Identity Theft

Mar 2, 2006 8:00 AM

Lcha :

Despite my shredding of everything that leaves our house with ous names on it for years. Despite the 3 levels of software security(antivirus, anti-spyware, and zonealarm, all updated) and a hardware firewall. Despite my being careful about what personal information I share, I have become the victim of identity theft.

Let me say right now that the only way I caught this in a timely manner was that I was using a credit watch service. So when anything changes on my credit reports, I get an e-mail. This literally saved my butt and mitigated the damage. I highly encourage using a credit watch service.

In mid January, 2006, I recieved an e-mail from this service informing me that there was an address change on one of my little used credit cards. I contacted the credit card company, determined it was fraudulent and discovered that there was a fraudulent charge. The card was cancelled and the charge was reversed.

I then put a fraud alert on my credit files. I filed a police report with the local law enforcement agency. A week later I discovered that this bogus address that was given to the credit card company was transmitted by that company to the credit agencies through their normal monthly updating. So now I have a bogus address, being listed as a previous address luckily and not a current address, in all my credit files. So, now I had to go through the dispute process with all 3 credit agencies.

Until this week I was thinking this might be a one off identity theft. But, 2 days ago I get a call from AT&T security. Someone was trying to set up phone service with my information and the fraud alert in my credit file alerted them to call me before an account was set up. I told them this was a fraudulent account and they gave me some info on who was doing this. Probably a bogus address is all. I passed this on to the local shefiffs dept.

So, this is where I am at. Someone has my personal info and is trying to use it to set up accounts. I have been very lucky in that I have caught this early. Some people don't discover this until loans have been taken out. At that point it takes YEARS to clear things up.

This timely e-mail was sent to me by ConsumerReports:

<b>Dear Larry,

Dozens of companies, schools, and agencies routinely ask you for your Social Security number--along with other sensitive information about you. Unfortunately, they don't always keep your information safe.

Last year, data security problems put 55 million

Mar 2, 2006 8:37 AM

Lcha :

honeyoneohone, I am VERY confident my info was not stolen from my computer OR my home. I believe it was probably stolen from some business. I only mentioned my computer to show that I have been deligent on MY end from trying to keep this from happening.

I also changed my passwords on my online financial accounts and spoke with representatives of the financial firms to let them know what was happening and to see if they can do anything to heighten security measures on my account. I also let them know that I was not happy or comfortable with the Username/Password only method used to access my accounts. I told them my bank, Bank of America, had been instituting extra measures to verify my identity before being allowed access to my account, measures I am in favor of, and that they need to look into enhanced measures as well.

Mar 2, 2006 9:32 AM

PEIC :

You said "Let me say right now that the only way I caught this in a timely manner was that I was using a credit watch service. So when anything changes on my credit reports, I get an e-mail. This literally saved my butt and mitigated the damage. I highly encourage using a credit watch service."

What credit watch service do you recommend?

thank-you

Mar 2, 2006 11:02 AM

Lcha :

I have only used one service and that is the one from Equifax. www.equifax.com

I can't say if this is the best or the cheapest. The Equifax service monitors all 3 credit reporting services. You can even set it up to send you a text message to your cell phone.

It really bothers me that we have to pay $10 each time just to see our credit file on a regular basis. It's a nice little racket the credit services have going. Make people pay to keep track of the inaccurate data and fraudulent accounts that should never get in the file in the first place. The worse job the credit services do, the more people will sign up for the extra services.

Mar 2, 2006 11:40 AM

Lcha :

Here is a link to a nice site with lots of identity theft resources set up by the Federal Trade comission.

http://www.consumer.gov/idtheft/

I filed an official complaint with the FTC as well on my case.

BTW, the local fraud investigator at the Fort Bend County Sheriff's Dept told me that unless there are hundreds of related fraud cases or unless the dollar value of an individual case is in the upper tens of thousands or hundreds of thousands, nothing much will really get done. The law enforcement resources are just not there.

Mar 2, 2006 12:08 PM

peter norwest :

whats really dangerous here is outsourcing. It just a matter of time. If you guys call CSR make sure you are talking to people here. Even the IRS efile it goes to another country. Use the software but file by mail. I don't care if I don't get my money in 5 days. People here who does this theft at least has accountability.

Mar 2, 2006 8:16 PM

AL_W :

.
Fed law went into effect about 18 months allowing you to check you credit record at each of the big 3 once a year for free.

https://www.annualcreditreport.com/cra/index.jsp

This is the truely free access point. The site the Feds forced them to create. No hidden krap behind a 90 day free banner. Try a search engine search. It's not easy to find. Several close Imps. Oh yes, they are allowed to, and do, try to sell you an enhanced report with you FICA score, but you can skip all of that krap.

Now, why anyone would want to check all three at once, I don't know, but according to what I've read, that's the norm. In reality, the Big 3 share their data almost 100% with each other. For me, I've checked each one separately 4-5 months apart. Not quit as good as a 'report it now' service, but a lot better than nothing. And the price is right. They do get an e-miil address out of you, so you might want to give them an Yahoo or Google address.

I totally agree with lcha. They've made a business our of getting people to pay just to correct the system's poor ( call it cheap ) record reporting.

Mar 3, 2006 6:58 AM

Lcha :

AL_W, in checking my 3 credit reports I found small differences between them. A wrong phone number on one and not the others. My main credit card was listed as inactive on one but not the other two. So, you can't assume that the reports are clones of each other.

The other thing I would like to stress is that the once a year free credit report is not enough. I would say 4 times a year with a credit watch. Due to my circumstances I will be checking it every month for the next year. A nice $300 for the credit agencies.

In addition to the credit card address change and the attempted phone account, there was an inquiry, and not just a promotional inquiry, by American Express. I wrote them immediately and stated I did not make the inquiry and am not trying to establish credit and if anybody is then it is fraudulent. This was probably another failed attempt that was thawarted by the fraud alert and my being on top of things.

Mar 3, 2006 12:11 PM

Steve Thompson :

Icha, this is not a reccomendation but I would like your opinion. Do you think it would be worth buying identity theft insurance? Is it cheaper than the service you are using? Looks like it would be nice to have should you need it. i.e. the Recovery and Reimbursement coverage.

http://www.zanderins.com/idtheft/idtheft.aspx

Like I said, do you think it is worth considering or is it another thing to pay for that you have little chance of using? TIA

Mar 3, 2006 2:56 PM

Lcha :

SteveT,
When you sign up for the credit watch service with Equifax, they give you $5000.00 worth of identity theft insurance. To be honest I have not examined the terms closely.

So far I am out exactly $0.00 is cash. It has cost me time. Will they pay for my time? How much? I really doubt I will get reimbursed for my time.

Now, if I had not caught this for a year and had 7 accounts opened in my name and was hiring lawyers and such to get me out of the mess, I think the insurance would cover that. But, insurance or not, I personally don't want to ever GET in that position so I am not hot on the idea of theft insurance to cover it. My 'insurance payments will be the credit watch charges and the credit report charges. This year both will total about $400.

Mar 4, 2006 1:03 PM

Steve Thompson :

Thanks for your opinions and info. Found this site that may be of help to others here.

http://www.idtheftcenter.org/index.shtml

Mar 6, 2006 7:50 AM

Lcha :

<b>Lcha here: I did not realize one could do this. It was never mentioned by anyone that I have talked to so far. I am setting this up today.</b>


March 5, 2006, 7:28PM
Security freezes can limit ID theft
Such laws give consumers more control over credit

By EILEEN ALT POWELL
Associated Press

NEW YORK - About three years ago, Michael Steiner got a call from a bank asking him to confirm that he had applied for a $20,000 personal loan. He hadn't, but someone using his name was seeking that money — as well as loans totaling $68,000 from other institutions.

Steiner, a certified financial planner with RegentAtlantic Capital in Chatham, N.J., was a victim of identity theft. And after months of dealing with bank security officers, collection agencies and law enforcement officials to clear his own record, he's become an advocate for practices to protect others from similar distress.

"The bottom line is that you can't totally insulate yourself from ID theft," Steiner said. "But there are measures you can take to greatly reduce the risk."

Consumers have a growing arsenal to use in the war against identity theft. Under the Fair and Accurate Credit Transactions Act of 2003, they are entitled to free copies of their credit reports each year from the three major credit bureaus — Equifax, Experian and TransUnion — so they can check them for accuracy.

The FACT Act also allows consumers to put fraud "alerts" on their credit bureau reports if they believe someone has stolen their Social Security number, credit cards or other personal data. Once the alerts are in place, the banks and retailers who use the reports are supposed to do extra investigation before granting new credit in the consumer's name.

But these measures deal with ID theft after it's happened, not before. As a result, there's growing support for security "freeze" laws that allow consumers to block access to their credit reports unless the consumers give lenders permission to see them.

A dozen states have enacted freeze legislation, according to Edmund Mierzwinski, consumer program director for the U.S. Public Interest Research Group in Washington, D.C. They are California, Colorado, Connecticut, Illinois, Louisiana, Maine, Nevada, New Jersey, North Carolina, Texas, Vermont and Washington.

In most cases, the credit bureaus are allowed to charge a fee of about $10 for consumers who are not ID theft victims to order or lift a freeze on their reports.

Rules vary widely
Some

Mar 6, 2006 4:38 PM

Bob Eldredge :

Thx for all this info! BobE

Mar 7, 2006 2:11 PM

Lcha :

Just got a call from Sprint security. Looks like someone in Las Vegas tried to set up an account with my info. At least these big tele companies are checking up on the fraud alert.

I sent in all the paperwork to put a permanent security freeze on all my credit files. Now, no info can leave my files without my explicit permission.

The problem is, however, there are some companies that will extend service to people without even checking a credit file. I'm not sure what happens in that case. I'll just cross that bridge when I come to it.

Mar 9, 2006 9:57 PM

AL_W :

lcha, talk about irony....

Late this afternoon, my wife got an "invalid transaction" msg when she used her ATM at a major food store. She though she may have messed up with her pin, and being in a hurry she just paid for it with her credit card.

After dinner, we went shopping, and her card came back with same "invalid transaction" msg. My ATM worked just fine.

Getting home, we called the bank and found out the ATM account had been closed out at a branch. No address change, no owner name change, no money transaction, just an ATM account close on 3/7.

At this point in time, I'm inclined to think someone fat fingered an ATM number and inadvertantly closed her ATM.

Needless to say, I'll be keeping my eye on things real closely for a while.

Mar 10, 2006 6:05 AM

Lcha :

AL_W, the account closing may be more benign for you. The ATM account may have been closed by the bank.

Yesterday it was reported that THOUSANDS of debit card pin numbers have been stolen. Fake cards were created using these pin numbers and peoples bank accounts were being drained. So, many banks cancelled customers cards, temporarily.

Did you know that companies are KEEPING the pin number you type in at the little pad? Most probably don't know they are even doing it as it is the software that is storing these pin numbers. Hackers have figured this out. The fact that these pins are being stored and the companies may or may not know about it is just part of the overall problem of lax security of our personal and private data.

On another note, I will not use debit cards. There are 4 reasons for this:

1) While I have several credit cards I only have 1 checking account. If someone messes with my credit card I just use another. Changing my checking account is a much bigger hassel.

2) If someone fraudulently charges $2000 on my credit card I notify the bank and at most I am liable for $50 by federal regulation. Debit cards have no such $50 rule by regulation. Banks 'offer' this to their customers but they don't have to.

3) If fraudulent charges appear on my credit card I simply don't pay them. So I have no out of pocket losses. If someone steals from my debit card, my account is immediately debited. I lose the money until I can fix things. Other checks may bounce as there might not be funds to cover them. Big hassel.

4) I get air miles on my credit card. We get 2 free round trips a year on my SW Airline card and my wife and I go to Vegas. Since I NEVER carry a balance on my credit cards, it's a free trip.

In addition to Vanguard and Fidelity I talked to T.Rowe Price yesterday about their security. Especially online and telephone access. I suggested that in the future I will be making decisions on where I invest in part based on my perception of their security efforts. The rep was typing frantically in the background so I think a customer suggestion will at least get read by someone. If you are at all concerned about your data security I suggest you(plural) voice your opinion to the banks, brokerage firms and mutual fund companies that you deal with.

Mar 10, 2006 9:29 AM

Lcha :

I just got off the phone with American Express. Seems someone has bilked them out of $13,000 under my name. It is all taken care of on my end so no problem for me except enduring a 45 minute phone call with 3 parties.

But...why was this account even opened when I have a fraud alert on file? No good answer from them.

I also told them that when I saw American Express had made an inquiry on Jan 26th, I immediately sent them a letter stating that it was not by me and is probably fraudulent. I even documented that act on this very thread a while back. So, they had 2 chances to not lose $13000 and blew both of them.

Luckily, the detective I am relaying all this information to says American Express is VERY good at pursuing fraud cases and $13000 is a large enough amount to pursue. This will be a first as no one else has been interested in following up who the fraudsters are so far.

I have been doing a little research on suing creditors and credit bureaus. I'm starting to feel a tad litigous lately. :)

Kirk, I'll put out some info on freezing credit a bit later.

Mar 10, 2006 1:11 PM

peter norwest :

everday seems like identity card is looking attractive

Mar 10, 2006 1:27 PM

Lcha :

<b>Security Freeze</b>

There are some web sites with some really good info on putting a security freeze on your credit file. Especially if you live in CA. Here's one:

http://www.privacy.ca.gov/sheets/cis10securityfreeze.htm

It gives addresses and steps to take for each of the credit agencies, FAQ style.

TransUnion has a decent Security Freeze FAQ at:

http://www.transunion.com/content/content.jsp?id=/personalsolutions/gener al/data/SecurityFreezeFAQ.xml

I hope the links are not too big.

These two sites should give you most of the info you need. There are some State differences in the laws governing security freezes however. In CA, for instance, anyone can set up a security freeze. In TX, you have to be the victim of identity theft and have a police report filed.

To me there is NO downside to a permanent security freeze. For the one time every few years I need a business to access my credit files, I can lift the freeze temporarily to allow that. For the remaining 363 days a year I really don't WANT anyone accessing my files. So, now that I am a identity theft victim, I plan to leave my security freeze in place forever.

Note: Not all businesses consult a credit report before providing a service but most do if the $$$ are anything near substantial. Also Title 15 of the U.S. Code, Section b and e states:

<b>b) Burden of proof
In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.

(e) Scope of liability
Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.</b>

So, it is not my responsibility to prove that it was NOT me that made a transaction, it is the responsibility of the party that authorized the transaction to prove it was or was not me. This is a big deal and I am planning on suing the first company that violates this code by adding derrogi

Mar 10, 2006 4:59 PM

AL_W :

"The ATM account may have been closed by the bank. Yesterday it was reported that THOUSANDS of debit card pin numbers have been stolen. "

lcha, we've already been through that one. One of the kid's ATM card was involved about 40 days ago. They sent a new card with a letter and told us the old card would terminate in 10 days. Cards at Wells Fargo and BofA were effected. It was inside data at a third party company that got out.

A quick check this afternoon shows all quiet in the accounts.

The wife's and mine cards are ATM's only. No Visa link. They are only used at large name places.... Longs Drugs, Safeway Foods, etc. No Mom&Pops. No third party ATM's. Integrity of the system is important, and along the line of what you've posted, and a computer under the counter just doesn't cut it. Most transactions are via Credit Card. Then it's their money that is at risk, not mine.

This kind of stuff is never going to go away. Biometrics won't help when someone can intercept the data.

I do some banking with USAA. A few years back, they called having noted two transactions in England, the first for $15 at a Rexall Drug Store, the second an hour later for $80 something at a clothes store, and nothing else that would indicate travel was occurring. Of course the account got closed, but since I was picking up a new computer system that afternoon, they marked my file as such, and when I called, they opened it up, the vendor initiated the transaction, the agent confirmed that was the vendor and amount to me, allowed the transaction to complete, and then closed it again. Now, that's service! New cards arrived in few days.

Smarter systems systems is the only way to fight this. Telling of A/E that their systems are still stupid.

Mar 23, 2006 9:07 AM

Lcha :

Here is what I didn't see in this article that I wanted to see. A Fidelity spokesperson saying that all client data residing on company laptops are encrypted using the most robust encryption methods known to mankind and that even if somebody DOES try to access the client files they would be unsuccessful.

I didn't see that. If these client files were not encrypted Fidelity should be held <b>criminally and civilly negligent.</b> NO EXCUSES!

If I were a Fidelity customer I would call or write Fidelity IMMEDIATELY voicing your concerns on their data security protocols. I would suggest to them that your future business with Fidelity will, in part, be based on your perception of their data security integrity.

Without input from their concerned customers, they will not have the motivation to beef up their security measures.

And yes, I have spoken with the 3 big mutual fund companies that I deal with on the security issue and have told them what I described above.

Mar 23, 2006 9:10 AM

Lcha :

I now have a security freeze on all 3 of my credit files. This is permanent until I change it. I have pin numbers for each credit bureau so that I may temporarily lift the freeze when the need arises.

I am not out of the woods on this issue by any means but I feel much better with the freezes in effect.

Mar 25, 2006 4:58 PM

Charlotte Frederick :

I could not agree more. Where and when do we start going after these incompetent jerks?

Mar 25, 2006 5:00 PM

Charlotte Frederick :

I think it is time for a class action suit against Fidelity and HP? What about it retirees?

Apr 17, 2006 9:29 PM

Teeauna Woods :

Guards against Identity Theft. For more info visit www.prepaidlegal.com/HUB/teeaunawoods

Apr 25, 2006 8:48 AM

Bob Eldredge :

I got a call last nite asking for me by name. He said he was from paypal. He ask if I'd paid for a couple of items with a visa card, I had not. He said someone was making purchases in my name. He ask if I was familiar with a website, I did not recognize it. He did not ask for, or read the card # to me. He did ask for my email address & I gave it to him. He said he would also mail the info to me. Here is the email he sent last nite. OK, this is starting to look like phishing.. I opened a paypal acc several yrs ago, I never used it at all.
========

Mon, Apr 24, 2006 08:06 PM
Thank you for contacting PayPal with your concern.

In order for PayPal to begin processing the credit of any stolen funds back
to your credit card, bank account, or PayPal account balance, please follow
the instructions below:

1. Completely fill out affidavit.

2. Sign the affidavit.

3. Attach a copy of your credit card statement or bank statement
showing the transaction(s) in question

4. Mail the completed affidavit and copies of the appropriate
statements to:
PayPal Investigations
Attn: Unauthorized Activity Affidavit
P.O. Box 45950
Omaha, NE 68145

If you have any additional questions or concerns, please contact via
webform at https://www.paypal.com/.

If you have any further questions, please feel free to contact us again.

Sincerely,
Miguel
PayPal Account Review Department
PayPal, an eBay Company

Apr 25, 2006 12:53 PM

Steve Thompson :

They contacted you first but start by saying in the e-mail

<b>"Thank you for contacting PayPal with your concern."</b>

Yup sounds phishy to me.

Apr 25, 2006 6:25 PM

AL_W :

BE6,

Do you have a PayPal Account referencing that credit card?

If not, and if any charges show up, I'd complain to the card company that PayPal is phishing.

If you have an PP account referencing that card, you need to ask for resolution with ( read that as WORK WITH ) the vender first, after which you may challenge the charge via the card company.

Apr 25, 2006 6:53 PM

AL_W :

Interesting reading about PayPal:

http://msnbc.msn.com/id/3078504

Apr 26, 2006 6:05 AM

Lcha :

Paypal tries hard to get you to become a 'Verified' customer. Getting verified means you link your bank account to Paypal. Great for them as then they can debit your bank account of those pesky chargebacks you initiated.

The Paypalsucks.com site is a good site for exposing some of the consumer unfriendly TOS users gloss over when signing up for an account.

Apr 27, 2006 9:17 AM

Bob Eldredge :

Today I checked & there were 4 charges for just over $300 all on Tue 4/25. I'm glad paypal alerted me, even if I did think it was a bogus call. Just called Visa, acc now closed & new card being sent. He said he would also report this to the 3 bureaus.

Hoping this is the only pblm. I haven't found anything else as yet, other cards, bank, etc.

May 4, 2006 7:13 AM

Lcha :

<b>Q. What could a boarding pass tell an identity fraudster about you? A. Way too much

A simple airline stub, picked out of a bin near Heathrow, led Steve Boggan to investigate a shocking breach of security</b>

Wednesday May 3, 2006
The Guardian

This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing gum wrappers and baggage tags, cast off by some weary traveller, when I first laid eyes on it just over a month ago.

The traveller's name was Mark Broer. I know this because the paper - actually a flimsy piece of card - was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number. The stub you probably throw away as soon as you leave your flight.

It said Broer had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It also told me he was a "Gold" standard passenger and gave me his frequent-flyer number. I picked up the stub, mindful of a conversation I had had with a computer security expert two months earlier, and put it in my pocket.

If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport.

It would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US - and raise serious questions about the sort of problems we can expect when ID cards are introduced in 2008.

To understand why the piece of paper I found on the Heathrow Express is important, it is necessary to go back not, as you might expect, to 9/11, but to 1996 and the crash of TWA Flight 800 over Long Island Sound, 12 minutes out of New York, with the loss of 230 lives. Initially, crash investigators suspected a terrorist bomb might have brought down the aircraft. This was later ruled out, but already the Clinton administration had decided it was time to devise a security system that would weed out potential terrorists before they boarded a flight. This was called Capps, the Computer Assisted Passenger Pre-screening System.

It was a prosaic, relatively unambitious idea at first. For exam

May 6, 2006 11:23 AM

Lcha :

<b>This is a really nice feature. For MBNA the program is called ShopSafe and is VERY easy to set up.

Best use. Those ultra cheap 'trial subscriptions' that recur if not cancelled. With a temp cad number, if you cancel you can be assured that you will not be re-billed because the card number will not be good anymore.</b>


<b>Temporary Card Numbers Increase Security, Save Time
</b>
January 03, 2005
Filed under: Credit Cards Identity Theft

Sure, your credit card protects you from unauthorized charges and limits your liability when your card number is stolen. But what about the time you must spend straightening out card theft? Read how single-use temporary credit card numbers increase security and save you time.

Whenever you use your credit card, there's a small chance that someone will steal your card number. Your card or number can be physically stolen from your wallet, copied by a thieving employee, or stolen from a merchant's customer database by hackers over the Internet. Thankfully, federal law limits your liability for credit card fraud to a maximum of $50. Some credit issuers, such as VISA, go beyond the federal requirement and limit your liability to $0. No matter how many plasma TVs the thief purchases with your card, your money is protected.

Your money may be safe, but your time is not. Credit card theft (and other types of identity theft) may take several hours of your time to resolve. You must call the credit card company to notify them of the card theft or unauthorized charges, write letters disputing the charges, and request that the credit bureaus place a fraud alert on your report. For many, dealing with card theft requires taking time off work, which could in lost income or vacation time. Remember the old adage: time is money.

You can reduce your risk of card theft online by using temporary single-use card numbers. Most credit card companies will issue temporary card numbers for online use that are valid for only one transaction. The temporary card number is linked to your credit card account, and works just like your normal credit card. However, once the temporary number is used, it expires. Even if the temporary card number falls into the thieving hands, it's completely useless.

<b>When you use a temporary card number, you need not worry about your credit card number being stolen. Temporary card numbers are accepted anywhere where your normal credit is accepted. Since they are only valid for one transaction, tem

May 24, 2006 1:18 PM

Lcha :

<b>This IS outrageous! As I experienced, the faster you discover the theft, the easier it is to mitigate. Now some of these folks are already 2 MORE weeks behind. The theft of the data is bad enough. The cover-up is criminal. Shameful!</b>

Data theft not reported for two weeks
VA secretary expresses anger over agency's decision to keep burglary quiet

WASHINGTON - Under intense bipartisan fire from Capitol Hill, Veterans Affairs Secretary Jim Nicholson said Wednesday he was outraged by his agency’s decision to keep the theft of veterans’ personal data quiet for two weeks.

“I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.

“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.”
Story continues below &#8595; advertisement

He said he had asked the department’s inspector general to expedite an investigation to determine who was responsible for the time delay in revealing the burglary.

Nicholson’s remarks came amid growing outrage from lawmakers over the May 3 theft, which involved the birthdates and Social Security numbers of 26.5 million veterans. The VA employee had taken the information home without authorization.

Take him ‘into the woodshed’?
On Wednesday, Sen. Patrick Leahy said President Bush should call Nicholson “into the woodshed” because of the data theft. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning.

“It all adds up to a heckuva bad job for America’s veterans,” said Leahy, D-Vt. “The President should call Secretary Nicholson into the woodshed for a serious shake-up in how the VA is run.”

Burglars on May 3 took the government-owned laptop and disks from the VA employee’s suburban Maryland home. The equipment contained information mainly on veterans discharged since 1975.

But the FBI was not notified until late last week, two law enforcement officials said Tuesday, a move that delayed a warning to veterans now at risk in one of the nation’s largest security breaches.

The Senate Homeland Security Committee and the Committee on Veterans Affairs said they would hold a joint emergency hearing Thursda

May 30, 2006 7:07 AM

Lcha :

PHOENIX — In a Scottsdale police station last December, a 23-year-old methamphetamine user showed officers a new way to steal identities.

His arrest had been unremarkable. This metropolitan area, which includes Scottsdale and Phoenix, has the highest rate of identity theft complaints in the nation, according to the Federal Trade Commission. Even members of the Scottsdale police force have had their identities stolen.

<b>But the suspect showed officers something they had not seen before. Browsing a government Web site, he pulled up a local divorce document listing the parties' names, addresses and bank account numbers, along with scans of their signatures. With a common software program and some check stationery, the document provided all he needed to print checks in his victims' names — and it was all made available, with some fanfare, by the county recorder's office. The site had thousands of them.
</b>
The data were not as rich as some found in stolen mail or trash bins. But for law enforcement officials here, this was another turn in a cat-and-mouse game in which criminals have outpaced most efforts to stop them.

"We're trying to keep up with the technology," said Lt. Craig Chrzanowski, who runs Scottsdale's property crimes division, including a computer crimes unit started two years ago. "But they're getting a lot better."

In an economy that runs increasingly on the instantaneous flow of information and credit — aggressively promoted by banks and credit card companies despite the risks — Phoenix and its surrounding area provide a window on one of the system's unintended consequences.

<b>According to a Federal Trade Commission survey in 2003, about 10 million Americans — 1 in 30 — had their identities stolen in the previous year, with losses to the economy of $48 billion.</b> Subsequent surveys, by Javelin Strategy and Research, a private research company, found that the number of victims had declined to nine million last year but that the losses had risen to $56.6 billion.

<b>In Arizona, one in six adults had their identities stolen in the last five years, about twice the national rate, according to the Javelin survey.
</b>
Arizona officials have responded with a preventive mantra: shred all documents and avoid giving Social Security numbers or bank account numbers to strangers over the telephone or the Internet. The State Legislature has passed tougher penalties for people caught stealing or trafficking in stolen identities.

Jun 2, 2006 9:58 AM

Bob Eldredge :

Does this sound like something worthwhile? BobE
http://dallasdigest.mywowbb.com/forum2/16561.html

Jun 9, 2006 12:43 PM

Lcha :

We need some strong laws to make not disclosing personal data theft a federal crime. The best way to mitigate identity theft damage is to get on it early and these people who hide data breaches are making that impossible. Very soon there will be some lawsuits by I.D. theft victims against some of these nondisclosures.

<b>Energy Department Officials
Weren't Immediately Told
Of Personnel-Data Breach</b>
Associated Press
June 9, 2006 2:55 p.m.

WASHINGTON -- <b>A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear-weapons agency.

But in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior department officials were told only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.
</b>
The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton Brooks told a House hearing that he learned of the security break late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.

Mr. Bodman first learned of the theft two days ago, according to his spokesman.

"He's deeply disturbed by the way this was handled," said Craig Stevens, a spokesman for Mr. Bodman.

Rep. Joe Barton (R., Texas) chairman of the Energy and Commerce Committee, called for Mr. Brooks's resignation because of his failure to inform Mr. Bodman and other senior DOE officials of the security failure.

The House Energy and Commerce oversight and investigations subcommittee learned of the security lapse Thursday evening on the eve of its hearing on DOE cyber security, said Rep. Ed Whitfield (R., Ky.), chairman of the panel.

The issue dominated lawmakers questioning of DOE officials at the hearing. After an open session, the subcommittee continued questioning Mr. Brooks and other officials about it at a closed session because of the security implications.

Although the compromised data file was in the NNSA's unclassified computer system -- and not part of a more secure classified network that contains nuclear weapons data -- the DOE officials would provide only scant information about the incident during th

Jun 9, 2006 5:57 PM

:

AMEX used to have such a system which I was very happy with, until they discontinued it without explanation.

Do you know of a credit card company that still has single-use credit cards?

Jun 11, 2006 11:03 AM

Lcha :

<b>
Do you know of a credit card company that still has single-use credit cards?</b>

Yes Norm, MBNA lets you do it very easily online. They call it ShopSafe.

Jun 11, 2006 5:16 PM

Lcha :

<b>I guess the card issuer is at risk when they open new cards so easily</b>

Exactly. And American Express was ripped off for $13,000 in my name. In thye end we ALL pay through higher interest rates. At least those that keep a balance.
<b>
I get several emails a week where I have to log into the damned web site then click some links just to find out my Blue Cross payment went through and set off a trigger.</b>

I got the same type of useless false alarms for 3 years before I got a 'real' alert. I always looked at every alert though. With Roboform my login to Equifax is fast and just one click so the whole things takes maybe 1 minute.

Jun 16, 2006 5:36 PM

Lcha :

<b>Rapid Response Is Best Defense Against ID Theft
</b>
By Brian Krebs
washingtonpost.com Staff Writer
Friday, June 16, 2006; 2:54 PM

It may have already happened to you: A letter arrives in the mailbox from your bank or alma mater, stating that a hacker break-in or lost laptop may have compromised sensitive data on thousands of people, and that you may be among the unlucky ones. What to do?

<b>As a potential identity-theft victim, your first step is to "move quickly and in an organized way" before the thieves attempt to use the information, said Betsy Broder, assistant director of the Federal Trade Commission's division of privacy and identity protection.</b>

In the past 15 months, corporations, universities and other organizations <b>alerted more than 85 million U.S. consumers that their personal or financial data might have been compromised due to data breaches,</b> disgruntled employees or just plain incompetence. While consumer data leaks don't automatically result in financial losses or cases of identity theft, experts say your chances of becoming a victim depend on how well you know your rights and how rapidly you spring into action.

A speedy response is most important in cases where a data breach or loss involves a consumer's Social Security number, which can be used to open new lines of credit in the victim's name.

The FTC recently made available on its Web site downloadable form letters and worksheets to help people navigate the myriad steps often required to repair such damage, Broder said.

<b>"It's essential that people document each and every step they take in this process," Broder said. "It can be daunting to get through this, but ... people [should] be careful and deliberate in how they go about it."
</b>
Any potential theft of a Social Security number should immediately be reported to one of the three major credit bureaus, said Beth Givens, director of the San Diego-based nonprofit Privacy Rights Clearinghouse. That report should include a request that a 90-day fraud alert be placed on your credit files (consumers have the right to renew this alert indefinitely, but they must contact one of the credit bureaus every three months to do so).

The company you call must contact the other credit bureaus, who will place an alert on their versions of your report. This means that businesses and creditors will have to call you before extending additional lines of credit in your name. Givens suggests providing the credit bure

Jun 21, 2006 7:19 AM

Lcha :

<b>Visa Says ATM Breach May Have Exposed Data
</b>
By MICHAEL LIEDTKE
The Associated Press
Tuesday, June 20, 2006; 10:43 PM

<b>SAN FRANCISCO -- Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies.
</b>
The latest breach dates back to February when San Francisco-based Visa began notifying banks of a security problem affecting a U.S.-based contractor that processed automated teller machine transactions.

Visa, one of the nation's largest issuer credit and debit cards, publicly acknowledged the trouble Tuesday in response to media inquiries prompted by Wachovia Bank's decision to replace an untold number of debit cards issued to its customers.

Charlotte, N.C.-based Wachovia issued the card replacements last week as an antifraud measure, said bank spokeswoman Mary Beth Navarro. She declined to explain the circumstances that triggered the action after several months.

Visa also gave out few details about the incident. Thousands of banks have issued millions of debit cards bearing the Visa logo.

In a statement, Visa said it is working with its member banks and authorities "to do whatever is necessary to protect cardholders."

Under Visa's policy, consumers aren't held liable for any unauthorized purchases made with their cards.

Visa's security headache is hardly isolated.

In recent years, a wide ranges of businesses and bureaucrats have fumbled away Social Security numbers and other sensitive information that could be used to tap into the finances and credit records of unwitting consumers.

<b>In one of the most far-flung breaches to surface so far, the Social Security numbers and other personal information of 26.5 million U.S. military veterans was stolen last month when an employee took some digital data to review at home.
</b>
Visa has encountered security problems with other contractors besides the ATM processor that triggered the February alert.

CardSystems Solutions Inc., a payment processor used by both Visa and rival MasterCard International Inc., suffered a lapse that exposed up to 40 million credit and debit card accounts to potential abuse between August 2004 and May 2005. The thieves are believed to have grabbed data from a small fraction of those accounts.

Visa and Wachovia weren't even the o

Jul 11, 2006 7:41 AM

Lcha :

<b>Citibank Phish Spoofs 2-Factor Authentication
</b>
Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

These methods work, however, only so long as the bad guys don't fake those as well. Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank's Citibusiness service, which -- as its name suggests -- caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.

The scam e-mail says someone (a nice touch added here -- the IP address of the imaginary suspect) has tried to to log in to your account and that you need to "confirm" your account info. Not a whole lot that's revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in "Citibank.com," but in fact ends at a Web site in Russia called "Tufel-Club.ru."

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. <b>That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
</b>
Update, 4:41 p.m. ET: I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.


<b>Lcha here: I received an e-mail from Vanguard a few weeks ago informing me that they were going to go to a more sophisticated user logon system soon. It sounded like the type Bank of America uses in that some form of token is created on the computer you use most often to access your account.
Very good news!</b>