Identity Theft Red Flags Rule Effective Jan 1 2008

The following is an abstract from a newsletter sent to me by The Institute of Fraud Risk Management. This is not my research and full credit for this post is given to them. This is the organization that certified me as an "Identity Theft Risk Management Specialist." They have a wealth of information and if you are a security professional, their designation is one you MUST have. For more information, please visit www.tifrm.com

------------------------------------------------------------------------------------------------

Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003

(aka Identity Theft Red Flags Rule)

Background:

The issuance of the final rule of the Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 rule implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act. The purpose of the Rule is to attempt to minimize incidents of Identity Theft and fraud in the opening and maintenance of covered accounts by financial institutions and creditors, as well as addressing issues of address discrepancies by users of consumer reports (credit reports and specialty consumer reports) and debit or credit card issuers.

Summary of Key Requirements:

The final rules requires each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers and enable a financial institution or creditor to specifically:

1. Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of red flags.

The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.

It is important to note that, as with the Disposal Rule, the Red Flags Rule does NOT automatically apply to every business. Under the final rule, only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program. For example, a restaurant that accepts credit cards as a means of one-time payment in full by a customer who purchases a meal is not impacted; whereas, a utility company that opens and maintains accounts for its customers is impacted.

Administration and Oversight of the Program:

Each financial institution or creditor that is required to implement a Program must provide for the continued administration and oversight of the Program and must:

1. Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors; and

2. Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program; and

3. Train staff, as necessary, to effectively implement the Program; and

4. Exercise appropriate and effective oversight of service provider arrangements.

Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

1. Assigning specific responsibility for the Program's implementation;

2. Reviewing reports prepared by staff regarding compliance by the financial institution or creditor; and

3. Approving material changes to the Program as necessary to address changing identity theft risks.

Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

Flexibility for Small Entities:

The final requirements of the Red Flags Rule were drafted in a flexible manner intended to limit the burden on a substantial majority of low-risk entities, allowing these entities to conduct periodic risk assessments for covered accounts and allowing the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities.

Final Rule Effective Date: 1 January, 2008

Date of Mandatory Compliance by Covered Institutions and Creditors: 1 November, 2008

Regulatory Agencies:(Applicable regulatory agency determined by the business' industry or nature of business / statutory regulator)

· Office of the Comptroller of the Currency

· Federal Reserve

· Federal Deposit Insurance Corporation

· Office of Thrift Supervision

· National Credit Union Administration

· Federal Trade Commission

Social Security Identity Theft

As you know from my May 14th post, Identity Theft is not just about your credit cards. One of your identity types that can be compromised is your social security identity.

According to Merriam-Webster Social Security is:

a United States government program established in 1935 to include old-age and survivors insurance, contributions to state unemployment insurance, and old-age assistance

The Social Security Identity was established to create and maintain a permanent master earnings record for the individual worker in the United States. It is maintained by the Social Security Administration (SSA) and the record has a unique number assigned to it; that is your Social Security Number (SSN). Although the use of your Social Security number has moved well beyond its’ initial purpose, it is still the master identifier of your earnings history. In other words, all the reported money you ever make, is reported under your SSN. Have you ever thought about what would happen if someone took your SSN, a false name, and used that to get a job?

Theft of this portion of your identity occurs when thieves use your SSN to gain employment or report income under your name. Many things could happen as a result of this.

For example:

· Thieves take the income, but don’t pay the taxes, leaving you with the bill and possibly making you subject of an audit.

· Wanted criminals use your SSN so they can get employment without being found.

· Illegal immigrants use your SSN to gain employment.

· Multiple people obtain employment under your SSN and it has a negative impact on your ability to collect your social security benefit.

One of the problems that has become increasingly common is the use of stolen SSNs by illegal immigrants. They are by no means the only group that is using illicit SSNs, but they are the largest group. Employers are required to verify the SSNs of all new employees. Illegal immigrants need to work to make money just like everyone else, but without an SSN, what can they do? In some cases, they act maliciously to take a number and use it. Sometimes, they are given a SSN from someone who makes them believe that it is real and that it now belongs to them. They don’t even know that they are committing a crime. Although the statistics that the government is using state that the number of illegal immigrants is between 10-15 million, we believe that the number is much higher. Why is that a problem you ask?

When one of my colleagues, John Gardner, was speaking to a group in New Mexico, he met with a number of business owners and received a rude awakening. After discussing the different identity types and how they relate to identity theft, a business owner said that it is standard policy for ‘employees’ to change their SSN. What happens is the person in question uses an SSN until it doesn’t work any more. That could be because the government has finally gotten around to finding out the SSN didn’t match the individual or the real owner of the SSN found out that he had new income in his name. Regardless, when the ‘employee’ is no longer able to either work or, more importantly, use the SSN to be able to cash checks, he simply walks into HR and changes his SSN. He doesn’t really care that it messes you up, just that he can cash his check.

Okay, so you may be thinking, so what!? How can an illegal immigrant using my SSN to get work really affect me? At least he is paying taxes, right? Say your right, that he really is paying taxes using your SSN. What happens when the income that he reports gets added to the income that you really did earn? How would you like the next higher tax bracket? Stings, doesn’t it? People need to wake up to this problem. Your current tax bracket and future benefits may be effected by this right now.

How bad is the problem? Well, according to one industry magazine, there are entire industries that would disappear if the illegal immigrants couldn’t work. Meatpacking, bakeries, or any one of a dozen more. The problem is, what happens when there is more than one person works under the same SSN? According to MSNBC .com

“With every paycheck, U.S. workers pay FICA taxes, destined for Social Security funds. But each year, millions of payments are made to the agency with mismatched names and numbers. The Social Security Administration has no idea who deserves credit for the taxes paid by those wage earnings -- so no one gets it. The amount of uncredited Social Security wages is now an enormous $420 billion, an amount that sits in what's called the Earnings Suspense File, an accounting limbo.” *

One doesn’t have to do a tremendous amount of connecting the dots to understand that there is not a lot of incentive for the SSA to fix this problem. If MSNBC is correct, the SSA has $420 billion in excess cash to do whatever with until the disparities are corrected. I am not saying this report or these theories are right or wrong, it is only my job to report the findings.

*http://www.msnbc.msn.com/id/6814673/page/2/print/1/displaymode/1098/

"Your loss of privacy is a package deal"

It is important to begin to understand the link between the loss of privacy and identity theft. The following illustrates just how much information you give away on a daily basis. Thank you to John Gardner for sending this to the Identity Theft Times.

--------------------
Your loss of privacy is a package deal
--------------------

David Lazarus
Consumer Confidential

September 12 2007

"The all-you-can-eat packages of voice, video and Internet services offered by phone and cable companies may be convenient, but they represent a potentially significant threat to people's privacy."

View Entire Article

Identity Theft - "Monster.com took 5 days to disclose data theft"

A big thanks to Bob Omtvedt who passed this on to The Identity Theft Times.

--
By Jim Finkle Fri Aug 24, 9:34 AM ET

"BOSTON (Reuters) - Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday."

View Entire Article

Identity Theft - Do you know what it really is?

Do you think you know what Identity Theft really is? After all, you are an intelligent person, you have read articles, seen television shows, watched commercials and they all say pretty much the same thing. Aside from the occasional horror story, identity theft is mostly about your credit cards and finances, right? Well, not exactly. There is no doubt identity theft is a heavily covered topic, but despite all of the media attention, the information you are receiving doesn’t even come close to telling the full story. It’s like the iceberg that sank the Titanic, what they saw at the surface, was not what caused the real problem. In fact, it was only the “tip” of the problem. It is the same with Identity theft, what you see in the media is only a small part of the real threat.

Okay, so if it isn’t what you’ve been told it is, then what is it? And even if you aren’t being told all of the details, why should you care? After all, Identity Theft happens to other people and not you. And when it does happen, it really isn’t that big of a deal, right? Well again, not exactly.

Just like the iceberg, the danger is real, and it is difficult to tell from the surface exactly what it will do to you. Fortunately, knowledge truly is power and the more of it you have, the better off you will be. Whether you are a nanny or a CEO, a politician or a policeman, a janitor or a doctor, Identity Theft should matter to you. Whether you have good credit or bad, no credit cards or a dozen, you are a felon or a saint, doesn’t matter. The fact is, someone else wants to be you, and chances are it won’t be in your best interest to have that happen.

The real question is, when it does happen, what do you do? Are there measures you can take to reduce it from taking place? Are there measures you can take to prevent it completely? Are there products you should buy or can you do it all yourself? If you own a business, should the idea of losing personal information about your customers or employees matter to you? Identity Theft is growing and changing every day, so it this not the definitive volume on the subject, but it will help you connect the dots so that you will have the basic knowledge you need to live with and respond to the threat of identity theft.

Identity Theft - You've Been Sold

On September 15, 2004 Investors Business Daily reported a help desk worker at a company that provides credit reports pled guilty to stealing information from over 30,000 people, netting thieves up to 100 million dollars. On the next day, the Wall Street Journal said that if you use a “computer to access the Internet, your privacy and your security are all in jeopardy. An international criminal class of virus writers, hackers, digital vandals and sleazy business people wakes up every day planning to attack your computer.”

Records at your local Court House are public unless sealed by Court Order. These include what you own, what you owe, your social security number, your birth date, your drivers license number and sometimes very private divorce files. Some of this information is included on UCC forms filed when you borrow money on a car for instance, in deeds and mortgages, on some leases that are filed, etc., etc. Almost all public records are being computerized and are available on line to anyone.

Any school you have ever applied to has your social security number and birth date, as does any company you have ever applied to work for. Every insurance agent and company you have ever applied to has this information as do the agents and companies of any company you have ever worked for. Any company you have ever borrowed money from and your banking institutions all have this information, not to mention the utility companies. There are companies that aggregate information from all these sources and many more and the information is for sale.

The question is, how can all your most private information be for sale. The reason is you have given each company, institution and office permission to sell everything about you. Each of us receives “Privacy Notices” that tell us they are going to sell and share everything about us to whomever they want, whenever they want. You must call and or write and request your info not be sold to “Opt Out”. The vast majority of us simply filed them thinking our privacy was being protected. The notices sometimes say they will not sell “except as provided by law” or except to their “subsidiaries”. My advice, read the notices from now on – there is an “Opt Out” procedure for a reason.

What kind of information is sold other than that above mentioned? Virtually everything about you; what you watched on TV last night, every page of every website you visit each night, the drugs you take, what and when and where you buy your clothes, your food, your preferences, your habits. All collected and sold with your permission because you have not responded to privacy notices for years.

The average American is in 50 separate databases, which have collected information about you. In the space we have here we cannot possibly cover the challenges we all face as a result of the average American being profiled down to their “strange and unusual habits.” The beginning of the solution is in the recognition of the problem.

Lost Wallet = Identity Theft and Jail Time

Folks, the stories are starting to come in and the misconceptions are being debunked. A man in in St. Petersburg lost his wallet and it landed him in jail after someone tried to cash a check in his name. A big thank you to Thomas Lake, a reporter for The St. Petersburg Times, who did a tremendous amount of research and wrote a fantastic piece. Although I have never met Thomas, it is journalist like him who will help lift the veil and show the reality of this insidious crime.


"Costly Mistakes"

"A forgotten wallet leads to an error-riddled check fraud investigation. The cost to a man, his family and their community could be immeasurable."

By THOMAS LAKE
Published June 3, 2007

TAMPA -- "When it was over he stood in the laundromat, by the clothing revolving in fresh-scented soap, and he sighed as he thought of the dream that washed away."

View Entire Story

Synthetic Identity Theft

Thank you to Bill Garner for this recent story ...

We first heard of this type of Identity Theft in 2005 when idAnalytics, an identity management company, released their research on the topic. A recent report put out by an NBC affiliate in Milwaukee prompted this posting.

Synthetic ID Theft
John Mercure - Today's TMJ 4 Milwaukee

"There's a rapidly growing form of identity theft that's being called the most sinister yet. You may be a victim right now, and not even know it for years. It's called Synthetic ID Fraud, and there are red flags to watch for...so you can minimize the damage."


View Entire Article

Identity Theft - The Third Misconception

Through various conversations and research, it has become apparent to me that there are three major misconceptions about Identity Theft.

1. That it is just about your credit cards or your finances
2. That you can't be held liable for the debt racked up in your name by thieves
3. That you can take steps to 100% prevent the crime
Nothing could be further from the truth.

Identity Theft - The Third Misconception

"That you can take steps to 100% prevent the crime"

It truly amazes me that there are companies and so-called "experts" out there that tell you, and the rest of the marketplace for that matter, that there are steps you can take to completely prevent identity theft. Have you heard of the product that can lock your life down "Guaranteed"? The company CEO is so audacious in his claims that he actually posts his SSN on the entry page of the website. Well a good friend and mentor of mine says "Time will either promote you or expose you" and I have been saying since day one that this particular company is a ticking time-bomb. Curios to know what I am talking about, check this out. I wish the CEO no ill-will, but I love that he is a victim of a crime that he says his product guarantees he can't be a victim of.

I only wish I would have written my post about the Five Common Types of Identity Theft earlier. Maybe they would have known that locking down you credit, which is something you can do on your own by that way, can't help in every area of Identity theft. Oh well ...

Wow, I guess you can even get tangential in a blog ... okay, back to the matter at hand. Why do I know that you can't 100% prevent the crime? Simple, it is not about what you do with your information, but what others do. See all the shredding in the world cannot stop a company who has your personal information from losing it or having it stolen. It is a concept I call, The DataBased You TM.

The DataBased You is the sum total of all of the information about you in the marketplace, whether on paper of electronic, that can build a better biography of you than you could of yourself. Think about this ...

Your name is literally in thousands of databases. Your address is as well. Your social security number is with The Social Security Administration and everyone you have ever given it to. You criminal record and legal history is out there. You real estate is a matter of public record (check out Zillow and put in your address). Your military history. Your employment history. Your insurance claims. Your driving record and car registration. Your phone number. The tracking information your GPS chip in your cell phone tells your provider where you are 24/7 ... and so on.

The point is, there are thousands of records, that are out your control, that have your private information in them. Between February 15th, 2005 and June 14th, 2007, whether it was hacking, lost computers, or lost data tapes, there were 155,166,602 records containing sensitive personal information lost! The question is, did one or more of them contain YOUR information?

No matter what you shred or what you buy, there is nothing you can do to 100% prevent Identity Theft from happening to you.

Identity Theft - The Second Misconception

Through various conversations and research, it has become apparent to me that there are three major misconceptions about Identity Theft.

1. That it is just about your credit cards or your finances
2. That you can't be held liable for the debt racked up in your name by thieves
3. That you can take steps to 100% prevent the crime

Nothing could be further from the truth.

Identity Theft - The Second Misconception

"That you can't be held liable for the debt racked up in your name by thieves"

Forget about those "comfy" old rules you think you know about fraud being committed in your name. Those commercials where someone is in trouble or under duress and their confidant says "just imagine someone stole your (fill in the blank) check card" and all of sudden, things are peachy, are a not only a joke, they are dangerously misleading.

I encourage you to download the Federal Trade Commission's Free Report "Take Charge: Fighting Back Against Identity Theft". On page 19 of this publication, you will read firsthand why the second misconception is just that, a misconception. It reads:

"send your letter so that it reaches the creditor within 60 days. If an identity thief changes the address on your account and you didn’t receive the bill, your dispute letter still must reach the creditor within 60 days of when the creditor would have mailed the bill"

What this means is, you could wake up tomorrow owing $75,000 on a debt that you can prove is not yours but because you did not dispute within the required time frame, you 100% owe the money. The notion of zero liability is a joke.

Here are two great stories that will hopefully help you kill the second misconception:

1) "Getting there money back isn't always easy"

2) "Forget about those comfy old rules about fraud"

Our next post will cover the third misconception, "That you can take steps to 100% prevent the crime".

Identity Theft - Beware of Peer-To-Peer Networks!

A big thanks to Aaron Hillyer, a good friend of The Identity Theft Times, for this story.

"Beware P2P Networks With a Tunnel to Confidential Data, Study Warns"
InformationWeek (05/15/07) ; Greenemeier, Larry

Peer-to-peer networks are being used by cyberthieves to tunnel into networks and access confidential information, according to a new study of corporate data leaks released by researchers at Dartmouth business school. Eric Johnson, a professor of operations management at Dartmouth's Tuck School of Business and a co-author of the study, noted that most users were not sufficiently protecting their files and data from peer-to-peer networks. He added that the majority of peer-to-peer software applications have interface designs that are confusing and even deceptive in a way that gets users to unwittingly share the contents of their entire hard drive. This can open up consumers to identity theft, and can also give criminals access to confidential information stored on corporate networks, such as job performance reviews and the results of security audits. There are a number of ways that companies can see whether their data has been leaked onto peer-to-peer networks. For instance, security professionals can set up their own accounts on the most popular peer-to-peer networks and search to see if any information being offered is similar to their proprietary data or intellectual property. Security professionals can also keep track of all searchable keywords that would lead a Web surfer to their company, including firm names, abbreviations, and ticker symbols, and use those keywords to search peer-to-peer networks.

View Entire Article

Identity Theft - The First Misconception

Through various conversations and research, it has become apparent to me that there are three major misconceptions about Identity Theft.

1. That it is just about your credit cards or your finances
2. That you can't be held liable for the debt racked up in your name by thieves
3. That you can take steps to 100% prevent the crime

Nothing could be further from the truth.

Identity Theft - The First Misconception

"That it is just about your credit cards or your finances"

Identity theft is so much more than just your credit cards or your finances. In fact, the Federal Trade Commission reports that only 28% of identity theft has to do with your credit cards and less than half of all reported instances are financial in nature. Please refer to the May 14th post to review the five common types of identity theft to gain an understanding on what Identity Theft really is.

My definition of Identity Theft is: "When someone gets some piece of information about you, personally, professionally, or financially, and uses it to their benefit and your detriment". The mainstream media is missing the boat because the majority the of reporting done focuses on the financial side of the equation. They are completely missing 4/5's of the problem.

Here are three great stories that hopefully will help you kill The First Misconception

MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You

Identity Theft Woes

Illegal Immigrants and Identity Theft

Our next post will cover The Second Misconception: "That you can't be held liable for the debt racked up in your name by thieves"

Identity Theft - Five Major Types

Hello and welcome to The Scary Face of Identity Theft. My name is Jeffrey Omtvedt and I am a Certified Identity Theft Risk Management Specialist. The goal of this blog is to educate the community on what Identity Theft truly is. Forget what you've seen on TV and the majority of what you have read because most pundits and reporters only cover one fifth of the problem, the financial side. To understand Identity Theft, you must first realize there are Five Major Types.

The Five Major Types of Identity Theft

Driver’s License Identity Theft

Thieves use your information to acquire a driver’s license in your name or claim to be you during a traffic stop

♦You could receive DWI, DUI, and other driving-related charges

♦Your driving privileges could be suspended or revoked

♦You could be arrested during a routine traffic stop for crimes you did not commit

Social Security (SSN) Identity Theft

Thieves use your SSN Identity to gain employment or to report income under your name

♦Thieves take the income, but don’t pay the taxes, leaving you with the bill

♦Wanted criminals use your SSN Identity so they can get employment without being found

♦Illegal immigrants use your SSN Identity to gain employment.

♦Thieves and Criminals use your SSN for employment, medical, financial, criminal, school, and other purposes.

Medical Identity Theft

Thieves use your information for insurance benefits, Rx, Medicare, Medicaid benefits, or for medical tests

♦Your rates could go up or your coverage could be cancelled or used up

♦You could owe thousands of dollars for a procedure you never had

♦You could be unable to obtain medical or life insurance, other coverage, and/or employment because of conditions that you do not have (AIDS, Diabetes etc…)

Character / Criminal Identity Theft

Thieves mask their criminal activity behind your identity

♦You could be arrested

♦You could be denied employment because of fraudulent criminal records found during routine background checks

♦Security checkpoints at airports could become a nightmare for you

♦You could be denied a passport and be barred from leaving the country

Financial Identity Theft

Thieves use your information to open new accounts or to gain access to existing accounts

♦Thieves rob your accounts

♦They rack up outrageous charges on credit cards, take out new loans, and more

♦They destroy your credit, forcing you to pay higher rates

♦You can absolutely be held responsible for the debts incurred by the thieves in your name