitter @idexperts

 

 

 

By Rebecca Seaman

In this tough economy, many of us are actively searching for employment. In most cases, quite a bit of personal information is required to get hired. The question is when and under what circumstances should you disclose this personal information?

If you are just placing an initial application, the potential employer needs to know your name, relevant work history, and little else. They do not (In most cases- specialized or Federal positions may be an exception) need or require your Social Security number, drivers license number, maiden name, etc. In fact, I personally will not even provide detailed address information on my resume or initial applications. I simply provide City, State and Zip Code. This information is private and should not be required to secure an interview.

When will you need to provide more detailed personal information such as Social Security number? My advice is only after you’ve had an interview and the employer has expressed an interest to bring you aboard contingent on a background check. If your potential employer is not requesting a background check, then I suggest you only provide sensitive information once an offer has been extended and you are filling out tax documents.

Please be sure to safeguard your personal information, even when job hunting. I have personally seen initial applications asking for sensitive information, but it is never a required field by law. Remember, what you transmit over the internet has the potential to become exposed.  If you have any doubts at all, please research the company with the Better Business Bureau or your state AG before giving any organization your Social Security number.

Technology Review, published by MIT, has an article that is highlighting a personal crusade of mine. Your secret questions are not all that secret! I’ve said many times that most security questions are answered truthfully, and most of those are easily obtained or guessed. What town you grew up in, what high school you attended, what your pet’s name is are all probably either in public record or on your own profile page somewhere. Several chain-letter-type surveys that ask you to answer your teacher’s name and the street you grew up on in order to provide you with a “Rock Star” name are often a clever scam to get people to reveal the answers to these questions. From there, they only have to click on the “I forgot my password” link on email or websites to gain access to your accounts, profiles, identity and contact list. They may start contacting users in your address book, trying to scam money or personal information- creating a nightmare of fraudulent activity and impersonations to try to resolve.

Sarah Palin’s hacker gained access to her account in this way. As a public figure, much was on Wikipedia and other websites about her life which together provided the answers to her security questions. The lesson to learn here is that our LinkedIn profiles, business contacts and networking efforts may appear enticing to identity thief. Researches from Microsoft and Carnegie Mellon University show that the secret questions are typically insecure. “In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.”

More alarming:

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.

Remember, the easier it is for you to remember- the easier you make it for others to guess. The most secure method would be to create your own password for each security question, with special characters and number. However, realistically, most people will have to sacrifice a little security for convenience. I have always recommended coming up with your own secret question plan. When asked about your pet, give your best friend’s middle name. When asked about the town you grew up in, always answer with your shoe size and so on. This should cut down on the likelihood of a successful attack.

Did you know that that you can register your plans to travel abroad with the Bureau of Consulate Affairs to assist you in the event of an emergency or crime?

Travel registration is a free service provided by the U.S. Government to U.S. citizens who are traveling to, or living in, a foreign country. Registration allows you to record information about your upcoming trip abroad that the Department of State can use to assist you in case of an emergency. Americans residing abroad can also get routine information from the nearest U.S. embassy or consulate.

This can be very helpful if your wallet is stolen or you are mugged abroad and need help contacting the appropriate agencies and companies state side. Remember that traveling puts you at greater risk of identity theft. Unfamilar people and places, the widespread use of your information for hotels and other purchases can not only lead to identity theft- but make it more difficult to recover from when you return. Look up information about the country you are visiting at Department of State’s website and make sure you are aware of any warnings or advisories there may be about identity theft and fraud in the country you are visiting.