Got a SSN I can Borrow?
Apparently, I can use my own name and your Social Security Number to get a job or buy a car and it is not an identity theft crime. Really. This is according to a recent Colorado Supreme Court ruling. They ruled that, ‘that using someone else’s Social Security number is not identity theft as long as you use your own name with it.’ Seriously. The case in question involved a man who used his real name but someone else’s Social Security number to obtain a car loan. The court said that since he used his real name, along with other identifiable pieces of information, he wasn’t trying to impersonate someone else. The SSN info was just the ‘lender’s’ requirement and not a ‘legal’ requirement. The defendant said that he fully intended to pay the loan back and wasn’t trying to avoid the bills. There was another case where a man used a fake SSN to get a job at a steel plant in Illinois. He presented a Social Security card with his name but a fake SSN. Since he didn’t know that the number was fake and belonged to another person, the US Supreme Court ruled that he also didn’t break any federal ID theft laws since he did not ‘knowingly’ use another person’s number. He just ‘borrowed’ it. He could have just written 9 random numbers that may or may not have been tied to someone’s identity or he could have bought it from a broker, not knowing it was either fake or stolen. These decisions contradicted previous rulings in Missouri, California, the Midwest, the Southeast and many other regions. It also left folks scratching their heads wondering just what were the courts thinking. Their logic is that, ‘(The suspect) claimed that the government could not prove that he knew that the numbers on the counterfeit documents were numbers assigned to other people….The question is whether the statute requires the government to show that the defendant knew that the ‘means of identification’ he or she unlawfully transferred, possessed, or used, in fact, belonged to ‘another person.’ We conclude that it does.’ I understand that there is a fine legal line between malicious intent and an uninformed accident but if you make up a number or obtain it by improper means, it’s still fake, false and fraudulent. I also understand that there are criminal organizations that prey on immigrants who might not fully understand the ramifications and are told that it is legitimate. We’ve all, at some point, been lured, duped or convinced that something we were obtaining was the real thing. We’re told with great conviction that it is authentic and because we want to believe, we do. When the truth is exposed, the ‘I didn’t know’ defense is obviously the most common and very well might be the honest answer. Maybe because I focus on Information Security and a bit skeptical myself, I also gotta believe that there’s that little nudge, intuition or feeling in your belly telling you that something isn’t right. I know because I’ve ignored that gut-check and got burned. Just because something is ‘not-illegal’ does not make it the right thing to do. I’m not claiming to be a Mr. Goody-Two-Shoes and have certainly made my fair share of mistakes along with doing things I know to be wrong, legal or not. I also know that always acting in the ‘proper’ way or doing the ‘right’ thing is difficult sometimes. That’s what makes us human. We might seek the easiest, least complicated and sometimes slightly unethical way of accomplishing something. Sometimes we have to break the law to ensure the safety of others – like speeding to the Emergency Room if your wife is giving birth or a person is bleeding to death – but those are extenuating circumstances and doesn’t necessarily cause harm to others; unless, of course, you run somebody over on the way to the hospital. There are victims with this SSN borrowing since the real person may not ever know that their information was used since it won’t show up on a credit report. The trouble starts when a loan or tax payment is missed and by then, it’s too late. The courts have had difficulty over the years trying to interpret certain laws as technology whizzes by but, at least in the States, our Social Security Number is one of our unique, primary identifiers and should be protected. Incidentally, BIG-IP ASM does have a cool feature called Data Guard that can mask sensitive data from being leaked from the web application. Data Guard helps protect against information leakage like the leakage of credit card or Social Security numbers. Instead of sending the actual data to the client, ASM can respond by replacing the sensitive data with asterisks, or block the response and sending out an alert. You can also decide what ASM should consider as sensitive: credit card numbers, Social Security numbers, or responses that contain a specific pattern. ps twitter: @psilvasInfographic: Protect Yourself Against Cybercrime
Maybe I’ll start doing an ‘Infographic Friday’ to go along with Lori’s F5 Friday. This one comes to us from Rasmussen College's School of Technology and Design Cyber Security Program and shows the online risks and offers some good tips on how to better protect your computer and avoid being a victim of cybercrime. psDon’t Take the Impostor’s Bait
Phishing has been around since the dawn of the internet. The term was first used in an AOL Usenet group back in 1996 but it wasn’t until 2003 when many baited hooks and lures started dropping. Popular transaction destinations like PayPal and eBay were some of the early victims of these spoofed sites asking customers to update their personal and credit card information. By 2004, it was a full-fledged ‘get rich quick scheme’ with many financial institutions – and their customers – as targets. Oxford Dictionary defines Phishing as, ‘The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’ You’ve seen it, the almost perfect looking email with actual logos, images and links to a reputable company only to have it go to a slick looking replica complete with a login form. If you aren’t paying attention and do enter your credentials, you’ve just given a crook access to your money. The Anti-Phishing Working Group (APWG) reports a 250 percent jump in the number of detected phishing websites between October 2015 and March 2016. More than in any other three-month span since it began tracking back in 2004. That’s around 230,000 unique phishing campaigns a month. And as recent as last week, American Express users were hit with a phishing email offering anti-phishing protection. Go figure. If you clicked the link, you were taken to a bogus Amex login page which asks for all the important stuff: SSN, DoB, mother’s maiden, AMEX number plus security code and a few other vitals. When complete, you’ll be redirected to the authentic site so you think you’ve been there all along. That’s how they work their magic. A very similar domain URL and all the bells of the original, including the real customer service 800 number. You can combat it however. F5’s WebSafe Web Fraud Protection can secure your organization (and your customers) against the evolving online fraud and you do not need any special client to detect it. WebSafe inserts an obfuscated JavaScript code which can detect malware like bait, mandatory words or if the fake was loaded from a different domain. It can validate source integrity like comparing fields for multiple users and detect threats like automatic transactions. Alerts are sent to an on premise dashboard and can also be forwarded to F5’s Security Operations Center (SOC). If you are configuring malware protection for the login and transaction pages for a financial application, it’s as simple as adding an Anti-Fraud profile to your VIP. First, you create an anti-fraud profile: Then indicate which URL should be watched and the action: Then enable Phishing detection: And when a phishing attach occurs, both the domain and the username of the victim get reported to the dashboard: The code that’s inserted is a little piece of JavaScript added to your website to detect the malicious activity. No action is needed on the part of the user since everything is handled within BIG-IP. This tiny piece of code will dramatically reduce fraud loss and retain the most important asset in business—customer confidence. Don't get fooled by a faker. ps Related: Security Sidebar: Spear Phishing Still Happens…A Personal Story Phishing you say, well that’s not my problem Getting Started with WebSafe Phishing Activity Trends Report (pdf)I Almost Bit...and Would've Been Bitten
My daughter has been asking for a puppy for over a year. A Chow puppy. I've had Chow Chows my entire life and our current Chow, Max, is a big 72lb cinnamon boy. He's also the medical alert dog for our daughter. Max, a rescue, is about 5 years old and we wanted to get a puppy so Max-Boy can help train the new fur-ball. With the amount of travel I do, we've been pushing it off for a while but it came to a head this week since the kid is now on summer vacation and the pleas have been daily. Instead of 'Are we there yet, are we there yet,' it has been, 'When are we getting a puppy? When are we getting a puppy?!?' So I looked. Specifically for a recently born cream female. And wouldn't you have guessed, I found some! And even found one that would've been about an hour driving distance. So I emailed them. Within the hour we get an email back telling us that the puppy is available but the family is in Fargo, ND due to the mother recently passing away. They are selling the pups, which were their mom's, since they remind them of their mum and it hurts to see the pups. He also asks a bunch of questions like, How old? Married? Have kids? Location? Why this Breed, etc. It didn't occur to me that the text of the email was written like so many scam emails with poor punctuation, bad sentence structure and a few things that didn't add up. I was so excited to have quickly found, at a reasonable price, the puppy of my daughter's dreams. Then we spoke and I started digging. He had an accent like so many of those 'This is MS security and your Windows computer is doing bad things...let me connect.' But again, I didn't want to categorize this guy just by an accent if he was really legit. But I did warn him that my wife is a retired US Marshall and if this was a scam, she'd be on his tail. He didn't seem concerned and continued to push for the sale. I told him that we had family across the border in Minnesota and could they visit to see the pup. While hesitant, he said yes and provided an address. I looked up the address and it was an apartment building and according to one of the sites, no pets allowed. Hmmm. He also had an odd name - one that I couldn't find in any search. Path. Path was his name. While on the phone, I started to find a bunch of rip-off reports about a lady with the same phone number as Path. He said it was his wife but had no idea about the bad reviews. I also asked him about his 'home' number and wife's email being listed on a scammers website. I mean, you gotta really be doing something bad to actually make it on one of these lists. He never answered that question but did happily send pictures of the pup. That's where he messed up. We thought two of the pictures looked familiar and did an image search. Wouldn't ya know, those pictures were lifted off a UK pet site that listed a white, chow puppy back in 2012! And I found another picture he sent from a German site that sells dogs. Although the suspicions were there, that's when it really sunk in. I was about to be swindled. I searched for dog scams and that's where I found a bunch of scammed people talking about similar sob stories. My wife died, my kid died, my aunt died and we need to get rid of the dog due to memories. You'd think families would keep the pet as a sweet remembrance, not a painful reminder. We called the Fargo PD, gave them all the info and they seemed appreciative, even though the address was probably fake too. We quickly brought that to a screeching halt and were glad we caught it in flight. I was tempted to ask him why the pictures he sent were on other sites but felt I needed to cut all communication. We went on to next listing...a real one with verifiable info and now have a chow puppy girl arriving in July. Her name is Coconut and that's her at the top. Scams and scammers are all over the place and even seasoned folks can get caught up, especially when emotions and children are at play. Even so, I can tell you that doing a little rational research can save you from being a statistic. And watch out for those summer scams. ps Related My Sensored Family Identity Theft Hits Close to Home When Personal Security is Compromised Privacy for a Price Lost in Translation...in Italy Technorati Tags: scams,pets,people,summer,silva,security Connect with Peter: Connect with F5:Unplug Everything!
Just kidding…partially. Have you seen the latest 2011 Verizon Data Breach Investigations Report? It is chock full of data about breaches, vulnerabilities, industry demographics, threats and all the other internet security terms that make the headlines. It is an interesting view into cybercrime and like last year, there is also information and analysis from the US Secret Service, who arrested more than 1200 cybercrime suspects in 2010. One very interesting note from the Executive Summary is that while the total number of records compromised has steadily gone down – ‘08: 361 million, ‘09: 144 million, ‘10: 4 million – the case loads for cybercrime is at an all time high – 141 breaches in 2009 to a whopping 760 in 2010. One reason may be is that the criminals themselves are doing the time-honored ‘risk vs. reward’ scenario when determining their bounty. Hey, just like the security pros! Oh yeah….the crooks are pros too. Rather than going after the huge financial institutions in one fell swoop or mega-breach, they are attempting many more low risk type intrusions against restaurants, hotels and smaller retailers. Hospitality is back on the top of the list this year, followed by retail. Financial services round out pole position, but as noted, the criminals will always have their eye on our money. Riff-raff also focused more on grabbing intellectual property rather than credit card numbers. The Highlights: The majority of breaches, 96%, were avoidable through simple or intermediate controls; if only someone decided to prevent them. 89% of companies breached are still not PCI compliant today, let alone when they were breached. External attacks exploded in 2010, and now account for the vast majority at 92% and over 99% of the lost records. 83% of victims were targets of opportunity. Most attacks are opportunistic, with criminal rings relying on automation to discover susceptible systems for them. Most breaches aren’t discovered for weeks to months, and most breaches, 86%, are discovered by third-parties, not internal security teams. Malware and ‘hacking’ are the top two threat actions by percentage of breaches, 50%/49% respectively, along with tops in percentage of records 89%/79%. Misuse, a strong contender last year, went down in 2010. Within malware, sending data to an external source, installing backdoors and key logger functions were the most common types and all increased in 2010. 92% of the attacks were not that difficult. You may ask, ‘what about mobile devices?’ since those are a often touted avenue of data loss. The Data Breach Report says that data loss from mobile devices are rarely part of their case load since they typically investigate deliberate breaches and compromises rather than accidental data loss. Plus, they focus on confirmed incidents of data compromise. Another question might have to do with Cloud Computing breaches. Here they answer, ‘No, not really,’ to question of whether the cloud factors into the breaches they investigate. They say that it is more about giving up control of the systems and the associated risk than any cloud technology. Now comes word that subscribers of Sony’s PlayStation Network have had their personal information stolen. I wonder how this, and the other high profile attacks this year will alter the Data Breach Report next year. I’ve written about this type of exposure and felt it was only a matter of time before something like this occurred. Gamers are frantic about this latest intrusion but if you are connected to the internet in any way shape or form, there are risks involved. We used to joke years ago that the only way to be safe from attacks was to unplug the computers from the net. With the way things are going, the punch line is not so funny anymore. ps Resources: 2011 Verizon Data Breach Investigations Report Verizon data breach report 2011: Hackers target more, smaller victims Data Attacks Increase 81.5% in 2010 Verizon study: data breaches quintupled in 2010 Sony comes clean: Playstation Network user data was stolen X marks the Games Microsoft issues phishing alert for Xbox Live Today's Target: Corporate Secrets The Big Attacks are Back…Not That They Ever Stopped Sony Playstation Network Security Breach: Credit Card Data At Risk Breach Complicates Sony's Network Ambitions Everything You Need to Know About Sony's PlayStation Network Fiasco e-card Malware
I’ve gotten some e-cards this holiday season from organizations that I know, and you might even receive one from F5. I just wanted to post a short reminder to be careful of these, especially if you get one from someone you don’t know. This is, and has been for several years, one of cybercriminals favorite ways of distributing malware, infecting your computer and stealing your info. Usually, the e-card arrives in your email with a link to view it online. Once you click that link and visit the purported e-card site, you can become infected. In fact, if you get one and don’t know the sender at all, I’d delete it right away. Often you don’t need to visit a site to get infected since the payload might in the email itself. The Better Business Bureau is also warning of another phishing scam with cybercriminals masquerading as a shipping company. You’ll get an email with a tracking number in the subject line. The note says that the package could not be delivered and asks the user to print the attached document. At that point, if you do open the attachment, then a virus is installed on your computer. There have also been charitable giving scams, coupon code scams, too good to be true sale scams and other rip-offs to swindle you of your money and sensitive info. You might be thinking, ‘ahh, geeze – not another,’ but this is the time of year those cybercriminals like to prey on people’s holiday spirit and general preoccupation with with other things festive. Keep anti-virus updated, use a firewall, be suspicious, use common sense and enjoy the holidays. ps Resources: BBB Raising Warning Against Phishing E-mails Better Business: Scammers eager to spoil your holiday season The Safe Shopper's Cyber Shopping Guide Holiday Scams To Watch Out For Beware of bogus online offers bearing a free iPad2010 Year End Security Wrap
Figured I’d write this now since many of you will be celebrating the holidays over the next couple weeks and who really wants to read a blog when you’re reveling with family and friends. It’s been an interesting year for information security, and for me too. I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of: social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and Mobile malware, more breaches and a whole host of others would come through. And boy did they. Social media was a prime target for crooks with the top sites as top targets. Users were tricked to accepting and sharing friends that really weren’t friendly and social networks became a new hotbed for malware distribution. As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researches have seen in a while. Targeting industrial & utility systems along with the ability to reprogram itself, no longer was it my single laptop or a company’s system that had a bull's-eye, although the initial infection is with those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective. For Cloud Computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities? Many people thought that with the cloud offering a slew of computing power, that it would be a prime way to initiate an attack. We really didn’t see much pertaining to ‘cloud breaches’ even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern. I covered many of these surveys in my CloudFucius Series, now playing in a browser near you. This article talks about that, the reason we might not have seen much in the way of cloud specific breaches is that many of the data loss repositories do not differentiate between a cloud based and non-cloud attack. In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes. Share please. Banks and financial institutions were certainly targets this year, why wouldn’t they be, that’s where all the money is. In one incident, about $3 million was stolen from various banks around the world using viruses and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September. A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites. And, merging malware, mobile and money stores, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials next time they logged in to their financial institution, popped a dialogue box for the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance and then installed another Trojan on the phone to monitor messages via SMS. Lots of trickery and luck to be successful but still a very scary exploit. And if you think those mobile banking apps are secure, think again. Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes. Many of those apps have been patched in light of the research but as with any ‘new-ish’ type technology, mobile banking must be locked down before the masses adopt. Too late now. I wrote about corporate espionage both in Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009) and this year did not disappoint. Social engineering or convincing someone to give up their info is alive and well but throughout 2010, employees stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents. These insider events can often be more costly than an external breach. This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010. I’d probably be writing through the holidays to get them all. These were just some of the things I found interesting when looking back at my initial blog entry for the year. With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply? ps Resources: Social Life’s a ‘breach’ Security: Malware, Hacks and Leaks: The Top 10 Security Stories of 2010 2010: Looking back at a year in information security Surprising little information about Cloud Computing and Terrorism or Crime Accounts Raided in Global Bank Hack ZeuS attacks mobiles in bank SMS bypass scam Firm finds security holes in mobile bank apps The truth about Mac malware. It's a joke Study: No Hacking Needed when Modern Spies Steal Corporate Data Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011 Ponemon Encryption Trends, 2010 Personal Data For Sale – In time for the Holidays! Synthetic Identity Theft: The Silent Swindler Cybercrime, the Easy Way Dumpster Diving vs. The Bit BucketGiving Thanks for the Hackers, Crackers and Thieves
This holiday season, give you friendly neighborhood hacker (black or white hatted) and nice pat on the back. ‘Why?’ you may ask. ‘Aren’t they responsible for the nasty botnets, malware, SQL injections, stolen identities, government infiltration, Stuxnet, and all the malicious things you warn against in this very blog?’ Yes, but over the years it’s been the very same folks attempting to and successfully gaining access to systems to infect, steal, snoop and causing general havoc that have made security better. All the new variants of worms, viruses, trojans or the all encompassing ‘malware’ force security professionals to stay alert, review risks and come up with solutions to thwart such attacks. It is a great battle of wits in this game of chess that’s played out over the internet. Patch one hole, find another; lock one system, infiltrate another; fix one vulnerability, expose another. As an aside, I’m using the term ‘hacker’ to mean both the good and the bad. In the media, the term hacker has grown to mean someone with bad intentions who breaks into computers with malicious intent, but within the programming world, it’s also considered a compliment. A hacker is just someone with exceptional computer skills that can, essentially, make a system do what they want. Even the term ‘hack’ can be good and bad; a compliment or insult. If you ‘hack’ something with criminal intentions, then it is bad but if you come up with a clever way or a brilliant ‘hack’ to accomplish something, then you are praised. Both break the rules - either the law or the accepted way of doing something. Over the years, while software firms, financial institutions, retailers, travel outlets, ISPs and others would deny the fact that there might be something wrong or a vulnerability within their code, systems and infrastructure, it would be the ‘hacker’ that would prove to the world and force the manufacturer to both admit and fix the weak link. As the years have passed and the hackers are often proven right, companies now (to some extent) welcome the insight of how to make their products more secure. ‘Welcome’ might not be the most accurate term but there is less denial and more acceptance, with quicker fixes, patches and other remedies. They have also made the individual user more aware of the things that might harm their computers and compromise their identity. They have made the casual user more savvy to avoiding those pitfalls, tricks and methods to steal personal information. They have taught us to be more careful about the links we click, the things we publish on social media sites and how we navigate the internet. Imagine how open If you haven’t figured it out by now, there has always been the Great Battle between Good and Evil – those who want to help and those who want to hurt; those with good intentions and those with bad; those with kindness and those who are cruel. Granted, it is not as black and white as depicted and there are many, many grey areas when it comes to doing what is right. If the bad guys have, by their actions, forced providers to bestow better solutions and make us, as users, safer, then have at it! With anything, if you can pull whatever good out of a bad situation and learn from it, then you are living a fruitful life – and that, you should be thankful for. ps twitter: @psilvasSynthetic Identity Theft: The Silent Swindler
As a brief follow up to yesterday’s Got a SSN I Can Borrow, I came across this story from The Red Tape Chronicles saying the odds that someone else has used your Social Security Number is One in 7. ID Analytics, a data collection and customer behavior analytics firm, works with organizations, including the US Social Security Administration, to detect Identity-Based fraud; separating the true customers from the impostors. They’ve analyzed 290 million Social Security numbers and found that 40 million of those numbers have been connected to more than one name; basically, 40 million of us are sharing identities with someone else. They also indicated that 6% of the total population, or 20 million Americans, have multiple SSNs associated with their name. Often, it might just be an incorrect entry or typo into a system, but it can also be when criminals apply for credit at multiple banks changing 1 digit with each application – around 20% are deliberate misrepresentations. When the system propagates either the error or intentional entry, that second SSN is forever associated with the individual and thus Synthetic. Synthetic Identities are created when an unassigned number gets attached to someone and a new entity is created within the credit system. Some people have 4-5 SSNs connected to their name and 5 million SSNs are connected to three or more people. Synthetic Identity Theft is typically when a criminal uses either totally fake or a mixture of fake and real information to create a new identity. Usually, a fraudster will use a real SSN with a fake or different name that is associated with that number. Synthetic Identity Theft is difficult to track, detect and report since individuals are usually not aware it is occurring since it doesn’t appear on a credit report and because a combination of names, addresses, SSNs and so forth are used, it is usually does not match up with a single, individual consumer to claim fraud. Most go unreported and become ‘charge-offs’ within the financial institution well before anyone is aware of the problem. Protect yourself by shredding mail and sensitive documents since thieves will dig through trash to find pieces of information they can use; review your Social Security benefits booklet every year to check if the income reported is actually what you made; and stay on top of your credit, reporting any discrepancies. The free AnnualCreditReport.com is the official site to help consumers to obtain their free credit report each year. I tend to grab all three at once since I subscribe to a credit monitoring service, but if you don’t – stagger each of three reporting agencies reports throughout the year to see any changes since the last credit file disclosure. If necessary, you can also put a Security Freeze on your credit report. Finally, don’t give out your Social Security number if you don’t have to – if someone asks, like a doctor’s office, just respectfully decline. I have never had a problem telling someone that I prefer not to give out that sensitive information. Heck, you could probably even say you’ve been a victim of Synthetic Identity Theft. ps twitter: @psilvasIdentity Theft: Good News-Bad News Edition
So which would you like first? Javelin Strategy & Research said identity theft incidents were down 28% in 2010 (vs. 2009) according to their latest consumer survey. This is the lowest level since 2007 and about 3 million less victims than in 2009. They partially attribute this to a decline in industry reported data breaches going from 604 (221 million exposed records) to 404 (26 million exposed records) in 2010 along with economic conditions, better security measures and busts by law enforcement playing a major role. If you have an existing credit card account, there’s good news on that front also – fraud from existing credit cards was down 38% ($14 billion) compared to 2009 ($23 billion). New account fraud, where the victim might not have any idea than an account was opened in their name, took top honors in types of fraud with $17 billion siphoned. ‘Change in physical address’ was the No. 1 method of account takeover reported by victims. Don’t drop the confetti yet, however. While the overall numbers look encouraging, the devil is in the details as the cliché goes. Even thought the overall numbers are down, the consumer out-of-pocket expense to resolve ID fraud went from $387 per incident to $631 in 2010 – a 63% increase. Because criminals are using more clever ways to steal you data, you have to spend more time fixing the issue and the costs can grew. Your friends and family are also sticking it to ya. ‘Friendly Fraud,’ when someone you know steals your info, increased 7% with 41% of this batch saying their SSN was stolen. They also found a correlation between retail sales and identity fraud. When sales are up, fraud is down and when sales are down, fraud goes up, says James Van Dyke, founder of Javelin Strategy & Research. He feels that when the economy is doing well and people can make purchases with their own money, they are less likely to steal. Add to that, better security measures are in place and people are more aware of identify fraud, thus they keep a better eye on questionable transactions. Another bad sign is that while credit card fraud has dropped, debit card fraud went from 26% to 36% in a year. This could be due to more people using debit cards rather than credit for purchases but also due to debit’s lower level of protection when it comes to fraud. Some would question the validity of the survey since it is a ‘self-report’ telephone survey and bank data would argue that fraud is actually up in many areas. There are many more intriguing tidbits in the report and you can check out Javelin’s report with a couple interesting charts here. ps
