<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rossander's Security Reader &#187; ID Theft</title>
	<atom:link href="http://rossander.org/infosec/category/id-theft/feed/" rel="self" type="application/rss+xml" />
	<link>http://rossander.org/infosec</link>
	<description>an Information Security blog for the rest of us</description>
	<lastBuildDate>Thu, 19 Jan 2012 01:40:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Another &#8220;biggest&#8221; data theft</title>
		<link>http://rossander.org/infosec/2010/03/another-biggest-data-theft/</link>
		<comments>http://rossander.org/infosec/2010/03/another-biggest-data-theft/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 23:26:16 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Credit report]]></category>
		<category><![CDATA[ID Theft]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=589</guid>
		<description><![CDATA[Student Loan guarantor discloses breach of 3.3 million IDs]]></description>
			<content:encoded><![CDATA[<p> 3.3 million identities stolen &#8211; this time from the Educational Credit Management Corp, the folks who guarantee many federal student loans.  Names, addresses, Social Security numbers and other personal data on borrowers were taken.  It&#8217;s not as big as the 45 million credit and debit card numbers stolen from TJ Maxx but it&#8217;s arguably more sensitive information.</p>
<p> According to ECMC, the stolen information was on a portable media device.  In the words of their spokesman Paul Kelash, &#8220;It was simple, old-fashioned theft.  It was not a hacker incident.&#8221;  More proof that the simple threats are still the most serious.  The company does use key-card control of their physical facility but has not yet released how the theft was accomplished.  It&#8217;s rarely hard to <a href=http://rossander.org/infosec/2007/11/tailgaters-are-a-danger-to-everyone/>tailgate</a> into a building then walk out with a thumbdrive.</p>
<p> Notices have not gone out yet so we don&#8217;t know if it&#8217;s just current loan holders or if the breach included information on closed accounts as well.   ECMC is the designated guarantor for loans in Oregon, Virginia and Connecticut which I interpret to mean that you may be at risk if you got your loans through schools in those states.  But the way those documents get shared around, any of us with loans could be at risk.</p>
<p> If you haven&#8217;t checked your credit report lately, this is a good excuse to do so.  You are eligible for a free copy of your credit report every 12 months.  Be sure to go to the <a href=http://www.annualcreditreport.com>official site</a> (not the deceptive site with the goofy ads and &#8220;free&#8221; in the domain name).   And remember that you can check just one of the three credit reports, saving the other two for 4 and 8 months later respectively.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/03/another-biggest-data-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Debit cards return to their roots</title>
		<link>http://rossander.org/infosec/2010/03/debit-cards-return-to-their-roots/</link>
		<comments>http://rossander.org/infosec/2010/03/debit-cards-return-to-their-roots/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 14:57:25 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=585</guid>
		<description><![CDATA[Two banks cancel overdraft fees for debit cards.  This reestablishes the distinction between credit and debit cards.]]></description>
			<content:encoded><![CDATA[<p>In the past few days, both Bank of America and CitiCorp have announced that they are doing away with overdraft fees for debit cards.  No longer will you be charged $35 in penalties for a $2 cup of coffee.  Instead, the bank will simply reject the transaction if you are trying to make a purchase without enough money in your account.</p>
<p>This is how debit cards originally worked.  There was no built-in overdraft protection &#8211; you either had enough money in the account or you did not.  If not, there was no harm &#8211; the transaction just didn&#8217;t go through and you pulled out a credit card instead.  It might be a little embarrassing in front of the clerk but it kept you from spending money you didn&#8217;t have.</p>
<p>That changed when banks realized that they could earn a lot of money on the overdraft fees.  Almost overnight, overdraft went from an uncommon option that you could add to the account to a default that was almost impossible to unbundle from the account.  Congress reined in banks&#8217; ability to collect many of those fees and at least these two banks have realized that it&#8217;s not worth the trouble to try to nickel-and-dime customers for what&#8217;s left.  Easier just to reject the transaction and let the customer use a different card.</p>
<p>I think this is an excellent trend.  It reestablishes the difference between a credit card and a debit card, giving each a distinct purpose.  If you want convenience and deferred payment, carry a credit card.  If you don&#8217;t trust yourself not to overspend, carry a debit card.  Debit cards can be good for young people and others who are struggling to learn financial discipline.</p>
<p>That said, I have two concerns.  First, where will the banks turn to replace this revenue stream?  They made a <b>lot</b> of money on those fees.  We can expect the rules to change (again) as banks adapt and find new ways to make money.  We&#8217;re all going to have to watch the rules for our accounts very carefully as the banks adjust to the new regulations.</p>
<p>Second, debit cards still carry a far higher risk when they are stolen.  Lose your credit card and you are only liable for the first $50 (assuming that you notify your bank in time, etc).  Lose your debit card and the thief can empty your account of whatever balance you have in there.  Before this change, I was absolute in my recommendation that there was no longer a good reason to carry a debit card.  Maybe carry an ATM-only card but nothing else.  Now&#8230;  Well, the financial discipline imposed by these new (or newly old) debit cards might just be right for some people.  Those same people will be most badly hurt if/when the debit card is stolen.  What used to be a simple decision is now more complicated.  If you do decide to carry a debit card, remember the risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/03/debit-cards-return-to-their-roots/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protect your physical mail</title>
		<link>http://rossander.org/infosec/2009/06/protect-your-physical-mail/</link>
		<comments>http://rossander.org/infosec/2009/06/protect-your-physical-mail/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 13:31:41 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=471</guid>
		<description><![CDATA[Physical mail is a weak link in the security chain.  Here are some steps to reduce your risks with snail mail.]]></description>
			<content:encoded><![CDATA[<p>Studies continue to show that most identity theft is committed using paper-based information.  And while much of that is based on papers stolen from your kitchen counter (usually by someone you know well), a fair portion is the result of mail theft or tampering.  Here are some steps to protect your physical mail.</p>
<ul>
<li> Don&#8217;t leave outgoing mail in an unsecured mailbox &#8211; especially checks (which have your bank number and signature on them).  Take the extra time to detour to the post office drop box.</li>
<li> Or even better, pay your bills online through your bank&#8217;s secure website.</li>
<li> Sign up for direct deposit and for electronic deposit of as many incoming checks as you can.  Don&#8217;t advertise when you&#8217;ve got a check coming.  An insurance company I know recently had a check forgery case based on a single claim check stolen from the victim&#8217;s mailbox.</li>
<li> Keep your eyes open for changes in patterns.  If you haven&#8217;t received a bill on time, one possibility is that an ID thief changed the address and is using your account to establish his/her false identity.</li>
<li> If you&#8217;re expecting a package, track its progress on the carrier&#8217;s website.  Make sure that it doesn&#8217;t sit unattended any longer than necessary.</li>
<li> Think about signing up for electronic statements instead of getting them through the mail.  It&#8217;s cheaper for the company (and ultimately for the consumer), it reduces the volume of paper to manage and, as long as your computer security is good, it can be as safe or slightly safer than paper statements.</li>
<li> If you&#8217;re going out of town, put a hold on your mail.</li>
<li> If you live in a high-crime area, consider a post office box.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/06/protect-your-physical-mail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phone scam targets insurance policyholders</title>
		<link>http://rossander.org/infosec/2008/12/phone-scam-targets-insurance-policyholders/</link>
		<comments>http://rossander.org/infosec/2008/12/phone-scam-targets-insurance-policyholders/#comments</comments>
		<pubDate>Tue, 02 Dec 2008 15:48:36 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Specific Alerts]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=8</guid>
		<description><![CDATA[Ohio Dept of Ins confirms a phone scam against insurance policyholders.  The fraudulent caller alleges that "there was a problem with your payment" and asks for confidential information such as SSN, birthdates or bank account numbers.
]]></description>
			<content:encoded><![CDATA[<p>The Ohio Department of Insurance has confirmed an on-going scam targeting insurance policyholders.  According to the ODI, the scam is currently targeted primarily at auto policies.  In this scam, the caller alleges that &#8220;there was a problem with your insurance payment&#8221; and asks for confidential information such as bank account numbers, birthdates, SSNs, etc.  The call often includes a threat that &#8220;your coverage will lapse&#8221; if the customer does not comply.</p>
<p>You can read the full ODI press release at <a href=http://www.ohioinsurance.gov/Newsroom/scripts/Release.asp?ReleaseID=6264>ohioinsurance.gov</a>.</p>
<p>Insurance companies do sometimes ask for confidential information such as SSNs and birthdates in the normal course of business.  However, it would be highly unusual for the insurance carrier to contact the customer directly or to do so other than in writing.  If you receive a call that strikes you as suspicious, <b>hang up and call the number printed on your last policy statement</b>.  If the call was legitimate, the customer service representative will be able to look up your account and confirm it.</p>
<p>Be very cautious about handing out your personal information to anyone you do not know well.  Ohio customers who have already received one of these fraudulent calls are asked to report it to the ODI at 1-800-686-1527.</p>
<p>Lastly, if you believe that you may have given up your confidential information to a fraudulent caller, you should check your credit report and consider putting a fraud alert on your account.  For more on how to check your credit report, you can follow <a href=http://rossander.org/infosec/?cat=30>this link</a> to the archive of tips on this topic.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/12/phone-scam-targets-insurance-policyholders.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/12/phone-scam-targets-insurance-policyholders/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>OnGuard Online</title>
		<link>http://rossander.org/infosec/2008/11/onguard-online/</link>
		<comments>http://rossander.org/infosec/2008/11/onguard-online/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 19:23:48 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Home Computer]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[online scam]]></category>
		<category><![CDATA[Security quiz]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=11</guid>
		<description><![CDATA[OnGuardOnline is a great site for general security awareness materials targeted to a personal or small business audience.  Their materials are free for reuse.  Help spread the word.
]]></description>
			<content:encoded><![CDATA[<p>As the holidays get closer, many of us will turn to online shopping.  Done right, online shopping is about as safe as catalog shopping &#8211; and much more convenient.  If you don&#8217;t take basic precautions, though, you could lose your shirt.  Take the time to learn about the kinds of scams and cons that are used online.</p>
<p>The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams.  If you haven&#8217;t already been out to visit <a href=http://www.onguardonline.gov/default.aspx>www.onguardonline.gov</a>, I strongly recommend the site.  It has some excellent overview material on security at the personal and small business level.  The site also has a set of <a href=http://www.onguardonline.gov/games/overview.aspx>games</a> covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam.  Test your knowledge of internet security and safe shopping.  It&#8217;s well worth the time to visit the site.</p>
<p>The site&#8217;s material comes from a number of public and private sources but is all released for public use.  If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word.  (Instructions are <a href=http://www.onguardonline.gov/about-us/how-to-spread-word.aspx>here</a>.)</p>
<p><b>Addendum:</b><br />This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I&#8217;ve run across.  I&#8217;ll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.</p>
<ul>
<li> <a href=http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html target="_blank">CMU Anti-Phishing Game</a> &#8211; Learn to identify fraudulent URLs</li>
<li> <a href=http://www.onguardonline.gov/games/mission-laptop-security-quiz.aspx target="_blank">Mission:Laptop Security</a> &#8211; Protect your laptop while traveling</li>
<li> <a href=http://www.ftc.gov/dad target="_blank">Anti-phishing Father&#8217;s Day card</a> &#8211; Flash video on phishing</li>
<li> <a href=http://www.onguardonline.gov/games/auction-action.aspx target="_blank">Auction Action</a> &#8211; Test your knowledge of online auctioning</li>
<li> <a href=http://www.onguardonline.gov/games/p2p-threeplay.aspx target="_blank">P2P Threeplay!</a> &#8211; a quick quiz on file-sharing</li>
<li> <a href=http://www.onguardonline.gov/games/invest-quest.aspx target="_blank">Invest Quest</a> &#8211; a simple quiz but the &#8216;disclaimers&#8217; are pretty funny</li>
</ul>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/11/onguard-online.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/11/onguard-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You just received a Breach Disclosure Letter.  Now what?</title>
		<link>http://rossander.org/infosec/2008/08/you-just-received-a-breach-disclosure-letter-now-what/</link>
		<comments>http://rossander.org/infosec/2008/08/you-just-received-a-breach-disclosure-letter-now-what/#comments</comments>
		<pubDate>Mon, 25 Aug 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Credit report]]></category>
		<category><![CDATA[ID Theft]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=23</guid>
		<description><![CDATA[You just received a breach disclosure letter. Their systems were &#34;compromised&#34;. Now what? Do you call the police, close all your bank accounts and change your credit card numbers, file the letter and hope for the best? The first thing is to take a deep breath. Breach disclosure letters can be intimidating but don&#8217;t panic. [...]]]></description>
			<content:encoded><![CDATA[<p>You just received a breach disclosure letter. Their systems were &quot;compromised&quot;. Now what? Do you call the police, close all your bank accounts and change your credit card numbers, file the letter and hope for the best?</p>
<p>The first thing is to take a deep breath. Breach disclosure letters can be intimidating but don&#8217;t panic. Take the time to figure out what, if anything, you should do. Read the disclosure letter itself very carefully. The disclosure letter should have some details about the breach. It may be enough to show that the breach didn&#8217;t apply to you. (I got a letter recently about my son&#8217;s medical information. Based on the dates in the letter, I knew that the breach couldn&#8217;t have affected him.) If you want more information, look on the internet. Check out the company&#8217;s website but also look for independent news reports. Be cautious about the blogs and other unverified sources, though. Look specifically to see what information is at risk. Also try to figure out whether the information was stolen or merely lost. If it was stolen, the odds are much higher that the information will be misused.</p>
<p>If you think it was stolen, start watching your accounts carefully, especially if the compromised information included bank or credit card numbers. Check those accounts online daily, looking for unauthorized transactions. If you see something suspicious, call your bank immediately.</p>
<p>If you haven&#8217;t done so recently, <a href=http://rossander.org/infosec/?p=45>request a copy of your credit report</a>. You should be in the habit of checking it regularly. Be extra vigilant for a cycle or two after receiving a breach disclosure letter. If the thief is going to abuse your account, it will probably only be for a few large transactions sometime within 3-6 months of the theft.</p>
<p>If your Social Security number has been compromised, strongly consider calling the three major credit bureaus to put a fraud alert on your records. When reviewing your credit report, look particularly for new accounts opened in your name. If you feel you’re at a particularly high risk, you can also implement a <a href=http://rossander.org/infosec/?p=36>security freeze</a>, though the costs may outweigh the protections for most people.</p>
<p>If the breach disclosure letter says that you are eligible for credit monitoring, think about that. Personally, I don&#8217;t believe they will do anything for me that I&#8217;m not already doing for myself for free since I already monitor my credit report. I don&#8217;t want to put my personal information in the hands of yet another company just so they can do the same thing. Worse, some of these monitoring services put into the contract that they will automatically renew you (for a fee) when the free period runs out. I don&#8217;t want to have to remember to turn off the monitoring in a year. But if monitoring will help you sleep better at night, consider it.</p>
<p>Finally, if you’re an actual victim of identity theft (not just credit card fraud), you do want to call the police and file a police report according to Paul Stephens, director of policy and advocacy for the <a href=http://www.privacyrights.org/>Privacy Rights Clearinghouse</a>. Keep a copy of the police report for your records. You&#8217;ll need it to prove your innocence as you attempt to clean up your credit reports. Follow the instructions at the credit reporting agency&#8217;s website to dispute incorrect information.</p>
<div align=right><small><i>based in part on a <a href=http://www.csoonline.com/article/217049/CSO_Disclosure_Series_User_Education_How_to_Respond_to_a_Data_Breach_Disclosure>CSO Online column</a><br />From <a href=http://infosec.westfieldinsurance.com/2008/08/you-just-rece-1.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/08/you-just-received-a-breach-disclosure-letter-now-what/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safe vacationing   (encore tip)</title>
		<link>http://rossander.org/infosec/2008/05/safe-vacationing-encore-tip/</link>
		<comments>http://rossander.org/infosec/2008/05/safe-vacationing-encore-tip/#comments</comments>
		<pubDate>Mon, 19 May 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=35</guid>
		<description><![CDATA[It&#8217;s hard to believe that it&#8217;s almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you&#8217;re on your vacation to reduce your risk of fraud and identity theft. Before you leave: Clean out your wallet. Use traveler&#8217;s checks or credit cards [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s hard to believe that it&#8217;s almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you&#8217;re on your vacation to reduce your risk of fraud and identity theft.</p>
<p>Before you leave:</p>
<ol>
<li>Clean out your wallet.
<ul>
<li>Use traveler&#8217;s checks or credit cards for payment. Leave your checkbook at home. </li>
<li>Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account. </li>
<li>Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an &quot;ATM only&quot; card. </li>
<li>Never carry your Social Security card in your wallet. </li>
<li>Leave any unneeded credit cards and any other unnecessary documents at home.</li>
</ul>
</li>
<li><a href=http://rossander.org/infosec/?p=100>Photocopy your wallet</a> and keep the copy in a safe place. <a href=http://rossander.org/infosec/?p=39>If your wallet is stolen</a>, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you&#8217;re still on the road. </li>
<li>Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.</li>
</ol>
<p>While on your vacation:</p>
<ul>
<li>Don&#8217;t leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it&#8217;s available.</li>
<li>Keep your identity document (passport or driver&#8217;s license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.</li>
<li>Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver&#8217;s license number.</li>
<li>Use ATMs that are at banks or credit unions and in well-lit areas.</li>
<li>If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.</li>
<li>Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a <a href=http://rossander.org/infosec/?p=124>keystroke logger</a> on the machine in order to capture your ID and password.</li>
</ul>
<p>By the way, there will be no InfoSec Tip next week. Have a safe holiday.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/05/safe-vacationin.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/05/safe-vacationing-encore-tip/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Credit freeze &#8211; defined</title>
		<link>http://rossander.org/infosec/2008/05/credit-freeze-defined/</link>
		<comments>http://rossander.org/infosec/2008/05/credit-freeze-defined/#comments</comments>
		<pubDate>Mon, 12 May 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Credit report]]></category>
		<category><![CDATA[Definitions]]></category>
		<category><![CDATA[ID Theft]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=36</guid>
		<description><![CDATA[Most states have passed &#34;credit freeze&#34; laws, allowing individual consumers to lock their credit reports and, in theory, reducing their vulnerability to identity theft. While the credit freeze is in place, the credit reporting agency may not give out your credit report unless you explicitly grant permission and confirm your identity using a PIN or [...]]]></description>
			<content:encoded><![CDATA[<p>Most states have passed &quot;credit freeze&quot; laws, allowing individual consumers to lock their credit reports and, in theory, reducing their vulnerability to identity theft. While the credit freeze is in place, the <a href="http://en.wikipedia.org/wiki/Credit_bureau">credit reporting agency</a> may not give out your credit report unless you explicitly grant permission and confirm your identity using a PIN or password. This makes it harder for the identity thief to open a new account or to get new credit in your name.</p>
<p>Even if your state does not have a credit freeze law, the three major credit reporting agencies now offer freezes voluntarily. To institute a credit freeze, you generally need to send a written request to <em>each</em> of the three major credit reporting agencies. The specific instructions vary from state to state. You can find links to each state&#8217;s instructions at <a href="http://www.consumersunion.org/campaigns/learn_more/003484indiv.html">ConsumersUnion.org</a>. The states allow the credit reporting agency to impose a fee to initiate the freeze (usually $5-10 per credit reporting agency but often free to confirmed victims of identity theft).</p>
<p>If you do freeze your credit report, you will have to lift the freeze whenever you want credit. Under almost all the state laws, you&#8217;ll have to pay again each time you want the freeze lifted. This can make opening a new account or even changing your existing service more difficult and expensive. When you apply for the freeze, you will be given the instructions and PIN needed to lift the freeze. In some cases, you&#8217;ll have to lift the freeze yourself – in others, you might be able to authorize the merchant to do it for you. Either way, it will take some extra time. It will also make you ineligible for &#8220;instant credit&#8221; unless you lift the freeze before going to the store.</p>
<p>The credit freeze laws have implications for businesses that use credit reports for purposes other than lending (such as evaluating underwriting risk). Unless the state law has explicitly carved out that usage as allowed (and many but not all states did for underwriting), the business should expect extra paperwork and several extra steps in the process to get permission to view the consumer&#8217;s credit report. The law varies from state to state. Check with your corporate counsel for details.</p>
<p>As a consumer, you should also know that a credit freeze will not necessarily keep you safe from identity theft. While most reputable creditors will check your report before issuing credit, some don&#8217;t. Identity thieves can still exploit those situations, knowing that you will have to pay the consequences. A credit freeze also <b>will not protect you from exploitation of existing accounts</b>.</p>
<p>If you are at increased risk of identity theft and already have a house, car, phone service and the credit cards you need and you see no near-term need to refinance any of them, a credit freeze might be appropriate for you. If you have few risk factors or will need to legitimately seek credit for yourself soon, a credit freeze could be more trouble than it&#8217;s worth. Personally, I do not have a credit freeze on my account. I take normal precautions to make my identity hard to steal in the first place (I have a shredder and use it, I don&#8217;t leave financial documents like credit card bills on the kitchen counter, I don&#8217;t keep my SSN in my wallet, I use strong passwords, etc) and I check my credit report regularly. To me, the incremental protection of a credit freeze is not now worth the extra hassle and expense.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/05/credit-freeze-.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/05/credit-freeze-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What to do when you lose your wallet</title>
		<link>http://rossander.org/infosec/2008/04/what-to-do-when-you-lose-your-wallet/</link>
		<comments>http://rossander.org/infosec/2008/04/what-to-do-when-you-lose-your-wallet/#comments</comments>
		<pubDate>Mon, 21 Apr 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=39</guid>
		<description><![CDATA[My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about. Never, never, never carry your Social Security card in your wallet. Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so [...]]]></description>
			<content:encoded><![CDATA[<p>My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about.</p>
<ol>
<li><strong>Never, never, never</strong> carry your Social Security card in your wallet.</li>
<li><a href=http://rossander.org/infosec/?p=100>Photocopy your wallet</a> about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.</li>
<li>Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave at home. Otherwise, you&#8217;ll have to change all those accounts when the card is canceled.</li>
<li>When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.</li>
<li>Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a <a href="http://www.consumersunion.org/campaigns/learn_more/003484indiv.html">credit freeze</a> on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when <em>you</em> want to apply for credit legitimately but it provides somewhat better protection.)</li>
<li>If you haven&#8217;t <a href=http://rossander.org/infosec/?p=45>reviewed your credit report</a> lately, <strong>do it now</strong>. Follow the instructions at <a href="http://www.annualcreditreport.com/">annualcreditreport.com</a>.</li>
</ol>
<p>Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you&#8217;re right-handed, carry it on your right shoulder).</p>
<p>If you&#8217;re traveling, keep your identity document (passport or driver&#8217;s license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/04/what-to-do-when.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/04/what-to-do-when-you-lose-your-wallet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Annual credit report review</title>
		<link>http://rossander.org/infosec/2008/03/annual-credit-report-review/</link>
		<comments>http://rossander.org/infosec/2008/03/annual-credit-report-review/#comments</comments>
		<pubDate>Mon, 03 Mar 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Credit report]]></category>
		<category><![CDATA[ID Theft]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=45</guid>
		<description><![CDATA[This Tip was first run in March 2007. This &#34;encore tip&#34; is an annual reminder to check your credit report. This is your annual reminder to request your credit report. Under the Fair and Accurate Credit Transactions Act (FACTA), every consumer is eligible for a free copy of his/her credit report every 12 months. Follow [...]]]></description>
			<content:encoded><![CDATA[<p><em>This Tip was first run in March 2007. This &quot;encore tip&quot; is an annual reminder to check your credit report.</em></p>
<p>This is your annual reminder to request your credit report. Under the Fair and Accurate Credit Transactions Act (FACTA), every consumer is eligible for a free copy of his/her credit report <strong>every 12 months</strong>. Follow the instructions at <a href="http://www.annualcreditreport.com/">www.annualcreditreport.com</a> to request your credit report from each of the three major credit reporting agencies.</p>
<p>When reviewing the credit reports, look for:</p>
<ul>
<li>adverse actions on your accounts that might indicate that you have been a victim of identity theft</li>
<li>accounts that have been opened in your name without your knowledge. Even if the identity thief is making the payments regularly, the account could still be in use for illegal activities.</li>
</ul>
<p>If you find a discrepancy, follow the specific instructions on the website to dispute any incorrect information.</p>
<p>Don’t forget to check the credit reports of your immediate family members, especially minor children and dependent elders. Both of those groups are at elevated risk of identity theft.</p>
<p>Remember that you are also eligible for a report every 12 months from any of the specialty agencies which have information about you.</p>
<p>If you want more frequent feedback on your credit history, consider asking for your free copy from only one of the major credit reporting agencies at a time. Space the requests for the other two agencies out every four months. For example, you could ask for your free copy from Experian in March, your free copy from TransUnion in July and your free copy from Equifax in November. Once you start, you will have to keep the same rotating pattern. Schedule the requests on your calendar.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/03/annual-credit-r.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/03/annual-credit-report-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

