Privacy and Technology

Thoughts about changing technology and how it affects the public need for and access of public records and the relationship to identity theft.

Does new technology which enhances access to information pose an inherent danger to the privacy rights of individuals? Does ease of access to information increase the number of identity theft victims? Are more people likely to fall victim to information based frauds because of the World Wide Web?

These questions on the surface require an analysis between two ideas which have been in conflict since mankind has sought to build a better mouse trap. The essence of the dispute can be explained with the following debate question: do new technologies which change an existing process so much that even though all agree the process is vital, the new process brings with it costs that were not conceived of when the previous process existed. At such time, should the process be banned or changed into something else?

In English, what do I mean? Virginia, resident, Betty "B.J." Ostergren , runs a website named The Virginia Watchdog whose mission is to expose public records of public officials found online in order to bring attention to her supposition that the availability of electronic public records is a cause of identity theft. Ms. Ostergren contends that public records should only be available at a clerk’s office. So the question becomes, is there a fundamental difference in the nature of safety for consumers between access of public records which might contain personal identifying information electronically, online vs. electronically or by hand in a clerk’s office? With no dis-respect to Ms. Ostergren, I want to look at the question from a different perspective. Can’t identity theft occur under either scenario? (Note that data shows that most identity theft results in old fashioned theft of information by hand not by computer)

New technologies or new ways to do things have always come with new or shifting perceived costs and benefits. It is safe to say that before the introduction of automobiles, the frequency of significant traffic accidents where people were left with life-long injuries often resulting in costly court trials to determine who is liable for the costs of the disability was insignificant compared to today. Okay, horses occasionally threw riders and could damage someone else’s property or even another horse. But when automobiles came along, land speed increased and new dangers quickly became apparent. What did we, as a society gain with automobiles? For a start, quicker access to emergency medical care, ability to be mobile to visit family, to move out of crowded living environments, to travel to places we would never have scene otherwise and plenty more. Both new benefits and costs followed the mass introduction of the automobile. New businesses creating good wage jobs supporting the automobile also arose. And, along with the automobile came the shift from urban horse by-products to urban air and noise pollution.

Which was worse? It depends. Streets perceived as already crowded, and designed for slow horse traffic quickly became insufficient. Imagine driving in the middle of a city without traffic control. But it wasn’t necessarily the automobile itself which resulted in the negatives or the positives but how it came to be used and how society learned to manage the new challenges posed by automobiles. Yes, criminals too learned how to use a getaway car. But, police also learned how to use sirens and lights. So did ambulances and fire trucks. Did people learn to drive recklessly? You bet. Was law written to address reckless driving? Yes. Does the law deter reckless driving? Sometimes it does, and sometimes it does not.

Let us apply the lesson to identity theft. What causes identity theft? Is it easy access to personal information or a realization that most identity thieves are never caught or prosecuted? Maybe it’s some of both. But if identity theft were not so easy to commit and the perceived cost of perpetrating it so low, no matter how much personal information were to be accessible, the crime would not be amongst the biggest of consumer fears and result in losses to the US economy of $50 billion annually.

Is it a moral crisis that leads perpetrators to steal identities from other consumers or is the business of identity theft just too profitable to resist? Is the threat posed by possible prosecution for the commission of the crime too unconvincing? Does the perceived benefit or profit of committing identity based crimes exceed the perceived costs of apprehension and prosecution? These are questions which merely reflect upon the debate question above, a question which has arisen in every generation and with every new idea or new technology which opens the door for those who wish to exploit it for bad instead of good. Those who defend society from those whose intent is to exploit the situation for criminal means must decide between spending limited resources on either or both deterrence and remediation. Is the situation different with technology and identity based crimes than any other societal challenge previously faced?

interesting related read

FTC Report: Social Security Numbers and Identity Theft

The Federal Trade Commission has issued a report which doesn't break much new ground on protecting American citizen's Social Security Numbers. It does make official the call for new regulations intended to end unnecessary use of the Social Security Number (SSN) and provide for the privacy concerns of consumers when it is used. As the report makes clear, the genie cannot be stuffed back into the bottle. The SSNs of Americans are used, filed, stored, and accessed everywhere for business and identification purposes. That's pretty amazing for a number which is not officially an identification number.

Think about this. SSNs are assigned almost immediately after the birth of a baby. A basic paper card with few security provisions is given to the parents of the baby. The Social Security Administration will be happy to re-issue a card to a consumer as many as 10 times over a life time, not including legal name changes. If the card is lost or stolen, that is too bad. Apply for a new card - same number. No changes to your number will occur. Small wonder why identity theft is so easy to perpetrate. One of the basic pieces of information needed to commit identity frauds of all sorts is unprotected and is rarely changed even after it is exploited for criminal purposes.

Because so many functions of business though rely on the SSN for day to day operations, it will not go away anytime soon. Especially now as we boldly head into uncertain economic times, businesses cannot afford the cost of re-tooling from an obsolete identification system to a technologically safer credentialing system which matches stored card data to knowledge based authentication (KBA), PIN and/or biometrics. Many people are rightfully very concerned about these technologies and the implications they pose for consumer privacy. What cannot continue however is the current unabated abuse of the SSN which results in costly and time consuming identity restoration for consumers and billions of dollars in costs due to fraud; all facilitated by the SSNs inherent lack of safety. I am certainly not a proponent for national identity cards but the current system of using SSNs as a primary ID has to be put out to pasture. This is a subject we will need to visit again in the future.

---

FTC Issues Report on Social Security Numbers and Identity Theft excerpts

The Commission believes that the most effective course of action is to strengthen the methods by which businesses authenticate new and existing customers. Stronger authentication would make it more difficult for criminals to use stolen information, including SSNs, to impersonate consumers, thus devaluing the SSN to identity thieves and reducing the demand for it.

Limiting the supply of SSNs that are available to criminals, as a complement to improved authentication, although important, is more complex. SSNs already are available from many sources, including public records, and it may be impossible to “put the genie back in the bottle.” Moreover, there is a danger that reducing the availability of SSNs would have unintended, adverse consequences. A number of important functions in our economy depend on access to SSNs. Businesses routinely rely on SSNs to ensure that the information they use or share with other organizations is matched to the right individual. Still, we believe it is feasible to reduce the availability of SSNs to identity thieves, such as by eliminating unnecessary public display, while preserving the legitimate and beneficial uses and transfers of SSNs. The Commission’s five recommendations, detailed below in Section III, are:

• Improve consumer authentication;


• Restrict the public display and the transmission of SSNs;


• Establish national standards for data protection and breach notification;


• Conduct outreach to businesses and consumers; and


• Promote coordination and information sharing on use of SSNs.

This dual use of the SSN as identifier and authenticator has created significant identity theft concerns. SSNs often are described as the “keys to the kingdom,” because an identity thief with a consumer’s SSN (and perhaps other identifying information) may be able to use that information to convince a business that he is who he purports to be, allowing him to open new accounts, access existing accounts, or obtain other benefits in the consumer’s name. Unfortunately, SSNs have become
increasingly available to identity thieves, at least in part because they are so widely used as identifiers.

“Authentication” is the process of verifying that someone is who he or she claims to be. It is distinguished from “identification,” which simply matches an individual with his or her records, but does not prove that the individual is who he or she purports to be.

{Recommendations}

Given that the widespread use and availability of SSNs cannot be completely reversed,33 the Commission believes that the central component of the solution is to reduce the demand for SSNs by minimizing their value to identity thieves. This could be achieved by encouraging or requiring entities that have consumer accounts that can be targeted by identity thieves to adopt more effective authentication procedures, thereby making it more difficult for wrongdoers to use SSNs to open new accounts,
access existing accounts, or otherwise impersonate a consumer.

1. Improve Consumer Authentication
The Commission recommends that Congress consider establishing national consumer authentication standards covering all private sector entities that maintain consumer accounts other than financial institutions subject to the jurisdiction of the bank regulatory agencies, which already are subject to such requirements. These standards, which should be consistent with those covering financial institutions, should require private sector entities to create a written program that establishes
reasonable procedures to authenticate new or existing customers. This “reasonable procedures” approach, which should be fleshed out through agency rulemaking, should be technology-neutral and provide flexibility to private sector entities to implement a program that is compatible with their size, the nature of their business, and the specific authentication risks they face.

In developing authentication standards, Congress should consider several factors. First, the cost of implementing new authentication procedures should be evaluated in determining what is “reasonable.” Second, consumer convenience is a critical concern and also should be weighed in the reasonableness determination. Consumers are likely to resist authentication requirements that are too time-consuming or difficult, or that require the memorization or retention of too much information. Third, more robust authentication procedures that require consumers to provide additional information about themselves raise potential privacy concerns. For instance, some
businesses have developed authentication methods that require consumers to provide additional personal information either at the time the account is established or when the consumer later attempts to access the account. Many businesses use knowledge-based authentication in which they ask challenge questions, the answers to which are likely to be known only by the true individual. Although this method of authentication can overcome concerns about the unreliability of documentary evidence of identity45 and the lack of personal interaction in telephone or online transactions, challenge questions may require consumers to provide increasing amounts of information to businesses that are linked together in ways that may be unsettling to some.

2. Restrict the Public Display and the Transmission of SSNs
Although SSNs are valuable as a means of linking consumers with their information, much can be done to reduce the availability of SSNs to identity thieves by eliminating the unnecessary display and transmission of SSNs by the private sector. Restricting the display of SSNs on publicly-available documents and identification cards, and limiting the circumstances and means by which they can be transmitted, would make it more difficult for thieves to obtain SSNs, without hindering their use for legitimate identification and data matching purposes.

The Commission recommends that Congress consider creating national standards for the public display and the transmission of SSNs.64 Federal legislation would establish a nationwide approach to Federal Trade Commission reducing unnecessary display and transmission of SSNs, while addressing concerns about a patchwork of state laws with varying requirements. National standards should prohibit private sector entities
from unnecessarily exposing SSNs. The precise standards should be developed in rulemaking by appropriate federal agencies (i.e., agencies that oversee organizations that routinely transmit or display SSNs), and should include, for example, prohibitions against:

• publicly posting or displaying SSNs;


• placing SSNs on cards or documents required for an individual to access products or services provided by a covered entity, including student ID cards, employee ID cards, and insurance cards;


• transmitting (or requiring an individual to transmit) an SSN over the Internet, unless the connection is secure from unauthorized access, e.g., by encryption or other technologies that render the data generally unreadable;


• printing an individual’s SSN in materials mailed to the individual; and


• printing an individual’s SSN on the outside of an envelope or other mailer, or in a location that is visible without opening the envelope or mailer.

3. Establish National Standards for Data Protection and Breach
Notification
The Commission has previously expressed support for national data security standards that would cover SSNs in the possession of any private sector entity, and numerous commenters and workshop participants voiced similar support. Such standards, which would be implemented in rulemaking by federal agencies that oversee entities that routinely use and transfer sensitive consumer information, could be modeled after the Safeguards Rules and cover all entities that maintain sensitive consumer information.

The Commission also reiterates its support of its prior recommendation that Congress consider establishing national data breach notification standards requiring private sector entities to provide public notice when the entity suffers a breach of consumers’ personal information and the breach creates a significant risk of identity theft or other harms. These standards would also be implemented in rulemaking by appropriate federal agencies. Most states now have breach notification laws, but currently there is no across-the-board federal requirement. Commenters and workshop participants noted that, in addition to alerting affected consumers to protect themselves, these laws have had the indirect benefit of motivating companies to weigh their need to collect SSNs against the potential cost and liability that may ensue if the SSNs are compromised. Participants also noted that many businesses
have strengthened their safeguards practices to avoid data breaches, at least in part as a result of breach notification requirements. The state laws differ in various respects, however, complicating compliance.

4. Conduct Outreach to Businesses and Consumers
The Commission recommends increasing education and guidance efforts as additional steps to help reduce the role of SSNs in facilitating identity theft.

This type of guidance would be especially useful to small businesses and could include the following messages:

• the importance of collecting SSNs only when necessary and storing them only as long as necessary;


• steps businesses can take to reduce the use of SSNs as internal identifiers;


• proper disposal of SSNs;


• the importance of securing SSNs (such as by encrypting them) during their transmission; and


• limiting employee access to SSNs and conducting employee screening and training.

5. Promote Coordination and Information Sharing on Use of SSNs
Many private sector entities, from large multi-nationals and universities to small businesses and health care systems, have described the difficulties and expense of removing SSNs from computer systems and files, as well as the challenges of keeping up with the sophisticated and changing methods of identity thieves.

The Commission recommends that appropriate governmental entities explore helping private sector organizations establish a clearinghouse of best practices, enabling those organizations to share approaches and technologies on SSN usage and protection, fraud prevention, and consumer authentication.

Text of the Commission Report

Lifelock's Todd Davis: Identity for Sale

Fraud-prevention pitchman becomes ID theft victim

CNN via AP

Story Highlights:

• Man reportedly obtained loan using Social Security number of LifeLock spokesman


• Todd Davis regularly gives out Social Security number in ads for ID security company


• Customers file lawsuit, claiming Lifelock did not provide protection as advertised

SAN JOSE, California (AP) -- Todd Davis has dared criminals for two years to try stealing his identity: Ads for his fraud-prevention company, LifeLock, even offer his Social Security number next to his smiling mug.

Now, LifeLock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn't work as promised and he knew it wouldn't, because the service had failed even him.

Attorney David Paris said he found records of other people applying for or receiving driver's licenses at least 20 times using Davis' Social Security number, though some of the applications may have been rejected because data in them didn't match what the Social Security Administration had on file.

Davis acknowledged in an interview with The Associated Press that his stunt has led to at least 87 instances in which people have tried to steal his identity, and one succeeded: a guy in Texas who duped an online payday loan operation last year into giving him $500 using Davis' Social Security number.

Paris said the fact Davis' records were compromised at all supports the claim that Tempe, Arizona-based LifeLock doesn't provide the comprehensive protection its advertisements say it does.

"It's further evidence of the ineffectiveness of the services that LifeLock advertises," said Paris, who is lead attorney on the three new lawsuits, the latest of which was filed this month.

Davis learned about the fraud in Texas when the payday-loan outfit called to collect on the loan, he said. He didn't get an alert beforehand because the company didn't go through one of the three major credit bureaus before approving the transaction.

Davis said it's possible driver's licenses have been issued to other people in his name because of the widespread availability of his personal information -- and because of what he described as the flimsy mechanisms in place to report that kind of fraud.

Paris noted that LifeLock charges $10 a month to set fraud alerts with credit bureaus, even though consumers can do it themselves for free.

But Davis stands by his company and his advertising gimmick, which has appeared in newspapers and on billboards, radio and MTV. He even broadcasts it by bullhorn on walking tours through crowded downtowns.

"There's nothing on my actual credit report about uncollected funds, no outstanding tickets or warrants or anything," he said. "There's nothing to indicate my identity has been successfully compromised other than the one instance. I know I'm taking a slightly higher risk. But I'll take my risk for the tremendous benefit we're bringing to society and to consumers."

The lawsuits, for which Paris is seeking class-action status, highlight the fundamental limits on how much security identity-theft companies can provide.

Companies like LifeLock can help guard against only certain types of financial fraud by helping consumers set up alerts with credit bureaus, which inform them when someone tries to open a new line of credit or boost their credit limit to finance a buying binge, for example.

The services don't guard against many types of identity theft such as use of a stolen Social Security number on a job application or for medical services, or even the instance of an arrestee giving police a stolen Social Security number to shield his own identity.

LifeLock is also being sued in Arizona over its $1 million service guarantee, which the plaintiffs claim is misleading because it only covers a defect in LifeLock's service, and in California by the Experian credit bureau. Experian accuses LifeLock of deceiving consumers about the breadth of its protection and abusing the system for attaching fraud alerts to credit reports.

Security experts say complaints about the company reinforce the time-honored wisdom of keeping your Social Security number secret.

"There's been a lot of marketing, a lot of hype about LifeLock," said Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization. "The question is, 'How much protection does it really buy you?"'

"There is no company that can guarantee they can protect you (completely) against identity theft," Stephens said. "Absolutely nobody can do that."

---

"There's nothing on my actual credit report about uncollected funds, no outstanding tickets or warrants or anything," he said. "There's nothing to indicate my identity has been successfully compromised other than the one instance. I know I'm taking a slightly higher risk.

Have you ever seen such a self serving comment as this? "My identity" is safe, nevermind the fouled up records of state DMVs, the inaccurate records and safety concerns of who knows how many illegally licensed drivers acquired a motor vehicle operator's license using the PII of Todd Davis, creep in chief of Lifelock. Whether it is illegal workers or terrorists or felons, Todd Davis's lust for competitive greed has served well the needs of the "bad guys", perpetrators of identity theft seeking to skirt the law to illegally obtain motor vehicle operator permits.

Then he has the audacity to say:

But I'll take my risk for the tremendous benefit we're bringing to society and to consumers."

I hope Lifelock customers are carefully watching how callous and cavalier the creep in chief of Lifelock is concerning the law of the land. APRPEH has discussed the mis-adventures of Lifelock in previous posts and pointed out that the fraud alert will cure all hysterics will not prevent identity theft and should never be considered blanket protection against identity theft. Based upon the article above, the word may be getting out now that identity theft is more than credit accounts:

Companies like LifeLock can help guard against only certain types of financial fraud by helping consumers set up alerts with credit bureaus, which inform them when someone tries to open a new line of credit or boost their credit limit to finance a buying binge, for example.

The services don't guard against many types of identity theft such as use of a stolen Social Security number on a job application or for medical services, or even the instance of an arrestee giving police a stolen Social Security number to shield his own identity.

To all those companies out there selling services similar to what Lifelock does, and there are plenty of others, I say watchout, a class action suit is coming your way. A simple reading of paragraph 605A of the Fair Credit Reporting Act using the logic of a layman will render that fraud alerts are for intended for "the consumer{that} has been or is about to become a victim of fraud or related crime, including identity theft.." and for their protection:

a user of such consumer report shall contact the consumer using that telephone number or take reasonable steps to verify the consumer's identity and confirm that the application for a new credit plan is not the result of identity theft.

The whole subsection is below or see the FCRA in it's entirety. Anyone selling fraud alerts as the way to guarantee protection against identity theft is a fraud.

To recap, there are two main problems with the Lifelock approach:
1) credit issuers do not have to make a telephone call to verify the credit application
2) only about 20%-25% according to the FTC of all identity theft will be reported to a credit bureau meaning the fraud alert will not be read and no verification of the consumer's interest in the transaction, whatever transaction it might be, will be made.

FCRA 605A
(B) Limitation on Users
(i) In general. No prospective user of a consumer report that includes an
initial fraud alert or an active duty alert in accordance with this section
may establish a new credit plan or extension of credit, other than under
an open-end credit plan (as defined in section 103(i)), in the name of
the consumer, or issue an additional card on an existing credit account
requested by a consumer, or grant any increase in credit limit on an
existing credit account requested by a consumer, unless the user
utilizes reasonable policies and procedures to form a reasonable belief
that the user knows the identity of the person making the request.
(ii) Verification. If a consumer requesting the alert has specified a
telephone number to be used for identity verification purposes, before
authorizing any new credit plan or extension described in clause (i) in
the name of such consumer, a user of such consumer report shall
contact the consumer using that telephone number or take reasonable
steps to verify the consumer's identity and confirm that the application
for a new credit plan is not the result of identity theft.

previous APRPEH Id theft articles related to Lifelock:

Lifelock Brainblock Lifeblock Brainlock
Lifelock Getting Picked
Identity Protection Shopping
Minors and Identity
As G. Gordon Liddy Would Say..Suckers

Inexcusable Negligence

ID Theft Safeguard used to Steal IDs (from Laptop Security blog)

Even the most carefully laid plans can go awry. Federal prosecutors charged a Southern Californian woman this week with aggravated identity theft after she used a genealogy website to locate people who had recently died and to take over their credit cards.

Tracy June Kirkland was using Rootsweb.com to find the names, Social Security numbers and birth dates of people who had died. She would then call credit card companies randomly to see if "she" had an account, if "she" did, she would request a mailing address change and, in some cases, would add her own name as an authorized user. Ms. Kirkland repeated this scheme at least 100 times between October, 2005 and last month.

Rootsweb.com is a genealogical research site that, amongst other services, reproduces the Social Security Administration’s Death Index, which is a public list of people who have died, along with their birth dates and Social Security Numbers. The government publishes this list with such detail in order that banks can prevent people from applying for credit under any deceased people’s identities. The information is made public by the Freedom of Information Act.

Tracy Kirkland has found a loophole in the system by, instead of applying for new credit, simply co-opting existing credit accounts. This is the first time this exploit has been found, according to a spokesperson for the Social Security Administration.

"The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end."

So, what do you think? Should the Social Security Numbers be reported on the Death Index? Do you think the benefits to the prevention of identity theft outweigh the risks shown here?

You can feel the full court indictment here [PDF]

Via wired ; Logo: Rootsweb, a part of Ancestry.com and MyFamily.com Inc.Tags: rootsweb, identity theft, id theft, death index, breach

---

I could see how someone with access to the Social Security Numbers of recently deceased could be successful attempting this sort of fraud. But with consumers who passed away 2 or 3 years ago, there is no excuse for credit issuers to have not updated their electronic records. Anyone who has reviewed their own credit report knows that financial institutions do periodic inquiries in order to verify if their customer is still in the same risk category they were when the credit was first issued. Why is it then, that the issuers who gave out account information didn't notice that line which says "consumer has been reported deceased" and updated their database accordingly?

SS Death Index records are downloaded and incorporated into credit repository data on a regular basis, at the very least a few times a year. For a creditor to not know their customer is deceased is shear stupidity. Besides adding to the cost of total fraud loss, a loss which is passed on to the consumer, the survivors are left to deal with the credit issuer or even debt collectors to resolve the problem. As the article points out, the SS Death Index is public specifically to prevent this sort of fraud.

Lifelock Brainblock, Lifeblock, Brainlock

McGrath probing service preventing identity theft
By ERIN MADISON
Tribune Staff Writer

The Montana Attorney General's office is investigating LifeLock, a company profiled in Sunday's Tribune.

LifeLock is an identity theft prevention service. Customers pay $10 per month to have a fraud alert placed on their credit reports and be opted out of pre-approved credit card offers. If one of LifeLock's members has their identity stolen, the company covers any losses up to $1 million.

LifeLock previously ran a full-page ad in the Tribune, which included the Social Security number of the company CEO Todd Davis.

That ad piqued the interest of Attorney General Mike McGrath, said Assistant Attorney General Jesse Laslovich.
"When that ad appeared, we started investigating them," Laslovich said, adding that so far nothing has come of the investigation.

The attorney general's office is sending the company a notice of a civil investigation, Laslovich said.

LifeLock is not aware of any state investigation, said Tami Nealy, director of communications for the company.

When McGrath saw Davis' Social Security number in the advertisement, he had concerns that it wasn't actually the CEO's Social Security number, Laslovich said.

Davis says he can give out his Social Security number because LifeLock is effective in preventing anyone from using it to commit fraud.

The Social Security number in the advertisement is registered to numerous people, Laslovich said. That's probably because people see it and try to use it to open lines of credit, he added.

The number in the advertisement is Davis' real Social Security number, Nealy said. Davis gets calls via the LifeLock service every two or three weeks notifying him that people are trying to open lines of credit in his name.

Every time the company prints Davis' Social Security number, it also gives a disclaimer saying people should protect their Social Security numbers and not share them, Nealy added.

The attorney general's office also has concerns about LifeLock because most of the services it offers are things people can do for free on their own, Laslovich said.

The company doesn't deny that, Nealy said.

"Everything we do for you, you can do yourself," she said.

However, the company offers convenience in that members don't have to do those things themselves, such as renew fraud alerts, which expire every 90 days.

"You can change your own oil; you just don't," Nealy said.

Laslovich recommends that people do thorough research before signing up with LifeLock — look over the contracts before signing them, be sure to understand what the company offers and go over everything with a fine-tooth comb.

Laslovich noted that with the increase in identity theft, there also are some businesses cropping up that may only claim to protect people from identity theft.

"We're just trying to be proactive," he said.

Reach Erin Madison at 791-1466, 800-438-6600 or emadison@greatfallstribune.com.

---

APRPEH has posted information and analysis concerning Lifelock in the past: here and here. Lifelock at least is honest in admitting that the services they provide can be done for free by anyone. The analogy of changing the car oil doesn't really apply. A fraud alert can be placed on all three credit files in under 3 minutes, faster if you are familiar with the touchpad sequence. Both Experian's and Equifax's websites are set up to take the alert online. This a very simple process with very little risk of a leaving your garage a filthy mess and your fragile male ego shattered. More troublesome is the Lifelock marketing:

LifeLock, the industry leader in proactive identity theft protection, offers a proven solution that prevents your identity from being stolen before it happens. We'll protect your identity and personal information for only $10 a month - and we guarantee our service up to $1,000,000. We also offer the only identity theft child protection program available in the market, so guarantee your good name today and enroll now.

Fraud alerts are only affective in preventing credit based fraud. Any new account opening or transaction where a credit report is not necessary by-passes the fraud alert protection. Utility companies for instance including many telecommunications and internet service providers rarely if ever utilize a credit report for new account openings.

The same claims about safety have been made by the credit freeze advocates. APRPEH discussed the credit freeze issue in November.

The Lifelock marketing brags about selling "the only identity theft child protection program available in the market." Why is that?

Lifelock claims:

Among the things we do:

• We check credit reports every 6 months to ensure that there is no activity.


• If a credit report does exist, we place fraud alerts on credit reports, stating that this is a minor child and that no activity should occur.


• We check for work history and any misuse of the Social Security number.


• We repeat this process regularly to ensure that all is well.


• Starting out is hard enough. Starting out with a stolen Identity makes it ten times harder. We think that's worth $25 a year. Do you?

APRPEH discussed the issues involving minors and their Social Security Numbers and Minors and Identity last year as well.

A good question for Attorney General Mike McGrath to ask is exactly what protecting is Lifelock doing? The product described on their website merely goes the process of determining if fraud has occurred using a minor's personal identifying information. To find out if a credit report exists for a minor, follow the instructions available from the Identity Theft Resource Center. In general, the credit bureaus will not knowingly produce and report credit history associated with a minor. Once the bureaus are aware that a credit file is associated with a minor they will either freeze the file or mark it accordingly. What the bureaus consider a minor is a different matter. A teen who is listed as an authorized user on a credit card likely has a credit file. Expecting a consistent answer from the bureaus as to why one minor should have a file and another shouldn't is asking for too much.

Wishing Good luck to General McGrath.

Minors and Identity

Child ID Theft: Victim Tells His Story, Hoping to Help Others Avoid Woes

By Roxana Orellana
The Salt Lake Tribune
Article Last Updated: 10/16/2007 06:47:44 AM MDT


Zach Friesen, a 21-year-old college student from... (Francisco Kjolseth/The Salt Lake Tribune )«1» Zach Friesen first learned he owed money for a $40,000 houseboat when he turned 17 and applied for a job and a school loan.

Certainly he had never bought a houseboat.

Someone had stolen his identity when he was 7 and used it to get a loan. He's off the hook for the debt, but his credit remains damaged.

"I thought 'There's got to be something I can do as a victim to help people,'" he said.

Now 21 and a senior at the University of Colorado, Friesen has spent the past three years working for Qwest Communications' Incredible Internet Program talking to teens, parents, legislators and anyone else who will listen about teen identity theft.

On Monday he stopped at Skyline High School in Millcreek to caution students about the dangers of sharing too much information.

"High school students specifically are the target of identity theft," Friesen said. "They have clean lines of credit, so thieves know how much they are going to get when they target a child."

In addition, teens too often are willing to give out their information and don't check records such as credit reports that may turn up fraudulent activity.

In his case, Friesen said the thief had 10 years to get away with the crime and to this day, no one knows who stole his identity. When Friesen applied for his loan, the bank informed him of the debt and what the money had been used for.

He said teens and their parents can start by checking credit reports. Friesen said he is working with companies to try to get the expense of credit reports reduced for teens and for parents with multiple children.

Qwest started the Incredible Internet Program to offer families an online resource for smarter and safer Internet surfing, spokeswoman Katie Lessman said. The program seeks to educate teens before they learn the hard way that they're vulnerable to identity theft.

The company hired Friesen because he had a personal experience with identity theft and can relate what happened to him and other teens.

"It really opens some people's mind about identity theft," Robert Wilcox, a senior, said of Friesen's warning. "It's helpful. Most of the time we don't know what we're putting on the Internet."

Friesen said teens typically react with shock to his presentation. "I really want students to walk away with an understanding of what identity theft is and what to do in the event that it happens," Friesen said.

Protect your identity

Teens are particularly vulnerable to identity theft because they too often provide personal information. Here are some tips for protecting against theft and fraud:
* Never provide personal information to strangers. Do not post your photo online or post a public profile with data such as age, gender, hobbies or interests.

* Be sure you know who is receiving the instant messages you send.

* If something inappropriate happens online, report it immediately to www.cybertipline.com.

* Always be alert to Internet scams.

* To protect yourself and your computer, use software for spyware, spam and viruses.

* Parents should know their children's passwords and screen names. They also should learn Internet lingo such as POS: parent over shoulder.

Source: www.Incredibleinternet.com

---

Zach's message is very true. People, teens in this case, with clear credit reports are particularly vulnerable to fraud. Legally, anyone under 18 years of age cannot receive credit unless an adult co-signs the application. Why? Because minors are not legal signatories to contracts. A minor cannot be held liable in contract law and must be backed by someone who can be. The credit bureaus do not intentionally have files for minors as a result.

Social Security Numbers not associated with a consumer credit file leave the holder of that number vulnerable to fraud when a perpetrator fakes a name and date of birth to apply to credit thereby associating the wrong person with the SSN with the credit bureaus. This starts a trail of credit fraud perpetrated against an unknowing victim and which ends in a devastated credit standing.

Unfortunately, minors are most often victimized by parents or other family members. This is indeed tragic. In order to correct most credit reporting problems or to dispute fraudulent accounts with creditors, a police report may be required. The minor, upon reaching legal age and discovering the fraud must make a choice between starting life as an adult with bad credit or filing a police report incriminating his/her parents. That is, of course if the source of the fraud is known.

While advocating consumer credit education is a popular approach to reducing the likelihood of identity theft, educating minors means educating parents first. However, parent predators only become better predators with increased credit knowledge.

For teens, while credit education is important, privacy education is more important. Teens need to learn self-defense in general and spend a specific amount of time learning to be identity shrewd. Social websites have attracted a bit of attention as of late being an avenue to uncover information about a consumer for criminal purposes. Identity shrewdness training should take into account not only Internet behavior but document retaining and usage training. Teens do not to share with friends their SSNs, have easy access to original documentation (SS Cards, certified birth certificates, forms displaying their PII, etc.), or need more than a name and id number issued by their school.

Teenage computer users often have access to an adult's credit card number for internet activities. One has to wonder how many credit card accounts are made subject to fraud as a result. Teens and adults who routinely buy or order goods or services online should have a separate credit card (not a debit card) which is used only online. Using multiple credit cards online delays discovery of fraud and complicates the dispute unnecessarily.

More on identity theft at a later date.

Good reference

Targeted Phishing

Spear Phishing: A Targeted Attack

Posted August 13th at 12:01 pm | Tags: Catherine Forsythe, data breach, identity theft, phishing, security, spoofing |

from Flying Hamster

One of the common, well known attempts at identity theft is phishing. You may received email asking you to do things like verify your PayPal account or your eBay account. The criminals are casting a wide ‘net’ with broadcast spam to see who will respond. Playing the numbers game, if enough spam is sent out, someone will make the error and carelessly give up their personal information.

Spear phishing is not broad spectrum spamming. It is very specific and targeted. For example, if you received an email from someone from your tech support services asking to confirm your security code, would you do it? The email is addressed directly to you and has your name in the text of the note. A glance at the email address shows that it is a company email. If you send back your security code or password, you may have been ‘phished’ - specifically, you have been ’spear phished’. You were targeted.

Email addresses can be spoofed. And the mention of your name in the text is just social engineering. It is to manipulate you into feeling secure and giving up the information. Obviously, in business, the senior management has access to the sensitive data. One breach there could mean a security problem involving hundreds, perhaps thousands, of files containing information for a staggering number of identity thefts.

The spear phishing is not limited to businesses. It can happen to anyone. An example is the recurring jury duty scam. In this ploy someone may call or write and tells you that you have been negligent in performing your jury duties. You may reply that you did not receive any notification. The hacker then asks you for your social security number to confirm that the documents are indeed yours. And you can guess the rest… it’s spear phishing on a smaller scale.

Obviously, the precaution is to check before giving out any sensitive information. Check thoroughly and then check again. And even then, you may want to say ‘no’…

Catherine Forsythe

---

Just because it looks and sounds real doesn't mean that it is. If you are uncertain as to the truthfulness of an email contact or a mix of email and telephone contacts, do your own research. Do an internet search for the organization or entity and follow up based upon the contact information that you discover. Check out Rip Off Report. This is a great resource which helps unsuspecting consumers make decisions about suspicious emails or offers.

Another good resource is Fraud Watch International.

Above all, use good judgement. If need be, please respond to this blog on this post and I will take a look at the information you have submitted. While I cannot always be 100% accurate, I will do my best.