Combating Identity Theft
An anonymous reader writes "Net-Security is running an interesting article about some of the problems facing organizations when it comes to identity theft. From the article: 'Identity theft is the major security concern facing organizations today. Indeed, for the banking industry, it is the number one security priority for 2006. Identity security has developed beyond the simplest form of authentication where one party issues and verifies identities within a closed group of users. While easy to do, this approach is extremely hard and costly to scale upwards and offers no interoperability with other authentication networks.'"
Um... (Score:5, Informative)
They're not helping themselves (Score:5, Informative)
Combating ID Theft is easy... (Score:4, Informative)
Identity theft protection here (Score:2, Informative)
Re:They're not helping themselves (Score:3, Informative)
Theoretically, if you buy stuff with an unsigned card, you are not on the hook to pay the bill in some states.
ID theft sucks and it's only getting worse (Score:5, Informative)
Re:They're not helping themselves (Score:5, Informative)
Here in the UK, we use the Chip and PIN system [wikipedia.org], which has been in effect for a while and practically mandatory since Valentine's Day [bbc.co.uk].
Lenders are liable for ID theft, not victims (Score:5, Informative)
They wanted me to sign an affidavit. I told them I wasn't signing anything, it wasn't my problem. I quoted the following from CHAP. 41, SUBCHAP VI, sections b and e of U.S. Code TITLE 15 which states:
(b) Burden of proof
In any action which involves a consumer's liability for an unauthorized electronic fund transfer, the burden of proof is upon the financial institution to show that the electronic fund transfer was authorized or, if the electronic fund transfer was unauthorized, then the burden of proof is upon the financial institution to establish that the conditions of liability set forth in subsection (a) of this section have been met, and, if the transfer was initiated after the effective date of section 1693c of this title, that the disclosures required to be made to the consumer under section 1693c(a)(1) and (2) of this title were in fact made in accordance with such section.
(e) Scope of liability
Except as provided in this section, a consumer incurs no liability from an unauthorized electronic fund transfer.
Anyway, they took care of everything after that. Including my credit rating.
Re:Useless information (Score:4, Informative)
You can protect yourself from identity theft by taking your name off of the credit bureaus' mailing lists. The credit bureaus are one of the biggest offenders when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, Trans Union, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.
1-888-567-8688
To get rid of most other junk mail, write a letter giving your complete name, name variations and mailing address to:
Mail Preference Service
Direct Marketing Association
P.O. Box 9008
Farmingdale, NY 11735
1-800-407-1088 Opt-Out from all mailing and telemarketing lists
Other sources:
http://www.dmaconsumers.org/cgi/offtelephonedave [dmaconsumers.org]
http://www.dmaconsumers.org/cgi/offmailinglistdav
http://www.dmaconsumers.org/optoutform_emps.shtml [dmaconsumers.org]
Re:Measuring the risk (Score:3, Informative)
10% of 1.5 billion British Pounds is 150 million Pounds NOT 1.5 million.
Bad mods, naughty mods.
Merchant rules require sig and ID. (Score:3, Informative)
According to the merchant rules, for MasterCard anyway, the merchant is supposed to check the signature and request ID as part of their compliance (section 2.1.1.2).
If a card is not signed, the merchant is supposed to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.1.3).
MasterCard Merchant Rules [mastercard.com]
not ID theft in the cool high tech sense, but... (Score:2, Informative)
She was ready to throw up her hands but online security is a big part of my job so I took up the cause for her. I don't expect to get her $700 back but I want to make it a little more difficult at the very least for the unclever scammers.
What shocked me is how lax WM's security policies are. According to the reps I spoke with, WM will cash any automated check with the right readily public account info on it. And they won't even categorize it as fraud so long as -- according to the manager in WM's Fraud Dept I spoke to -- the scammers have recorded the account holder saying nothing more than her account number. I'm still flabbergasted and wonder if this is true of the industry at large.
Not quite on topic, except perhaps in pointing out how excessive talk of encryption codes and integrated authentication platforms is when banks like WM won't even exercise the most basic security measures (or at least take responsibility when their poorly secured system gets played.)
In any event, all the blood and gore can be found here:
http://wamublamesgrandma.blogspot.com/ [blogspot.com]
And if you have less id-paranoid friends or family members (esp. senior citizens) out there, it's probably worth a couple minutes of your time to alert them to the perils of identity theft/fraud. I'm not naive, but this was an eye-opener even for me.
Re:Useless information (Score:3, Informative)
The lockdown doesn't work quite that way. No proof of identity is required to remove the lockdown (normally, at least). What is required is a specific code that's given out when the freeze is put in place and only to the party requesting the freeze. If the request for a report's accompanied by that code the report will be issued, otherwise the request is refused. Makes it very hard for an impersonator to override a freeze unless they were the ones who placed it, since if they didn't they wouldn't have gotten the code.
And yes, there are procedures for dealing with false freezes. They aren't trivial because it's supposed to be hard for an impersonator to remove a freeze, but an attempted DoS on your credit report can be dealt with.