Group items tagged

Physician groups press FTC for exemption from Red Flag Rules With a May 1 deadline for compliance looming, the American Medical Association (AMA) has asked the Federal Trade Commission (FTC) to suspend the application of the Red Flag Rules to physicians and publish a new rule so that physicians have an opportunity to provide comments. In a March 9 letter to the FTC, AMA Executive Vice President Michael D. Maves wrote that the AMA "strongly believes that the FTC did not provide physicians with an opportunity to review and comment on this Rule." Controversy. Under the Red Flag Rules, which were finalized in October 2007 under the Fair and Accurate Credit Transactions Act (FACTA), financial institutions and creditors must develop and implement written identity theft prevention programs. FACTA provides a broad definition of "creditor" as "any entity that regularly extends, renews or continues credit." The FTC has interpreted this definition to include health care providers and physicians. The AMA and several other medical trade associations have taken the position that physicians were not intended to be subject to the Red Flag Rules, but the FTC has held firm in its interpretation, in spite of the objections. In a Feb. 4 letter to the AMA, the FTC reiterated its position that "the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services." The FTC also has taken the position that application of the Red Flag Rules to physicians will reduce the incidence of medical identity theft and will not impose a heavy burden on health care professionals. Rulemaking process. In addition to its claim that health care providers should not be classified as creditors, the AMA also has argued that the physician community was not informed that it would be subject to the Red Flag Rules.

The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

Many people are scaling back their summer vacation plans because of the current economic situation. Some are staying closer to home. Others may be taking shorter vacations. But it's important to remember that when you travel, your risk of exposure to fraud and identity theft may increase. It's a fact that people tend to let their guard down while on vacation. Criminals know this. Identity theft is often a crime of opportunity. Don't be a vacationer who presents a crook with that opportunity. Your personal information, credit and debit cards, driver's license, passport, and other personal information are the fraudster's target. A few minutes spent planning before you travel can help reduce the risk that a fraudster will ruin your vacation. Here are some tips to help you avoid any nasty surprises:

Being privacy saavy while on vacation - Priceless

The man accused of masterminding the largest identity theft in U.S. history agreed to plead guilty to related charges, according to court papers filed in Boston federal court on Friday. Albert Gonzalez is accused of helping to steal millions of credit card and debit card numbers from major U.S. retail chains, leading to tens of millions of dollars in fraudulent transactions. A former government informant who is already in jail, Gonzalez, 28, agreed to plead guilty to 19 counts in Massachusetts by September 11. The agreement also resolves charges pending in federal court in New York.

Privacy & security are individual rights and responsibilities, not just corporate or governmental responsibilities. Reliance on technology is bound to fail without motivation for all involved to find mutual benefits.

Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses. Information technology companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately, we can't rely just on technology for identity protection. While some of these security incidents involve someone hacking into a system, many involve a human failing. Examples include a laptop with confidential information being lost or stolen and employees e-mailing sensitive data to their personal e-mail accounts so they can work on it from home.

With the ink barely dry on headlines about what could be the biggest security breach in history (identity thieves hacked into payment processor Heartland Payment Services, possibly gaining access to the credit-card information of millions of consumers) signing up for a credit-monitoring service may have jumped a few notches on your to-do list. After all, paying $12 or so a month seems like a small price to pay for the peace of mind that -- through regular alerts about activity on your credit reports and other monitoring services -- you'll be protected from identity theft. Right? Think again.

Identity theft concerns are focused on the security and necessity of the collection process. Collecting personal information just because you can is unsafe. Organizations can reduce privacy risks by not collecting unnecessary personal info. Once the data gets into the data life cycle pipeline, the cost of managing and destroying it escalates. The Federal Trade Commission estimates that as many as 9 million people have their identities stolen every year. According to the Privacy Rights Clearinghouse, more than 200 million instances of data breaches have occurred since the beginning of 2005, and they show no signs of letting up. In the first quarter of 2008 alone, more than 85 million incidents were reported. The causes of data breaches run the gamut: Hackers get unencrypted, transmitted data and data at rest; laptops are stolen or lost; storage Relevant Products/Services devices are lost by third-party shipping companies; flash drives or PDAs are left lying around; Social Security numbers are accidentally printed on envelopes; or data is found on discarded computers. This article examines the organizational risks to CPAs and their clients or corporate employers of improperly managed data throughout the data life cycle. It also discusses best data management practices and proper procedures for responding to a data breach. Data breaches, whatever the cause, are costly. According to a study by the Ponemon Institute, the average cost of a data breach in 2007 was $6.3 million. The average cost to an organization per record compromised is about $197, which is typically spent on phone calls for customer notification, providing free credit monitoring, discounts on membership fees, or discounts on merchandise to make up for the security Relevant Products/Services breach. Some organizations also experience an increase in customer turnover. The organization typically spends additional money in data protection Relevant Products/Services enhancements. Companies sanctioned by

A consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves, has agreed to settle Federal Trade Commission charges that it violated federal law. Under the settlement, the company and its principal must ensure that they provide credit reports only to legitimate businesses for lawful purposes, use a comprehensive information security program, and obtain independent audits every other year for 20 years. The settlement also imposes a $500,000 penalty but suspends payment due to the defendants' inability to pay. According to the FTC, the defendants use sensitive financial data from other consumer reporting agencies to create reports that landlords use to assess potential renters. These reports contain consumers' names, Social Security numbers, birth dates, bank and credit card account numbers, credit histories, and other personal information. The Commission alleges that the company failed to properly screen new customers. The company allegedly requested only publicly-available information from applicants seeking credit reports, and it did not request supporting documentation to establish that an applicant was actually a landlord renting property. As a result, identity thieves posing as property owners were given an account with unlimited online access to credit reports, and the account was used to access at least 318 reports containing sensitive personal information. The FTC charged the defendants with violating the Fair Credit Reporting Act (FCRA) by furnishing credit reports to persons who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to prevent such impermissible disclosures and to verify their customers' identities and how they intended to use the information. The agency also charged them with violating the FTC Act by failing to employ reasonable and appropriate security measures to protect sensitive consumer inform

Salesmen and parents know the technique well. It's called the takeaway, and as far as Keith Mularski is concerned, it's the reason he kept his job as administrator of online fraud site DarkMarket. DarkMarket was what's known as a "carder" site. Like an eBay for criminals, it was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards. In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site. Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement. A hacker named Iceman -- authorities say he was actually San Francisco resident Max Butler -- who ran a competing Web site, was saying that Mularski wasn't the Polish spammer he claimed to be. According to Iceman, Master Splynter was really an agent for the U.S. Federal Bureau of Investigation. Iceman had some evidence to back up his claim but couldn't prove anything conclusively. At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own. He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information. ....In the end they would regret that decision. Iceman was right

U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen. Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement. The suspects also hacked two unidentified corporate victims, the U.S. attorney's office in New Jersey said in the statement. Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities. The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings-break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10-double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre

Legal woes may be next for Heartland Payment Systems, a payment processor that reported a major security breach this week. Depending on the results of the ongoing investigation, Heartland is likely to face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data theft cases. "The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud," says Vernick. The fact that Heartland's systems were certified as being fully in compliance with data handling rules, called the PCI standards, raises questions about the efficacy of such standards. Hannaford Brothers grocery chain was likewise fully PCI compliant when it had 300 stores hacked and 4.3 million record swiped..... "This latest incident shows how, despite companies being compliant with regulations such as PCI, they are still a long way from being secure," says Mike Rothman, senior vice president of strategy at elQnetworks.

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information. In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans' lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring. The lawsuit came after a VA data analyst in 2006 admitted that he had lost a laptop and external drive containing the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty troops. The laptop was later recovered intact.

A Port Washington medical practice was defrauded of nearly $250,000 by a former employee who for four years paid her credit card bills with automatic debits from a doctor's checking account, Nassau police said. Debra Camilo, 42, of 110 Malba Dr., Whitestone, began the transfers in the spring of 2004 and even though she was fired a year later -- for reasons unrelated to the fraud -- she continued until July 2008, police said. All told, the former office manager made more than 80 unauthorized debit transfers to her Visa credit card amounting to $241,341, police said. Crimes against property bureau detectives arrested Camilo Thursday afternoon in Manhasset and charged her with grand larceny, identity theft and fraud. She was scheduled for arraignment Friday in First District Court, Hempstead.

Consumers and companies are vulnerable to hackers and identity thieves even after U.S. authorities arrested a man they said was a master hacker who stole 170 million credit and debit card numbers. Estimates on the total financial impact of breaches vary, but a study by Forrester Research put the cost at $90 to $305 per compromised record when considering the cost of upgrades, notifying customers and legal and marketing expenses. "Under our banking laws, it's the financial institutions that will be stuck paying for fraudulent use of credit cards. We have the consumers responsible for $50 and the rest winds up on the card issuer," said Joel Reidenberg, a professor at Fordham Law School who teaches privacy law. Banks in turn pass along costs to retailers as fines and fees. On Monday, three men were indicted on charges of stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believed was the largest hacking and identify theft case ever prosecuted in the United States

"It's the easiest way for a bad guy to pretend to be you." So why are banks still using SSNs as a major form of customer identification?

"Every day thousands of people download new applications onto their smart phones without much care for the terms of service they so easily agree to. What most of these people don't know is they may be volunteering information and allowing for companies to gather data without their consent. Recently a company called Pinch Media was charged with being a little too invasive when it comes to gathering information through their iPhone apps. According to one iPhone developer, applications using Pinch Media can retrieve information like your phone's personal ID number and can work in conjunction with other applications like Facebook to determine your gender, birth year and even your exact longitude and latitude. Pinch Media has been accused of gathering information that has nothing to do with its applications. Instead, they have been using this data collection for advertisements and other marketing purposes. Worse, is that this information is often taken without the consent of the user and more often than not does not allow the user the option to stop the information gathering. Pinch Media has fought back by arguing that they are completely within their rights to retrieve the information as long as the user gives consent when they agree to the terms of the application. Regardless of whether or not the information they gathered is being used for good or ill mannered purposes one thing is certain. Smart phone users should pay more attention to the terms of service they agree to. A simple visit to a software developer's web site can be the difference between you using your applications and your applications using you. Take the time out to read the fine print, and if you aren't sure about something - email the company directly with your questions or concerns."

"The number of fraudulent IRS websites taken down in 2008 soared to 3,030, up more than 240 percent from 2007, according to a GAO analysis of Internal Revenue Service data, suggesting a sharp increase by criminals to draw unassuming taxpayers to faux tax agency websites to steal identities and money. In a Government Accountability Office audit, made public Thursday, the GAO credited the IRS for implementing programs to prevent, detect and resolve identity theft, but said the tax agency needs to do a better job in assessing the effectiveness of its initiatives. And, as it relates to potential online abuse, the IRS should be more consistent in enforcing security controls. "

"Nearly every practicing doctor in the United States is being warned that their identities might have been stolen when the laptop of an employee of an insurance trade group was snagged from a car in Chicago. The laptop contained business and personal information such as Social Security numbers, addresses and certain identification numbers on the laptop of an employee from the Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans. The association confirmed that an employee "broke protocol and transferred to a personal laptop" information that was stolen in late August. No patient information was on the database, and so far, no doctor has reported a security breach. However, nearly 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft, according to an article in the Chicago Tribune."