Posts Tagged: security freeze


23 Aug 16

A Life or Death Case of Identity Theft?

Identity thieves have perfected a scam in which they impersonate existing customers at retail mobile phone stores, pay a small cash deposit on pricey new phones, and then charge the rest to the victim’s account. In most cases, switching on the new phones causes the victim account owner’s phone(s) to go dead. This is the story of a Pennsylvania man who allegedly died of a heart attack because his wife’s phone was switched off by ID thieves and she was temporarily unable to call for help.

On Feb. 20, 2016, James William Schwartz, 84, was going about his daily routine, which mainly consisted of caring for his wife, MaryLou. Mrs. Schwartz was suffering from the end stages of endometrial cancer and wasn’t physically mobile without assistance. When Mr. Schwartz began having a heart attack that day, MaryLou went to use her phone to call for help and discovered it was completely shut off.

Little did MaryLou know, but identity thieves had the day before entered a “premium authorized Verizon dealer” store in Florida and impersonated the Schwartzes. The thieves paid a $150 cash deposit to “upgrade” the elderly couple’s simple mobiles to new iPhone 6s devices, with the balance to be placed on the Schwartzes’ account.

“Despite her severely disabled and elderly condition, MaryLou Schwartz was finally able to retrieve her husband’s cellular telephone using a mechanical arm,” reads a lawsuit (PDF) filed in Beaver County, Penn. on behalf of the Schwartzes’ two daughters, alleging negligence by the Florida mobile phone store. “This monumental, determined and desperate endeavor to reach her husband’s working telephone took Mrs. Schwartz approximately forty minutes to achieve due to her condition. This vital delay in reaching emergency help proved to be fatal.”

By the time paramedics arrived, Mr. Schwartz was pronounced dead. MaryLou Schwartz died seventeen days later, on March 8, 2016. Incredibly, identity thieves would continue robbing the Schwartzes even after they were both deceased: According to the lawsuit, on April 14, 2016 the account of MaryLou Schwartz was again compromised and a tablet device was also fraudulently acquired in MaryLou’s name.

The Schwartzes’ daughters say they didn’t learn about the fraud until after both parents passed away. According to them, they heard about it from the guy at a local Verizon reseller who noticed his longtime customers’ phones had been deactivated. That’s when they discovered that while their mother’s phone was inactive at the time of their father’s death, their father’s mobile had inexplicably been able to make but not receive phone calls.


16 Aug 16

SSA: Ixnay on txt msg reqmnt 4 e-acct, sry

The U.S. Social Security Administration says it is reversing a newly enacted policy that required a cell phone number from all Americans who wished to manage their retirement benefits at ssa.gov. The move comes after a policy rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

In an announcement last month, the SSA said all new and existing ‘my Social Security’ account holders would need to provide a cell phone number. The SSA said the numbers would be used to send recipients an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

But sometime in the past few days, apparently, the SSA decided to rescind the cell phone rule.

“We removed the requirement to use a cell phone to access your account,” the agency noted in a message posted to its my Social Security portal. “While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security. We continue to pursue more options beyond cell phone texting.”

Hopefully, those options will include using the U.S. Mail to send Americans a one-time code that needs to be entered at the SSA’s Web site to complete the sign-up process. I should note that the SSA is already mailing out paper letters via snail mail to Americans who’ve signed up for an SSA account online; they’re just not using that mailing to securely complete the signup and authentication process.

Here’s a redacted letter that a friend of mine received and shared the other day after signing up for an account online. It merely explains what the agency already explained about the texting policy via its Web site.

A letter that the Social Security Administration sends out via the U.S. Mail for every American who signs up to manage their benefits at ssa.gov.

The SSA does still offer the text message feature as part of what it calls “extra security” options. These extra options do, by the way, include sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.


1 Aug 16

Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

The SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees.


10 Jun 16

IRS Re-Enables ‘Get Transcript’ Feature

The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at irs.gov comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.

During the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.

So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:

  • immediate access to your email account to receive a confirmation code;
  • name, birthdate, mailing address, and filing status from your most recent tax return;
  • an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
  • a mobile phone number with your name on the account.

“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”

The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS.


14 Mar 16

From Stolen Wallet to ID Theft, Wrongful Arrest

It’s remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim’s wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.

The guy police say stole Miller's wallet and got him wrongfully arrested was himself apprehended earlier this month.

On the morning of Feb. 20, Lance Miller was arrested in front of his two children by local sheriffs in Golden, Colo. Miller, a managing partner at cybersecurity recruitment firm Curity, had discovered his wallet was missing three days prior to his arrest, reported it to the local police and canceled his credit cards. In the meantime someone had drained his checking account of approximately $5,000, and maxed out his credit cards for almost another $5,000.

“I was standing there in front of my kids saying, ‘You guys are crazy. Do I look like a burglar?'” Miller recalled. “The cop goes, ‘Well, I don’t know what a burglar looks like,’ and they put me in cuffs and in the car.”

Miller said it wasn’t until the 30-minute, handcuffed drive to the police station that the local police and the local sheriff’s office began comparing notes, discovering in the process that they’d grabbed the wrong guy and removing the cuffs. Miller soon learned the thief who’d stolen his wallet had impersonated him during multiple traffic stops. A car the impostor was driving also was spotted speeding away from the scene of a burglary, but Miller said the police in that case didn’t give chase because it wasn’t a violent crime.


28 Jan 16

FTC: Tax Fraud Behind 47% Spike in ID Theft

The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource, identitytheft.gov, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

“The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

Ramirez added that the agency’s site does not collect sensitive data — such as driver’s license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved identitytheft.gov site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

The "My Recovery Plan" produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC requests that consumers not file false reports (I had their PR person remove this entry after filing it).

Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call.


2 Dec 15

OPM Breach: Credit Monitoring vs. Freeze

Many readers wrote in this past week to say they’d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM’s response — the offering of free credit monitoring services for up to three years — won’t work if readers have taken my advice and enacted a “security freeze” on one’s credit file with the major credit bureaus. This post is an attempt to explain what’s going on here.

OPM offices in Washington, DC. Image: Flickr.

Earlier this week I got the following message from a reader:

“I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM’s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM’s credit monitoring services will not work for accounts with a security freeze.”

The reader continued:

“This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM’s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person’s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone — ID protection firms or ID thieves included — from viewing your file.”

I reached out to my followers on Twitter to gauge their reactions to this. I wrote: “Finish this sentence: Lifting a freeze to enable credit monitoring is like….” Here were some of the notable responses:

@sdweberg 10:22pm …shooting your rottweilers and paying the neighbors a monthly fee to “keep an eye on” your house.

@shane_walton 10:15pm …installing flash to watch a flash video about the evils of flash.

@danblondell 10:13pm …leaving the storm doors open to keep an eye on the tornado

@flakpaket 12:48am …leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.

@ShermanTheDad 8:25am …taking your gun off safety to check and see if it’s loaded.

Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you’re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.

As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.


18 Nov 15

Report: Everyone Should Get a Security Freeze

This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.

Each time news of a major data breach breaks, the hacked organization arranges free credit monitoring for all customers potentially at risk from the intrusion. But as I’ve echoed time and again, credit monitoring services do little if anything to stop thieves from stealing your identity. The best you can hope for from these services is that they will alert you when a thief opens or tries to open a new line of credit in your name.

But with a “security freeze” on your credit file at the four major credit bureaus, creditors won’t even be able to look at your file in order to grant that phony new line of credit to ID thieves.

Thankfully, US-PIRG — the federation of state public interest research groups — also is now recommending that consumers file proactive security freezes on their credit files.

“These constant breaches reveal what’s wrong with data security and data breach response. Agencies and companies hold too much information for too long and don’t protect it adequately,” the organization wrote in a report (PDF) issued late last month. “Then, they might wait months or even years before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring services.”

The report continues: “Whether your personal information has been stolen or not, your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring. Paid credit monitoring services in particular are not necessary because federal law requires each of the three major credit bureaus to provide a free credit report every year to all customers who request one. You can use those free reports as a form of do-it-yourself credit monitoring.”

Check out US-PIRG’s full report, Why You Should Get Security Freezes Before Your Information is Stolen (PDF), for more good advice. In case anything in that report is unclear, in June I posted a Q&A on security freezes, explaining how they work, how to place them and the benefits and potential drawbacks of placing a freeze.

Have you frozen your credit file? If so, sound off about the experience in the comments. If not, why not?


2 Sep 15

OPM (Mis)Spends $133M on Credit Monitoring

The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.

Not long after news broke that Chinese hackers had stolen SSNs and far more sensitive data on 4.2 million individuals — including background investigations, fingerprint data, addresses, medical and mental-health history, and financial history — OPM announced it had awarded a contract worth more than $20 million to Austin, Texas-based identity protection firm CSID to provide 18 months of protection for those affected.

Soon after the CSID contract was awarded, the OPM acknowledged that the breach actually impacted more than five times as many individuals as originally thought. In response, the OPM has awarded a $133 million contract to Portland, Ore.-based ID Experts.

No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.

As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.

Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

But there’s a catch: Depending on the state in which you reside, the freeze can cost $5 to $15 per credit bureau. Also, in some states consumers can be charged a fee to temporarily lift the freeze.


8 Jun 15

How I Learned to Stop Worrying and Embrace the Security Freeze

If you’ve been paying attention in recent years, you might have noticed that just about everyone is losing your personal data. Even if you haven’t noticed (or maybe you just haven’t actually received a breach notice), I’m here to tell you that if you’re an American, your basic personal data is already for sale. What follows is a primer on what you can do to avoid becoming a victim of identity theft as a result of all this data (s)pillage.

Click here for a primer on identity theft protection services.

A seemingly never-ending stream of breaches at banks, healthcare providers, insurance companies and data brokers has created a robust market for thieves who sell identity data. Even without the help of mega breaches like the 80 million identities leaked in the Anthem compromise or last week’s news about 4 million records from the U.S. Office of Personnel Management gone missing, crooks already have access to the information needed to open new lines of credit or file phony tax refund requests in your name.

If your response to this breachapalooza is to do what each of the breached organizations suggest — to take them up on one or two years’ worth of free credit monitoring services — you might sleep better at night but you will probably not be any more protected against crooks stealing your identity. As I discussed at length in this primer, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.

In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus. 

There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.” I routinely do public speaking engagements in front of bankers and other experts in the financial industry, and I’m amazed at how often I hear from people in this community who are puzzled to learn that there is even such a thing as a security freeze (to be fair, most of these people are in the business of opening new lines of credit, not blocking such activity).

Also, there is a great deal of misinformation and/or bad information about security freezes available online. As such, I thought it best to approach this subject in the form of a Q&A, which is the most direct method I know how to impart knowledge about a subject in way that is easy for readers to digest.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it. 

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus: Equifax, Experian, Innovis and Trans Union.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Equifax has a decent breakdown of the state laws and freeze fees/requirements.