For consumers who may be unaware, skimming is a tactic used to steal credit card information. The thief can procure a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device to steal victims’ credit card numbers.

To help you avoid becoming a victim of credit card skimming, here’s a list of the five most common places skimming occurs:

1. The Gas Pump 

The gas station is a favorite for thieves who use skimmers. This is because there are multiple credit card slots sitting outdoors, none of which have a clerk or employee directly monitoring their use.  Typically thieves will install a small electronic reader (which can be seen if closely observed) on the existing card reader. This additional illicit reader will store your credit card information as you swipe your card to activate the gas pump.  They’ll then come back later and pick the reader up in order to make use of the stolen credit card information.

2. ATM Machines

This is a popular choice for the same reasons as the gas station.  Thieves can leave a skimmer on a card reader outdoors and leave it to collect your information.

3. Restaurants/Bars

Usually, in these circumstances, the theft is pulled off by one of the actual employees of the establishment you’re visiting.  Either utilizing a small, mobile card reader or by waiting until you open a bar tab and walk away, a skimmer in this circumstance will either scan or otherwise store your credit card number in order to run up illicit charges in the coming days and weeks. Most of us never think twice about leaving our cards unprotected in the hands of an employee at the restaurant or bar we frequent, and the majority of servers and bartenders are honest, hardworking people.  But beware those few bad apples.  Just to be safe, it’s always good practice to close out your bar tab after each drink order (unless you know the bartender personally) and pay attention to what your server does once they walk off with your card.

4. Department Stores

The next time you go clothes shopping, be sure to pay close attention to the clerk who swipes your card.  Department stores can be potential hot spots for skimming because much like a restaurant or bar, it is not unusual for a clerk to leave your sight to process the transaction, making the temptation greater, and the successful completion of the scam easier.  Sometimes a skimmer will pay an inordinate amount of attention to the number on your card, so if they seem to be staring as though trying to memorize your number, or examining it front and back as if they’ve never seen such wonders before, it would be smart to watch them closely.

5. Call Centers

Do you order goods or services over the phone? Buyer beware, especially of call centers in foreign countries where the phone operators are paid very low wages.  In these cases, there’s a higher likelihood that one of these operators will use the credit card number you supply over the phone for their own personal gain.

The same concerns exist if you use a debit card. However, the risk of damage to you is greater with a debit card, since you don’t have the same legal protections as with a credit card. Skimming a debit card requires that the thief also get the security PIN for the card, which does make it more difficult. However, as the ITRC has seen, crooks can and do also seek debit card information. So, you should be very careful of any transactions requiring the use of your debit card PIN where clerks or other bystanders could gain access to the card and the PIN at the same time.

If you suspect you’ve become a victim of credit card skimming, contact your credit card carrier and your bank and inform them of the fraud. Check your statements regularly so you can catch fraudulent activity as soon as it happens.  In some cases, you may be required to file a police report, but most complaints filed with your bank or credit issuer within 30 days of the fraud will be forgiven.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530.

 

If you run a business that has commercial interests and online interactions (as nearly all companies do these days), you might consider cyber insurance as a tool for mitigating the potential financial damage that may occur as a result of any type of breach, hack, or other fraud arising from internet communications.

Cyber insurance is a method to address the first and third party risks associated with all types of e-business, networks, and any other valuable information trafficked online. This form of insurance can potentially encompass all types of potential loss, including risks associated with privacy issues, virus transmission, or infringement on intellectual property. Virtually any type of loss or liability that can result from online interaction can be covered. This relatively new industry sprang up as a natural counterpoint to the risks assumed by interacting in an exponentially growing e-marketplace. Traditional liability insurance products do not address these types of risks. Commercial businesses operating online now assume many of the same risks of exposure as large data companies, publishers, and information providers. The major difference is the potentially limitless class of people and organizations that may hold your company liable in the event of a breach incident or improper exposure of their personally identifying information (PII).

In addition to the liability coverage cyber insurance provides, there is also an additional benefit of heightened awareness of threats on the part of management (who are footing the bill for the insurance) and therefore the greater level of effort towards educating employees on best practices to mitigate this type of risk.  When one considers purchasing cyber insurance, the insurance issuer will require an assessment of current conditions of your network security, employee practices, and every other aspect of a company’s operation that may alter the level of risk associated with e-commerce.  While this can be an annoyance, it can also be a very valuable tool.  Cyber insurance companies usually make use of an independent third party to run the initial assessment.  This will provide the employer with a very thorough look at their relative security, and point out where the greatest areas of risk are in their particular operation.  Though none of this sounds like a whole lot of fun, I promise you that being held liable for a major breach is much less so, and is far more expensive than even the highest insurance premium.

So if you have a business that maintains a large online presence, it might be worth considering the costs and benefits of cyber insurance.  For additional questions, contact the Identity Theft Resource Center at (888) 400-5530.

“Cyber insurance: What is it and why would you get it?” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Steve Peace and Michael Thorsnes, sponsors of the California Personal Privacy Initiative, have given up on collecting the 807,615 signatures needed to qualify the measure for the ballot.

The proposed measure sought to amend the California Constitution in a number of ways:

  1. to create a presumption that any and all personally identifying information collected for a commercial or governmental purpose is confidential
  2. to require the person or entity collecting personally identifying information for commercial or governmental purposes to use any and all reasonably available means to protect it from unauthorized disclosure
  3. to create a presumption of harm whenever someone’s confidential personally identifying information is disclosed without his or her authorization
  4. to create a safe harbor for unauthorized disclosure if there is a countervailing compelling interest and there is no reasonable alternative for accomplishing said interest

One of the effects of these changes would be a major impact on litigation, as privacy and security data breach class actions often do not succeed due to the difficulty of proving harm to the plaintiffs. Just last month, an Illinois federal judge dismissed a class action lawsuit accusing Barnes & Noble Inc. of being responsible when a security breach of PIN pads in 63 of their retail stores may have divulged customers’ personal information. The judge dismissed the lawsuit, finding that the plaintiffs did not sufficiently show they had suffered any harm from the breach. A presumption of harm would have gone a long way towards helping the plaintiffs obtain a significant settlement from Barnes & Noble Inc.

California’s Legislative Analyst’s Office, in a review of the proposed constitutional initiative, found that the presumption of harm would “make it easier for individuals to win privacy lawsuits against state and local governments” and result in “unknown but potentially significant costs to state and local governments from additional or more costly lawsuits, increased court workload, data security improvements, and changes to information-sharing practices.” The Sacramento Bee reported that the Legislative Analyst’s Office opinion was a major reason for dropping the initiative, saying that Steve Peace “struggled to coalesce the entire privacy community and ‘couldn’t in good conscience ask people to spend 25 million bucks’ on a proposal ‘where we were going to have to spend all of our time on defense’ because of the analyst’s analysis.”

“California Personal Privacy Ballot Initiative Dropped” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

According to the National Cyber Security Alliance, this year and for the foreseeable future, one in five small businesses in the U.S. will be hacked. Of those that do get hacked, there’s a better than 60% chance they will go out of business. That’s about the same odds as playing the game of Russian roulette.

No sane person would ever consider playing that game, knowing the possible end result. So why do small to medium-sized businesses (SMBs), and many big ones too, play this game in the business world? Yet all across the globe SMBs, law firms and medical practices play this game on a daily basis with their business computers, leaving them vulnerable to cyberattacks with their sensitive data exposed. So how do cyber-criminals gain easy access to corporate computers, laptops, and mobile devices? How are they grabbing crucial data that’s causing many of the hacked businesses to close their doors for good?

The answer is keyloggers. A keylogger is an insidious and extremely effective piece of malware that’s capable of evading detection by nearly all anti-virus programs. It can get past sandboxing and whitelisting attempts by some of the most advanced firewalls and IPS/IDS devices. A keylogger does exactly what the name states. It captures every keystroke typed on a computer keyboard and transmits that stolen information to a remote server controlled by the hackers. This may seem elementary to many people in the cybersecurity industry, but most people, from small business owners up to board members of Fortune 500 companies, are not aware of this very effective weapon used to compromise thousands of computer systems.

Keyloggers have been credited with many of the world’s most notable breaches: RSA/EMC, Lockheed Martin, Google, Epsilon, Oakridge Nuclear Weapons Lab, Citibank, Sony, World Bank, TJX, Heartland Payment Systems, the New York Times, NBC, Schnucks Supermarkets, as well as tens of millions of medical clinics, small businesses and consumers around the world. According to the 2012 Verizon Data Breach Investigative Report, malware was found in 69% of the breaches. Of the breaches where malware was used to steal data, 98% of the time it was paired with keylogging functionality.

Let me emphasize that: 98% of malware contains keyloggers.

What makes keyloggers the preferred weapon of choice is that they have been designed to avoid detection by anti-virus and anti-malware tools, and phishing training, too. Cyber-criminals continuously test their malware against all the available security solutions to ensure they can evade detection to deliver their payload. Keyloggers can be embedded into any type of download (MP3, video, a picture file, a codec to run some videos, a Flash file, an online game) or attached to a phishing email or any type of web link. Speaking of mobile devices, mobile malware has jumped 614% in the last year.

Social networking websites, like Facebook, LinkedIn, Twitter, Tumblr, and Pinterest, have become some of the favorite places for hackers to propagate spyware. Why? They are porous in terms of defense. Facebook is an extremely popular attack vector because of the popularity of third-party applications and games such as Farmville, Candy Crush Saga, Words With Friends, amongst others. Adding a “dislike” button and apps to see who unfriended you are also very popular and successful tactics. Just last month, a hacker who “debugged” Facebook code, and who wasn’t paid, got the world’s attention by hacking Mark Zuckerberg’s FB page. Should anyone now entrust his or her data to Facebook?

Anti-virus and anti-spyware cannot keep up with this threat; they are still stuck in the 1990s relying on signatures and weak attempts at behavioral analysis. This is why A/V solutions have been found in recent studies and reported in the New York Times to be less than 25% effective against modern malware, and less than 2% effective against a targeted attack. Keyloggers make a mockery of the majority of cyber defenses. It’s the path of least resistance for hackers.

The Internal Threat of Email

So what kind of data are the cyber-criminals after that’s causing so much economic carnage? For starters, it’s banking credentials. Banking websites’ usernames and passwords are highly sought after because hackers can easily create wire transfers of all the money in the bank to foreign bank accounts and/or prepaid debit cards. Email usernames and passwords are also highly sought after by the cyber-criminals because they are the keys to our online lives. Email addresses can be used to reset passwords for nearly everything we do online, such as credit cards, home utility bills, car payments, health insurance access, and online payroll websites. It’s easy for a cyber-criminal to set up several of their cronies with paychecks at the expense of small businesses.

Cyber-criminals are also after product designs, engineering drawings, sales plans / forecasts, negotiation positions, client / customer lists, contracts, sensitive emails, H.R. records with employee social security numbers, and a whole lot more. For medical practices such as doctors’ offices and clinics, the danger lies in the fact that many of them have poor or non-existent cybersecurity hygiene skills to begin with. They play online games, download music, and surf the web unrestricted on the same computers that house patient medical information. (I know because I have personally witnessed this behavior numerous times.) Healthcare systems easily become infected with keyloggers due to poor user behavior and protocol, not to mention lack of security tools. Medical office staffs are burdened with finding training solutions and documents to satisfy the HIPAA training compliance and requirements.

In an effort to avoid paying for these solutions, they perform web searches and download a free document, PowerPoint or PDF file, not realizing that these files may be booby-trapped with malware that was intentionally placed there for free by the hackers in an effort to lure unsuspecting victims to them. This is known as a Watering Hole Attack.

The Prize of Medical Data

Prized medical data includes Medicare and other health insurance identification numbers, access to cloud-based EMR/EHR (Electronic Medical Records / Electronic Health Records), and access to a doctor’s ability to write e-prescriptions. With access to e-prescriptions, a cyber-criminal can impersonate a doctor to access expensive drugs and other controlled substances, then invoice them to an unsuspecting patient’s insurance. A medical hacker can also impersonate a patient or obtain expensive medical care under the victim’s name.

Medical identity theft is not as easy to repair as financial identity theft. In many cases, these forms of personal attacks take upwards of five years to be corrected, and still might not be resolved because of the credit agencies’ indifference towards people. Medical identity theft can also have dire and sometimes deadly consequences for an elderly or sick victim, with incorrect prescriptions or treatments resulting from medical records that were contaminated and altered when someone impersonated them to obtain healthcare. Is it any wonder that healthcare is seen to be approximately seven to ten years behind the financial industry when it comes to cybersecurity controls?

To think that all of this starts with keyloggers and could have been prevented is the amazing part. Why make life easy for the army of hackers? Aside from the financial impact of suffering a cyber breach, and/or not reporting it the right way in accordance with data breach notification laws, the damage to reputation can be irreparable. Compound that problem with class action lawsuits, as well as insurance companies denying liability claims to victimized businesses, and state attorney general offices penalizing businesses for suffering a breach. How can these breached companies stay in business?

Over the years many security solutions have sprung up, ranging from attempts to stop keyloggers from getting onto a computer system to impractical virtual keyboards. Some even give a false and dangerous sense of security by promising to hold all the secret passwords in an encrypted vault. I say false and dangerous because while the passwords may be encrypted in the database, the master password used to lock and unlock these applications is still susceptible to desktop keylogging.

This is also one of the major flaws of file encryption tools to begin with. What good is encryption if the keys to the kingdom are compromised at the keyboard? That is an impossible task for these solutions to accomplish because they are attempting to protect the data at the application layer all while the keylogger is operating at the kernel layer hooking into the message queues of the Windows and Apple operating systems (You read that correctly, Apple is not immune to keyloggers). To put it in plain English, they’re trying to protect the 7th floor of a building by locking the doors and windows, while completely ignoring the air vents coming up from the basement.

Now this is not an attempt to disparage the password vaults and encryption tools, because they’re still the good guys and are making an effort to combat cyber-crime, except they’re fighting the battle on the wrong front. Many organizations educate their staff with anti-phishing training, hoping they become more secure because their employees now recognize the Nigerian 419 scam and know not to click on an attachment from a foreign person or entity. But how many of those training sessions are effective at helping an employee recognize that their colleague’s or college friend’s email has been hijacked by a cyber-criminal in an attempt to get them to open a trapdoor attachment named “executive pay summary” or “recruitment plan”?

That type of spear phishing campaign is what compromised RSA’s systems with keyloggers and gave the hackers access to the company’s SecurID two-factor authentication product design. A security company being hacked with its flagship product, how ironic is that? Anti-phishing training isn’t effective because all it takes is one clueless or disgruntled employee to click on the link and compromise everything. And with large corporations turning over new workers every week, training alone will not get it done. A company’s cyber defenses should never be solely dependent on training to detect phishing attempts, which is only one line of defense. Employees should instead be trained on what constitutes sensitive and protected information, and how to handle the data to comply with the various regulatory compliance laws. They also need to be trained on the regulatory and privacy laws within the jurisdiction of their businesses, such as HIPAA, PCI, MA201 in the U.S. and the EU Data Protection Act and PCI for businesses that are based or operate within the European Union.

The best approach is a holistic approach. That is what businesses need to survive the relentless assault against all the hard work they’ve spent years building. The best approach should be comprised of a defense in depth, coupled with education. In other words, focus on protecting the data and applications by locking them down with role based access controls, tag the data to detect abnormal behavior and insider abuse, authenticate the human with multi-factor authentication instead of certificates on the machine when a request comes in remotely. And last but not least, cloak the data from the hackers by deploying a “keystroke encryption technology” to render keyloggers useless. Only then will the playing field be leveled and businesses will have a chance of surviving this cyber onslaught.

“The Dangers of Spies on Your Keyboard” was written by Peter Simon. Peter is an Information Security Evangelist and IT security solutions architect. He founded OneForce Technologies in 2007. OneForce Technologies helps companies demystify security by delivering training solutions to address the various regulatory compliance requirements for data security. This article originally appeared in Cyber Defense Magazine.

As parents we start teaching our kids the basics of how the world and everything in it works. The Cow goes Moo, the sky is blue, keep your identity true. This suggestion may feel like it goes a bit too far, but does it really? One of the new basics should be helping our children to understand what their identity truly is.

This is no small task. It’s difficult for adults to keep up on the ever-changing definition of “identity”. But we need to at least give our children some basic context so that as they mature and become ready for the complexities they have the building blocks firmly in place. We can achieve this simply by having a discussion when a concrete example is occurring. How many parents right now are missing opportunities? The use of biometrics is becoming more and more common in our daily lives. How many of us participated in events that took our children’s fingerprints in order to identify them in a worst-case scenario? How many of our health care providers use palm prints when checking into the doctor’s office? Take each of these moments to actually explain what is happening and why. It need not be overly complex, but give at least a short explanation. Make sure they understand that even though their identity isn’t a tangible thing, it can be stolen. This is certainly a complex concept but repeating it will help to cement it as they get older.

Don’t assume that leading by example is enough or that they will simply understand just by observation. You will never know how your children truly perceive things (wrongly) until you ask or it hits you in the face. I remember when someone asked my youngest child where money comes from. He was four at the time and he promptly and confidently responded, “from the store.” After some discussion we figured out that he had noticed how, on a regular basis, when I was done shopping and paid with my ATM card, I would usually get cash back. In his mind not only did the groceries not cost anything, the store actually gave me money when I was finished taking all those delectable items off their hands. Not every misconception is as humorous as this. When we chuckle about the misconceptions that our children and even teens have about these things, whose fault is it? It’s ours. Not theirs.

School teachers have what they call “teachable moments”.  These are events which help them teach children about a concept which may be too complex to present on its own. However, when the concept is paired with a concrete example to which the children relate it makes it much easier for a young mind to understand.  We must find these “teachable moments” to help our children learn about just what their “identity” is and how to protect it.

“Teachable Moments in Identity” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

At the ITRC, our trained staff handle anywhere from 900 to well over 1,000 new victim cases each month. One of the more common questions our advisors are asked is exactly what can happen in terms of identity theft if your driver’s license falls into the hands of a would-be identity thief. In many cases it depends on how much your thief resembles you, whether they have any expertise in fake ID production, and how willing they are to falsely represent themselves to law enforcement.

The truth is, an imposter can use your Driver’s License (DL#) or State ID number to impersonate you. No, they cannot open a credit card or mortgage account, but they can write your driver’s license number on a check, give your license number (without the actual license) to a police officer at a traffic stop, or doctor/manufacture a license with your number to pass off to those who require ID (bars, employers, police, etc.).

The thing you need to keep in mind is that the only piece of information that is needed is your DL# or state ID#. Your name, address, DOB, etc. are not needed to steal your identity.

How Can I Minimize My Risks?

The best thing to do is safeguard your driver’s license information. Don’t allow anyone but government officials to scan/swipe your license unless they are required to by law (buying medicine, checking ID at a bar, employment, rental property, etc.)

You also don’t want to have your license number automatically written at the top of your checks because if they were to end up in the wrong hands, it could result in years of check fraud problems. Check fraud is a felony and could lead to a warrant being issued if you are not careful.

If your license or state ID is lost or stolen make sure you report this to the police, either in a theft report or an incident report. Afterward, you’ll want to speak to your state’s DMV or licensing agency and ask them to place a flag on your license number. This will alert law enforcement to be extra careful in identifying a person they may have pulled over.

How Can I Find If Someone is Using My Driver’s License?

Do not rely on courts or private companies to inform you when a fraud takes place. Most victims don’t find out their information has been used until they 1) get a background check for a job or government assistance, 2) are told by a police officer during a traffic stop, a border crossing, or a visit to their house or place of work, or 3) are told by their bank that they can no longer have an account due to too many bad checks.

If you suspect that your documentation has been used, you can look into it in three ways:

  1. A Background Check

Police, government agencies, and financial institutions report activity to background check companies. Talk to your local law enforcement about what companies are reputable and accurate for background checks, especially when it comes to criminal activity.

NOTE: Your local law enforcement will not just give you a background check. They will only do so if you can show that fraud has taken place.

  2. Official Driving Record

The agency for your state that handles driver’s licenses (usually the DMV, BMV, etc.) keeps a record of all traffic violations associated with your license number. You can ask them to mail you a copy and then look it over for anything suspicious. Keep in mind that most states charge a fee (usually around $10).

  3. Consumer Reports from the Check Verification Companies

Like the Credit Reporting Agencies, the Check Verification Companies keep track of what checks have been written and attributed to your driver’s license. You can get your reports for free from all three agencies.

– ChexSystems (800) 428-9623

– Certegy (800) 437-5120

– TeleCheck (800) 366-2425

What Do I Do If I’m a Victim?

The first thing to remember is not to panic.

If you are arrested or find out about criminal charges on your record, read Solution 06 Clearing Criminal Identity Theft. Make sure your fingerprints and picture are taken to be compared to those of the thief.

If you discover fraudulent checks being written under your license number, Fact Sheet 126 – Checking Accounts and Check Fraud has the steps for you to take.

Always file a police report with your local police department and make sure they notate your license number in their report. You can use that later to change your license number.

Remember, the Identity Theft Resource Center’s Advisors are here for you if you have further questions or find you may be a victim of identity theft. Please contact us using the Live Chat function at the bottom of every page or call us toll-free at (888) 400-5530.


The ITRC’s free ID Theft Help App will also let you keep record of your case steps and provide you with proof of what actions you have taken.


Studies have consistently shown that the elderly are an especially high risk population when it comes to falling victim to scams, fraudsters, and identity thieves.  Elderly people are particularly at risk for identity theft, as well as other forms of financial abuse due to several factors.  First, older citizens tend to have more savings at their disposal and higher credit ratings, making them juicier targets than many other demographics.

Elderly people are also often less comfortable using digital information platforms like the internet.  This means they are less likely to check bank statements regularly.  It also means the elderly are often generally easier to fool in online scams that many of the rest of us are already aware of due to much higher computer and internet usage rates. Dependence on caregivers and advisors can also sometimes lead to an increased incidence of identity theft among elderly people.

So how do you protect your parents, or grandparents from being victimized by a clever online scammer or identity thief?  The answer is the same for the elderly as it is for every other demographic: education.  Concerned consumers should take the time to talk to their elderly family members to ensure they understand the risks of online interaction, and some of the common tactics scammers will likely use to try and trick them out of their hard earned cash.  For more information regarding scams and the elderly, don’t hesitate to visit the ITRC website at www.idtheftcenter.org.

Never send any banking or personally identifying information to anyone you don’t know.  There is no Nigerian prince who needs pop-pop to guard his royal life savings,  your nephew isn’t trapped in a Mexican Prison, and the Google Tech Team will never instant message gam-gam for her security credentials to confirm her service.  They should only shop online at sites they recognize and with vendors they trust.If there’s ever a doubt about an email or an online interaction, inform them to contact a family member or industry professional before they respond or take any action; it might save grandma’s life savings.

If an elderly member of your family does fall victim to a scammer or identity thief, contact the ITRC’s call center (hours: M-F, 8-4:30 PST) at 888-400-5530 and a trained victim advisor will be happy to assist you or your loved one in mitigating any damage resulting from the scam.

“Protecting the Elderly from Identity Theft” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

As the Identity Theft Resource Center helps to recognize National Cyber Security Awareness Month, it is appropriate for us to reflect upon how much has changed in the world of privacy, cyber security and identity theft in the last 10 years.

In 2003, the cost of a gallon of gas was $1.83 compared with the approximate $3.90 we see today. Apple had just launched iTunes and the first iPod only two years previously (January and October 2001 respectively). It would still be another four years until the first iPhone would be launched. Now, 10 years later, it is announced that Apple is the number ONE most valuable brand in the world (surpassing even Coca-Cola).

In 2003, Google had been around for 7 years and was enjoying the almost inconceivable number of 200 million searches per day, and Gmail was getting ready for launch in early 2004. Today, Google handles more than double that traffic, has a 67% share of the U.S. search market, and there are now 425 million Gmail users.

The ITRC is celebrating a 10 year anniversary as well. In 2003 we were recognized as a 501c3 non-profit. At that time the sole mission of the ITRC was to provide best-in-class victim assistance at no charge to consumers throughout the United States. That goal has remained at the core of the ITRC’s mission. However, much has been added to our goals and activities. We now provide education and awareness initiatives on identity theft related issues such as cyber security, data breaches, scams and fraud. It is our goal to stem the tide of identity theft by determining issues that are potential pitfalls for consumers and helping them to minimize their risk.

One constant over the past 10 years has been the steady increase in the number of victims of identity theft. For more than the last 10 years (13 years actually), identity theft has been the number one fraud-related complaint captured by the FTC Consumer Sentinel Report. We have seen the number of reported victims grow from 31,000 in 2000 (FTC Consumer Sentinel) to 8.6 million in 2010 (Bureau of Justice Statistics).

While we recognize that low-tech mechanisms certainly still exist as a means to pilfer one’s identity, we believe the tremendous growth in the crime must be attributed to the overwhelming growth of the cyber world. This year it is estimated that the number of cell phones on the planet will outnumber people. We are all walking around with a tiny computer in our hands, and all the inherent risks that poor cybersecurity practices carry with them are now carried in our pockets and purses.

Sound cybersecurity practices are at the base of the pyramid when it comes to protecting our identities. That is why the ITRC is a champion of National Cyber Security Awareness Month. We have scheduled several projects that will demonstrate both our commitment to this effort and the importance of its success. From a local presentation at a town hall meeting on October 1st, to a Twitter chat that will attempt to engage a national audience, we are preparing to make great efforts to build awareness of this issue. Please engage in this dialogue this month. Get your families involved, from your mother and father down to your children; this is everyone’s business!

“How Far We Have Come” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Governor Brown signed a landmark bill this Monday giving minors the power to have content or information posted on the internet removed at their request. SB 568, introduced by State Senator Darrell Steinberg, has two main provisions directed at improving the protection and privacy of minors on the Internet.

Sen. Darrell Steinberg told the Los Angeles Times SB 568 is “a groundbreaking protection for our kids who often act impetuously with postings of ill-advised pictures or messages before they think through the consequences.” The first provision restricts operators of an Internet website, online service, online application or mobile application directed to minors from marketing or advertising products including but not limited to alcoholic beverages, tobacco products, firearms and certain dietary supplements. The second requires the same group to notify minors that they have the option of removing any content or information they post on the internet and to honor any such requests made.

The second requirement will likely have a large effect on social media websites such as Facebook, Pinterest and Tumblr, where minors communicate with their friends and social networks. Kids and teenagers often post embarrassing information or pictures on websites that they may later regret or their parents discover and want their child to remove. This law would not just provide a remedy for minors to remove embarrassing posts, but it would also provide a way for minors to remove personally identifying information they posted on the Internet, such as a new driver’s license, without knowing that it can put them at increased risk of identity theft and fraud. This is a good thing.

Unfortunately, there are many questions that the text of the law does not answer. What exactly does “directed to minors” mean? The law defines it as “reaching an audience that is predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” This vague definition may confuse website operators and leave them uncertain of whether they are targeted by this law. In addition, what exactly does an operator have to delete when requested by a minor and will it have any real effect? As Gregory Ferenstein wrote on TechCrunch, the law “ignores the reality that it’s nearly impossible to delete information from the net: embarrassing photos spread virally, and Internet archives automatically create copies of nearly every piece of information on the web.” He goes on to point out that most websites already allow users to delete a post. The law requires that Internet operators have to delete only the information personally uploaded by a minor. So, a repost of something they upload would not be required to be deleted and thus may limit the practical effectiveness of the law.

While the law may have some flaws, it is a step in the right direction for attempting to improve the privacy rights of children and teenagers. It will be interesting to watch how this law is interpreted and enforced by the California court system once it becomes effective January 1, 2015.

“California Increases Privacy Rights for Minors” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The World Wide Web Consortium’s (W3C) Tracking Protection Working Group (TPWG) has suffered a major blow as the Digital Advertising Alliance (DAA), a “consortium of the leading national advertising and marketing trade groups,” has declared they are withdrawing from the TPWG.

In a letter addressed to W3C CEO Jeff Jaffe, Lou Mastria, Managing Director of the DAA, writes, “Despite extension after extension of its charter year after year by the W3C, the TPWG has yet to reach agreement on the most elementary and material issues facing the group. These open items include fundamental issues and key definitions that have been discussed by this group since its inception without reaching consensus…”

The TPWG was chartered more than two years ago to standardize the technology and meaning of Do Not Track by working with privacy activists and the advertising industry in order to come up with a satisfactory self-regulatory system. In this time, the TPWG has failed to come to consensus on any of the issues needed to effectively create the self-regulatory system, such as defining something as essential as the term “tracking.” The DAA’s departure comes shortly after experts Peter Swire and Jonathan Mayer left the group in August. Peter Swire is a law professor and privacy expert who was the co-chairman of the TPWG before he left to work with the Obama administration’s intelligence review panel. Jonathan Mayer of Stanford University is a graduate student in law and computer science who left the group in August after saying in July that the “parties are now further apart on the negotiations than they ever had been.”

The future of W3C’s TPWG is uncertain and the Federal Trade Commission (FTC) and privacy advocates in Congress have been waiting two years for progress. Avoiding government regulation of the Do Not Track system was one of the reasons for the creation of the TPWG; however, with this lack of progress, more attention and effort may be given to passing Do Not Track legislation.

Currently, Sens. Rockefeller (D-WV) and Blumenthal (D-CT) have a bill pending in the Senate called the Do Not Track Online Act of 2013. This bill would require the Federal Trade Commission to establish standardized mechanisms for people to alert websites that they do not want to be tracked and to create rules prohibiting online services from collecting information when a consumer selects a Do Not Track option on their Internet browser. The FTC has up to this point declined to recommend legislative action, but Agency Chairwoman Edith Ramirez told The Hill in late August that, “There may be a solution that can be achieved. That doesn’t mean to say that I’m willing to be waiting endlessly.” With the DAA’s departure from the TPWG, the FTC’s position may become more amenable to Do Not Track legislation.

This ambiguity surrounding the progress of the Do Not Track standards may have prompted California Assembly Member Al Muratsuchi to introduce AB 370, a bill amending the California Online Privacy Protection Act to require commercial websites and online services that collect personal data to disclose how they will respond to Do Not Track signals from a user’s Internet browser. AB 370 was passed by the California Senate and Assembly and now awaits Governor Brown’s signature. Continued lack of progress in developing and implementing Do Not Track standards may give reason for other states to enact similar legislation to California’s AB 370.

The DAA still believes that there is a non-regulatory solution to the Do Not Track problem and intends to create its own DAA-led group with a new process to evaluate Do Not Track signals and how they can enhance consumer privacy.

“Digital Advertising Alliance Withdraws from W3C Tracking Protection Working Group” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.