Feature Article
Mark Pribish
October is National Cyber Security Awareness Month and October 16th-22nd is National Protect Your ID Week
By Mark Pribish
Vice President and ID Theft Practice Leader

Did you know that the month of October is National Cyber Security Awareness Month and that October 16th through the 22nd, 2011 is National Protect Your ID Week?

In the event you did not know, The National Foundation of Credit Counseling (NFCC) often known as Consumer Credit Counseling Service (CCCS) has partnered with the National Sheriffs' Association and the National Association of Triads to support this year's Protect Your Identity Week (PYIW) from October 16th through the 22nd, 2011 (please see here).

Participating member agencies and sponsors will focus on prevention including shredding, workshops, speakers, and credit report reviews which are open to the public and free of charge.

At the same time, the Department of Homeland Security (DHS) has kicked off its 7th Annual National Cyber Security Awareness Month (please see here) with a public campaign to encourage everyone to take action in protecting their Personally Identifiable Information (PII) and that "the Internet is a shared resource and securing it is our responsibility."

Here at Merchants Information Solutions, Inc. - we are celebrating both National Protect Your ID Week and National Cyber Security Awareness Month by running an eight page ID Theft newsletter article to remind consumers - especially children/students and seniors - about the ongoing threat of identity theft and data breach events.

This issue will include standard definitions of identity theft, types of identity theft, types of scams, and identity theft resources.

We will also include some identity theft related statistics that may not be well known, but may be of interest especially if you have health insurance, require healthcare services, receive government benefits, file taxes, and have children/grandchildren.

Definitions

Consumer Identity Theft - The FTC defines "identity theft" as a fraud that is committed or attempted, using a person's identifying information without authority. This means a fraud event that involves someone pretending to be someone else in order to steal money or other benefits.

Personally Identifiable Information (PII) - Refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

Personal Privacy - Your personal information is more than your name, address and Social Security number (SSN). It includes your shopping habits, driving record, medical diagnoses, work history, credit score and more. The right to privacy refers to having control over this personal information. It is the ability to limit who has this information, how this information is kept and what can be done with it.

Password Management - Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks, by creating a password that is difficult to guess, does not share popular names or words, does not have consecutive letters and/or numbers and is not similar to a previous password.

Types of ID Theft (Financial and Non-Financial)

Child ID Theft occurs when a child's identity is used by another person for the imposter's personal gain. Children are targets because they are not typically working or applying for credit (e.g. student loans) until they are teenagers.

Criminal ID Theft, where you can be adversely affected when a criminal chooses to use your name and fake driver's license information at the time of a traffic ticket, DUI or felony. Once bail is posted, the police are now coming to your home to arrest you for skipping bail while the imposter has already left town!

Driver's License ID Theft includes the use of another person's identity along with fake identity documents like a birth certificate or social security card. Oftentimes criminals simply create these documents from their personal computers and print them after changing your Personally Identifiable Information (PII).

Employment Fraud/ID Theft occurs when an identity thief obtains employment by using a stolen or synthesized (made up) social security number (SSN).

Financial ID Theft occurs when a criminal either takes over a current checking or credit card account or when someone fraudulently opens a new checking or credit card account in your name and then fraudulently uses those accounts to commit financial fraud.

Government Benefits ID Theft occurs when identity thieves pretend to be another person to steal money in the form of social security benefits, unemployment benefits, welfare benefits, etc.

Medical Benefits ID Theft affects both healthcare providers and patients when someone poses as another individual who has a different blood type or medical condition and the medical record reflects the information of the imposter and NOT the individual whose identity has been stolen. When a medical record/file has been compromised, it could cost the patient his/her life and the provider could end up being sued. Another common theme is when an imposter uses your health insurance information for elective surgery and your health insurance does not cover any of the costs and you get stuck with the bill.

Senior ID Theft occurs when a senior's identity is used by another person for the imposter's personal gain. Seniors are targets because most seniors have spent their lives building credit-worthiness and retirement funds and can be too trusting.

Social Media ID Theft occurs when your online identity is stolen and used to promote content that is not originated by you. It can be a form of cybersquatting where your stolen account may be used to steal money from family and friends, create new accounts or to negatively smear your reputation.

Social Security Number ID Theft occurs when someone uses your social security number to apply for a job, which can lead to taking over your identity. A common theme when someone steals your social security number is to obtain employment and then the imposter fails to pay taxes and the IRS comes after you for failure to pay taxes.

Synthetic ID Theft is a type of ID fraud in which thieves literally create new identities by combining real and fake identifying information to establish new accounts with fictional identities.

Types of Scams

Cyber Crime - From spyware to new viruses to using a computer and the Internet to steal an individual's Personally Identifying Information (PII). Cyber Crime has also expanded into stalking / targeting victims which has become more prevalent with the popularity of social networking groups like Facebook (see http://www.facebook.com/security for more information).

Pharming - The process of redirecting internet domain name requests to false websites to collect personal information.

Phishing - A scam that uses an authentic-looking fraudulent email to solicit confidential customer information in response.

Pre-texting - Where a thief poses as a legitimate representative of a company, bank, employer, landlord, business owner, Internet service provider, or anyone else that contacts you in an attempt to garner your confidential information usually by asking you to verify some data.

Skimming - Stealing credit/debit card numbers by swiping the card to a portable data storage device; or by attaching to an ATM or credit/debit card reader.

Spoofing - Where fraudsters create fraudulent websites to look just like an actual website via phishing or pharming schemes.

Spyware - Where information is collected from a computer user without his or her knowledge/informed consent, which reports information to a third party. This is used by legitimate business as well as identity thieves.

Vishing or Voice Phishing - Sending an e-mail hoping to get victims to telephone a voice mail box to disclose sensitive financial and personal information.

2011 ID Theft Trends and Statistics

I would now like to provide some of the latest ID Theft statistics and industry trends for 2011 including:

  1. According to PriceWaterhouseCoopers in a September 2011 Healthcare Report, Medical Identify Theft is the fastest-growing form of identity theft in 2010 affecting 1.42 million Americans and costing more than $28 billion.

  2. According to a May 2011 GAO Taxes and Identity Theft Report, Taxpayer Identity Theft increased to 245,000 identity theft incidents in 2010; up from 169,087 incidents in 2009 and 51,702 incidents in 2008.

  3. According to the 2011 GAO Report, Identity theft harms innocent taxpayers through refund fraud where an identity thief uses a taxpayer's name and Social Security Number (SSN) to file for a tax refund, which IRS discovers after the legitimate taxpayer files.

  4. According to the 2011 GAO Report, Identity theft harms innocent taxpayers through employment fraud where an identity thief uses a taxpayer's name and SSN to obtain a job. When the thief's employer reports income to IRS, the taxpayer appears to have unreported income on his or her return, leading to enforcement action.

  5. According to an August 2011 Digital Forensic Association (DFA) Report called The Leaking Vault - 6 years of Data Breaches, the DFA found that on average for every single day for the past six years that 388,000 records per day were lost/stolen and that 15,000 records per hour were lost/stolen.

  6. According to the March 2011 FTC Consumer Sentinel Report (CSN), Identity theft was the number one complaint category in the CSN for calendar year 2010 with 19% of the overall complaints.

  7. According to the 2001 FTC Report, Government documents/benefits fraud increased 4 percentage points since calendar year 2008. The 2011 FTC Report listed the following ID Theft categories reflecting 2010 statistics:

    • Government documents/benefits fraud (19%)
    • Credit card fraud (15%)
    • Phone or utilities fraud (14%)
    • Employment fraud (11%)
    • Bank fraud (10%)
    • Loan fraud (4%)
    • Child Support (0.2%)

  8. According to the 2011 FTC Report, the FTC data concluded the following identity theft complaints by victims' age:

    • 19 years old and under 8 percent
    • 20-29 years old 24 percent
    • 30-39 years old 21 percent
    • 40-49 years old 19 percent
    • 50-59 years old 15 percent
    • 60-69 years old 8 percent
    • 70 years old and over 5 percent

  9. According to the 2011 FTC Report, the Top 10 states in 2010 with the highest per capita rate of reported identity theft complaints include:

    • Florida
    • Arizona
    • California
    • Georgia
    • Texas
    • Nevada
    • New Mexico
    • New York
    • Maryland
    • Illinois

  10. According to the March 2011 Ponemon Cost of a Data Breach Study, and for the fifth year in a row, data breach costs have continued to rise where data breaches in 2010 cost companies an average of $214 per compromised record, up $10 (5 percent) from 2009.

  11. According to the Privacy Rights Clearinghouse (www.privacyrights.org) and since January 2005 through October 7, 2011, there have been 2,711 data breach events (that we know of) totaling 542,214,290 personal records breached.

  12. According to the Privacy Rights Clearinghouse (www.privacyrights.org) and since January 2011 through October 7, 2011, there have been 392 data breach events (that we know of) totaling 23,316,765 personal records breached.

  13. According to the Privacy Right Clearinghouse, the Type of Organization experiencing a data breach event for Years January 2005-Sep 3, 2011 include:

    • BSO - Businesses - Other 325 breaches totaling 8 million records (12.1%)
    • BSF - Businesses - Financial and Insurance Services 404 breaches totaling 248 million records (15.1%)
    • BSR - Businesses - Retail/Merchant 276 breaches totaling 116 million records (10.3%)
    • EDU - Educational Institutions 568 breaches totaling 9 million records (21.3%)
    • GOV - Government and Military 495 breaches totaling 132 million records (18.5%)
    • MED - Healthcare - Medical Providers 544 breaches totaling 21 million records (20.4%)
    • NGO - Nonprofit Organizations 58 breaches totaling 1.8 million records (2%)

  14. According to the Privacy Right Clearinghouse, the Type of Data Breach event for Years January 2005-Sep 3, 2011 include:

    • Unintended disclosure (DISC) 480 breaches totaling 16 million (17.9%)
    • Hacking or malware (HACK) 500 breaches totaling 312 million (18.7%)
    • Payment Card Fraud (CARD) 41 breaches totaling 75,000 (1.5%)
    • Insider (INSD) 283 breaches totaling 32 million (10.6%)
    • Physical loss (PHYS) 343 breaches totaling 3 million (12.9%)
    • Portable device (PORT) 759 breaches totaling 160 million (28.4%)
    • Stationary device (STAT) 181 breaches totaling 9 million (6.7%)
    • Unknown or other (UNKN) 83 breaches totaling 3 million (3%)

  15. According to the Privacy Rights Clearinghouse, the Type of Data Breach event for 2011 includes:

    • Unintended disclosure (DISC) 55 breaches totaling 4.1 million records (14%)
    • Hacking or malware (HACK) 100 breaches totaling 13.4 million records (25.5%)
    • Payment Card Fraud (CARD) 14 breaches totaling 6,499 records (3.5%)
    • Insider (INSD) 56 breaches totaling 107,500 records (14.3%)
    • Physical loss (PHYS) 57 breaches totaling 15,330 records (14.5%)
    • Portable device (PORT) 70 breaches totaling 3.2 million records (17.9%)
    • Stationary device (STAT) 18 breaches totaling 2.5 million records (4.5%)
    • Unknown or other (UNKN) 22 breaches totaling 13,500 records (5.6%)

  16. According to the Privacy Right Clearinghouse, the Type of Organization experiencing a data breach event in 2011 includes:

    • BSO - Businesses - Other 51 breaches totaling 861,000 records (13%)
    • BSF - Businesses - Financial and Insurance Services 41 breaches totaling 566,000 records (10.5%)
    • BSR - Businesses - Retail/Merchant 61 breaches totaling 12 million records (15.6%)
    • EDU - Educational Institutions 47 breaches totaling 389,000 records (12%)
    • GOV - Government and Military 53 breaches totaling 4 million (13.5%)
    • MED - Healthcare - Medical Providers 129 breaches totaling 5.6 million records (33%)
    • NGO - Nonprofit Organizations 5 breaches totaling 828 (1%)

  17. According to the Privacy Right Clearinghouse, the definitions on the types of data breach events include:

    • Unintended disclosure (DISC) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
    • Hacking or malware (HACK) - Electronic entry by an outside party, malware and spyware.
    • Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
    • Insider ( INSD) - Someone with legitimate access intentionally breaches information - such as an employee or contractor
    • Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such as paper documents
    • Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
    • Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
    • Unknown or other (UNKN)

  18. According the Verisign 2010 Malware Security Report on the common types of malware delivery mechanisms, malware can be delivered is the following ways:

    • Software updates: Malware posts invitations inside social media sites, inviting users to view a video. The link tries to trick users into believing they need to update their current software to view the video. The software offered is malicious.
    • Banner ads: Sometimes called "malvertising," unsuspecting users click on a banner ad that then attempts to install malicious code on the user's computer. Alternatively, the ad directs users to a web site that instructs them to download a PDF with heavily-obscured malicious code, or they are instructed to divulge payment details to download a PDF properly.
    • Downloadable documents: Users are enticed into opening a recognizable program, such as Microsoft Word or Excel, which contains a preinstalled Trojan horse.
    • Man-in-the-middle: Users may think they are communicating with a web site they trust. In reality, a cybercriminal is collecting the data users share with the site, such as login and password. Or, a criminal can hijack a session, and keep it open after users think it has been closed. The criminal can then conduct their malicious transactions. If the user was banking, the criminal can transfer funds. If the user was shopping, a criminal can access and steal the credit card number used in the transaction.
    • Keyloggers: Users are tricked into downloading keylogger software using any of the techniques mentioned above. The keylogger then monitors specific actions, such as mouse operations or keyboard strokes, and takes screenshots in order to capture personal banking or credit card information.

To conclude, I hope you have found this month's newsletter to be informative, educational, and helpful in being proactive in learning about ID Theft and in protecting you and your family from the challenges of identity theft and the many data breach events being reported in the news.

I have also listed below five ID Theft related websites that can support you and your family's continuing education.

ID Theft Resources

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.

Sincerely,
Mark


Scam Central

Trading Your Personal Information for Stimulus Money

How much personal information would you be willing to give out for a chance to win $500 in stimulus money? Everyone can use an extra $500. So what exact information would you need to provide? Well, pretty much your most sensitive, and valuable information. The very information we have been educating you to protect at all costs. You guessed it, this is yet another scam.

How It Works:

Some senior citizens in southwest Atlanta were recently targeted by this scam. Some victims were contacted by phone, others learned about it from a friend and some read about it in the paper. News of the deal spread like wildfire throughout the community. The deal was simple; simply go to a website and fill out a form. However, the form is just a piece of paper with no official letterhead. The form asked victims to provide their name, address, phone number, Social Security number, and date of birth with the promise that if they were "approved", they will receive a Visa Check card in about four weeks. However, no card was ever issued, and victims had just given out their most valuable information.

In this particular instance, the forms were recovered after some initial complaints about the scam, and the person collecting the forms realized that he himself was scammed into participating in the scam and wanted no part of that, so he returned the forms. But the surprising rate at which people rushed to offer their Personally Identifiable Information (PII) in exchange for money should be alarming to everyone. Why would you give someone your valuable PII in exchange for a chance to win some money? You may as well fill out a credit application with your information and hand it over.

Your Defense:

Common sense is your best defense in situations such as this one. While this scam was caught pretty quickly in Atlanta, it has the potential to crop up again somewhere else and spread quickly.

Never give out your personal information unless absolutely necessary. If you are the kind of person that likes to enter contests or sweepstakes, stop and consider the type of information requested and weigh the risks first. Don't let the lure of free money cloud your judgment, and don't be afraid to ask questions about how your information will be used. Is it necessary for you to give them so much information? Why do they need your Social Security number and how will they use it? What will happen to your information during and after the contest? Will the information be destroyed, or end up in the hands of marketers or possibly scammers?

Although it would be nice to enter a contest and win big money, I would have to raise an eyebrow at any form that asks for the type of information this scammer was collecting unless I was in a bank or auto dealer applying for a line of credit, or opening a new account. With so many of us living on fixed or tight incomes during these trying economic times, the last thing anyone would want to do is expose their personal information to possibly be used fraudulently. Don't let it happen to you.

If you believe your identity has been stolen, call 866.SMART68 today.