When referring to the case, an eBay spokesperson stated the obvious

“What the case highlights is the importance that people need to place in choosing a sensible password,”

What exactly makes for a good password? I read an article once (can’t remember where) that said to do the following:

1. Think of your favorite phrase, quote, or song lyric that’s at least 8 words long.
2. Take the first letter of each word.
3. Substitute numbers for letters.

The example I remember was a Dr. Seuss quote, so I’ll use an Animaniacs spin-off of Green Eggs and Ham:

1. Phrase: “I does not like gold eggs and meat.”
2. Take the first letters of the phrase: idnlgeam
3. Now, substitute some numbers for letters.”i” and “l” kind of look like “1″ and “e” looks like a backwards “3″ so “1dn1g3am”.

The system has been working for me - and since I create my password from scratch with a meaning behind it, I have a greater tendency to remember it.

Is there another solution? I read a few months back that eBay (or, at least, Paypal) was looking into implementig security keys.GearFuse.com posted a picture of these security devices, which generate unique keys every 30 seconds. Users must type in that unique key along with their username and password.

It sounds like a pain to use, but perhaps something like that would reduce the number of phishing scams. If scammers need your randomly generated security key along with your username and password, that may make the stolen data more difficult to use.

Not surprisingly, there are a lot of “opportunists” out there who give up their info in exchange for this possibility of wealth. These gullible saps soon become the victims of identity theft.

So, how does it work?

Police have just arrested two guys in Florida who allegedly run one of these identity theft scams. They’ve been trolling neighborhoods looking for vacant homes where they can send credit cards, bills and other mail without the home owner’s knowledge. Then, they apply for all sorts of credit cards, have them sent to these homes, and collect the mail.

The scary thing is that it sounds like police caught these two guys by accident. A patrol car just happened to be cruising the neighborhood and see a Pontiac drive up to a mailbox and grab the mail. They pulled the guys over, questioned them, and then searched their car - where they found all sorts of information in the names of other people.

Even more scary, one of the guys - Adentuji Idowu - has been investigated by the Secret Service since 1992 and has been arrested twice for committed identity fraud.

The moral? If an opportunity sounds “too good to be true”, it likely is. Save yourself a lot of time and hassle by not providing your personal information to anyone that offers you several million dollars. Learn how to protect yourself from identity theft.

In vishing schemes, scammers call up random numbers, provide a fake 1-800 number, and ask you to call to confirm your credit card information and other account details. They set up these numbers through Skype, Vonage, and other VoIP providers. They can even spoof the caller id to make it look like they’re really from the institution they report to be from.

The CIO Blog warns

customers should be highly suspicious of any phone or e-mail contact that does not use their first and surnames, and should never dial a call-return number or reply to an e-mail regarding any financial matter.

I’ve always been cautious to give out my credit card number over the phone. These latest reports of “vishing” are just scary. It seems there’s nothing you can do to protect yourself other than be extremely cautious. At least with the internet, you can run a whois search on sites that seem sketchy. With the phone, how can you double check?

There are two types of threats that can be considered spyware:

1. Trojan viruses and “keyloggers” - these malicious programs install themselves on your computer, track your internet activities, and send your personal information back to hackers.
2. Adware - these are programs that spy on your internet activity for the purpose of showing you more relevant advertisements or to redirect you to other websites.

The first type is illegal. The second isn’t but can be annoying and slow your computer to a crawl or prompt pop up ads whenever you’re online.

How To Stop It
According to the Pew report, 91% of internet users say they’ve altered their internet behavior to avoid spyware. According to the numbers

• 81% have stopped opening email attachments unless they are sure they are safe (9% say they never did)
• 54% have started reading user agreements more carefully before they download software
• 48% have stopped visiting certain websites
• 34% have stopped downloading software programs from the internet (while 33% say they never did)
• 25% have stopped downloading music or videos from peer-to-peer networks (48% more say hey never did)
• 18% switched to a different browser

How To Remove It
There are a number of programs out there that will scan your computer for installed spyware and adware and remove it. I highly recommend:

Spybot
LavaSoft’s Ad Aware
Spy Sweeper

I find that it’s generally best to install at least two of them, as one will inevitably miss some stuff that the other will pick up.

Visa USA and the US Chamber of Commerce are sponsoring a nationwide lecture series to crack down on identity theft at the point of sale. They say businesses should work to improve data security in 4 key areas.

Storage: What kind of processing software or processor does the business use? What kind of data is collected and how is it stored? If purchase information is not stored electronically, sales receipts that contain account numbers should be protected.

Laws and standards: Does the business understand both the law and payment-industry requirements for protecting cardholder information? Customers should do business only with merchants that are compliant.

Checkout: Businesses should train employees to stop skimming and to look for the important security features of credit cards.

Access: Businesses should limit employee access to cardholder information.

Visa got involved last year when a hacker got access to 40 million credit card numbers through it’s payment processing company, CardSystems Solutions.

As identity theft becomes more of a problem, it will be interesting to see how Congress will try to legislate it - particularly since just this week, Senate Minority Leader Harry Reid learned he was a victim of identity theft. Someone got his credit card number and charged $2000 at Walmart and other stores in North Carolina.

In the first case, Charles White and Allen Smith allegedly headed up a 10 person group who defrauded banks to the tune of at least $1 million. By using the names, social security numbers, addresses, and dates of birth of potentially hundreds of customers of Commerce Bank, Wachovia Bank, PNC Bank, and M&T Bank, they were able to cash foreign and counterfeit checks as well as withdraw funds from current customers’ accounts.

In an unrelated scheme, 10 more individuals were charged with mortgage and identify fraud that involved 180 properties, most in South and Southwest Philadelphia, that could cost the government and private lenders more than $11 million.

Mahn Huu Doan was charged with submitting bogus bank records, W-2 forms and pay stubs to get government backed loans. He was going to resell the homes for profit, but when they didn’t sell, Doan couldn’t pay back the loans. The properties will go into foreclosure.

“Foreclosures affect everyone in Philadelphia,” U.S. Attorney Meehan said, citing a recent study by the Reinvestment Fund. “For every foreclosure within a block of your house and within a year, your house will lose 1 percent of its value. You can therefore imagine the impact that 180 foreclosures will have on our neighborhoods.”

In a third case, Kasimu Clark allegedly recruited bank employees to provide personal information about customers. He then distributed phony IDs to his crew of 8 or so (only Clark has been charged so far), and the group proceeded to cash checks and withdraw some $1.2 million.

Source: U.S. Attorney Announces Multiple Identity Theft and Mortgage Fraud Indictments24 are charged in 6 ID-theft rings
ID-fraud indictment names 24

Identity theft is becoming a huge concern. According to David McIntyre, CEO of TriWest, 53 million identities have been stolen to date and 19,000 more are stolen every day. Companies on average spend 1600 work hours per incident at a cost of $40,000 to $92,000 per victim. (Source: CIO Magazine, 5/15/06)

Virtually all instances of identity theft start with the thief getting access to your credit card, debit card, or social security number. They can then either take over your existing accounts or open new accounts with your information

In cases of credit card fraud, you are usually liable for no more than the first $50 of the loss. Debit card users have less protection against fraud, and if they don’t act fast enough, their entire account could be wiped out. Check out the Federal Reserve’s Consumer Handbook to Credit Protection Laws for more info.

One way identity thieves can open new accounts in your name is by filling out one of those junk mail applications and changing the details. A few months back, Rob Cockerham tried an experiment to see just how desperate credit card companies are for new accounts. So he cut up an application, taped it back together, changed the address to his father’s home and included his cell phone number. Less than a month later, he received his new card at his father’s address.

Here are 7 ways to protect yourself from identity theft.

• Buy a cross shredder - Shred any bills, personal correspondence and junk mail credit applications before throwing them out. Tearing is not enough.
• Join the Federal Trade Commission opt out list or call 1-888-5OPTOUT.
• Request a credit report at least once a year. You’re entitled to a free annual credit report.
• Set up a security freeze with credit agencies. If you live in California, you can tell credit agencies to freeze your account - so that no creditor can open an account in your name without your permission and a secret pin number. 18 states have introduced freeze laws into state legislature. (See MSNBC )
• Don’t carry your social security number in your wallet.
• Delete email asking for personal information.
• Be careful about giving credit card informaton and other personal data over the phone.

For more information, check out Justice Talking’s podcast on Identity Theft and the Privacy Rights Clearinghouse site.

Larry Dignan of eWeek thinks that it’s time corporations are fined for losing data. This year alone, we’ve heard of the 26.5 million veterans info that was stolen from an employee’s house, the YMCA lost a laptop containing personal info of 65,000 people in May, Hotels.com may have exposed data for 243,000 individuals, and just last week a laptop containing personal information of 13,000 District of Columbia employees and retirees was stolen out of the home of an employee of ING U.S. Financial Services.

You’d think companies would keep that kind of sensitive info secured in a database on their servers rather than unsecured with no password or encryption on a laptop. Why do these employees need to carry that kind of info outside the office? And even if they did need to access some of the data, there are ways that companies can allow employees to access their servers securely.

The Department of Veterans Affairs is facing two class action suits for their loss of data. Plaintiffs are seeking $1000 for each person listed in the database - that’s $26.5 billion.

The suits were filed under the US Privacy Act, which only applies to government data breaches but perhaps it’s time to offer stiff penalties about those in the corporate world as well.

Information Week now has an article on data grabbing. Did you know that the FBI sends 30,000 national security letters - special subpoenas that don’t require a judge’s signature that allow the FBI to request bank, insurance, phone, ISP and credit report records (thankfully, medical records are not included) - each year? And unlike subpoenas, companies who receive a national security letter can’t disclose that they’ve received one?

Subpoenas can at least be fought in court, as Google did, but now the Justice Department is asking Google, AOL, Verizon and other internet bigwigs to keep their subscriber information and customer data for at least two years - you know, in case the government needs it for a criminal investigation.

What might government agencies do with all the business and Internet data they’re collecting? Some skeptics worry about a single massive database where all kinds of information gets crunched together, providing a complete picture of Joe Citizen. That seems a remote possibility, though researchers at the Defense Advanced Research Projects Agency did work on a system several years ago that would have mined data in that way to identify terrorists. That program, dubbed Total Information Awareness, was scrapped more than two years ago under public pressure.

A different but related concern is that data collected for one purpose could get used for another. USA Today last week reported that the FBI plans to use its database of DNA evidence, collected from convicted criminals and some others upon arrest, to help identify thousands of dead people whose identities aren’t known.

There’s also the concern that once the feds gets their hands on data, they can’t be trusted to secure it. Look no further than last month’s news of a stolen laptop and external hard drive containing data on 26.5 million military veterans and family members. The Veterans Affairs Department has been fingered for its lack of security before, but it’s not the only agency with low marks. Security becomes even more of an issue as more data accumulates and gets retained longer.

Encryption is one solution, but encrypted data can’t be searched easily and is thus less useful to the government. Nothing, it seems, about data sharing between businesses and government is destined to be easy.

The data, which included names, social security numbers, and dates of birth for veterans and some of their spouses discharged since 1975, was stolen from the unidentified employee’s home somewhere around the Baltimore field office.

“They believe that this was a random burglary and not targeted at this data,” [Veterans Affairs Secretary Jim] Nicholson said, adding that there had been a series of burglaries in that community. “It’s highly probable that they do not know what they have,” he said.

Let’s hope they’re not reading the newspapers or the internet, which might clue them in.

Source: Yahoo! News