22. May 2010 · Comments Off on LifeLock’s CEO’s Identity Stolen 13 Times – Who’s fault? · Categories: Identity Theft · Tags: ,

The Phoenix New Times (via Wired) is reporting that LifeLock's CEO Todd Davis's identity was stolen 13 times. That's 12 more than had been previously reported. The question is, who's fault is it?

Clearly from a security perspective, it's not a good idea to display your Social Security Number on billboards and TV advertisements. However, from a marketing perspective it was brilliant. The actual dollar amounts lost due to these identity theft incidents were low. If those costs were simply written off as marketing expenses, it was a good deal for Todd Davis.

On the other hand, the legal expenses LifeLock has incurred are a different matter. I am not sure if the $12 million in legal judgments could also be simply written off as marketing expenses. I previously wrote about the $11 million and $1 million judgments
against LifeLock here.

LifeLock's identity theft protection is really limited to automatically posting "Initial Fraud Alerts" with the three consumer credit agencies, Equifax, Experian, and Trans Union.

The actual FTC complaint, in section 18 details the limitations of an "Initial Alert." In other words, there are many ways you can still suffer an identity theft attack with an Initial Alert turned on with all three consumer reporting agencies. Many of these are due to third parties not exercising the due diligence they should.

To my knowledge, only Equifax provides a service that actually enables you to LOCK your account. However, locking is not the silver bullet either as there are forms of identity theft that can be perpetrated without accessing your credit report. And since you can only lock Equifax, you are still vulnerable to Experian or TransUnion being abused. Finally, even if Experian and TransUnion added an easy locking process similar to Equifax's, you would have to pay fees to them as well.

26. April 2010 · Comments Off on Treasury Department estimates up to 1.2 million hiding income by using stolen Social Security numbers · Categories: Identity Theft · Tags: ,

If the IRS is coming after you for not paying taxes on unreported income, it may be that someone used your Social Security Number on his W-4. According to the Treasury Department's Inspector General for Tax Administration, it happened as many as 1.2 million times in 2007.

Thanks for the pointer from the Office of Inadequate Security (databreaches.net).

What is worse, the full article on WebCPA says that the IRS lacks the procedures to identify this type of identity theft:

TIGTA assessed whether the IRS has procedures to effectively handle
collection issues related to ITINs [Individual Taxpayer Identification Number]. It found that the IRS lacks internal
guidelines for its employees to follow to assist either the taxpayer
whose wages are being attached or the legitimate holder of the Social
Security number (who may unknowingly be the victim of identity theft).

Just another way identity theft can bite you!! It appears there is no way to protect yourself against this one. Perhaps the credit agencies could detect this.

13. March 2010 · Comments Off on LifeLock pays $12 million to settle charges of false and deceptive claims · Categories: Identity Theft · Tags: ,

SC Magazine reports:

LifeLock will pay $11 million to the Federal Trade Commission (FTC)
and $1 million to a group of 35 state attorneys general to settle
charges that the Tempe, Ariz.-based company made false claims about its
identity theft products.

The FTC contended that LifeLock's claims
were "deceptive" because the fraud alerts it places on customers'
credit files can only protect against certain types of identity theft,
such as new account fraud, which occurs when an ID thief opens up new
financial accounts by using the victim's name and Social Security

In addition, ironically:

LifeLock, which bills itself as "#1 in identity theft protection," has
gained national notoriety with commercials that show Davis' Social
Security number on the side of a truck, while Davis tells the audience
that he is confident his company's services will protect him – and
potential customers – from having their identity stolen. But Davis
reportedly has been a victim of ID theft.

As I have said before, Identity Theft is a real problem. To protect yourself, start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.

04. October 2009 · Comments Off on Bogus Identity Theft Study – Conclusions? Who cares. · Categories: Identity Theft · Tags: ,

Slashdot posted a story about an Identity Theft study conducted by interviewing people convicted of identity theft. A more detailed post to which Slashdot referred has more details.

The supposed conclusion drawn by Heith Copes (University of Alabama at Birmingham) and Lynne Vieraitis (University of Texas at Austin) is:

"Despite public perceptions of identity theft being a high-tech,
computer driven crime, it is rather mundane and requires few technical
skills. Identity thieves do not need to know how to hack into large,
secure databases. They can simply dig through garbage or pay insiders
for information. No particular group has a monopoly on the skills
needed to be a capable identity thief."

The flaw in their work of course is that they only interviewed thieves who were caught!! In order to really draw meaningful conclusions about identity theft they need to interview thieves who did not get caught.
Of course that increases the difficulty dramatically.

It reminds me of a story I heard years ago from my friend Joe. One night he was walking down a narrow street that had only one street light. Under it was a drunk who seemed to be looking for something. My friend Joe went up to him and asked if he could help. The drunk said, "Sure, I lost my keys and I'm looking for them." My friend asked the drunk, "Where did you lose them?" The drunk responded, "Over there." My friend asked, "Then why are you looking over here?" The drunk answered, "Well it's dark over there. The light is over here."

12. September 2009 · Comments Off on Protect yourself – Anonymized data really isn’t · Categories: Identity Theft, Privacy · Tags: , ,

Just in case you thought there was any hope of maintaining personal privacy, forget it. In fact you must assume your personal information is exposed and take steps to prevent identity theft.

Ars Technica reported this week that law professor Paul Ohm published a paper describing how easy it is to identify specific individuals from "anonymized" data that is released for research purposes and his recommendations for minimizing this type of abuse.

Ars Technica, quoting from Paul Ohm's paper, described the process a graduate computer science student used in the mid-90's to identify then governor William Weld of Massachusetts from "anonymized" health records released by the Massachusetts Group Insurance Commission.

Data is anonymized by removing "personally identifiable information" like name, address, and Social Security number. The anonymized data is useful for further statistical analysis by a variety of researchers.

The graduate student showed that she could "reidentify" individuals 87% of the time with only three pieces of information – zip code, date of birth, and sex. The key to her process is the availability of voter rolls, which you can buy for a small fee from any town, at least in Massachusetts. These voter rolls provide the name, address, zip code, birth date, and sex of every voter.

Professor Ohm's call for a reexamination of privacy laws and tougher regulation is admirable as this may protect you against disclosure of medical conditions and the like that can be used against you.

However, the biggest threat right now is identity theft. You must assume that your personal information is out there for anyone who wants it. Therefore you must take steps to limit the risk of identity theft. Start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.