IDENTITY THEFT
Definition of Identity Theft
What is Identity Theft? Identity theft is defined as a type of crime where someone pretends to be someone else in order to steal money or obtain other benefits. The term identity theft is actually a misnomer, because it is not possible to steal someone's identity; one can only use it. Stealing someone's identity enables the thief to make an enormous number of financial and personal transactions in someone else's name, leaving the victim responsible for all the mishaps. The consequences of identity theft may be very severe. In the modern world, an individual can become someone else very easily. What an identity thief does as someone else reflects quickly on the reputation of the victim. The loss of reputation and the financial loss caused by an identity thief can devastate the life of the victim. Identity theft is different from identity fraud, as the latter relates to the use of a false identity to commit a fraud. Identity theft is actually impersonating a real person.
A common example of identity theft is when an identity thief steals the wallet or purse of the victim and so obtains the victim's personal identification. He then uses this personal information to open a credit card account in the name of the victim. The perpetrator can then do anything that requires just a credit card, such as internet shopping and much more.
Banks are among the hardest hit by identity theft crimes. In fact, bank identity theft is considered the earliest form. It existed even before there were credit card, social security, job bank, airline and medical identity thefts. Bank identity theft takes several forms. In some cases, the thief continuously draws huge amounts of cash from another person's account until no money is left in it. In another form, the identity thief uses the personal information of the victim to apply for a bank loan in the name of the victim.
In America, it is the fastest growing crime. Approximately 70 thousand to 90 thousand Americans were affected by identity theft. Many of the cases were due to credit card fraud. Innocent people are arrested every year because of identity theft. They are held responsible for the crimes committed in their names by the criminals.
Theft of Identity is always personal. Thieves could be those living closely with the victim such as relatives, roommates, friends, household workers, etc. They have instant access to victim's personal papers.
A small percentage of identity thefts are targeted against a person as revenge. The thief's motivation is to attack the victim's reputation. The personal nature of this kind of identity theft is terrifying.
The History of Identity Theft
Identity theft surveys have found that identity theft is more common now than before. This is due to the advent and widespread use of the internet. However, identity theft has its origin before the internet. Long before the advent of the internet, identity thieves stole identities through "dumpster diving", that is, going through the trash of the victim to collect personal information. They also used phone scams to find out the personal identifying information of the victim. Now, with the advent of the internet, identity theft has become more common, easier to perform and also safer to perform. The techniques used have also become more sophisticated, such as phishing, skimming, etc.
Identity Theft Research
What did the researchers find?
· Although anyone is vulnerable to attack by Identity thieves, individuals are more likely to be victimised by persons such as family members and roommates, who have access to their personal information.
· Identity theft generally involves 3 stages: acquisition, use and discovery. Researchers found that the longer the time taken to detect the theft, the greater the loss incurred and the lesser the likelihood of successful prosecution. Persons at extremes of age (both teens and older persons) and those with less education are less likely to discover the identity theft quickly and to report it.
· The access to personal information about victims and the anonymity the Internet offers are what attract would-be thieves to identity theft.
· More research is needed to discover means of identity theft protection. Researchers should focus on the three main areas of vulnerability.
· Practices and operating environment of document-issuing agencies that allow attackers to exploit opportunities to grab personal information.
Identity theft statistics
Surveys in the United States of America regarding identity theft from 2003 to 2006 showed a decline in the number of victims and in the cost of identity theft, from US $47.6 billion in 2003 to US $15.6 billion in 2006. The average fraud per person declined from $4,789 in 2003 to $1,882 in 2006. The Federal Trade Commission (FTC) released news about identity theft which stated that in the year 2003 there had been at least 27 million Americans who had fallen victim to identity thieves.
The 2003 survey from the Identity Theft Resource Centre found that:
· Only 15% of victims find out about the theft through proactive action taken by a business.
· The average time taken by a victim to resolve the problem of identity theft is around 330 hours.
· 73% of victims state that the problem started when the thief acquired a credit card.
· The emotional impact is similar to that of victims of violent crimes.
Michelle Brown, a victim of identity theft, testified before a United States Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."
In Australia, identity theft was estimated to cause a loss of AUS $1 billion to AUS $4 billion per annum in 2001. In the United Kingdom, the Home Office reported that identity theft costs £1.2 billion annually.
Child Identity Theft stories
Identity thieves like to target children because their credit files are never checked. Parents think that it is not important to check the credit reports of their children. Even before identity theft became established in the 21st century, identity thieves had started targeting children. Because of advanced identity theft techniques such as phishing and other online identity thefts, children are more vulnerable to attack by identity thieves than before. A story about child identity theft titled "Never Too Young to Have Your Identity Stolen", written by Barbara Whitaker, was published in the New York Times (July 21, 2007).
An opportunity too good to pass up
The thief may be an opportunist, one who sees his chance and takes it. The thief's motive is simple: to buy goods and receive services at the expense of someone else. In one interesting incident, the identity thief blamed the U.S. Securities and Exchange Commission (SEC) for displaying names and Social Security numbers on its website for the entire world to see. This tempted him to apply for car loans in 14 of those individuals' names. It was a crime of opportunity.
Another opportunity, which tempted a boy to become an identity thief, is narrated here. He regularly used a public computer in a public library. One day while browsing, he stumbled across a database of disclosure forms that public companies and their officials file with the SEC. It was too tempting. He assumed one of the names and applied for a car loan online through a bank. It was rejected, along with his subsequent 11 applications under different names. However, on his next try, he got a $15,000 check. No intelligence is needed to do things like these. It is clear that the opportunity is provided by us. Opportunity along with a little temptation is what converts a normal person into an identity thief.
Living Large on your Good Name - Causes of Identity Theft
Once the needed information is acquired, an identity thief can do any one of the following:
· Apply for a Credit card in the victim's name. Thereby the victim becomes liable for perpetrator's transactions.
· Open a bank or building society account in the victim's name.
· Apply for other financial services in the victim's name.
· Apply for any benefits in the victim's name like housing benefit, new tax credits, income support, job seeker's allowance or child benefit.
· Run up debts like using the credit card/ debit card details to make purchase or obtain a loan in the victim's name.
· Apply for a driving license in the victim's name.
· Apply for a passport in the victim's name.
· Register a vehicle in the victim's name.
· Apply for a mobile phone contract in the victim's name.
One person received a letter from a bank stating that his credit card application had been denied. The shocking thing was that he hadn't applied for a credit card. Next, there are counterfeit phone services, which an identity thief can open in the victim's name using the victim's identity. The victim then receives the bill for what the identity thief is using. The victim is left with a monstrous bill, and his delinquency is reported to the credit bureau.
If an identity thief is able to steal the victim's check book, or is capable of obtaining new checks on the victim's account through illegal means, he/she could completely drain the victim's account. He could also write bad checks against the victim's accounts as often as possible before the bank reports the felonious conduct.
If an identity thief gains access to the personal data of the victim, he can take out loans in the name of the victim. If the thief is sharp enough, he/she receives the goods and the victim receives the bill!
The ultimate damage that can be done to a victim by an identity thief is to file for bankruptcy under the victim's name. Even this would be intended to cause harm to the victim. Identity thieves might buy a car or rent an apartment in the name of the victim. They may even commit crimes in the name of the victim. For example, in one case, the identity thief was a major drug dealer using the identity of a high ranking corporate executive. That caused the executive a lot of trouble. Whenever he travels overseas, the executive has to carry an official letter stating that he is not a drug dealer. Even recently, police broke into his room with guns drawn.
Many identity theft victims have been denied car loans, student loans, credit cards and even jobs. Some had their telephone service disconnected and driver's license suspended.
Identity Theft can cause IRS (Internal Revenue Service) problems to the victim
Most people know that identity theft is becoming a bigger problem. What they do not know is that it can cause problems with the Internal Revenue Service (IRS). There are a couple of ways the identity thief can hurt the victim with the IRS.
· The personal information of the victim can be used to create fake identities for others. As illegal immigrants are facing new regulations under which they must produce proof of citizenship to receive medical service, a job and so on, fake identities built from the personal information of the victim are used for this purpose. The Social Security Number (SSN) is especially used for this purpose.
· The Social Security Number (SSN) is the number used by the IRS to track the earnings of a person. If someone else is using it to get a job, the IRS is going to think that the person is earning more than he is reporting. The victim can then expect a huge audit and pure misery until the situation is worked out.
The IRS is aware of the problems with identity theft. If the victim of identity theft starts receiving notices from the IRS, the victim must immediately contact the IRS. Once contacted, the IRS will take a closer look at the earnings of the victim. They may interview the employer and look at the location of the business. If the victim is in Los Angeles and the employer is in Boston, the IRS is going to let the victim off the hook. The IRS now has a toll-free number to assist victims of identity theft. Victims can call 1-800-908-4490 and speak with a customer service representative Monday to Friday, from 8 am to 8 pm.
College Students prime target for Identity Theft
College students are considered particularly vulnerable to identity theft. People aged 18-29 make up the most common group victimised by identity theft. Every college student and parent is familiar with the booths on college campuses inviting students to sign up for free credit cards. But credit cards and college students can be a bad combination. Some credit card companies even offer a free T-shirt in return for signing up for a credit card. One such student, who signed up for a credit card for a free T-shirt, had a terrible experience. He said, "My third day at college, I applied for several credit cards on campus. Five years later, I found out that all my personal information was posted on a Web site. I had cars bought in my name and credit accounts across the country. A college student who ran one of the credit card booths was responsible for posting my information. Even though I now have a new Social Security number, I constantly have to monitor my credit reports. I have had to explain all of this to employers who run background checks on me. Those free T-shirts wound up costing me $150,000!" The effects of identity theft on the life of a student can be severe, and it may take years for him to repair the damage caused by identity theft.
It is very unfortunate that college students and campuses are big targets of Identity thieves. The Federal Trade Commission (FTC) found out that 31% of Identity theft victims fall into the age group of 18-29.
Why are college students such likely targets for Identity Theft?
· Naivety - This is considered the No. 1 reason. Students aren't aware that identity theft might happen to them, or they are not aware of the prevention measures to be taken. They are also vulnerable to "phishing" attacks: they will simply reply to the fake email with their personal information. Many students also share their personal information online on social networking sites or shopping sites.
· Receiving many credit card offers. According to the Department of Education, 50% of college students receive credit card offers. Many students simply throw the offers away without destroying them. Anyone can make use of such an offer and obtain a credit card in the name of that student without his knowledge.
· Failure to examine financial records: Students are bad at carefully reading their credit card statements or balancing their checking accounts. This makes Identity theft go undetected for some time.
What preventive measures can be taken?
· Talk about it: Parents must alert their children to identity theft problems in addition to the usual warnings given to their children, which include drugs, drinking, smoking, sex, etc. Identity theft seminars can be conducted in schools and colleges to create awareness about this potential problem. Articles regarding identity theft should be published in newspapers and on the internet for the purpose of creating awareness among students. Awareness about the assistance available to victims of identity theft should also be created.
· Send a shredder to school: Students should be provided with a shredder to destroy their mail and credit card offers.
· Pull credit reports: Free credit report of the student should be pulled and verified together with the student to make sure that it does not contain anything unexpected. This is a good habit to instil in the child for long-term and doing it together emphasizes its importance.
TYPES
Identity theft has been classified into five types.
· Business/commercial identity theft
· Criminal identity theft
· Financial identity theft
· Identity cloning
· Medical identity theft
Identity theft can be a source of other crimes such as illegal immigration, terrorism and espionage. Identity theft may in some instances be a means of blackmail. Some identity thefts are even carried out for non-financial purposes.
Financial identity theft
It is usually of two types.
1. Victim established accounts accessed: To obtain funds from the bank account of a real person, the perpetrator pretends to be an existing account holder. This usually involves obtaining the victim's identity token in the form of a card number (in the case of a credit card), a PIN code (for an ATM), etc. That identity token is then used to make transactions such as ATM withdrawals, internet banking, air ticket reservations, internet shopping, etc. When this happens, the real account holder must report the illegal transaction. The victim's account may even be taken over by the perpetrator; that is, the perpetrator reroutes account statements to a new address. This "account takeover" opens the account to rapid abuse.
2. Perpetrator established accounts: By making use of someone's identity, the perpetrator creates a new account. The intention is to utilize the victim's good credit history to obtain funds in the form of either credit cards or loans.
Here is a classic example of bank fraud. The criminal obtains a loan from a bank or other financial institution by impersonating someone else. By providing an accurate name, address, date of birth, etc., the criminal uses the identity of the victim. The situation is worse if the lender is not able to verify an original, government-issued ID. This happens in online, telephone, fax and mail transactions. This kind of crime is considered non-self-revealing. The perpetrator keeps the money from the loan and does not repay the financial institution. Finally, the victim is blamed for defaulting on a loan which he/she never authorized.
Identity cloning and concealment
In identity cloning and concealment, a criminal acquires the personal identification of someone and uses it to impersonate the victim. This is done for the purpose of concealment from authorities. This may be done by
· A person who wants to avoid arrest for crime.
· A person who is working illegally in a foreign company
· A person who is hiding from creditors
One important thing to notice here is that concealment may continue for an indeterminate period of time. Detection of such a crime is more difficult than detection of credit-dependent financial crimes. The perpetrator may even obtain illegitimate documents or identifiers, thereby making his concealment more secure.
Criminal identity theft
This is a situation where a criminal identifies himself as someone else to avoid arrest. Using stolen documents or personal information belonging to another person, such a criminal may even obtain a state-issued ID. The ID contains the victim's name and identification. When the criminal is arrested, the police place charges under the victim's name and release him. When the criminal fails to appear before the court of law, a warrant is issued for the victim. Only then does the victim become aware of the identity theft.
It becomes difficult for the victim to clear his record. The measures required are complex and depend on whether the true identity of the criminal can be determined. He might need to contact the original arresting officers to prove his identity. Sometimes his fingerprints may prove his identity. He may even have to attend a court hearing to clear his record. Even after clearing his record in court, the victim is still susceptible to a future background check, as various data aggregators still have the incorrect criminal records in their databases.
Synthetic identity theft
This has recently become more common. Here the identities are partially or fully fabricated. The usual process is to combine a real social security number with a fake name and a date of birth other than the ones associated with that number. This form of identity theft is more difficult to track, as it does not show on either person's credit report directly. It can affect consumers in two situations.
· When the consumers' names become confused with the synthetic identities.
· If negative information in their sub files impacts their credit.
Medical identity theft
This occurs when someone's name and other parts of their identity (such as insurance information) are used for obtaining medical service and goods or used for making false claims for medical services. This occurs without the victim's knowledge or consent. Medical identity theft can result in the creation of fictitious medical records in the victim's name.
How Identity Theft is committed? - Techniques for obtaining personal information
An Identity thief obtains identifiers of the victim in one of the following ways. Protecting yourself against identity theft involves knowing the Identity theft facts and information, and the way an identity thief steals your information.
· Stealing victim's mail or getting information from the waste thrown into the dustbin (Dumpster Diving).
· Getting information about the victim from computer servers that have been disposed of carelessly.
· Getting identifiers about the victim from government registers or searching information from public records.
· Stealing the wallet or purse of the victim thereby gaining access to his identifiers such as identity card or Credit cards.
· Eavesdropping on public transactions.
· Using computer malware and viruses such as Trojan horses to obtain personal information from computers and computer databases.
· Advertising fake jobs to which victims will apply with their full name, address, curriculum vitae, telephone numbers and even banking details.
· By infiltrating the organizations that store large amounts of personal information.
· Impersonating a trusted institution or company (corporate identity theft or company identity theft) in an electronic communication for the purpose of obtaining personal information (phishing).
· Obtaining fingerprints for the purpose of faking fingerprint identification.
· Browsing social network sites such as MySpace, Facebook, Orkut, etc for the purpose of obtaining information about the users.
Phishing
Phishing is a type of identity theft scam where attempts are made to acquire sensitive information from users, such as usernames, passwords, credit card details and account details, by masquerading as a trustworthy entity in electronic communication. It is an attempt at identity theft made on the internet. Usually these communications purport to be from popular social web sites, auction sites, and online payment processors. Information is usually obtained through e-mail. The email directs the user to a fake website which looks and feels almost like the real one. The fake website then asks for the personal identifiers. Detecting a fake website is barely possible, even when server authentication is used. Phishing is thus a social engineering technique used to fool users by taking advantage of the poor usability of current web security technologies. The magnitude of the problem can be seen from the fact that governments are taking measures to prevent phishing through legislation, user training, public awareness and security measures.
The first recorded use of the term "phishing" was made in the year 1996. This term is derived from "fishing". Fake sites are used as baits to get information from the users.
History and current status of phishing
A phishing technique was described in 1987. That presentation was actually delivered to the international HP Users group, Interex.
Early phishing on AOL
An identity thief might pose as an AOL staff member and send an instant message to a potential victim asking for his password. In order to convince the victim, the message might ask for verification of his account or confirmation of his billing information. Once the victim took the bait, he might reveal his password. Once the password was revealed, the identity thief used it to get the identifiers of the victim. Phishing on AOL required custom-written programs such as AOHell. The magnitude of the problem can be understood from the fact that AOL added a line to all instant messages stating "no one working at AOL will ask for your password or billing information". AOL developed a system to deactivate the accounts involved in phishing even before users responded to them.
Transition from AOL to financial situations
Once the account information of AOL users had been captured, the identity thieves misused the credit card information. This led to the realization that attacks against online payment systems were feasible. Identity thieves then planned a direct attack against a payment system, affecting E-gold in June 2001. This was followed by a "post-9/11 id check" after the devastating September 11 attacks on the World Trade Center (WTC). Though these attacks were failures, they laid the foundations for fruitful attacks against banks.
Recent phishing attempts
Customers of banks and online payment services are usually targeted by phishing. Emails purporting to be from the Internal Revenue Service have been used to obtain identifiers from U.S. taxpayers. The first version of this kind of phishing sent messages indiscriminately, expecting the appropriate victims to respond while the rest might not. More recently, messages are sent only to appropriate victims. This targeted version of phishing has been termed spear phishing. Whaling is a type of phishing where attacks are targeted specifically at senior executives and other high profile targets within businesses.
Social networking sites have become the primary targets of phishing. As information about their users is easily available, they are the primary targets of identity theft. Experiments even point to a 70% success rate for phishing attacks on social networks. The RapidShare file sharing site has been targeted by phishing to get a premium account. TD Ameritrade's database contains names, addresses, dates of birth, phone numbers, trading activity, social security numbers, account numbers and email addresses. Attackers managed to break into that database so that they could launch a follow-up spear phishing attack.
It is interesting to note that over 50 percent of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.
Phishing techniques
Social engineering
People have an inherent response to things that appear important. When a message is sent to them with a subject such as "to restore access to your account", they take prompt action. Phishing makes use of this behaviour. The victims usually click such a link immediately and end up on fake sites intended to obtain identification information from them. The issue has become severe enough that even government sites are informing their users about such fake messages.
Link manipulation
Most methods of phishing make use of some form of technical deception to drag users to their fake sites. The following techniques of link manipulation may be used:
· Misspelled URLs and the use of subdomains are some of the common tricks used by attackers. For example, the URL http://www.yourbank.example.com/ will take the victim to the "yourbank" section of the example website rather than to the "example" section of the yourbank website. Misspelled sites are also commonly used. For example, suppose youhooo.com is the domain of a famous mail and social service website. The attackers would create a fake copy of the original site on a misspelled domain such as youhoo.com. This fake site asks for the username and password of the victim. The username and password are then used on the original site to access the information about the victim.
· Sometimes the attackers make the anchor text of a link appear to be valid, but the link points to a fake site rather than to the site named in the anchor text. For example, the anchor text www.abcdef.com may actually point to a site www.fake.com.
· Another type of phishing used links containing the '@' symbol, which was originally intended to include a username and password. For example, the link www.google.com@members.tripod.com directs the user to a page on members.tripod.com, contrary to the belief that the user is directed to a page on google.com. Such URLs are disabled in Internet Explorer. Mozilla and Opera issue a warning message before continuing to the page.
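The three link tricks listed above can be checked mechanically when a message is screened. The following Python sketch is an added example, not part of the original article; the trusted-domain list, the sample message and the shortcut of treating the last two labels as the registrable domain are assumptions (production code would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the recipient really deals with (constructed for this example).
TRUSTED = {"yourbank.com", "youhooo.com", "google.com"}
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")

# Constructed sample message reusing the article's example links.
SAMPLE_EMAIL = """
<p>Dear customer, to restore access to your account:</p>
<a href="http://www.yourbank.example.com/">Your bank</a>
<a href="http://youhoo.com/login">Sign in</a>
<a href="http://www.fake.com/">www.abcdef.com</a>
<a href="http://www.google.com@members.tripod.com/">Search</a>
<a href="https://www.yourbank.com/help">www.yourbank.com</a>
"""


def split_host(url):
    """Return (userinfo, host) the way a browser resolves the URL."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.username, (parts.hostname or "").rstrip(".")


def registrable(host):
    """Naive registrable domain: the last two labels (assumption, see lead-in)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, anchor_text=""):
    """Return the list of link-manipulation findings for one hyperlink."""
    findings = []
    userinfo, host = split_host(href)
    domain = registrable(host)
    if userinfo is not None:
        # Everything before '@' is a username, not the site being visited.
        findings.append("userinfo")
    if domain not in TRUSTED:
        brands = {t.split(".")[0] for t in TRUSTED}
        if brands & set(host.split(".")[:-2]):
            # A trusted brand name used as a subdomain of someone else's domain.
            findings.append("brand-in-subdomain")
        for t in sorted(TRUSTED):
            if 0 < edit_distance(domain, t) <= 2:
                findings.append("lookalike:" + t)
    text = anchor_text.strip()
    if DOMAIN_LIKE.fullmatch(text):
        # The visible text names a site; it must match where the link really goes.
        if registrable(split_host(text)[1]) != domain:
            findings.append("anchor-mismatch")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html):
    """Map each suspicious http(s) link in an HTML body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        if href.lower().startswith(("http://", "https://")):
            findings = check_link(href, text)
            if findings:
                report[href] = findings
    return report


if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link, why)
```
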
Filter evasion
Attackers are now using images instead of text in their messages to avoid detection by anti-phishing filters. As anti-phishing filters only look for text commonly used in phishing mails, they cannot detect messages made of images.
Website forgery
Once a victim is directed to the phishing site, the drama is not over. Some phishing scams alter the address bar by either using JavaScript commands or by replacing the address bar with a fake address bar containing the address of a legitimate URL.
Even flaws in the scripts of a trusted website can be used by an identity thief to attack a potential victim. These types of attacks are known as cross-site scripting. They are particularly problematic because the user, trusting the site, provides the information, and the flaw in the scripting of the site is then used to transfer the information to the attacker. Such a flaw was used in 2006 against PayPal.
In order to evade anti-phishing techniques which scan websites for phishing-related text, attackers have begun to use Flash-based sites. These look similar to the real sites, but the text is hidden in a multimedia object.
Phone phishing
Not all phishing attacks are based on fake websites. Sometimes messages purporting to be from a bank direct the user to call a phone number. That number is owned by the attacker and provided by a Voice over IP service. Once the victim dials that number, he is prompted to enter his account number and PIN. Voice phishing, sometimes called vishing, can even involve fake caller ID data to make the user believe that he is calling a trusted organization.
Other techniques
Another successful technique is to direct the user to a bank's legitimate website and then obtain information from him in a pop-up window, in a way that makes it appear that the bank is actually requesting the details of the user. For this and many other purposes, pop-up windows are blocked in all famous web browsers.
Phishing statistics
It is estimated that between May 2004 and May 2005, phishing caused losses to approximately 1.2 million computer users in the United States. The total loss is approximately US $929 million. United States businesses are losing an estimated US $2 billion per year as their clients become victims. The situation was worse in 2007. Approximately 3.6 million adults lost US $3.2 billion in the twelve months ending in August 2007. In the United Kingdom, losses from phishing almost doubled from £12.2 million in 2004 to £23.2 million in 2005. On average, 1 in 20 computer users claimed to have lost out to phishing in 2005.
The United Kingdom banking body APACS adopted the stance that "customers must also take sensible precautions. So they are not vulnerable to the criminal."
Anti-phishing
Several different techniques are used to fight phishing, ranging from legislation to technology created specifically for use against phishing. Prevention is better than cure, so making people aware of the problem and effects of phishing is a better approach than taking measures to punish the attackers.
Social Responses
The best strategy for combating phishing is to create awareness among people. They should be taught to recognize fake e-mails and how to deal with them. Spear phishing is a newer phishing tactic in which attackers target a specific company. Individuals are therefore trained at various locations, including the United States Military Academy at West Point, New York. In a study of spear phishing conducted in June 2004, 80 percent of 500 West Point cadets who were sent a fake e-mail were tricked into revealing personal information.
A slight modification of browsing habits is all that is needed to avoid phishing attacks. When contacted about an account needing to be "verified", it is wise to contact the bank or company from which the email apparently originated and verify whether the email is legitimate. Alternatively, instead of using the hyperlink provided in the email, the genuine address of the company can be typed into the address bar of the browser.
Almost all legitimate emails from trusted companies contain an item of information that is not readily accessible to the attacker. For example, PayPal always addresses its customers by their username in emails. So if an email purporting to be from PayPal addresses the recipient in a generic fashion ("Dear PayPal Customer"), it is likely to be a fake email. Emails from banks and credit card companies often contain partial account numbers, which are unavailable to attackers. However, a recent study has shown that people fail to distinguish between the first few digits and the last few digits of the account number. This is a significant problem because the first few digits are often the same for all clients of a financial institution.
People have to be trained to be suspicious if a message does not contain any specific information. But phishing attempts in 2006 even used specific information, which makes the situation worse. So it is unsafe to assume that a message is legitimate just because specific information is present. A recent study found that providing specific information in fake emails does not affect the outcome, as many people do not pay attention to such information.
The Anti-Phishing Working Group, an industry and law enforcement association, has predicted that conventional phishing techniques will become obsolete in the near future because of increasing awareness of the social engineering techniques used by attackers. They predicted that pharming and other forms of malware will pose the threat in the near future.
Technical responses
Anti-phishing measures have been implemented as features embedded in browsers and anti-virus software, as extensions or toolbars for browsers, and as part of website login procedures.
Helping to identify legitimate websites
Most websites targeted for phishing are in fact secure websites. SSL with strong cryptography is used for server authentication, with the website's URL as the identifier. In theory, it should be possible for SSL authentication to confirm the site to the user, and this was SSL v2's design requirement. Unfortunately, it is easy to trick the SSL authentication.
The superficial flaw is that the browser's security user interface (UI) is not capable of dealing with today's strong threats. There are three parts to secure authentication using TLS and certificates:
· Indicating the connection is in authenticated mode.
· Indicating which site the user is connected to.
· Indicating which authority says it is the site.
All three are necessary for authentication to be confirmed to the user.
Secure connection: The standard display for a secure connection from the mid-1990s to the mid-2000s was the padlock, which was easily missed by the user. Mozilla used a yellow bar in 2005 as a better indication of the secure connection. Unfortunately, with the introduction of EV certificates, certain high-value certificates are displayed with a green bar and other certificates with a white bar, and the yellow bar used in 2005 was discontinued.
Which site: The user is expected to confirm that the domain name in the browser's address bar is in fact where they intended to go. Because of their complexity, URLs are sometimes not easy to parse. Users also often do not know how to recognise the URL of the legitimate site they intend to connect to. This flaw makes the authentication meaningless.
An alternative approach is the petname extension for Firefox, which lets users give their own labels to websites so that they recognise a site when they visit it again. If the site is not recognised by the extension, it either issues a warning to the user or blocks the site outright. This is a form of user-centric identity management of server identities. Some even suggest selecting a graphical representation rather than just a pet name.
With the advent of EV certificates, browsers typically display the organization name in a green bar, which is more visible and more consistent with web users' expectations. But the main problem is that many users do not look for the certificate. They do not even look at the address bar. In this fast world, they miss this small piece of valuable information about the security of the site.
Fundamental flaws in the security model of secure browsing
Experiments to improve the security user interface have brought benefits, but they have also exposed fundamental flaws in the security model. The underlying causes of the failure of SSL authentication are many.
Security before threat: Secure browsing was put into place before any threat was evident, so it lost its importance in the war between the browsers. The original design of the Netscape browser included a prominent display of the name of the site and the name of the certification authority, but these were dropped in the first release. Nowadays users do not check the security information at all.
Click-thru syndrome: If a certificate has an error in it, the browser launches a pop-up to warn the user. But users tend to bypass such warnings, which results in click-thru syndrome.
Lack of interest: The process of acquiring a certificate is inconvenient and expensive, so the use of authentication is too rare to be anything but a special case.
Lateral communication: The security model for secure browsers includes many participants: user, browser, vendor, developers, CA, auditors, web server vendor, ecommerce site regulators and security standards committee. For proper authentication, all the participants need to communicate with each other. In reality, each participant looks to the others as the source of the failures that lead to phishing, so local fixes are not prioritised.
Browsers alerting users to fraudulent websites
This is one popular approach to fighting phishing. A list of known phishing sites is maintained, and the browser checks each requested site against the list. Microsoft Internet Explorer 7, Mozilla Firefox 2.0, Safari 3.2 and Opera all contain this type of anti-phishing measure. Firefox 2.0 used Google anti-phishing software. Opera 9.1 uses live blacklists from PhishTank and GeoTrust. According to an analysis by an independent software company, Firefox 2.0 appears to be better than Internet Explorer 7 at detecting fraudulent sites and warning about them. Because some implementations of this approach send the visited URLs to a central service to be checked, concerns about privacy have been raised.
To mitigate the problem of phishing sites impersonating victim sites by embedding their logos and other images, several site owners have altered their images and informed users of the alterations. An image may be moved or its filename changed, so that when a fake page is viewed, a warning message may be displayed instead of the original image.
Augmented password logins
Many sites ask users to select a personal image for their login page, so that each time the page is viewed from their computer, that image is displayed. With the personal image displayed, users can be sure that the page is not fake. Users are instructed to enter their password only when they see that image. This technique is used on the Bank of America website, Yahoo, etc. However, a recent study suggests that only a few users refrain from entering their password when the personal image is absent. This feature is also susceptible to other attacks, such as those suffered by the Scandinavian bank Nordea in late 2005 and Citibank in 2006.
Some financial institutions use a technique similar to the previous one by displaying an automatically generated "Identity Cue" consisting of a coloured word within a coloured box.
Eliminating phishing mail
The number of phishing emails that reach the user's inbox can be minimised by using specialised spam filters. These filters rely on machine learning and natural language processing approaches to classify phishing emails.
Monitoring and takedown
Several companies offer banks and other institutions round-the-clock services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by notifying volunteer and industry groups (for example PhishTank) of such fake websites. Phone phishing can also be reported by users to the Federal Trade Commission.
Ghosting
Ghosting is a form of identity theft in which someone steals the identity and the role in society of a specific dead person (the "Ghost") whose death is not known to many. Usually the person who steals the identity of the dead person (the "Ghoster") is about the same age that the dead person would have been if still alive, so that any documents citing the Ghost's date of birth will not be conspicuously incorrect.
The purpose of ghosting is to give the ghoster an existing identity, already listed in government records, for his own use. As the original possessor is dead, the identity of the Ghost is dormant. Ghosting relies on the fact that separate government agencies do not fully exchange information. A ghoster can therefore apply for a passport or Social Security benefits in the name of a dead person, because these agencies do not cross-check the applicant's history to determine whether a death certificate has been issued in the applicant's name. Nowadays, however, ghosting is more difficult than before because of extensive cross-checking.
General description
The motives for ghosting and for financial identity theft are entirely different. Identity theft is usually done to exploit the credit rating of a living person who is an active member of society. The thief retains his own name and place in society while unlawfully using someone else's more advantageous financial situation. The identity thief is more interested in exploiting the victim's financial credit than in actually acquiring the victim's identity. In contrast, the ghoster is interested in the dead person's identity rather than the financial status. A dead person is chosen to avoid the risks that would arise if two living people used the same Social Security Number (SSN). Unlike a typical identity thief, who squeezes quick profits from the victim and moves on to the next one, a ghoster may actively seek to acquire and maintain a respectable credit rating in his or her new identity.
Ghosting is largely a phenomenon of the 20th century. Before the arrival of the Social Security system, a person could live without incurring suspicion even without possessing identity documents. Counterfeit identity information also could not easily be proved false before the advent of the Social Security system. With the advent of income tax and the Social Security system in the 1920s, it became essential for every adult to possess an identity that was registered with the government. In the 21st century, ghosting has become difficult to perform because of advancements in technology. Governments have also increased the penalties for those who get caught.
Before databases were computerized, ghosting was easier to perform, especially in the United Kingdom, where birth certificates and death certificates are public documents. The General Records Office in London contains indexed registers of all births, deaths, marriages and adoptions in England and Wales. The typical ghoster might consult the death records to get the identifying information of a dead person appropriate for his age and sex. After finding a suitable candidate, the ghoster would consult the birth index to get the dead person's date of birth. He might then pay a small fee to obtain a copy of the dead person's birth certificate. Using this as a base, the ghoster would gradually acquire the information needed to live in the place of the dead person.
Although the majority of known ghosters are male, females can easily perform ghosting for two reasons:
· A female ghoster can steal the identity of a dead woman who had married and taken her husband's name. Detection becomes difficult in this case, as the death certificate and the birth certificate will show two different surnames (one her father's name and the other her husband's name).
· Also, gaps in the ghost identity's employment history (the years between the ghost's death and the time the ghoster claims the identity of the dead person) will not arouse suspicion in the case of a female ghoster. They can be explained by saying that she spent the intervening years as a homemaker with no wages.
In the 1970s, a counterculture publishing firm in California named Eden Press published a pamphlet, The Paper Trip, providing detailed instructions for performing ghosting. The advice given to people interested in ghosting was to search newspaper archives for old articles about the death of an entire family in an accident while on vacation outside their home state. This offers several advantages to a potential ghoster.
· Because the incident caused the death of multiple persons, the identity thief has more options and can choose the identity of the one appropriate for his age and sex.
· As the entire family was killed in the accident, the dead person whose identity is stolen is not likely to have any immediate relatives who are still alive and aware of his death.
· Because the family died outside their home state, the deaths will be registered in a state other than their home state, while the birth records will be in their home state. So the information is unlikely to be cross-referenced. Unless the deceased family's remains were returned to their home community for burial, the staffers in the local records office are unaware that the family is deceased. So there will not be any suspicion when someone claiming to be a member of the family requests a copy of the birth certificate of any of the family members.
· Because the deaths occurred years ago (as the information is gathered from old newspapers), new requests for an old birth certificate are unlikely to arouse suspicion in anyone's mind.
Drawbacks
Ghosting is no longer easy to perform, because of the increasing computerization of vital records. Until the 1990s, each state in the United States maintained its own birth records and death records in separate registries with no cross-reference. Modern search engines enable government clerks to establish quickly whether a death certificate has ever been issued for the person in any state.
Many ghosters have criminal records under their original identity and seek new identities to start a new life free from those records. Before the advent of computer imaging, searching fingerprint archives was a difficult and tedious process for law-enforcement officials. If a ghoster was arrested and his fingerprints were registered under his new identity, the authorities might fail to discover any records of a prior arrest for the same set of fingerprints registered with a different name and date of birth. This is no longer true with today's more sophisticated techniques. With modern imaging technology, millions of fingerprints can be scanned with search engines and a positive match found quickly, which police can transmit electronically to other police forces anywhere in the world. New identity documents can no longer conceal prior arrests.
Another factor discouraging modern-day ghosting is the development of biometric I.D. and DNA typing. A further factor is that the penalties for ghosting have become very severe. Previously, persons with a long record of criminal activity and arrests would try to commit the minor crime of ghosting in order to acquire a new identity with no prior arrests. This is no longer true. After the September 11, 2001 attacks (9/11), any person found to be in possession of a false identity is suspected of terrorism. A person who unlawfully acquires an identity, whether by identity fraud or by ghosting, will be dealt with far more aggressively than he might have been in the past.
Ghosting has never been foolproof. After acquiring the identity of the dead person, ghosters become overconfident. They refuse to abandon the habits and associations of their previous identity.
Types of ghosters
Most ghosters are hiding their identity from something: a criminal record, a marriage, or bad debts. In contrast to typical identity thieves, ghosters are usually persons with a previous criminal record who are searching for a new identity with no criminal record. Several members of the Revolutionary Youth Movement of the 1960s desired to hide their false identities and decided to start a new life with no memory of the past events they had been involved in. Most of them started a new life by ghosting. During the Vietnam War, many young men avoided the draft by fleeing to other nations, especially Canada. There they acquired ghost identities enabling them to live as natives of those countries.
During the Holocaust, many Jewish refugees in Poland and Austria were given fraudulent Baptismal certificates by Catholic priests, enabling them to pass as Catholics. Technically this can be called ghosting as the identity papers were authentic documents provided by authorities (the clergy) empowered to issue them.
During the days of racial segregation in the United States and South Africa, light skinned mulattos, legally defined as Negros, had a strong desire to acquire ghost identities as Caucasians.
Another category of people who seek a ghost identity includes victims of sexual abuse, especially if the abuse occurred in childhood. They would like to acquire the identity of someone who was not the victim of sex abuse. This is especially true if the sexual abuse was incest, as the victim and the sexual predator are closely related. The victim has a strong incentive to escape his or her family name and identity. It has been found that a major proportion of ghosters belong to this category. Ghosters who fit into this category are difficult to discover because they acquire the identity not to commit any crime but to live according to the law, away from the sexual predators.
Another unusual class of ghosters are transsexuals who feel a compulsion to change their physical gender. Regarding sex reassignment surgery, the United Kingdom is peculiar. In the United States and other similar industrialised nations, a person who undergoes sex reassignment surgery can usually petition the government to issue a new birth certificate and passport reflecting the change of sex. But the United Kingdom did not allow this. Until the Gender Recognition Act 2004, the person officially belonged to the same sex even after undergoing Sex Reassignment Surgery (SRS). Another flaw in the British law is that all children born with ambiguous genitals must be registered as male at birth, even if they developed female traits later and identified as female. An English woman born with an enlarged clitoris was considered male. The British government refused to amend this error, so she decided to acquire a ghost identity of a female appropriate for her age.
Credit Card Identity Theft
Credit card fraud is a broad term for theft and fraud committed using a credit card. The purpose may be to obtain goods without paying or to obtain unauthorized funds from an account. Credit card fraud is a subtype of identity theft. The series of events involved in credit card fraud begins with the theft of the physical card, or with obtaining the information shared with the merchant during a usual transaction. Using the information obtained, online purchases can be made or loans can be applied for. These types of activities can be done until the account is ultimately used for the fraud. A simple example of such a crime is a store clerk copying sales receipts for later use. As credit card use on the internet has become more frequent, the situation is becoming worse.
Physically stolen cards will be reported by the cardholder immediately, so sufficient losses can be avoided. But theft of credit card information and its use on the internet by the identity thief can go undetected for weeks or even months. The cardholder will discover the fraudulent use only after receiving a bill statement, and statements are delivered infrequently (usually every month).
Stolen cards
When a credit card is lost or stolen, it remains active until the cardholder cancels it by informing the issuer. Most issuers have 24-hour telephone numbers for this purpose. But it is still possible for the thief to use the card until it is deactivated by the issuer. Without these security measures, a thief could potentially purchase thousands of dollars in merchandise before the cardholder or the issuer is aware of the situation.
The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Many merchants will ask to see a picture ID, such as a driver's license, to verify the identity of the cardholder. Some credit cards include a picture of the cardholder. Merchants can ask for identification, but the cardholder has a right to refuse to show the additional information. In fact, asking the cardholder for such information may be a violation of the merchant's agreement with the credit card companies. Once a card is stolen, self-serve payment systems are common targets, since they have no method of verifying the identity of the cardholder. As a security measure, such systems require the cardholder to enter the ZIP code. But that is of no use when a wallet is stolen, because the wallet contains the additional information the self-serve payment system asks for. For instance, a driver's license has the home address and ZIP code printed on it.
Card issuers have several countermeasures, including software that authorizes transactions by estimating the probability of fraud. For example, when a large transaction occurs at a great distance from the cardholder's location, the software treats the transaction as suspicious and requires authentication. The software instructs the merchant to verify with the card issuer, to decline the transaction, or even to hold the card and refuse to return it to the customer.
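The kind of rule described above can be sketched as follows. This is an added example, not code from any card issuer: the point values, thresholds, the `Txn` record and the sample coordinates are all assumptions chosen for illustration. It goes slightly beyond the text by also scoring the travel speed implied by two consecutive transactions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

@dataclass
class Txn:
    amount: float  # in the card's billing currency
    lat: float     # merchant latitude in degrees
    lon: float     # merchant longitude in degrees
    epoch: int     # authorization time, seconds since the epoch

def haversine_km(a: Txn, b: Txn) -> float:
    """Great-circle distance between the two merchant locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def risk_points(txn: Txn, previous: Txn, typical_amount: float) -> int:
    """Score 0..100 from amount, distance and implied travel speed.

    All weights and cut-offs below are assumed values, not an issuer's.
    """
    points = 0
    ratio = txn.amount / typical_amount
    if ratio >= 5:            # far above the cardholder's usual spend
        points += 40
    elif ratio >= 2:
        points += 20
    distance = haversine_km(previous, txn)
    if distance >= 500:       # a great distance from the last known use
        points += 30
    # Guard against clock skew or out-of-order records: at least one minute.
    hours = max((txn.epoch - previous.epoch) / 3600, 1 / 60)
    if distance / hours > 900:  # faster than a commercial flight
        points += 40
    return min(points, 100)

def decide(points: int) -> str:
    """Map the score to the action sent back to the merchant."""
    if points >= 80:
        return "decline"
    if points >= 50:
        return "verify"       # ask for additional authentication
    return "approve"

# Constructed sample data: a card normally used in New York.
PREVIOUS = Txn(40.00, 40.7128, -74.0060, 0)
SAMPLES = {
    "local purchase": Txn(45.00, 40.7128, -74.0060, 3600),
    "large, London, 2 h later": Txn(1200.00, 51.5074, -0.1278, 7200),
    "large, London, 2 days later": Txn(300.00, 51.5074, -0.1278, 172800),
}

if __name__ == "__main__":
    for label, txn in SAMPLES.items():
        pts = risk_points(txn, PREVIOUS, typical_amount=50.0)
        print(f"{label}: {pts} points -> {decide(pts)}")
```
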
Compromised accounts
Credit card information is stored in a variety of formats. Credit card account numbers are often imprinted or embossed on the card, and a magnetic stripe on the back of the card contains information in machine-readable format. The most common information in the magnetic stripe includes:
· Name of the card holder.
· Account number.
· Expiration date.
· Verification/CVV Code.
Card not present (CNP)
Mail order and the internet are the major routes for fraud against merchants selling and shipping products. If the card is not physically present, the merchant has to rely on the cardholder (or someone purporting to be so) presenting the information indirectly through mail, telephone or the internet. Presenting credit card information indirectly through these means is riskier than presenting the card in person. Telephone ordering is the riskiest.
It is difficult for the merchant to make sure that the actual cardholder is authorising the purchase. Shipping companies can confirm delivery to a location, but they are not required to verify identification. They are also not usually involved in processing payments for the merchandise. A common security measure is to authorise shipment only to an address approved by the cardholder. This can be verified by simple methods offered by the merchant banking systems.
Small transactions generally undergo less scrutiny and are less likely to be investigated by the cardholder or the issuer. It has been said that many fraud prevention features do not recognise small transactions.
Identity theft
Identity theft can be divided into two broad categories: Application fraud and account takeover.
Application fraud:
Application fraud occurs when the identity thief uses the stolen documents to open an account in the name of the victim. Identity thieves steal documents such as utility bills and bank statements to build up useful personal information or they may create counterfeit documents.
Account takeover:
Account takeover is another aspect of identity theft, in which the attacker tries to take over the victim's account. First the attacker gathers the information about the intended victim that is required to masquerade as the victim. Then, using the victim's personal information, the attacker contacts the card issuer and asks for mail to be redirected to a new address. The attacker then reports the card as lost and asks for a new one to be sent. To protect their consumers and their own reputation, some merchants have adopted a new practice of asking the cardholder to send a photocopy of the physical card and a statement to ensure the legitimate usage of a card.
Skimming
Skimming is the theft of credit card information used in a legitimate transaction. It is usually done by a dishonest employee of a legitimate merchant. The thief can record the victim's credit card number in many ways, ranging from basic photocopying of the receipt to an advanced technique using a small device called a skimmer. A skimmer is a small electronic device used to swipe and store hundreds of victims' credit card numbers. Common scenarios for skimming include restaurants or bars, where the skimmer has possession of the victim's credit card out of their immediate view. So the employee should be watched carefully from the moment he receives the card until he returns it. He should not be allowed to swipe the card twice for any reason.
Instances of skimming have been reported in which the skimmer puts a device over the card slot of an ATM (Automated Teller Machine). The device reads the magnetic stripe of credit cards or debit cards as their users, unaware of it, pass their cards through it. This device is always used in association with a pinhole camera which reads the user's Personal Identification Number (PIN) at the same time.
It is difficult for the typical cardholder to detect that he is a victim of skimming, but card issuers can detect it given a large enough sample. The card issuer collects a list of all cardholders who have complained of fraudulent transactions. Then, using a technique called data mining, the issuer discovers the relationship between those cardholders and the merchants they use. For example, if many of the cardholders who complained of fraudulent transactions used a particular merchant, that merchant can be investigated directly. Merchants are responsible for the security of their cardholders and for safeguarding their consumers against skimming. Otherwise the penalties for merchants are severe, ranging from large fines by the issuer to complete exclusion from the system. Exclusion from the system is a deathblow to businesses such as restaurants, where credit card transactions form the base.
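The data-mining step described above can be illustrated with a small "common point of purchase" calculation. This is an added example, not an issuer's actual method: the card and merchant names are constructed, the `min_cards` and `min_lift` thresholds are assumptions, and the transactions are assumed to be those made before the complaints were filed.

```python
from collections import defaultdict

def common_points_of_purchase(transactions, fraud_cards, min_cards=3, min_lift=2.0):
    """Rank merchants whose customers report fraud far more often than average.

    transactions: iterable of (card_id, merchant) pairs
    fraud_cards:  set of card_ids whose holders complained of fraud
    Returns a list of (merchant, complaining_cards, total_cards, lift),
    where lift = merchant's complaint rate / overall complaint rate.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)

    if not all_cards:
        return []
    baseline = len(fraud_cards & all_cards) / len(all_cards)
    if baseline == 0:
        return []  # no complaints, nothing to correlate

    suspects = []
    for merchant, cards in cards_by_merchant.items():
        if len(cards) < min_cards:
            continue  # too few cards to say anything meaningful
        hits = len(cards & fraud_cards)
        lift = (hits / len(cards)) / baseline
        if lift >= min_lift:
            suspects.append((merchant, hits, len(cards), round(lift, 2)))

    # Highest lift first, then most complaints, then name for a stable order.
    suspects.sort(key=lambda s: (-s[3], -s[1], s[0]))
    return suspects

# Constructed sample: twelve cards, four of which later reported fraud.
ALL_CARDS = [f"c{n:02d}" for n in range(1, 13)]
FRAUD_CARDS = {"c01", "c02", "c03", "c04"}
SAMPLE_TRANSACTIONS = (
    [(c, "grocer") for c in ALL_CARDS]                         # everyone shops here
    + [(c, "bistro") for c in ("c01", "c02", "c03", "c04", "c05")]
    + [(c, "fuel") for c in ("c01", "c06", "c07", "c08")]
    + [("c02", "kiosk")]                                       # single card only
)

if __name__ == "__main__":
    for row in common_points_of_purchase(SAMPLE_TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

The grocer is used by every complaining cardholder but also by everyone else, so its lift is 1.0 and it is not flagged; only the merchant whose customers complain disproportionately often is returned.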
Carding
Carding is a process used to verify the validity of a stolen card. To test the card, the thief may enter the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that it is valid. The thief does not need to purchase an actual product to test the validity of the card. The purchase is usually for a small monetary amount, for two purposes: to avoid using up the credit card's limit and to avoid attracting the card issuer's attention unnecessarily. A cardable website is a website known to be susceptible to carding.
In the past, computer programs called "Generators" were used to produce a sequence of credit card numbers, which were then tested to see which were valid. However, this technique is no longer applicable, as websites now require additional data such as the card expiration date, 4-digit PIN (Personal Identification Number), cardholder's name, etc. for authorising the transaction. Nowadays, carding is commonly used to test credit card information obtained from skimming and phishing.
A set of credit card details that has been verified in this way is popularly known in fraud circles as a phish. The individuals who carry out the actual fraud buy these data files of phish from a carder. The value of a phish in the market ranges from US $1.00 to US $50.00 depending on the type of the card, the freshness of the data and the credit status of the victim. Newer data is more valuable, as is card information with more credit value.
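From the merchant's side, the small test purchases described above leave a recognisable pattern in authorization logs: one source trying many different cards for small amounts, with a high share of declines. The detector below is an added example, not part of the original article; the log format, the tokenised card identifiers, the addresses (documentation ranges) and all thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: time, source address, card token, amount, result.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=198.51.100.7 card=tok_a1 amount=1.00 result=declined
2024-01-01T10:01:00 src=198.51.100.7 card=tok_a2 amount=1.00 result=declined
2024-01-01T10:01:30 src=203.0.113.20 card=tok_z9 amount=3.50 result=approved
2024-01-01T10:02:00 src=198.51.100.7 card=tok_a3 amount=1.00 result=approved
2024-01-01T10:02:30 src=192.0.2.44 card=tok_q4 amount=59.90 result=approved
2024-01-01T10:03:00 src=198.51.100.7 card=tok_a4 amount=1.00 result=declined
2024-01-01T10:03:30 src=203.0.113.20 card=tok_z9 amount=2.00 result=approved
2024-01-01T10:04:00 src=198.51.100.7 card=tok_a5 amount=1.00 result=declined
2024-01-01T10:05:00 src=198.51.100.7 card=tok_a6 amount=1.00 result=approved
2024-01-01T10:06:00 src=203.0.113.20 card=tok_z9 amount=4.25 result=approved
"""

def parse(line):
    """Turn one log line into a dict; the format is the constructed one above."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(stamp),
        "src": kv["src"],
        "card": kv["card"],
        "amount": float(kv["amount"]),
        "declined": kv["result"] == "declined",
    }

def detect_card_testing(lines, window=timedelta(minutes=10), min_cards=5,
                        small_amount=5.00, min_decline_ratio=0.5):
    """Return {source: time of first alert} for sources that look like card testing.

    A source is flagged when, inside the sliding window, it has attempted
    small-amount authorizations on at least `min_cards` distinct cards and
    at least `min_decline_ratio` of those attempts were declined.
    """
    recent = defaultdict(deque)   # per-source small-amount events in the window
    flagged = {}
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        if ev["amount"] > small_amount:
            continue              # ordinary purchases are outside this rule
        queue = recent[ev["src"]]
        queue.append(ev)
        while queue[0]["ts"] < ev["ts"] - window:
            queue.popleft()       # drop events older than the window
        distinct_cards = {e["card"] for e in queue}
        declines = sum(e["declined"] for e in queue)
        if (len(distinct_cards) >= min_cards
                and declines / len(queue) >= min_decline_ratio):
            flagged.setdefault(ev["src"], ev["ts"])
    return flagged

if __name__ == "__main__":
    for src, when in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(f"possible card testing from {src}, first alert at {when}")
```

A repeat customer making several small purchases with one card is not flagged, because the rule counts distinct cards rather than transactions.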
Profits, Losses and punishment
Responsibility for credit card fraud varies with the country. In the United States of America, the merchant is responsible for credit card fraud. In some countries the card issuer has the responsibility, whereas in others it is the cardholder who is responsible. The inconvenience can be quite costly even if the cardholder does not actually lose money. And credit card companies have to pay for preventing credit card fraud while maintaining a good customer experience.
Credit card companies like Visa and MasterCard earn revenue from each transaction at a rate of 2 to 4 percent, depending on the payment method. So naturally, credit card companies try to increase the number of transactions. But implementing methods to reduce credit card fraud actually reduces the number of transactions and the cumulative transaction volume. This results in a conflict of interest for the credit card companies. Fraud investigation costs also tend to be higher.
United States
Cardholder liability
In the United States of America, Federal law limits the liability of the credit cardholder to US $50.00 in the event of theft, regardless of the amount charged on the card. In practice, many card issuers will not charge this amount to the customer's account if the customer signs an affidavit stating that the charges are fraudulent. Card issuers increase fees and interest rates to compensate for such losses.
Merchants
The merchant bears the whole loss. The merchant loses the value of any goods or services sold. These losses make merchants alert, which results in legitimate transactions being refused and thereby causes further loss to the merchant. To safeguard themselves, online merchants can apply for additional services offered by credit card companies, such as Verified by Visa and MasterCard SecureCode. However, customers find such things time-consuming, and this affects the online merchants.
According to Federal law, the merchant, not the credit card company, is responsible for credit card fraud. The merchant must pay the full cost of the fraud and the chargeback fee if these are not covered by the merchant's chargeback insurance. Current legislation is not in favour of merchants and hurts them seriously. They have to accept losses as part of doing business. Online shops anticipate such losses and raise the cost of their goods to compensate.
Card Theft
Credit card fraud in the US is widespread and frequently left unpunished. Crimes are handled only when the amount reaches $150,000. This fact is well known to credit card thieves and in fact encourages credit card fraud, as it is easy to keep the fraudulent amount below $150,000. For example, the Federal Trade Commission (FTC) has a policy not to investigate fraud cases below $2,000.
Detection and Punishment
In the United States of America, people who commit credit card fraud are left unpunished. This encourages them to commit credit card fraud frequently and victimize more consumers and merchants. The Secret Service handles crime involving the United States money supply. But as mentioned before, credit card frauds are handled only when their limit reaches $150,000. Being aware of this, most credit card criminals keep purchases from any one business below $150,000. Credit card fraud can be reported to the Federal Trade Commission (FTC) and to local and regional authorities. The Federal Trade Commission (FTC) also has a policy not to investigate reports where the value of fraud does not exceed $2,000. Depending on the amount, type and location of fraud, local law enforcement may or may not further investigate a credit card fraud.
United Kingdom
In the United Kingdom, the Consumer Credit Act 1974 (amended 2006) regulates the use of credit cards. This Act provides a number of protections and requirements to be fulfilled. Both the merchant and the credit company are jointly liable for a sale. The cardholder can approach either of the two if there is any fault. Because of this responsibility, most card issuers provide protection against faulty sales and will chase up merchants that sell faulty goods. Any misuse of the card must be refunded by the card issuer or merchant.
The Distance Selling Regulations state that goods ordered by phone, Internet or mail should be delivered to the cardholder's address. There is also a 7-day "cooling off period" during which they can be returned without charge. The aim is to protect against mis-selling, but it also helps against credit card fraud.
Credit Card Companies
To avoid being "charged back" for fraudulent transactions, merchants can sign up for services provided by Visa (Verified by Visa) and MasterCard (MasterCard SecureCode). These require the consumer to enter additional information to confirm a transaction. This can be beneficial in terms of the security it provides. But at the same time it takes up the customer's time, which many customers do not like.
Most online merchants are not taking adequate measures to protect their websites from fraud attacks. Being blind to sequencing is one example of inadequate measures to protect against attacks by credit card criminals. In contrast to automated product transactions, a clerk overseeing "card present" authorization requests must approve the customer's removal of the goods from the premises in real time.
Credit card companies like Visa and MasterCard receive profit from transaction fees, which are usually between 2% and 4% on each transaction. This makes the credit card companies focus their attention on increasing the number of transactions. Number of transactions and protection are inversely proportional. The credit card companies can increase the number of transactions by reducing the precautions needed for authorising the transactions.
All card-accepting companies and card-carrying customers are bound by civil contract law. But there are only a few criminal laws covering card-stealing fraud.
Merchants
In addition to losing the goods or services sold, the merchant is liable for a chargeback fee. For that reason, many merchants are taking steps to avoid chargebacks, such as not accepting suspicious transactions. This further increases the loss, because the merchant may also turn away legitimate transactions in the process.
How to protect yourself from identity theft
How to protect oneself from identity theft? How to stop identity theft? These questions are asked by many people, as identity theft is the fastest growing crime in the United States of America and, if one is not careful, it could happen to anybody at any time. On average, it takes victims a year to realize that they are victims of identity theft. Preventing identity theft is an essential requirement of the modern era. Even though it is not possible to completely stop identity theft, the measures needed for avoiding identity theft must be known to everyone.
Personal Information
The best way to stop identity theft is to understand what personal information should be kept private. Protecting personal information means protection against identity theft. While some information is inevitably going to be made public, there are some items with high sensitivity that should never be made public. The sensitivity of each identifier is given in the table below. Protecting oneself against identity theft involves nothing more than protecting personal information, particularly those items which are highly sensitive. Anyone with knowledge of one of the highly sensitive items can do a lot of damage to the victim. The complicated thing in identity theft is identifying the manner in which, and from where, the identity is stolen.
Item | Sensitivity
Full Name | Low
Address | Low
Phone Number | Low
Date of Birth | Medium
Birth place | Medium
Mother's Maiden Name | Medium
Social Security Number | High
Bank Account Number | High
Credit Card Number | High
PIN or Password | High
Where is your identity stolen from?
The following are the precautions to be taken to prevent Identity theft.
Mail - Mail Identity Theft
The Federal Trade Commission has reported that approximately 400 thousand Americans suffered identity theft in the last year due to stolen mail. Almost 90 percent of such cases could have been avoided. When dealing with mail, careful attention has to be paid, as it contains a lot of sensitive personal information. Here are some tips for ensuring that mail doesn't fall into the wrong hands.
· Do not leave outgoing mail in an unsecured location. Deposit mail in USPS collection boxes.
· Do not leave mail in the mailbox overnight or on weekends.
· Have your mail held at the post office while you are out of town.
· Get a mailbox that locks.
Computer - Computer Identity Theft or Cyber Identity Theft
Most casual PC users are unaware of the potential problems on the Internet. Such casual users can have their identity stolen unless they have adequate knowledge and protection. The following measures help to protect oneself:
· Use anti-spyware and anti-virus software.
· Do online shopping only on trusted sites.
· Learn to recognise fake mails and do not get baited by persons involved in phishing.
· Encrypt your wireless connection, so that outsiders do not have access to your personal computer.
· When selling the computer, format the hard drive and do not leave any personal data on it.
Trash
One man's trash can become another man's treasure. So, one should be careful while discarding documents carrying personal information such as the Social Security Number (SSN), bank account, credit card, etc. Such documents must be shredded before being discarded into the trash. The items that must be shredded before discarding include the following:
· Bank statements
· Credit card statements
· ATM receipts.
· Expired passports, visas and credit cards
· Cancelled or voided checks
· Tax forms
· Bills
· Paystubs
Safeguarding personal information
Immediate reporting of lost or stolen credit cards and debit cards: As soon as credit cards or debit cards are found missing, the issuing bank must be contacted immediately. Prevention is better than cure. Most banks cancel the missing card and reimburse the victim for any fraudulent charges. The victim will receive a new card in the mail within a week.
Avoid keeping Social Security Number (SSN) in wallet: This is a common mistake made by most people. Though keeping the Social Security Number (SSN) in the wallet is convenient, it is not safe. In case the wallet is stolen, the thief has everything needed to steal the identity of the victim.
Never provide personal information to anyone contacting through a phone solicitation: It is easy for an identity thief to pretend to be a legitimate business person when contacting through phone. So when requested to provide information about the credit card over the phone, it is wise to think twice before providing information. If you initiate the call for any purpose, then such information can be provided.
Check your bills and bank statements as soon as they arrive for evidence of identity theft: Checking the accounts regularly can limit the theft due to stolen identity. That can be done by reviewing bills and bank statements carefully after receiving them. This information can also be checked online regularly.
Checking credit reports for free: According to the Fair and Accurate Credit Transactions Act of 2003, a person is entitled to receive a free credit report from the big three credit bureaus every 12 months. Once the credit report is received, it should be checked for anything suspicious, such as any accounts opened in the person's name of which he or she is unaware. Once anything suspicious is noted, one of the three credit bureaus should be contacted immediately and asked to place a fraud alert on the person's credit report.
No reason for revealing Date of Birth and/or Social Security Number (SSN) in resume: There is hardly any need for this sensitive information to be revealed in the resume. Potential employers do not need this information about you at first glance. Also, if the resume is sent to 50 or 100 different employers, it is very difficult to tell how many hands the Social Security Number passes through. And a potential employer may not keep this information about you as safe as you would.
Using ATM card wisely: It is wise to avoid going to an ATM at night. Also, it should be clear that no one is looking over the shoulder when entering the PIN (Personal Identification Number). In case the PIN is revealed to anyone other than the trusted ones, it should be changed immediately.
Guarding the check book: Check books should receive special care. They should be carefully guarded as they contain the name and address of the holder and the bank account number. A check book should not be kept in an unsecured place or in a car. If it is stolen, the thief could write fraudulent checks or even break into the victim's account. If any of the checks are found missing, the bank should be contacted immediately without any delay.
Strong Passwords: The password should not contain a word or number that other people can guess easily. Using the date of birth or the last four digits of the Social Security Number as a password is not wise, as they can be guessed easily.
Securing personal information in home: Being at home does not mean that personal information is safe from theft. If there are roommates, or if housekeepers are employed, mail and phone calls should be secured. Use of mail locks is recommended. Also, privacy should be ensured before making any personal calls.
Know who else has your information: It is wise to know about the procedures for handling personal information at work, at the doctor's office, or at any other institution that keeps a record of personal information. It should be clear who has access to the personal information and that it is handled properly. If personal information is not handled properly, the Federal Trade Commission (FTC) or the Better Business Bureau should be contacted.
Identity theft Insurance
Much of the identity theft insurance coverage and other related services are offered by the same organizations that are failing to protect personal identity, such as banks and credit card companies. Secondly, identity theft insurance does not reimburse you for money that is stolen from you. Some policies pay expenses such as lost wages and legal fees. But the fact is that a lawyer is not always required to resolve an identity theft case. Finally, identity theft is usually committed by someone we know, often family members and friends. But identity theft insurance does not pay if the crime is committed by a family member. So it is not going to protect against the thing that is most likely to happen.
Identity theft Shield
Identity theft shield has been developed by Kroll to help companies come up with a solution to resolve identity theft. This service is available to pre-paid legal members.
With the identity theft shield, the members can have easy access to their possessions. It gives them credit ratings to fight back and react if an identity thief threatens their financial standing. Identity theft shield is designed to give warning if things go wrong. If an activity is not doing well, the damage done to the credit history can be restored with the Identity Theft Shield. With the help of identity theft shield, reports can be made easily. The members are given an up-to-date credit report without additional charge.
Identity Theft Resource Centre® (ITRC)
Identity Theft Resource Centre® (ITRC) is a non-profit, nationally respected organization dedicated solely to the understanding and prevention of identity theft. The ITRC provides victim and consumer support. It also creates awareness among people through public education. The Identity Theft Resource Centre® (ITRC) also gives advice to governmental agencies, legislators, law enforcement and business about the growing problem of identity theft.
Identity Theft Assistance Center (ITAC)
Financial companies fund ITAC to help the victims of Identity Theft, provide consumers with information to detect and prevent fraud and Identity Theft, and to partner with law enforcement including FTC (Federal Trade Commission) and United States Postal Inspection Service in investigating and prosecuting Identity theft and fraud.
Identity Theft Services, Inc.
Identity Theft Services, Inc. is a non-profit educational corporation that helps the victims of identity theft. It provides free seminars concerning "Identity Theft" at the OASIS foundation for senior citizens in Scottsdale, Arizona, and even a series of college classes on this subject.
Identity Theft 911
Identity Theft 911 offers individuals and institutions the most comprehensive help available to the problem of Identity theft. Identity theft 911 gives victims of identity theft the needed guidance. It helps in the resolution process. It also helps the victim of identity theft to defend himself. Identity theft 911 also offers identity theft solutions specially designed for banks, academic institutions and enterprise employee assistance programs (EAPs).
Identity Theft Software
Many identity theft protection software products have flooded the market. Some of them work by erasing the files from the computer completely before the PC is disposed of, erasing traces of personal information and surfing history, etc. Such software may help in preventing computer identity theft. Another type of identity theft software includes tools to keep personal information safe and secure. The software asks the user to enter sensitive information such as the bank account, credit card number and Social Security Number. Then, whenever any of this personal information is sent via email, internet, etc., the software alerts the user. Personal information is never relayed from the computer without the knowledge of the user, and this therefore forms the best identity theft protection.
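The alerting behaviour described above can be sketched in a few lines of Python. This is an added example, not code from any product mentioned on this page; the class name OutboundGuard, the function check_outgoing and the sample numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# A run of digits, allowing one space, dot or dash between neighbouring digits,
# so "4111 1111 1111 1111" and "000-12-3456" are each seen as one number.
_RUN = re.compile(r"[0-9](?:[ .-]?[0-9])*")


class OutboundGuard:
    """Hypothetical watcher that flags registered numbers in outgoing text."""

    def __init__(self, key=None):
        # Only keyed digests are kept, so the watch list never holds the
        # numbers in the clear. SSNs and card numbers are short enough to be
        # brute-forced from a plain hash, so the key must be stored apart
        # from the watch list.
        self._key = key if key is not None else os.urandom(32)
        self._watch = {}  # digest -> (label, number of digits)

    @staticmethod
    def _digits(value):
        return re.sub(r"[^0-9]", "", value)

    def _digest(self, digits):
        mac = hmac.new(self._key, digits.encode("ascii"), hashlib.sha256)
        return mac.hexdigest()

    def register(self, label, value):
        """Add a sensitive number (any separator style) to the watch list."""
        digits = self._digits(value)
        if len(digits) < 4:
            raise ValueError("value too short to watch without false alerts")
        self._watch[self._digest(digits)] = (label, len(digits))

    def scan(self, text):
        """Return the sorted labels of registered numbers found in text."""
        found = set()
        lengths = {size for _, size in self._watch.values()}
        for match in _RUN.finditer(text):
            run = self._digits(match.group())
            # Slide a window of each registered length over the run, because
            # a watched number may sit next to unrelated digits.
            for size in lengths:
                for start in range(len(run) - size + 1):
                    hit = self._watch.get(self._digest(run[start:start + size]))
                    if hit is not None:
                        found.add(hit[0])
        return sorted(found)


def check_outgoing(guard, message):
    """Return (ok_to_send, labels); ok_to_send is False when an alert is due."""
    labels = guard.scan(message)
    return (not labels, labels)


if __name__ == "__main__":
    guard = OutboundGuard()
    # Constructed sample values: a common test card number and an SSN pattern
    # with area 000, which is never issued.
    guard.register("credit card", "4111 1111 1111 1111")
    guard.register("SSN", "000-12-3456")
    for msg in ("See you on Monday at 10.30",
                "Please charge 4111-1111-1111-1111 for the order"):
        ok, labels = check_outgoing(guard, msg)
        print("SEND " if ok else "ALERT", labels, "|", msg)
```

The check is only as good as the channel it sits on: text that leaves the machine encoded, encrypted or inside an attachment is not seen by a scanner of this kind.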
Identity Theft Monitoring Services
All the user has to do is give the Social Security Number to the identity theft monitoring service. If the service notices any suspicious activity, it alerts the user to the identity theft through an e-mail or a phone call. These services guard the identity of the user by monitoring the three credit-reporting agencies (Experian, Equifax and TransUnion), cell phone applications, government databases and public information. Some also provide identity theft insurance to help defray costs associated with recovering from identity theft cases. Identity theft monitoring services cost US $10 to US $20 per month. Some ID theft monitoring services offer even more at a higher cost.
10 Smart tips to prevent Identity theft
Approximately 14 million Americans were victims of identity theft between January 1 2001 and mid-May 2003. How to prevent identity theft? In order to protect yourself from identity theft, you must know the details of how it happens. By following the security measures below, you can protect yourself from identity theft.
1) Securing business premises with locks and alarms.
Alarm systems act as effective barriers to thieves and also those with intention of identity theft. Especially those security alarms monitored by a security company are better options. External doors should have deadbolts and exposed windows should be covered with security film, bars, screens or shatter-proof glass.
2) Securing Business records under lock and key
Physical business records such as customer records and other data on paper should be kept in locking filing cabinets. Cabinets should be locked at night and at other times of the day when not supervised, such as during lunch time. Copies of system and database back-ups should be kept in a safe, and it should be made sure that they cannot be accessed by identity thieves.
3) Shred, shred, shred.
Business records of any kind should not be thrown into the trash just because they are no longer valid. That becomes a bonanza for criminals intent on identity theft. Instead, all business records that are no longer valid should be shredded. Those involved in small and home-based businesses can buy inexpensive shredders. For those involved in large-scale business, there are shredding services that will come and do what needs to be done.
Mail, which is a favourite source of information for identity thieves, should receive special attention. Anything with a name and address should be put through the shredder. Most bills should be shredded.
4) Be cautious on the phone.
On the phone, it is not difficult to pretend to be someone else. Particular attention should be given when personal information or information about any customer is sought. Such details should not be provided over the phone unless the caller's identity can be confirmed. It is better to avoid providing personal information over the phone for any reason.
5) Limiting access to computers.
The computer network needs to be secured with passwords and a firewall, so that anyone who wanders through the office can't access the secured computer network. Access for employees should also be restricted based on need. Databases that contain sensitive information should be password protected, and employees should not be given access to them unless needed.
6) Protecting computers from hackers.
Hacking into company systems and databases has become a favourite technique of identity theft. In order to avoid such intrusions, the computer network should be protected by a firewall. A firewall prevents access to computer networks by unauthorised persons. A firewall can also be used to restrict employees, thereby preventing access to sensitive information in databases. Firewalls can be purchased at any computer store or downloaded. Another option for persons involved in small business or home-based business is to purchase and install a small router, which often has firewall protection capability.
If your system is running the Windows operating system, it is also important to stay up to date. Windows should be updated frequently. Windows XP and Windows Vista provide Automatic Updates, which alerts the user when updates are available.
7) Be aware that internet is a dangerous place.
Before ordering something off the net using a credit card, the user should first make sure that it is a secure site. Unless the site is secure, it would be dangerous to provide information about the credit card to the site. Other potential problems on the net are spyware and viruses. While using Internet Explorer, it should be made sure that the security option is set to a higher setting on each computer in the network. Antivirus and anti-spyware software handle spyware well.
And if the company has a website, the owner should be careful as to what kind of information is posted on the site and how. If sensitive information such as financial data and customer databases is to be placed on the net, such information should be password protected or encrypted.
8) Avoid broadcasting information
Employees should be trained in how to protect customers' information. Customers' identity information should not be revealed. Just turning the computer screen so that it can't be viewed by anyone other than the operator is a simple measure. Another simple measure is avoiding practices such as repeating customer information aloud. Files with customer information should not be left open on counters.
9) Create and enforce a company-wide security policy.
The purpose of the security policy is to educate the employees about issues such as identity theft and data protection. It should include information about the email filters in use, computer network access, internet use policies, protecting customer identification information and reporting incidents and violations. In short, a manual of the issues involved in security and handling threats such as identity theft should be issued to all the employees in the company. Providing the manual is not enough on its own; it should be made sure that employees are aware of the information in the manual.
10) Disconnect ex-employees immediately.
When employees resign from the job or no longer work for the company, they should be restricted from accessing the computer network and company data. This should be done as soon as possible.
Identity theft laws, protection services and punishment - Regional legal responses
The penalties for identity theft vary between nations. The following gives brief information about identity theft legislation in different nations.
Australia
In Australia, each state has enacted laws that deal with different aspects of identity theft. On the Commonwealth level, the Criminal Code Amendment Act 2000 amended certain provisions within the Criminal Code Act 1995:
135.1 General dishonesty
"A person is guilty of an offence if: a) the person does anything with the intention of dishonestly causing a loss to another person; and b) the other person is a Commonwealth entity. Penalty: Imprisonment for five years"
In the same way, each state has enacted its own laws to deal with misuse of personal information and data.
Canada
Under section 403 of the Criminal Code of Canada,
"Everyone who fraudulently personates any person, living or dead,
(a) with intent to gain advantage for himself or another person, (b) with intent to obtain any property or an interest in any property, or (c) with intent to cause disadvantage to the person whom he personates or another person, is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction."
France
In France, a person charged with identity theft can be given a penalty of up to five years imprisonment and a €75,000 fine.
Hong Kong
Under Hong Kong Laws chapter 210 Theft Ordinance, section 16A Fraud,
"(1) if any person by any deceit (whether or not the deceit is the sole or main inducement) and with intent to defraud induces another person to commit an act or make an omission, which results either-
(a) In benefit to any person other than the second-mentioned person; or (b) in prejudice or a substantial risk of prejudice to any person other than the first-mentioned person, the first-mentioned person commits the offense of fraud and is liable on conviction upon indictment to imprisonment for 14 years."
India
Under the Information Technology Act 2000, Chapter IX Section 43 (b)
"If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected."
United Kingdom
In the United Kingdom, the Data Protection Act 1998 protects personal data. The Data Protection Act covers all the personal information handled by an organization. The personal information may be name, date of birth, anniversary dates, addresses, telephone numbers, account information, credit card numbers, etc.
United States
The increase in crimes of identity theft led the United States government to draft the Identity Theft and Assumption Deterrence Act. The Federal Trade Commission appeared before the United States Senate in 1998. The Federal Trade Commission discussed various forms of identity theft including credit card fraud, commodities and services fraud, mortgage fraud, etc. The Identity Theft and Assumption Deterrence Act (2003) [ITADA] amended U.S. Code Title 18, § 1028 ("Fraud related to activity in connection with identification documents, authentication features, and information"). The Act has also provided the Federal Trade Commission with the right to track the number of incidents and the dollar value of losses.
Identity Theft Penalty Enhancement Act
In July 2004, President Bush signed an identity theft bill known as the Identity Theft Penalty Enhancement Act, passed by Congress in response to the growing problem of identity theft. The Act amends the Federal criminal code to establish penalties for identity theft. The Act adds 2 years to prison sentences for "knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person" during and in relation to specified felony violations. It also adds 5 years to prison sentences for violators who use false identification in the commission of "terrorist acts".
Recovery from Identity theft
Steps to be taken by a victim of identity theft
What to do if you are a victim of identity theft? The victim must make an effective identity theft prevention plan. The victim must take the following 4 steps as soon as possible to fight identity theft and to repair its consequences.
1) Place a fraud alert on credit reports and review the credit reports.
Fraud alerts help the victim by preventing the identity thief from opening any more accounts in the name of the victim. The toll-free fraud number of any of the three consumer reporting companies can be called to place a fraud alert on the victim's credit report. It is enough to contact one of the three companies. The company that the victim contacts will contact the other two. If the victim does not receive confirmation from any one of the three companies, then that company should also be contacted directly.
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
Once fraud alert is placed in victim's file, he is entitled to order one free copy of his credit report from each of the three companies and if requested, only the last four digits of his Social Security Number (SSN) will appear on his credit reports. After receiving the reports, they should be reviewed carefully. The reports should be checked for inquiries from companies which the victim did not contact, for the accounts he didn't open and for any debts in his account that he cannot explain. If any information like Social Security Number, address, name is fraudulent or inaccurate, the inaccurate information should be removed. While correcting the credit report, use an identity theft report with a cover letter explaining the request to get the fastest and complete results.
In order to make sure no new fraudulent activity has occurred, credit reports should be checked periodically at least in the first year following discovery of identity theft.
2) Close the accounts that you believe have been opened fraudulently.
The victim must call and speak with someone in the security or fraud department of each company. The victim must follow up in writing, and include copies of supporting documents. Originals of supporting documents should not be included. Credit card companies and the banks concerned should be notified in writing. Letters should be sent by certified mail. In order to document what the company received from the victim and when, a return receipt should be requested. A file of the correspondence and enclosures should be maintained.
When new accounts are opened, new Personal Identification Numbers (PINs) and passwords should be used. Easily available information like mother's maiden name, date of birth, the last four digits of the Social Security Number or the phone number should not be used. If charges or debits on the victim's account have been made by an identity thief, forms to dispute those transactions should be requested from the company. If an identity thief has fraudulently opened accounts, the following measures should be taken to dispute those transactions with the company:
· For charges and debits on existing accounts, the representative should be asked to send the company's fraud dispute forms. The requesting letter should be written to the company at the address given for "billing inquiries", not the address for sending payments.
· In the case of new unauthorised accounts, a dispute can be filed directly with the company, or a report can be filed with the police and a copy, called an "identity theft report", provided to the company.
1) If the victim wants to file a dispute directly with the company and does not want to file a report with the police, it should be confirmed that the company accepts the Federal Trade Commission's ID Theft Affidavit. If the company does not accept the Federal Trade Commission's ID Theft Affidavit, the company's fraud dispute forms should be requested through the representative.
2) But it is a better option to file a report with the police and then provide the company with an identity theft report. For example, if the company has already reported these unauthorized accounts or debts on the victim's credit report, an identity theft report will require it to stop reporting that fraudulent information.
3) File a complaint with the Federal Trade Commission.
The victim must know how to report identity theft to law enforcement agencies. The victim can file a complaint with Federal Trade Commission using the online complaint form or call the Federal Trade Commission's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261 or write to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The victim should not forget to call the hotline if he gets additional information or problems.
Providing information about the identity theft complaint to the Federal Trade Commission can help law enforcement officials across the nation to track down identity thieves and stop them. The Federal Trade Commission can refer victim's complaints to other government agencies and companies for further action.
Additionally victim can provide a printed copy of his online Complaint form to the police to incorporate into their police report. By submitting the printed Federal Trade Commission ID Theft complaint along with the police report (both of these in conjunction constitute an Identity theft report), the victim is better protected. This identity theft report can be used to
· Permanently block fraudulent information from being incorporated into victim's credit report
· Ensure that debts do not reappear on victim's credit report.
· Prevent a company from continuing to collect debts that resulted from identity theft.
· Place an extended fraud alert on victim's credit report.
4) File a report with the local police or the police in the community where the identity theft has taken place.
The identity theft should be reported to the local police department. The victim should ask to file the report in person. If that request is not accepted, the report may be filed over the Internet or by telephone. If the local police are not willing to take the victim's report, another jurisdiction, such as the state police, can be tried. When going to the local police department to file the report, the victim should submit a printed copy of the Federal Trade Commission ID Theft Complaint form, a cover letter and supporting documentation.
The officer should be asked to attach the ID Theft Complaint to the police report. The police should also be informed that the victim needs the Identity Theft Report (the police report with the ID Theft Complaint attached) to dispute the fraudulent accounts and debts created by the identity thief.
Identity Theft Affidavit
The Identity Theft Affidavit is an instrument that helps victims of identity theft recover from the damage it causes. The Identity Theft Affidavit was developed by the Federal Trade Commission (FTC). It has been designed to make it easy for victims to report their predicament to the various companies where their names were used to commit identity theft. Companies can easily be notified about an account that was opened in a victim's name. Initial separate forms have to be filled out and submitted to each company, making the process a tedious one.
The Identity Theft Affidavit was developed after consultation with various banks, consumer advocates and credit grantors. For this reason, it is widely accepted among retailers, issuers of credit and financial institutions other than banks. The Identity Theft Affidavit makes it easier for an individual who has suffered identity theft to recover from it.
Fraud Alert
There are two types of fraud alerts:
· An initial alert.
· An extended alert.
Initial fraud alert
An initial fraud alert stays on the victim's credit report for at least 90 days. Whenever identity theft is suspected, the victim may ask to have an initial fraud alert placed on his credit report. An initial alert is appropriate if a victim has lost his wallet or if he has been taken in by a phishing scam. When an initial fraud alert is placed on the victim's credit report, he is entitled to order one free credit report from each of the three nationwide consumer reporting companies. If requested, only the last four digits of the victim's Social Security Number (SSN) will appear on his credit reports.
Extended Fraud Alert
Extended fraud alert can be placed in victim's credit report for seven years. If the person is a victim of Identity theft, he can place an extended fraud alert. The consumer reporting company can be provided with an Identity Theft Report. Even an Automated Identity Theft Report such as the printed FTC ID Theft Complaint is sufficient to obtain an extended fraud alert. When an extended fraud alert is placed on victim's credit report, he is entitled to order 2 free credit reports within 12 months from each of the three nationwide consumer reporting companies. In addition, the consumer reporting companies will remove the name of the victim from marketing lists for pre-screen credit offers for five years unless he asks them to put his name back on the list.
To place or remove either of these alerts on credit reports, the victim is required to produce appropriate proof of identity. That may include name, date of birth, address, Social Security Number (SSN), etc., as requested by the consumer reporting company.
What does a fraud alert not do?
Although a fraud alert can block the identity thief from opening new accounts in the victim's name, it is not a real solution to all types of identity theft. It offers no protection from an identity thief using the victim's existing credit cards or other accounts. It is also of no use when the identity thief opens an account in the victim's name that doesn't require a credit check, such as a telephone, wireless or bank account. Finally, if there is an identity theft already going on when the victim places the fraud alert, the fraud alert is not going to stop it. But a fraud alert can be extremely useful in stopping identity theft that involves opening a new line of credit.
Credit freeze
Many states have laws that let consumers restrict access to their credit reports. This is called a credit freeze. If a credit freeze is placed, potential creditors and other third parties will not be able to get access to the victim's credit report unless the victim temporarily lifts the freeze. This prevents an identity thief from opening an account in the victim's name.
Credit freeze laws vary from state to state. Some states allow anyone to freeze their credit file, while in other states only victims of identity theft can do so. The cost of placing, temporarily lifting and removing a credit freeze also varies. Many states do not charge identity theft victims for placing a credit freeze, but other consumers pay a fee, which is usually $10. The important thing to note here is that these payments are for each of the three credit reporting agencies. So freezing the credit file means placing the freeze with each of the three credit reporting agencies and paying the fee to each one.
Who can access the credit after a credit freeze is placed?
Even after placing a credit freeze, the victim can have access to his/her free annual credit report. He will also be able to buy his credit report and credit score even after placing a credit freeze. Companies that the victim does business with (for example, a credit card company or cell phone company, and the collection agencies working for these companies) will still have access to the credit report. In some states, even potential employers, insurance companies, landlords, etc. can still have access to the credit report after a credit freeze is placed.
Temporarily lift
The victim can temporarily lift the credit freeze for one of the following reasons:
· The victim wants to apply for a loan or credit card.
· The victim needs to give someone access to his or her credit report, and that person is not covered by an exception under the credit freeze law.
The victim can temporarily lift the credit freeze by using the PIN (Personal Identification Number) that each credit reporting company sends once the credit freeze is placed. Most states require a fee to temporarily lift the credit freeze. The credit reporting agencies take 3 days to lift the freeze. This should be considered when placing a credit freeze because "instant credit" becomes impossible.
What does a credit freeze not do?
Like a fraud alert, a credit freeze is not a solution to all types of identity theft. Even though a credit freeze can prevent an identity thief from opening new accounts, it will not completely protect the victim. It is of no use when the identity thief uses the victim's current credit accounts. New accounts such as telephone, wireless and bank accounts can also be opened by the identity thief in the name of the victim, as they do not require a credit check. If identity theft is already under way, a credit freeze will not help in stopping it. Even though a credit freeze will not help the victim in these situations, it protects the victim from the majority of identity theft that involves opening a new line of credit.
Difference between a credit freeze and a fraud alert:
With a fraud alert in place, businesses may still check the victim's credit report. Depending on whether an initial 90-day fraud alert or an extended fraud alert has been placed, potential creditors must either contact the victim or use what the law refers to as "reasonable policies and procedures" to verify the victim's identity before issuing credit in his name. However, the steps potential creditors take to verify the victim's identity may not always alert them that the applicant is not actually the victim who placed the fraud alert.
A credit freeze, on the other hand, will prevent potential creditors and other third parties from accessing the credit report of the victim unless:
· The victim temporarily lifts the credit freeze.
· The victim already has a relationship with the company.
As with credit freezes, fraud alerts are mainly effective against new credit accounts being opened in the name of the victim, but will likely not stop thieves from using existing accounts of the victim, or opening new accounts such as new telephone or wireless accounts, where credit is often not checked. Also, only people who have had their ID stolen, or who suspect it may have been stolen, may place fraud alerts. Anyone can place a credit freeze.
Identity Theft Reports
An Identity Theft Report is a police report that includes enough detail about the crime for the credit reporting companies and the businesses involved to verify the person is actually affected by the identity thief. The Identity Theft Report should also include information regarding which accounts and information came from identity theft. This information may not be there in police reports.
The printed copy of the Federal Trade Commission's ID Theft Complaint can provide additional information for the police report. Legally the police are not required to use the Federal Trade Commission's ID Theft Complaint as part of their report.
When an Identity Theft Report is filed, the credit reporting companies will block fraudulent information from appearing on the credit report of the victim. Filing an Identity Theft Report with the credit reporting companies or with the companies where the thief used the victim's information should make sure that these debts do not appear on the credit report of the victim. An Identity Theft Report can even prevent a company from trying to collect debts that resulted from identity theft or from selling those debts to others for collection. An Identity Theft Report also helps the victim to place an extended fraud alert on his or her credit report. The Identity Theft Report should contain enough information to show that the person is really a victim of identity theft. Only then will the credit reporting agencies accept the Identity Theft Report; otherwise they may decline it.
Creating and using an Identity Theft Report may require two steps:
· Step one begins when the victim of identity theft files a report with a local, state or federal enforcement agency, which may include the local police department, the State Attorney General, the FBI, the United States Secret Service, the Federal Trade Commission or the United States Postal Inspection Service. The report should give as much information as possible about the crime. If the dates of the identity theft are known precisely, they should receive special attention. Information regarding the fraudulent accounts opened and the alleged identity thief should also be provided. It is better to file an online complaint with the Federal Trade Commission, then obtain a printed copy of the complaint and finally incorporate that into the police report.
· Step two starts when a copy of the Identity Theft Report is sent to the businesses involved and the credit reporting companies. The Identity Theft Report should be sent by certified mail, return receipt requested. The companies may ask for additional information or documentation to help them verify the identity theft. They have to make their request within 15 days of receiving the Identity Theft Report. Then the credit reporting companies can take another 15 days to verify that they have all the information they need in the Identity Theft Report.
Medical Identity Theft: What to do if you are a victim (or are concerned about it)?
Medical identity theft is a serious problem because criminals who use the identity of the victim for medical care or services can introduce changes to the medical record of the victim that is impossible to undo. These changes range in severity from small things to substantial fraudulent information that can pose a medical risk to the victim.
So in order to recover completely from medical identity theft, it is important to clean up the medical files of the victim. The medical files may have been altered to reflect diseases that the victim does not have.
Unlike financial identity theft, medical identity theft is harder to detect and sometimes the information must be gathered from different places. Some people become aware of the medical identity theft when a debt collector sends a letter or he calls the victim. But others notice the medical identity theft only after an insurance investigator alerts them of the problem or after errors have been noticed in their medical file. In some instances, the victim becomes aware of the medical identity theft after he receives a strange bill for medical services he did not receive.
The following measures must be taken by victims of identity theft and by those who would like to take preventive measures:
· Closely monitor any "Explanation of Benefits" sent by a public or private health insurer.
· Pro-actively request a listing of benefits from the health insurer of the victim.
· Request a copy of current medical files from each health care provider.
· File a police report.
· Correct false information in the file.
· Keep an eye on the credit report.
· Request an accounting of disclosures.
Closely monitor any "Explanation of Benefits" sent by a public or private health insurance agent.
Many medical identity thefts can be identified early if the victim reviews his insurance statements carefully. If anything appears wrong in an insurance statement, questions should be raised with the health insurer or the health provider involved. Just because no money has been lost, it does not mean that everything is okay. The kinds of problems a victim of medical identity theft may see include:
· Being charged for services that he or she did not receive.
· Being charged for office visits that the victim did not make.
· Being charged for the medical equipment that the victim did not use.
Pro-actively request a listing of benefits from the health insurance agent of the victim.
Once a year, a person should pro-actively request a listing of the benefits paid in his name by his health insurer. Instead of waiting for the insurance company to send a listing, it should be requested pro-actively. If the listing shows any payments that the victim does not recognise, he should follow up with the insurer or provider to learn more.
Sometimes the billing address and phone number of the account are changed by the identity thief. The statement is then delivered to the address entered by the criminal, and the victim is not aware of it. So asking for the statement pro-actively can detect and help foil fraudsters who use this technique.
Each person has the right to request a copy of records from his health insurer and nearly every health provider under the health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA). Similarly, each person also has the right to receive a notice of privacy practices from insurers and providers, which will be required for access requests.
Request a copy of current medical files from each health care provider.
Health care providers can be asked to allow a person to inspect or have a copy of the medical file they maintain about that person. A wise person makes this request each time he visits the doctor. It is much easier to receive a copy of the health care files before there are problems than after.
Even for someone who is not a victim of medical identity theft, there are many good reasons to request a copy of the medical files. Some people like to keep copies of their health records so they can maintain a personal health record in one place.
But if one suspects that he has become a victim of medical identity theft, he must obtain a copy of his record from his doctor, hospital, pharmacy or laboratory. This may be essential in uncovering the medical identity theft and taking steps to recover from it. Obtaining health records may be complicated at times, but it is an essential step in recovering from medical identity theft.
While each person has the right to inspect and have a copy of his health record, a health care provider such as a hospital or his doctor can charge him a fee for a copy. He has to think about the costs involved before requesting a copy. For instance, copies of X-rays and CT scans can be expensive.
In certain cases of medical identity theft, some health care providers have been reluctant to show the health records to the victims. If the health provider decides that the information in the file is not about the victim, he may reject the request. This is a difficult situation, but the victim must explain his rights. He must explain to the health provider why he believes that he has been victimised, and politely ask for the provider's assistance in figuring out the problem. In fact, the health provider has also been a victim of the same thief, because the thief used the provider's services without paying for them. The healthcare provider and the victim must have a joint interest in figuring out the problem. Some hospitals have used a system the World Privacy Forum calls a "Jane/John Doe file extraction" to help the victims of medical identity theft while still protecting the "trail" of the records. If the health records are not provided by the healthcare provider, the victim may ask them to read about the file extraction process.
If a health care provider refuses to release medical files that are in the name of the victim, the victim should be able to file an appeal of the denial. The health care provider's "notice of privacy practices" (or privacy policy) will explain the provider's appeal procedure. The victim is entitled to receive a copy of the provider's notice of privacy practices upon request and without cost.
If the victim is not satisfied with the way his request for access or for a copy has been handled, he may file a complaint with the Office of Civil Rights at the Federal Department of Health and Human Services (website: http://www.hhs.gov/ocr phone: 1-800-368-1019). He may have greater rights under the laws of his state. He may even be able to get assistance from his state health department, fraud investigators, elected representatives, or lawyers (attorneys) if he believes that the denial of access may actually be covering up details about the medical identity theft.
Asking for a copy of all of the victim's health records may be more expensive and may provide more information than needed, which serves no purpose. So it is wise to get only the information that is needed. For example, if the victim receives a notice that a hospital has treated him for diabetes, then records should be requested about the particular visit that is questionable. It should also be confirmed at which particular visit such a diagnosis was made. If the information shows a problem, the victim always has the right to ask for more information.
File a police report.
Once the victim is aware of the medical identity theft, the most important thing to do is to file a police report. The victim may need the police report when requesting assistance from health care providers and insurance companies. Even if the victim does not have any insurance, it is necessary to file a police report. In some cases, victims of medical identity theft suffer a financial impact from the crime. For example, a victim can have substantial collections from hospitals and other health care providers listed on his credit report. The victim may need a police report in his file in this type of situation. Also, in the crime of medical identity theft, the thief may seek drugs at various health care providers. In such cases, the victim needs a police report to help him show that there is a person impersonating him with his stolen identity.
Correct false information in the file.
Victims of identity theft take time and measures to correct their financial records after the crime. But that kind of attention is not paid to correcting the medical records after the crime. Even though it takes time to correct medical records, it is critically important for all victims of medical identity theft to do so. If any information is discovered that is not actually about the victim, measures should be taken to remove the fraudulent information from the victim's medical record. Similarly, if any information bears no relation to a disease the victim has, or if there is any information about treatment he did not receive, a request should be made to remove the false information from the record completely.
Amending a health record is a tedious process. Here are some guidelines regarding amending the health record.
· If erroneous information is found in a doctor's office file, the victim must ask the doctor to remove such false information. The doctor may simply delete the records. But the job is not over yet, as the insurance company will have copies of the same information, which also need correction. There could be erroneous information in the laboratory and pharmacy records too. So intensive measures should be taken to track down all the record keepers with erroneous information.
· When one record keeper corrects the record, according to the HIPAA Federal Health Privacy Rule, he has the duty to inform others to whom he disclosed the original information. The victim should insist that the record keeper tell others about the correction. But the victim should not rely on representations that these correction notices have been sent. The other record keepers should be asked whether they have received any notice of the correction and whether they have corrected the information in the victim's medical record.
· In some cases of medical identity theft, it is the doctor, or the identity thief posing as a doctor, who has altered the information in the medical files of the victim. In these cases the victim must work hard in conjunction with the insurance company to get the information corrected and the false information removed from his medical files.
· In case a person believes that he has been victimised, it is essential to file a police report and obtain a copy of the report. Sending copies of a police report to insurers, providers and credit bureaus may be a step in solving the problem of medical identity theft. Even though it cannot be guaranteed that a police report can solve the problem, it will make solving the problem easy.
· Doctors and Hospitals are most often reluctant to remove erroneous information from the medical files of the victim. Sometimes, action was taken on the basis of erroneous information and this false information is needed to explain why that action was taken. The usual remedy is to keep the false information and make a note why it is wrong.
· Even though it is advisable to keep the erroneous information and indicate why it is wrong, for a victim of medical identity theft, removal of erroneous information is absolutely needed. For example, because of an identity thief's actions, the victim's medical file may be changed to reflect an appendectomy that he never received, an incorrect blood group or a diagnosis of psychosis that does not apply to the victim. This erroneous information in the medical file of the victim may haunt him in the future and affect his future health. It can even create problems in obtaining health or life insurance in the future.
· Explaining the problem clearly and politely to the health care providers and health insurers will help. A police report may be convincing when record keepers are reluctant to change the erroneous information in their records. If the erroneous information cannot be corrected by these means, legal help may be necessary. A lawyer may be able to solve the problem by convincing a doctor or the hospital. There are also legal remedies available against record keepers who maintain erroneous information that may result in harm to medical identity theft victims.
Keep an eye on credit report
Medical identity theft can be discovered by regularly reviewing credit statements. A number of victims of medical identity theft discovered that they had been victimised by checking their credit reports. What these victims most commonly noticed was a collection notice for a hospital, medical lab, radiological lab or a variety of medical services on the credit report.
If the identity thief used the name, Social Security Number and insurance information of the victim, it is very difficult for the victim to prove that the debt does not belong to him. In a majority of such cases, the victim can prove his innocence by comparing the false entries in the medical file with his regular medical files. For example, the imposter who was treated may be older or younger than the victim, the imposter may have a different disease, and so on.
In order to remove the debt collection action from the victim's credit report, the victim must file a police report and send the police report to the collection agencies. The victim must place a dispute on the collection notice(s) right away.
Request an accounting of disclosures.
An accounting of disclosures is a right under HIPAA that most individuals are not aware of. It is a necessary tool to combat and recover from the medical identity theft.
An accounting of disclosures, also called a History of Disclosures, is a record of disclosures of personal health information made by health care providers or insurers. This record shows information about what details were disclosed, when it was disclosed, why it was disclosed, to whom it was disclosed, etc. This information is extremely useful to track down record keepers who are having erroneous information about the victim.
According to HIPAA Federal Health Privacy Rule, the victim has a right to have a copy of the account of disclosures of his or her records made by health care providers and health insurers. But unfortunately, the federal rule does not require an accounting when records are disclosed for treatment, payment or any other purposes. However some institutions may maintain these records anyway and may provide the information to the victim when requested.
When a person suspects that he has been victimised, an accounting of disclosures should be requested from health care providers and health insurers annually. The record keeper's notice of privacy practices should explain the procedures for making a request.
eBay Identity Theft
When Deborah Fraser's credit card number was stolen, the thief didn't use it to purchase costly things or other high-end gadgets. Instead, the credit card number was used to buy a domain name with the word eBay in it. That scam website tricked many eBay users into handing over their eBay usernames and passwords.
Fraser, a pharmacy technician in Lockport, New York, who was listed as the registrant and administrative contact for the fake eBay domain, said "Somebody fraudulently used my credit card to buy the domain name that ended in eBay. It's very upsetting to think that someone had my credit card. I don't know if I'm ever going to go on eBay again, because I don't know if it had anything to do with purchasing something there, or what."