Posts Tagged: Gartner Inc.


2
Dec 16

Visa Delays Chip Deadline for Pumps To 2020

Visa this week delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. Experts say the new deadline — extended from 2017 — comes amid a huge spike in fuel pump skimming, and means fraudsters will have another three years to fleece banks and their customers by installing card-skimming devices at the pump.

Until this week, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

This week, however, Visa said fuel station owners would have until October 1, 2020 to meet the liability shift deadline.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.

“The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps (AFDs) two years after regular in-store locations,” Visa said in a statement explaining its decision. “We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017.”

Visa said fuel pump skimming accounts for just 1.3 percent of total U.S. payment card fraud.

“During this interim period, Visa will monitor AFD fraud trends closely and work with merchants, acquirers and issuers to help mitigate any potential counterfeit fraud exposure at AFDs,” Visa said.

Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion.

“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.” Continue reading →


1
Oct 16

Source Code for IoT Botnet ‘Mirai’ Released

The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

The Hackforums post that includes links to the Mirai source code.

The Hackforums post that includes links to the Mirai source code.

Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

The Hackforums user who released the code, using the nickname “Anna-senpai,” told forum members the source code was being released in response to increased scrutiny from the security industry.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO [link added]. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.

According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.

“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.
Continue reading →


15
Jul 16

Cybercrime Overtakes Traditional Crime in UK

In a notable sign of the times, cybercrime has now surpassed all other forms of crime in the United Kingdom, the nation’s National Crime Agency (NCA) warned in a new report. It remains unclear how closely the rest of the world tracks the U.K.’s experience, but the report reminds readers that the problem is likely far worse than the numbers suggest, noting that cybercrime is vastly under-reported by victims.

ons-statThe NCA’s Cyber Crime Assessment 2016, released July 7, 2016, highlights the need for stronger law enforcement and business partnership to fight cybercrime. According to the NCA, cybercrime emerged as the largest proportion of total crime in the U.K., with “cyber enabled fraud” making up 36 percent of all crime reported, and “computer misuse” accounting for 17 percent.

One explanation for the growth of cybercrime reports in the U.K. may be that the Brits are getting better at tracking it. The report notes that the U.K. Office of National Statistics only began including cybercrime for the first time last year in its annual Crime Survey for England and Wales.

“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015,” the report’s authors wrote. “These figures highlight the clear shortfall in established reporting, with only 16,349 cyber dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same period.”

The report also focuses on the increasing sophistication of organized cybercrime gangs that develop and deploy targeted, complex malicious software — such as Dridex and Dyre, which are aimed at emptying consumer and business bank accounts in the U.K. and elsewhere.

Avivah Litan, a fraud analyst with Gartner Inc., said cyber fraudsters in the U.K. bring their best game when targeting U.K. banks, which generally require far more stringent customer-facing security measures than U.S. banks — including smart cards and one-time tokens.

“I’m definitely hearing more about advanced attacks on U.K. banks than in the U.S.,” Litan said, adding that the anti-fraud measures put in place by U.K. banks have forced cybercriminals to focus more on social engineering U.K. retail and commercial banking customers. Continue reading →


11
Mar 15

Apple Pay: Bridging Online and Big Box Fraud

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

applepayTo understand what’s going on here, a quick primer on card fraud is probably in order. If you’re a fraudster and you wish to walk into a Best Buy store and walk out with a big screen TV or xBox console on someone else’s dime, you’re going to buy “dumps,” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc. explained a blog post published earlier this month that Apple provides banks with a fair amount of data to aid banks in their efforts at “identity proofing” the customer, such as device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Continue reading →


3
Feb 15

Banks: Card Thieves Hit White Lodging Again

For the second time in a year, multiple financial institutions are complaining of fraud on customer credit and debit cards that were all recently used at a string of Marriott properties run by hotel franchise firm White Lodging Services Corporation. White Lodging says it is investigating, but that so far it has found no signs of a new breach.

whitelodgingIn January 31, 2014, this author first reported evidence of a breach at some White Lodging locations. The Merrillville, Ind. based company confirmed a breach three days later, saying hackers had installed malicious software on cash registers in food and beverage outlets at 14 locations nationwide, and that the intruders had been stealing customer card data from these outlets for approximately nine months.

Fast-forward to late January 2015, and KrebsOnSecurity again began hearing from several financial institutions who had traced a pattern of counterfeit card fraud back to accounts that were all used at Marriott properties across the country.

Banking sources say the cards that were compromised in this most recent incident look like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky.  Those same sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging run hotels. The legitimate hotel transactions that predated fraudulent card charges elsewhere range from mid-September 2014 to January 2015.

Contacted about the findings, Marriott spokesman Jeff Flaherty said all of the properties cited by the banks as source of card fraud are run by White Lodging.

“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Flaherty said. “We understand the franchise company is looking into the matter. Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide.”

I reached out to White Lodging on Jan. 31. In an emailed statement sent today, White Lodging spokesperson Kathleen Sebastian said the company engaged a security firm to investigate the reports, but so far that team has found no indication of a compromise.

“From your inquiry, we have engaged a full forensic audit of the properties in question,” Sebastian wrote. “We appreciate your concern, and we are taking this information very seriously. To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing.”

Sebastian went on to say that in the past year, White Lodging has adopted a number of new security measures, including the installation of a third-party managed firewall system, dual-factor authentication for critical systems, and “various other systems as guided by our third-party cyber security service. While we have executed additional security protocols, we do not wish to specifically disclose full details of all security measure to the public.” Continue reading →


30
Oct 14

Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

emvkeyChip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So  I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where was before the migration. The criminals there have adjusted. and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada. Continue reading →


27
Oct 14

‘Replay’ Attacks Spoof Chip Card Charges

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

emvblueOver the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.” Continue reading →


16
Sep 14

Breach at Goodwill Vendor Lasted 18 Months

C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.

cksystemsOn July 21, 2014, this site broke the news that multiple banks were reporting indications that Goodwill Industries had suffered an apparent breach that led to the theft of customer credit and debit card data. Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed “third-party vendor.”

Last week, KrebsOnSecurity obtained some internal talking points apparently sent by Goodwill to prepare its member organizations to respond to any calls from the news media about the incident. Those talking points identified the breached third-party vendor as C&K Systems, a retail point-of-sale operator based in Murrells Inlet, S.C.

In response to inquiries from this reporter, C&K released a statement acknowledging that it was informed on July 30 by “an independent security analyst” that its “hosted managed services environment may have experienced unauthorized access.” The company says it then hired an independent cyber investigative team and alerted law enforcement about the incident.

C&K says the investigation determined malicious hackers had access to its systems “intermittently” between Feb. 10, 2013 and Aug. 14, 2014, and that the intrusion led to the the installation of “highly specialized point of sale (POS) infostealer.rawpos malware variant that was undetectable by our security software systems until Sept. 5, 2014,” [link added].

Their statement continues:

“This unauthorized access currently is known to have affected only three (3) customers of C&K, including Goodwill Industries International. While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25.”

C&K System’s full statement is posted here. Continue reading →


8
Sep 14

In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud

Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.

pwnddepot

The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores. But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.

Experts say the thieves who are perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.

Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).

This is especially helpful for fraudsters since most Home Depot transactions are likely to occur in the same or nearby ZIP code as the cardholder. The ZIP code data of the store is important because it allows the bad guys to quickly and more accurately locate the Social Security number and date of birth of cardholders using criminal services in the underground that sell this information.

Why do the thieves need Social Security and date of birth information? Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:

-the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card;
-the card’s expiration date;
-the customer’s date of birth;
-the last four digits of the customer’s Social Security number.

On Thursday, I spoke with a fraud fighter at a bank in New England that experienced more than $25,000 in PIN debit fraud at ATMs in Canada. The bank employee said thieves were able to change the PINs on the cards using the bank’s automated VRU system. In this attack, the fraudsters were calling from disposable, prepaid Magic Jack telephone numbers, and they did not have the Cv2 for each card. But they were able to supply the other three data points.

KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot. The manager said the bad guys called the customer service folks at the bank and provided the last four of each cardholder’s Social Security number, date of birth, and the expiration date on the card. And, as with the bank in New England, that was enough information for the bank to reset the customer’s PIN.

The fraud manager said the scammers in this case also told the customer service people they were traveling in Italy, which made two things possible: It raised the withdrawal limits on the debit cards and allowed thieves to withdraw $300,000 in cash from Italian ATMs in the span of less than 120 minutes. Continue reading →


19
Mar 14

Are Credit Monitoring Services Worth It?

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Experian 'protection' offered for Target victims.

Experian ‘protection’ offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one).  But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.  It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster.  And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

Continue reading →