AUGUST 2010
Inside This Issue . . . THE YEAR’S BIGGEST ID BREACHES (SO FAR) THE NEWEST
PHISHING SCAM THE WORK-AT-HOME PYRAMID SCHEME
HEARTBREAK HOTELS THIS MONTH IN PROTECT
Identity theft can happen to anyone at anytime. Eleven million Americans already know that the hard way. This truth is perfectly captured in a story in this edition of PROTECT enewsletter. “The Yearʼs Biggest ID Breaches” reports that the first six months of 2010 saw three hundred major public and private sector security breaches resulting in the exposure of 8 million-plus personal records. Yours may be among them. In that same story, we note that an AT&T security breach exposed the email addresses of thousands of Apple iPad users, among others, NYC Mayor Michael Bloomberg, ABC News Anchor Diane Sawyer, White House Chief of Staff Rahm Emanuel, and other celebrities. No one is immune.
COLLEGE KIDS FACE THE MUSIC
GULLIBLE GRANDMAS
PROTECT can be part of the solution. The people who operate I.D. SHIELD 360, a leading service that helps shield you from the criminals determined to steal your identity, bring it to you. Every month, youʼll find useful and authoritative ideas and information to protect your most important possession – your identity.
ID THEFT CAN HAPPEN TO ANYONE AT ANYTIME
THE YEAR’S
BIGGEST
ID BREACHES (SO FAR) We’re just a bit past the halfway mark of 2010, and already there have been several extremely large identity record breaches. These include banks, insurance companies, phone companies and government agencies: in short, anyplace where large amounts of personal information are aggregated. Here, in order, are institutions that have managed to exposure more than 100,000 people to risk during the first half of 2010.
1.
ECMC
The Education Credit Management Corporation had a portable media device stolen the old-fashioned way. It contained names, addresses, dates of birth and Social Security for 3.3 million students. This affects up to five percent of all students with federal loans in the U.S., representing one of the biggest cases of student identity theft in the nation's history. 3.3 MILLION
2.
LINCOLN NATIONAL CORPORATION 1.2 MILLION
Records of around 1.2 million users may have been exposed as the result of a breach in the portfolio information for two financial subsidiaries of Lincoln National Corporation. The company told the New Hampshire Attorney Generalʼs Office that personal data such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances and in some cases, dates of birth and e-mail addresses had been exposed.
3. AVMED
1.2 MILLION
Clients of AvMed Health Plans became vulnerable when two company laptops were stolen. They carried information from more than a million Floridians, both current and former clients and dependents. Names, addresses, phone numbers, Social Security numbers and private health information were compromised. Company administrators maintained that the only people with keys were the cleaning crew.
4. CITIBANK
600,000
A so-called processing error led to Citibank to print the Social Security numbers of hundreds of thousands of customers when they send out annual tax documents. The envelopes were sent via the U.S. Postal Service. In Citibank始s defense, the numbers were not identified as Social Security numbers and may have been interpreted by outsiders as a mailing routing number.
5. AFFINITY HEALTH
PLAN
6. US ARMY RESERVES
207,000
400,000
An office copier that Affinity leased and returned may have had personal information still on its hard drive. The basics are at risk: Social Security numbers, dates of birth, and medical information. More than two hundred thousand names, addresses and Social Security numbers of U.S Army Reservists and dependents are at risk from the theft of a CD-ROM. The theft took place at the Reston VA offices of Serco Inc., a government contractor. Serco was commissioned to hold data on reservists, according to its contract with the U.S. Army's Family and Morale, Welfare and Recreation division.
7. MMMR
180,000
Millennium Medical Management Resources handles billing for emergency health care physicians. It discovered that many patients treated between 2003 and 2006 may have been victims of identity theft due to a portable hard drive theft. The recently stolen data included names, medical records, Social Security numbers and insurance information.
8. VALDOSTA
UNIVERSITY
STATE
170,000
The Georgia institution reports that someone gained unauthorized access to a computer server, which held 170,000 student and faculty social security numbers and grades. The breach, which dates back several months, was discovered by the school始s IT director.
9. AT&T/APPLE
114,000
At least 114,000 e-mail addresses of iPad 3G customers were exposed by a security breach at AT&T. It includes several high-ranking government officials. The breach occurred when a group of hackers found a flaw in a web application that enabled them to tap a list of customer e-mail addresses.
WORK-AT-HOME
SCAMS
Everyone dreams of working at home in their PJʼs and a cup of hot chocolate. Pursuing this dream may quickly turn into a nightmare. The FTC receives nearly eight thousand complaints annually about work-at-home scams. And with the economy in the doldrums, you can expect those numbers to continue to rise. Beware of the four most common forms of work-at-home scams:
PYRAMID SCHEMES Once upon a time multi-level marketing — people receive commission on the sales of others they sign up as distributors — was an efficient way to get the word out about small companiesʼ products. Avon and Tupperware were legendary success stories. However, with the growth of 21st century technologies like the internet, everyone can get their products in the public eye. Still, scammers continue employ this method to attract victimʼs to buy into the scheme. There is no guaranteed a weekly income; you have to recruit others to make a buck. Most people are unable to recruit sufficient numbers of people, and end up losing their investment.
TRAINING WHEELS “With the proper training, anyone can work at home” is this scamʼs motto. Scam artists promise training in how to start a business at home. The trick here is that you must send them money. The information that comes back is usually useless and confusing with lots of sponsors trying to sell you things to improve your business which, it turns out, is non-existent in the first place.
THE BILL COLLECTOR No need to go to school for accounting if you are willing to invest around $10,000 in equipment and software to run a billing collection service. These scams promise to have customers ready and waiting for the victim. Truth be told, real companies are looking for legitimate accountant firms to process their billing and are not anxious to send their clientʼs billing information to an unqualified person working out of their own living room. ARTS AND CRAFTS Artists and those inclined to work with their hands are drawn to the craft and assembly scams. The scammer sells “essential and unique” materials to victims for outrageously high prices. This scam operates on the unfulfilled promise that there is a large market for handmade hats, baby clothes and jewelry that you assemble yourself and that look like the store brands. The market for such products is slim to non-existent.
10 T E L L T A L E S I G N S THAT A WORK FROM HOME JOB OFFER IS A SCAM
CONGRESS MAY STEP INTO THE BREACH Some in Congress are taking the identity theft plague seriously.
Senators Tom Carper, D-Del., and Bob Bennett, R-Utah, are reaching across the aisle this summer to sponsor a bipartisan 2010 Data Security Act. This new law would trump individual state regulations by establishing a national law that requires public and private institutions to safeguard sensitive data and to notify people whose personal information might have been compromised. The bill is based on a 1999 law, which forces financial institutions to protect against theft of personal information of their clientele, and to inform customers if and when a breach occurs.
If enacted, the new law will require federal agencies to establish “appropriate standards relating to administrative, technical and physical safeguards” to ensure the security and confidentiality of sensitive account and personal information that is maintained or communicated by or on behalf of that agency. Agencies also would be required to protect against any anticipated threats or hazards to the security of such information, as well as any misuse that could result in substantial harm or inconvenience to a consumer. Of the bill, Senator Carper says: “"It seems nearly every other day there is a report of consumers' highly sensitive personal information being compromised by a store, a school, or some third party data center… We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country. This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud."
Last year, Senator Dianne Feinstein, D-Cal., proposed a related bill that would allow lawsuits to be brought against companies that do not properly inform their clients that personal information may have been stolen. The Senate Judiciary Committee has cleared both bills, and they are on the calendar to be presented before the full Senate. DOWNLOAD THE ENTIRE SECURITY ACT HERE
TABNAPPING
THE NEWEST WAY TO PHISH
These days the internet is so versatile and important to daily life that people tend to leave their browsers up all the time with lots of tabs open. Unfortunately, scam artists have learned how to take advantage of the constantly open tab. Experts call them “tabnappers” — scammers who steal victimʼs tabs on browsers like Firefox and Safari, and fool you into entering personal information on them. Itʼs the newest form of phishing and the most intricate.
Tabnapping relies on the internet-age version of multi-tasking. Often people have several tabs on their browsers at work and at home, checking their bank account while ordering books on Amazon while listening to Pandora while playing a game while reading Facebook while posting on Twitter. All at the same time. Knowing this, the tabnappers accesses an innocent personʼs browsing history to figure out which sites they view most often, say Amazon or Citibank. Then they create a web page that looks
like the real thing. Then when the victimʼs browser is up, and several different tabs are open, the tabnapper places the fake web page up on the screen hoping that the internet user has forgotten which tabs are open. When the scam works, the innocent user clicks “back” to the rigged page, logs in or otherwise enters personal information. The scammer sees it all.
Two aspects of this scam make it especially effective for phishing. Firstly, the scammer does not need the person to click through a link; users believe they have already opened the page and the bogus page looks exactly like a real page. Secondly, many sites do time out after a while, especially bank sites, so it is common to ask visitors to log in again. How can you beat this scam? One way is to minimize the number of tabs you have open at one time. Also, take a moment to check the URL of any web page that has been sitting on your screen for an extended period. Generally a fake tab does not have a real URL; the URL will be strange and different from the real thing. Finally, close a tab whenever are asked to re-log-in to a site and bring the web page up refreshed.
CLICK HERE TO LEARN HOW TO FOIL A TABNAPPING SCAM
TOUGH LESSONS FOR
COLLEGE KIDS It is almost back-to-school time and, as tens of thousands head back to campus, it始s an ideal moment to note that college students often fall victim to scams. Without a ton of realworld experience and a certain amount of naivety, they are easy targets for scam artists and identity thieves looking to make a couple of easy bucks. The best way students can protect themselves is by being aware and staying alert. Here are this year始s five most common back-to-school college scams according to the experts:
1. LEAVE THEM A-LOAN
During the recent economic downturn, student loans have become more scarce and students more desperate. This makes them vulnerable to scammers or messages claiming to provide lots of loans at very low interest rates. Students need to verify that any potential loans are from a reliable source. Check with the bank or agency or non-profit foundation to see if the representatives, and their claims, are authentic. Federal government loans are often the safest option.
2. FACE THE MUSIC
With little money and the need to have the hippest music, scammers are picking on college students who are illegally downloading music and video. Internet scammers are sending out bogus letters demanding $500 for students alleged illegal downloads.
3. FAKE IS FAKE
Diploma mills promise a diploma with a fancy and official sounding name on it for cheap. However, those couple of dollars thrown down for a diploma will not get students their dream jobs or dream salaries. That money would be better invested in saving for a real education and earning a real diploma. No one is fooled by a degree from the University of the Equator.
4. CHEAT SHEETS
The web is making it easier for the lazy and dishonest to find term papers, test answers, lecture notes. But beware. Colleges are adapting new kinds of software and oversight to trip up these scams. And even if you don始t get caught cheating, buying these kinds of materials only cheats yourself.
5. CHECK HIM OUT
As college admissions gets more and more competitive, students are turning to counselors who can help with their college choices. But there are fakers out there, too. Check the counselor始s credentials thoroughly before investing in their help.
TRUE STORIES GOOD COP BAD COP
Nobody suspected anything when a Miami FL cop drove to the supermarket in uniform and in a marked police car and withdrew $460 from an ATM machine. But there is a back story. It turns out that Christian Alvarez-Vega, a police officer for almost 12 years, had arrived at the scene of a car accident on that morning in January 2011 and had driven one of the accidentʼs victims to the local hospital. In the process, he found the passengerʼs bankcard, which had been left in the police car by mistake. Alvarez-Vega called the passenger, and asked for their pin number, claiming that he needed it to complete the official police investigation report. The passenger gave him the pin number and, on that same day, Alvarez-Vega withdrew $460 from the passengerʼs bank account. Now, Alvarez-Vega is facing theft charges.
YOU AINʼT OUT OF TEXAS YET
The sun may rise, the sun may set, but you ainʼt out of Texas yet. A Corpus Christi TX man, Daniel Montoya, was wrongly detained in Nueces County Jail for six days. Montoya was stopped for a minor traffic violation but was then arrested for an outstanding criminal charge in Missouri. It turns out Montoya, father of three and grandfather of four, had never left the state of Texas. Montoya immediately understood why he was being falsely accused; his identity had been stolen several years ago. He knows this because every year when he files his taxes he has to go to the IRS and file a police report as well. Montoya has been fighting to regain his name for years and the thief continues to commit crimes across the country. Montoya now says he plans to change his Social Security number to prevent further problems.
DISSAPEARING ACT
Having evaded the law for nine year, a Portland OR man was arrested and taken into custody on charges of multiple identity thefts as well as first-degree forgery and possession of a forgery instrument. David Jay Ristick, 32, was also charged with failure to appear on an accusation of unauthorized use of an automobile. Ristick had fallen off the authorityʼs radar since 2001. When Ristick was discovered, it turned out he had changed his name from David to Steve and had created a new social security card and birth certificate. He had also altered his appearance by gaining a substantial amount of weight. In his home, officials found a tool that makes realistic counterfeit check drafts, money orders, and other such official documents.
DOUBLE TROUBLE
When Julia Robinson, 30, tried to steal the identity of a 99-year old women for the second time, the police were on to her. Robinson had worked as a caregiver for a Macomb County GA woman; there she was caught on camera stealing this womanʼs checks from her room, and using her identity to get credit. She was convicted and given probation the first time, but now the police now believe she did the exact same thing a second time: using the womanʼs social security number to create accounts. Robinson is currently in jail with a $50,000 cash bond.
GULLIBLE GRANDMA
“Hi Grandma, itʼs your grandson.” Naomi, a successful businesswoman in L.A. was duped by the “relative in distress scam.” Naomiʼs grandson called her up one morning and begged for bail money; he purported that he was in jail in Canada and they would not let him return home unless he posted bail immediately. Being a devoted grandparent, Naomi went straight to Western Union and wired $1,000 to a Canadian lawyer just as her “grandson” had
instructed. She could not distinguish his voice because she is hard of hearing; it turns out the scam artist was impersonating her 24-year old grandson. Los Angeles police note that many grandparents, eager to help their grandkids, have been similarly defrauded.
HAVE A NICE STAY Five people have been charged with aggravated identity theft and money laundering after thousands of guests at the Emily Morgan Hotel in San Antonio TX were victims of an identity theft ring. A storage room, where guest receipts were kept, had been broken into. None of the guests knew of the incident until strange charges began to appear on their credit card statements. The Emily Morgan is a four-star luxury hotel in historic downtown San Antonio, adding to the unexpected nature of the crime. Defendants were caught after a multistate shopping spree, and are accused of conspiracy to commit identity theft fraud, and counterfeiting.
CAUGHT NAPPING
Police officers finally caught up with Melinda Greene, one of Utahʼs most wanted identity thieves. Greene, 31, was recently found sleeping in bed in a Salt Lake City Best Inn & Suites room. Authorities have been looking for her since April 14 when she was indicted on five counts of bank fraud and one count of aggravated identity theft. Greene is accused of breaking into parked automobiles and stealing peopleʼs personal information including bank account information. Inspectors suspect that Greene stole roughly $50,000 all together. Greene traveled to cities all across Utah including Sandy, West Jordan, Park City, and West Valley City burglarizing and defrauding local residents in each place.
HEARTBREAK
HOTELS
Hotels are an increasingly popular target of identity thieves. A new study by Trustwave, a security company that specializes in protecting hotel systems, found that hotels are surpassed restaurants for the top spot where your credit card data is most likely to be stolen.
Just as robbers target banks because thatʼs where the money is, hackers target hotels because thatʼs where the data is. Booking and reservation centers generally have thousands of credit card numbers on file and one successful break-in can net the hacker big numbers and big money.
In addition, hotels are popular targets because credit card information is not only used to check-in, but throughout the hotel in places like the golf course, the restaurants, the spa, the gift shop, the pool bar, and are all processed through one central computer system. These central systems, says Trustwave, are designed in the same way across hotels, so once the hackers figures it they can take a “cookie cutter”
approach to breaking hotels. In addition, tend to give many employees access to the computer systems, making the installation of malware easy and skimming credit cards even easier. Finally, there is the low-tech angle. Hotels are huge public meeting spaces where people mix, and personal information and property are vulnerable to thieves lurking in the background.
How can guests protect themselves?
• Get a copy of your room bill, and hold on to it for 30 days to make sure you donʼt get charged for anything extra.
• Check your credit card statements carefully to ensure no fraudulent charges were placed, and make sure to frequently check them online.
• Do not leave receipts, airline tickets, print-
outs, and other documents in wastebaskets in public spaces.
• Do not leave personal effects lying around
when you take a break from meetings. In your room, place key documents in the safe.
• Try to avoid using business centers for
internet access unless you can be assured that cached data is purged.
• Urban legend has it that identities can be
stolen off hotel key cards; this, thankfully, is not true. Most hotels only encode the guest name and room number on the magnetic strip.
WATCH A VIDEO ABOUT PROTECTING YOURSELF AT HOTELS HERE
GULF CLEANUP TURNS SLIPPERY
The unprecedented Gulf oil spill has created potential jobs for the unemployed in the region. Unfortunately, as with all natural disasters, some people use it as an opportunity to prey on those who want to give, those who want to volunteer, and those who want to work. Put in blunter terms: not all jobs being offered as part of Gulf cleanup efforts are real and not all training is legitimate. This has been the hard lesson of some people — many unemployed — who have paid hundreds of dollars in upfront fees for emergency response training or for guaranteed work placements that have not materialized.
THERE ARE SEVERAL RED FLAGS THAT GIVE AWAY THIS SCAM.
GUARANTEED JOB. Legitimate placement agencies do not guarantee a job, they only agree to do the best they can for you.
UPFRONT PAYMENT. Reputable employers do not ask you to pay upfront for training or certification or expenses. This is a direct violation of the OSHA (Occupational Safety and Health Administration) rules. GENERAL OFFERS. The more vague and general the offer, or the more types of jobs being bandied about, the less likely the offer is real. Vague email offers are a particular problem. PHISHING FOR INFORMATION. Be skeptical of prospective employers who ask for credit card, debit card or bank account information.
CHARGING FOR LISTS. Reputable employers do not charge you for lists or jobs or for information about how to find a job. This information is generally available for free. According to the FTC, legitimate training and job-related information can be found at: DEEPWATER HORIZON RESPONSE BP STATE OF ALABAMA STATE OF FLORIDA STATE OF LOUISIANA STATE OF MISSISSIPPI