Kill the Password: Why a String of Characters Can’t Protect Us Anymore

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.


Experian Customers Unsafe as Hackers Steal Credit Report Data

When hackers broke into computers at Abilene Telco Federal Credit Union last year, they gained access to sensitive financial information on people from far beyond the bank’s home in west-central Texas.

The cyberthieves broke into an employee’s computer in September 2011 and stole the password for the bank’s online account with Experian Plc, the credit reporting agency with data on more than 740 million consumers. The intruders then downloaded credit reports on 847 people, said Dana Pardee, a branch manager at the bank. They took Social Security numbers, birthdates and detailed financial data on people across the country who had never done business with Abilene Telco, which has two locations and serves a city of 117,000.

The incident is one of 86 data breaches since 2006 that expose flaws in the way credit-reporting agencies protect their databases. Instead of directly targeting Experian, Equifax Inc. and TransUnion Corp., hackers are attacking affiliated businesses, such as banks, auto dealers and even a police department that rely on reporting agencies for background credit checks.

“This is profoundly important, because it illustrates a growing problem when it comes to data breaches and security – the chain is only as strong as its weakest link,” Senator Richard Blumenthal of Connecticut, a former attorney general who has investigated credit-rating agencies before, said in an interview. “If their customers have inadequate security practices, so do the credit bureaus.”

Six States

This approach has netted more than 17,000 credit reports taken from the agencies since 2006, according to’s examination of hundreds of pages of breach notification letters sent to victims. The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe and who asked not to be identified to preserve the separation between profession and advocacy.

Experian, based in Dublin, and Chicago-based TransUnion said in statements that the breaches began with infections of customers’ computers, an area over which they have little control. The credit bureaus said that their databases weren’t breached directly.

Tim Klein, a spokesman for Atlanta-based Equifax, and Clifton O’Neal, a spokesman for TransUnion, declined to comment on specific cases. Neither would provide details about any breaches they’ve had involving the compromised log-ins of clients.

Protect Consumers

“We continue to invest in the security systems we have in place to protect our clients and consumers,” Gerry Tschopp, a spokesman for Experian, said in an e-mailed statement. “Of course, the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”

Representatives of Abilene Telco said no bank employees were involved in the data breaches.

“We don’t know what happened and we don’t know how it happened — we just know we didn’t do it,” Pardee, the branch manager at Abilene Telco, now renamed First Priority Credit Union, recalls telling victims who called the bank after discovering that someone had viewed their credit reports.

Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports, according to the website, where Dissent Doe and other advocates have posted the documents. All of the incidents involved hackers stealing online log-in credentials from the credit bureaus’ customers.

Congress Investigation

The incidents shed new light on security weaknesses at credit bureaus at a time they are under investigation by both houses of Congress over how much data they collect and how it’s used. While security hasn’t been a focus of the probes, the breaches are cause for further investigation, Blumenthal said.

Dissent Doe has filed a complaint with the Federal Trade Commission, arguing for a formal investigation into Experian’s security practices and urging lawmakers to enact legislation that creates a national database of breach reports.

The FTC declined to comment specifically on the incidents. The agency has punished data brokers when hacking attacks on their customers led to the theft of credit reports. Last year, the FTC sued three credit-report resellers when compromised client log-ins resulted in more than 1,800 stolen reports. The agency also filed a lawsuit in 2008 against a mortgage lender after at least 400 credit reports were stolen.

Failure to Check

The commission faulted the companies for failing to check whether their customers had sufficient security and for not adequately monitoring suspicious behavior coming from them. The cases were settled, with the companies agreeing to 20 years of security audits.

“If you are providing access through an online portal, it’s your responsibility to secure that portal,” Maneesha Mithal, associate director of the FTC’s division of privacy and identity, said in an interview.

Credit reports are highly coveted in an identity theft industry that the U.S. Department of Justice estimates affected more than 8.6 million people and cost U.S. households $13.3 billion in direct financial losses in 2010.

FTC Crackdown

When criminals steal a credit report, they get enough information to take out new credit cards, qualify for loans, get a driver’s license and even obtain medical treatment, according to Chris Jay Hoofnagle, director of information privacy programs for the Berkeley Center for Law & Technology.

“One basic problem is that unsophisticated companies tend to treat their own customers as insiders, and not treat them with the type of skepticism and controls aimed at outsiders (hackers),” he wrote in an e-mail. “Of course, the insider risk is a massive problem.”

A crackdown by the FTC almost a decade ago led to stronger security measures among information brokers, including credit bureaus, according to Jay Foley, a partner with the consulting firm ID Theft Info Source, who has followed the industry since 1999. Those efforts, though, have focused mostly on preventing the data providers from being tricked into giving criminals accounts that give them access to credit reports, Foley said.

A series of breaches at ChoicePoint and Seisint, data brokers that were bought by LexisNexis parent Reed Elsevier Plc, led to landmark settlements that served as a warning to the industry. The newly disclosed breaches show that credit bureaus haven’t invested enough in fraud-detection technology to spot odd behavior coming from customers, Foley said.

The company has since improved its security with a number of measures including audits and additional fraud-detection technologies, Stephen Brown, a spokesman for Reed Elsevier’s LexisNexis division, said in a statement.

“The industry has cleaned up its act, but the act it was cleaning up was who they were allowing to have credentials,” Foley said in an interview. So instead, criminals are going through the third parties that have already gotten approval, he said.


New Identity Theft Methods

Parents do everything they can to protect their children but if something horrible does occur, no parent is prepared to discover that they must not only deal with their grief, but they must also contend with the fact that their deceased child’s identity has been stolen.

According to, more and more parents have discovered that someone had stolen their child’s social security number directly from the government through the Social Security Administration’s on-line public Death Master File. The file is used by the agency to stop benefits for the deceased as well as to pay survivors for benefits that they may be due.

It has also become an ideal place for identity thieves to search for information they can use to file false income tax returns. Parents often don’t discover that their deceased child’s identity has been stolen until they file an income tax return. The IRS claims that as an agency they must carefully balance accuracy with the need to process returns efficiently. Once the IRS sends a refund, even if it is in response to a fraudulent return, the money is gone.

The same file also creates another problem by erroneously listing living individuals as deceased. This creates what is known as credit zombies. This is most often due to data entry errors which are easy to make but almost impossible to correct. Inspector General Patrick O’Carroll Jr. testified that from January 2008 to April 2010 more than 35,000 people were placed in credit limbo when they were declared dead in the system. This keeps these innocent people from opening bank accounts, obtaining loans or even getting a driver’s license renewed.

Lawmakers have heard from their constituents about identity fraud and error and are trying to change or limit access to the Death Master File as well as create a more effective system for correcting errors. The chairman of the Senate Subcommittee on Fiscal Responsibility & Economic Growth, U.S. Senator Bill Nelson, recently convened hearings on tax refund fraud, as did a panel in the U.S. House of Representatives.

Until a legislative solution can be reached, the IRS is attempting to stem tax fraud identity thefts by flagging deceased taxpayers’ final returns and preventing anyone else from using their Social Security numbers.



The Homeland Security Department maintains fingerprints of every foreigner who enters the country to help prevent fraud, but 825,000 of those records appear to be associated with multiple individuals, according to internal investigators. The sheer number of discrepancies raises questions about how many immigrants intentionally are faking their identities to evade authorities versus falling victim to poor typing.

Frank Deffer, a DHS assistant inspector general, noted some of the mismatches in the department’s fingerprint database were tied to individuals with rap sheets. The identification tool is the responsibility of the US-VISIT immigration program.

“Although most of the inconsistencies can be attributable to data input issues, US-VISIT is unable to quantify the extent to which the same individuals provided different biographical data to circumvent controls and enter the United States improperly,” he wrote in a report released this week. “Without this information, US-VISIT may be hindered in its ability to share information that could help border enforcement agencies prevent improper entries into the United States.”

Investigators discovered hundreds of thousands of situations where one set of prints corresponded to multiple names and birth dates. The database holds hundreds of millions of fingerprint records; the irregularities represent only 0.2 percent of individuals logged.

“Although this is a very small percentage of the total records, the volume of records makes it significant,” Deffer wrote. “In some cases, we found that individuals used different biographic identities at a port of entry after they had applied for a visa under a different name, or been identified as a recidivist alien.”

Instances of offenders trying to game the system include a woman who illegally entered the United States in 2006 and then tried to get in again — using variations of the same name — in 2009, 2010 and 2011. In another incident, a man used two different identities to apply for visas, and after being denied entry, he used yet a third name and birth date to try again later the same year.

Other individuals, with no criminal records, also endeavored multiple times to get into the country using different names and birth dates over several years. “In one example, the same set of fingerprints was associated with nine different names and nine different birthdates in 10 different attempts to enter the United States,” Deffer stated.

Many of the situations involved women who legally altered their names. “We found that nearly 400,000 records for women have different last names for the same first name, date of birth and [fingerprint identification number],” he wrote. “These instances are likely women who changed their names after a marriage.”

During the study, auditors examined records covering 1998 through 2011.

Most of the time, US-VISIT personnel try to resolve cases in which people who appear to be one and the same have different information listed in records, the auditors found. The researchers are not specifically targeting scams, Deffer explained. Accidental typos, the fact that various immigration-related agencies use incompatible data formats and other keying mistakes are factors they look for when probing mismatches. During the course of typical procedures, US-VISIT has picked up on only two instances of fraud, agency officials reported to the IG.

The enormity of the conflicting data, however, may obscure actual fraud. “These inconsistencies can make it difficult to distinguish between data entry errors and individuals potentially committing identity fraud,” he wrote.

In a written response to a draft report, Rand Beers, undersecretary of DHS’ National Protection and Programs Directorate, which oversees US-VISIT, said the program has “initiated a proactive review” of ID data to spot fraud and alert the proper authorities. As of May 8, US-VISIT had researched 1,200 official alien registration numbers filed for immigrants trying to enter or obtain benefits, and added 192 of those individuals’ prints to a watch list of known or suspected criminals.

“Subjects suspected of fraud may be or have already attempted to commit passport fraud, U.S. citizen-lawful permanent resident fraud and fraud involving possible alien smuggling,” Beers wrote in the letter.

Deffer, however, said this review stops short of examining possible fraud committed by travelers such as visitors from visa waiver countries who do not have alien registration numbers, or do not need visas for entry.

US-VISIT is in the midst of expanding its database to potentially verify IDs using iris and facial recognition. Program spokeswoman Kimberly Weissman recently said, “while US-VISIT is testing new tools, technologies and approaches to integrate US-VISIT’s biometric and biographic applications into a comprehensive set of automated services, the goal remains the same: to ensure that U.S. government decision-makers have access to the information they need to determine someone’s identity, when they need it.”


Ex-IRS Worker Charged with Stealing Taxpayer’s Identity

A former Internal Revenue Service employee has been indicted and arrested for allegedly stealing a taxpayer’s identity.

Domeen Flowers, 48, of Maitland, Fla., was arrested Thursday, in Florida, as a result of an indictment returned by a federal grand jury sitting in Philadelphia, Pa. The indictment charges Flowers, a former IRS employee in Philadelphia, with participating in an alleged identity theft scheme involving the personal information of a taxpayer.

According to the indictment, Flowers used her position with the IRS to make unauthorized computer entries into the IRS’ Integrated Data Retrieval System. After accessing the system, Flowers obtained personal identifying information pertaining to a taxpayer, identified in the indictment only as “E.R.” Flowers allegedly used the information to apply for credits from different credit card companies in E.R.’s name. An initial appearance was held in U.S. District Court in Orlando, Fla. Flowers was released on bail pending an appearance in U.S. District Court in Philadelphia.

If convicted of all charges, Flowers faces between two and 46 years in prison, a fine of up to $1,254,000, a special assessment of $900, and two years of supervised release.

The case was investigated by Treasury Inspector General for Tax Administration’s Philadelphia Field Office and is being prosecuted by Assistant United States Attorney Floyd J. Miller.


5 ways to avoid identity theft

Just last week, one of my friends had his identity stolen when he lost his credit card. All of a sudden, he had charges to his card rolling in from Chicago.

Identity theft and credit card fraud, however, can be much more complicated than just losing your wallet. If your personal information becomes compromised, it can lead to thousands of dollars in extravagant charges on your credit card, which can ruin your credit score.

Here are five ways to avoid having your identity and/or credit card stolen:

1. Physically secure all valuables in a car
It seems like common sense, but like they say, common sense isn’t so common. Earlier this year, the Riley County Police Department reported a spike in car thefts in Manhattan, especially during the winter months. However, just because it isn’t snowing outside does not mean people should abandon caution.

Leaving things like cell phones, wallets, money or other valuables in plain sight in a car can lead to your identity being compromised.

If you are traveling, make sure you know where your important documents and cards are at all times. Being reckless or aloof can lead to losing things, and sometimes it’s too late to retrace your steps.

2. Divulge sensitive information on a need-to-know basis
Being flippant with information such as account passwords, personal identification numbers and your social security number can cause serious issues. Not everyone needs to have access to personal information.

The most common mistake when it comes to divulging sensitive information seems to happen to people in relationships. Girlfriend gives boyfriend password to bank accounts or other online shopping accounts when they are dating. Girlfriend breaks up with boyfriend later on, but doesn’t think to change account passwords; boyfriend now has the ability to clean out accounts.

Keep sensitive information secure; you never know who can use that information against you.

3. Avoid using public computers to access the Internet
How many times do you see people at Hale Library doing online banking? If you haven’t noticed it, look for it the next time you go to the library; it’s incredible how many people don’t even think about it.

The fact is, however, that those computers get used by hundreds of people every day, making online identity theft much more likely. According to a report compiled by research firm Javelin Strategy and Research, nearly 12 million Americans were victims of identity theft in 2011.

Using only personal, secure devices is just another safeguard against having your information compromised. If you cannot avoid using a public computer, make sure you log out when you’re done.

4. Lock all mobile devices and tablets
Generally, most laptops and personal computers are password-protected by default. Many people, however, don’t think to lock their phones or tablets, although it is a common feature in most mobile devices today.

Mobile devices now allow users to monitor and transfer money between bank accounts, quickly and easily shop online and gain access to other secure information that once was only accessible through personal computers.

According to the same research done by Javelin Strategy and Research, identity thieves often target frequent users of mobile devices and social media because they tend to be less cautious.

The Javelin report also found that 7 percent of smartphone users fell victim to identity fraud in 2011.

Protect yourself; it might be easier not to have to enter a password every time you want to surf the Web on your iPad or send a text on your phone, but at least you know that your secure information won’t be compromised.

5. Change passwords to accounts intermittently
K-State students are all familiar with the K-State Office of Information Security and Compliance’s password change requirements for their eIDs.

Although many students react to this mandate with disgruntled sighs and slight annoyance, the university has the right idea.

An identity thief’s best friend is stagnancy; after all, a target is easier to hit when it isn’t moving.

Changing your passwords can help you stay protected. No matter how annoying it can be, having sensitive information stolen can be far more of a pain to deal with than switching up passwords.


Utility bill scam steals personal information

The President of the United States is not going to pay your utility bill.

Atmos Energy is warning customers about the latest version of a scam that promises federal stimulus money for utility bills in exchange for a customer’s personal information. The scam artist provides a bank routing number that supposedly has an account with funds to pay past due bills.

However, there is no such program and customers should never give personal information to anyone who is not an authorized agent of any utility company.

Atmos Energy previously warned customers about the scam in May but has been receiving calls this week from customers who received the bank routing number. The North Carolina Attorney General issued a warning about this scam June 28 and utilities in Florida have also reported a similar effort.

According to Better Business Bureau reports, scammers have visited customers in person, posted fliers and used social media and texting to send messages claiming that President Obama will provide a credit or directly pay utility bills.


FBI cybercrime sting leads to 24 arrests

The FBI orchestrated a two-year cybercrime sting that resulted in 24 arrests, with some alleged hackers facing more than 20 years in prison for allegedly profiting from stolen information such as credit card and bank account numbers, law enforcement authorities announced today.

The U.S. attorney’s office in Manhattan and the FBI announced the arrests and provided details of the sting operation, which involved FBI agents posing as hackers while the bureau set up a fake “carding” forum, according to the press release (see the full release below). Carding is the term for crimes associated with exploiting stolen personal information for profit. The forums helped “carders” communicate and, in some cases, find mailing addresses — usually empty apartments or houses — for products purchased with stolen credit-card data.

While the sting netted 24 arrests across eight countries, authorities only shared the charges of 12 alleged hackers. These individuals were charged with several counts of fraud, including selling personal data, using stolen information to purchase or obtain products, and selling tools to aid hackers in stealing information.

The FBI claims it prevented 400,000 potential cybercrimes via this operation.

These three alleged hackers face the heaviest sentences:

Ali Hassan, aka “Badoo,” faces charges that carry a total maximum sentence of 37 years for selling credit card information — some of which reportedly came from hacking an online hotel booking site. The credit card information, described as “fulls” by hackers, included cardholder name, address, social security number, birth date, mother’s maiden name, and bank account information. Hassan, 22, is a resident of Milan, Italy.

Mark Caparelli, aka “Cubby,” faces charges that carry a maximum of 30 years total. Capparelli, 20, of San Diego, Calif., reportedly used stolen credit cards and Apple product serial numbers to get replacement products under defective product claims. A credit card is required in case the defective product isn’t mailed back to Apple. Using this technique, Capparelli allegedly sold and shipped four iPhone 4 devices to an undercover FBI agent.

Michael Houge, aka “xVisceral,” allegedly sold malware, including remote access tools (RATs) that allowed users to take over and remotely control an infected computer. Houge’s alleged RAT gave users the ability to turn on Web cams and record keystrokes. According to the release, Houge, a 21-year-old Arizona resident, sold the tool for $50 a pop and bragged about infecting between 50 and 100 computers himself and selling the RAT to others who infected thousands of computers. His charges carry a maximum of 20 years total.


Financial Crimes: Credit card ‘cloning’ is a growing form of identity theft

Lexington financial crimes detective Gene Haynes swiped a credit card through an innocuous black card reader known as a “skimmer.” Less than a second later, two lines of illuminating text showed up in a Microsoft Word document on his computer screen.

The mishmash of numbers and symbols was the visual representation of all the information stored on the card’s magnetic strip.

“That’s all it takes” for a credit card to be compromised, he said.

The information then can be emailed or downloaded over the Internet and rewritten onto any card with a magnetic strip, such as gift cards or hotel keys. While the victim’s credit card is still in his or her possession, someone could be using a perfect replica hundreds of miles away.

“Suddenly they’ve got a physical asset that they can use to shop in stores,” said John Sileo, a Denver-based author and speaker on identity theft and financial crimes. “There’s not much you can do. They can spend on it until you figure it out or until the credit card company catches it.”

The process, called “cloning,” accounts for much of the growth in credit card fraud during the past few years, officials said. According to a Javelin Strategy and Research report, credit card fraud has increased 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide.

Credit card cloning is easy and lucrative, accounting for its popularity, said Sileo, who founded the Web site For example, an unscrupulous restaurant waiter with a pocket skimmer might be able to steal information from hundreds of customers a week, selling that information to those with the means to encode fake credit cards.

Battery-powered skimmers can be carried in a pocket or hung inconspicuously over card slots at gas pumps and ATMs, copying information as customers swipe cards to pay for gas or withdraw cash.

People whose cards are skimmed might not know for weeks or months that their information has been stolen. Once someone realizes it, the account usually is closed quickly. Savvy crooks know to rack up major bills just as fast.

Two financial crimes detectives in Lexington primarily investigate credit card fraud. Detectives Mike Helsby and Larry Kinard each take about 50 reports of credit card fraud a month, they said. Among those, cases involving cloned credit cards are most troublesome because there is little Lexington police can do, Helsby said.

If a cloned card is used outside Lexington, police do not have the authority to investigate it.

“We don’t like to take reports here for people whose cards have been used outside of our jurisdiction, because all it does is inflate our numbers,” he said. “There is nothing we can do. We can’t call California and request (surveillance) video, and even if we got it, we can’t place charges.”

Instead, interstate credit card fraud should be reported to the Internet Crime Complaint Center, or IC3, a partnership between the FBI and National White Collar Crime Center. Most, if not all, banks and lending institutions accept reports from the IC3 in lieu of a police report when victims are disputing fraudulent charges, Haynes said.

Online reports may be submitted at, by clicking on “file a complaint” on the home page. When following the prompts, victims should select “identity theft” as the type of incident they are reporting. (Many states consider credit card fraud a form of identity theft, though Kentucky doesn’t, detectives said.)

IC3 aggregates data submitted and can cross-check it to find a point of compromise. For example, they might discover 500 fraudulent credit cards were used at the same gas station in Lexington, and they can forward that information to Lexington police, who then can investigate further.

However, given the lengthy paper trails that can complicate fraud investigations, the best defense is never to have your credit or debit card compromised. Detectives offered the following tips:

■ Don’t carry more credit cards than you need.

■ Check card readers at self-serve gas pumps, ATMs or other machines for obvious card skimmers.

■ Don’t let your credit card out of your sight for any longer than necessary when paying for items or meals.

■ Check your bank history often. Most banks allow you to check your account online or through apps on smartphones.

■ Take advantage of security measures offered by your bank. For example, some banks allow you to set spending limits that require authorization over certain dollar amounts.

■ Never give anyone the PIN number for your debit card (and don’t write it on or near your card).

■ Pick a random PIN number rather than obvious numbers like your address or phone number.

■ As soon as you notice your wallet or credit card is missing, cancel all your cards.

■ If your card has been stolen or compromised, secure copies of bank statements to provide to police or federal authorities.

Such tips might seem like common sense, but investigators say they’re invaluable to combat a type of crime that affects thousands of people daily and siphons billions of dollars from individuals and financial institutions every year.


Identity Theft: The Number One Consumer Complaint in 2011

Identity theft was the number one complaint from consumers to the Federal Trade Commission (FTC) for the 12th year in a row.

The FTC tracks and records complaints into Consumer Sentinel, an online database used to track targets and research cases. Of more than 1.8 million complaints filed with the FTC in 2011, nearly 15 percent were identity theft complaints.

Twenty-five percent of those were tax or wage related, according to data from the FTC’s annual Consumer Sentinel Network Data Book released on Tuesday. The Miami-Ft. Lauderdale metro area ranked number one for most identity theft crimes.

Thirty percent of identity theft victims never notified police, according to Consumer Sentinel Data. However, Consumer Sentinel Data is accessible by law enforcement agencies for investigations. And data from Consumer Sentinel can be added by about a dozen other agencies, including the U.S. Postal Service Inspection Service, the Department of Justice Internet Crime Complaint Center, and all U.S. and Canadian members of the Better Business Bureau.

Meanwhile, the Electronic Frontier Foundation released a new version of HTTPS Everywhere, a Web browsing tool for Firefox and Google Chrome browsers, that automatically encrypts communication with major Web sites to help protect user information from monitoring and hijacking of data that can lead to identity theft.

The new version, HTTPS Everywhere 2.0 for Firefox, has a feature that warns users when they’re visiting a Web site that has security vulnerabilities, flagging sites that are vulnerable to eavesdropping or man-in-the-middle attacks.

“In recent weeks, an unexpected weakness in the encryption used by many routers, firewalls and VPN devices made big news,” said EFF Technology Projects Director Peter Eckersley. “The new version of HTTPS Everywhere for Firefox will let users know when they connect to a website or device that has a security problem–including weak key problems like the ones that were disclosed two weeks ago–giving people the information they need to protect themselves.”

The browser extension has been downloaded in more than one million homes since its launch in 2010, according to an EFF press release distributed on Tuesday.
