identity theft

Prices For Stolen Credit Card Numbers Fall

The price for stolen credit card numbers is…

Writing "Ask For ID" On Your Credit Card Won't Stop Fraud, But It's Still A Good Idea

Writing “Ask For ID” on the back of your credit card isn’t an unimpeachable guarantee of security, but it could be the last line of defense between you and a fraudulent charge. Invoking perilously flawed logic, the Boston Globe argues: “the cardholder gains nothing by not signing the card or writing in ‘See ID’ on the signature panel.” Let’s dismantle this nonsense piece by piece.

FreeCreditReport.com Doesn't Practice Good Security Hygiene

You’d think a credit monitoring service—even one as skeevy as freecreditreport.com—would take great pains to keep up the appearance of security and confidentiality. You’d be wrong. When Brian called to cancel their service he was asked to call out his social security number and his mother’s maiden name, even though it turned out they could easily access his account and cancel his service with only his phone number and birthday. Oh, and the first CSR hung up on him, but (sadly) that’s not really very newsworthy anymore.

After a multimillion-dollar verdict, attorneys get fee award, too

To add (just) insult to (just) injury, a Florida judge awarded $518,301 to Angela Williams’s attorneys (PDF link). Ms. Williams recently won almost $3 million in a lawsuit against Equifax for Equifax’s refusal to fix her credit report after her identity was stolen.

5 Credit Card Scams To Beware

5. “Cramming”
Completely fictional companies pass these charges on to people’s credit card bills, bank accounts, and cellphone bills. The processing companies just pass them on, and it’s up to consumers to monitor their bills and dispute the charges. So the fake company is just very nice about canceling all the charges from the people who complain, and then they rake it in from all the people who don’t check their bills closely enough.

Collection Agency's Server Stolen; Had 700,000 Accounts On It

Indiana broke its own record for computer security breaches last month, when a server containing personal data on 700,000 people was stolen from the offices of Central Collection Bureau, a debt collection agency. The stolen data included names, personal billing information, last known addresses, and social security numbers of people who hold delinquent accounts with a variety of companies, including utilities and hospitals. The company said the server was behind “three locked doors” and “was protected by two passwords, but was not encrypted.”

Data On Over 40,000 Patients Stolen From NYC Hospital

The New York Times is reporting this morning that an unnamed employee stole personal data on over 40,000 patients from NewYork-Presbyterian Hospital/Weill Cornell Medical Center. The theft “occurred over the past several years and included patients’ names, phone numbers and Social Security numbers.” As we’ve come to grimly expect in these cases, the hospital was made aware of the theft in January, and announced it publicly on Friday after an internal audit. “We obviously deeply regret that this has happened,” said the hospital’s spokeswoman, Ms. Manners. She also said that investigators are “looking into the possibility that the theft could be part of a larger criminal scheme.”

Leukemia Survivor Who Had Identity Stolen By Lab Tech Tells His Story

We wrote about Eric Drew a few weeks ago—his personal information was stolen by a shady lab technician while he was undergoing treatment in 2004.

Flawed Sprint Security Worse Than We Thought

In the comments on our post exposing a flaw in Sprint’s online account security that would let a stranger completely take control of your cellphone account, a former Sprint rep says it’s even weaker than what we thought. How? Reader Dragonfire81 says that every question about cars has three luxury models and one typical car, making it pretty easy to guess. “None of the above” for “which properties have you owned” was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.” Here’s his comment in full:

Flawed Security Lets Sprint Accounts Get Easily Hijacked

We found you can hijack a Sprint user’s account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I’ll show you how we cracked into a Sprint account and just how much damage I could have done, inside…

Redbox Shows Businesses How To Properly Handle A Data Breach

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they’d found credit card skimmers attached to three of their kiosks. What’s surprising is that they ‘fessed up so quickly, and in a highly public manner—they’ve got the text “SECURITY ALERT” at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

Why Did Advance Auto Still Have Customer Credit Card Numbers On File From 7 Years Ago?

From the Richmond Times-Dispatch:

Advance Auto said a computer hacker may have gotten financial information of up to 56,000 customers at 14 stores in Virginia and seven other states. The Roanoke company said the customers shopped at the 14 stores from December 2001 to December 2004.

Why would a company have customer info on file for so long? I found one credit card processor’s FAQ which said that the max for chargebacks is 180 days, and that only applies when a merchant has violated merchant rules (otherwise it’s 120). So Advance Auto was about 2375 days overdue for a records wipe. It’s time to start tightening up the lax security standards on the retail level that have created a playground of plunder for identity thieves.

(Thanks to Volksaddict!)

ConsumerSay Wants All Your Data, Will Give You $20 For It

Pssst, wanna make an easy $20? Just give all your bank account and personal data over to ConsumerSay, a consumer opinion and behavior tracking firm owned by Lightspeed Research. Jen, who sometimes fills out surveys for freebies and cash, got an email from them offering her $20 for only 5 to 10 minutes of her time. Oh, and all of her financial transaction data.

Maryland's Dental HMO Security Breach Was One Of Nearly 40 In The State Since January

A few days ago we linked to a Baltimore Sun article that investigated the recent accidental release of private patient data online by The Dental Network. Now the reporter who broke the story, Liz F. Kay, has contacted us with news that “this was the largest of nearly 40 breaches affecting Maryland residents” since a disclosure law went into effect in January:

Thirty-nine businesses or groups have reported losses of sensitive information involving about 87,500 Maryland residents in the three months since a state law took effect requiring that people be informed of such incidents, records show.

Were you affected by The Dental Network’s security breach in Maryland earlier this year? Last week we didn’t have the address for the official “what to do now” website, but now we do: lds.thedentalnet.org. (Thanks to Liz!)

Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500

Someone hacked this couple’s Sprint account, and bought four new phones on it, leaving these 12-year customers to pay over $2,500. Every time they called Sprint, the fraud department said not to worry and that the charges would be off the bill next month, but the disconnect notices kept arriving until Sprint shut off their phone. Only after a local consumer reporter got involved was the problem solved. When asked why it took so long, Sprint said, “it takes a while to complete a thorough investigation.” If you’re a legacy Nextel customer now with Sprint, you may want to ask about getting a PIN set up on your account. The account seemed to have been targeted (the fraud department said probably by someone inside Sprint) because it was an old Nextel account that didn’t have a PIN.

Scam Watch: Credit Card Shaving

Have you heard of “credit card shaving?” In this version of credit card fraud, thieves try out 16-digit number sequences until hitting one that works. Then they take gift cards from stores and shave off the digits and glue them onto a credit card. They scratch the magnetic strip so the clerk has to enter the credit card number by hand. It’s apparently all the rage in Portland. There’s no defense against it except to monitor your statement for suspicious charges.

Prison Officials Lose Flash Drive With Data On 3,500 Volunteers And Visitors

The San Francisco Chronicle has reported that “a flash memory drive containing names, birth dates and driver’s license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost.” Our reader Paul, who sent us the tip, adds, “When I read it my first thought was, ‘Gee, I wonder what the chances are of this personal data ending up in criminal hands? Mmm, maybe 100%.’” Our favorite part of the story: the data wasn’t encrypted, but prison officials have said that now they’re going to start encrypting it.