Archive for April, 2011

by Christopher Maag

The Texas Comptroller’s Office exposed the personally identifying information of 3.5 million people, leaving them at risk of identity theft “for a long period of time,” according to a statement released Monday by Comptroller Susan Combs.

The information was unencrypted, and the server was not protected by passwords.

“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Combs said in a press release.

The exposure happened because of human error after people inside the comptroller’s office failed to follow data security rules, Combs said. The data came from the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas, and it included names, Social Security numbers, dates of birth and driver’s license numbers.

The agencies did not encrypt the files, as required by Texas state government rules, Combs said. Workers in Combs’ office then placed the files on a server accessible to the public. Someone discovered the mistake on the afternoon of March 31, according to the press release.

The only marginally good news is that the information was recorded in long strings of numbers, instead of separated into distinct fields.

“I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location,” Combs said in the release. “We take information security very seriously and this type of exposure will not happen again.”

Combs contacted the state attorney general’s office to investigate what went wrong. On April 13, her office began mailing letters to people whose information was exposed. Combs also said she will work with state legislators on a bill to create chief privacy officers at every state agency, and to create a statewide council on information security.

Related:

The End of Digital Innocence: What Does the Epsilon Breach Mean?

The Church of Identity Theft

Don’t Add Insult to Injury After a Data Breach

Christopher Maag is a freelance journalist for publications including The New York Times, TIME magazine and Popular Mechanics. He graduated with honors from the Columbia University Graduate School of Journalism, and has worked as a staff writer for daily newspapers, monthly magazines, alt weeklies and websites. Maag writes about people with big dreams set on little stages, including a teenage girl who races jet-powered tractors, and people who make millions of dollars impersonating Barack Obama.

Image: Davide Restivo, via Flickr.com

This article originally appeared on Credit.com.

By Eduard Goodman, Identity Theft 911

The Federal Trade Commission is taking its role as America’s privacy and data protection authority more seriously than ever.

Fresh on the heels of its new-era privacy manifesto, which lays out its evolving expectations around the intersection of privacy and business, the FTC secured a settlement with three credit report resellers that failed to protect consumers’ personal information. As a result, hackers gained access to more than 1,800 credit reports.

“The FTC will take action against companies that cross the line with consumer data and violate consumers’ privacy … I think you’ll see more privacy cases in the coming weeks and months,” said Jon Leibowitz, FTC chairman, when the privacy report was released.

The resellers bought credit reports from the three nationwide credit-reporting bureaus and combined them into reports for sale to mortgage brokers. The FTC said the resellers failed to:

• Develop and disseminate information security policies for their own institutions and their end user clients;

• Assess the risks of allowing end users with unverified or inadequate security to access consumer reports through their portals;

• Evaluate the security of end users’ computer networks, require appropriate information security measures, and train end user clients;

• Implement reasonable steps to maintain an effective system for monitoring end users’ access to consumer reports, including monitoring to detect anomalies and other suspicious activity; and

• Take appropriate action to correct existing vulnerabilities or threats to personal information in light of known risks.

These failures resulted in the exposure of consumer information to a number of groups and individuals without the authority to access it, including hackers.

What’s interesting about these complaints is their uniformity. In fact, they were nearly identical. From my perspective this points to a systemic problem within the industry, one that is general enough to allow a “form complaint” approach by the FTC.

What I find most interesting, though, is that there isn’t much that’s interesting here. The nature of the complaints and issues in these cases doesn’t stand out; these are not “groundbreaking privacy enforcement cases.” They are common privacy-related complaints about improperly protecting access to consumer data.

The punishment, too, is becoming the norm: 20 years of biannual third-party audits that check for proper processes and procedures to correct and improve the protection of sensitive data. This “life sentence” (as I refer to it) for privacy violations begins to drive home how seriously the FTC takes these issues.

If anything, the vanilla nature of these complaints clearly lays out that companies still aren’t doing enough to protect access to consumer information, and that there is no shortage of this type of lax behavior in any industry. The FTC will just keep chipping away at consumer-oriented privacy abuses, one case—or maybe three cases—at a time.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911

An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

Debt tagging occurs when debt collectors target the wrong person for a debt. These cases exact a toll on victims, particularly in the wake of the financial crisis, by damaging credit and taking months to resolve.

Fraud Specialist Mark Fullbright talks about debt tagging, including what to do if you are wrongfully tagged with someone else’s debt.

By Ondrej Krehel, Identity Theft 911

Are you being tracked online? The answer is yes. There are financial incentives for everyone from malicious hackers, to scheming governments, to an industry that has found a way to monetize your digital habits.

Behavioral marketing—delivering ads to consumers based on their activity online—is an estimated $80 billion industry. The goal is to sell: cars, gizmos, vacation deals, cheap airfare, food and wine subscriptions—the list goes on forever.

Online targeted marketing is reshaping the electronic landscape. At the global level it is affecting content and is becoming a mirror of the consumer-based society that we live in and unconsciously create.

Last year, privacy advocates filed a complaint with federal regulators against tracking and profiling practices used by Google, Yahoo, Microsoft and other Internet companies. It was a step in the right direction. Internet companies should be pushed to be more transparent about the data they’re collecting and what they do with it.

The Federal Trade Commission is stepping in, debating the idea of a Do Not Track system where users would be able to simply click a button in their Web browser to turn off tracking. The idea is a mirror of the national Do Not Call list, but in that case the implementation was easier to pull off.

The proposed solution should address tracking on three levels: Consumers should have tools to protect themselves. Online portals should transparently present methods used for tracking. And marketing companies should be open about collected data and its usage.

Microsoft’s Internet Explorer and Mozilla’s Firefox now allow consumers to install do-not-track extensions that prevent advertising companies from following their online history. And Mozilla recently offered do-not-track capabilities for mobile browsers.

We can’t only focus on the consumer and protection of his PC, since tracking can happen on social portals, executed independent of our hypothetical consumer’s computer.

It took years for security awareness to take hold in the consumer mind. It has now penetrated every aspect of our interaction with personal computers, networks and communications. It makes me wonder when software engineers are going to catch up and shift their focus to privacy-oriented designs. The clock is ticking.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

It seems too blatantly unjust to be true: You receive a debt collection letter stating that you owe money. The collection agency starts calling you, repeatedly, demanding payment. You tell them the account isn’t yours, but they keep insisting it is. Finally, your credit score takes a hit, and you spend months cleaning up the mess.

Unfortunately, “debt tagging”—when collectors target the wrong person for a debt—and a variety of other debt-related errors and scams happen…a lot. The Consumer Sentinel Network, a database of millions of consumer complaints compiled by the Federal Trade Commission, tallied debt collection issues as the second-most reported consumer complaint in 2010—second only to identity theft. Debt collection accounted for 11 percent of all complaints filed and saw a 2 percent increase over 2009.

According to the FTC’s Annual Report 2011: Fair Debt Collection Practices Act, of the 144,159 debt collection grievances filed, top issues included:

• Harassing and recurring calls

• Misrepresentation of the amount, kind or status of the debt

• Failure to send a written notice or to self-identify as a debt collector and

• Falsely threatening arrest, property seizure—even violence.

    In short, some debt collectors engage in unethical or illicit behavior in an attempt to scare money out of innocent victims.

    Who gets tagged? The Michael Browns of the world are susceptible because they have a common name. In fact, an Identity Theft 911 customer with that name endured hundreds of harassing phone calls from a collection agency that had tagged him with someone else’s debt. Eventually, his credit rating plummeted, his credit card interest rates tripled, and he was unable to secure a much-needed loan to help his business.

    Others get tagged because the real debtor’s contact information is outdated or when collection agencies purchase debt at a discounted price, then pursue multiple people for the same account. The more people they tag with it, the more likely they will pressure someone into paying.

    Though debt collectors are not required to verify that they have the right person before placing the debt on that person’s credit report, they are required to comply with certain laws.

    Through the Fair Debt Collection Practices Act, the FTC is working hard to “curtail deceptive, unfair, and abusive debt collection practices.” While the FTC pursues legal avenues, you can protect yourself by following these tips.

    by Adam Levin

    Spot Quiz: What does the word epsilon mean to you? It is the fifth letter of the Greek alphabet. As I recall, in its lowercase form, epsilon stands for elasticity, among economists. There might even be a fictional spy named Epsilon.

    I’ll bet that up until a few days ago you didn’t know that Epsilon was also the name of a company that has exposed millions of Americans (including you, most likely) to the increased risk of imposter fraud, a crime that made it to the Federal Trade Commission’s top ten complaints list this year for the first time. Epsilon is a unit of Alliance Data that collects consumer information from hundreds of corporate clients to manage their email marketing campaigns.

    On April 1st, Epsilon posted a terse announcement on its corporate website, which set off a media frenzy and confirmed, yet again, the end of the Age of Digital Innocence:

    IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

    Apparently, an unknown cyber ninja (or coven of ninjas) had efficiently and maliciously gained unauthorized access to the Epsilon system and caused, according to Michael Kleeman, a network security expert at the University of California, San Diego, a “massive hemorrhage” of what has heretofore been considered non-personal identifying information, yet now is viewed by a growing number of privacy experts as the Social Security Number in the Digital Age—the email address combined with a name. In other words, the data that consumers provided to many large companies, such as J.P. Morgan Chase, Citibank, Kroger, Target, Best Buy, Disney Destinations and Verizon, could now be in the hands of guys we would never want to friend on Facebook.

    If you didn’t know anything more than that, it would be horrifying enough. After all, despite thousands of privacy policy disclosures and enormous media attention, most folks don’t know (or don’t want to know) that information provided to trusted financial institutions, service providers or retail stores is shared with other companies. Again, I’ll bet most Americans didn’t know that there even was a company called Epsilon. But worst of all, we still don’t know, even now, how much information Epsilon really has, or which information was truly hacked. It was publicly announced that, not to worry, only email addresses were stolen. I received several frantic emails from banks with which I have relationships assuring me that only my email address was no longer secure.

    Let’s make the salutary (and perhaps facile) assumption that the press releases and email alerts are accurate. So all the bad guys have is our email addresses and our names, right? No biggie, right? Well, not exactly. The problem is that our email addresses are also our user IDs on many websites. Few people are willing to change their email addresses, because too many other people would have to be notified. So in my case, I will have to strengthen my already strong passwords—again.

    Heck, it’s gotten so complicated that my current password contains several letters (some upper-, some lowercase), a few numbers, and symbols I have inserted in the place of letters (and forget about the punctuation marks I must now liberally sprinkle throughout). It seems like no password—even those reminiscent of chemical compounds—is enough anymore. (To say nothing about the “secret questions” many sites rely upon in lieu of forgotten passwords. In the Facebook age, it’s not difficult to figure out someone’s high school or mother’s maiden name, so users should establish answers to these as secondary passwords or responses completely unrelated to the question prompt.)

    A Focused Attack

    A hacker who has your email address, and your name, and the names of the businesses with whom you have relationships can launch truly insidious “spear phishing” attacks and, who knows, in a moment of acquisition ecstasy or carelessness you might just bite. In response to a very personalized email, people are much more likely to reveal truly personal information, or click on attachments far more venomous than the usual ham-handed and misspelled spam letters. Our whole lives are contained in our email files, as well as any confirmations of changes in our digital existence (and lest we forget, all password changes are confirmed back to our email). So when you innocently click on what appears to be an official memo, or email your BFF (or community thereof) to share the news about that great new car you just bought, voila!, you just provided another gateway to your digital soul, and handed a very clever and patient thief yet another piece of the puzzle they so lovingly cobble together in order to become you for their benefit. In the digital age, your email address, unique and personal to you, is as much of a unique identifier as your Social Security number. In fact, your email address may allow you to be financially “profiled” by very criminal minds.

    “When one has tens of millions of email addresses and an effective spear-phishing strategy, even if only a low percentage of targets respond, we are still looking at millions of people who could unintentionally release their personal information to the wrong people, or unknowingly click on a malicious link that installs malware on their computer,” says Ondrej Krehel, information security officer, Identity Theft 911. “Worse yet, these emails can be sent from all of their affiliations in the Epsilon database, perhaps on a weekly basis. The magical combination of customer emails and their affiliations with institutions gives hackers a more direct route for monetization.”

    The Epsilon breach was the most high profile, yet not most potentially devastating, breach to happen in the last few weeks. In March, RSA Data, a provider of information security, risk and compliance solutions, also announced—rather grudgingly and in abstruse terms—a major security breach. Even now, no one knows the full extent of that breach. But a clearer picture is emerging of how it happened. An innocent (not terribly prescient) employee of RSA actually opened an attachment to an email with the subject line “2011 Recruitment Plan.xls” even though he found it in his junk mail file. The attachment contained a virus which enabled the hackers to probe him and others for a couple of days, using their email contacts and information to dig deeper and deeper into the mysterious world of RSA until ultimately they isolated the right high access players who were the gateway to a very discrete section of the RSA system.

    I am not talking here about some guy sending annoying spam to folks at RSA for his amusement. It was an “advanced persistent threat” attack that targeted their SecurID two-factor authentication product. Relentless, patient hackers spear-phished RSA employees using sophisticated and clandestine means to gain continual, persistent intelligence, according to a recent blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

    There is a theory that this was state-sponsored hacking by a foreign government. Another theory is that it was corporate espionage, in which globally divided superpowers compete for intellectual property.

    Not About the “Quick Hit” Anymore

    For years we have been telling people that unless you are talking credit card or account compromise, it is not about the quick hit. Now that affected institutions have taken Paul Revere’s ride through their customer base, it is not a slam dunk that millions of consumers will be instantly spear-phished.

    Identities are currency. They are evergreen. Like fine wine they get better with age.

    The trajectory of this crime is much more subtle. It will be done over time by very calculating and patient hackers adding one piece of the puzzle at a time. Over a period of months, even years, email will arrive from impostors posing as businesses representing all aspects of our lives. They will ask for a tad of information here and there, offer a link to an irresistible deal, call upon us to make an impulsive decision and provide some personal identifying information in return for a product or service we can’t live without. They will engage us, attempt to garner our trust, compromise our information or turn our computers into transmitters of account numbers and passwords.

    With that firmly in mind, there are several things we must do: we must better secure our computers, be more skeptical and less forthcoming. We must read, think and evaluate the logic and value of the request and the reward before we click on any button other than “delete.”

    So maybe Epsilon was aptly named. As it turns out, the company became entrenched in something out of a spy novel, and it certainly demonstrates “elasticity” of information, doesn’t it? Ronald Reagan wisely said in a different context “trust but verify.” He was talking about nuclear arms, but our subject can also be deadly—fiscally—on a grand scale. The sad truth is that in the digitally dominated 21st century, you can forget about the trust part. Verify and protect everything. Always. Vigilantly. The World Wide Web is not a court room, but you can easily be made an innocent victim without due process.

    Adam Levin is Chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.

    Image: SigEp NV Alpha 03 via Flickr.com

    This article originally appeared on Credit.com.

    Don’t be fooled by snake oil marketing from some ID theft companies. Identity Theft 911 founder and chairman Adam Levin discusses what is being done to curb misleading claims, including a set of standards developed by a working group under the Consumer Federation of America.

    By Ondrej Krehel

    Some consumers are getting inundated with email warnings that their personal information may have been compromised in the Epsilon data breach.

    Hackers continue to probe systems for vulnerabilities, while businesses fail to sufficiently secure customer data and, as a result, data breaches occur on a daily basis. The lack of protection of your valuable information is aggravating, and it demonstrates how important it is to take action to protect your asset: your digital identity.

    The Epsilon breach potentially exposed the largest data set ever—billions of consumer email addresses. Epsilon clients include large financial institutions and many well-known retailers. Hackers obtained the email addresses of consumers who had opted in to relationships with these institutions, turning customers into sitting ducks for a practice commonly referred to as “spear phishing”—when criminals send a malicious email crafted with language and graphics to resemble those of a real institution. These emails can seem authentic and ask for details such as account information, PINs and passwords, or ask you to download an attachment or click on a link. Because the email appears to come from a trusted institution, recipients often believe it is genuine. The sender’s intention is to steal your personal information, such as banking credentials, or to install malware on your computer.

    What should consumers do? Here are some tips to stay safe:

    1. Use extreme caution when opening emails claiming to be from any of the breached companies. Don’t provide personal, account or financial information if it’s requested in an email. Question unknown and unfamiliar parts of received emails.

    2. Don’t open links or attachments in emails from suspicious or unknown sources. Even pictures, music and videos can contain malicious programs.

    3. Change passwords for compromised email accounts. Use a strong password that includes upper- and lowercase letters as well as symbols. If you can’t remember all your passwords, use an application such as KeePass or Password Safe. Change the answers to the security questions that can reset your password, and don’t provide real answers to them, such as your high school name.

    4. Open a separate email address for interfacing with businesses—not the same account you use for your personal or work lives. Tweak your name—use an initial or your middle name—and add a few days or months to your birthday. Never give out your actual date of birth.

    5. Update security programs such as antivirus, antimalware and firewalls to protect your computer. Viruses can destroy your data, and malware can steal your personal information.

    6. Update third-party programs including Adobe products and browsers such as Firefox, Chrome and Safari. Hackers often target third-party applications with known vulnerabilities.

    7. Review the spam filters in your antivirus program or Internet email provider. Make sure that you are maximizing their potential to quarantine malicious spear phishing emails.

    8. Contact a professional if you are unsure about content you have received. You’re better off asking than being at risk.

    Technology can help us mitigate these attacks; however, it is ultimately the consumer who makes the choice to click on a link or provide personal information. Before releasing your treasured data, verify the validity of the request—and don’t trust blindly.

    Ondrej Krehel, Chief Information Security Officer, Identity Theft 911


    by Christopher Maag

    A massive data breach at an Internet marketing company has compromised the personal information of customers at some of the nation’s largest banks, retailers and grocery stores. The number of people whose information was exposed is not yet known.

    The breach occurred at Epsilon, which handles marketing and e-mail communications with customers for major corporations including Citibank, Best Buy and the Kroger grocery chain. Epsilon did not return calls seeking comment.

    But according to a company statement on April 1, an unauthorized user gained access to a portion of Epsilon’s e-mail system. Security Week reports the list of companies affected by the breach includes Citibank, JP Morgan Chase, US Bank, Kroger, Walgreens, Best Buy and TiVo.

    So what’s the big deal about having your e-mail information breached, particularly in this case? As Security Week points out, hackers gained access to the companies’ customer lists. This gives them the advantage of tying your full name and e-mail to the companies and financial institutions of which you’re a customer. They can use this information to give a sense of legitimacy to bogus (but usually very official-looking) e-mails in which they ask you for passwords or other sensitive information. This is what’s known as “spear phishing.” Here’s an excellent guide on spotting and avoiding Internet scams.

    [Related article: How to Spot, and Avoid, Internet Scammers]

    In related news, a restaurant company that failed to protect its patrons’ personal information agreed to pay a $110,000 fine for failing to follow Massachusetts’ tough data privacy law. The Briar Group owns popular bars and restaurants around Boston including MJ O’Connor’s, The Lenox, Ned Devine’s, The Harp and The Green Briar.

    “When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” Attorney General Martha Coakley said in a press release. “Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”

    The company put the credit card information of tens of thousands of people at risk of identity theft, according to the release. Hackers installed software on the company’s computer systems in April 2009 to steal customers’ credit and debit card information; the malware wasn’t removed until December 2009.

    The company nevertheless continued to accept credit and debit cards even after it knew of the breach, according to the release. The company also failed to secure its in-store computers.

    Related:

    Don’t Add Insult to Injury After a Data Breach

    Big Data Breach at Sensitive Lab Prompts Credit Scare


    Image © Dana Rothstein | Dreamstime.com

    This article originally appeared on Credit.com.

    The news gets worse by the hour. In what could be the most extensive data breach in U.S. history, at least 20 companies have reportedly joined the list of Epsilon clients whose customers’ names and email addresses were accessed by hackers on March 30.

    The number of affected consumers has yet to be tallied, but breached companies so far include the nation’s second-largest bank and biggest grocery chain, as well as an organization in contact with 7 million students—from Citibank to TiVo, JP Morgan Chase and Disney, to Walgreens and the College Board. Many of these businesses have reassured customers that neither their PII nor any financial data was compromised. (See a list of Epsilon clients reportedly affected by the breach here.)

    Affected companies are scrambling to warn customers of the heightened risk of phishing and spamming attacks, advising customers to be wary of emails claiming to be from them asking for personal or account information—and reiterating that they never solicit such data.

    Epsilon stated that, “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk.” The self-proclaimed “world’s largest permission-based email marketing provider, sending over 40 billion emails annually,” Epsilon has 2,500-plus clients (including seven of the Fortune 10) and is the kind of target that has hackers around the world high-fiving.

    A breach of this epic scale highlights the persistent problem of third-party vendor breach, which occurs at every level. When consumers elect to receive email communications from a business or provide personal information in exchange for a free tote bag or sweepstakes entry, they’re not only entrusting their data to the company with which they’re directly interacting, but they’re potentially handing it over to every operation with which that company does business.

    As big corporations direct significant resources toward data protection, hackers must find novel ways of getting through. Third-party vendors often offer a back door into massive amounts of data. Confirmed email addresses and names are valuable, because they are often used for logins and authentication and can be a gateway to work, financial and personal information. Hackers crack passwords and access email inboxes and contact lists that can be used to commit identity theft or financial and other scams.

    An Epsilon spokeswoman declined to confirm names of affected clients or offer further comment. She stated that the company is cooperating with authorities on the ongoing investigation.

    Identity Theft 911 offers comprehensive data risk and breach response services.