Busted! The so-called “Bonnie and Clyde” ID Thieves were nabbed by authorities last Monday after stealing the identities of sixteen (confirmed) individuals and, after milking their bank accounts, living the high life at the expense of their victims. What I find particularly shocking about this case isn’t that sixteen people actually fell victim to the same scam but the age of the perps–22 and 25. Such young kids! To say that kids have no respect for their elders doesn’t even begin to cover this one. Not surprisingly, none of the ID theft victims were clients of Lifelock.

In all, Kirsch and Anderton obtained nearly $120,000 in cash and merchandise, authorities said, adding the couple unsuccessfully tried to obtain $112,000 more.

That’s almost $10,000 per person; pushing $20k if you include the attempts to attain credit this way. The credit card I personally use the most is through Bank of America and they’ve always called me if there were unusual purchases–I’ve always made them in the past (and Lifelock’s got my behind in case I didn’t) so I can’t even imagine in this particular case how egregious purchases such as these didn’t tip anyone off until so much cash had been looted. Apparently the two had been following “tips” from the book (I’m not making this up): The Art of Cheating: A Nasty Little Book for Tricky Little Schemers and Their Hapless Victims. That’s a great way to really indict yourself if you haven’t already–keep that book laying around when the police come with the warrant after you’ve made off with six figures of illegally purchased merchandise. Obviously not the sharpest knives in the kitchen but clearly not the dullest either if they were capable of pulling off the scam with so many innocent victims.

If you really want to work yourself up about being mad at them check out the pictures of them enjoying their ill-gotten vacations. It’s pretty amazing they were able to carry out this “plan” for two years–did it not seem suspicious that this young couple had such elaborate vacations? When I was that age my parents would have totally caught on. “So let me get this straight, you’re making $27k and going to Paris…how exactly?” Particularly frightening is that the people affected weren’t internet users and weren’t doing anything wrong. The point is that even if you’re a low-risk candidate you’re nonetheless exposed to some degree of risk simply because of the pathetic society we live in. I’d get Lifelock if I were you.

So let’s say you’re a hacker/id thief/scammer. You go online to hit the black markets of the internet to see what you can buy today–maybe some stolen credit card numbers perhaps? Oh my friend, you are behind the times–the hot new thing is simply usernames and passwords, according to BBC article. How on earth is a username and password more valuable to you, the hacker/id thief, than a credit card number. You can just plug that number into sites and start buying. The answer is pretty simple: people use the same logins and passwords for everything. Why would you simply want to steal a single credit card number when you could easily access all of their information, banking and otherwise.

Lifelock provides a great service in helping keep your identity safe but at the end of the day there has to be some personal responsibility to go with it. Lifelock serves as a pre-emptive strike against these types of people but once the damage is done then…well, you know how that’s going to end. Anyway, back to the article, apparently VoIP providers like Skype/Vonnage/etc, have yet to curb the budding eavesdropping of the relay of their messages.

So how much do these thieves charge for your information? Apparently about $12 for your credit card number and about $17 for your username and password. As a VoIP user myself I find this particularly disconcerting. On the bright side, though, VoIP is still relatively new and there haven’t been any major breaches of the networks yet. The key to avoiding this particular type of online fraud is simply to make sure you have different passwords to different sites. “I’ll never remember them all”, you say but think again. I’m even willing to tell you how I generate my passwords in the hopes that you’ll do the same thing. Take any site–let’s use Yahoo. I convert the first three letters of the domain name (in this case Yah) into numbers and immediately add that to the end of my “standard” password. I then take the total number of characters in the domain, subtract a secret number from it and then add that to the end. Bam, if you JUST do this you’re already on a better path to protecting yourself from this type of online fraud. Plus, once you have the pattern down you only have to remember ONE pattern and you’ll be able to generate passwords you can “remember” for all of the sites you use without having to use the same one.

For a long time (at least three years), there’s been discussion how RFID’s either inhibit or enable the theft of your identity. The basic premise of this argument is that when you have a credit card that can transfer data through radio waves (thus enabling a contact-less transaction) that anyone who is in possession of a machine that can read RFID essentially has free access to your card’s data. This is, for all intents and purposes, true–it’s a tried and true practice known as “skimming”. It’s a pretty scary concept–that identity thieves can simply walk around in crowded public places latching onto the radio frequency of peoples’ RFID cards and storing them for use later. Surprisingly, though, this rarely happens. Why? Because there are no portable RFID scanners–although there are certainly unscrupulous people out there with the ability to do it, for the most part common thieves simply aren’t willing to spend a couple grand to purchase a machine that can read these cards and then wheel it around through your local Whole Foods to snag your credit card data.

It’s been recommended on some websites to do ridiculous things like “take a hammer to your passport”, “zap your credit card” in the microwave, or “drill a hole” through the magnetic bar strips. Pretty ridiculous. For just $9/m (using your Lifelock promotion code) you can get Lifelock rather than going through these petty, useless practices but whatever. Preying on the paranoia of people is a pretty common practice and telling them to nuke their credit card in the microwave instills a false sense of panic that there are things they can’t see that are making them more vulnerable to identity theft. There are countless, valid threats out there but sleep easy friends, the RFID is not enabling malicious thieves to virtually steal your identity. There’s a much greater chance it’s get taken in the real world (see pickpocketing) or virtually by a virus or an insecure purchase.

If you’re still concerned about RFID and identity theft read this article on CNET. Although it’s a little scare-tactic-y it’s got a lot of solid information about how RFID works and how your personal data is stored and what credit companies are doing to help safeguard it.

Beep. Beep. Beep. That’s the sound of your groceries scanning at the supermarket. What you might not recognize is that when you go to pay for your groceries, you may be putting yourself at risk. If you live in New England or down in Florida, you need to check where you’ve been shopping. The chain Hannaford Bros. announced that it recently suffered a data breach that resulted in the theft of 4.2 million credit and debit account numbers.

The apparent cause of the problem was a system that illegally accessed the data while it was being transferred to the credit companies and banks for validation. While an encryption system had been in place before the attack, it proved to not be effective against these persistent data breaches. After finding out about the breach, Hannaford Bros. instituted stricter policies for the validation process. All systems associated with the grocery chain now have a level of encryption and security higher than the national average and stronger than required by the industry.

As investigations continue on the data breach, it appears that the breach began in late 2007, but was not discovered until recently. Company officials have not volunteered any information about why it took so long to identify the problem. Even after learning about the problem, it still took over a month before Hannaford Bros. was able to contain the breach. Within that time period, they did not alert any of their consumers which has raised questions about their handling of the situation. If individuals had known that their important data had been stolen, they could have purchased a membership for some sort of ID theft service, such as Lifelock. While investigations continue into the party, or parties, responsible for the breach, Hannaford Bros. maintains that its customers should feel safe in shopping and using credit cards at the store.

Between December 2007 and the present, there have been 1,800 cases of fraud related to the stolen credit and debit card numbers. Although the company states that no personal data was accessed during the breach, their investigation of the matter is still in progress. Customers of Hannaford Bros. would be wise to check all of their bank accounts for unauthorized withdrawals or fraudulent activity on their credit card statements for the last few months. If someone has been a victim of fraud, they should look into purchasing Lifelock, or another ID theft system. Checking your credit reports is also a suggested step in recovering from fraudulent activity.

While Hannaford Bros. attempts to win its customers back over, other companies throughout the northeast have been put on alert. The Massachusetts Bankers Association (MBA) put out a press release, letting the public know that they should be aware of the large data breach. While they did not initially recognize Hannaford Bros. as the “major retailer” in the report, the MBA was later able to verify that the grocery chain’s verification system was at the center of the problem.

In case you need another compelling reason to get Lifelock’s services, I’ve got one for you today. You’ve already heard about stolen laptops, Chilean hackers, and universities coughing up your personal data. But from our “random” file today we have someone who committed ID theft for…prescription drugs. I thought I had heard them all by now but I was apparently wrong.

This is a particularly interesting case because it wasn’t just the individual whose identity was stolen that was defrauded; the state was also on the line for about $20,000 worth of services provided to the wrong person. Apparently the fraud was instigated by the perpetrator by essentially doing the same things as the person from whom they stole the identity: going to the same appointments, getting the same medicines. It’s frighteningly simple and it was only discovered when the state realized it was double paying for the exact same services all scheduled on the exact same day. Good catch State of Washington! Unfortunately, when it was all said and done, the woman had defrauded the state for over $180,000 due to the cost of the medicines. Ouch. Apparently most of the costs incurred were with the Health Provider so they were on the hook for over $150k of it.

The 48-year-old woman was booked into the Snohomish County Jail just before 12:30 p.m. Tuesday for investigation of seven counts of first-degree theft, two counts of second-degree theft, six counts of forgery, first-degree identity theft and drug violations.

Those are some pretty hefty charges. I’d be curious to know how they’re handling the drug violations–simple possession? If there were seven counts of theft, I would have to assume she went on seven visits to the hospital–maybe the State of Washington wasn’t so great after all if it took seven tries of duplicate entries for them to be caught. I’d also like to know what kind of drugs they were–I’d of course guess painkillers but only because I can’t imagine someone stealing antibiotics for that long.

There aren’t many cases like this but it looks like the individual whose identity was stolen suffered no personal loss of anything and wasn’t personally defrauded out of any money. I guess that’s a small silver lining but regardless that’s pretty rare; most people aren’t nearly that lucky.

There was a data breach at Dominican University this weekend. Dominican University is located in Chicago and the data breach here affected over 5,000 current students and alumni from 2003, 2005, and 2007. First reported (to me anyway), here, it appears the problem was due to the misuse of access granted to part-time work-study students who were able to access Excel spreadsheets from previous years. What’s sad to me is that the university took no real action despite the problem being their own fault. They simply “encouraged affected individuals to place fraud alerts on their accounts”. I bet they wish they had Lifelock. Anyway, I think it’s pretty despicable that Dominican takes no real accountability for their error–most companies at least provide some sort of identity protection service for a year following a significant problem like this.

Dominican issued this statement:

“Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment. We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions. The university is conducting a complete security audit and internal review.

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.”

Hello! DO something. Yeah, it’s great that you’re notifying the affected individuals and their families but shouldn’t you actually do something other than suspend the students? What I really would like to know is how malicious the intent was to use this data. Did they just have access to it? Were they trying to use it? Did they just find it because they were seeing what all their passwords would let them into? Those would be the questions I would want answered if I were one of the affected individuals.

And you thought it was bad in the United States. In Chile hackers accessed and then posted the personal information of over six million people in the largest data breach in South American history.

The hacker, posting as Anonymous Coward, unleashed three compressed files that offered the taxpayer id (like our Social Security Numbers), addresses, phone numbers, and a host of other private information on the popular Chilean techblog Fayerwayer in the form of a comment on an article. Although the information was only available for two hours there’s really no way of knowing how many people saw/downloaded/accessed that data. Allegedly, the hacker posted the information to bring light to the poor security measures imposed by the government by releasing data on over 1/3 of the country’s population (of 16 million).

According to the Chilean newspaper that broke the story, El Mercurio, “The publicity has focused the country’s attention on both government IT security and also the country’s lax privacy laws. For example, Chile’s department of elections sells voter data including gender, name, address, nationality, date of birth, and information on disabilities.” That’s pretty frightening in and of itself–if the government is already going to make that data readily available for commercial purposes it stands to reason that a data breach like that would be happen.

Additionally noteworthy is that, in addition to posting the actual data, the hacker also posted tips on how to best use the data AND how he did it: apparently through the use of several proxies that allowed for near-anonymous access. Proxies are nothing new but they’re more frequently used for things like school-age children accessing sites like MySpace and Facebook after the sites have been banned from access at their schools. Further, these sites can be used to access just about anything–kind of like a baby VPN. It should come as no surprise then that given the ubiquity of these proxy sites that someone was going to take advantage of them in a place where the internet security is so lax.

Unfortunately for the affected Chileans there is no Lifelock or Debix to help bail them out of their situation so they’re going to have to take up their issues directly with the government; a government that has already made it known to them (the people) that they don’t take a particular interest in protecting their personal information.

It was revealed today that Pfizer might be in trouble again after they reported another potential data breach–this one affecting over 13,000 company employees. Like several other recent id thefts, this one was initiated by the theft of a company laptop that contained employee records. On the bright side, this time, was that there weren’t any social security numbers stored on the stolen laptop.

An employee was quoted as saying, “How many … times does this have to happen before someone figures out that the people being given access to this info are clearly incompetent and incapable of keeping it secure?”. I’ll go ahead and answer that for you–a LOT. This seems to happen all the time and it’s not just Pfizer that has some incompetent people being charged with safeguarding the identities of their employees.

Although Pfizer has said they’re now going to start encrypting all laptops, this is hardly going to prevent similar problems from arising in the future–like their employee correctly pointed out, when the people in charge of ensuring the safe handling of information can’t be counted upon to be responsible in doing their jobs all of the encryption and upper-level decisions aren’t going to do any good at all. To be cliché about it, an ounce of prevention is worth a pound of cure, but when you can’t even get an ounce of prevention into the right hands…well, then you’re going to be paying for a lot more pounds of cure; tons of cure (if you will).

Now, Pfizer has coupled these efforts with mandatory training for both employees and contractors covering the importance of data security so they’re taking the right steps but shouldn’t they have done this before the first incident last year–or at least before the most recent breach? We all make mistakes, both as individuals and as corporations, but come on, we all have enough to worry about that having to expend our mental energy on having safe identities because we have a job is really just ridiculous.

Fortunately there are several identity theft companies that provide large-scale solutions for companies in situations like Pfizer including Lifelock and their main competitor, Debix. Lifelock has been called upon in many previous cases to put locks down on the credit of affected employees to ensure no harm comes from the theft of private data.