<![CDATA[Consumerist: Identity Theft]]> http://consumerist.com/tag/identity theft <![CDATA[ Yankees Fans Celebrate Championship By Giving Away Your Private Information ]]> In case the unlimited payroll, overpriced stadium, and everything else weren't enough, here's another reason to dislike the Yankees: their celebratory parades are havens for white collar crime.

At last Friday's championship celebration parade, featuring World Series MVP Sean Carter, Yankee fans, apparently lacking confetti, flung documents containing sensitive personal information into the air.

According to Fox 5 New York, "Some of the documents were medical records listing names, addresses, insurance information, medical diagnoses, and other private information. One document was somebody's stock brokerage account, containing financial information."

Sure, it's not technically the Yankees' fault, but when your owner is a convicted felon, disrespect for the law will trickle down to the fans.

Private Documents Tossed on Yankees Parade [Fox 5 New York]
(Photo: frankieleon)

]]>
Consumerist-5399799 Mon, 09 Nov 2009 14:33:07 EST Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5399799&view=rss&microfeed=true
<![CDATA[ What Do You Do When Your Hotmail Gets Hijacked? ]]> Richard says his wife's Hotmail account was hacked, and now she can't get into her email or fix the problem via Microsoft's customer service online or over the phone. He writes:

Some time this morning (10/21) my wife's Hotmail account was taken over. We're not sure how they gained access to the account as she avoids all forms of spam and doesn't visit any illicit sites. Maybe it was this fiasco? Anyway, I found out about it because I received an obvious spam message from the account (so did several others in her contacts) and called her about it. She then found herself unable to log in (her password has been changed) or reset the password (her security answers have also been changed). Sounds like time for customer support, except there is no phone customer support directly available for Hotmail (unless you know one I don't).

I tried the identification validation page they have but that is not super useful as it also requires a security answer but doesn't say for which question, and asks for an IP address from when the account was created over 5 years ago in a different house with a different ISP. We honestly don't know what to do here, but the idea of someone controlling her account due to no fault of our own (other than choosing Hotmail, I guess) and getting no help from Microsoft other than access to a page where many people are complaining about the same thing and being asked for information we know has been changed, really bugs us. So I guess I'm asking HELP! Is there an exec level CRS line? Does anyone over there know how we can get hold of a real live person so we can tell them that asking for security information that can, and has, been changed is pointless?

Richard says he and his wife have been using Gmail for more than a year, so they're not completely e-paralyzed by the theft, but it would be great to get that Hotmail account back. Is there anything you can think of for Dave and his wife to try?

(Photo: dirtyblueshirt)

]]>
Consumerist-5392612 Thu, 29 Oct 2009 11:27:21 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5392612&view=rss&microfeed=true
<![CDATA[ State Job Website Has Great Opportunities For Self-Starting Identity Thieves ]]> CBS 5 exposed a "gaping hole" in the code of California's state-run employment website that allows anyone who views the site to access and modify other users' resumes and personal info simply by changing some numbers in the URL.

CBS 5 spoke with a man who had uploaded his resume to CalJOBS, the state jobs website where residents must register in order to receive unemployment benefits. The man bookmarked the URL where his data was, but each subsequent time he viewed the link, he saw different users' information, including addresses, employment history, and other information that could easily be used by identity thieves.

After CBS 5 showed the glitch to a computer security expert, they discovered that it was possible to modify other people's resumes.

California says they've since fixed the glitch and are going through the site to make sure there aren't any more giant security liabilities. We're glad it's back up, as there are probably a few former state IT workers who need unemployment benefits.

Security Flaws Discovered in California EDD Website [CBS 5]
(Photo: Amazon)
Thanks, Matt!

]]>
Consumerist-5390373 Mon, 26 Oct 2009 17:26:57 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5390373&view=rss&microfeed=true
<![CDATA[ Here's Your Post-ID Theft Checklist ]]> Personal finance blogger Carrie... On the Cheap put together a checklist of things you should do once you've found out your identity has been stolen.

Step one, of course, is to cancel any credit card that's been swiped. It's the second step that too many people forget, she writes:

Most people forget this step until it's too late. After I had cancelled my card, it quickly dawned on me how many automatic bill payments I had filtering through that very credit card on a monthly basis.

After you've cancelled your card, you'll have to go through and switch every automatic payment from that credit card to another card or bank account.

This is the catch-22 with those handy-dandy automatic bill payments – they can always come back to haunt you if your credit card changes or expires (or gets hijacked by some scammer halfway across the globe forcing you to cancel your card).

The tongue-in-cheek step 3 is my favorite — track down the jerks who stole your credit to exact sweet revenge.

What You May Be Forgetting When You're The Victim Of Identity Theft [Carrie... On the Cheap]
(Photo: scenemissingmagazine)

]]>
Consumerist-5387484 Thu, 22 Oct 2009 09:00:51 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5387484&view=rss&microfeed=true
<![CDATA[ Protect That Identity With A (Free?) Paper Shredder ]]> In honor of National Protect Your Identity Week, personal finance blogger Stephanie at Poorer Than You has cobbled together a guide on how to shred your documents if you're too cheap to go out and buy a paper-shredder.

She recommends one that cross-cuts in order to prevent someone who really, really wants your identity from taping together strips of your old tax returns. The best shredder of all, she says, is fire — and Beavis would agree — which she used to use when her house was heated by a wood stove.

There are ways to get access to shredders other than breaking down and buying one, which according to Stephanie should be the last resort for a creative freeloader. You can look for free ones on Craigslist, borrow one from a shred-happy friend, or wait for a shredding party, she writes:

Shredding Events: Keep your sensitive papers for shredding in a secure place (away from the prying eyes of roommates and dubious guests-of-roommates), and find out when there's going to be a free, public shredding event in your area to take it all to. Your best friend in finding one of these events is Google! Search for "[your city] shredding event" and see what comes up. You can also check the Shred-It website to see if that particular company is sponsoring an event near you soon.

If all else fails, of course, buy a shredder. After all, they're only $30.

Get a Cross-Cut Paper Shredder [National Protect Your Identity Week] [Poorer Than You]
(Photo: someToast)

]]>
Consumerist-5385600 Tue, 20 Oct 2009 09:04:29 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5385600&view=rss&microfeed=true
<![CDATA[ Thief Runs Up $10,000 Credit Card Bill Using Only Name, Address, Social, DOB ]]> John says that his wife's identity was stolen two weeks ago and since TransUnion shows your full credit card numbers on your credit report, the thief was able to run up a $10,000 credit card bill in his wife's name.

The thief got hold of his wife's SSN, address, and DOB, says John, and used that to access his wife's TransUnion credit report. He says TransUnion confirmed that someone had accessed her credit report via the credit bureau's website.

On the credit report, the credit card numbers are listed in full. John says he spoke with the merchants the card numbers were used at and they confirmed that the thief tried several different expiration dates before successfully charging the card. Since the report also says what date the account was opened, guessing the expiration date isn't as hard as it might be otherwise.

I just checked my TransUnion credit report, a portion of which I'm showing above, and indeed the credit card numbers are listed in full. I also noticed a disclaimer that said, "the account # may be scrambled by the creditor for your protection." That "may" should be an "is." Both the creditors and credit bureaus need to change how credit card and account numbers show up. All the pieces of information needed to access an individual's credit report can be gotten from public records.

"If you haven't already done it go right now and check your TransUnion credit report, set a password on the account to prevent thieves who know your SSN/Address/DOB from accessing it. If when you get there there is already a password and you didn't set it you're probably a victim," says John.

(Photo: B Rosen)

]]>
Consumerist-5381620 Wed, 14 Oct 2009 13:50:52 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5381620&view=rss&microfeed=true
<![CDATA[ University Launches Free Financial Education Website ]]> We love free, and we love attempts to make people savvier about personal finance, so we really like this new personal finance website from the University of Idaho. It's got all the basics covered, and there are things like checklists and downloadable worksheets so you can practice what they're preaching. Some of the information is geared specifically to Idaho residents, but for the most part this is useful content that anyone can take advantage of.

Idaho Personal Finance [University of Idaho Extension via Idaho Business Review]

]]>
Consumerist-5376668 Wed, 07 Oct 2009 18:18:02 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5376668&view=rss&microfeed=true
<![CDATA[ FBI Charges 100 People In Phishing Investigation ]]> Since 2007, the FBI and authorities in Egypt have been running an investigation they've called "Operation Phish Phry," sigh, and this week it paid off with 53 charges against U.S. defendants and 47 against people in Egypt. Three of the 53 in the U.S. have been arrested, and the FBI are looking for the other 50. To prove you're not one of the remaining 50, please send the FBI your login credentials to your bank. Ha ha, we kid.

According to the FBI, the U.S.-Egypt phishing operation collected personal information from thousands of victims and used that information to defraud U.S. banks. Hackers based in Egypt allegedly captured banking information and other personal details, then supplied that information to associates in the U.S. who then withdrew funds using the stolen credentials and wired back a portion of the proceeds to Egypt.

Information Week notes that "all 53 defendants in the U.S. face charges of conspiracy to commit bank fraud and wire fraud, which carry a maximum sentence of 20 years in prison."

"One Hundred Phishers Charged In Largest Cybercrime Case" [Information Week]
(Photo: adobemac)

]]>
Consumerist-5376463 Wed, 07 Oct 2009 17:59:28 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5376463&view=rss&microfeed=true
<![CDATA[ Grab Your Old Statements, We're Going To The Shred-A-Thon! ]]> Tucson, Arizona is hosting a community shred-a-thon in October, where private citizens can show up with boxes of sensitive data and have it shredded for free. Back in July, the Wall Street Journal looked at the growing trend of community shredding events as an example of how regular people are taking action to prevent identity theft.

The WSJ wrote:

Although there are no hard data tracking the number of such shred-a-thons, people in the paper-shredding industry say they are becoming more popular. Tom Thompson, general manager of Information Protection Solutions of America, a Chicago-based consortium of 90 certified shredding companies, says that inquiries he's received about shredding events have doubled to three or four a week after the financial crisis hit last year.

With paper fraud accounting for 25% of reported data breaches for the first half of the year, according to the Identity Theft Resource Center, a nonprofit based in San Diego, mobile shredders provide a quick solution to a critical but otherwise tedious at-home ritual.

In most cases, the events are partnerships between the city or community and professional shredding companies. That means if you want to see your own city host a similar event, a good place to start looking is on sites like these:

Or heck, maybe you can get your local church or community group involved and help organize the event yourself. That way you can cherry-pick your neighbor's most valuable sensitive data to resell help your neighbors be more safe.

"A Town That Shreds Together..." [Wall Street Journal]
"Shred-A-Thon to prevent identity theft" [KOLD News 13 via bbi_secure]
(Photo: oddharmonic)

]]>
Consumerist-5360714 Wed, 16 Sep 2009 10:05:10 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5360714&view=rss&microfeed=true
<![CDATA[ Advice: Don't Try To Open A JC Penney Account With The Person You're ID Thefting ]]> Did you hear about the identity thief in Seattle who tried to open a JC Penney credit card account with one of the very women whose identity she had stolen?

The Seattle Times reports that the (tall) Federal agents had shown identity theft victim Michelle McCambridge a surveillance photo of the woman who stole her identity. Michelle didn't recognize the lady then, but she sure did when the lady came up to the counter where Michelle worked at JC Penney and tried to sign up for a credit card.

Michelle stepped away and made sure the manager got an image of the lady and reported it to law enforcement. Because of her cool thinking, she helped law enforcement apprehend the woman and four others who were part of an ID theft ring that had defrauded at least 39 people.

The key in cracking the case, authorities say, was that Michelle and other victims got active in their cases and contacted the stores to make sure they saved their security tapes.

That doesn't happen very often, [Agent Velling] said. Usually, people just file a police report, cancel their accounts, and the cases languish for lack of evidence and resources.

"Identity-theft crimes are some of the most difficult criminal cases to investigate," Velling said.

Identity-theft victim meets her identity thief [The Seattle Times] (Photo: XISMZERO)

]]>
Consumerist-5359977 Tue, 15 Sep 2009 15:03:15 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5359977&view=rss&microfeed=true
<![CDATA[ 5 Ways To Prevent Identity Theft ]]> If you're still not shredding, locking, and canceling, maybe a giant graphic will get the point across. Follow these five tips and you'll be well on your way to securing your side of things when it comes to ID theft.

Hoping retailers secure their side of things is another matter, but that's why step 5 of this chart is "monitor your credit report."

"5 Easy Steps To Preventing Identity Theft" [Visual Economics]

]]>
Consumerist-5359279 Mon, 14 Sep 2009 17:53:00 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5359279&view=rss&microfeed=true
<![CDATA[ Seven Free Sites To Track Your Personal Information ]]> The Consumer Reports Money Adviser has compiled a great list of sites that store your personal information and will provide free copies of their reports to you if you ask.

The sites give you access to a wide range of your personal information, with links to your free annual credit report, past insurance claims, health history, checking account info, background checks, previous purchase returns, and your rental history.

Because some of these were new to us, we decided to go through the whole list and try out all of the links Consumer Reports provided. (We didn't try the free credit reports from annualcreditreport.com, with which most readers should already be familiar.)

ChoiceTrust, which provides free reports on personal property and auto insurance claims, as well as bankruptcies, liens, and any licenses (e.g., firearms, admission to a state medical board, etc.) you have, gave us accurate information quickly.

Chex Systems, which offers free reports on checking and debit history, overdrafts, unpaid charges, and so on, was accessible, but does not offer online reports; ours will be arriving in the mail next week. TeleCheck, which provides similar information, had a buggy website that kept clearing form values when we clicked Submit. Encouraging sign from a company that has access to your checking account.

The Retail Equation provides your return history, used by stores to spot potential refund/return scams, but you can only access a free report online if you've been denied a return and have a refusal code; otherwise you'll need to contact them by phone to get your report.

SafeRent and RentBureau both provide consumer information to landlords and property management companies when prospective renters apply for housing. Both sites offer free reports; however, you have to print out and mail in a form to receive your report.

The CR article also offers several phone numbers for companies that maintain your medical records, although when we tried, it was such a formidable labyrinth of phone trees and automated prompts that we weren't up for going through it all.

Taking control of your finances and your personal information requires knowing what agencies are saying about you. Use these resources to spot any fraud, incomplete information, or legitimate red flags that will pop up when you apply for credit, a mortgage, or an apartment.

Big Brother Is Watching [Consumer Reports Money Adviser]
(Photo: frankieleon)

]]>
Consumerist-5359101 Mon, 14 Sep 2009 16:27:23 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5359101&view=rss&microfeed=true
<![CDATA[ ID Theft Ringleader Pleads Guilty ]]> Albert Gonzalez, a 28-year-old from Miami who was arrested last year and charged with leading "a worldwide ring that stole more than 40 million credit and debit card numbers from major retail chains," pleaded guilty today as part of a plea bargain. He faces up to 25 years in prison.

"Hacker in US payment card theft case pleads guilty" [Reuters]
(Photo: Brymo)

]]>
Consumerist-5346049 Fri, 11 Sep 2009 14:36:37 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5346049&view=rss&microfeed=true
<![CDATA[ Destroying A Credit Card, In Fifteen Easy Cuts ]]> Do you have expired or otherwise unused credit cards in need of destruction? Do you lack a crosscut shredder? Learn how to make your own credit card shards at home from this handy video.

Based on a Bargaineering post, this method is designed to destroy the magnetic strip and any identifying information on the card at all. The cuts are placed to obliterate not only the magnetic strip, but the embossed name and card number.

We can't help but wonder: is this worth the effort? Isn't it more fun to hack the card into random pieces, making sure to cut through all text? This is all too methodical. Where's my blender?

In all seriousness, how do you destroy your deceased cards? (Crosscut shredder with a card slot, here.)

Cut up your credit card the right way [YouTube]
Properly Destroy A Credit Card [Bargaineering.com]

(Photo: frankieleon)

]]>
Consumerist-5353121 Thu, 10 Sep 2009 15:58:35 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5353121&view=rss&microfeed=true
<![CDATA[ Skimmers Rig Door Instead Of ATM ]]> Last week, a customer in Long Beach, New York, discovered a skimmer attached to the outside of a local ATM branch instead of on specific machines. We've talked a lot about being wary of any suspicious add-ons at the ATM, but in this case the criminals were collecting card info as people swiped to enter the building—although they still had pinhole cameras set up to record PINs next to each keypad.

Update: Here's a screencap of the page, for those readers fortunate enough to not live anywhere near a Dolan.



"Police find skimmer on Long Beach ATM" [News 12 Long Island] (Thanks to Betsy!)
(Photo: Rennett Stowe)

]]>
Consumerist-5349382 Mon, 31 Aug 2009 11:03:27 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5349382&view=rss&microfeed=true
<![CDATA[ Identity Theft Ring Targets Governors Of States At End Of Alphabet ]]> While the governor of California is autographing cars as part of his state's massive garage sale, his colleagues in West Virginia, Vermont, Wyoming and Washington state are receiving mysterious HP and Compaq laptops in the mail, and are possible victims of identity theft.

The laptops sent to Vermont governor Jim Douglas were purchased with a credit card opened in his name, and other officials in the state have received similar suspicious shipments.

The National Governors Association has issued a bulletin about the suspicious shipments. It also said that Vermont's laptops were paid for with a credit card issued in Douglas' name - but that was not one actually held by the governor or issued by that state.

Officials in Washington and Wyoming said those computers had been purchased with credit cards whose account numbers did not match any issued by those states. West Virginia State Police Sgt. Mike T. Baylous declined to comment on how the laptops shipped there may have been paid for.

"The State Police and the FBI are working jointly to get to the bottom of why these computers were sent to West Virginia," Baylous said Thursday.

Let's hope that the states and FBI get to the bottom of this before the apparent criminals work their way up the alphabet.

State govs saying 'No thanks' to mystery laptops [AP]
FBI investigating laptops sent to US governors [Computerworld]

(Photo: The_WB)

]]>
Consumerist-5348030 Sat, 29 Aug 2009 16:43:13 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5348030&view=rss&microfeed=true
<![CDATA[ Use ID Guard Stamp To (Sort Of) Block Personal Info ]]> We're not sure how effective a stamp would be to truly block out personal info on your mail—cross-cut shredding is always better—but at the very least this would be a fun thing to do while sorting your mail. Maybe it would be good if you're one of those people who hates throwing out old magazines with your address info printed on the covers.

"ID Guard Stamp Obfuscates Your Personal Info" [Oh Gizmo!]

]]>
Consumerist-5347992 Fri, 28 Aug 2009 14:11:17 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5347992&view=rss&microfeed=true
<![CDATA[ Ameriprise Website Riddled With Security Vulnerabilities For At Least Five Months ]]> [Note: The original headline for this post mistakenly identified Ameritrade as the subject of the post. It is actually Ameriprise Financial. I deeply regret the error.] Since March of this year, security expert Russ McRee of HolisticInfoSec.org has sent 6 messages to Ameriprise Financial warning them of easily exploitable security holes on their website. They ignored every request, while at the same time reassuring customers that "No one without the proper web browser configuration can view or modify information contained on our systems."

According to The Register,

For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal user's cookies, according to a web security expert.

The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.

Ameriprise's vice president of public communications responded, "There's no one at risk here," by which we assume he means, "No one important on our side of things. Our customers can suck it."

Russ McRee points out that all financial websites should show more diligence when it comes to maintaining security. It would be easy enough to implement: "There should be something on their site that says 'If you see a security issue on our site, please report it.'"

Visit The Register's article to see actual examples of the type of exploits that have been on Ameriprise's website for nearly half a year. The Register adds, "Such web-application flaws are often easy to fix because they require only a line or two of code to be changed. Sure enough, Ameriprise repaired its site less than two hours after The Register notified company representatives of the vulnerabilities."

"Security bugs crawl all over financial giant's website" [The Register via jen_h]

]]>
Consumerist-5342194 Thu, 20 Aug 2009 23:08:23 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5342194&view=rss&microfeed=true
<![CDATA[ Sprint, AT&T Won't Tell Identity Theft Victim Where Thief Resides ]]> Fearing his identity would be stolen, Mike put out a fraud alert on his credit report to ensure he'd be contacted whenever new credit applications went out under his name. The move paid off because someone snagged his social security number and tried to open accounts with AT&T and Sprint.

Both were courteous enough to call Mike and deny the thief's attempts at opening the accounts, but their helpfulness stopped when Mike asked to know where his assailant was:

I got a call from AT&T asking to verify that I was opening a new account with them. I said no I'm at home. They apologized and then said they will halt the application process. I said, tell me where this is occurring so I can file a report. They said they couldn't divulge that information as it's private and due to the privacy act they cannot discuss such information over the phone, I ask to speak to a manager they said nobody was available.

Next up Sprint. I got a call Monday 8/3 asking the same thing. This time I lost my cool. I demanded some sorta retribution for this. I asked repeatedly why they could not help me. They suggested I speak to their fraud department. I said well thanks that may help. I then call Sprint's fraud department and got the runaround. It would seem that somebody would have to open an account in your name for them to actually be able to help you. I again speak to a person that gives me this "privacy act riot" I again ask to speak to a manager and was denied.

I went online and did a search on what to do, problem is I'm not sure how to file a police report if I don't know where this is occurring from. I filed a very brief FTC complaint. And I already have a Fraud alert. I also requested my credit report from one of the credit agencies (however due to my fraud alert I have to give my first born child in order to get it as I'm not able to view over the internet).

So bottom line. I'm at my wits end. I don't know where else to turn. I don't even know how they got a hold of my social as I'm very very anal about giving it out and shred all of my papers that would've had it. I don't even carry my social card with me it's in a fire proof safe at home. The only thing I can think of is I recently bought a house and switched my cell phone into my name. So either Verizon or somebody at a bank stole my info.....

At least Mike is better prepared than most identity theft victims. But his story is a cautionary tale that no matter how careful you are, you're always vulnerable to such attacks, and won't necessarily find potentially defrauded corporations in helpful moods.

(Photo: Spidra Webster)

]]>
Consumerist-5331308 Thu, 06 Aug 2009 10:02:27 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5331308&view=rss&microfeed=true
<![CDATA[ Bank's Fix For Erroneous Charges: Disclose Personal Information To Other Customers! ]]> Taking outsourcing to an extreme, Bank of New Zealand decided that instead of figuring out why one woman's charges ended up on another customer's account, they would just give the customer the woman's name, home address, work address, email address and cellphone number so they could settle things for themselves.

The Carterton man, who asked to remain anonymous, told the Herald that when he and his wife noticed the Auckland purchase they called BNZ to ask what went wrong.

He said he was "astounded" when a staff member denied the bank was responsible and then gave him Mrs Hansford's home address, work address, mobile phone number and private email address so he could sort the situation out himself.

"We were advising them of a fraudulent transaction and they couldn't care less," he said.

"I was incredulous and surprised and wondering why the bank didn't do basic checks like the person's name and address before the transaction. Their basic response was 'tough - if you don't like it - tough'. Which was when we cancelled the account."

Bank of New Zealand offered the woman $2,000 to apologize for sharing her personal information. She turned it down and canceled her account.

Customers' anger as bank passes on personal details [New Zealand Herald]

]]>
Consumerist-5323385 Sun, 26 Jul 2009 22:00:52 EDT Carey Alexander http://consumerist.com/index.php?op=postcommentfeed&postId=5323385&view=rss&microfeed=true
<![CDATA[ How To Guard Your Identity From Being Stolen ]]> Although the threat of identity theft may be a bit overblown, it's still a good idea to do everything you can within reason to stop yourself from becoming a victim.

Examiner suggests some tried and true ways to insulate yourself from identity-theft danger, including this tip:

Move your financial transactions online by turning off paper invoices, statements and checks, including paychecks, and replacing them with electronic versions where offered by employers, banks, utilities or merchants. Avoid mailing checks to pay bills or deposit funds in your banking account. Instead, pay bills online and use remote deposit check imaging services on online banking sites.

This effort rubs out the paper trail. Crooks are more likely to steal information on paper, from personal belongings and through telephone calls, rather than online.

Other advice includes keeping tabs on your accounts, keeping personal information to yourself and watching out for phishing e-mails. Anything to keep your financial profile to yourself, because identity theft is one case when imitation is not a form of flattery.

Consumer 101: How can I stop ID-theft cold? [Examiner]
(Photo: dooleymtv)

]]>
Consumerist-5319121 Tue, 21 Jul 2009 09:15:17 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5319121&view=rss&microfeed=true
<![CDATA[ State Department Admits RFID Passports Are Insecure ]]> The State Department is advising travelers using super-secure RFID-enabled passports to buy a "radio-opaque" holster, because it turns out that RFID chips aren't so super-secure after all. Don't fret if "radio-opaque sheath" isn't on your holiday shopping list, this is thankfully one of those rare problems that you can solve with a hammer...

Give the back of your passport a few good whacks and hope the feds don't give you 25 years for tampering with a passport.

The State Department asserts that hackers won't find any practical use for data skimmed from RFID chips embedded in the cards, but "if you don't want the cards read, put them in an attenuation sleeve," says John Brennan, a senior policy adviser at the Office of Consular Affairs.

Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, says the envelope her state offers with the enhanced driver's license "ensures that nothing can scan it at all."

But that wasn't what researchers from the University of Washington and RSA Laboratories, a data security company in Bedford, Mass., found last year while testing the data security of the cards.

The PASS card "is readable under certain circumstances in a crumpled sleeve," though not in a well maintained sleeve, the researchers wrote in a report.

Another test on the enhanced driver's license demonstrated that even when the sleeve was in pristine condition, a clandestine reader could skim data from the license at a distance of a half yard.

Well well, State Department, here's a sad little communiqué you never expected from the internet: we told you so.

Special alloy sleeves urged to block hackers? [AP via Upgrade: Travel Better]
PREVIOUSLY: HOW TO: Disable RFID in Your New Passport
(Photo: Ryan McFarland)

]]>
Consumerist-5316382 Sat, 18 Jul 2009 10:00:27 EDT Carey Alexander http://consumerist.com/index.php?op=postcommentfeed&postId=5316382&view=rss&microfeed=true
<![CDATA[ Some SSNs Can Be Guessed Using Birthdate And Location, Say Researchers ]]> It turns out our Social Security numbering system, which launched in 1936, isn't very foolproof against some types of hacking. The New York Times reports that researchers at Carnegie Mellon University "used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth."

From the researchers' sample, it was possible to identify in a single try the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born from 1973 to 1988. It was possible to identify all nine digits for 8.5 percent of those born after 1988 in fewer than 1,000 attempts.

The accuracy of the prediction system increased for smaller states and for people born after 1988. The accuracy was higher for those born in the late 1980s and after because of rules that led increasingly to the assignment of Social Security numbers at birth. The researchers, for example, reported that they needed 10 or fewer tries to predict all nine digits for 1 out of 20 Social Security numbers assigned in Delaware in 1996.

The study points out that although it's technically possible for criminals to repeat the results of the study, it's currently unlikely. Still, it underscores that SSNs are an "aging technology," in the words of one law professor quoted in the article. Or as one of the co-authors of the study says,

"My hope is that publishing these results may open a window of opportunity, so to say, to finally take action," Mr. Acquisti said. "That S.S.N.'s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address."

"Social Security Numbering System Vulnerable to Fraud, Experts Say" [New York Times]
(Photo: TheLawleys)

]]>
Consumerist-5308927 Tue, 07 Jul 2009 10:13:03 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5308927&view=rss&microfeed=true
<![CDATA[ Everyone Knows How To Handle A Stolen Checkbook Except For Verizon ]]> Yesterday I was musing that Time Warner Cable was passing the cost of customer care off to other businesses, by requiring customers to take half-days or full days off of work just to wait for a cable repairman. Today I think I stumbled upon another hidden economic impact of bad customer service: it's responsible for generating a lot of the "free" content online. The next time you're reading an IMDB entry about "Damages" or "Big Love" for example, you can thank Verizon's collection of angry, confused, and possibly insane employees, and all the idle time they create for a customer who has to deal with them.

Hariette's story is long, but you'll alternately laugh and cringe as she shares what happened to her after her checkbook was stolen this past December. Hariette worked with her bank to quickly patch up any security holes from the theft, and soon she was set up with a new account.

Changing her billing info with Verizon was not so easy, however. Apparently Verizon's "e-center" has never been seen by any humans working at Verizon, but it's where you have to go to get anything done. Here's probably the most telling exchange Hariette has with any Verizon employee in the whole story:

As the 20th minute approached, the rep fearfully told me, "Ms. Surovell, I am only allowed to spend 20 minutes helping each customer. From this point on, you will have to hold for the e-center yourself."

"So, what was the point of your being involved at all, if you can't do anything for me?" I asked.

"Ma'am, I'd like to help you, I would, but I'll get in trouble if I don't get off the line now."

He was becoming frantic.

I stayed on the line, holding for the e-center until I got the announcement. It was 6 p.m., and the e-center was officially closed. I was welcome to phone back the next day between 8 a.m. and 6 p.m.

There you have it: a Verizon employee admitting that he has to not help solve your problem or his job will be at stake.

Our favorite person at Verizon now is officially "T," the relocated Texan who is some sort of security agent for Verizon, and who used to work in Tampa, and who won't stop calling Hariette a "ticket" whenever she amuses him. Oh, also he keeps calling her from his Verizon cell phone, which goes in and out of range, and he suffers from road rage.

"Well, I gotta be honest here, Ma'am, and tell you that it's not looking good. Now, let me warn you, we're going into a zone, and my cell may go out, so..."

"I didn't hear the last thing you said. You're fading out."

"What? What did you say?"

"I said I can't hear you! I'm hanging up."

"What was that, Ma'am?"

A few minutes later, he called back.

"'T', I can't stay on the phone with you like this every day. These calls are taking a lot of time, and I need to use my time to be writing my articles."

"Ma'am, you are a ticket! Hey, can you hold on there a minute, some people should not be allowed on the road (screaming out the window...) 'Lady, you fucking idiot, you goddamned moron, who the fuck taught you how to drive?!' (Without skipping a beat...) Pardon my language there, Ma'am, I hope I didn't offend you, but some people driving out there can really rile you up."

"I'm a New Yorker, it takes more than the f-word to shock me." I lied. "T's" segues from extreme formality (I was being "Ma'am'ed" more than Judge Judy) into gross obscenity unnerved me.

"Well you are a ticket, I tell you, that's what you are!"

Sure, that part of the story sounds like it's ready to be optioned for a movie, but there's no happy ending when Verizon is involved. In fact, if customer service is a priority for you, remember this response from Verizon when Hariette asked them to at least apologize for wasting her time for six months on what was supposed to be a simple account edit: "No, we will not."

"Verizon Customer Diss-Service" [Matahariette]

]]>
Consumerist-5307125 Fri, 03 Jul 2009 16:26:14 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5307125&view=rss&microfeed=true
<![CDATA[ WaMu Saddles Credit Card Theft Victim With Thousands In Fraudulent Charges ]]> Someone stole reader A's WaMu credit card number and racked up thousands in fraudulent charges, and now WaMu wants A to pay for it. The fraudsters also made a PIN request for a cash advance over the phone, and WaMu said that phone call originated from A's parents' house. Because of this, which A says is impossible, WaMu demands A be responsible for the charges. He's written letters and called executive customer service and it's gotten him nowhere. His crappy story, inside...

I have a major problem going on with my WaMu credit card. I had thousands of dollars fraudulently charged in California and now they are saying I owe this money because the call came from the telephone number associated with my account. Do you have any advice? I just don't know where to start. Each time I try, I hit a dead end.
For instance, I've tried to get the telephone records to prove the call was not made from the phone number on the account because this is what WAMU requested from me before they will ever reinvestigate this case with their fraud department. The phone company will not release that information without a subpoena. I've gone to the police but they say there is nothing they can do since the crime happened in California. Please help me if you think there's anything I can do; I'm at my wits' end.

This is a credit card but they did use a PIN number to withdraw cash from the card in addition to using the card for purchases at Target. The charges happened around November 22 and I reported them as fraud to WaMu in December when I saw them on my statement. It took about a month to process the fraud investigation and they took the charges off my account for January. This month I got a letter claiming I am responsible for these charges because, according to their records, the PIN request to withdraw cash was made from my parents' number in Arvada, which is the number on the account. All these fraudulent charges were made in California. My guess is they had my information and made the call from some type of web site that disguises the actual number they are calling from and makes it look like it's coming from another number (my parents' number in this case).

I called executive customer service and they would patch me over to Rosita saying she couldn't help me but I explained my case to them again, asking to re-look this over. They said they would call me back in two days and it's been about two weeks with no call so I wrote this letter and sent it with my last bill:

"With reference To card number ending in

This is to inform you that I have no intentions of paying any charges, interest or penalties incurred in California on my WaMu visa. All these charges occurred over a 2 day period. November 23-24, 2008. The card was and is in my possession. I live and work in Colorado including the dates in question. I have never requested nor used a PIN number. How could this have ever been verified by a phone call? I do not know anyone in the Los Angeles area.

Since August 2008 I have not used that card at all. This is to be reported as identity theft, already reported locally. You as a creditor are entitled by law to report to the collections agency of your choosing as identity theft.

Enclosed is payment in full for all charges for which I am responsible including current accrued interest, consider this my stimulus gift to your troubled institution.

Why did this occur the Monday after your November 21, 2008 layoff of 1600 employees? Certainly your new owners, Chase, and Obama USA, need to be apprised of your sloppy security measures as well."

I'm betting that the takeover has something to do with WaMu's non-responsiveness. A should try kicking this up the CHASE corporate ladder. For privacy reasons, Chase, which owns WaMu, declined to comment on A's case, but said they would look into it and have someone get in touch with A.

(Image: Elton Lin)

]]>
Consumerist-5170212 Wed, 10 Jun 2009 08:19:59 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5170212&view=rss&microfeed=true
<![CDATA[ The Maid Is Stealing Your Checkbook ]]> Identity theft is rising in the recession, according to a Brooklyn public defender I talked to at a party this weekend. Most often the crime starts with the perp stealing the victim's checkbook, he said.

With that, they've usually got your name, address, and definitely your bank account and routing number, all of which they can use to open up new accounts in your name and go on a spending spree, leaving you hanging with the charges. Not to mention, of course, just using those checks in the checkbook to buy stuff.

Who's doing the lifting? Service personnel the victim let into their home, like maids and electricians. Unsettling: you ask them to clean the house and instead they clean you out.

(Photo: Betsssssy)

]]>
Consumerist-5284782 Tue, 09 Jun 2009 14:43:49 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5284782&view=rss&microfeed=true
<![CDATA[ Erroneous Public Records Data, Or: Who The Heck Is This Hipolito Guy? ]]> Kathy has an unusual problem. She thinks that there might be a problem with some of her public records and/or her credit report, but she isn't sure how to find out how it got there, let alone remove it. See, there's a man named Hipolito, with the same relatively common last name as Kathy, who keeps popping up in public records questions used to verify her identity. She has no idea who this man is, and neither does anyone in her family.

I am stuck in an identity non-theft nightmare. About two weeks ago I filed a claim for a damaged phone from Asurion. During the authentication process they asked me several questions about people that are linked to my public records (my parents, etc.). There were several questions about an Hipolito [Lastname], who I've never heard of, so I answered honestly that I had no idea who this person was. My claim was denied because I did not answer questions about this person accurately but they did accept me sending a fax of my ID's as proof of identity. I thought it was strange but thought nothing more of it.

Yesterday I applied for a car loan at up2drive.com. I was approved for the limit I wanted at a great rate. I called to accept the terms and get the loan details and was put through a similar authentication procedure over the phone and again there were questions about this person I don't know which I could not answer. I failed the authentication process and as a result I am not eligible to reapply for 90 days at which point they will likely ask me the same questions about this person I and no one in my family has ever heard of. They suggested I call Equifax, Social Security and my county public records department and see where and when this name became attached. Equifax said the name does not appear on my record (I had printed out my credit reports a couple of days prior to this anyway so I knew that) and all they could do was put a fraud alert on my file and send it to the other two reporting agencies. I called Social [Security], they said they could not track that down, to go to public records. I called my friend who works in the public records department and she searched everything with my name and this person's name and nothing comes up.

Short of hiring a lawyer (which I cannot afford) to track this person down or track down where in my public records this name occurred, I don't know what to do. None of the companies that authenticated me have any specific information, I couldn't even get the name of the company that gives them the questions to ask for authentication. I am stuck and have no idea where to go or what to do.

If I had to guess, I would say that somehow Kathy's data has become enmeshed with that of another woman with the same name in public records databases. As I learned doing background checks at a former job, this happens quite often.

We've heard from other readers with similar issues—for example, being blocked from seeing credit reports after they were unable to verify details of a mortgage that they never took out.

Any advice for Kathy, and other readers with this problem? Where can people track down the source of erroneous data, and get it removed from their records to prevent headaches like these?

(Photo: juniorvelo)

]]>
Consumerist-5272473 Fri, 29 May 2009 07:49:36 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5272473&view=rss&microfeed=true
<![CDATA[ The IRS Isn't Sure Who They Hired Or Why Your Sensitive Tax Documents Are Filed In Dumpsters ]]> Here are three things you didn't want to know: 1) The IRS doesn't always conduct background checks on the employees contracted to handle your sensitive tax documents; 2) Those contracted employees regularly toss your sensitive tax documents into dumpsters without first shredding them; 3) The IRS doesn't really know who's in charge of conducting background checks on contracted employees, or who's responsible for keeping your sensitive tax documents shredded and out of dumpsters. At least that's what the Treasury Inspector General's office uncovered when it audited everyone's favorite auditors.

"We found evidence of only 2 instances where IRS personnel conducted visitations to shred/burn facilities in the past 2 fiscal years," the report notes. "Not all Territory Managers were even able to identify the contractor who provided their shred/burn services or where they were located. None of the four contractor sites we visited had ever received a request from the IRS to inspect their facility or onsite records."

In response, the IRS says it will keep close watch on both its dumpsters and contracted employees. Honest!

Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information (Audit # 200830008) (pdf) [Treasury Inspector General For Tax Administration]
Report: IRS Created Dumpster-Diver Swimming Holes [The Washington Post]
(Photo: sonyaseattle)

]]>
Consumerist-5266515 Sun, 24 May 2009 08:00:11 EDT Carey Alexander http://consumerist.com/index.php?op=postcommentfeed&postId=5266515&view=rss&microfeed=true
<![CDATA[ Watch Out For Fraudulent ITunes Purchases, Whether You Have An ITunes Account Or Not ]]> MyFox New York notes that some people are being hit with fraudulent charges on their bank accounts from the iTunes Music Store, or in some cases from a fake iTunes store. Earlier this month, a reader wrote to us with a similar complaint:

I woke up this morning to an email stating I had made two $50 gift card purchases [on iTunes Music Store]. I contacted my bank and apple, then did a google search and found that many others had the same thing happen to them.

Over on GetSatisfaction, there's a long thread about fraudulent iTunes charges, but no clear answer about what's going on. In fact, some people seem to be getting hit with charges on their credit cards from a fake APL*ITUNES business even if they don't have iTunes accounts, while others who do have iTunes accounts receive receipts via email for real gift card purchases that they didn't make.

One person says his bank told him that it's become a common enough fraud attempt for them that they flag all iTunes purchases. He's in Australia, but the complaints on GetSatisfaction are from customers around the world.

I'm from Australia and received a call today from my bank asking if I had made a $1.00 purchase with Apl Itunes with my card. When I said no, she said she would immediately decline the charge and said that I should also immediately cancel my card. She further said that there is an organized crime element that make $1.00 purchases on Apl Itunes with fraudulently obtained card numbers. If the charge isn't disputed by the cardholder then the criminals "get to work" making bigger purchases with the card number. Apparently it has become such a big problem my Bank specifically filter out all $1.00 card transactions for Apl Itunes and contact the cardholder within a few hours.

Here's another person's story from last summer:

Chalk me up as another victim. haven't used my itunes account to ever purchase. I set it up with a new Ipod 3 years ago. I had 4 Charges $103, $103, $51.50 and $51.50 all for "APL*ITUNES and the 800 number. Which when you call is just the recording.

I called my bank and canceled the card. Can't dispute as it's still pending. I also called the real Apple number. The CSR reported that my card had been used to purchase 4 gift cards and then provided me with the email address they were sent to which is not my email address. My Card number was not stored in the apple store so how they got it baffles me.

Here's the Fox news story. Fox points out that nobody really knows who's behind the charges or how to stop them. Our advice is the same as ever: monitor your accounts closely, and when you see a suspicious charge call your bank immediately to dispute it, and to initiate anti-fraud measures if necessary.

(You can read the transcript of the video segment at the link below.)

"Scammers Use iTunes to Drain Bank Accounts?" [MyFox New York]
"Apl.itunes has taken money from my account and I never ordered anything." [GetSatisfaction] (Thanks to db!)

]]>
Consumerist-5260294 Mon, 18 May 2009 22:22:56 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5260294&view=rss&microfeed=true
<![CDATA[ Don't Move House If You Have An Amex Card ]]> Here's a cautionary tale from a Consumerist reader whose credit card company contacted his out-of-date phone number and got authorization for a $4000 spending spree. The company withdrew thousands of dollars from his bank account for a payment he had supposedly scheduled and then OK'd over the phone. The problem? He hadn't scheduled it, that wasn't him on the phone, and that wasn't his phone number.

"Today my wife went to withdraw money from our bank account and noticed to her surprise that we were over $4000 overdrawn. We then went online to check our account and noticed that there was a large pending payment to our American Express card. We checked the Amex account online and saw the same payment listed there. But neither my wife nor I had authorized this payment. So we called American Express and thus began a descent into madness...

1. The first person my wife talks to at Amex says that she'll have to open a billing inquiry and it could take up to six weeks to resolve. My wife said that was unacceptable and asked to speak to a supervisor.

2. The supervisor said that they called a number (they wouldn't even tell us what number) associated with our account and that the person they spoke with authorized the payment. My wife said that neither of us had spoken to anyone and the supervisor said that he would pull the tape of the call and would call us back within the hour.

3. The customer service rep (not the supervisor) who called us back said that they had reviewed the call and related the transcript to us. It's important to understand that my wife has an unusual first name that someone could take for being either a male or female name:

Amex Rep: Is this [my wife's name]?
Man at unknown phone number: "Yes, this is [my wife's name]."
Amex Rep: Do you authorize a payment of $XXXX on your account?
Man: "Yes, you can take the money out of my bank account."
Amex Rep: Would that be the account ending in xxxx?
Man: "Yes, that's the account."

Based on this crack display of identity verification, Amex says they would not be refunding the money. We said we would be putting a stop payment on the transaction and would be contacting a lawyer.

So, apparently if you have a phone number that used to belong to an Amex account holder and Amex calls you asking for payment, all that is required to authorize money be removed from that person's bank account is to say "yes, that's me" and "yes, that's my account". No verification of social security number. No asking what the last four digits of the bank account is. No "what's your mother's maiden name".

My wife and I are outraged. It is unbelievable that Amex makes no attempt to verify that they are talking to the right person. Heck they could have even called our home phone number and if someone else (a babysitter, a mother-in-law, etc.) answered, all they would have to do is pretend to be one of us and they could authorize a payment!"

Be warned, folks. Pass on any address change and phone number updates to your bank, credit card issuers, direct debit recipients, etc., as soon as possible.

(Thanks to vslacks!)

RELATED
"Amex Wants To Play "Scam Call" With You, Please Participate"
(Photo: Björn Söderqvist)

]]>
Consumerist-5251525 Wed, 13 May 2009 15:38:03 EDT Lucy Bayly http://consumerist.com/index.php?op=postcommentfeed&postId=5251525&view=rss&microfeed=true
<![CDATA[ Make Sure You Secure Your Smartphone ]]> Do you own an iPhone, G1, Blackberry, Windows or Nokia smartphone? Fancy phones are a nice target for thieves, and unfortunately they're often packed with sensitive information that can be too easily accessed and exploited. Why not take the time this weekend to make sure it's secure?

Use the built-in security features

If your phone allows you to set a security code to turn it on or return from sleep mode, use it. Seriously, tapping in a few digits or tracing a pattern on the screen isn't that inconvenient, considering it's the easiest and cheapest way to lock a thief out of sensitive data.

On the iPhone, you can even set the device to wipe itself after 10 failed attempts to enter the correct PIN.

Phones that run Symbian (e.g. Nokia phones) have a setting that will lock the phone automatically if another SIM card is inserted.

If your phone supports auto-blind cc on emails—for example iPhones and Blackberries—turn that on so you can potentially intercept messages sent from the phone after it goes missing.

Consider installing anti-theft software

Most smartphone platforms have at least one software solution out there for tracking or remotely accessing your phone should it go missing. Finding where your phone is at the moment is only half the battle, of course; you'll still have to get the police interested in your cause, or go vigilante and try to track it down on your own. (Yes, there's the occasional crowd-sourced success story, but sadly we can't run every stolen iPhone story on the blog.)

Here are some sample anti-theft and tracking apps for phones. Some of them are free, some cost up to $25. We're sure there's more, and we're not endorsing anything—this list is just to help you out if you have no idea what to look for. Also, before you buy an app, make sure it's not offering functionality that's built-in to your device already.

iPhone
Note that apps can't run in the background, so any app-based security is inherently insecure on the iPhone platform—it will only be effective if you train yourself to re-launch the app every time you stop using another app.
Android G1
Blackberry
Windows Mobile
Symbian/Nokia

If it's really expensive, consider adding it to your insurance

Some smartphones are such an investment—especially if you buy them unlocked and unsubsidized—that it may be worth your peace of mind to see whether you can add the phone to your homeowner's or renter's insurance. Check out this post for details.

Make it easy for someone to contact you

If you follow our advice above and do everything you can to lock others out of your phone, you'll also effectively prevent any Good Samaritan from being able to reach you to return the phone.

If your phone has a wallpaper or background image that displays when the phone is locked, consider adding an email address to the image—sort of the digital equivalent of a bookplate or luggage tag. (If you're completely inept with graphics programs, we found a free 99 cents app called Wallpaper Maker on the iPhone store that will slap your contact info on your wallpaper for you.) You can also add something like that to custom skins you might apply to your device. If you have a case, put a label on the inside of it.

(Photo: AMagill)

]]>
Consumerist-5226056 Fri, 24 Apr 2009 11:15:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5226056&view=rss&microfeed=true
<![CDATA[ Visa Covers Butt By 'Delisting' Breached Credit Card Payment Processors ]]> Visa has removed Heartland Payment Systems and RBS WorldPay, the two huge payment processors that suffered recent data breaches, from its list of companies that are in compliance with Payment Card Industry (PCI) rules. It says they can get back on the list when they recertify that they have proper security in place. While this may sound like a significant change in the status of the companies, in reality it does little to change how the three companies do business with each other or with merchants. It's just a way for Visa to protect itself from any upcoming lawsuits by banks and credit unions against the payment processors.

Visa really wouldn't want to do much to hurt its business partnership with the companies, considering how big they are. In addition, the contracts they have with merchants aren't invalidated just because Visa delists them, so cutting ties completely could hurt Visa financially.

The recertification is just a formality, too:

"There have been no material system changes that would have negatively altered [last June's] certification, and we have in fact enhanced the security of our systems in the interim," RBS WorldPay said. "[But] because of the criminal intrusion, we need to be recertified earlier than the normal schedule."

In other words, this is purely Visa looking out for Visa by pretending to be concerned about payment processor security, while in reality just covering its butt.

"Visa drops Heartland, RBS WorldPay from PCI compliance list after breaches" [ComputerWorld] (Thanks to Roger!)
(Photo: orphanjones)

]]>
Consumerist-5172749 Tue, 17 Mar 2009 20:07:37 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5172749&view=rss&microfeed=true
<![CDATA[ 8,000 Comcast Passwords Exposed, Phishing Scam Suspected ]]> The New York Times has reported that a list of over 8,000 Comcast user names and passwords was available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn't an inside job, and that there are so many duplicate entries on the list that it's closer to 4,000 customers.

The man who discovered it, Kevin Andreyo, deserves a slap on the back for using the power of the web to track down personal information about himself—he used pipl to perform a search on his name and address—and he deserves a slap somewhere else for using the same password on every account.

"That isn't just my password for Comcast, it's my password for everything that is not tied to my credit card," Mr. Andreyo said in an interview.

People! Do not do that! Unless you suffer from brain damage or some form of learning disability, your brain can remember more than one password. Do not make it easy for scammers by using a master key that can open any door into your personal life.

If you're worried that you were on the list, the easiest way to tell is to see if your Comcast email account has been frozen—Comcast is taking this measure as well as "contacting them to educate them about using safe passwords."

"Passwords of 8,000 Comcast Customers Exposed" [New York Times]
(Photo: scriptingnews)

]]>
Consumerist-5171041 Mon, 16 Mar 2009 17:20:42 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5171041&view=rss&microfeed=true
<![CDATA[ Best Buy Employee Arrested For Stealing Credit Cards ]]> Uh oh, another Best Buy employee has been caught swiping data from customers. Unlike the woman last August who went on small time shopping sprees, this woman was caught using a card reader to swipe and store info on as many as 4,000 customers at the Best Buy store located at 1880 Palm Beach Lakes Blvd in Palm Beach, Florida.

Best Buy says if you think you may have been exposed to risk, call their Customer Care Center at (866) 792-6391.

"Best Buy employee in West Palm Beach arrested for stealing credit card information" [Palm Beach Post] (Thanks to andem!)
(Photo: kalleboo)

]]>
Consumerist-5150160 Mon, 09 Feb 2009 19:09:03 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5150160&view=rss&microfeed=true
<![CDATA[ Cellphone Recycler Says 99% Of Phones Still Contain Personal Data ]]> It's really great to put your old cellphone back into circulation, even if that means just donating it to a family member. But please, remember to wipe the phone first.
Regenersis studied a random sample of 2000 handsets processed during the first week in December and found that 99% of handsets received contained some sort of personal data, including: contacts, SMS messages, pictures, music, videos, calendar entries, emails, notes, mailing lists and to do lists. In some cases, extremely sensitive information was contained, including bank details, addresses, and confidential emails.

This study was based on European phone donations, but we're not going to pretend that U.S. citizens are ahead of the curve when it comes to data privacy. So please: recycle your phones, but don't leave sensitive info on them.

If you need to erase your phone but don't know how, try Googling the phrase "wipe phone data" + the name of your phone. Or visit this website and search for your phone there.

"WARNING: 99% of All Recycled Cell Phones Contain Owner's Private Data" [CleanTechnica] (Thanks to Derrick!)
Free Data Eraser [Recellular.com]
(Photo: Pål Berge)

]]>
Consumerist-5146745 Wed, 04 Feb 2009 20:57:02 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5146745&view=rss&microfeed=true
<![CDATA[ Credit And Debit Card Breach May Affect Over 100 Million ]]> The Washington Post has reported that Heartland Payment Systems, a payment processor that services "more than 250,000 businesses," has had more than 100 million transactions compromised via malicious software that was installed on its network; it will likely turn out to be the largest data breach ever reported. The "good" news is that the criminals were only capturing credit card numbers, the names on the cards, and expiration dates—the info encoded onto the magnetic strip on the card. Because no addresses, SSNs or PINs were stolen, the prospect of full-blown identity theft is pretty small—which must explain why Heartland isn't offering any sort of credit monitoring package as compensation. Instead, their CFO says, "We recognize and feel badly about the inconvenience this is going to cause consumers."

What? No credit monitoring offer? Well at least they can tell us which businesses were affected, right? Nope:

Robert Baldwin, Heartland's president and chief financial officer... said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach.

Baldwin said it would be unfair to mention any one of his company's customers.

"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said. "Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."

It's clear that Heartland is in the business of servicing other businesses, not consumers, and as such they're pretty much pretending we don't exist. The Washington Post also points out that Heartland chose an interesting day to release the news, considering there's a big Obamavent happening to provide distraction.

As for the actual cardholders, you may have already been issued a new card recently without explanation; well, this could be the explanation. Otherwise, your best bet is to closely monitor your accounts for unauthorized activity—which you do already, right?

"Payment Processor Breach May Be Largest Ever" [Security Fix - Washington Post] (Thanks to Flintstone03!)
(Photo: mary_gaston22)

]]>
Consumerist-5135800 Tue, 20 Jan 2009 19:09:54 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5135800&view=rss&microfeed=true
<![CDATA[ Play Anti-Phishing Phil And Learn How To Spot Phishing Attacks ]]> Phishing attacks are pretty cleverly designed, because they skip most virus checkpoints altogether and go for the true weak spot in human-computer interaction, the human. Lorrie Faith Cranor, a computer security researcher at Carnegie Mellon University, has been studying phishing attacks to identify new ways to fight them.

Some of the things her research team has learned:

  • Users who are simply taught about phishing attacks don't retain the info and keep falling for them, but users who are tricked into falling for a phishing attack first and then taught show far greater retention—it's a "teachable moment" in the researchers' terminology. (Idea: when phishers are caught, their punishment is to have them continue to phish but on behalf of government entities in order to create these "teachable moments.")
  • Even when web browsers warned users they were on a phishing site, many ignored the warnings. People who used IE 7 were more likely to ignore warnings than people who used Firefox 2. You might assume this is because Firefox users are generally savvier computer users, but Cranor says the difference can be attributed to the clearer interface design of Firefox, where severe warnings stand out more dramatically than day-to-day warnings, so that users have a better chance of noticing them. (She says IE 8 has taken notice of this and improved its warning presentation.)
  • Antiphishing programs that rely on a combination of blacklists and heuristics are dramatically better at catching phishing sites immediately than those that rely on blacklists alone, which is crucial because many phishing sites are extremely short-lived:
    We discovered that most of the blacklist programs caught fewer than 20 percent of the phishing sites when we tested them within minutes of receiving the URLs. After five hours, most could detect about 60 percent of the active phishing sites. The programs that used a combination of blacklists and heuristics fared much better, with one detecting almost 90 percent of phishing attacks from the beginning of our test.

So now you know what to look for in an anti-phishing program, but wait, there's more! If you're bored this weekend and want to play a barely-entertaining game that will teach you more about phishing, check out Anti-Phishing Phil by grad student Steve Sheng. You'll have to catch worms with "good" URLs and avoid phishing worms. We found it informative, but maybe a little less exciting than, say, Halo 3. Hmm, maybe save the link for Monday morning when you're back at work and bored.


"How to Foil "Phishing" Scams" [Scientific American]

RELATED
Anti-Phishing Phil

]]>
Consumerist-5122593 Fri, 02 Jan 2009 18:58:13 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5122593&view=rss&microfeed=true
<![CDATA[ BoingBoing has the 500 worst passwords. We'll ... ]]> BoingBoing has the 500 worst passwords. We'll sum it up: if your password is password, 123456, or 696969, say goodbye to your identity.

]]>
Consumerist-5122547 Fri, 02 Jan 2009 17:18:32 EST Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5122547&view=rss&microfeed=true
<![CDATA[ DIY ID Theft Protection ]]> Do you want to be one of over eight million identity theft victims? No, but you can get most of the services sold by "identity theft protection" companies for free. Here's how.

Identity theft protection companies love touting advertising statistics like "8.4 million adults were victims of identity theft in 2007" and "the mean fraud amount per fraud victim was $5,720 in 2007" (PrivacyRights.org) because they're really scary. There's almost no reason to pay a monthly fee for something you can do yourself, most of the time at no cost. Here's what ID Theft Protection usually involves. Note: Several of these not only make it hard for other people to get new credit under your name, but also for you, so be sure to pick the ones that work best for your financial situation.

CHECK YOUR CREDIT HISTORY
The first step in prevention is to check whether you've unknowingly become a victim. By keeping close tabs on your report, you can identify signs of fraud as early as possible. Look for any lines of credit opened up in your name that you don't remember. If you spot them, dispute the credit item with the credit bureau and let them know it's identity theft. You'll need to do this with all three bureaus. You can get your free credit report from annualcreditreport.com. Because you only get one free one from each bureau per year, I like to check one report from a different bureau every four months. When you pay for identity theft protection, this checking is one of the "benefits" they tout... something you can do yourself, absolutely free.

FREEZE YOUR CREDIT
You can freeze your credit report, stopping most identity thieves immediately. With your credit history frozen, no one can access your credit history. If a responsible lender can't access your history, then they won't give the thief any credit. They could have all the information in the world but your credit is locked away. It's a pain to initiate, costs about $10 at each bureau (and you'll have to do each one separately), but is a very effective strategy if you've been having identity problems.

Each state deals with credit freezes differently. In some states there are fees; in others, credit freezes are only available to consumers who have filed an ID theft related police report. Other states do not allow credit freezes at all. To find out what the laws are in your state, check out Consumers Union for an up-to-date roundup of credit freeze laws.

STOP THE UNSOLICITED CREDIT CARD MAILINGS
Save a few trees and your identity by signing up at OptOutPrescreen.com, which will stop most of those unsolicited pre-approved applications. Then call up all of your cards and ask to be removed from their marketing lists, which should stop all the rest. OptOutPrescreen.com stops mailings from companies you don't have an existing business relationship with; calling each card will stop mailings from companies you do have an existing business relationship with. By reducing those pre-approved offers, you reduce the risk that someone opens up your mailbox and steals one of them for their own nefarious purposes.

PUT FRAUD ALERTS ON YOUR CREDIT HISTORY
Call up each bureau and request that they put a fraud alert on your account. This lets any potential lender or creditor know that they should do some extra investigating when it comes to their request because fraud has occurred in the past. Lenders don't want to be party to identity theft any more than you do, so they will take the notice seriously. It's not a hard protection like freezing your credit, but it's better than nothing if you don't want to deal with the hassles of freezing and unfreezing your credit.

BUY A CROSS-SHREDDER
A cross-shredder is a paper shredder that cuts vertically and horizontally, turning sensitive mail into confetti. If you think a torn-up credit card application wouldn't be accepted by any respectable credit card company, you'd be wrong. Red Tape Chronicles has a story about how Chase approved a torn-up credit card application! You can pick up a cross-shredder at any office supply store and they're well worth the investment.

If you read identity theft protection company websites, you'd think they had some secret way of putting a force field around your credit - they don't. As for large dollar guarantees to protect your identity, many only cover failures on their part. If a thief gets through by some other means or doesn't fit their narrow interpretation of "theft," guess who else you have to fight? Yep, the ID theft company itself. With those steps, you can do for free what some identity theft companies will charge you a ridiculous $20 a month for. Save your money for all those "hot deals" at Circuit City.

Jim writes about personal finance at Blueprint for Financial Prosperity.

(Photo: Getty)

]]>
Consumerist-5106336 Sun, 14 Dec 2008 13:12:33 EST Bargaineering.com http://consumerist.com/index.php?op=postcommentfeed&postId=5106336&view=rss&microfeed=true
<![CDATA[ Dallas School District Caught Using Random SSNs For Foreign Workers ]]> The Dallas Independent School District has been making up fake Social Security Numbers for foreign hires for years, even after being told in 2004 by the state's education board to stop because it's illegal. The numbers were meant to "expedite" the hiring process and get the employees on payroll, but they found their way onto Department of Homeland Security and IRS forms (which are kept in-district but shared with feds upon request), were used for criminal background checks, and in at least 26 cases were numbers in use by real people.

The Dallas Morning News doesn't mention whether or not the DISD will be contacting the people who have had their SSNs appropriated, but they did offer this detail:

The DISD-issued Social Security numbers began with "200" – a prefix assigned to people in Pennsylvania, and Mr. Phillips' office noted that many ended with sequential numbers.

In general, though, with the exception of the occasional criminal background check, the fake SSNs were supposedly kept away from any legitimate use, and even if your SSN fits the description above the odds are low anything bad has happened. We're just amazed at the school district's monumentally bad judgment.

"Dallas ISD faulted for using fake Social Security numbers" [Dallas Morning News] (Thanks to AttorneyWrangler!)
(Photo: Getty)

]]>
Consumerist-5087589 Fri, 14 Nov 2008 15:48:58 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5087589&view=rss&microfeed=true