Jay Foley, co-founder of the Identity Theft Resource Center, told me recently that 57 percent of all identity fraud involves opening new accounts "for short-term gain." The ITRC should know: it has been surveying ID fraud victims for several years and has amassed some impressive real-world statistics.
Foley also said 13 percent of the identity theft victims found out about the attacks only after criminals had established utility or cable service in their names. "So your credit record is more theirs than yours, making it harder to fight them in court," he said.
Clearly the best solution is to stop credit fraud at the moment it starts, when the account is first applied for, but for years credit histories and scores lay shrouded in mystery.
Fortunately, there's greater transparency with regard to credit reports these days. Since 2003, the Fair and Accurate Credit Transactions Act, or Facta, makes it possible for individuals to request one free annual credit report from each of the three major credit reporting agencies. (Go to AnnualCreditReport.com.) Initially, it was to correct any errors in the credit report; many people, however, use this process to monitor their reports for credit fraud.
While you can request all three credit reports at once, experts recommend staggering these, requesting one from a different reporting agency every 90 days or so. That way you'll see a comprehensive view. In addition to requesting your credit report, Congress, through laws such as the Fair Credit Reporting Act (FCRA), has provided other tools for monitoring your credit activity.
A fraud alert placed on your credit history requires an issuing entity to contact you first before opening a new account. Fraud alerts need to be renewed every 90 days unless you are a documented victim of identity fraud, in which case you are entitled to additional protection for up to seven years.
Another option is to place a credit freeze on your credit history. As of November 1, 2007, all three major credit reporting agencies offer this option. Lenders looking to issue credit in the name of someone with a credit freeze will be unable to access the credit history without your explicit permission. In most states there is no termination date; however, there is a $10 fee to institute a freeze and a $12 fee to lift it whenever you want to allow a credit check. These fees are waived if there is proof the individual is an identity fraud victim. The main advantage of a credit freeze over a fraud alert is that the credit freeze does not expire. Credit freezes, however, do not apply to entities with whom the consumer has an existing account. Nor do they apply to law enforcement agencies and certain governmental agencies.
The plans from Experian, Trans Union, and Equifax are similar, each providing a complimentary credit report from all three reporting agencies, continuous monitoring of credit activity and any online use of your personal information, and some insurance against identity fraud abuse. The plans range from $11 to $14 per month, with annual and family plans available for less. They do not, however, place alerts or a freeze on your credit history.
This creates a market for private identity protection companies. One of the first was TrustedID, which costs $10 per month per adult (with annual and family plans available). It places both a fraud alert and a credit freeze on your credit history (requiring you to be contacted in both cases), opts you out of credit offers, provides $1 million in loss insurance, scans for personal data on the Internet, and monitors changes of address. TrustedID also scans for medical fraud and protects against spyware.
Providing similar protection is LifeLock. This company is perhaps the best known because its CEO advertises his personal Social Security number as an example of how secure the company is. Bruce Schneier recently did an analysis of what's right and what's wrong with LifeLock as did the CNET Blogger Network's Chris Soghoian.
The Achilles' heel in all of these plans is that the financial institution does not have to make a reasonable attempt to contact you, so the fraudulent account may still get opened. Even with a credit freeze, some financial institutions won't contact you. There's no way to prove or disprove that an institution called you, said ITRC's Foley.
Until now.
Back in 2004 a guy named Bo Holland took a gamble. He bet that identity fraud would only get worse, not better. And he was right. Having built a series of start-ups within the financial services industry, Holland had an insider's perspective on the problem; he knew how banks and other institutions handled credit requests. He had also worked at Citrix Systems, so he had an understanding of application delivery. With his latest start-up, Debix, an identity protection network, Holland pulled together all of his skills.
Not only does Debix put a credit freeze on your profile, but it uses its own phone number to log whether the credit institution tried to contact you. If you're not available, Debix puts the pending account or loan on hold until you are able to return the call. Using a Debix phone number, not your home number, on your credit report adds another layer of security to the product.
So how does Debix work in the real world? Say you are at a car dealership and you need to finance a new car. Shortly after the salesperson leaves the showroom floor, your mobile phone should ring. That's Debix; you know it because it's your voice saying a secret code. Then Debix asks if you indeed are seeking to establish a new account. If yes, you type in a secret personal identification number.
Say you are on vacation and Debix conveys a permission request for a new account. Since you didn't request a new account, you press star and you are instantly put in touch with a Debix investigator, who then contacts the party requesting the credit check. The advantage here, says Holland, is that the ID fraud case is still hot. In some cases, Debix has been able to identify a particular IP address and then turn that information over to local law enforcement. This saves local law enforcement time; they don't have to get a warrant for the bank's information--Debix has already provided the information.
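The flow described above (a lender calls the number on the frozen credit file, the service calls the consumer, the consumer confirms with a PIN, parks the request by not answering, or presses star to dispute it) can be simulated as a small out-of-band confirmation broker with an audit trail. This is an added example written for this page; it is not Debix's code or protocol, and the broker number, consumer names, PINs and voice code are constructed values. The `respond` callback stands in for the consumer's phone.

```python
"""Out-of-band confirmation of a new-account request, with an audit trail.
Constructed example modelled on the flow in the article; not Debix's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    APPROVED = "approved"   # consumer confirmed with the correct PIN
    HELD = "held"           # no answer, bad PIN or unknown consumer: request stays pending
    DISPUTED = "disputed"   # consumer pressed '*': escalate while the case is hot


@dataclass
class Consumer:
    name: str
    phone: str              # the number the broker dials; creditors never see it
    voice_code: str         # phrase played back so the consumer can recognise a genuine call
    salt: bytes
    pin_hash: bytes         # PIN stored salted and stretched, never in clear


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# The responder receives (phone, voice_code) and returns None (no answer),
# "*" (dispute) or the digits typed after hearing the voice code.
Responder = Callable[[str, str], Optional[str]]


@dataclass
class ConfirmationBroker:
    broker_number: str = "+1-555-0100"   # constructed: the number placed on the credit file
    consumers: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def enroll(self, name: str, phone: str, pin: str, voice_code: str) -> None:
        salt = os.urandom(16)
        self.consumers[name] = Consumer(name, phone, voice_code, salt, _hash_pin(pin, salt))

    def _log(self, event: str, creditor: str, consumer: str, detail: str = "") -> None:
        # Append-only record: sequence number, event, who asked, about whom, note
        self.audit.append((len(self.audit), event, creditor, consumer, detail))

    def creditor_request(self, creditor: str, consumer_name: str, respond: Responder) -> Decision:
        """A lender dials the broker number found on the frozen credit file."""
        self._log("creditor_called", creditor, consumer_name)
        consumer = self.consumers.get(consumer_name)
        if consumer is None:
            self._log("unknown_consumer", creditor, consumer_name)
            return Decision.HELD
        self._log("consumer_dialled", creditor, consumer_name)
        answer = respond(consumer.phone, consumer.voice_code)
        if answer is None:
            self._log("no_answer", creditor, consumer_name, "parked until consumer calls back")
            return Decision.HELD
        if answer == "*":
            self._log("disputed", creditor, consumer_name, "investigator notified")
            return Decision.DISPUTED
        if hmac.compare_digest(_hash_pin(answer, consumer.salt), consumer.pin_hash):
            self._log("approved", creditor, consumer_name)
            return Decision.APPROVED
        self._log("bad_pin", creditor, consumer_name)
        return Decision.HELD

    def creditor_called(self, creditor: str, consumer_name: str) -> bool:
        """The record a consumer can point to when an account was opened without a call."""
        return any(e[1] == "creditor_called" and e[2] == creditor and e[3] == consumer_name
                   for e in self.audit)
```

The design point is that every request is logged before anyone is dialled, so the absence of a `creditor_called` entry is itself evidence that the lender never tried; and a wrong PIN is treated like no answer (the account stays on hold) rather than as a denial that would tip off the caller.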
Jerry Dixon, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, told me that there are many reasons why ID fraud cases aren't investigated.
"An assistant U.S. attorney might ask 'What's the likelihood of this going overseas?' 'What is the likelihood of being able to nail down who this is without having to write 20 subpoenas first?'"
If the IP address goes out to Belarus, then Dixon says forget it; the U.S. no longer has a law enforcement attache in Belarus so it's hard to enlist sympathy from law enforcement in that country. But if a company like Debix can provide law enforcement with details from the financial institution and a party willing to press charges, your odds of getting someone arrested improve.
Sound too good to be true? In a study published by Julie Fergerson, vice president of Emerging Technologies, and Debix's Holland, the authors looked at 30,000 Debix-secured transactions during a two-month period at the end of 2007. Of those, 380 were identified as fraud and were stopped immediately. Overall, the rate of new account fraud among Debix customers was zero percent.
ITRC's Foley said he was impressed with the results within the survey. Holland told me that during the survey period there were four instances of new account fraud. In each case, however, the financial institution did not call the customer. With Debix, though, you have some recourse. Debix maintains a record and can prove the institution in question did not attempt to call the customer.
Since learning about Debix in June, I've been trying to knock the protection, but so far cannot. Holland, it turns out, is no stranger to the computer security community; since 2004 he's been showing his wares and soliciting opinions at Defcon in Las Vegas. He invited Phil Zimmermann, creator of Pretty Good Privacy (PGP), to fault it, and he could not. Holland has invited other computer hackers to pick apart his logic. Even Foley and Dixon are full of praise for Debix.
And it gets better.
As of Monday, Debix is lowering its prices "way down" says Holland. One adult can sign up for $24 a year; families with up to three adults and four children can sign up for $72; and families with up to five adults and four children can sign up for $144 a year. That's much less than similar plans being offered by Experian, Trans Union, Equifax, TrustedID, and LifeLock. And Debix has been protecting people since 2004, so it's not some untested entity.
If you can name a more secure ID protection service for less cost, I'd like to hear from you.
It's a question I get asked a lot: what's a good way to remember passwords for a computer?
Here's how Christopher Horn over at Real Simple chose to answer it:
Writing down random log-in user names and passwords is unsafe and leaves them vulnerable to getting lost. Use a spreadsheet or a word-processing document to keep track of all the information safely. List the link for each website you have an account with and the specific user-name and password information that goes with that account. Click the Save As option under the File tab and name the document. The Save As window will have an Options or Security Options key, which you should select. Navigate through the menus, entering the necessary password--for both opening and modifying the document--until you have successfully secured and saved your list. To retrieve the information, open the file and enter one password to access all the others.
I disagree.
There are some problems with Horn's answer. What happens if you want to log in to an account using a different computer? And, shouldn't you encrypt the file as opposed to just using a password?
Even the security people at Microsoft have told me that the password protection within Windows and Office isn't necessarily your strongest security option. I know that password protection within Word or Works can be defeated with a variety of password-cracking programs. John the Ripper is perhaps the best known program and uses lists of common dictionary words to brute force unknown passwords. Chances are, Real Simple readers will probably use "password" as the password for their password list. But, still, placing a password on a file (placing a lock on it) is not the same as encrypting the entire file (scrambling the contents so only you can read it).
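The lock-versus-encryption distinction is easiest to see in code. Below is an added example, not from the article or from any product it mentions, using only the Python standard library: a "locked" file that merely stores a verifier next to a cleartext body, beside an encrypted file whose body is unreadable without the passphrase and rejects tampering. The HMAC-SHA256 counter-mode keystream is a demonstration construction so the example runs without third-party packages; real tooling should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The word list and the sample entries are constructed.

```python
"""Password-list storage: a 'lock' versus real encryption (stdlib only).
Added example; the keystream construction is for demonstration."""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000
# Constructed mini word list standing in for the dictionaries cracking tools use.
COMMON_WORDS = {"password", "letmein", "123456", "qwerty"}


def _kdf(passphrase: str, salt: bytes, length: int) -> bytes:
    """Stretch the passphrase so each guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, length)


def is_guessable(passphrase: str) -> bool:
    """Reject master passphrases a word list would find instantly."""
    return passphrase.lower() in COMMON_WORDS


# ---- "Lock": only the access check is protected; the contents are not ------
def lock(entries: dict, passphrase: str) -> bytes:
    salt = os.urandom(16)
    verifier = _kdf(passphrase, salt, 32)
    return salt + verifier + json.dumps(entries).encode()  # cleartext body


def open_locked(blob: bytes, passphrase: str):
    salt, verifier, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(_kdf(passphrase, salt, 32), verifier):
        return None
    return json.loads(body)


def read_without_password(blob: bytes) -> dict:
    """What anyone holding the file sees: the lock is skipped, not broken."""
    return json.loads(blob[48:])


# ---- Encryption: the contents are unreadable without the derived key ------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(entries: dict, passphrase: str) -> bytes:
    if is_guessable(passphrase):
        raise ValueError("master passphrase is in the common-word list")
    salt, nonce = os.urandom(16), os.urandom(16)
    keys = _kdf(passphrase, salt, 64)
    enc_key, mac_key = keys[:32], keys[32:]          # separate keys for each job
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + tag + ciphertext


def decrypt(blob: bytes, passphrase: str):
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    keys = _kdf(passphrase, salt, 64)
    enc_key, mac_key = keys[:32], keys[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong passphrase or altered file: reveal nothing
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))
```

Run both paths on the same entries and compare the raw bytes: the account names and passwords are visible inside the locked blob with a hex dump, and `read_without_password` returns them without ever touching the verifier, whereas the encrypted blob yields nothing without the passphrase and a single flipped byte makes `decrypt` return `None`.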
Me? I go low-tech. I write down all my passwords with pen and paper and do so in such a way that it would take someone a long while to associate a password with a given account. I also change these passwords from time to time. And I don't store my low-tech, highly obfuscated password crib sheet anywhere near my computer.
For a more thorough discussion of the various issues around passwords and password management, check out Elinor Mills' latest CNET News feature.
Gaining the ability to remotely control your HVAC might seem like an energy-responsible thing to do, but it might also pose hidden security risks.
In a recent blog post titled Security implications in HVAC equipment, SANS handler Swa Frantzen wrote of his concerns regarding one energy-saving program in Texas. The utility, TXU, uses what's called an iThermostat, which allows you to program your thermostat remotely over the Internet from any laptop or desktop.
In California, PG&E offers a similar program, SmartAC. PG&E also uses an Internet addressable, programmable thermostat, however, the user guide (PDF) mentions only remote access from the utility, not from the end user.
Frantzen makes it clear that he's not intentionally picking on the iThermostat system; he's only using it for educational purposes. Nor am I necessarily saying the SmartAC program is flawed either. I do, however, think his academic questions are quite valid because they go beyond just HVAC systems.
Recently there was a security hole identified within an Internet-connected coffee maker. I think the first question here should be: do we really need to access our coffee machine remotely?
It might be argued that these systems (the HVAC and coffee machine) both terminate--they don't necessarily allow a remote attacker access to a home computer network. But that's for right now. Jump ahead a few years when these systems start talking to each other, when you'll be able to create a warm and comfy home environment from your desktop at work.
Until then, what if someone remotely views your schedule of when the AC turns on and off? It could tip a potential burglar to when you're likely to be home and when not. And what if, asks Frantzen, the remote lockout on the thermostat fails and some remote hacker cranks the heat or air conditioning setting to its maximum setting while you're on vacation?
Is anyone even thinking about these issues? If not, shouldn't someone be?