Tuesday, November 27, 2012

Thanksgiving Day Macy’s Parade Oops.


Parade viewers were surprised to find shredded police report information mixed in with the normal parade confetti. In a strange twist, confetti collected by spectators near 65th Street and Central Park West revealed arrest records, incident reports and personal information that identified undercover officers. There was also information about Mitt Romney's motorcade route to and from the final presidential debate at Hofstra University.
From an interview with WPIX: "There are phone numbers, addresses, more Social Security numbers, license plate numbers," said Ethan Finkelstein, 18, of Manhattan, who gathered up some of the confetti with friends. "And then we find all these incident reports from police."

An investigation into how this happened has found that the records that landed on spectators at Macy's Thanksgiving Day Parade were brought by a Nassau County Police Academy department employee. The employee has not been named by investigators.

Nassau County Police are considering upgrading to cross cut shredders for future use. Macy’s confirmed that the confetti used for the parade, supplied by Macy’s, is colored paper.


Retailers beware:


With the approach of the holiday season, retailers and merchants will need to be diligent in watching over their operations. Identity thieves, scammers, hackers, and other criminal types will be going full-fledged during the holidays. They will be counting on the hustle and bustle to allow them to penetrate Point Of Sale systems across the country. They will use any tool they can, from viruses to turning an employee, to steal the data that they want.

The scary part is that when they are successful the backlash at the merchant will be intense. For each merchant system that is compromised there will be questions and complaints as to how this could and did happen. The business that doesn’t have the correct answers, or that failed to observe some security step, will in the end answer these ugly questions in a court of law.

Wednesday, November 7, 2012

POS Warning

In an article, “Why Data Theft Experts Recommend Paying in Cash” by Byron Acohido, published in USA Today, the experts talk about the dangers of debit card theft. They also bring up the growing problem of POS terminal attacks. What they don’t talk about is how the public is going to respond to the exposure.

If you are a business owner or the manager of a store in a chain, you now have a duty to your company and customers to look at those terminals every day. The thieves are slick at what they do, so you will need to be more vigilant in watching for tampering. If you suspect tampering, take that terminal offline and have it checked out. The first time it comes to light that a POS terminal was still used after being suspected, there might be a very ugly outcry from customers. There may even be action from attorneys against the store and/or company.

For those companies and managers who don’t feel the need to be watchful and claim ignorance, there will be an attorney who will clearly address the lack of due diligence. Business owners and leaders need to understand that these attacks are becoming more common and that greater effort on their part is required.

The last part of the article brought up the age-old advice that maybe people should carry and use cash. When people carried cash they were subjected to the threat of robbery. Now they need to be concerned about using a debit card. I stand by my position that consumers need to use credit cards for all transactions because of the higher legal safeguards of credit cards. I still believe that you should carry an ATM-only card solely for getting cash when you need it. The debit card is a direct pipeline into your bank account and can cause significant problems if it is lost or cloned. The risk versus reward for using a debit card is not good enough for me.

Wednesday, October 31, 2012

South Carolina Breach and Error


This past week I have been reading about the data breach in South Carolina. Hackers gained access to the records of the Department of Revenue and the data of 3.6 million South Carolina taxpayers. Data ranging from Social Security numbers to home addresses was available.

In the days following the notice of the breach, Governor Nikki Haley has spoken about the data not being encrypted. In her comments she stated that “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those agencies you might think encrypt Social Security numbers actually don’t. It’s not just that this was a DOR situation, but an industry situation.”

For the past ten years I have tried to bring to the attention of the public that data exposure is a real problem. In California, where the first data breach notice law was created, the standard is that if the data is encrypted then notice is not needed. This was included to provide businesses with a security step that would make encrypting the data a more cost effective option.

There are numerous ways to encrypt the DOR data and still allow DOR personnel to use it. I wonder if the Governor considers paying for 3.6 million people to have credit report monitoring to be more cost effective. We are rapidly approaching the point where those who have a breach, and had not taken the step of encrypting the data, will find themselves discussing the standards in front of a jury of their peers.
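One way to do what the paragraph describes, keeping the SSNs encrypted at rest while still letting staff look a taxpayer up by SSN, as an added example that is not the DOR system's code: only ciphertext goes in the table, and a separate keyed hash (a "blind index") supports equality lookup. The store, the sample records and the HMAC-based cipher (a stand-in for a vetted AEAD such as AES-GCM, used so the example runs with the standard library alone) are constructed for this illustration.

```python
"""Encrypted storage of SSNs that still supports exact-match lookup.

Added example, not the DOR system or any vendor's code.  SSNs are stored only
as ciphertext; a separate keyed hash ("blind index") lets staff find a record
by SSN without the plaintext ever being stored.  The cipher is an HMAC-SHA256
counter-mode keystream plus an HMAC tag, chosen only so the example runs with
the standard library; a deployment would use a vetted AEAD such as AES-GCM.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from (key, nonce) with HMAC in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; any modification is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def normalize_ssn(ssn: str) -> str:
    """Canonical nine-digit form so '123-45-6789' and '123456789' index identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def blind_index(index_key: bytes, ssn: str) -> str:
    """Keyed hash of the SSN: equality lookup is possible, but nothing is learned without the key."""
    return hmac.new(index_key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class TaxpayerStore:
    """In-memory stand-in for a taxpayer table (constructed); no plaintext SSN is ever stored."""

    def __init__(self) -> None:
        # Three independent keys; in practice they live in a KMS/HSM, never in the database.
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.index_key = secrets.token_bytes(32)
        self.rows = []

    def add(self, name: str, ssn: str) -> None:
        digits = normalize_ssn(ssn)
        self.rows.append({
            "name": name,
            "ssn_ct": encrypt(self.enc_key, self.mac_key, digits.encode()),
            "ssn_idx": blind_index(self.index_key, ssn),
        })

    def find_by_ssn(self, ssn: str) -> list:
        """The everyday clerk lookup: match on the blind index, never on plaintext."""
        wanted = blind_index(self.index_key, ssn)
        return [r["name"] for r in self.rows if hmac.compare_digest(r["ssn_idx"], wanted)]

    def reveal_ssn(self, row: dict) -> str:
        """Privileged path that decrypts one record's SSN (the place to log and audit)."""
        digits = decrypt(self.enc_key, self.mac_key, row["ssn_ct"]).decode()
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

    def stolen_copy_contains(self, ssn: str) -> bool:
        """Models an attacker holding a dump of the table but none of the keys."""
        digits = normalize_ssn(ssn).encode()
        return any(digits in r["ssn_ct"] or digits in r["ssn_idx"].encode() for r in self.rows)
```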

Monday, October 15, 2012

Webroot Hits a Home Run With ‘SecureAnywhere 2013’


In this time of caution and concern, computer users can become confused by the various antivirus programs. I make it part of my job to check out programs and evaluate them against what is currently available and what needs to be implemented.

Webroot has created a new tool to help fight against those who would hijack our information. Webroot’s antivirus software SecureAnywhere 2013 steps up to the plate with new features and functions that users need in our daily travels on the Internet, especially in the face of cybercrime and mobile devices.

SecureAnywhere 2013 has high speed antivirus scanning and perhaps the best malware detection tools that I have tested. I was provided with a demonstration of their tools last week during a call with the product manager and one of the engineers. In a live example I was shown that this software can detect and warn you of a number of web login scams. It empowers the everyday user and allows them to connect to the Internet more safely than ever before.

For years I have told people to be careful of online login scams and the threat of malware. Webroot’s SecureAnywhere 2013 is a reasonably priced antivirus tool that allows the user to trust this new antivirus program and focus on their project or task. I never minimize healthy distrust of what are clear scams, but at least now I don’t need to worry when I log in to my bank online because this tool will tell me if it is the correct site or not. Keyloggers and scam sites can’t penetrate this software, so I feel safe in allowing my family to be online without concern. One additional feature that I love about this product is the speed of the antivirus scanning. Having used a number of products before that could take up to an hour to complete a scan, imagine my surprise to see a scan done in just minutes. I am talking about single digit minutes.

The following was taken from the press release for this product:

In the first review since its 2013 product release, Webroot SecureAnywhere AntiVirus again garnered the PC Magazine Editors’ Choice Award. In his review, PC Magazine Lead Security Analyst Neil Rubenking wrote, “Webroot SecureAnywhere AntiVirus 2013 gives you speedy scanning and excellent malware blocking in a ridiculously small package. Webroot remains an Editors' Choice for antivirus protection.”

This software is a positive step forward and should be part of a computer user’s arsenal of tools to protect and defend against the threats of online identity theft.

Tuesday, October 9, 2012

Job Seekers Be Wary


Computers have made job searching a lot faster. They have also opened the door to companies taking multiple applications for a single position. Now comes the trouble spot. Job seekers need to be careful that the application they are filling out is from a legitimate company and for an actual job. Scammers are offering jobs online. You fill out the online application and never receive a call. Before you fill it out, check it out.

Florida Realtors Warn to be on the Alert for Bogus Emails.


The Florida Department of Business and Professional Regulation is warning Realtors and other professionals with state licenses to watch out for emails supposedly coming from the Department. The scam is an email informing the recipient that they are the subject of a pending disciplinary action. The target is directed to contact an investigator at a toll free phone number. During this interview the scammers collect a variety of personal and business information.

Sandi Poreda, communications director for the department, said that the scammers have managed to copy “the banner on our website and created an email signature that looks very much like ours.”

This scam should be a concern for any business person who has been licensed by the State. This scam will most likely be traveling across the country in the next few months. Every business person should think twice before providing information based on an email request.

Thursday, July 5, 2012

DNS Changer Day is Coming

In April the FBI made numerous arrests of a cyber-criminal group that created and operated a malware scam called DNS Changer. The core of the scam was to trap consumers into using a fraudulent DNS server, thereby directing them to fraudulent websites. When the FBI made their arrests in April, to prevent the loss of internet service to around 500,000 consumers, the bureau chose to operate the DNS servers until all of the affected computers could be patched. On July 9th, 2012 the FBI will shut down the fraudulent DNS servers.

Computer users are strongly urged to follow the steps below to ensure that their computers will not lose internet access on the 9th.

To tell if your computer is infected, go to http://dns-ok.us and wait for the page to load. If it comes up "green" then you are OK. On the other hand, if it detects a problem you need to visit another website, www.dcwg.org. This is an industry-run website with all of the information you need to remove this malware from your computer.

Please take the time and make sure you are not going to be affected when the FBI pulls the plug.

Friday, June 15, 2012

Nationwide Study on Medical Identity Theft


I read an article today about a study commissioned by Nationwide Insurance and conducted by Harris Interactive. The topic of the study was the question of medical identity theft. The results only confirm what I have seen for the past 10 years or so. The public still does not understand that identity theft in the medical field occurs.

The survey, conducted by telephone only of people with health insurance, showed that 1 out of 6 (15%) respondents stated that they knew about medical identity theft. When asked, only 38% of those who said they knew what medical identity theft was were able to define it.

The depth of medical identity theft is growing each year. In 2010 there were 1.5 million persons victimized, to the tune of $30 billion. The damage is clearly felt in the higher costs of medical services and insurance. The worst news is that there is no real solution in sight.

The various forms of medical identity theft manifest different problems and concerns. We have all heard the warning about what will happen should someone receive the wrong blood because of mixed files. So how about the victim who is denied medical equipment because his or her information was used by an imposter to scam Medicare? There is the victim who has to defend himself in a court of law because of collection actions resulting from medical services provided to the thief. There is the problem of the medical issues of the imposter affecting the livelihood of the victim. There are certain medical conditions that, when reported, make the wheels spin regardless of any other information. Imagine losing your pilot license when you are a flight school owner and training instructor.

I don’t want to be the voice in the wilderness calling out the danger but how much more will the medical system take before it collapses under the barrage of fraud?

Cyber Data Breaches: What Is Coming

The news for the last few days has talked about the LinkedIn and eHarmony password breaches as though they were a super threat. In the realm of data breaches you need to understand the issue: what was breached and what information was exposed. If I have your password I can get into your account, right? What if I don’t know your login ID? If all I have is your password I may not be able to do much unless there is a way to identify you or the account. If I can identify you, I can contact you to scam you out of additional information to commit my crimes. If I can identify the account then I can log in and take over the account. The type of account will determine the damage that I can create.

When there is a breach of data the concern is threefold.

1. Was the information enough to supply me with the data I need to create new accounts?

2. Was there enough information to allow me to sucker you into giving up more information?

3. Was it enough for me to take over the account and drain it, max it out or use it to scam others?

When a company has a data breach and does not clearly indicate what was exposed, it leaves the recipients to try and guess what to do. It also leaves the company somewhat exposed to legal reprisals. The time frame in a breach should be discovery, investigation, informed notice, and then proceeding with your business. The investigation should involve law enforcement, and they should be called before any repair or system fixes are started. The notice needs to be clear, concise and complete. The better these steps are done, the better for all involved.

Monday, May 14, 2012

Data Breach Warning of Lawsuits


Last Monday an article by Jay Singleton published in the Connecticut Law Tribune cast some very ominous warnings for every medical or financial organization across the country. Trial lawyers are setting their sights on you for the data you have and how well you protect it.

With medical organizations pressing to put patient records into electronic format, all it takes is one lost laptop or a single data security lapse and you become the focus of a number of law firms. One loss of personal information and any of the people whose information you held could take legal action against you. According to the federal Department of Health and Human Services, the personal medical data for more than 11 million people may have been exposed during the past two years.

Financial institutions already have similar problems. Attorney Michael A. Stratton, of New Haven’s Stratton Faxon, is involved in two class actions filed in New Haven seeking damages from banks accused of mishandling personal information of customers. One case involves the Bank of New York Mellon, which lost data tapes containing personal information for about 4.5 million people, including 500,000 customers of People’s United Bank of Bridgeport.

While these lawsuits are in their early stages and there are no clear examples of loss or damages to be presented, there are plaintiffs' lawyers who concede that the valuation of these cases is still a big unknown. This does not mean that they will not search until they find it.

Health-related privacy cases brought as class actions are still untested territory, and attorneys believe new law will be made in the next few years. That means attorneys and the courts will be addressing these issues in the not too distant future. It would be best if your company or organization is not the test case for this type of new action.

IRS and TIGTA Testify on Identity Theft before Congress

Last week J. Russell George, the Treasury Inspector General for Tax Administration, and IRS Deputy Commissioner Steven Miller appeared before Congress to report on the issue of identity theft and tax fraud. From George's testimony, a laundry list of issues was presented to the oversight committee.

The issues included slow resolution, poor communication between the IRS and victims, the processing of victims' returns not being a priority, and guidelines for identity theft cases that are inconsistent and incomplete. The biggest failing appears to be that the IRS does not use the data from identity theft cases to identify trends.

The issues that US citizens face when dealing with an identity theft tax problem are formidable, to say the least. I have for many years studied these problems from a variety of angles, seeking the best way to guide the victim through what is for them a nightmare. The best path is still not always clear because of the different parties involved in resolving the problem. Victims have the burden of proving that they are victims. The IRS employee has the task of evaluating the statements and documents of the victim, trying to separate the truth from the fiction that may be assumed facts, erroneous conclusions and just plain confusion on the part of the victim. It is all too easy for someone to jump to a wrong conclusion when trying to unravel the different elements of the case, which leads to mistakes by both the victim and the Government.

For more than ten years I worked with victims trying to create a path through the maze of issues that would put the victim and the Government on the same side. That has not come to pass yet. There are a number of ways to address the issues and then format the steps so that they work for both the victims and the IRS, but that will require both groups working together. For the past five years I have wanted to sit down with the policy makers from the IRS to create a program that will help the victim of identity theft and cannot be gamed by the perpetrators.

To J. Russell George, the Treasury Inspector General for Tax Administration, and IRS Deputy Commissioner Steven Miller: I have been hoping to work with the IRS so you would not have to go before Congress and report the ugly state of the problem. The issue of identity theft will not be going away anytime soon. The stories in the press about thieves playing the system are only the surface of what is really going on. There is no time like now to put an end to it.

Wednesday, May 2, 2012

Data In-Security in the Healthcare Industry


I am seeing more and more stories about the breaches in the healthcare industry. What I am not seeing is a strategic push to fix the problem.

From the Verizon breach report we get to see that most of the breaches are due to the human element. The hacktivists seemed to be responsible for about 58% of the documented attacks. Just 4% were attributed to insiders, which means that 1/3 of the breaches were due to the acts of cybercriminals. The report states that 97% of the breaches could have been avoided by simple “basic or intermediate” security controls. Then there is the fact that 69% of the attacks used malware for access. More than a little sad was the stat that 92% of the breaches were discovered by a third party. There is the stat that 94% involved compromised servers, coupled with the stat that 85% took more than two weeks to be discovered.

With the additional information from the breach report, it paints a clear picture that most businesses have not started to make data security the priority it needs to be. You need to look at what the data is and how you need to use it. Then you design the system to protect it and you. Once the system is built and running, you test it and then retest it to make sure it works for what you need it to do. Then you monitor the system on a daily basis, looking for the clues that someone is trying to attack you.

It is not as hard as you might think, and I firmly believe it will be more cost effective to do than, say, paying for a breach of data.

Thursday, April 26, 2012

Identity Theft and the Dead


I remember explaining to a group of people one time that “your credit does not stop just because you died.” There were a number of very shocked people in that room. I was responding to a question from a woman whose husband had passed away two years earlier. She was upset because she was receiving phone calls from collection agencies about debts that were created after her husband had passed.

Many people believe that once you die all of your accounts just disappear. They don’t realize the steps needed to shut down both the accounts and the identity. To close the accounts you need to send a copy of the death certificate and a letter explaining the situation to each of the creditors. This also includes those credit accounts that are open but have a zero balance. The next step is to send a photocopy of the death certificate to the three Credit Reporting Agencies so they will mark the file as deceased.

To shut down some of the governmental records you need to send the death certificate to the Social Security Administration. Most of the time this step is only used by the surviving spouse to collect the survivor benefit.

Now we have a study from ID Analytics that shows how 2.5 million deceased people have had their identities used for fraud and work purposes. Does this really surprise anyone? In 2004 there was a report that in one State, during a one month period, 140 deceased people applied for driver's licenses.

There are numerous stories of persons who have had their identity taken and used after their death. Many of those stories come from the surviving family who are dealing with the fallout of the imposter's actions. It is in many ways almost as painful for families as the loss of the loved one. Time does not ease the pain of these issues; it causes them to multiply. With each fraudulent account there is a possibility of dealing with as many as 4 collection agencies.

One more aspect of the crime of identity theft and the deceased is that it is not unheard of to find that the perpetrator is from the deceased’s own family or circle of friends. There are many different solutions to the problem of identity theft. None of the solutions are all encompassing or can be put in place as simply or easily as most of us would like. This will be a long time fixing the problems and then fixing the fixes.

Monday, April 16, 2012

Data Breaches in the Medical Community


The recent study commissioned by Kroll Advisory Solutions shows a clear increase in data breaches. 27% of the respondents stated they had at least one security breach during the past year, up from 19% in 2010 and 13% in 2008. Respondents indicated 79% were attributed to employees, while most of the others were due to the actions of outsourced or contract employees. More than half of the problems were identified as "unauthorized access to information," typically the patient's name and date of birth, by an individual.

From the study it was reported that paper breaches, including improper destruction, happened over 40% of the time. The survey reported that computer security issues were increasing rapidly. Problems around the use or loss of laptops or portable handheld devices were identified 22% of the time. Data breach problems from third party vendors retaining healthcare data rose to 10%, up from 6% in 2010. Network breaches due to outside attacks were reported at about 3%.

From the report, 31% felt that information available on a portable device was a factor most likely to contribute to the risk of a breach. In 2010 the estimate was 20%. Twenty two percent of those who responded said the data was compromised when a laptop, handheld device or computer hard drive was lost or stolen, which is twice the number who said this in 2010.

The following is an excerpt from an article by Ellen Messmer at Network World.

The report says the vast majority of healthcare institutions conduct formal risk analysis, relying mainly on federal guidelines such as CMS Meaningful Use requirements and the National Institute of Standards and Technology. The goal is to comply with the mandates of the American Recovery and Reinvestment Act of 2009, which includes funding for healthcare records, and the HITECH Act, which contains penalties for security lapses related to misuse of patient healthcare information.

The report says almost all the survey's respondents had taken steps to prepare their hospitals and medical centers for a possible federally-run Office of Civil Rights HIPAA audit. Four percent had been audited and 90% in this case indicated they'd try to prepare better in the future. Two percent of all respondents said their organization had been fined as a result of a HIPAA violation.

The key here is in the very last sentence. Those organizations that were fined for HIPAA violations also faced the threat of prolonged legal action. The organization that does not take the steps to eliminate the risk gambles its own future. The cost of controlling the data is one thing. The cost of protecting the data is another that cannot be ignored.

The Question of Legislation


The State of Maryland has passed and sent to the Governor an interesting piece of legislation. It will allow parents to freeze their children’s credit report. It will allow parents to freeze something that is not supposed to exist. So if there is no file, what does the parent do? Keep checking back every year until they find that the file has been created? The effort and desire to do something good for children has produced something that will be marginally effective at best.

The correct way to protect the children would be to have the Social Security Administration supply the names and SSNs of all the children to the three credit reporting agencies. This file would be automatically checked anytime a request for a credit report was made of the CRAs. If no file is found, the CRA could then check the list of minors. It would protect all of the minors without the parents having to do anything special.

There is one clear problem with a sign up system. For some of the children the person who should be signing them up will be the person stealing the child’s identity. The children who need the protection most are under the control of the perpetrator.

When we first started looking into the issue of child identity theft, the first group we ran into were foster children who were aging out of the foster care system. Soon after, we discovered that children who were in close proximity to drug users often found themselves to be victims.

Our original suggestion was that the SSA would share the list of minors with the three CRAs and the Departments of Motor Vehicles for all the States and Territories. We suggested that because we had discovered that some of the stolen identities were used to get replacement driver’s licenses. One of the cases involved a father who had lost his driver’s license due to multiple DUIs.

I applaud the desire to help children avoid becoming victims of identity theft. From what I have seen there is a need. It is, however, a need that must be fixed the right way. There are too many mistakes that can come from rushing a fix into place.

Tuesday, April 10, 2012

Cell Phone Database to Fight Identity Theft


A joint venture by several of the large cell phone providers is going to help people avoid identity theft. They are building a database of lost and stolen cellphones with the intent of blocking the phone from being reactivated. The wireless companies are making this effort in a positive attempt to block cell phone thieves from using the stolen phone.

The core idea is to help keep the owner's personal information out of the hands of the person who steals or finds the phone. The cell phone will have an identifying code assigned to it that will allow providers to deactivate the phone and stop it from being used again once it is reported lost or stolen. Anyone trying to reverse engineer or hack the code should face serious legal troubles.

Customers with AT&T, Sprint-Nextel, T-Mobile, and Verizon will have the protection. The Federal Communications Commission believes the database will be ready to launch sometime around October.

Saturday, April 7, 2012

Having No Fun With The IRS


There are multiple stories of tax time problems and issues. With each tale we hear more of the difficulties that the victim goes through. The outraged cries of "why does this happen?" ring across the country. There must be a way to protect myself and my family from this kind of identity theft!

Time for a reality check. The IRS system is designed to collect tax monies from employers and then refund the over-collection upon delivery of a return. They are not in the practice of validating the SSN against the person. They operate on the simple belief that each of the tax returns they receive is valid, because the whole system would collapse if they had to screen each one for authenticity. For the hundreds of fraudulent returns reported last year or this year, there are millions of valid returns. Imagine trying to validate millions of returns as fast as possible so you can generate the refund and get it to the proper party.

One of the largest problems could be solved by combining the data of the SSA with the IRS. The problem is that by combining those two organizations you will be one large step closer to George Orwell’s 1984 society. The more information in one place, under the control of one large government agency, the greater the chance of it being misused. It is a very fine line to walk between effectiveness and the issue of Big Brother.

There will be many conversations within and around the parties concerned about this problem before we start seeing changes. For me that is a comforting thought, because it is change that is not thought out that sparks new problems.

Thursday, April 5, 2012

One More Time into the Breach


In a recent article by Neil Versel in InformationWeek, two of the more recent breaches for the medical industry are discussed. The key point made in the article was that for both groups the data was not encrypted. For Howard University Hospital, the data was downloaded by a subcontractor who took it off site. In the other breach, the State of California Department of Child Support Services was shipping backup tapes by commercial carrier for some off-site testing.

For years now I have been talking about the need for encryption as a data protection tool. If you let data leave your control, then the people you have entrusted it to had better have the same, if not better, protection for it than you do. Without encryption, every entity that loses control of the data must inform those whose data was exposed.

The fact that seven years after ChoicePoint became the poster child for breaches we still have companies and agencies that do not encrypt their data, that still allow subcontractors to take the data off site in unsecure fashion, and that do not have a plan in place for dealing with an information breach is unrealistic. There is no one who is exempt from data theft or loss. Why should anyone think that the rules don’t apply to them?

The information on the article in InformationWeek is below.

2 Healthcare Data Breaches Show Importance Of Encryption
Patient data from Howard University Hospital and California Department of Child Support Services wasn't fully encrypted, and one security expert wants to know why.
By Neil Versel, InformationWeek, April 05, 2012 04:35 PM
http://www.informationweek.com/news/healthcare/security-privacy/232800389

Skimmers Strike Again


Federal authorities in Nevada announced an indictment that accuses 13 California residents of participating in an identity-theft scheme that employed electronic skimmers at ATMs around Las Vegas to illegally capture data from credit and debit cards.

The unique element in this case was that the skimmers were mounted in the exterior door readers at Chase bank branches in the valley. To gain after-hours access to the ATMs, a customer has to swipe their card in a door reader.  The indictment charges that the defendants also installed pinhole cameras on the ATM PIN pads to capture the account holders' personal identification numbers (PINs).

The door skimmers captured account holders' data, including account numbers, names and card expiration dates. This information, along with the captured PINs, allowed the defendants to create and use counterfeit credit cards.

This is the reason that I always use one of the tools God gave me before I stick my card in any machine.  I first stick my finger in the opening and move it around.  If the slot moves in any way I will never stick my card in it.

Monday, April 2, 2012

The Next Big Oops.


MasterCard and Visa, working with law enforcement, are investigating a breach of information at a third-party card processing company.  The breach may have exposed up to 1.5 million credit card numbers and card holders.  The consumers now get to watch their statements for charges they don't recognize and didn't make.  Businesses get to deal with the loss of goods and services to the thieves using the stolen data.  The credit card companies get to monitor the activity and try to shut down the fraudulent charges, or deal with the financial loss.

The interesting part of this is that if you asked the normal consumer who the third-party company is or what it does, you would get a blank look or a shrug of the shoulders.  The third parties are the unknown element in the business loop.  The customer knows the merchant and the credit card company or bank, but has no idea how many others are part of the loop.

The problem is that when one of the background companies has a failure that exposes the data, the message the consumer receives will be diluted and vague.  The diluted message doesn't clearly inform consumers that the data is theirs or what steps to take to mitigate the loss, and quite normally there will not be a clear explanation of what has happened.  Because there is no clear connection between the company and the vendor it used who lost the data, the focus falls on the merchant.

This is, and will continue to be, a very costly problem until each group steps up and puts in place what is needed to reduce the damage.  Businesses need to hold their vendors responsible for the security of the data that passes through their systems.  The processors need to use up-to-date encryption software to eliminate the potential easy score of data.  The banks and card companies need to keep their security standards up.  Consumers need to be aware of their personal information and where it is shared.

Until the day we all pull together, the thieves will continue to succeed.

Wednesday, March 28, 2012

Breaches Are Just Part Of Doing Business - Not Really

Have we gotten to the point where someone losing our data does not affect us anymore?  Have we reached the point where the pain of changing things is greater than our outrage at poor management of our personal information?

I read an article by Elinor Mills, "Why 'data breach' isn't a dirty word anymore", on a CNET blog, Mar 26, 2012. Her first sentence was, "Contrary to popular belief, data breaches don't necessarily sink a company, studies and survivors indicate."  While it is an interesting article, it overlooks several things I believe need to be considered. 

The example of Heartland Payment Systems is interesting in that it is not a direct-to-consumer business.  It provides businesses with the system to handle credit and debit card transactions.  The customers of Heartland could switch to a different processing company, but that requires some serious thought and consideration.  Additionally, the Heartland customers are not directly feeling the effects of the breach.  They are not being sued.  Their names are not being bandied about in the press, so there is limited impact on them.

For Heartland it means that it must fix the problem and show its customers that it is taking the correct steps to keep it from happening again.  It also means that Heartland has to defend itself against all of the different lawsuits that will be filed.  Yes, I know that one of the suits was dismissed, but there are still the costs of the lawyers to defend against it.  If you add up the costs of the lawyers and the fixes that need to be made to the systems, you will find that it could have been done for so much less if someone had analyzed the process, detected the flaws, and applied the fixes that were needed in the first place.

Breaches do not need to happen.  They happen because someone did not take the steps to make the system right, use the system right, or protect the data.

Monday, March 26, 2012

Microsoft Strikes Back at ZeuS and SpyEye

Our good friend Brian Krebs's blog today brings new hope.  It appears that Microsoft has teamed up with law enforcement to track down servers operating a botnet supporting the Zeus and SpyEye malware.  These two malware families have been responsible for the theft of over $100 million from small and mid-sized businesses.  The takedown took place last week in several different locations.  Along with the seizure of the servers operating the botnet, there were 800 domains used by the crime servers.  These domains were used to give the appearance of legitimate operations while the thefts were taking place.

Iovation: The New Tool in the Fight Against Identity Theft and Fraud


One of the big advantages that identity thieves have had is the ability to be many different people at the same time from the same computer.  We've all heard the stories of the bad guy sitting in front of his computer shopping in his underwear: ordering online from many different stores with one identity, then shifting to the next identity and shopping at the same stores again. 

Well, there is a way to take that advantage away from the thieves.  A product offered by iovation called ReputationManager 360 takes this long-time advantage away from the criminals. 

What makes ReputationManager 360 so special is the fact that it identifies the machine involved in the transaction as well as the user profile.  The machine's footprint is one of the things that is unique about the transaction.  Imagine being able to see three transactions coming in with different user IDs but from the same machine footprint.  Is it possible?  Yes.  Is it likely?  No.  That "not likely" factor will save you a lot of time and money over the best-guess analytics that most companies are using today.
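The three-transactions-one-machine case above is easy to turn into a concrete check once a device fingerprint rides along with each transaction. The following is an added example written for this post, not iovation's code or any part of ReputationManager 360: the `Transaction` record, the `device_fp` field (assumed to be an opaque fingerprint hash supplied by the client side) and the six sample orders are all constructed here, and the review threshold of two accounts per device is an assumption chosen to leave room for a shared household computer.

```python
"""Flag devices whose fingerprint shows up under more user identities than is plausible."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    user_id: str
    device_fp: str   # assumed: opaque device-fingerprint hash from the client SDK
    amount: float


# Constructed sample: six orders from five accounts on three devices.
SAMPLE = [
    Transaction("t1", "alice", "fp-aaa111", 42.00),
    Transaction("t2", "bob",   "fp-bbb222", 15.50),
    Transaction("t3", "carol", "fp-ccc333", 99.99),
    Transaction("t4", "dave",  "fp-ccc333", 120.00),
    Transaction("t5", "erin",  "fp-ccc333", 87.25),
    Transaction("t6", "alice", "fp-aaa111", 12.00),
]


def users_per_device(txns):
    """Map each device fingerprint to the set of user ids seen on it."""
    index = defaultdict(set)
    for t in txns:
        index[t.device_fp].add(t.user_id)
    return index


def flag_shared_devices(txns, max_users=2):
    """Return {device_fp: sorted user ids} for devices used by more than max_users accounts."""
    return {
        fp: sorted(users)
        for fp, users in users_per_device(txns).items()
        if len(users) > max_users
    }


def transactions_to_review(txns, max_users=2):
    """Transaction ids that came from a flagged device, in arrival order."""
    flagged = flag_shared_devices(txns, max_users)
    return [t.txn_id for t in txns if t.device_fp in flagged]


if __name__ == "__main__":
    print(flag_shared_devices(SAMPLE))      # {'fp-ccc333': ['carol', 'dave', 'erin']}
    print(transactions_to_review(SAMPLE))   # ['t3', 't4', 't5']
```

Alice's two orders from one device are left alone; the device carrying three different accounts is queued for review rather than auto-declined, which is the posture the "not likely" reasoning supports.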

In 2008 iovation commissioned a study, "The Total Economic Impact of iovation ReputationManager™", to document the effects on a single company in the financial services industry.  I found the results to be eye-opening, to say the least.  A 300% ROI is nothing to sneeze at.  If it can help shut down the thieves and reduce the losses, then it is something to look at seriously.

For more information on ReputationManager 360, I suggest that you check www.iovation.com.

Friday, March 23, 2012

H&R Block Manager Arrested for Identity Theft of Tax Clients


An H&R Block manager in Southern California has been arrested for identity theft.  The stolen identities were those of his former tax preparation clients.  Arrested by special agents with the IRS's Criminal Investigation division is Damon Dubose of North Hill, CA.

Dubose had been working as a manager at an H&R Block office in Van Nuys.  It appears that he used his position to access old client files to prepare bogus tax returns designed to obtain tax refunds and credits.  He then used H&R Block Emerald Cards to withdraw the fraudulently obtained refunds from automated teller machines.

In an article written by Michael Cohn for Accounting Today, H&R Block made the following comment. "H&R Block takes this matter very seriously," said H&R Block spokesman Gene King. "This was an isolated incident and we are cooperating fully with authorities on the investigation of a former employee. The situation involves a small number of clients who have been contacted and informed of the steps the company is taking to help them and correct the situation."

The way this guy was discovered is, to say the least, a little unusual.  He was noticed by a patrolman loitering near bank ATMs wearing pantyhose over his head.

In the search of Dubose's vehicle, the officer found six envelopes with personal information and H&R Block Emerald Cards.  Emerald Cards allow H&R Block customers to access their tax refunds electronically, like a debit card.

Dubose appeared in court Thursday and was released on bond.  His next court appearance is April 30.

The notable thing is that almost every year there are stories of tax preparation service employees caught committing identity theft.  Perhaps it's time to take a serious look at who you have doing your taxes.

Thursday, March 22, 2012

Hacktivism: Leading Cause for Compromised Data in 2011


Verizon's new report identifies that hacktivists were responsible for more than half of the data stolen from companies in 2011.  What is more of a concern to me is that 98 percent of the data breaches covered in the new report came from external agents.  More troubling is that 83 percent were identified as organized criminal groups.

Hacktivists are searching for headlines and ways to embarrass whichever company they choose to oppose.  The greater concern is the under-the-radar criminal groups who are after transaction data or personally identifying information with profit in mind.  I wonder how many companies have been breached without it being detected or reported. 

From reviewing the report, I am forced to wonder about all of the small to mid-size targets that are going through day-to-day operations with limited security and protection.  I wonder how long it will be before we hear of companies being extorted for money by the perpetrators of a breach to prevent damage to their reputation. 

For the small to mid-size companies, I strongly suggest you take a careful look at what data you have and how it is protected.  You won't need to build a Fort Knox of security around it if you take some simple precautions with how you store it.  The time and money you invest in doing it right will be a lot less than the cost of paying for a breach. 

Monday, March 19, 2012


A salute to Sheriff Al Lamberti of Broward County, Florida.  He is taking a new approach to the identity-theft-at-tax-time problem.  The Sheriff is fighting back using code enforcement.

The Broward Sheriff's Office and the City of Oakland Park recently began examining many of the newly opened tax service providers within the city.  According to a prepared release, approximately three dozen tax service providers have opened since the start of 2012.  So far the investigators have found that many of these temporary businesses don't have the proper business licenses required to operate.

Florida officials have some concerns that the illegally operating shops are possibly contributing to the growing number of identity theft cases.  They suspect some illegitimate tax preparers are taking customer information and using it either to file phony tax returns or to sell the information to others.

Friday, March 16, 2012


The management of Blue Cross Blue Shield of Tennessee (BCBST) has discovered the cost of data insecurity.  It's $1.5 million for the loss of 57 unencrypted computer hard drives from a facility in Tennessee.  This is a costly way to find out that you haven't got enough, or the right type, of security to protect the information at the core of your business.  Costly because you will still need to review and implement the safeguards for the data now.

Business needs to readdress the way it values the data that it collects on its clients, patients and employees.  Knowing the contact information of your patients helps you contact them when you need to.  Having additional information can be useful for specific things within the business.  But consider that the information you hold to contact your patients, clients or employees is exactly what I need to steal their identities, or to scam them into giving me more information so I can do further damage. 

It is time to look at the data from two viewpoints.  What do I need to have to do the job, and what value does that have for someone else?  Does what I collect need a special form of storage or protection?  What do I need to do to make it less susceptible to external theft and less available to insider misuse?

When I approach my business from this second point of view, I am better able to avoid the cost of a breach.

Tuesday, March 13, 2012


An article by Chris Strohm for Bloomberg discussed the need for upper management in the medical profession to start giving very serious thought to the security of patient data.  It will not be long before you see lawsuits start against anyone who loses control of their data.  There are many steps that can be taken to reduce the risk, and at this time all of the various steps are much less expensive than the cost of a data breach.  The article is worth the time to read.

Digital Health Data at Risk From Manager Support, Study Finds


Monday, March 12, 2012


The recent report from the Ponemon Institute, sponsored by the security company Trend Micro, found that the cause of many data breaches was a combination of employee error and misconduct.

The report, called "The Human Factor in Data Protection," revealed that more than 78 percent of respondents cite intentional and accidental staff errors for at least one data breach in the past two years.  And a separate analysis of companies with fewer than 100 employees found that small to medium businesses are at greater risk of their employees mishandling data than large enterprises.  The rate of data breaches at SMBs was 81 percent, compared to 78 percent across the board.

The report identified SMB employees as more likely to engage in "risky" behavior; over half (58 percent) have opened or will open attachments or website links in spam, compared to 39 percent at large enterprises.

More than three quarters (77 percent) have left or will leave their computer unattended, compared with 62 percent at enterprises.  A further 55 percent of SME employees were likely to visit off-limits websites, 11 percent more than at enterprises.

The three base causes of security breaches are loss of laptops or mobile data devices (35 percent), third-party mishaps (32 percent), and system errors (29 percent).  Nearly 70 percent of respondents felt strongly that their organization's security measures are not sufficient to stop a targeted attack or hacker.

Once again the Ponemon Institute has presented a crucial piece of work for small and mid-size businesses to take note of.  Given the choice of attacking a large enterprise network with a dedicated security team watching it or hitting a smaller, less patrolled network, which would you pick?  Run the risk of quick detection, or take a smaller, safer reward with a smaller chance of discovery? 

The Federal Trade Commission has just released a new victim impact report.  I suggest that anyone in business who deals with claims of identity theft read this report.  You will find a number of items from which you can draw guidance.

Identity theft is not going to go away.  The thieves know how profitable it is and how easy it is to avoid being caught.  The Federal Trade Commission recently released its annual report on the complaints of 2011.  No one should be surprised to see identity theft in the top spot once again.  This is a crime that is not restricted by borders or governments.  Your information can be stolen from any place where it has been stored, and sold to anyone anywhere who might wish to abuse it.

There has been a fluctuation in the numbers for the past three years; the 2009 numbers were higher than 2010's.  Many people speculated that the crime was receding, while I believe that the financial environment and tighter credit-granting practices had more of an impact.  Now, with the report from Javelin placing the number closer to 12 million and the increases reported by the FTC for 2011, it is clearer that the problem appears to be back on the rise.

When you read in the paper or see on television that a group has been arrested, remember that there are a lot more of them out there continuing to commit the crime.  There have been a lot of ideas put forward to help protect you from identity theft.  The problem with each claim is that there are so many different ways your identity can be used and abused that no one idea can cover all of the different elements.

Some of the companies offering services are expanding into the uncovered areas.  Each step is a move in the right direction.  We need to remember that complete protection is still a number of steps away from being total coverage.

One of the topics I will cover has to do with data breaches.  There are all sorts of opinions about the need to protect a company's data.  The rules about protecting the data vary from state to state, but the base principles are the same: if you collect it, you need to make sure that it is secure.