Thursday, May 1, 2008

How to Avoid Cons That Can Lead To Identity Theft

By WALTER S. MOSSBERG
May 1, 2008; WSJ

When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software. While technological defenses can help you fend off these newer types of attacks, your best weapons against them are common sense, alertness, and careful email and Web-surfing practices.

These types of attacks are called "social engineering," and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off. Social engineering is the online equivalent of an old-fashioned con game, in which a crook frightens people with false warnings, or tempts them with false promises, and then robs them.

While viruses and spyware overwhelmingly afflict Windows users and spare users of Apple's Macintosh computers, social-engineering schemes can ensnare Mac users as well. There's nothing inherent in Macs that makes their owners more resistant to falling for social-engineering scams.

The most common form of social engineering is called phishing, a one-two punch using both email and Web browsing to trick people into typing confidential information into Web sites that look like the sites of real companies, especially financial institutions. But these phishing sites are actually skillfully designed fakes that transmit your sensitive data to criminals, often in distant countries. Once these creeps have your passwords and account numbers, they can loot your funds and steal your identity.

Here are some tips to help you avoid being the victim of social engineering, updated from a similar column I wrote in 2006. It includes information on some antiphishing software that wasn't available back then. But remember: Security software alone can't save you from scams.

1. Never, ever click on a link embedded in an email that appears to come from a financial institution, even if it's your own bank or brokerage and even if it looks official right down to the logo. The same goes for payment or auction services, like PayPal or eBay. Don't do this even if the email asserts that your account has a problem, or that the bank has to verify your information. And certainly don't enter any passwords, Social Security numbers or account numbers directly in an email.

These types of emails are almost always fakes, and the links they contain almost always lead to phony Web sites run by criminals. The only exception might be a confirmation email from a brokerage firm concerning a trade you know you made minutes before. Even legitimate-looking addresses in emails or in the address bar of Web browsers can be fakes that hide the crooks' true Web addresses. The lock icon on a Web site can also be falsified.

If you are truly worried about your account, call the bank or company, or go to its Web site by manually typing in its address or by using a well-established bookmark in your browser that you created yourself.

2. Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of.

3. Never download software from unfamiliar Web sites unless you are absolutely sure you need it and it's legitimate. Even if it claims to be a useful program, it may very well be a malicious application like a "key logger," which can report back to crooks everything you type into your computer. If you really want the program, do a Web search on it first, to see if others have reported it as a malicious fake.

4. If a Web site tells you that you need to download special viewing software to see its videos, don't do it. Even if it claims to be giving you legitimate viewing software, like Microsoft's Silverlight, Adobe's Flash or Apple's QuickTime, don't download it there. Go to the official Microsoft, Adobe or Apple Web sites to get these viewers.

5. Use a Web browser, like Internet Explorer 7 on Windows, or Firefox 2.0 on Windows or Mac, that includes built-in features to warn you about, or block access to, known phishing sites. The next versions of these two browsers will have even stronger features that will detect sites that are not only fake, but which are known to distribute malicious software.

Unfortunately, the third major browser, Apple's otherwise excellent Safari for Mac and Windows, lacks any such antiphishing detection, though I expect Apple to add the feature in a future version. So, for now, Mac users worried about phishing should rely on Firefox.

6. Consider security software that tries to detect and block phishing sites. McAfee's free Site Advisor and paid Site Advisor Plus products do a good job. Symantec has similar features built into its large security suites, Norton 360 2.0 and Norton Internet Security 2008.

7. Educate yourself by reading about social engineering and phishing and how to avoid being a victim. Microsoft has a very good guide at: microsoft.com/protect/yourself/phishing/identify.mspx and Symantec has one at: symantec.com/norton/clubsymantec/library/article.jsp?aid=cs_phishing.

Follow these tips and you'll be a happier -- and safer -- surfer.

Tuesday, April 29, 2008

Credit-Card Security Falters

Industry Standard Hasn't Prevented Recent Breaches


By JOSEPH PEREIRA
April 29, 2008; WSJ

Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.

Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.

Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.

Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.

Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.

Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.

Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing its own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.

The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Retailers that fail to meet the requirements are subject to fines.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.

Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.

"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.

Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.

Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.

Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."

Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.

As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.

Are Your Medical Records at Risk?

Amid Spate of Security Lapses, Health-Care Industry Weighs Privacy Against Quality Care


By SARAH RUBENSTEIN
April 29, 2008; WSJ

When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself.

In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc. At the UCLA Hospital System, several employees were fired or disciplined recently for sneaking peeks at Britney Spears' computerized medical files.

In another recent incident, a former patient-admissions employee at NewYork-Presbyterian Hospital/Weill Cornell Medical Center was arrested this month for allegedly selling at least 2,000 patient identification records, according to the U.S. Attorney for the Southern District of New York. The employee improperly accessed nearly 50,000 patient records in a computer system storing names, Social Security numbers and addresses, court documents allege. Hospital spokeswoman Myrna Manners says some patients have told the hospital they suspect their information had been "used," though it wasn't clear for what purpose or whether identity theft had occurred.

Health care isn't the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees -- including billing staff, nurses, doctors, researchers and lab technicians -- who have quick access to individuals' private information. A number of hospitals have been installing controls that limit by job function the types of data that employees can see. But institutions also are reluctant to control access to patients' private data too tightly, for fear that doing so could get in the way of patient care, especially in emergencies.

"There are just thousands of people who have access -- and need to have access -- to confidential information, and to try to change their behavior is a challenge," says Donald Bradfield, a senior counsel for Johns Hopkins Health System.

The steady stream of privacy breaches threatens to undermine the health-care industry's effort to adopt electronic medical records. That push is meant to make medical care both safer and more convenient for patients, but a major barrier to health-care digitization has been anxiety about preserving the security of such sensitive data.

"What patient is going to want their data to be transmitted electronically if they can't trust the system to keep their data safe?" says Jill Dennis, a senior vice president at the American Health Information Management Association, a professional organization. "The internal mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system."

Patient advocates criticize as too lax institutions' enforcement of a federal privacy law that restricts health providers, insurers and certain other entities from allowing access to private health information to those who don't need to see it. Since the privacy provisions of the law, the Health Insurance Portability and Accountability Act, were implemented in 2003, some 35,000 reports of privacy violations have been submitted to the Department of Health and Human Services. But the department has not levied a single civil fine.

Instead, the department says, it has sought and gained "voluntary compliance" with the law in 6,000 cases. An HHS spokeswoman said the department's approach has led to "improvements that were constructive and were achieved more quickly than through imposition of monetary penalties." Those actions have often involved educating employees about what the law says and how to follow it.

HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution. A DOJ spokeswoman says the department has filed around 200 criminal cases since the 2003 fiscal year under a statute that includes HIPAA, but didn't have a breakdown of just HIPAA-related cases.

David Feinberg, chief executive of the UCLA Hospital System in Los Angeles, calls the celebrity snooping incident "almost mind-boggling," considering that employees had been repeatedly warned not to look at patients' files. Prior to the privacy breaches, UCLA had a computer system that audited who was looking at information on a handful of patients. The hospital permits any patient to request auditing, though high-profile patients more commonly do so.

In the coming months, UCLA plans to start using a new system that will block certain details of patients' records, depending on who is accessing them. For instance, a lab technician would get only lab results, rather than a full medical chart that may also contain radiology reports and notes from doctors and nurses. The system will also allow for auditing on a larger scale, and will include features that require all employees to list their relationship to the patient and will warn them if they're entering "an especially protected chart," Dr. Feinberg says.

Another health system beefing up security is Johns Hopkins, in Baltimore, which has increased employee education on privacy and started adding encryption software to its computers. The action comes after an embarrassing episode last summer, when a computer chained to a desk at Johns Hopkins was pried loose and stolen by a Hopkins employee and an outside vendor's employee. The computer, which was password-protected but not encrypted, had information on about 5,800 patients who were in a registry for people with tumors, including their names, addresses, dates of birth, Social Security numbers, genders, races, medical record numbers and cancer diagnoses.

In another incident involving Johns Hopkins, a deliveryman for a vendor of computer storage devices in late 2006 lost a shipment of the devices on a loading dock at a florist, where he was picking up flowers that he needed to deliver for another client. The misplaced storage devices contained the names, dates of birth, genders, races, mothers' maiden names, fathers' names and medical record numbers of more than 83,000 Johns Hopkins patients.

The hospital also has made other adjustments. Nurses affiliated with Johns Hopkins who are making home calls sometimes used to carry files with them on a "whole roster of patients," not all of whom they were visiting that day, or had extraneous information on those they were visiting, says Mr. Bradfield, the senior counsel. Now, nurses are supposed to carry only what's essential. Johns Hopkins has also instructed its departments to monitor more closely when packages leave their premises and arrive at their destination.

Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. "We have to be able to take care of patients, too," says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff's access to medical data but doesn't block it.

Most health organizations that have experienced recent privacy breaches say they haven't received reports of identity theft related to the incidents. A report from the U.S. Government Accountability Office in June 2007 said there is little evidence that identity theft has resulted from data breaches in a variety of industries, including health. But the GAO added that it's hard to find the original source of data used in identity-theft cases.

More than identity theft, some patient advocates worry about emotional trauma. "Monetary damages don't really get at the sense of invasion that people experience when their privacy has been breached," says Ms. Dennis of the health-information management association. Patients may also worry about their medical information finding its way to a potential health insurer or employer.

In another recent incident, health insurer WellCare said a Web developer inadvertently made the Social Security numbers, dates of birth, names and medical details of about 10,500 Georgia patients publicly available through Internet searches while sending the data to state regulators. More limited information on as many as 71,000 other patients may also have been made publicly available.

WellCare learned of the problem March 20, when a health-plan member called customer service to complain, but company employees assumed the state was responsible. Only after the same health-plan member contacted the company again did WellCare shut down online access to the information, on April 2.

And in February, a laptop with information from MRI reports, names and dates of birth of about 3,200 people enrolled in a cardiac-imaging clinical trial at the National Institutes of Health was stolen from the car trunk of a researcher who'd taken it along to his daughter's swim meet. The laptop -- which was password-protected but not encrypted, contrary to government policy -- also had Social Security numbers for 1,281 of the participants whose records had been sent to the National Death Index, which keeps track of vital statistics including whether trial participants are still alive.

Patients who are worried their medical records may be accessed inappropriately can take some limited steps to try to prevent it. Denver Health in Colorado, for instance, allows patients after receiving care to be informed of every person who has accessed their information. And some hospitals grant patient requests that access to their records be restricted more than is normal.

Patients whose health-insurance identification numbers have been compromised should monitor the "explanations of benefits" statements that insurers send home to make sure a criminal isn't using their stolen account information to obtain insurance coverage.

Going back to traditional paper records, as some patients advocate, wouldn't necessarily solve the problem. Recently, a schoolteacher buying a box of scrap paper in Utah discovered that it contained patient medical records from Central Florida Regional Hospital that were destined for a Medicare auditor in Las Vegas. The hospital says shipping via UPS is typically "secure and reliable." But UPS spokeswoman Lynnette McIntire cautioned: "In general, we don't recommend that those kinds of paper records be sent."

Wednesday, April 23, 2008

Looking out for identity theft, fraud

BY SUSAN TOMPOR • FREE PRESS COLUMNIST • April 23, 2008

Retired teacher Donna St. John's hand shot up the minute the workshop instructor asked if anyone ever had his or her identity stolen.

St. John recalled the time several years ago that somebody tried to buy a refrigerator, washer and dryer with one phone call to Sears after opening a credit card in her name. The store caught it. But St. John, who used to teach at Sterling Heights High School, never forgot how quickly trouble could start.

About 50 people attended the two-hour identity theft seminar sponsored by Michigan First Credit Union in Lathrup Village on Monday. The event was one of more than 300 classes, seminars and activities scheduled in Michigan during Money Smart Week this year. See www.moneysmartweek.org/michigan for other events.

Crooks' tricks

On Monday, about 15 in the group raised their hands after David Waxer, a financial counselor for GreenPath Debt Solutions in Southfield, asked people if they ever experienced identity theft or fraud.

Some spotted fraudulent charges on a credit card after renting a car or going to a restaurant. One man signed up for a trial promotion that cost $4.95 online. He canceled the service before the trial was up. But later, he was wrongly charged $140 twice for that service.

One man's wife pulled out a card one day and it wasn't hers. Somehow, somebody slipped her another card, letting her think she still had her own plastic and then used her card without her knowledge.

Somebody stole a child's Social Security number.

We're all vulnerable to identity theft. We all need to protect our information.

"Keep a close watch on every electronic transaction -- every bank statement," Waxer told the group.

How to fight back

Other suggestions:

• Study your credit report to see if someone has opened credit cards using your name.

See www.annualcreditreport.com. That is the only central site that enables you to request a free report once every 12 months from Equifax, Experian and TransUnion. You can request all three reports at once. Or you can monitor your credit by staggering requests -- say getting one report from Experian in January, another from TransUnion in May and one from Equifax in September.

• Avoid carrying too many credit cards or other ID.

If you've got a pocket-size birth certificate, keep it at home. Don't carry your checkbook on daily errands. Do not leave a car rental agreement in a rented car. Do not carry your Social Security card.

• Be aware that some crooks use cell phones to take pictures of card numbers.

• Pay attention to when certain bills arrive in the mail. Some crooks complete a change of address form so your mail is forwarded to another address where they have access and can buy more goods using your card.

And read every statement. You could find somebody trying to charge $1,000 in Christmas decorations to your bill. One man in the group said that's what happened when somebody got access to credit by stealing his personal information.

Wednesday, March 12, 2008

Identity Thieves Target Tax Refunds

Scammers Snag Personal Information to File Bogus Returns; Florida Girl Scout Troop Falls Victim to 'Hotmama983'


By Tom Herman
March 12, 2008; WSJ

Doing your taxes is painful enough. But it can be especially so when a scam artist files a phony tax return with your name, Social Security number and other personal information in an attempt to collect a refund.

Growing numbers of victims are complaining to the Internal Revenue Service and the Federal Trade Commission about this and similar scams, and one senior IRS official is urging the agency to do more to help victims.

Identity theft has become one of the "most serious problems" facing taxpayers, said IRS National Taxpayer Advocate Nina Olson in a report to Congress early this year. Among the major problems that can arise are delays or denial of refunds, the report said. Taxpayers could also face "the assessment of tax debts resulting from income" reported on the fraudulent return. Ms. Olson is scheduled to testify about the subject tomorrow at a hearing of a House Ways and Means subcommittee.

The Federal Trade Commission received 20,782 complaints on tax-related identity-theft issues in 2007, up from 15,442 in 2006 and 8,041 in 2003. But Ms. Olson of the IRS believes those numbers "significantly understate" the size of the problem and the number of taxpayers hurt by it because, she says, the agency doesn't have a comprehensive method of tracking the various types of identity-theft cases.

In one recent case in Pensacola, Fla., Holly M. Barnes, a former Girl Scout troop leader, was sentenced to 10 years in federal prison after pleading guilty to multiple counts of identity theft and filing "false and fictitious" claims for tax refunds, according to the U.S. attorney for the Northern District of Florida. Ms. Barnes created a bogus Girl Scout medical-release form to get sensitive information, including children's Social Security numbers, the U.S. Attorney's office said. She then used the information to prepare and file electronic federal income-tax returns using the screen names "Hotmama983" and "Freewoman74."

The phony refunds were transferred into five different bank accounts she controlled. She "filed false claims totaling more than $187,000, from which she obtained more than $87,000" from the government "as a result of fraudulently using the identity of these children, including her own children," according to the U.S. attorney's office. At the sentencing, the judge ordered her to pay $87,976.70 in restitution to the IRS. Ms. Barnes's lawyer, Thomas Keith, says the sentence is being appealed.

Separately, a Connecticut woman who prefers to remain anonymous was recently notified by a New York bank that her application for a refund anticipation loan had been rejected. "That blew my mind," she says -- because she hadn't applied for such a loan and hasn't yet even prepared her tax returns for 2007. She also recently received a letter from the New York state tax department questioning her 2007 return, which she hasn't yet filed. She notified her accountant and the IRS of the situation.

"It's horrible," she says. She has no idea how her identity was stolen -- but adds that "I now shred everything that comes to my house with my name on it" before throwing anything away.

In another recent case, the victim was a 53-year-old Michigan woman named Marie Mendoza. Early last month, Ms. Mendoza received a call from a representative of a nearby office of H&R Block Inc., the tax-preparation firm that had prepared her returns for the past decade or so. She says the Block representative asked her to bring back some paperwork she accidentally had taken with her two days earlier when she was there to file her return for 2007.

"I said, 'What, are you kidding?' " Ms. Mendoza says. She replied that she hadn't been to the Block office at all this year, hadn't filed her tax return for last year -- and isn't planning to use Block because she feels they charged too much last year.

Ms. Mendoza soon discovered that someone had filed a fraudulent return in her name. The thief had arranged to collect $4,005 through an instant loan and already has pocketed the money. "It was very upsetting," she says.

Ms. Mendoza says Block has assured her she will not be held responsible for the loan, but her woes are far from over. When she tried filing her tax return electronically, the IRS rejected it. That rejection was "very stressful," she says, because she needed that refund to pay her bills. Since then, she says, she has had to borrow money, mainly from friends. She recently filed her federal income-tax return on paper but doesn't know when she will get her refund. She has hired an attorney, Adam G. Taub, and Detroit TV station WXYZ reported on her story.

H&R Block says that it is "working closely with local authorities to assist them in their investigation" and will "continue to offer assistance to the taxpayer who was the apparent victim."

Refund fraud isn't the only type of tax-related identity theft. In other cases, the thief uses a stolen Social Security number to get a job in the U.S. In a typical case, that person's employer later files a Form W-2 reflecting the wages, and IRS data systems attribute those wages to the rightful owner of that Social Security number. Victims discover the problem after getting a startling notice from the IRS asking about unreported income.

IRS officials say they have taken steps to combat the problem. But the agency "has not done enough to improve identity theft procedures for victims of identity theft or to secure its filing system from fraudulent filers," Ms. Olson said in her report to Congress. IRS procedures "are reactive rather than proactive and assume taxpayers will have the wherewithal to contact the IRS and work their way through layers of employees until they reach someone with the authority to adjust the accounts," she said.

"Too often, victims of identity theft receive more scrutiny from the IRS than the perpetrators of identity theft," Ms. Olson said.

If you're stung by tax-related identity theft and are tied up in red tape, here's one suggestion: Contact the IRS's Taxpayer Advocate Service (www.irs.gov/advocate). That's the organization within the IRS, headed by Ms. Olson, designed to rescue people encountering "economic harm," people who already have tried resolving their tax problems through normal IRS channels or those who think an IRS system or procedure isn't working as it should. Each state and IRS campus has at least one local taxpayer advocate, who is "independent of the local IRS office and reports directly to the National Taxpayer Advocate," according to the IRS Web site.

"There is no sure way to prevent" getting hit by identity-theft criminals, says Brian Lapidus, chief operating officer of the fraud solutions division of Kroll Inc. But here are a few common-sense tips that may reduce your chances:

Beware of phony emails that appear to be from the IRS. "Phishing" scams can appear in many different forms and guises, but the basic purpose is to trick you into revealing personal and financial data, such as Social Security, bank-account or credit-card numbers. In a typical case, the email says you're entitled to a refund for a specific dollar amount. But first you have to click on a link in the email to get a special claim form, which asks you for personal information.

The IRS says it "does not send unsolicited email about tax account matters" to individuals, businesses, tax-exempt groups or others.

If you hire someone to do your taxes, be sure you know and trust that person well and have checked out his or her credentials carefully. You're handing over sensitive information that you don't want to fall into the wrong hands.

"Ask a trusted friend to introduce you" to an expert tax preparer, says Kroll's Mr. Lapidus. Or check with a certified public accountant, enrolled agent or tax lawyer.

In general, make every effort to protect the confidentiality of your key personal information, especially your Social Security number. Be careful to safeguard the privacy of sensitive personal data you store on your computer or your PDA. When choosing your password, don't use the word "password" or your birthday. And check your credit reports regularly to see if anything looks odd or suspicious.

If you do encounter tax-related identity theft problems, report them not only to the IRS but also to the FTC (www.ftc.gov).

Wednesday, February 27, 2008

Brochure has tips on identity theft

BY SUSAN TOMPOR • FREE PRESS COLUMNIST • February 27, 2008

A handy brochure on how to stop identity theft is popping up in mailboxes nationwide, courtesy of the U.S. Postal Service and the Federal Trade Commission. And frankly, I'd hang on to this one.

"Identity theft is something that gives consumers a fair amount of anxiety -- and the best way to deal with anxiety is information," said Betsy Broder, assistant director for the FTC's division of privacy and identity protection in Washington, D.C.

This brochure is packed with Web sites, phone numbers and plenty of tips on how to "Deter-Detect-Defend" and fight identity theft.

The brochures are being sent to every household in the United States as a way to educate consumers about various scams and the ways to prevent identity theft.

Keep tabs on bills

Some helpful resources listed in the brochure:

• Get your free credit report each year at www.annualcreditreport.com or call 877-322-8228. The law requires major nationwide consumer reporting agencies -- Equifax, Experian and TransUnion -- to give a free copy of your credit report (not the credit score) each year if you ask for it.

You may have to navigate through ads for other services at the free site, but if you pay attention you do not have to buy other services.

If you're a baby boomer who is taking care of an older parent, help your parent get a copy of his or her credit report, too. There have been cases in which a caregiver has stolen personal information.

• To report ID theft, file a police report with local law enforcement. You also should report the theft to the trade commission. You can go online to www.ftc.gov/idtheft or call the FTC identity theft hotline at 877-438-4338.

• Never click on links in spam e-mail, you know, e-mails that supposedly come from your bank, the Internal Revenue Service or your credit card company. You can see www.onguardonline.gov for more information.

"Your bank has your information. They don't need it from you," Broder told me by phone on Tuesday.

She suggests that consumers can minimize the damage if they scrutinize their bills each month, too.

You want to be able to spot if anyone has access to your bank account or credit cards.

Other big red flags: Bills that do not arrive as expected; calls or letters about purchases that you did not make and statements for credit cards that you never opened.

"The longer it takes to discover it, the more difficult it is to resolve," Broder said.

Thieves' tactics subtle

Sometimes, consumers know if a credit card is stolen. Or they know if someone broke into the house.

Yet some crooks are getting sneaky. Some have walked into offices and lifted a credit card or two from several individuals. They leave the entire wallet or purse behind, so you may not even realize for a while that a credit card was stolen. You may only know you've been scammed once you go to a restaurant or store.

"In half of the cases, people don't know how their information was compromised," Broder said.

Wednesday, January 30, 2008

It's Hard to Hide From Your 'Friends'

By VAUHINI VARA

January 30, 2008; Wall Street Journal

In November, users of social-networking site Facebook Inc. started seeing updates on what their friends had bought online. Last month, users of a Google Inc. news service began receiving lists of articles their friends and acquaintances had read online. And earlier this month, Sears Holdings Corp. let people type anyone's name, phone number and address on a Web site to learn about their Sears purchases.

All three examples have one thing in common: The companies allowed Web users to access personal information about other people they know -- sometimes without the knowledge of those people.

Online-privacy debates used to center on how Web sites share their users' information with the government, advertisers or complete strangers. But in recent months, a new question has emerged: How much should your friends and acquaintances really know about you?

Internet-privacy experts, and in some cases the users themselves, are demanding more controls on how information is shared with so-called friends. Web sites, in turn, are taking steps to make it easier for users to change their privacy settings and determine exactly which friends see what information.

The data-sharing issues grow as more companies take a page from popular social-networking sites like MySpace and Facebook that let their users create pages full of details like where they live and work, who they are dating, and what their weekend plans are. People can share that information with other people by adding them as "friends," a term usually taken to describe anyone they know. As that idea has caught on, Internet companies have taken it further. If people like sharing basic information, the thinking goes, they'll love sharing even more particulars -- like their shopping and reading habits.

"These companies think, 'Oh, neat, look what we can do,' but some consumers respond by saying, 'Wait, we didn't want you to do that,'" says Lillie Coney, associate director of the Washington D.C.-based Electronic Privacy Information Center.

No Easy Solution

For consumers, there is no silver bullet to solving these privacy issues because each Web site shares information differently. So right now the onus is on individuals to protect themselves by painstakingly visiting each site to change their settings.

Facebook in November introduced a marketing program called Beacon to keep its users on the site longer. In this feature, Overstock.com Inc., Fandango Inc. and dozens of other companies agreed to notify Facebook every time one of its users made a purchase on one of their sites. In turn, Facebook began notifying those users' friends of the purchases.

Rachel Hundley, a law student in Chapel Hill, N.C., experienced this firsthand. After the 24-year-old bought a dress and some shoes on online retailer Overstock, the online retailer notified Facebook of the purchase. Facebook in turn sent a message telling several of Ms. Hundley's friends about it. The next day, a friend commented on her "cute dress." Ms. Hundley says she was "disgusted" by the experience, saying she wanted more control over how her information was shared.

When she tried to fix the situation, she faced hurdles. She first checked a box on Facebook asking the site never to tell her friends about her Overstock purchases. But when she later looked over her privacy settings, she realized she also needed to check a separate box to keep the Web site from telling her friends about activities on other sites outside of Facebook.

Responding to criticism from Ms. Hundley and others, Facebook changed its privacy settings in December, making it easier to opt out of the program altogether. Still, because of the backlash, Overstock.com pulled out of the arrangement, although other retailers remain.

Jennifer King, a privacy researcher at the University of California at Berkeley, suggests several privacy-strengthening steps for people who use services like email, photo-sharing and social-networking sites that allow users to create lists of "friends." Ms. King recommends adding someone to your list of "friends" only if you really know them. She also advises considering how sharing a message, photo or personal detail online could later embarrass or harm you.

"Pretend you're sharing it with everyone at a party -- and that they're all holding video cameras," Ms. King says.

Here is a guide for some ways to take control of your information on some of these services:

On Facebook, start by clicking on the "privacy" link at the site's top right-hand corner. You can click on the links to "profile," "search" and so on to determine who can see your information. A surefire way to avoid showing information to strangers is to choose "only my friends." But if you want to hide details even from some friends, put them on what's known as a "limited profile," a bare-bones version of your profile.

To stop Facebook Beacon altogether -- as Ms. Hundley did -- click the link to the privacy page. Then click on "External Websites" and check the box labeled "Don't allow any Websites to send stories to my profile." ("Stories" are Facebook-speak for "updates about me.")

Tackling Privacy Concerns

Facebook plans to let users organize their friends into groups and choose exactly which information each group gets to see, says Chief Privacy Officer Chris Kelly. He says about 20% of Facebook users have tweaked their privacy settings in some way but declines to say what percentage has opted out of Beacon. "People have different tolerance levels, and the best way to address that is to give them more transparency about what's being shared and more control over what's being shared," he says.

News Corp.'s MySpace, like Facebook, notifies its users when one of their friends has a birthday, posts new photos or adds new information about themselves to their profiles -- though it doesn't tell users what their friends do on sites outside of MySpace, as Facebook does with Beacon. MySpace has its own privacy settings, which it details in the privacy page accessible via a link in the top right-hand corner of MySpace. The company declined to comment on privacy policies.

Review Privacy Settings

Beyond these companies, there are scores of other sites that allow users to share personal information, from photo-sharing sites like Hewlett-Packard Co.'s Snapfish to Amazon, which lets people share details with others about what they've been reading. Be sure to review your personal profile and read the sites' privacy policies.

Established Web companies like Google are also adding features to let people share their online activities with others. In December, Jonathan Rawle, a 28-year-old physics researcher in Didcot, England, logged onto Google Reader, a service that lets users keep track of new articles and blog posts and read them without leaving Google's service. The service also lets users "share" items with certain friends by clicking a button.

This time, Mr. Rawle saw a list of items that someone named Roger, whom he didn't know, was sharing with him. Google had recently begun guessing who its Google Reader users' friends are, by tracking their habits in Google's instant-messaging service, Google Talk, and then automatically sharing items with those people. That meant if Mr. Rawle clicked the "share" button to send a news item to his real friends, Roger might see it, too. Mr. Rawle says he now refrains from sharing items altogether.

A Google spokesman says the company is considering adding more privacy controls, but for now, the only way to avoid sharing with a specific person is to delete that person from your address book in Google Talk. The company doesn't share the data with third-party companies.

At Sears, a spokeswoman says the purchase-tracking service -- which was available at ManageMyHome.com -- "was added to provide our customers with easy access to useful information about products they have purchased from Sears." Sears took down the feature, she says, after the company received privacy complaints.

Friday, January 18, 2008

How to Protect Your Private Information

Your life is an open book online. It doesn't have to be.

January 29, 2007; WSJ
By MICHAEL TOTTY

"On the Internet," as a New Yorker cartoon famously observed, "no one knows you're a dog." Thanks to the ease of finding personal information online, that may be the only thing about you they don't know.

Indeed, for anyone who knows where to look, your address, phone number, birth date and more are only a few clicks away. Dedicated searchers can easily turn up property records, unlisted or cellphone numbers, and even more sensitive information such as Social Security, credit-card and bank-account numbers. In Broward County, Fla., a simple search through pet licenses can in fact tell whether you're a dog -- or at least whether you have one.

It's enough to make anyone feel...exposed. Do we really want our friends, our neighbors, our colleagues -- or any stranger, for that matter -- knowing so much about us? Do we want them to know even the small stuff: where we've lived, how much we paid for our house, how old we are, how they can reach us?

For many of us, the answer is no.

The semi-good news is that our lives don't have to be quite such an easily opened book. Privacy advocates and professional investigators say people can shield at least some personal information from online snoops.

"There are things individuals can do," says Charles Wood, an information-security consultant in Sausalito, Calif. "You're going to have to work on it, it's going to take some time, and we're going to have to wait for better laws. This isn't something they need to throw their arms up about."

The semi-not-so-good news is that it may not be possible to erase completely your online traces. Many details are contained in public records, like voter lists, property records and court filings that increasingly are being placed online. Trying to keep these records private could take more time or money than many people are willing to spend.

To make sure that these documents can't be used by identity thieves or stalkers, privacy advocates are promoting legislation requiring states to remove or block out especially sensitive facts, such as Social Security or bank-account numbers that might end up in bankruptcy filings, property deeds and other public documents. For instance, after it was discovered that Florida counties had put documents online containing Social Security numbers, including that of Gov. Jeb Bush, the state adopted a law requiring counties to remove those numbers before posting documents online.

But such laws may be slow in coming, if they come at all. And they go after only a small portion of our online tracks. What follows is a guide based on recommendations from privacy advocates, investigators and others for taking control of one's online information.

KNOW THYSELF

People vary in how sensitive they are about others being able to see their personal information. Just as businesses should assess their actual risks before spending time and money on security measures, individuals need to do the same before beginning to clean up their online identity.

Some people may not care if some of the personal details of their lives are online, or they figure there aren't enough details available to worry about. For others, the risk of identity theft or the desire to limit email spam and other marketing pitches is enough reason to make some effort to get a handle on their online information. Then there are those people, such as high-profile executives or celebrities, as well as victims of domestic violence and stalking, who may want to take stronger measures to shield their private details from online snoops.

People "really need to be clear about what they want to achieve, and the rest will be a function of that," says Mr. Wood, the security consultant.

KNOW WHAT'S OUT THERE

Privacy advocates advise those worried about identity theft to monitor their credit reports regularly. The same is true about one's online identity.

Beth Givens, the director of Privacy Rights Clearinghouse, a San Diego-based advocacy group, says most of the consumer complaints her group receives come from people who have suddenly found details about themselves during a routine online search. "People are just really shocked that anyone can sit down at a computer" and find personal information, Ms. Givens says.

Indeed, an "ego search" for one's own name on any of the popular search engines can be an eye-popping experience for most people, turning up newspaper articles, postings to Internet discussion groups, professional licenses or a passing mention in a friend's blog.

Of course, any simple search will turn up a lot of other people with the same names, especially for those with common names. Given how widespread it has become to "Google" prospective dates, the parents of children's playmates or new neighbors, it's just as worthwhile to uncover such cases of mistaken identity.

For instance, a recent Google search for my own name, "Michael Totty," mostly returned the kind of results expected for a journalist -- reprints of published articles.

But it also contained an Amazon.com profile and "wish list," which I had created for people who know me, not for the world to see. And it turned up the owner of a private airport in northern Arkansas, an English worker who was seriously injured during the construction of the Channel Tunnel and an appeals-court ruling from Tennessee concerning the case of a Michael David Totty who was convicted of theft and burglary. Will people who look me up, I wonder, think I am the Michael Totty convicted of theft? Sometimes, a mistaken identity can be as problematic as a stolen identity.

But a basic search is only a start. The Web features dozens of sites where you can hunt for personal information about people -- from addresses and phone numbers to a full background check that covers criminal and sex-offender records, bankruptcies, liens, and relatives and associates. Most of these "people search" sites charge fees for a detailed background check, but a surprising amount of personal information can be uncovered at no charge.

One of the most widely used is two-year-old ZabaSearch, a free, advertising-supported site from Zaba Inc. Type a name into its simple Google-like search box, narrow the search by state, and the site comes back with a list of names and addresses -- and in many cases phone numbers and year of birth. The site also contains paid links to services that provide more-detailed background searches for a fee.

For instance, an all-state query for "Michael Totty" turned up 50 listings, including my current and previous two addresses and phone numbers and the correct birth year. Some of the listings weren't about me, but the site found quite a bit of personal information about me that was accurate.

The spread of blogs and social-networking sites such as MySpace.com provides a treasure trove of information for snoops, and a nightmare for the privacy-conscious. Cynthia Hetherington, managing director of the corporate strategic intelligence unit of Aon Corp.'s consulting practice, advises high-profile executives on managing their online identities. She tells of a job candidate for a Wall Street investment group who was rejected after recruiters discovered comments on his wife's blog about allegations of sexual harassment at his previous employer.

COVER YOUR TRACKS

It is possible to clean up many of these online traces, but it can be a difficult and time-consuming task. And, privacy experts warn, there's no assurance that everything will be removed.

Many sites make it possible to have one's name removed from their search results, though it usually isn't easy. Intelius Inc., Bellevue, Wash., will let anyone "opt out" of the company's online people-search results by mailing or faxing a letter with the person's name and address as it appears on the site. But Intelius cautions that the request doesn't remove the person's information from its public-records database, so the person's information might reappear when Intelius refreshes its listing with new records -- requiring another request for removal.

"If you're going to ask us to suppress this information, we have to make sure you're who you say you are," says Ed Petersen, Intelius's executive vice president of sales and marketing. To that end, Intelius requires anyone requesting removal to verify his or her identity -- for instance, by faxing a copy (with the photo blacked out) of a driver's license or other government identification.

US Search, a unit of First Advantage Corp. in St. Petersburg, Fla., says on its Web site it will make "good faith efforts" to remove personal information when requested, but requires that you mail a signed letter complete with full name, email and mailing address, Social Security number and other personal details. (The Privacy Rights Clearinghouse Web site contains a comprehensive list of data brokers and their opt-out policies.)

While repeatedly removing your name from these sites can become tedious -- after all, it may involve dozens of sites -- it eventually will pay off. "This is a short-term fix, but when monitored every few months becomes effective in keeping your name out of their search engines," says Ms. Hetherington. "Getting to this point is a big win for the [person] who wishes to preserve a little privacy and avoid old college chums they'd sooner forget."

At least one service has sprung up to assist people who want to remove their names from these people-finder sites. MyPublicInfo Inc. in May began offering its IdentitySweep service, which for $4.95 a month will comb about 50 different directory sites for personal information. At the consumer's request, the Arlington, Va., company will then fill out all the required opt-out forms and will monitor the sites to make sure the information stays removed.

Chris Mueller, a marketing consultant in Northern California, signed up for the IdentitySweep service because she was worried about identity theft. Since starting the service this spring, she has used it to remove her name from a handful of online directories. "It's one of those 'sleep a little better at night' things," Ms. Mueller says.

In some cases, it pays to go directly to sites to ask that they remove personal or otherwise embarrassing information. One of Ms. Hetherington's clients, a rising investment banker who previously had been a beauty-pageant winner, found her swimsuit-competition photos in a Google search. The client sent several requests to the Web site that hosted the photos, asking to have them removed. She succeeded only after promising the site's Webmaster an autographed picture -- in an evening gown.

Removing personal information from public records can be more difficult, but states are becoming more cognizant of the easy availability of sensitive information in electronic documents. In Florida, where counties have been required for years to make official records available online, people can request to have sensitive details blacked out in posted documents. This system was in place before the law requiring counties to remove the details took effect.

GUARD YOUR INFORMATION

Most privacy advocates say the best way to shield your online identity is to avoid giving out personal information in the first place.

"Once it's out, it's impossible to rein in," says Chris Hoofnagle, senior fellow at the University of California's Berkeley Center for Law and Technology. "It can be recontextualized and used for purposes not anticipated by the individual."

This can be as simple as not signing up for supermarket loyalty cards, not mailing in those ubiquitous warranty cards that come with new purchases (the information is frequently sold to marketers and ends up in online databases) and not entering sweepstakes. Be especially careful about disclosing personal information in discussion groups, chat rooms or blogs. Limit exposure to spammers by not including your email address on Web sites. If you do include it, try to present it as a button or some other graphical element -- regular text can be read by automated programs ("bots") that scour the Internet looking for information.

Getting an unlisted phone number can partly shield it from prying eyes, but not completely. Unlisted numbers can still end up in online databases because marketers and investigative firms can buy unlisted numbers from outfits such as toll-free services and pizza-delivery companies. Mr. Hoofnagle also recommends that privacy-conscious consumers request that wireless and land-line phone companies not resell their calling information.

Protecting Social Security numbers is probably most important, since identity thieves can use the data to get credit under victims' names. Privacy advocates advise job hunters not to include the numbers when posting résumés online.

Mr. Hoofnagle and other privacy advocates recommend that consumers give out the numbers only for tax, credit and unemployment purposes. "There are four things you should ask when someone asks for a Social Security number," says Diane Stubbs, a private investigator in Scottsdale, Ariz. "How will you use it, how will you protect it, is it really necessary for this transaction, and what if I don't give it to you?"

Since much information comes from such common sources as property records and utility-service requests, security consultants advise those who are really serious about protecting their privacy -- high-profile businesspeople or victims of stalking or domestic abuse -- to take more-aggressive measures.

For instance, many executives and celebrities set up special land trusts that enable them to buy property and start utility service anonymously. Although typically used to shield landlords and other property owners from litigation, Ms. Hetherington and others advise clients to use land and other trusts to keep names and addresses out of public databases.

START YESTERDAY

Unfortunately, all these efforts take time to bear fruit, while information already online remains available to anyone with time, a computer and an Internet connection.

"If someone wanted to limit this kind of information," says Ms. Stubbs, the private investigator, "they should have started years ago."

Sunday, January 6, 2008

AT ISSUE: SMART PHONES

Handheld devices are a security risk
Workers' remote wireless access to documents lets hackers grab data

January 6, 2008

By WAILIN WONG
CHICAGO TRIBUNE

Smart phones are poised to become the next major security challenge for businesses.

For now, a good rule of thumb for on-the-go workers is: "If you don't need to do it, don't do it," said Aaron Cohen, chief executive of the Hacker Academy, a Chicago-based firm that provides security training for companies and government agencies. Cohen warned against idly checking e-mail or opening sensitive documents on a handheld device unless it's absolutely necessary.

Security experts say that, in general, business-oriented smart phones come from the manufacturer with decent built-in safeguards, such as encryption and firewalls.

But consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work.

In a Computing Technology Industry Association survey conducted this year of 1,070 small businesses in North America, 60% of firms said they've seen an increase in the past year in security issues related to the use of handheld computing devices.

Chris Nickerson, a Denver-based security specialist at Alternative Technology, said the concern for businesses is whether these phones "will cause so much of a risk that they will eventually ... just be banned from corporate environments."

Laptops, smart phones and PDAs give employees the ability to work from home or travel far from the office, all while transporting the information they need on their mobile devices. But the increasing ease of working remotely is creating a growing set of security concerns for companies.

Workers on the go "still want access to the same data applications that they have if they're sitting at their desk in their office," said Steven Ostrowski, spokesman for the Computing Technology Industry Association. "Mobility is a great thing ..." but "every one of those individuals that's accessing the network remotely is a security risk."

So far, there haven't been any high-profile epidemics of mobile viruses like the "I love you" worm for PCs that spread rapidly around the world in 2000. But developers have demonstrated the destructive potential of such worms.

The "Cabir" virus, which first appeared in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as "Commwarrior.A," replicated itself by sending a picture or text message to people in the infected device's contacts list.

Theft is a bigger issue now.

Nickerson said he walked through an airport carrying a suitcase that contained a device that sucked up hundreds of megabytes of contact information and other personal data through unprotected Bluetooth connections.

Nickerson has used the same machine in the offices of his corporate clients. The gadget searches for Bluetooth devices for which users haven't changed the manufacturer-provided default passwords. The machine enters the default password and accesses information through the open Bluetooth connection.

"You'll be amazed," said Nickerson, who is featured in a cable TV program that follows his team as it infiltrates corporate security systems. "You'll look at this hard drive when you're done, and you'll see everything from pictures of people's families to user names and passwords and financial data."

Someone using a company laptop to send data from a nonsecure Wi-Fi hotspot could unwittingly have that information monitored. Neglecting to set new passwords on phones and other devices leaves them vulnerable. Companies also face the headache of theft or misplacement of phones, external hard drives and pen-size flash drives.

While hacking once was about bragging rights or cyber vandalism, security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks grows in volume and value.

Terry Kurzynski, CEO at Chicago-based Halock Security Labs, said a stolen credit card with an accompanying security code can fetch at least $9, compared with $1.50 for just the number and its expiration date.

Ostrowski, of CompTIA, said a greater emphasis on training will help companies communicate to their employees that there's a trade-off between convenience and security risks.

"Security has to come out of the IT department," Ostrowski said. "It can't be relegated to the geeks anymore. It has to be part of the corporate culture."

Saturday, January 5, 2008

Passport Technology Draws Security, Privacy Concerns

ASSOCIATED PRESS
January 2, 2008

WASHINGTON -- Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance.

The technology was approved Monday by the State Department, and privacy advocates were quick to criticize the department for not doing more to protect information on the card, which can be used by U.S. citizens instead of a passport when traveling to other countries in the Western Hemisphere.

The technology would allow the cards to be read from up to 20 feet away. This process only takes one or two seconds, said Ann Barrett, deputy assistant secretary for passport services at the State Department. The card wouldn't have to be physically swiped through a reader, as is the current process with passports.

The technology is "inherently insecure and poses threats to personal privacy, including identity theft," Ari Schwartz, of the Center for Democracy and Technology, said in a statement. Mr. Schwartz said this specific technology, called "vicinity read," is better suited for tracking inventory, not people.

The State Department said privacy protections will be built into the card. The chip on the card won't contain biographical information, Ms. Barrett said.

The card vendor -- which has yet to be decided -- will also provide sleeves for the cards that will prevent them from being read from afar, she said.

A 2004 law to strengthen border security called for a passport card that frequent border crossers could use that would be smaller and more convenient than the traditional passport. Currently, officials must swipe travelers' passports through an electronic reader at entry points.