The practice of implementing and renewing fraud alerts by several companies selling identity theft prevention/recovery products may stop.

Fraud alerts can be put in place at one of the three major credit bureaus (which automatically notifies the other two bureaus) when an individual believes that they are a victim of identity theft or have reason to believe that may become a victim of identity theft.  The initial fraud alert lasts 90 days and then must be renewed or it drops off the individual’s credit file.

An entire identity theft prevention industry has come into existence primarily based upon a service which renews a fraud alert for individuals automatically every 90 days.

A court case involving identity theft protection service LifeLock and credit bureau Experian ended in LifeLock being ordered to stop implementing fraud alerts on behalf of third parties (Lifelock’s customers) at Experian.

Debix- another identity theft protection service - announced that they will discontinue the use of fraud alerts due to the opinion issued by the U.S. Federal District Court in the Experian v. LifeLock case.

Regardless of the court’s opinion and the impact on commercial identity services, individuals would be wise to consider a security credit freeze as a more powerful alternative to a fraud alert.  The security credit freeze offers better protection against new credit lines being opened because it blocks the credit bureaus from providing a frozen credit file to potential creditors rather than just the “note” a fraud alert places on a credit file.  While there is a fee each time an individual orders a freeze or thaw on their a credit file, the added security may be worthwhile for many consumers.

For example, if an identity thief applies for a new credit card in your name the card issuing company will attempt to pull your credit report to see if you qualify.  When a credit freeze is in place, the card company will not be able to access your credit report at all.  Therefore, the card company will not issue a new credit card to the impostor.

If the security credit freeze is not attractive to victims of identity theft, there is also the option of a seven year extended fraud alert.  Identity theft victims must provide an identity theft report in order to qualify for the extended alert.

Until you lose your identity, you may not realize just how precious it is.

Some 6,000 people were jolted by this shocking reality when they fell victim to one of the largest international identity theft and credit card fraud rings in recent history.

The unraveling of this multi-million dollar scam began in September, 2007 when a package delivered to an employee of a  real estate office was opened by the owner of the office.  Upon finding 60 valid credit cards inside the package, the owner reported the find to law enforcement authorities who – with aroused suspicions – began a nearly two year investigation, involving electronic eavesdropping, physical surveillance and the translation of thousands of conversations and e-mails.

The investigation was revealed when forty-five indictments were handed down last month to individuals alleged to have stolen the credit cards and personal credit information of thousands of hapless victims.  The defendants are accused of shipping stolen or illegally obtained credit cards to buyers around the world.  The fraud, estimated at a staggering $12 million, hit individuals across the United States and Canada.

While announcing the bust, Queens Distrct Attorney Richard A. Brown said, “Our investigation reveals that – in terms of just the sheer number of people indicted – this is one of the largest identity theft networks uncovered in recent history and is just possibly the tip of a much larger global credit card trafficking operation.  Besides draining the bank accounts of individuals throughout North America, we believe that the defendants – some of whom live in California, Illinois, Maryland, Pennsylvania and Toronto – also shipped stolen or fraudulently obtained credit cards to buyers around the world and that purchases were made in such far-off places as Japan, Saudi Arabia and Dubai.”

New York City Police Commissioner Raymond W. Kelly and Brown said the ring was made up of three enterprises working together.  Commissioner Kelly said, “When these suspects said ‘charge it’ they stole more than cash and goods.  They robbed unsuspecting victims of their identities too.  This was a sophisticated crime ring which met its just end through painstaking investigation by NYPD detectives and unstinting support by Queens prosecutors.”

As part of the identity theft ring’s operation, a simple, easy-to-obtain and inexpensive technique called Caller ID Spoofing enabled the suspects to defraud the victims and their banks and credit card companies.  Caller ID Spoofing changes the number appearing on Caller ID and some providers of Caller ID Spoofing also provide services that can alter the caller’s voice to such an extent that a man can sound like a woman and vice-versa.

Legitimate uses of Caller ID Spoofing and SpoofCards purportedly enable professionals such as doctors and attorneys to protect their cell phone numbers.  However, in the hands of the defendants named in the indictments, Caller ID Spoofing allowed the defendants to impersonate legitimate credit card account holders by pretending to be calling the account holders financial institution.  Brown went on to explain, “SpoofCards are virtually untraceable and can be used by identity thieves and hackers to pose as government and financial entities as a means to unscrupulously obtain personal information from unsuspecting consumers.”

To acquire the credit cards three methods were used. Cards were either fraudulently taken over, fraudulently opened or intercepted in the mail.  Once the thieves had the stolen cards, all they had to do was visit the nearest ATM machine.  ID mills produced bogus back-up identification materials, such as driver’s licenses, to enable the suspects to present the cards to bank tellers and withdraw larger amounts of money.

This multi-faceted crime ring appears to have been well organized with individuals assigned to specific roles such as account washers, account preparers and account maintainers.

Account Washers:  Gathered specific information on account holders such as mother’s maiden name, household income and occupation to enable account preparers to take over the account.

Account Preparers:  Caller ID Spoofing allowed the defendants to activate the account by pretending to be calling from the account holder’s phone.  By posing as the account holder, the account preparers could then manipulate the information to their advantage by changing key information including the mailing address, PIN number and/or increasing the credit line on the account.

Account Maintainers:  Paid off accounts to avoid any suspicision of fraud and upped the credit lines.  Once the credit line reached a high point, all monies were withdrawn.

But, that’s not all.  Compromised accounts were then sold to identity theft cell leaders who in turn distributed them to the ring’s foot soldiers and shoppers.  Shoppers bought top-of-the-line electronics and were charged with finding “fences” who would buy the electronics from them.

The indictments charge the defendants with Enterprise Corruption under New York State’s Organized Crime Control Act.  Said District Attorney Brown, “Technological advances have made it increasingly easier to carry out identity theft and fraud, two of the fastest growing crimes in the United States…We will continue to work closely with our law enforcement colleagues to stamp out such fraud and help to maintain our nation’s safety and security.”

Queens District Attorney Richard A. Brown, joined by Police Commissioner Raymond W. Kelly, today announced that an international forged credit card and identity theft ring based in the New York metropolitan area and with roots in Nigeria has been successfully dismantled following the indictment this week of forty-five individuals. The ring – which was comprised of three separate identity theft and forged credit card groups that employed multiple cells – is alleged to have been responsible for stealing the credit cards and personal credit information of thousands of American and Canadian consumers, costing these individuals, as well as financial institutions and retail businesses, more than $12 million in losses over the past year alone.

The full press release is available at: http://www.queensda.org./newpressreleases/2009/may/operation%20plastic%20pipeline_05_2009_ind.pdf

Over the course of the last year, the fact that many – perhaps most – data security breaches are going unreported by the majority of data breach reporting organizations and web sites has become very apparent. 

Almost every day, small breaches that appear in news items around the United States are never reported to the public by the Privacy Rights Clearinghouse, the Identity Theft Resource Center and other organizations that the media often cites as authoritative on the total number of data breaches.  This under-reporting does a disservice to the American public and our elected representatives and government agencies charged with protecting those who’ve had their personal information exposed.

Equally as important, those overlooked “small” breaches are often far more significant than the larger breaches that are reported by data breach monitoring organizations.  More often than not, the small, unreported breaches have actual victims who’ve sustained actual losses as compared to many of the larger breaches where it is fairly obvious the missing data will never fall into the wrong hands.

By way of one extreme example, yesterday the Associated Press reported from Virginia:

A former bank credit card department manager has been sentenced to two years, three months in prison for bank fraud and identity theft.

U.S. Attorney Dana Boente said Monday that 38-year-old Bernard James Brown Jr. of Saluda also was ordered to pay more than $65,000 in restitution to his former employer, Eastern Virginia Bankshares.

According to prosecutors, Brown used a stolen access device and identifying information to withdraw money from someone else’s account. After the credit card account was closed, Brown reopened it under a new name and address and continued to tap the account for cash and purchases.

Granted, this is a relatively small breach of one customer account, of one bank, by one bank employee.  Odds are this breach will never appear on the lists of breaches compiled by the Privacy Rights Clearinghouse, the Identity Theft Resource Center and other breach reporting organizations.

Yet, to the bank and its’ customer, this is an extremely serious breach that resulted in at least $65,000 in losses – not to mention the damage to the bank’s reputation for safeguarding customers.

This is not to criticize the fine work that the PRC, ITRC and others do.  It is a recognition that the collection and reporting methods of breaches are so inadequate as to be useless from a statistical perspective.

And, without good data about data breaches, we cannot come to the correct answers in addressing the epidemic of data breaches.

With the recent infection of over 700 computers at the University of Utah, many people are asking, “How do I know if my computer is infected with Conficker?”

For those who want to know if their computer (this does not currently apply to Apple products) is infected, there is a simple test called the “Conficker eye chart test.”

Just click here for the Conficker eye chart test  and follow the easy onscreen instructions.

Some other indications that your computer is infected with the Conficker worm include:

•1)      You cannot visit the Microsoft Conficker fix page.

•2)      You cannot visit security sites like Symantec , Trend Micro , or McAfee.

•3)      You cannot shut down your computer.

 If you determine that your computer is infected with Conficker:

•1)       Disconnect your computer from the Internet.

•2)       From a different computer, which is not infected, change your user names and passwords.

•3)       If you have used your credit card while infected contact your credit card company and cancel that card and ask for a new card/number.

•4)       Have an expert remove the Conficker worm from your computer from a different uninfected computer.

Conficker is now selling itself to unsuspecting victims by pretending to be a $50 Anti-Virus product named “Spyware Protect 2009.”   Spyware Protect 2009 is being offered to computer users though spam emails and pop-up advertisements.  Those who sign up for Spyware Protect 2009 lose their $50 and have their computer infected with the Conficker worm.

A Conficker timeline:

 Win32/Conficker.A was reported to Microsoft on November 21, 2008

 Win32/Conficker.B was reported to Microsoft on December 29, 2008

 Win32/Conficker.C was reported to Microsoft on February 20, 2009

 Win32/Conficker.D was reported to Microsoft on March 4, 2009

 Win32/Conficker.E was reported to Microsoft on April 8, 2009

Recent news reports indicate a computer containing confidential information about the helicopter that transports President Barack Obama was breached by a computer in Iran. In January, Heartland Payment Systems, a company that provides credit and debit card, payroll and related processing services to more than 250,000 business locations nationwide, announced it had a data breach that potentially exposed credit card numbers, expiration dates and other data. The Heartland breach includes about 700 Penn State purchasing cards, which are in the process of being replaced.

The Identity Theft Resource Center, a nonprofit organization dedicated exclusively to the understanding and prevention of identity theft, said that 656 security breaches had been reported by the end of 2008, reflecting an increase of 47 percent over the 2007 total. As of March 17, the resource center already reported 110 breaches for 2009, potentially exposing close to 1.3 million records containing personally identifying information such as Social Security and credit card numbers.

As the nationwide problem of identity theft continues to evolve and grow, Penn State is not immune. Malicious software, downloaded by unsuspecting employees who click on messages containing links to fake greeting cards or other seemingly harmless sites, has compromised computer networks at University Park and other campuses.

See the full report at Penn State Live.

Computer-virus infections don’t cause your machine to crash anymore.

Nowadays, the criminals behind the infections usually want your computer operating in top form so you don’t know something’s wrong. That way, they can log your keystrokes and steal any passwords or credit-card numbers you enter at Web sites, or they can link your infected computer with others to send out spam.

Here are some signs your computer is infected, tapped to serve as part of “botnet” armies run by criminals:

See the full report at MSNBC.com.

Getting hacked is like having your computer turn traitor on you, spying on everything you do and shipping your secrets to identity thieves.

Victims don’t see where their stolen data end up. But sometimes security researchers do, stumbling across stolen-data troves that offer a glimpse of what identity theft looks like from criminals’ perspective.

Researchers from U.K.-based security firm Prevx found one such trove, a Web site used as a stash house for data from 160,000 infected computers before it was shut down this month.

The find offers a case study on just how much data criminals are stealing every day, from the utterly inconsequential to the alarmingly private.

It also shows the difficulty in shuttering criminals’ ID-theft beachheads: The Web site Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.

See the full report at WAtoday.

Heartland Payment Systems, one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined.

Called to the carpet sort of, anyway; the sanctions and guidance laid out by Visa seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from soon to be sidelined Citigroup and Bank of America, it is not surprising that they do not want to call too much attention to the situation.

See the full report at Information Security Resources.

Republican Norm Coleman’s campaign notified donors Wednesday that at least 4,700 had their personal financial data compromised, a potential blow to his ability to continue raising money for his costly Senate election fight.

Coleman’s campaign advised supporters to cancel the credit cards used to make donations.

The disclosure came at a bad time for Coleman, who is in the seventh week of a lawsuit challenging the recount that put his Democratic opponent, Al Franken, on top by 225 votes. A special court is nearing the end of that trial, but expensive appeals could follow.

See the full report at KSTP.com.