Parker Waichman LLP Injury Alerts
IDENTITY THEFT SERIOUS SECURITY BREACHES AT MAJOR CORPORATIONS, FINANCIAL INSTITUTIONS, AND OTHER ORGANIZATIONS JEOPARDIZE THE PERSONAL INFORMATION OF COUNTLESS INDIVIDUALSMay 1, 2005 Introduction:
In October 2002, we wrote about “identity theft” which was rapidly becoming a serious problem in this country and around the world. At that time, however, the main target of identity thieves were individuals who either were targets of scams or failed to protect their personal information.
Since then, however, identity theft has reached epidemic proportions and the thieves are no longer satisfied in targeting one individual at a time. Today’s identity thief is more likely to be a criminal who has penetrated the computer security system of a bank, credit card company, data reporting service, or some other organization which has sensitive personal and financial information on tens or hundreds of thousands of people in its data base. The thieves may also be or have access to corrupt employees of one of those organizations who are willing to steal and then sell the information to others.
This dramatic shift in the way personal information is stolen has made organizations which do not properly protect their data vulnerable to law suits from individuals and businesses who suffer financial harm as a result of the negligent storage of sensitive data.
Clearly, this is no longer a situation where a person has to be careful of what they discard in their garbage or who might be looking over their shoulder at an ATM or public telephone. While those risks are still very real, individuals must be prepared for the possibility of massive data thefts that they have no control over.
What is Identity Theft?
Identity theft can be defined as the improper or unauthorized taking of another's (the victim) identity for the purpose of: (1) obtaining credit or credit cards from banks or retailers; (2) stealing money from the victim's existing accounts; (3) applying for loans; (4) renting a house or apartment or leasing personal property (automobiles, boats, equipment, etc.); (5) filing bankruptcy; (6) establishing accounts with utility companies; (7) obtaining a job; or (8) committing a crime.
Identity theft is now the most widespread form of fraud (according to the Federal Trade Commission) victimizing more than 500,000 people a year. In 2005, that number is expected to soar to 900,000. The emergence of the internet and global commerce has made it easier than ever to gain access to all types of sensitive personal information including social security, bank account, and credit card numbers as well as passwords and organizational data bases. Criminals regularly conduct a variety of scams directly on unwary consumers. They are also constantly searching for ways to access organizational data bases through the use of stolen passwords or by finding dishonest employees who are willing to sell confidential client information.
Victims of identity theft can spend hundreds of hours and thousands of dollars to clear their names and restore their credit rating. Often, however, the negative effects of identity theft last for years and cause the victim untold annoyance, inconvenience, and financial harm.
Old Tricks and New Scams
Identity theft can be as simple as someone picking through your garbage or looking over your shoulder at an ATM or as complicated as having your personal information stolen from a “secure” data base at your bank, broker, or credit card company. It is important to be aware of both the latest scams as well as old tricks that have been updated for use in the cyber age.
The following list includes many of the common identity theft scenarios that can occur in every day life aside from on the internet in your home or office.
• "Shoulder surfing" is watching the victim as he or she punches in telephone numbers, access codes and pin numbers, and credit card numbers.
• "Dumpster diving" is when thieves rummage through trash bins, garbage pails, and waste paper baskets at or outside of private homes, apartments and office buildings, retail stores, restaurants, schools, hospitals, doctors', dentists' and lawyers' offices, insurance companies and other establishments where receipts, cancelled checks, applications, forms, billing information, or other personal information can be found.
• Stealing the victims' mail when they are away on vacation in order to obtain bank account numbers, credit information, new credit card applications, and courtesy checks issued by credit card companies.
• Eavesdropping on telephone conversations in order to listen for credit card numbers and the like.
• Obtaining "public" information at courthouses and other municipal offices.
• Fraudulently obtaining the victim's credit report.
• Stealing the victim's wallet or purse.
While some of these techniques may seem a little “outdated” they are still viable options for anyone wishing to obtain your identity for financial gain or to conceal their own identity.
In addition to the aforementioned techniques for stealing identities, there are several new scams that are plaguing individuals across the country.
Phishing, also called “carding” or “spoofing,” is a high-tech scam that uses e-mail spam to trick consumers into giving out personal information such as credit card numbers, bank account information, or Social Security numbers. These “phishers” will commonly copy a Web page from a popular site, such as an Internet service provider or a financial services company, and set up a replica page that appears to be a part of the company’s actual site. Then they will send an email to unsuspecting consumers containing a link to the replica page and ask them for personal information. Once the consumer enters the data and submits the form, the scammer has all of their information and the user has no idea that a scam even occurred until it is too late.
It is estimated that between 1% and 20% of these scams actually succeed. Phishing attacks are increasing steadily each month. If you receive an email that asks you to click on a link and enter you’re billing information in order to prevent your account from being closed or to “update” your information, do not reply or click on the link. Contact the company mentioned in the email by using a phone number or web address that you know to be legitimate. Companies doing business over the internet will never ask for personal information without properly identifying themselves. Emails that are generic and which are not addressed to you by name are likely to be bogus and should never be opened.
A visit to an ATM has its own risks. In addition to the possibility of being mugged, there is also the chance that the machine has been altered by the addition of a “skimming” device which fits over the actual slot where you insert your debit card. The skimming device is able to read and store your credit card number and password as you attempt to perform your transaction. Small digital cameras are sometimes used to record your PIN number as you punch it in. Armed with this information, the thief can then make a duplicate debit card and use it at other ATMs to withdraw money.
Last year alone over $2 billion was stolen from bank accounts across the country. Detecting a skimmer can be difficult as they are designed to look like part of the machine itself. Here are some tips to avoid becoming a victim of skimming:
• Examine the ATM carefully. If you see a discolored reader, hanging wires, a posted sign, or an unresponsive keypad, use another ATM.
• Avoid any ATM where the card slot does not go directly into the machine. If there is anything attached to the machine in the area of the card slot, do not use the machine.
• If the ATM “eats" your card, call your bank immediately and put a stop to the account. Even if there is no foul play, it is better to be safe than sorry.
• Use familiar ATMs or ATMs that use security cameras, such as bank ATMs.
• Avoid ATMs that are outside. Use ATMs that cannot be accessed without first using your card to unlock the door to the ATM room.
• Avoid “no-name” ATMs which are often not secure and which may be operated by identity thieves themselves.
• Avoid ATMs in high crime areas or locations which are frequented by suspicious characters.
• Be suspicious of anyone lingering close to an ATM or someone who offers to help you with your transaction.
Perhaps one of the more unsettling scams involves the selling of personal data over the internet to anyone willing to pay a small fee. For $35 on www.secret-info.com and for $45 on www.Iinfosearch.com you can obtain someone else’s Social Security number, one of the most powerful pieces of personal information an identity thief can possess. It has been argued that Social Security numbers have been over-used for identification purposes and, at the same time, under-protected. (In fact, until only recently, rather than issue their own ID numbers, colleges, medical insurers, and banks would routinely use Social Security numbers for identification purposes.) Unfortunately, no law prohibits the sale of Social Security numbers.
More than a dozen Websites exist which offer all kinds of personal data for sale. While the information is not always given out, one group admitted honoring between 13% and 30% of the requests they receive each week. Although they claim they are taking the proper security measures, one consulting firm put www.secret-info.com to the test and found that it was extremely easy to obtain a Social Security number without having to prove the legitimacy of the request.
In this area, more governmental protection is needed. The selling of Social Security numbers must be prohibited. In addition, Social Security numbers should no longer be used as a primary identification numbers by any business or organizations. Clearly, the more places a Social Security number appears, the more likely it is to be stolen.
AOL and other Online Scams
America Online regularly provides its customers with a description of current Internet scams which they may encounter. Popular scams which are presently making the rounds are as follow:
• AOL ‘Update Your Account Billing Information’ Scam: An email with this subject will appear in your inbox. Do not open it unless it is legitimate AOL mail. Official AOL mail has a blue envelope next to the date and has a dark blue border around the mail and the “Official AOL Mail” seal at the top of the message. Official AOL mail will never have attachments. AOL will never ask you for your password or billing information in an e-mail or instant message. If you receive an email that looks suspicious, click “report spam” to report the mail to AOL.
• eBay “Verify Your Identity” Scam: If you receive an e-mail from eBay that asks you to click on a Web site that requests a user name or e-mail address and password it is a scam and should be reported to AOL immediately.
• Washington Mutual Bank “Reconfirm Account Information,” Sun Trust Bank “Fraudulent Activity on Your Account,” Citibank “Cardholder Information Needed:” If you receive an email with any of the aforementioned information in the subject line, do not open the email and report it to America Online immediately. In addition, you should never open and e-mail from a bank or other online institution that you do not have a relationship with.
• Pay Pal “Update Your Account Information” Scam: If you receive an email from PayPal asking you to click a link to a web site that request a user name or e-mail address and password it is a scam and should be reported to America Online immediately.
Protecting Yourself from Identity Theft
While the threat of identity theft is very real, there are a number of steps that you can take to avoid becoming a victim.
• Keep your Social Security number confidential and only give it out when absolutely necessary.
• Do not provide your driver’s license number or Social Security number on your checks.
• Never give out personal information over the telephone unless the person asking is a reputable and trusted source. In general, it is advisable to give out personal information only when you have initiated the contact yourself by calling a legitimate number.
• Always keep your credit card receipts in a safe and secure place. If you don't want them, shred them.
• Always check your monthly credit card statements for unauthorized purchases or suspicious charges.
• Check your credit report regularly and report any suspicious activity. Have your credit monitored on a consistent basis by a trusted company and always review your financial information. Reviewing your credit report twice a year is recommended.
• When making a purchase, never let your credit card out of your sight if possible. If you sign a receipt that has carbon paper (most have now been replaced with carbonless receipts), take the carbon copy or be sure it is destroyed.
• Never leave your wallet or purse unattended.
• Make a photocopy of every document that you keep in your wallet and keep those copies in a safe place.
• Don't carry around sensitive documents unnecessarily. There is rarely any reason for you to carry your passport, Social Security card, or an excessive number of credit cards.
• Be very careful when operating an ATM machine or making any telephone call in which credit card numbers, access or pin codes, your Social Security Number, or other personal information must be punched in or spoken. Be sure to look around you to see that no one is lurking about.
• Keep a list of all bank accounts, credit card numbers, expiration dates, credit line amounts, customer service numbers, and other sensitive personal information in a safe place where it can be quickly accessed in the event of a problem.
• Keep all unnecessary documents, and credit cards in a safe place.
• Become more difficult to prey upon. Use an unlisted telephone number if possible, omit your address on checks, and shred all documents or mail that contains any personal information.
• Be careful with courtesy checks from your credit card companies and unsolicited offers for new credit cards. If you do not use them, destroy or shred them.
• Do not open or respond to unsolicited, suspicious, or unidentified e-mails.
• Choose passwords that are not obvious and yet are easy for you to remember.
• Immediately call any credit card company or retail store credit office if you do not receive a bill that you are expecting. (Some thieves will go so far as to change the billing address on your accounts in order to keep you from seeing the unauthorized activity on your account.)
• Do not give away personal information over the telephone.
• Do not fall for bogus telephone calls that claim you have won a valuable prize or offer you a new major credit card. The caller will seek to obtain important personal information from you which will then be used to steal your identity. As the caller to mail you the offer or application. If they refuse or make some excuse why they can't, hang-up. If they do send you an application or other forms, read them carefully and only send them back and filled out if you are sure that they are from an established or reputable company or bank.
• When you are away from home, be sure to have someone pick up your mail.
• When traveling, do not carry extra credit cards, Social Security card, birth certificate, passport or any travel papers in your wallet or purse except when absolutely necessary.
IDENTITY THEFT GOES SUPERSIZE
Today’s identity thieves are no longer satisfied with one victim at a time. The new approach to identity theft is to steal as many identities as possible at the same time. It is for this reason that organizational software and databases are now targeted. Recently there have been several high-profile database thefts or losses that have put hundreds of thousands of people at risk for identity theft.
The common theme in all of these situations is the adequacy of security. Whether the information is stolen directly, bought from a dishonest employee, or lost through the negligence of the organization itself, inadequate security practices are often at the heart of the problem. These ongoing security lapses are leading lawmakers to push for tighter rules for U.S. data aggregators. The following is a brief recap of security breaches and other news relating to identity theft or stolen personal information.
• In March of 2005, a security breach at LexisNexis – an information broker database containing addresses, driver’s licenses, and Social Security numbers- allowed outsiders to access personal data files of as many as 310,000 people. It wasn’t clear whether the breaches enabled any identity thefts but all 310,000 people were notified and given free credit monitoring as a result of the breach.
• Just prior to the LexisNexis breach, there was a security breach at ChoicePoint Inc., a company which sells access to personal databases. A con artist was able to call the company and gain access to the personal data of thousands of people. Information on nearly 145,000 people nationwide was no longer protected and authorities said that 750 people were defrauded. In addition, two senior executives are now under investigation by the Securities and Exchange Commission for stock trades that took place after they learned about the scheme last fall but before they made it public.
• In April of 2005, British financial giant HSBC PLC notified at least 180,000 people of a scam involving General Motors-branded MasterCards. Apparently, when these cards were used to make purchases at Polo Ralph Lauren, criminals obtained access to their credit-card information. The bank immediately alerted cardholders, saying that they take the security of their accounts very seriously. HSBC is checking to see if any other credit cards were affected.
• At the end of February 2005, Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.
• Just this month, Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. While there have been no reports of identity theft or fraud as of yet, foul play has not been ruled out.
• In March, an eBay scam set up by phishers (see above for description) caused one coin collector a lot of stress. Someone used his eBay account to sell about $780,000 worth of coins, many of which never existed. Fees for the fraudulent action had been financed with $300 from the coin collector’s personal PayPal account. His eBay identity was stolen and while the victim was able to change his credit card numbers, he has yet to recover some of the online fees charged by the phishers to his account as well as the $7,500 worth of merchandise that he had purchased but the phishers has shipped to a different address in order to steal them.
• In April 2005, a former Blockbuster video store employee was indicted on charges of stealing customers’ identities and then using them to buy more than $117,000 in trips, electronics, and even a new Mercedes-Benz. The former employee was able to steal credit card numbers, Social Security numbers and other private information from 65 customers in 2003 using the store’s online database. He was then able to open up new retail store and credit card accounts and make outlandish purchases. According to the indictment, the man had one accomplice and is now facing 47 to 51 months in prison if convicted.
• In April of 2005, administrators at the University of California, Berkeley, disclosed that a computer laptop containing the names and Social Security numbers of nearly 100,000 people had been stolen. There was no evidence that the stolen information was used to commit fraud but UC Berkeley is not the only school to face such a situation. Just three days earlier, Northwestern University reported that hackers broke into the computers at the Kellogg School of Management and potentially gained access to information on more than 21,000 students, faculty and alumni. As most colleges use a student’s Social Security number as their primary identification number, a college database can be a hacker’s pot of gold.
• In April of 2005, a man in Hackensack, NJ was accused of conducting a massive scheme to steal 500,000 bank accounts and personal information and sell it to bill collectors. His accomplices included branch managers and employees from some of New Jersey's biggest banks, including Bank of America, Wachovia and Commerce Bank. All of them are accused of turning over customer bank account numbers and balance information for a profit of $10 per account and in some cases, the bank employees printed out entire customer computer screens and turned them over to the ringleader.
Unlike individual cases of identity theft, which are often the product of inattentiveness on the part of the victim or which cannot be attributed to a lack of security, these recent massive data thefts or losses may very well lead to civil liability on the part of the organization for negligence or for failing to have adequate security measures in place.
What to Do If You Are the Victim of Identity Theft
Once you find out (from whatever source) that you have become a victim of identity theft, you should take action immediately. Here are the things you can do to minimize the impact on your life:
1. File a report with your local police.
2. Don't change your Social Security Number. (It will probably cause more problems than it will solve.)
3. Don't cancel your credit cards. It may be very difficult for you to get new ones. You are better off reporting the fraud and getting new security codes, putting a fraud alert on the account and making sure that the issuer does not change your address without your personal instruction to do so.
4. Contact the fraud departments of each of the three major credit bureaus. Get a copy of your credit report, which is free to ID theft victims. Ask that your file be flagged with a "fraud alert tag" and a "victim's statement." That will limit the thief’s ability to open new credit accounts, as new creditors will call you before granting credit, generally. Insist, in writing, that the fraud alert remain in place for the maximum of seven years.
5. Contact the Federal Trade Commission to report the situation. The telephone number is 1-877-ID THEFT (877-438-4338). The address is Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
6. Contact the Social Security Administration at 1-800-269-0271.
7. Contact the I.R.S. at 1-800-829-0433.
8. Call the fraud units of the three major credit reporting companies. Equifax - 1-800-525-6285 - P.O. Box 740250, Atlanta, GA 30374-0250. Experian (formerly TRW) - 1-888-EXPERIAN or fax to 1-800-301-7196 - P.O. Box 1017, Fullerton, CA 92634.
9. Contact creditors you believe are affected.
10. Contact your bank(s). Place stop payment orders on any outstanding checks. You may have to close your accounts and open new ones.
11. Contact the major check verification companies if necessary. CheckRite 1-800-766-2748. ChexSystems 1-800-428-9623. CrossChek 1-800-552-1900. Equifax 1-800-437-5120. SCAN 1-800-262-7771. National Processing Co. (NPC) 1-800-526-5380.
12. Obtain an Identity Theft Survival Kit at www.identitytheft.org/id_theft_kit.htm that contains vital information about how to survive what can be a very aggravating and frustrating situation
13. Consult other sources for information and assistance:
U.S. Postal Service - 1-800-275-8777 - www.usps.gov/websites/depart/inspect
U.S. Secret Service - www.treas.gov/usss
U.S. Social Security Administration - 1-800-269-0271 - http://www.ssa.gov
CALPIRG Consumer organization - 1-310-397-3404 - www.calpirg.org or USPIRG - 202-546-9707 - http://www.pirg.org/
VOIT (Victims of Identity Theft Support Group - www.calpirg.org
U.S. Dept. of Justice - http://www.usdoj.gov/criminal/fraud/idtheft.html
If you have been the victim of identity theft which you believe was caused by the negligence of an organization entrusted with your personal information, contact Parker & Waichman to discuss the matter since you may be entitled to pursue a civil action for the damages and financial losses you have suffered.