What to keep (and not to keep) in your wallet

via What to keep (and not to keep) in your wallet, clarionledger.com

PDF: Whats in your wallet

For years, ads for a popular credit card company have asked, “What’s in your wallet?” While that question is used to sell consumers on the company’s credit cards, it also points to something we all should think about from time to time: Our wallets often contain vital pieces of information about us that could be used to steal our identities, raid our bank accounts, or compromise our personal safety.

The history of the wallet goes back to antiquity. In ancient times, men and women would carry small pouches containing some of the essentials of everyday life. In 1991, two German tourists hiking in the Alps between Austria and Italy stumbled upon the frozen remains of the “Iceman” (who was later nicknamed Otzi). The mummy, dating from about 5,300 years ago, was found remarkably well-preserved and has helped us understand a lot about life during his time. Otzi was carrying a small leather pouch containing knives, flint and food. This type of pouch evolved into the wallets we carry around with us every day.

According to wallet company Pad & Quill, the first modern (“flat”) wallets were first seen in the 1600s, but they were worn on the belt, as a conspicuous sign of wealth. As people began to carry paper money, identification cards and then credit cards, wallets began to get thicker. Today, most people’s wallets contain a mixture of cash, photos, credit and debit cards, driver’s licenses, ID cards and a variety of other essentials.

The invention of “digital wallet” technology and apps have shrunk the average wallet, but many experts believe we’re still carrying too much around with us. Pickpockets can be found everywhere, and losing your wallet can expose you and your family to a lot of danger. With all the danger, and alternatives provided by technology, perhaps it’s time to rethink our wallets.

The editors of Kiplinger’s, in a recent article, urged consumers to consider eliminating eight things from their wallets. Instead of carrying everything, they advise, make a copy or image of all the items, front and back, and keep the originals and copies in a secure place.

 Social Security card. The first (and possibly most dangerous) thing to remove is the Social Security card. While most Americans grew up being told they’d need to carry their Social Security cards around with them, that advice is no longer useful or safe. Avoid anything with the Social Security number on it. The use of the SSN as a general identifier has shrunk considerably, with the last major holdout (Medicare) phasing out the use of the SSN this year. By April 2018, all Medicare recipients should be receiving a new card with a non-SSN number.

Password cheat sheet. Most people have more than two dozen passwords they need on a regular basis (some have many more). The tendency is to reuse a password, select something easy to remember or write them all down on a “cheat sheet” they carry with them. But all those are risky. Instead, use a password app, or jot them down and keep them in a locked safe in your home.

Spare keys. While it’s tempting to keep a spare house key in your wallet, a thief who steals your wallet already has your address from other documents in the wallet, so giving him a key is a bonus. Instead, keep a spare key with a trusted family member or neighbor in case you need it.

Blank checks. Many people keep a blank check in their wallet for convenience. Checks contain both the account number and routing number, and it would be easy for a thief to forge your signature and possibly could use your driver’s license as ID if they stole or found your wallet.

Other items suggested for removal by Kiplinger’s include passports, multiple credit cards, birth certificates and receipts. To read all their advice, visit http://bit.ly/2liA1ED.


DNA test kits: Is your privacy at risk?

via DNA test kits: Is your privacy at risk?, clarionledger.com

PDF: DNA Test Kits privacy

Human beings have an insatiable desire to know our heritage. In the past, the best tools to determine our genetic heritage came through family Bibles, scribbled family trees, and stories handed down from generation to generation. Serious genealogists could do a better job, but it was still largely an inexact science. And if there were gaps in our family histories, it was nearly impossible to fill them in.

In the Moak family, a distant cousin published an extensive genealogy nearly 60 years ago, helping spark my interest in the topic.

But with the discovery of the structure of DNA in the 1950s, and the later mapping of the human genome, family genealogists suddenly had new tools available. Now, using a small swab of saliva or cheek scraping, you could find out (broadly, in most cases) where your ancestors came from. Entrepreneurs seized on the technology, and we started hearing about services which could give you a picture of your genetic heritage. Now, ads for services such as AncestryDNA, 23andMe, MyHeritage and others have garnered millions of dollars from consumers eager to fill in the gaps in their family histories.

Typically, consumers pay from $99 to $200, and get a report showing groups and regions from which their ancestors probably originated. A typical report will give you a percentage of the DNA associated with known ethic groups, along with a map showing where those people probably lived. Earlier this month, PC Magazine reviewed five test companies (23andMe, AncestryDNA, National Geographic Genographic Project, HomeDNA and MyHeritage DNA). Their comprehensive report gives a good snapshot of the different services provided. Some have been offering extended services; for example, showing your relative risk for diseases with known genetic markers.

DNA testing has, of course, yielded many promising possibilities in addition to the commercial ones. Some genetic diseases can now be spotted and possibly even prevented. But with all the promise has also come many fears. Some have raised the specter, for example, that insurance companies and drug companies would be interested in information that a person carries genes for deadly (and expensive) diseases. Others have voiced darker fears, for example, that babies with “desirable” traits could be chosen in favor of others with less-desirable genetic potential, possibly leading to a sort of genetic apartheid.

A more present concern, though, is privacy. In a recent blog post, Federal Trade Commission attorney Lesley Fair advised consumers to be wary about how well this potentially valuable information is being protected. “The data can be very enlightening personally,” Fair noted, but a major concern for consumers should be who else could have access to information about your heritage and your health. If you’re thinking about buying an at-home DNA test kit, you owe it to yourself — and to family members who could be affected — to investigate the options thoroughly.”

Fair urges consumers to comparison-shop services to see how they intend to protect your information. “Scrutinize each company’s website for details about what they do with your personal data,” she urges. “Rather than just clicking ‘I accept,’ take the time to understand how your health, genetic, and other sensitive information will be used and shared. Hold off on buying a kit until you have a clear picture of the company’s practices.”

And in this era of ever-bigger breaches of computer systems with sensitive data (this summer’s blockbuster Equifax breach is just the latest), it’s important to recognize the risks. These companies don’t just collect your DNA; they also collect payment and demographic information about you that could potentially be valuable to thieves.

So, shop carefully, monitor your credit, and be ready to report problems. Fair urges consumers who have experienced problems or concerns about genetic testing companies to report them to the FTC; she noted the agency has already acted against companies they accused of failing to protect their customers’ privacy. To file a complaint, visit https://www.ftccomplaintassistant.gov/#crnt.

Skimming ring in 3 states busted

via Skimming ring in 3 states busted

PDF: Card skimming ring

As you gas up your car during holiday trips, the FBI is warning consumers to watch out for credit card skimmers on gas pumps, which could be used to steal your money and identity.

The FBI and a U.S. attorney this week announced they had busted a multi-state ring that had installed skimmers on gas pumps across Kentucky, Ohio and Indiana. Officers collared eight people in an operation that included more than 30 law enforcement agencies across the three states, after the thieves made off with more than 7,000 card numbers and about $3.5 million.

“This form of identity theft is causing untold losses to both financial institutions and individuals who are merely filling their tanks at the gasoline pump. As we begin the busiest travel season of the year, consumers need to pay special attention to where and how they pay for gasoline as criminals are using new and more sophisticated technologies,” noted U.S. Attorney Russell Coleman.

Skimmers are becoming increasingly sophisticated, and thieves have gotten proficient at making them look close enough to the real thing to fool all but the savviest customers. Thieves install the devices over the card-swipe device on the pump, and in some cases, replace the pump’s original card reader. When unwitting customers swipe their cards to pay for gas, the device reads the card number and other information, which is then used to raid the customer’s bank account or steal their identity.

You may recall that police last year found a skimmer installed on gas pumps in the Clinton area, resulting in arrests and indications the activity was part of a larger ring operating across several states.

In the case announced this week, the FBI reported the thieves installed the devices inside the gas pumps, then later retrieved them. The stolen financial information was then re-encoded, transferred, or cloned on to the magnetic strip of other plastic cards that were sold or used to purchase merchandise.

Although skimming is not a new phenomenon, it is getting harder to detect. PC Magazine’s Max Eddy wrote about the technology last year, noting the devices are now smaller than a deck of cards, and can be placed on an ATM or point-of-sale terminal easily. Often, he notes, thieves will also place a camera nearby to record Personal Identification Numbers (PINs) of customers, but in some cases, they have installed fake keypads as well.

Spotting a skimmer is not always easy, but Eddy gives a few pointers:

  • Watch for mismatched colors or styles. If the overall color in the area where you insert your card is black, for example, but the card reader is yellow, that could be a sign that it’s fake. Also, watch for mismatches in lettering or the materials used.
  • Wiggle everything. Since readers have to be hastily installed so the thieves won’t get caught, they don’t usually have much time to make sure everything fits perfectly. Eddy advises pulling at the reader and keypad to ensure nothing moves.
  • Look around. Cover the keypad with your hand, to prevent anyone from seeing your fingers as they enter the PIN. Many devices now have a little shield over the top of the keypad to prevent someone seeing your fingers as they enter the numbers, or recording your movements from a distance. Still, covering the keypad as you enter can prevent thieves from getting the all-important PIN.
  • Use the EMV chip. Since most newer card readers accept EMV (Europay, Mastercard, Visa) chips that require your card to be inserted, this option gives you more security and requires thieves to install devices inside the reader.
  • Pay inside. It’s less convenient to pay inside the store, but generally more secure.

It’s also a good idea to keep up with your purchases. Most banks now have apps that allow you to keep up with transactions, so if you notice any activity you didn’t authorize, report it immediately.

Credit freeze over data breach should be free, AG Hood says

Source: Credit freeze over data breach should be free, AG Hood says, clarionledger.com

Mississippi’s attorney general is calling on two of the nation’s “Big 3” credit reporting agencies to immediately end the practice of charging fees for consumers to freeze their credit accounts in the wake of the massive data breach that affected their counterpart Equifax.

Following the news that more than 145 million Americans (including about 1.3 million Mississippians) were at risk after hackers broke into Equifax’s database over several weeks this summer, consumer advocates urged consumers to “freeze” their credit reports. A credit freeze effectively keeps anyone from using credit bureau files to open new accounts, and stays in place until removed by the consumer.

But when people tried to freeze their credit files with Equifax, they were told they’d have to pay a fee. The resulting outrage made Equifax reconsider its decision, and it agreed to waive its fees to freeze accounts. The company’s response to the crisis cost CEO Richard Smith his job and cast doubt on the company’s future.

But despite pressure, TransUnion and Experian didn’t waive their own fees to freeze consumers’ accounts. Mississippi Attorney General Jim Hood and 35 of his counterparts want to change that. Hood sent out a news release last week, saying the group had sent letters to TransUnion and Experian urging them to waive their fees immediately or they’d send the bill for all the agencies’ fees to Equifax.
“If these agencies do not waive their fees, I intend to make Equifax pay for the fees that victims have incurred due to their hack,” Hood said in the release. “For customers who have already paid fees to place a freeze on their account, Equifax must reimburse them.”
Immediately after that breach, Hood and his counterparts forced Equifax to extend their free credit monitoring through the end of January. Still, he argues, it’s not enough. “Although Equifax also agreed to waive fees for its security freezes, people are still having to pay fees at other agencies,” Hood’s release noted.
“While it is legal in Mississippi to charge up to $10 to place a freeze on credit reports, General Hood believes a measure to waive that fee in extreme situations such as this breach should be seriously considered.” He noted that credit reporting agencies profit by selling consumers’ information, “and they have a responsibility to protect that same information.”
A credit freeze protects consumers by prohibiting third-party access to a consumer’s credit file; it’s considered one of the most effective ways to protect yourself should someone try to open credit accounts in your name. A freeze stays in place until the consumer removes it by using a unique passcode provided by the agency. Since it will also keep you from getting new credit — such as a mortgage or auto loan — while it’s in place, you’ll need to lift it if you are applying for credit.
Unless and until the fees are waived at TransUnion and Experian, a credit freeze will cost Mississippians $10 at Experian and TransUnion, but you won’t have to pay a fee at either if you’ve been a victim of identity theft.
Hood also reiterated his advice for protecting yourself against identity theft:
  • Regularly request your free credit reports, inspect them closely, and promptly dispute any unauthorized accounts.
  • Inspect all financial account statements closely and promptly dispute any unauthorized charges.
  • Consider placing alerts on your financial accounts so your financial institution alerts you when money above a pre-designated amount is withdrawn.
  • Beware of potential phishing emails; don’t open any email messages or attachments from unknown senders, and do not click on any unknown links.
  • Watch out for “spoofed” email addresses. Spoofed email addresses are those that make minor changes in the domain name, frequently changing the letter “O” to the number zero, or the lowercase letter “l” to the number one. Scrutinize all incoming email addresses to ensure that the sender is legitimate.

For info on how to freeze your credit at all three bureaus, visit http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/.

Freezing your credit after the Equifax breach


freeze credit

NASA Federal Credit Union


Source: Freezing your credit after the Equifax breach, clarionledger.com

A recent data breach from one of the nation’s largest credit bureaus has sent shockwaves throughout an industry that holds information affecting the financial futures of millions of Americans.

Hackers reportedly broke into the files of Equifax for a six-week period from May through July, making off with personal information for about 143 million consumers. This brazen heist is one of the largest to date, potentially exposing nearly half of Americans to the risk of identity theft (along with considerable numbers of Canadians and British citizens).

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” an apologetic Equifax Chairman and CEO Richard F. Smith said in a video statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”

 You may recall that Equifax and the other “Big 3” credit bureaus were sued in recent years by Mississippi Attorney General Jim Hood and his counterparts around the nation after allegations of shoddy record-keeping and reporting practices led to errors and damage for some consumers. The suit resulted in a 2016 settlement of more than $7 million.

Of course, data breaches are nothing new, and happen constantly as hackers probe the security of databases around the world. The threshold for making the national news has gotten higher, so if a breach makes big news, it’s usually one that has set a record.

“The types of data potentially exposed in this breach could ruin lives, businesses, and might I say, credit scores,” Hank Thomas, chief operating officer at Strategic Cyber Ventures, a Washington incubator of cybersecurity companies, told McClatchy News Services. The trove of data (with a potential value of hundreds of millions of dollars on the black market) included names, Social Security numbers, dates of birth, addresses, driver’s license numbers and credit card information.

As you read this news, you might be asking yourself, “should I be worried?” Most every source I’ve consulted says the answer is a resounding “yes.” The amount and type of data that has been compromised can expose you to the risk of identity theft for years to come. Using this data, fraudsters could open new credit accounts or lines of credit in your name, apply for driver’s licenses, even get speeding tickets on your record (for which you can be arrested) and steal government payments such as Social Security checks and tax refunds.

The danger is here, and it’s real. So, what next? In the wake of the announcement (which Equifax waited several weeks to do), the company announced it would be offering a year of free credit monitoring through its TrustedID Premier service. But many advocates pointed out that signing up for the service includes language that some said could be construed as signing away the consumer’s right to sue over the breach. After significant pushback, the language was changed. Still, some financial experts advise consumers not to sign up for the one-year monitoring, since the effects of the breach could last years.

Many experts advise that consumers who may be affected by the breach place a “credit freeze” on their reports at all three major reporting agencies: Equifax, TransUnion, and Experian. Placing a freeze on your account takes a little effort and can be inconvenient. But if you are applying for credit, you can temporarily lift the freeze yourself, and re-enable it later. A credit freeze blocks your credit reports from being shared with potential new creditors. Without a credit report, most lenders won’t open a new line of credit. (It won’t stop them from changing information on existing accounts, however.) Freezing your accounts will not affect your credit or score.

Note: Bowing to public outcry after the breach, Equifax announced Sept. 11 that it would waive all fees for the next 30 days for consumers who request a credit freeze. To freeze your file on Equifax, click on: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp. (It wasn’t known at the time of this writing whether TransUnion and Experian would also be waiving fees on credit-freeze requests.)

For more on credit freezes, visit https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.

SSNs on Medicare cards soon to be a thing of the past

via Another path cut off for identity thieves, clarionledger.com

PDF: SSN Medicare 1SSN Medicare 2

Last week, I ran across an old scrapbook, full of little pieces from my past. As I meandered through the ticket stubs, cards and letters, each one dredged up memories and emotions I had packed away.

There was a stub from my first music concert, tickets to football games, a letter of acceptance to college and mementos from events the details of which were long gone. Some of the scraps went all the way back to my childhood, each holding its precious little cargo of memory.

Among the artifacts on those pages was my original green-and-white Mississippi driver’s license from 1980. Its edges were cracked and the print a little faded, but the plastic card was still pretty much intact. There was no photo; just the facts about my birthdate, my height and weight, my address and a few other nuggets of information. At the time, I gave no thought to the fact that my driver’s license number was the same as my Social Security number. In fact, almost no one did at the time.

But the use of the Social Security number has become a problem because it’s been used by criminals to commit identity theft. This week, one of the last major holdouts on using Social Security numbers on its cards has announced it’ll be phasing that practice out. The Center for Medicare and Medicaid Services, which runs the two programs, announced the Social Security numbers will be replaced soon for its 57.7 million Medicare recipients. The action is being taken to meet a Congress-imposed deadline to remove Social Security numbers on all Medicare cards by April 2019.

In place of than identifying information, each Medicare beneficiary will be assigned a new, randomly generated number called a Medicare Beneficiary Number, consisting of a mix of upper-and lower-case letters. CMS will start mailing out cards with the new numbers in April 2018, and says it will work to educate participants about how to destroy their old cards and keep their information private.

“We’re taking this step to protect our seniors from fraudulent use of Social Security numbers, which can lead to identity theft and illegal use of Medicare benefits,” CMS Administrator Seema Verma said in a news release. “We want to be sure that Medicare beneficiaries and health care providers know about these changes well in advance and have the information they need to make a seamless transition.”

Regulators, advocates and even members of Congress have urged CMS for many years to make the change, but it’s been long in coming. “The Social Security number is the key to identity theft, and thieves are having a field day with seniors’ Medicare cards,” Rep. Sam Johnson, R-Texas, told the New York Times in 2015.

CMS officials have cited a variety of reasons for the delays, including the refocusing of resources to implement Healthcare.gov, the website that registers participants for services provided under the Affordable Care Act.

Although their use for identity theft has exploded in the past few decades, Social Security numbers have never really been very secure. Although the number was designed for a specific purpose — identifying participants in the Social Security System set up in 1935 — it began to be used as a more general identifier. Since nearly every American citizen had one, it was considered a sort of universal ID number. Financial institutions began to use it, as did government agencies, businesses and organizations of all kinds.

It didn’t take long, though, for people with nefarious intentions to abuse the new Social Security numbers. According to the Social Security Administration, in 1938 a national newspaper ad for wallets made by the E.H. Feree Co. (and sold widely by Woolworth’s department store) featured an image of a Social Security card fitting into one of its wallets. The problem was that the picture contained the real Social Security number assigned to Hilda Whitcher, who was the secretary for E.H. Feree’s vice president and treasurer. By 1943, at least 5,755 people were using Whitcher’s number for their own, and at least 40,000 people eventually claimed it. Although Whitcher was soon assigned a different number, people kept using the old one until at least 1977.

A more recent, but equally notorious case is that of Lifelock Founder Todd Davis, who famously published his own Social Security number in ads, websites and even on billboards, daring criminals to try to use it to commit identity theft. At least 13 crooks successfully took him up on the offer, though (and many more tried). What started as a brazen publicity stunt turned into real losses for several companies that had to write off the uncollectable debt racked up by identity thieves.

Although the number of ID cards with Social Security numbers continues to decrease and Medicare recipients will no longer be exposed to this particular threat, the Social Security number will still continue to be used internally for a variety of purposes. (By the way, Mississippi stopped using Social Security numbers on Mississippi driver’s licenses long ago; Department of Public Safety spokesman Warren Strain told me the practice was discontinued during the mid-2000s.)

Protecting yourself from identity theft still requires a lot of vigilance and some caution. Social Security numbers are still a point of vulnerability. Often, people ask me whether they’re in danger carrying their Social Security card or other documents containing that number in their wallets or purses. Almost always, I relay the sage advice I got years ago: The best place to carry your Social Security number is in your head.

Fraud, ID theft top consumers’ nightmares, studies find

Clarionledger.com, 9/28/2015

PDF: Studies – Consumers fear fraud, ID theft

Americans are gearing up to do battle on their doorsteps this weekend. The foe takes the form of tiny superheroes, movie baddies and zombies demanding candy. It’s OK, though; we know that underneath the masks are sweet kiddies, not real monsters. But increasingly, many people are worried about the real threats that lurk under the bed – ghouls who can take your life savings with a keystroke, derail your carefully-laid plans for retirement or your kids’ education, or even destroy your reputation.

Within the past week, news of two separate studies (from Bankrate.com and the American Bankers Association) hit my inbox, highlighting the fact that Americans are worried about their financial and information security and feel vulnerable to predators.

Much of the angst stems from recent data breaches, which have exposed the security vulnerabilities in a system trusted to protect vital information. Hardly a day goes by that we don’t hear about some new breach, whether it’s customer contact information, credit card numbers, or embarrassing publication of names from sites like Ashleymadison.com. All this bad news is eroding our trust in the financial system at a time in which technology should be giving us more security than ever.

According to Bankrate’s study, nearly eight in 10 Americans worry about having their identity stolen. Nearly a quarter of consumers described themselves “very frightened” about the prospect of identity theft.  Then there’s this shocking claim: about half of Americans (46 percent) report that they’ve either been a victim of identity theft or know someone who was. That’s up significantly (12 percent) from just a few years ago.

While about one in five consumers (many of them Millennials) appear oblivious to or unconcerned about the threat, many have taken it seriously. Many in the Bankrate.com study say they aren’t checking their credit reports regularly, and 41 percent say they conduct banking and other sensitive tasks on unprotected Wi-Fi networks that don’t require a password. Both of these activities could help detect fraud, or prevent it from happening in the first place.

“When asked where cardholders feel most vulnerable to fraud following a credit card purchase,” the ABA’s study concluded, “64 percent say they are most concerned about hackers breaking into retailers’ computer systems, compared to just 16 percent who cite physical card theft and 13 percent who cite “phishing” scams.”

Similarly, the ABA study found that many worried consumers are holding the system responsible. Nearly eight in 10 consumers believe the government should “hold retailers, banks and other companies involved in the payments system to the same security standards.”

“Millions of Americans have had their most sensitive information compromised in retailer data breaches, so it’s understandable that consumers are concerned that retailers aren’t doing more to prevent future hacking incidents,” said Doug Johnson, ABA’s senior vice president of payments and cybersecurity policy. “These survey results reaffirm what we’ve believed all along.  Retailers need to join with banks and payment networks to combat fraud and focus on the future by updating their payment security systems and proactively working to address emerging threats head-on.”

The recent card conversion was part of a “liability shift” for credit and debit-card fraud, in which merchants could bear the cost of fraud if they don’t take sufficient steps to secure the data. Previously, such liability was borne almost exclusively by banks and the financial system.

That’s especially true with the recent conversion to new card reader (EMV) technology; the messy transition has confused customers and reinforced existing security concerns. “Following high-profile data breaches at major retailers including Target and Home Depot, 94 percent of consumers say it is important for retailers to upgrade their security controls, and 70 percent say retailers should be installing EMV chip-enabled card readers as soon as possible,” the ABA noted.

But many merchants and industry groups have protested that the new technology – while a step in the right direction – is vulnerable because it doesn’t take full advantage of the security features available, besides being expensive and difficult to implement. For example, the new EMV cards still in many cases don’t require the use of a PIN, a feature which could enhance security.

The National Retail Federation (NRF) and other industry groups have been vocal about these concerns. “EMV is all new to me, and banks and the networks are not contacting small businesses to help the transition in any way,” noted small business owner Keith Lipert, who recently testified before Congress on behalf of the NRF to protest the new requirements. “No one from my bank, processor or existing supplier even contacted me about the need to add a new EMV device, let alone a deadline by which to do so.”

The NRF’s David French recently stated that credit and debit card fees are the second-largest expense for many small businesses after labor, and that the card industry imposes “a multitude of complex rules on small businesses.” Chip-card readers and installation can vary from “a few hundred dollars to thousands of dollars” per terminal, he said, with an industry average of $2,000.

Whatever the outcome of this battle will be, consumers are looking for a hero to protect them from the very real monsters that wait to prey upon their livelihoods, identities and futures. So far, said hero remains out of sight.

Moak: Lifelock lets down customers, feds say

Originally published at Clarionledger.com on 7/29/2015.

Link: Moak: Lifelock lets down customers, feds say

We’ve all heard and seen the ads by LifeLock, which aggressively promote the company’s services of being able to protect and defend consumers against identity thieves. A pioneer of sorts in what was to become a highly profitable industry in a nation worried by potential identity theft, the company now is public and has a reported 3.6 million customers. But LifeLock now finds itself in hot water once again with federal regulators, who say they failed to live up to a 2010 settlement regarding alleged deceptive advertising and failing to practice what it preaches when it comes to its own customers.

The Federal Trade Commission last week asserted that LifeLock violated a 2010 settlement with the agency and 35 state attorneys general by “continuing to make deceptive claims about its identity theft protection services, and by failing to take steps required to protect its users’ data,” the FTC said in a news release.

“It is essential that companies live up to their obligations under orders obtained by the FTC,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “If a company continues with practices that violate orders and harm consumers, we will act.”

In the 2010 settlement, the FTC accused LifeLock of telling customers its services could provide a wide umbrella of protection against identity theft, but an FTC official noted at the time that the protection “left enough holes that you could drive a truck through it.” Furthermore, the company was accused of failing to protect its customers’ personal information — a key principle on which the company is founded. LifeLock was required to pay $12 million in refunds, ordered to start a stringent program to protect customer information and was barred from making any more “deceptive claims.” The company agreed to do so in the settlement.

But last week in an Arizona federal court, the FTC charged that from “at least October 2012 through March 2014,” LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, Social Security and bank account numbers; 2) falsely advertising it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s record-keeping requirements.

The FTC also asserts that from at least January 2012 through December 2014, LifeLock “falsely claimed it protected consumers’ identity 24/7/365 by providing alerts ‘as soon as’ it received any indication there was a problem.”

After the action was announced last week, CNBC reported that LifeLock stock plunged 49 percent. For its part, LifeLock disagrees with the claims. In a statement, the company noted, it is “prepared to take our case to court.”

“Security of our systems has always been, and will remain, of primary importance to us,” LifeLock’s statement read. “Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member’s data being taken.”

I often get asked the question if people really need services like those provided by LifeLock and other companies. Neither LifeLock nor any company can prevent identity theft from happening; it’s a crime of opportunity, often financed by international criminal organizations with deep pockets, taking advantage of security vulnerabilities. Sometimes, it’s just a simple matter of a greedy person sensing an opportunity. But if an identity thief wants your information badly enough, he can probably get it. If a monitoring system is alert enough, it could warn you if someone attempts to use your account (but then, so do most credit card companies).

And in reality, if you do become a victim, you can do much of the work of clearing your name for free, if you are willing to do it. Recovering from identity theft takes time and persistence, though; if considering an identity theft monitoring service, be sure you understand exactly what you can expect. Consumer Reports has an informative article at http://bit.ly/1mgRVSK. Financial Finesse (http://bit.ly/1Mt0Y0A) has some good advice as well.

And — just as you take action to protect your personal security such as locking your car door — you can decrease your risk by being careful. Adopt habits like shredding your documents, using passwords that are hard to guess, and not allowing your credit card out of your sight at restaurants. As always, vigilance is the key.

New tool helps report ID theft, start recovery

Originally published in the Clarion-Ledger on 5/21/2015.

PDF: New tool helps report ID theft start recovery

Many years ago, my wife’s purse was stolen from her locked car while she walked at a Jackson-area park. She filed a police report, but never got back the cash and other items contained in the wallet. For the next couple of years, every time she bought anything on credit or had to show her personal identification, she had to relive the whole thing all over again and answer questions about why her license was “flagged”. The burglary probably took less than a minute, but the damage was long-lasting and went far beyond just losing cash and some credit cards.

Far from being a “victimless” crime, identity theft is a personal violation. Someone has taken your most important asset – your identity – and used it to create personal gain for themselves or criminal organizations. Although in many cases, the money stolen via identity theft can be replaced, it’s not as easy to restore your good name. Ultimately, once you find out you’ve been targeted, it can be a years-long, uphill battle to prove that you weren’t the one who charged all that merchandise on your credit card, or who opened up all those accounts and then failed to pay up.

Despite the fact that identity theft has been skyrocketing for the past two decades, it has often been difficult for consumers to know how to identify it, deal with it and repair the damage. As I’ve spoken to groups over the years about this topic, it’s apparent that there’s a lot of misinformation out there and a certain feeling of helplessness. In nearly every group, there are people who say their lives have been turned upside-down by some faceless predator who wrecked their credit, stole in their name and even got them in trouble with the law.

And adding to the confusion is the fact that there is now an entire identity-theft industry pitching all types of products and services – of varying levels of effectiveness — promising to prevent identity theft in the first place, help identify when a crime has been committed and to help you fix the damage. Some of these products are probably effective in helping identify when a crime has occurred and maybe to help educate you about the risk. But ultimately, repairing the damage by determined identity thieves is up to you, the victim.

The numbers around identity theft are staggering: back in February 2014, a report from Javelin Research found that 13.1 million people in the U.S. had been victims of identity theft. That amounts to about $18 billion stolen by identity thieves. That report did indicate that the total take by identity thieves was down somewhat from the previous year, probably due to better security measures. But the total number of people victimized has never been higher. This is often a global crime, transcending state and national borders.

In years past, the best way to respond to identity theft – once it’s been identified in the first place — was to file an affidavit with law enforcement at every level – local, state and federal – to get it on the record. Otherwise, you really couldn’t do a lot about it, other than contacting every creditor and institution to place yourself on their radar. Often, law enforcement often didn’t have the knowledge, tools or authority to help.

But a new website called Identitytheft.gov came online just last week, providing a sort of one-stop shop to help you respond should you become a victim. (A Spanish version is at RobodeIdentidad.gov.) Simple checklists on the site give you a roadmap of what to do, whom to contact and how to go about taking care of the many tasks required. There are also links to a lot of resources, such as lists of utility companies, credit card companies and government agencies.

The site also has tools specifically designed to help if you’ve been notified that your information may have been compromised in a data breach (such as the huge Target theft last fall), or if you’ve gotten the nasty surprise that someone has filed taxes in your name and absconded with your refund.

Ultimately, the site is a step in the right direction to helping give consumers some resources and assistance. But ultimately, when it comes to identity theft, there is no “silver bullet”; The best defense is educating yourself how to lower your risk, staying informed about your credit and financial accounts and having a plan to deal with it should an identity thief target you. A visit to the site (before you need it) may help you prepare yourself in case you need it one day.

Is your car tracking you?

It’s a spy-movie staple: wanting to keep tabs on an opponent’s vehicle, the spy sneaks up behind the car, implants a tiny tracking device under the bumper, and the vehicle can be tracked anywhere it goes. Although the technology may have at one time seemed exotic, today’s vehicles allow just about the same result in myriad ways – many with the full knowledge of drivers.

When we get into our cars, most of us don’t pause to consider the possibilities that someone is tracking our every move – or could if they wanted to. But the fact is that our cars are full of little electronic devices that monitor the car’s vital statistics. Any mechanic can hook into your car’s data center and download various pieces of information. But the recent revelations of just how far spy agencies can and will go in pursuit of personal data have raised concerns about just how clear are the fishbowls in which we all live. And those fishbowls now have wheels.

Particularly, privacy advocates are growing nervous about the pervasiveness of data being collected, based on fears that the information could be used against us. The National Highway Traffic Safety Administration (NHTSA) reports 96 percent of new cars are equipped with a “black box” of sorts called an Event Data Recorder (EDR) device, which collects data from crashes. The NHTSA requires EDRs in all new cars by September 1. EDRs collect information about speed, direction, seat belt usage and other factors. They only keep a few seconds of data, but that’s enough to provide critical information about what might have caused a crash, and factors that might have caused injury or death. Safety advocates argue that data is valuable in making safer cars.

But EDRs have a potential dark side, too. Insurance companies and attorneys can also gain access, using the information to place blame or aid in prosecution. And criminals have demonstrated they can hack the black boxes, even to the point of changing VINs (Vehicle Identification Numbers) so the car can be more easily stolen.

The use of EDRs has been regulated in 16 states, and some Congressmen earlier this year proposed a bill to limit their use.

Of course, the EDR is just one of many technologies which could be telling interested parties the specifics of our driving habits. Many of these are self-imposed, such as allowing location data on our cellphones. Some are safety features, such as GM’s OnStar or Mercedes’ Mbrace, but they are constantly collecting data about a vehicle’s location, speed, braking and many others. It’s important to note that these features bring security, comfort and convenience to our in-vehicle experiences, but also raise some thorny issues.

Insurance companies are getting in on the act, too. State Farm’s Drive Safe and Save program and Progressive’s Snapshot use different technologies to gather information on driving habits, which may then be used to “train” drivers by incentivizing them with potential discounts.

Regardless of whether you care or not about how much information is being collected about you, most Americans don’t like Big Brother snooping around. If you’re one of them, it’s important to be vigilant. Here are a few things Consumer Reports suggests to help minimize the information you’re sharing:

  1. Stay anonymous. Don’t share self-identifying infor­mation such as your Facebook status or publicize your location on social media.
  2. Scrub the data. When selling a car, clear the navigation system of recently visited addresses, or adjust the settings so that the system doesn’t save locations that you input.
  3. Read the fine print. Every company has a privacy policy, but many people don’t read it. Read it, and know what it says about your rights.
  4. Cancel the data flow. If you’re selling a car that has a telematics system or if you decide not to use it anymore, contact the company to let it know. Confirm what happens after you opt out and what is done with previously collected data.
  5. Don’t leave a trail. If you’re concerned about the security of other information sent from your car, use cash instead of electronic toll-collection devices such as E-ZPass. Also, don’t just turn off your cell phone; take out the battery, because phones still have tracking capabilities even when they’re shut off.
  6. Think security. Don’t leave a portable GPS or any other electronic device in your car; take it with you. Lock your glove box if that’s where you keep your insurance and regis­tration information. And use a valet key instead of handing over your personal car keys.

To read more about the use of EDRs, you can download a comprehensive study produced by the Congressional Research Service.