When referring to the case, an eBay spokesperson stated the obvious

“What the case highlights is the importance that people need to place in choosing a sensible password,”

What exactly makes for a good password? I read an article once (can’t remember where) that said to do the following:

1. Think of your favorite phrase, quote, or song lyric that’s at least 8 words long.
2. Take the first letter of each word.
3. Substitute numbers for letters.

The example I remember was a Dr. Seuss quote, so I’ll use an Animaniacs spin-off of Green Eggs and Ham:

1. Phrase: “I does not like gold eggs and meat.”
2. Take the first letters of the phrase: idnlgeam
3. Now, substitute some numbers for letters.”i” and “l” kind of look like “1″ and “e” looks like a backwards “3″ so “1dn1g3am”.

The system has been working for me - and since I create my password from scratch with a meaning behind it, I have a greater tendency to remember it.

Is there another solution? I read a few months back that eBay (or, at least, Paypal) was looking into implementig security keys.GearFuse.com posted a picture of these security devices, which generate unique keys every 30 seconds. Users must type in that unique key along with their username and password.

It sounds like a pain to use, but perhaps something like that would reduce the number of phishing scams. If scammers need your randomly generated security key along with your username and password, that may make the stolen data more difficult to use.

In vishing schemes, scammers call up random numbers, provide a fake 1-800 number, and ask you to call to confirm your credit card information and other account details. They set up these numbers through Skype, Vonage, and other VoIP providers. They can even spoof the caller id to make it look like they’re really from the institution they report to be from.

The CIO Blog warns

customers should be highly suspicious of any phone or e-mail contact that does not use their first and surnames, and should never dial a call-return number or reply to an e-mail regarding any financial matter.

I’ve always been cautious to give out my credit card number over the phone. These latest reports of “vishing” are just scary. It seems there’s nothing you can do to protect yourself other than be extremely cautious. At least with the internet, you can run a whois search on sites that seem sketchy. With the phone, how can you double check?

For those of you who don’t want to download the info, there’s a number of web interfaces up at AOLSearchDatabase.com, AOLSearchLogs.com, and AOLStalker.com to allow anyone to search the database - or you can get some of the highlights from CNN.com.

The gist is that AOL released 20 million records of real queries to their database, which happens to be powered by Google. AOL usernames were replaced with a unique number, but that number was associated with every search they did - including people, social security numbers, and addresses. As you might imagine, this caused lots of concern over privacy of data and what should and should not be allowed. Weblogs, Inc CEO turned AOL employee, Jason Calacanis even called for search engines to not keep search logs. Google apparently was not swayed to stop keeping logs, though they assure us their employees won’t release the data.

And by Wednesday, the first searcher was identified by the NY Times.

Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

Looking through the data released, it’s not difficult to see why the government wants this information. Earlier this year, Google was the only search engine to refuse to hand over search logs to the Department of Justice. AOL, MSN, and Yahoo all handed over their logs when asked.

The interesting thing is that this incident may spark new legislation from Congress. Representative Edward Markey (D-Mass.) proposed a privacy bill back in Feb 2006 and is now encouraging his colleagues to take action

Markey’s bill is H.R. 4731, the Eliminate Warehousing of Consumer Internet Data Act (EWOCID). The bill would require Internet companies to destroy obsolete electronic data, and particularly data that could be used to individually identify consumers. The bill would also instruct the Federal Trade Commission to set up standards for the maintenance and destruction of data, and enforce the provisions of the law.

There are two types of threats that can be considered spyware:

1. Trojan viruses and “keyloggers” - these malicious programs install themselves on your computer, track your internet activities, and send your personal information back to hackers.
2. Adware - these are programs that spy on your internet activity for the purpose of showing you more relevant advertisements or to redirect you to other websites.

The first type is illegal. The second isn’t but can be annoying and slow your computer to a crawl or prompt pop up ads whenever you’re online.

How To Stop It
According to the Pew report, 91% of internet users say they’ve altered their internet behavior to avoid spyware. According to the numbers

• 81% have stopped opening email attachments unless they are sure they are safe (9% say they never did)
• 54% have started reading user agreements more carefully before they download software
• 48% have stopped visiting certain websites
• 34% have stopped downloading software programs from the internet (while 33% say they never did)
• 25% have stopped downloading music or videos from peer-to-peer networks (48% more say hey never did)
• 18% switched to a different browser

How To Remove It
There are a number of programs out there that will scan your computer for installed spyware and adware and remove it. I highly recommend:

Spybot
LavaSoft’s Ad Aware
Spy Sweeper

I find that it’s generally best to install at least two of them, as one will inevitably miss some stuff that the other will pick up.

Visa USA and the US Chamber of Commerce are sponsoring a nationwide lecture series to crack down on identity theft at the point of sale. They say businesses should work to improve data security in 4 key areas.

Storage: What kind of processing software or processor does the business use? What kind of data is collected and how is it stored? If purchase information is not stored electronically, sales receipts that contain account numbers should be protected.

Laws and standards: Does the business understand both the law and payment-industry requirements for protecting cardholder information? Customers should do business only with merchants that are compliant.

Checkout: Businesses should train employees to stop skimming and to look for the important security features of credit cards.

Access: Businesses should limit employee access to cardholder information.

Visa got involved last year when a hacker got access to 40 million credit card numbers through it’s payment processing company, CardSystems Solutions.

As identity theft becomes more of a problem, it will be interesting to see how Congress will try to legislate it - particularly since just this week, Senate Minority Leader Harry Reid learned he was a victim of identity theft. Someone got his credit card number and charged $2000 at Walmart and other stores in North Carolina.

In the first case, Charles White and Allen Smith allegedly headed up a 10 person group who defrauded banks to the tune of at least $1 million. By using the names, social security numbers, addresses, and dates of birth of potentially hundreds of customers of Commerce Bank, Wachovia Bank, PNC Bank, and M&T Bank, they were able to cash foreign and counterfeit checks as well as withdraw funds from current customers’ accounts.

In an unrelated scheme, 10 more individuals were charged with mortgage and identify fraud that involved 180 properties, most in South and Southwest Philadelphia, that could cost the government and private lenders more than $11 million.

Mahn Huu Doan was charged with submitting bogus bank records, W-2 forms and pay stubs to get government backed loans. He was going to resell the homes for profit, but when they didn’t sell, Doan couldn’t pay back the loans. The properties will go into foreclosure.

“Foreclosures affect everyone in Philadelphia,” U.S. Attorney Meehan said, citing a recent study by the Reinvestment Fund. “For every foreclosure within a block of your house and within a year, your house will lose 1 percent of its value. You can therefore imagine the impact that 180 foreclosures will have on our neighborhoods.”

In a third case, Kasimu Clark allegedly recruited bank employees to provide personal information about customers. He then distributed phony IDs to his crew of 8 or so (only Clark has been charged so far), and the group proceeded to cash checks and withdraw some $1.2 million.

Source: U.S. Attorney Announces Multiple Identity Theft and Mortgage Fraud Indictments24 are charged in 6 ID-theft rings
ID-fraud indictment names 24

The expert reaction to the Month of Browser Bugs is mixed, with some people thinking that making the bugs public can only put pressure on companies to release security patches faster. Others think that going public with this info will only make it easier for hackers to exploit the bugs.

According to Moore’s blog, all these bugs in Internet Explorer were reported to Microsoft in March 2006 and they apparently have yet to be fixed. Each blog entry has a button designed to test the bug, complete with a warning that it may crash your browser. I tried the FireFox one, and sure enough, my browser crashed. The site reports that the bug was fixed in Firefox 1.5.0.3 but I’m using Firefox 1.5.0.4 and it’s still there, unfortunately.

FireFox has marketed itself as a more secure browser than Internet Explorer because it uses alternative technology to ActiveX, which controls how plug-ins interact with webpages and has been known to be easily hacked.

Hopefully, browser companies will be quick to release patches to take care of these security flaws. And for those of you still on Internet Explorer, you may want to consider switching browsers.

Identity theft is becoming a huge concern. According to David McIntyre, CEO of TriWest, 53 million identities have been stolen to date and 19,000 more are stolen every day. Companies on average spend 1600 work hours per incident at a cost of $40,000 to $92,000 per victim. (Source: CIO Magazine, 5/15/06)

Virtually all instances of identity theft start with the thief getting access to your credit card, debit card, or social security number. They can then either take over your existing accounts or open new accounts with your information

In cases of credit card fraud, you are usually liable for no more than the first $50 of the loss. Debit card users have less protection against fraud, and if they don’t act fast enough, their entire account could be wiped out. Check out the Federal Reserve’s Consumer Handbook to Credit Protection Laws for more info.

One way identity thieves can open new accounts in your name is by filling out one of those junk mail applications and changing the details. A few months back, Rob Cockerham tried an experiment to see just how desperate credit card companies are for new accounts. So he cut up an application, taped it back together, changed the address to his father’s home and included his cell phone number. Less than a month later, he received his new card at his father’s address.

Here are 7 ways to protect yourself from identity theft.

• Buy a cross shredder - Shred any bills, personal correspondence and junk mail credit applications before throwing them out. Tearing is not enough.
• Join the Federal Trade Commission opt out list or call 1-888-5OPTOUT.
• Request a credit report at least once a year. You’re entitled to a free annual credit report.
• Set up a security freeze with credit agencies. If you live in California, you can tell credit agencies to freeze your account - so that no creditor can open an account in your name without your permission and a secret pin number. 18 states have introduced freeze laws into state legislature. (See MSNBC )
• Don’t carry your social security number in your wallet.
• Delete email asking for personal information.
• Be careful about giving credit card informaton and other personal data over the phone.

For more information, check out Justice Talking’s podcast on Identity Theft and the Privacy Rights Clearinghouse site.

The lawsuit, filed last Monday in the District Court of Travis County, Texas, were aware that sexual predators troll MySpace looking for children. The suit seeks damages of no less than $30 million for fraud and negligence in misrepresenting their security measures to protect children and teens. The suit also charges 19-year-old Texas resident Pete Solis with sexual assault and emotional distress.

According to the lawsuit, on April 6, Solis contacted the girl via MySpace and reportedly lied about his background - that he was a high school senior. She provided her cell phone number and 6 days later, the two met and he allegedly sexually assaulted her.

MySpace has responded by restricting adult access to information teens provide about themselves. Starting next week, anyone over the age of 18 can’t request to be on a 14 or 15 year old’s friends’ list unless they already know the youth’s email address or full name.

Of course, it’s not that difficult to lie about your age on MySpace. What’s preventing adults from claiming to be teens? There’s no way MySpace can put any type of age verification into place without serious privacy concerns. I mean, it’s not like they’ll be able require social security numbers which are then checked against government data.

Personally, I don’t really see how MySpace is liable for this. It would be next to impossible for them to moderate every piece of information that people post to their site.

I also don’t see how legislation in the House of Reps right now - the Deleting Online Predators Act, which will supposedly block access to online social networks at schools - will help.

I think a better solution is for parents and schools to educate teens about what information is appropriate to divulge online. But even that requires parents to be aware of this relatively new social media phenomenon and take measures to interact and be a part of their children’s lives…

Larry Dignan of eWeek thinks that it’s time corporations are fined for losing data. This year alone, we’ve heard of the 26.5 million veterans info that was stolen from an employee’s house, the YMCA lost a laptop containing personal info of 65,000 people in May, Hotels.com may have exposed data for 243,000 individuals, and just last week a laptop containing personal information of 13,000 District of Columbia employees and retirees was stolen out of the home of an employee of ING U.S. Financial Services.

You’d think companies would keep that kind of sensitive info secured in a database on their servers rather than unsecured with no password or encryption on a laptop. Why do these employees need to carry that kind of info outside the office? And even if they did need to access some of the data, there are ways that companies can allow employees to access their servers securely.

The Department of Veterans Affairs is facing two class action suits for their loss of data. Plaintiffs are seeking $1000 for each person listed in the database - that’s $26.5 billion.

The suits were filed under the US Privacy Act, which only applies to government data breaches but perhaps it’s time to offer stiff penalties about those in the corporate world as well.