It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center “State of the Net” survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

But Consumer Reports notes that the problem stands to get worse as rising unemployment and foreclosures fuel a wave of recession-orientated Internet scams, and as the popularity of social networking services grow, creating more openings for identity thieves. Consumer Reports found that 13 percent of social-network users experienced some form of abuse.

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers. Below are additional findings related to major online threats:

• Phishing or sending authentic-looking but fraudulent e-mail designed to steal sensitive personal information is a continuing concern. Consumer Reports estimates that about 7 million consumers gave phishers personal information over the past two years; that’s 1 in 13 online households. Among scam victims, 1 in 7 lost money in the past two years, comparable with data from the last survey. Total damage to U.S. consumers through phishing attacks works out to about $483 million.
• Spyware: Consumer Reports found 545,000 households had to replace computers in the past six months and one in 12 people had serious problems with spyware.
• Online identity theft: Consumer Reports estimates 1.7 million households were victims of ID theft committed over the Internet in the past year, of those two-thirds said the incident occurred because of an online purchase.

Certain online threats are almost as prevalent today as when Consumer Reports conducted its first survey five years ago. Consistent with last year’s findings, 1 in 3 respondents had heavy levels of spam and 1 in 7 have had serious problems with viruses.

See the full press release at:  PRNewswire

In a small but significant victory in the battle to regain control of Social Security numbers, the New Jersey Supreme Court ruled this week that a data broker seeking 8 million pages of real estate documents is not entitled to the Social Security numbers contained within the documents and that the broker must pay for the redaction of the numbers from the documents.

Showing an appropriate level of sensitivity to the increased threat of identity theft associated with the unwarranted distribution of Social Security numbers, the Chief Justice of the Court specifically cited the possibility of identity theft in the written opinion.

According to the New Jersey Star Ledger:

The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state’s Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents.

“The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft,” Chief Justice Stuart Rabner wrote for the court.

Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

“While the public has a right to public records, the public also has a right to privacy of personal information,” said County Executive Dennis McNerney.

In my opinion, the court has struck the correct balance between satisfying the public’s right to know as codified in the Open Public Records Act, while also protecting the privacy of personal information that can be used by identity criminals. 

It is refreshing to see that courts across the country are taking the threat of identity theft – resulting from personal information contained within public documents – seriously.  This is a great trend that has been slowly developing over the last ten years.

May that trend continue.

A spam e-mail claiming to be from former CBP Assistant Commissioner, Thomas S. Winkowski, is currently being circulated. This attempt to defraud is the typical e-mail scam using the name and reputation of a federal government official to create an air of authenticity.

The spam e-mail indicates the CBP has stopped a Diplomat who is carrying a consignment to be delivered to the recipient’s residence. This consignment allegedly contains millions of dollars, which is revealed to be an inheritance for the e-mail recipient.

As with many other scams, this e-mail advises the recipient they will be permitted to access this inheritance once the recipient has given the sender of the e-mail their personal information.

This e-mail is a hoax. Do not respond.

The U.S. CBP does not send unsolicited e-mails. Consumers should not respond to unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.

It is imperative consumers guard their personally identifiable information (PII). Examples of a person’s PII include, but are not limited to: date of birth; social security number; and bank account numbers. Providing your PII will compromise your identity.

If you have received this e-mail, or a similar e-mail, please file a complaint at www.IC3.gov.

Source: www.IC3.gov.

Last November, after giving the keynote address at the Gartner Identity and Access Management Summit in Orlando, Florida, I finally got to meet Avivah Litan.  Avivah, a vice-president and distinguished analyst at Gartner, is one of the nation’s leading analysts of identity theft and financial fraud and someone I’ve admired for a long time.

While chatting with Avivah, she mentioned that she had just received the raw statistics back from a survey she had designed to examine identity theft, data breaches and financial fraud.  We huddled over Avivah’s laptop in a side room at the conference and quickly reviewed some of the numbers.  It was immediately obvious – even with just a cursory look – that this new Gartner study would break ground.

Indeed it did.

Gartner and Avivah have just released the study.  Here is the Gartner press release.  I think you’ll find the numbers and analysis eye-opening.  In coming days, I’ll try to break down the numbers even further to look for more information on the scope and impact of identity theft.

Gartner Says 7.5 Percent of U.S. Adults Lost Money as a Result of Some Sort of Financial Fraud in 2008

Victims of Electronic Checking and/or Savings Account Transfer Fraud Were Nearly Five Times More Likely to Change Banks Because of Security Concerns

Approximately 7.5 percent of U.S. adults lost money as a result of some sort of financial fraud in 2008, in large part because of data breaches, according to a recent survey by Gartner, Inc. Analysts said this is having an adverse effect on consumer victims who are significantly changing their financial transaction behaviors.

Gartner surveyed nearly 5,000 U.S. adults in September 2008 to gauge the impact of identity theft, and the leading types of financial fraud. Payment card fraud – that is, credit, debit and ATM card fraud – was the method most actively used by crooks to steal money, claiming 36 percent more victims in 2008 than other types of fraud. New-account fraud, in which a thief steals identity information to open a new account, occurs less frequently than payment card fraud, although Gartner estimates that up to half of all new-account frauds involve synthetic identities, and therefore many cases go unreported.

“When compared with the average consumer, nearly twice as many people who lost money to fraud in 2008 changed their shopping, payment and e-commerce behavior,” said Avivah Litan, vice president and distinguished analyst at Gartner. “Furthermore, fraud victims are also more cautious about which brick-and-mortar stores they shop at and how they pay for goods when they get there, demonstrating more awareness of the risk of data breaches.”

Ms. Litan said that victims of electronic checking and/or savings account transfer fraud in 2008 were nearly five times more likely to change banks because of security concerns, when compared with the average customer. About twice as many of the victims curtailed online money transfers and bill payment used in online banking.

Conviction rates for these crimes are quite low. Less than one-third of the victims reported the crimes to law enforcement, and about 5 percent reported them to the Federal Trade Commission. The chances of a criminal getting arrested and convicted for identity-theft-related fraud are much less than half of 1 percent.

Gartner found that financial losses were highest in the case of new-account, credit card and brokerage fraud, with average losses per incident totaling $1,097, $929 and $900, respectively. However, victims of brokerage, credit card and debit/ATM card account fraud find it easiest to recover their losses, receiving an average of 100 percent, 86 percent, and 77 percent of the funds stolen, respectively.

In contrast, victims of new-account fraud, check forgery, and checking or savings account fund transfer fraud recovered the lowest percentage of stolen funds, or 42 percent, 48 percent and 54 percent, respectively. New-account fraud is also the most difficult from which to recover, with 35 percent of victims suffering further from a damaged credit rating, which can take years to restore.

“Given the impact of financial breaches on the consumer, it is not surprising that many are now changing their behaviors,” said Ms Litan. “In percentage terms, the behaviors most influenced by security concerns include online shopping and payments. Online banking also takes a big hit, with 20 percent of worried consumers in our survey saying that their online banking behavior has been affected. This percentage doubles among fraud victims.” Gartner found that PayPal has received a big boost from those who change their online payment behavior because of security concerns.

While a relatively modest 6 percent of all consumers say they changed banks as a result of security concerns; that number rises to 28 percent among victims of checking/savings account transfer fraud. This compares with 5 percent overall who switched because of concerns regarding the financial health of their banks and 21 percent overall who changed because of excessive fees.

Ms. Litan advised financial institutions that have implemented strong security controls and protections to make this fact visible to their customers and engage customers in jointly participating in security solutions.

“Most consumers will say that security is as important to them as the financial health of the institution, and this rises significantly in importance among customers who have been victims of a financial account takeover,” she said. “Financial institutions that take security seriously will be rewarded with greater customer retention, which is a smart move when you consider that the cost of acquiring new customers is typically much higher than the cost of retaining existing ones.”

 For the full press release and to purchase the report click –> here.

As discussed here last week, my hometown of Steamboat Springs, CO suffered a data breach as a result of a laptop stolen during a burglary of the local school district office that has impacted upwards of 1,300 past and current Steamboat Springs School District employees.

Last Friday, I wrote a column titled Stolen Laptop Brings Identity Theft Risk for my local paper, The Steamboat Pilot & Today, offering a number of suggestions for both the school district and the employees that had their Social Security numbers stolen.

Today, the Steamboat Pilot & Today has a report titled District Charging Former Employees For Credit Monitoring on the school district’s response to the breach and the plan to offer credit monitoring.  As most readers know, the standard procedure around the country in a data breach that exposes personal identifying information that can be used to open a credit line is to offer at least one year of free credit monitoring paid for by the custodian of the records that were breached.

As you can guess from the title of today’s report, Steamboat seems to be taking a rather different approach.  Here’s the relevant portion of the Pilot’s report:

The Steamboat Springs School District is offering discounted credit monitoring for about 900 former employees whose Social Security numbers were on a stolen laptop, but some retirees aren’t pleased they have to pay anything to protect their credit.

The district will offer a year’s worth of credit monitoring for $40 to former employees whose Social Security numbers were on the laptop stolen from Finance Director Dale Mellor’s office the night of Feb. 24. That price is a discount from the regular price of $100 individuals would pay on their own for EquiFax monitoring, District Human Resources Director Anne Muhme said.

The district will cover the cost of credit monitoring for 423 current employees, including substitutes and other part-time positions.

The coverage for current employees will cost the district about $17,000, Muhme said. Covering past and present employees would have cost about $52,000.

The report goes on to provide quotes from a number of former employees who are – to say the least – unhappy that the school district is not paying for their credit monitoring.

Those employees have every right to be dismayed.  The school district should provide credit monitoring for all impacted employees regardless of whether they are current or former employees.  It goes without saying that identity thieves don’t differentiate based upon job status.

As the district’s decision appears to be based upon cost, the district should either find a more cost efficient means of protecting all those who had their Social Security numbers stolen or find the funds to  provide monitoring for everyone under the plan being offered to current employees.

A final note.  Towards the end of today’s report is perhaps the most bizarre response I’ve ever witnessed to a data breach.  You have to read it to believe it – so here it is:

Steamboat Springs School Board member John De­­Vincentis, a former Strawberry Park Elementary School principal whose Social Security number also was on the stolen laptop, said he has heard from several frustrated former employees. DeVincentis would like the district to show its concern and appreciation for those former employees without paying the $52,000 it would cost to provide monitoring for everyone.

“I’m looking for an in-between, something that keeps good feelings between the old staff and current staff and the School Board. Fifty-two thousand dollars is not worth it, probably, in my eyes,” he said.

DeVincentis suggested offering a picnic or a free school program for those affected.

“Just something that says you guys are worth at least a picnic or a talk or to do something fun together,” he said.

So let me get this straight.  A member of the school board is suggesting a picnic instead of credit monitoring?

Incredible.

In that case, I would suggest the only meal that would do justice at the picnic would be baloney sandwiches.  That way the former employees can be full of the same substance as school board member DeVincentis.

For the ninth year in a row, identity theft is the top consumer complaint as reported to the U.S. Federal Trade Commission.  I bet next year will be the tenth.

I first got involved in the battle against identity theft in 1998 when I testified in July of that year before the United States House of Representatives about the growing threat of information brokers stealing and selling citizens’ financial information.  In 1999, the Federal Trade Commission (FTC) reported for the first time that identity theft was the crime that Americans complained about the most as a consumer issue.  Since that year, identity theft has remained at the top of the list.

If anything, identity fraud and identity theft are now far more sophisticated crimes than they were back in the 90’s when the government first started to take note of the increasing levels of financial fraud associated with identity theft. 

There is no doubt that international organized crime is playing a significant role and even domestic cases are becoming more complex.  The days of merely stealing mail or dumpster diving for personal identifying information seem quaint at this point.  Today’s identity criminals are full-fledged participants in the world of cybercrime and utilize sophisticated hacking techniques to perform large scale data breaches.

The sad reality is there will be little relief from identity theft until there is a coordinated international effort backed up by laws that recognize this growing menace for the threat it is.  Until that day, we will continue to see identity theft continue as the top consumer complaint year after year.

Officials at the city of Muskogee recently discovered that a computer “zip” disk containing personal information has been in public circulation since 2000.

The citizen who found the disk noticed the official city label and returned it.

Late Friday afternoon, the city issued a press release saying they had discovered a “possible breach of utility billing information” on about 4,500 utility accounts that were closed prior to August 2000.

The city is in the process of putting together a list of contact information for the former account holders so they can be notified. Many of the addresses on the disk are more than seven years old and the people have moved without forwarding addresses.

Although the disk contained Social Security numbers for some of the account holders, the press release said officials don’t believe the information has been used to harm anyone.

See the full report at muskogeephoenix.com.

A woman who used to work for CitiBank will now spend two years in prison for aggravated identity theft and bank fraud.

A federal judge in Jacksonville handed down 26-year-old Isla Brumfield’s sentence Thursday. According to court documents, Brumfield had worked in the Customer Service Sales Department at CitiBank.

Prosecutors said that in her position, she used a computer to access both credit card account numbers and the personal identification information associated with CitiBank credit card accounts. They said that in December 2007 and January 2008, Brumfield assisted in a scheme to use compromised personal information to obtain a CitiBank credit card. According to investigators, one of Brumsfield’s associates then used the fraudulently obtained credit card to withdraw cash from ATMs throughout Duval County.

See the full report at MSNBC.com.

[Editors note:  This week, in my hometown of Steamboat Springs, Colorado, a laptop containing the Social Security numbers of 1,300 past and present school employees was stolen.  Below is the beginning of a column I wrote for my local paper about the event and what steps the school district and employees should consider.]

Because of the theft of a laptop containing the Social Security numbers of 1,300 past and present Steamboat Springs School District employees this week, I’m changing hats from columnist to identity theft consultant.

As readers may recall, when not sharing my opinions on issues impacting the Yampa Valley, I work as an information security consultant and editor of an identity theft Web site. Under that fedora, I’ll offer the same advice I provide individuals, corporations and governments across the country when they experience breaches of sensitive information similar to what happened to the school district.

Although it is unlikely the stolen laptop will result in financial fraud, the school district and employees should respond with an eye toward the worst-case scenario. And, even if you aren’t a school employee, you may want to read on. Statistically, each of us has our personal or financial information stolen each year – there are more than 300 million records exposed per year in reported data breaches. For that reason, we all should know how to guard against identity theft.

Social Security numbers are the keys to the kingdom of financial fraud. There are more than 15 million victims of identity theft in the U.S. every year, resulting in more than $50 billion in financial harm. Identity theft is the fastest-growing crime in America, and it shows no sign of abating.

In light of the stolen Social Security numbers, the school district and jeopardized employees should consider the following:

See the full column at The Steamboat Pilot & Today.

A laptop computer was stolen from Steamboat Springs (Colo.) School District’s business office in an overnight break-in, police report.

Officer JD Paul of the Steamboat Springs Police Department said five interior doors were damaged and one laptop was stolen some time between 7 p.m. Tuesday and 5 a.m. today at district offices at the George P. Sauer Human Services Center on Seventh Street.

The computer came from the office of District Finance Director Dale Mellor. Superintendent Shalee Cunningham sent an e-mail to staff this morning, advising them to check their financial records.

“JD Paul from the police department has asked that all of us scrutinize all credit accounts and bank accounts to be sure they have not been jeopardized,” she wrote.

Paul said it is unclear what data was on the stolen laptop and Mellor declined to comment because the investigation is ongoing.

See the full report at The Steamboat Pilot & Today.