I Get Asked the Darnedest Things – Including How to Protect Ill-Gotten Gains

March 5, 2012

I recently spent a week teaching several hundred students, teachers and parents in several schools and school districts across North Carolina. The sessions are always great, but since there is never enough time to answer everyone’s safety, security and privacy questions, I encourage listeners to leverage the “Ask Linda” section on my website.

The questions I typically get asked range from “is _____ a strong password” to questions about situations that need immediate intervention. However, among the many follow-up questions from this trip came my first request for assistance in protecting stolen funds. The audacity and irony in the email are just too good not to share, so with identities hidden, here’s the original email – and my response. Enjoy.

On 12/16/2011 “Michael”:

Today, you spoke at my school (xxxxx). The talk was the best I have ever heard at a school event because during 2009-2010 I recovered other people’s old RuneScape accounts. I learned many ways to look up people, many of which you mentioned today. I have since stopped recovering because many people have found out this easy way to make money and so there are far fewer unused accounts to steal. I also did a fair bit of phishing on the system pelican (fish.in.rs) which is a mass mailer of RuneScape phishers, so all I needed was an email address owned by a scaper.

Since then, I have been sitting on a few thousand dollars’ worth of RuneScape currency. With college coming up, I am hoping to sell this on the RuneScape black market sythe.org. The preferred method of communication of most members is MSN which I saw on your website that you used to work for. One of the questions I had for you is: can another person that is chatting with you on MSN get your IP address? I have heard many hackers claim they can get IPs through Skype, MSN, and email communications.

On another note, I plan on majoring in mathematics and becoming an investor.  However, I am wondering what classes are recommended to become an internet security consultant such as yourself.

Enjoy your stay in North Carolina,




The answer to your question is yes, MSN or Windows Live uses the Microsoft Notification Protocol that carries the client IP address in some of its headers. While I’m pleased that you found my internet safety, security and privacy presentation to be useful, I’d say that given your phishing and account theft activities the field of security is not the right one for you, and recommend you stick to investing.



It is Absolutely Critical that you Understand YOU Are the Digital World’s Currency

October 15, 2011

In order to truly be a “free” website the provider cannot charge you fees, collect your information to sell, rent, lease, or share, or put advertising in front of you. Needless to say, there are very few truly free websites; most that are truly free are government, institutional, school, or non-profit websites, though even many of these types of organizations advertise and sell consumer information.

The way most ‘free’ services make money is not by selling advertising. What they sell is access to you, and information about you to advertisers, marketers and researchers, and others.

Your information is the commodity that drives the internet economy. It is collected through your online actions and the information you share, as well as through the exposure of your information by others.

Every piece of information you post, and every action you take online has value to some company or someone. That isn’t necessarily a bad thing. This trade in information lets you use the websites without paying money for your access. Your information helps companies provide you ads that are more targeted to your interests. It helps researchers and companies know what kind of products to design, and so on.

If you read a website’s terms and conditions you should be able to see just what information is being collected and how it is shared, though many companies make it very difficult to understand the full scope of their use of your information.

In addition to the information the hosting site is collecting and monetizing, an entire new industry has been created just to collect all the information posted by you or about you on any site – including government sites – to sell, rent, share, etc. to any interested party – see my blog Civil Rights Get Trampled in Internet Background Checks to learn more on this particular aspect.

And the data collection and reuse does not end with the hosting company or data collection companies. Your information is also collected and used by recruiters to make their hiring or enrollment decisions, by potential dates or friends, and by journalists interested in interviewing you. It’s searched by charitable organizations that are looking for sympathetic individuals to ask for charitable donations. And your information is collected and used by far less pleasant people who want to use the information for things like bullying, cyberstalking, identity theft, home robberies, and other crimes.

To really understand your digital value and how this may have consequences far beyond those you feel comfortable with, let’s look at an example.

“Jenny” is 65. She loves using the internet to research information and stay in touch with friends and family. She’s on Twitter with friends, on Facebook with her grandchildren, and on a social networking site for seniors with her interests.

In Jenny’s profile she provides her full name, age, and location. She’s included a short line or two about her interests – chamber orchestra music, gardening, wine and photography. She’s taken a couple of online quizzes of her likes and dislikes which makes it easier for new people to see if they have something in common with her.

In one blog post she notes that she’s fed up with the democratic agenda. In another she talks about her grandkids that come to her house twice a week after school.  She complains that her knees and back hurt twice a week – on the days after her grandkids are over. And she says she hates exercising as much as she ever did, but that it’s even harder to get motivated since her mastectomy.

She tweets from the same doughnut shop every morning where she meets up with friends. On her senior site she joins a wine aficionado group and slyly acknowledges that while she only has one glass of wine a day – she frequently refills that glass several times over!

The photos Jenny has posted are of grandkids, her dog and nature shots.  There’s nothing embarrassing in what she’s posted, she wasn’t mean to anyone, but she doesn’t really understand the far reaching ramifications of what she posts.

How do others use this information?

The web service companies she uses collect this information – as well as information about the website she was on before she came to their site (ah, she banks at Chase) and the website she navigates to when she leaves (oh, she went to the appointment scheduling page of a doctor in the ABC medical practice). They collect the type of computer/phone being used (wow, that’s an old HP!), its operating system, IP address, location, etc.

The web service companies are likely to cross tab this information with other information collected by data aggregators from government websites, like Jenny’s birth certificate – parents’ names, place of birth, date of birth – which, when combined with records where Jenny has entered the last 4 digits of her social security number, provides her whole SSN – see my blog Kids and Financial ID Theft; a Growing Issue to learn how SSNs are deconstructed.

Data aggregators have also collected the birth certificates of her children and grandchildren, her voter record, criminal record (clean), driving record (two speeding tickets in past 18 months). They’ve also gathered information on her deceased husband, what he did for a living (and her projected retirement funds), and information about her home, and previous properties she’s owned.

Crawling the web, data aggregators also see where she’s donated to charities, what her friends are saying about her, what information is discoverable through her photos, and the vehicles she has registered (one car, one boat).

And so on.

What surprises Jenny is that when she chooses to switch auto and boat insurers, she’s denied because of her potential drinking problem, which combined with her speeding tickets could be an expensive mess for the insurance company. She is also denied when she tries to purchase some life insurance – anyone who eats doughnuts every morning, hates to exercise and has already had cancer isn’t seen as a good risk.

Donation requests from music organizations, and catalogs from gardening and pet supplies companies, start showing up on a whole slew of websites Jenny visits online – and more arrive in her mailbox.

Her granddaughter discovers she will have to pay more for medical coverage because the insurance company learned through Jenny’s posts that breast cancer runs in the family.

Jenny falls for an ID theft scam that looked like a request for information from her doctor’s office asking her to reconfirm her billing and insurance data for their records.

To make matters worse, Jenny came home last week after her daily doughnut shop meet up, to find her home had been broken into. All of her photography equipment was stolen.

Once Jenny recognized how information she posted was affecting her, and her family members, she immediately took down some of her posts. Unfortunately, the data aggregators, and web service companies still have their data sets, so the damage is permanent.

If you take this scenario, and expand it to all the communications, contacts, and digital data collected about you, you’ll begin to see the magnitude of the financial model behind web services and data aggregators.

I am frequently asked why internet service companies don’t do a better job in giving their customers what they want. The answer to this is simple; they are giving their customers what they want – and what they want is your data.

In short, while you are the consumer of a website’s services, you are not the service’s customer – the customers are the companies paying to get access to you and your information.

A great illustration of this concept was created by the people behind Geek and Poke, and though the company targeted in the cartoon is Facebook, the concept applies to every other web service or product that makes their money behind the scenes.

As you provide information consider how it is being sold, bought, or simply taken and make sure you’re okay with potential outcomes now and over time.

Learn more about the commodity model in this blog When it Comes to Online Ad Tracking, You Can Opt out Any Time You’d Like – But Can You Ever Leave?

Note: ilookbothways.com does not collect, trade, sell, or use any information about our readers, nor do we accept any advertising on our site. The occasional ad that does land on our pages is NOT associated with us in any way.


Florida AG’s Office Estimates over 500k Kids ID’s Stolen Each Year

October 4, 2010

Although statistics are not kept on identity theft victims under 18, estimates indicate the crime affects more than 500,000 children nationally each year, according to the Florida Attorney General’s Office in an article in the Palm Beach Post.

The article goes on to quote Linda Criddle saying:

Children’s SSNs are highly prized because children have no credit history, said Linda Criddle, president of the Safe Internet Alliance in San Diego. She warns that theft of children’s SSNs is on the rise.

The two primary threats to children’s financial identities are family members, even parents, who want to open a new line of credit, and professional thieves who use computers and public information to find SSNs, Criddle said. They use sophisticated programs to search for the numbers through databases kept by schools, doctors and insurance companies. The criminals then sell the unblemished numbers to people who use them to obtain credit cards and rack up huge debts they will not have to repay.

Criddle offers these suggestions to reduce your child’s risk of financial ID theft:

  • Keep Social Security cards locked up. These don’t belong in wallets or loose in your home where others may come across them.
  • Tightly restrict sharing your child’s SSN. You may be asked to provide your child’s SSN in many circumstances, such as to enroll him or her for a sports team, or at the doctor’s office. However, you do not need to give their SSN – you can show other evidence of age or information that your health care provider needs for billing.
  • Teach your children not to share their SSNs. When they are applying for jobs, at which point they finally do have to share the number, make sure the employer and company are legitimate so the risk of resale is low.
  • When creating a bank account for your child, set up only a savings account and make sure there is no overdraft protection included.
  • Monitor your child’s credit as you do your own. If you wait until you see a red flag, a lot of damage may have occurred, and often you’ll see no red flag at all until your child seeks credit. Running a credit report does introduce some risk, but you can mitigate this by freezing their credit. This way, if the very act of checking your child’s credit history generated a credit file you have squashed the chances for abuse. Unfreeze their credit when they do seek a loan.

To read the full article, click here.


Kids and Financial ID Theft; a Growing Issue

September 11, 2010

Stealing children’s social security numbers (SSNs) to use or sell is not new, but it is becoming more widespread. The problem is expected to get worse before it gets better, according to the Associated Press.

Financial identity theft has grown into a multibillion-dollar problem, and at least 7% of the cases that are reported target children’s identities. The actual number of child victims may be much higher, as the theft of a child’s financial identity is often not discovered until the child applies for credit.

It is precisely because kids aren’t seeking credit that theft of their Social Security numbers is so lucrative. The allure of an untainted SSN (one with no credit problems) is in the opportunity it represents for creating fake lines of credit and running up high debts.

How kids’ financial ID theft happens

There are two primary threats to kids’ financial identities. The first comes from family members looking for a new line of credit. They steal their children’s, nieces’ or nephews’, even younger siblings’ identities, primarily to use themselves to create new lines of credit.

The second threat comes from criminal businesses that use computers and publicly available information to find Social Security numbers for which no line of credit has been established. You may wonder how criminals steal numbers that aren’t in any system, but that’s the beauty of it. They don’t have to know whose SSN they’re stealing, they just have to find SSNs that are legitimate and have no credit history.

The way these criminals collect the SSNs is tied to the antiquated method by which SSNs are generated.

SSNs have three sections. The first three numbers represent the state in which the SSN was issued (after 1972 they represent the zip code). For example, anything between 001 and 003 issued before 1972 was issued in New Hampshire.

The second set of numbers in the social security string represents a specific window of time during which the number was generated, quickly identifying the age of the legitimate SSN recipient.

The last four digits are the only random numbers – and ironically those are the ones you’re asked to provide most frequently. Knowing how SSNs are created, criminals can use a computer program to anticipate the next set of numbers to be generated, then they can test these to find which are legitimate.

Criminals then take these SSNs and sell them to people who want credit they can use to accumulate huge debts they won’t have to repay. These numbers sell for anywhere from a few hundred to several thousand dollars apiece.

“When a creditor gets a request in with a valid SSN, one that they can confirm has been issued, they don’t get information telling them to whom the number was issued,” says Linda Foley, of the Identity Theft Resource Center (ITRC), an organization that offers counseling and resources to identity theft victims.

“That’s not information Social Security gives out.  Nor is it information that the three credit reporting agencies have access to.”

From that point, it is easy for the thief to put down his name, a date of birth, and a reasonable excuse for why his Social Security number had been issued recently.

Once the purchaser of the stolen SSN defaults on their loans, the credit line is shut down and that SSN is no longer of use – but serial SSN thieves simply buy a new SSN and continue running up debt. Assistant US Attorney Linda Marshall from Kansas City states, “If people are obtaining enough credit by fraud, we’re back to another financial collapse. We tend to talk about it [identity theft fraud] as the next wave.”

Because SSNs with no credit line often come from young children who have no money of their own, these numbers are ideal candidates for opening a new, unblemished line of credit. Add to that the low likelihood that anyone is monitoring that child’s financial identity, and crooks have a winning combination.

Julia Jensen, an FBI agent in Kansas City, recently discovered a ring of criminals using public searches to identify SSNs without credit lines while investigating a mortgage-fraud case. “The back door is wide open,” she said, comparing the businesses that sell the numbers to drug dealers.

“There’s good stuff and bad stuff,” she said, referring to the value of a stolen SSN. “Bad stuff is a dead person’s Social Security number. High-quality is buying a number the service has checked to make sure no one else is using it.”

Unfortunately, experts say, it’s nearly impossible to prevent the fraud because it’s so easily concealed and targets such vulnerable people.  “There’s no way to protect your child completely,” says Foley.

The difficulty in protecting children’s SSNs and financial identity is multifaceted:

  1. Financial ID thieves are using sophisticated programs to search for dormant SSNs through databases kept by schools, doctors, and insurance companies, which typically require children’s Social Security numbers be provided.  Rapidly evolving methods used for selling the numbers make tracking this kind of theft particularly difficult.
  2. Credit issuers typically do not keep track of the age of Social Security number holders, so they cannot alert families when a child’s number is being used – something Foley’s organization has been trying to change since 2005, and a protection she considers vital for preventing child identity theft on a large scale.
  3. Even parents who routinely check their own credit information rarely think to check reports for their children, particularly if the children have not yet begun to work. But if a SSN is compromised, criminals can run up tremendous charges in a child’s name.
  4. The methods and locations used to sell SSNs change frequently, and may be camouflaged under legal transactions. Some of these sketchy companies have impressive, high-tech websites. Others advertise on sites like Craigslist.

The impact of financial ID theft on a child

It takes time and a lot of work to restore a financial reputation, and the repercussions of a damaged credit score can impact a child for life. As they seek loans for college, cars, and homes, they may struggle to qualify and be permanently subject to higher interest and mortgage rates.

Someone has to pay the debts accrued against that SSN. Sometimes it’s the victim or the victim’s family that pays. More often it’s the businesses that sold whatever goods were purchased that get stuck with the costs, which of course get passed on in the form of higher prices for all their customers.

Reduce your child’s risk of financial ID theft

  • Keep Social Security cards locked up. These don’t belong in wallets or loose in your home where others may come across them.
  • Tightly restrict sharing your child’s social security number. You may be asked to provide your child’s SSN in many circumstances, such as to enroll them for a sports team, or at your doctor’s office. However, you do not need to give their SSN – you can show other evidence of age or information that your health care provider needs for billing.
  • Teach your child not to share their SSN. When applying for a job, make sure the employer and company are legitimate so the risk of resale is low.
  • When creating a bank account for your child, only set up a savings account and make sure there is no overdraft protection included.
  • Monitor your child’s credit as you do your own. If you wait until you see a red flag, a lot of damage may have occurred, and often you’ll see no red flag at all until your child seeks credit. Running a credit report does introduce some risk, but you can mitigate this by freezing their credit. This way, if the very act of checking your child’s credit history generated a credit file you have squashed the chances for abuse. Unfreeze their credit when they do seek out a loan.

Red flags that your child’s financial ID has been stolen

There is no silver bullet to protect your child from ID theft, but there are some red flags:

  • Your child receives unsolicited credit offers in his or her name, or notices from debt collectors.
  • Someone who has access to the child’s SSN has sudden prosperity.
  • You get a notice from the IRS saying the SSN you used on your tax return (or on their tax return) is a duplicate number.
  • Your insurance company denies a claim for your child because they have already covered the procedure.
  • The bank notifies you, when you go to establish a savings account for your child, that an account using that SSN already exists.
  • You receive a warrant for a traffic violation for a child without a driver’s license.
  • Your child is denied government assistance because records show they are already receiving benefits.
  • You get a request for a job verification when your child has never had a job.

If your child’s credit has been compromised, take immediate action

Report any suspected theft of your child’s financial identity. Use the Federal Trade Commission’s Web site to find and follow the steps needed to report fraud. Or call their toll-free identity theft hotline at 1-877-ID-THEFT (438-4338). THEN call Social Security. You may also want to visit the ITRC’s website for facts and information, or call its hotline at (888) 400-5530.

What’s happening to reduce the risks

The non-profit Identity Theft Resource Center has proposed a solution to the growing problem of illegal use of children’s SSNs: the creation of a Minors 17-10 Database, which would provide not only the Social Security numbers, but also first and last names and birth month and year, to credit organizations, departments of motor vehicles, and other institutions that require a Social Security number for background checks. The information would be kept until the child is 17 years, 10 months old. This age was chosen, Foley said, because this is the time when teenagers are putting in paperwork for student loans and other credit forms.


T-Mobile Confirms Biggest Data Breach; Affords Glimpse of Internet’s Financial Underbelly

November 17, 2009

Thousands of personal record details of British T-Mobile customers were stolen and sold by an employee for “substantial sums” to rival carriers, putting a spotlight on the unlawful trade in personal data in the UK.

According to an article in the Guardian, the employee allegedly sold the account information to a number of “brokers”, who then resold the data to competing mobile services so they could target T-Mobile customers.

“The number of records involved runs into the millions, and it appears that substantial amounts of money changed hands,” according to Christopher Graham, the UK’s Information Commissioner. “We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data.”

Pressing for change, Graham said “More and more personal information is being collected and held by government, public authorities and businesses. In the future, as new systems are developed and there is more and more interconnection of these systems, the risks of unlawful obtaining and disclosure become even greater. If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained, effective sanctions are essential.”

Why this matters

It is not just Social Security numbers, account numbers, and driver’s license numbers that have value to criminals and legitimate corporations alike. In the data age, you are a commodity. Every piece of your personal information, your preferences, your relationships to others, your financial value, information about services you currently use, your location, even your emotions has significant economic value.

Given the value of the data, the temptation to steal and sell it is huge – there’s a reason that over 340 million personal data records have been breached in the US alone since Jan. 2005.

Companies and criminals purchase this information to help design products (including malware), shape and target advertising (and fake ads), even help build socially engineered scams tailored to you.

The Information Commissioner is right. Slapping small fines on those who steal and sell consumers’ private information offers little deterrent when the data sellers can collect premium prices. When the only consequence is a fine, it’s nothing more than another cost of doing business.

In the T-Mobile case, not only should the T-Mobile employee who stole the information receive a strong punishment, the competitors who bought the data to poach customers should be charged with purchasing stolen goods.

Without punishing every piece of the “entire unlawful industry in personal data” it will be difficult to make headway against the crimes and protect consumers.


New tool calculates Your ID Theft Risk

November 3, 2009

Symantec has released a new Risk Calculator tool that lets you get a sense of how much your information is worth to online thieves, and how at risk you are of having that information stolen.

It’s a useful tool for not only understanding the underground economy, but for reviewing your own online actions from a security perspective.


Latest ID Theft Stats

July 27, 2009

Identity theft continues to hold our attention – and rightly so. Here are some recent stats from SpendOnLife.com that bear consideration:

  • There were 10 million victims of identity theft in 2008 in the United States
  • Households with incomes higher than $70,000 were twice as likely to experience identity theft than those with salaries under $50,000
  • Online methods accounted for only 11% of ID theft
  • Stolen wallets and physical paperwork account for almost half (43%) of all identity theft
  • More than 35 million data records were compromised in corporate and government data breaches in 2008
  • 43% of victims knew the perpetrator
  • In cases of child identity theft, the most common perpetrator is the child’s parent
  • 38-48% discover their identity has been stolen within three months, but 9-18% of victims don’t discover the problem for four or more years
  • The mean cost per victim is $500

6 steps to reduce your risk of identity theft and deal with the aftermath

  1. Everyone above the age of 14 needs to actively monitor his or her credit history. You have the right to one FREE credit disclosure in a twelve-month period from each of the three national credit reporting companies—TransUnion, Experian, and Equifax. The easiest way to get these reports is through AnnualCreditReport.com, a service created by these three credit institutions specifically to help consumers get free annual reports. You can also pay credit monitoring services to watch your account for you.
  2. Consider if you want all, part, or none of your information viewable in online directory searches. It usually costs money to keep your information private (often referred to as a privacy tax) but the few dollars it costs may be well worth it to you.
  3. If your identity has been stolen, contact your bank(s) and other financial institutions immediately. Contact local law enforcement and file a report. Contact your insurance company. Freeze your credit with the three credit reporting companies listed above.
  4. If you are a victim of identity theft, go to the FTC’s Identity Theft Web site to get information about additional steps you may need to take.
  5. If your reputation or images have been stolen, contact the Web site where the abuse occurred and where the material is displayed. They should work with you to take it down and discipline the offender.
  6. Identity theft victims should alert their friends and family. Your identity theft means friends and family may also be affected, depending on the information stolen or abused.

Click to read the full data set.