Moving ...

by Doug Pollack

Our ID Experts blog is moving to a new home. Please check out the latest in identity theft and data breach news, advice and other happenings at our new address www.blog.idexperts.corp.com.

We are also sponsoring a new, informational data breach news site providing articles and news events specifically focused on data breaches. Please visit often or subscribe to this site at www.databreachwatch.org.

Both sites will continue to provide you with current and helpful information in the areas of identity theft and data breaches.

Independent Risk Analysis Presented at FOSE Conference April 1, 2008

by Rick Kam
April 3, 2008

This conference is one of the largest IT conferences for public agencies with attendance approaching 20,000 professionals. Leading educators and technology solution providers focused on security, privacy, and "green" IT solutions.

Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.

I presented for ID Experts on the topic of how an "Independent Risk Analysis" provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:

1. The requirements that prompted congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach

ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.

More on Experian vs. Lifelock

by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled "Business Law Bulletin: Experian vs. LifeLock Heats Up".

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

"According to Experian's lawsuit, at least one Lifelock ad claims that the company's services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone's Social Security number to obtain a job; or against unauthorized use of a credit card."

It is interesting to see a credit bureau that advertises their credit monitoring services as a means to help deter identity theft relentlessly (who hasn't seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations in this area.

Mr. Bronson goes on to point out the ambiguities with LifeLock's famous $1 million guarantee:

"Lifelock does offer a $1 million guarantee that if a customer's identity is compromised, Lifelock will help restore the customer's credit standing and pay the cost of doing so. However, Lifelock's web site states that the guarantee comes into effect when a customer's identity is compromised "due to a failure or defect in our Service", a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)"

This is the first instance where I've seen someone dig into the specifics of this guarantee. The "service defect" provision certainly provides LifeLock with a get-out-of-jail-free card. Not to mention, given that it is the financial institutions who provide most of the financial fraud protection, how valuable really is a $1 million guarantee other than as a marketing gimic. I guess we'll all find out as this lawsuit unfolds.

Putting LifeLock to the Test

by Doug Pollack

Right on the heels of the lawsuit filed by Experian against LifeLock, the self-proclaimed leader in identity theft protection, which asserts that LifeLock uses deceptive advertising and misleading claims in advertising their service, as well as illegal means of setting fraud alerts on behalf of their customers, now a CBS news report by Jim Benemann has put LifeLock to the test, along with two other companies, Debix and TrustedID, that rely on credit bureau fraud alerts or freezes for protecting their customers.

It seems that based on this test, these products do not prevent identity theft as you might be led to believe based on LifeLock's advertising. So on to the test. The first thing he did was have three of his colleagues, Tom, Jillian, and Kristine, each sign up for one of the three services. Then...

"With their permission, CBS4's Jim Benemann took all of Tom, Jillian and Kristine's personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. The only little thing he changed was the address. Benemann asked for those credit cards to be mailed to his home address. Essentially, he stole Kristine's, Tom's and Jillian's identities.

The three testers weren't worried. They all figured they would get that phone call telling them that someone was applying for credit in their name and they would put a stop to it immediately. Tom waited, Jillian waited and Kristine waited close to their phones. They waited 24 hours, then 48 hours and then a week. Not one of them got a phone call from any creditor even though they had paid companies for credit protection."

It is worth noting, that a fraud alert can easily be placed by an individual for free, just by contacting the credit bureau. Unfortunately services like these make the fraud alert seem like a "silver bullet" for preventing identity theft. As this test proves, nothing could be further from the truth. The reporter goes on to note:

"And remember Kristine who signed up with LifeLock? A little more than a week after Benemann applied for a credit card in her name, that card arrived, mailed to him, at his home address. And that had Kristine all the more interested in finding out about LifeLock's $1 million guarantee...Here is what LifeLock had to say:

'The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective.' "

Having said that, LifeLock didn't clarify how they then provide "protection" for the victim of ID theft. In the past, LifeLock had outsourced victim recovery services to other companies. It would be instructive to know what they do for their victims today.

The Indirect Costs of a Data Breach

by Doug Pollack

A recently published article in E-Commerce Times concerning the costs of corporate data breaches titled The Cost of ID Theft, Part 2: Fixing the System written by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches by America's corporations.

The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.

"The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record -- not financial fraud -- is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses noted Uriel Maimon, senior researcher for security firm RSA."

Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.

"The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP."

With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.

Credit Union Customers Targeted with Latest Scam

by Heather Wells (Recovery Advocate)

What could be worse than having your bank account or good credit history hijacked around the holidays? Picture yourself at the register attempting to pay for gifts using your debit card and being told that there are insufficient funds in your account. Or imagine checking your credit reports only to discover dozens of new maxed out lines of credit that you did not know about.

The identity thieves are getting increasingly clever with their scams. They have realized that consumers are becoming less willing to respond to “phishing” emails that direct them to decoy websites asking for personal banking information or a social security number. Most folks delete these sorts of emails suspecting foul play, which is the smart thing to do. The newer version of this phishing scam is known as “vishing,” or “voice phishing.”

An article from consumeraffairs.com dated December 3, 2007 states that “sophisticated criminals now send emails instructing consumers to call a telephone number instead of clicking on a link. This tactic, known as ‘vishing’ can be especially effective because consumers who encounter a live person are much more likely to let down their guard.”

Read more from the article and view a recently circulated vishing email here.

Consumers who receive one of these bogus emails should contact their credit union directly by using the phone number on their monthly statement or by obtaining the number from the financial institution’s official website. It’s also a good idea to report this scam to the Federal Trade Commission at http://www.ftc.gov/.

The Missing Ingredient in Most ID Theft Services. Personal Help.

by Doug Pollack

There has been a great deal of attention recently paid to the actions by credit bureaus enabling consumers to use credit freezes as a tool to avoid or deal with identity theft events.

In a recent New York Times article titled "In ID Theft, Some Victims See Opportunity", the author highlights several companies, like ours, that provide ID theft protection services. Several of these companies see the use of credit freezes and credit fraud alerts as a panacea for eliminating the threat of identity theft. This is a position that we do not subscribe to. We believe strongly in encouraging consumers to use all appropriate best practices to avoid identity theft, and we provide a product, FraudStop, that provides broader prevention from ID theft by addressing not just credit records, but also other records including real estate, motor vehicles, utilities and the like, all of which can be used by identity thieves.

"Among its peers, LifeLock has attracted the most attention--much of it negative. In radio and television ads, Todd Davis, chief executive of LifeLock, gives out his Social Security number to demonstrate his faith in the service. As a result, he has been hit with repeated identity theft attacks, including one successful effort this summer in which a check-cashing firm gave out a $500 loan to a Texas fraudster without ever checking Davis' credit report. Last summer, The Phoenix New Times, an Arizona paper, reported that LifeLock's co-founder, Robert Maynard, had a criminal past. Maynard later resigned."

But despite the best protection, ID theft does and will occur. Which is why the consumer is best served by a company that can provide them with an expert to handle any identity theft issues. Which is what we do with our staff of personal recovery advocates. Most identity theft protection services companies do not provide recovery services. They do not have teams of trained professionals. They do not see this as important. We obviously do. And so do the over 2.5 million people that rely on our recovery services.

Among other things, the author highlights that identity theft services whose only value is in setting fraud alerts or credit freezes for consumer, are vulnerable to potential legislation.

"[This] business [specifically mentioned were LifeLock, TrustedID, and Debix] is vulnerable if Congress succeeds in pressuring the three major credit agencies to make these theft-fighting measures cheaper and more accessible to consumers. Sen. Charles Schumer, Democrat of New York, criticized the credit companies last month for making identity theft freezes too cumbersome to set and lift. Each of the three credit agencies recently bowed to public pressure and made freezes available in all 50 states."

But this article is silent on the consumer need for professional ID theft recovery services. It is projected that over 10MM people in the US will fall victim to identity theft in 2008. Identity theft protection services such as ours, and those provided by others in this space, will help in turning this trend. But consumers should be told the truth. There isn't a silver bullet that will guarantee that you won't become a victim of identity theft. ID thieves are using increasingly more sophisticated means to steal from you. Which is why if you opt for an identity theft protection service, it should include expert, professional, personal recovery assistance.

Experian, Equifax and TransUnion Offer Credit Freeze to All Consumers

by Heather Wells (Recovery Advocate)

Starting this month, all consumers will be able to place a “security freeze” with the three major credit reporting agencies. This press release sent on October 31, 2007 details who is eligible to freeze their credit files for free and which folks may need to pay fees to each of the credit bureaus for this service. These fees are for "freezing" and "thawing" your credit files.

Before November 1st of this year, there were 39 states (and DC) that had laws on the books stating that their residents could freeze their credit files. Some other states had adopted freeze laws that applied to victims of identity theft only. With this new law, everyone is eligible, whether they are victims of identity theft or not.

A security freeze (a.k.a. credit freeze) prevents creditors and other entities from viewing your credit report without your express permission. When you apply for credit with a freeze in place, you must use a PIN provided by the bureaus to temporarily lift the freeze. The temporary lift lasts 2-3 days and the entire process adds a few extra days to the application process. The freeze is in place indefinitely until you decide to permanently lift it. Much has been written about the benefits and drawbacks of the freeze. If you are thinking about placing a security freeze, be sure to take into consideration all of the negative consequences as well as the positive.

For example, with a freeze in place, you may be denied employment because your potential employer is unable to conduct a background check. I have personally worked with victims of identity theft who were unable to purchase a new car at a "super sale" rate because they did not time the "thawing" of their credit files just right. On the other hand, there are many id theft victims who enjoy the peace of mind that the freeze offers them, and are more than willing to put up with any potential inconveniences or out-of-pocket expenses.

The three credit bureaus have more information on security freezes at their websites, www.experian.com, www.transunion.com and www.equifax.com.

Warning: Be on High Alert for Fake FTC Email Containing Virus

by Heather Wells (Recovery Advocate)

An online article from Reuters dated October 29, 2007, details the latest alarming scam aimed at the unsuspecting public. Reuters reports that an unknown number of consumers may have received a bogus email that appears as though it was sent by the Federal Trade Commission (FTC). The emails are not from the FTC and are instead designed to lure an innocent victim to click on attachments and links that could leave them vulnerable to Identity Theft.

“'The e-mail says it is from ‘frauddep@ftc.gov’ and has the FTC's government seal. But it was not issued by the agency and has attachments and links that will download a virus that could steal passwords and account numbers, the agency said.

'It's a treasure trove for identity theft," said David Torok of the FTC's Bureau of Consumer Protection. ‘We're concerned. The virus that's attached to the e-mail is particularly virulent.’”

Unfortunately, this isn’t the first time the Federal Trade Commission has had to issue a warning regarding bogus emails. In June of 2007, consumers were also under attack from fraudulent emails that looked like legitimate correspondence from the FTC.

The Federal Trade Commission is encouraging consumers to forward the email to spam@uce.gov, an FTC database, for investigation and then to delete the email. For more official information and instructions, go to the FTC website.

Synthetic ID Theft

by Doug Pollack

The Wall Street Journal this week published an article on synthetic identity theft titled "The Borrower Who Never Was" (Christoper Conkey, October 29, 2007).

It describes how an identity thief named James Rose would create synthetic identities, those that appear real on paper, but were actually used by him in order to trick financial institutions into making loans or issuing credit cards.

"Working with a partner, Mr. Rose tricked the guardians of the credit system -- lenders and the three big credit bureaus -- into treating his fake identities as if they were real, creditworthy consumers. He obtained several hundred credit cards in the names of Mr. Gregory and as many as 500 other fake personas over two years, filching around $750,000 over a two-year period."

Unlike more common identity theft, synthetic identities are used primarily to defraud financial institutions without affecting individuals. Mr. Rose noted that their goal was to "make a lot of money without actually hurting people."

Despite protestations to the contrary, some feel credit bureaus aren't doing enough to deter identity theft. In the case of synthetic identity theft, it is the knowledge of credit bureau procedures that enable criminals to create and exploit synthetic identities. Evan Hendricks, editor of Privacy Times, notes that "the credit bureaus are at the epicenter of identity theft and there's no pressure at this point to force them to make changes."

Business breaches a source of identity fraud

by Doug Pollack

A recently federally funded study on identity fraud by Utica College's Center for Identity Management and Information Protection "paints a complex portrait of the signature crime of the digital age, one that has been the top consumer fraud complaint to federal authorities for six consecutive years."

As described in a recent article titled In Many Major Cases ID Theft isn't Personal (Joseph Menn, LA Times-Washington Post, 10-22-07), this study challenges a widely held perception that a majority of identity theft cases occur with people that are known to the victim.

Based on 500 individuals arrested by the US Secret Service over the last several years, only 8% were relatives of or acquainted with their victims. The most common tool for identity theft based on this study was any of a variety of technology devices, including credit card encoders, computer printers and telephones, which contributed to 37% of the cases.

This study further reinforces the need for individuals to be very careful with their personal information, and how and when and to whom they disclose it, but also highlights that identity theft can occur even to those people that are consummately careful.

Clark Howard on ID Theft Services

by Doug Pollack

I've been a long time listener of Clark Howard. It is hard not to appreciate the solid advice on how to save money and not "get ripped off".

With the expansion of competing services targeted at consumers to protect from identity theft, it can be difficult knowing who to trust or what criteria to use in selecting a service. He has commented extensively on identity theft, and provided the following advice to his listeners:

"Clark gets tons of calls about identity theft. It has remained a real aggravation for people, especially when they have been a victim. ...The only time he would recommend paying for a service is if a human being comes with the deal, and that person is going to clean up your credit for you. "

After 4 years in the ID theft protection business, ID Safeguards launched a new consumer identity theft protection service earlier this week called FraudStop. FraudStop is distinctive in that it provides exactly this kind of personal service to victims of identity theft. The company has a team of experienced "recovery advocates" that, if a FraudStop member falls victim to identity theft, will personally take on their case and do everything necessary on their behalf to restore them to pre-theft condition.

While I realize that Clark Howard doesn't endorse products, which is part of his appeal, I am pleased that the FraudStop offering from ID Safeguards is in alignment with the advice that he gives to his listeners.

Gap Reports Theft of Laptop Containing Personal Information

by Heather Wells (Recovery Advocate)

800,000 applicants for employment with the Gap may have had their personal information compromised, according to a September 29, 2007 article in SFGate.com written by Carolyn Said.

“The San Francisco retailer on Friday reported the theft of a laptop containing unencrypted personal information for 800,000 job applicants. The data, stolen from the offices of a third-party vendor, covered job seekers in the United States, Canada and Puerto Rico who applied online or by phone between July 2006 and June 2007. Most of the applicants were seeking jobs at Old Navy, although some applied for jobs at Gap, Banana Republic and Outlet stores."

A majority of people think that it’s required to put their social security number, date of birth, and other personal data on an application for employment or on a resume. This is a common misperception that makes job applicants extremely vulnerable to Identity Theft. So, what are some items that DO NOT belong on a resume or job application?

1) Your Social Security Number
2) Date of Birth
3) Driver’s License Number

If a company requests any of this information simply write “see below” and then add a note at the bottom of the application stating that you would “be happy to give this information during the interview process.” Explain to your potential employer that you are simply protecting yourself from the threat of Identity Theft.

In general, employers do not make a hiring decision based solely on looking at an application or resume and they do not need this info unless they are truly interested in hiring you. The same goes applying for a job over the phone. Explain to the person taking down your name and work experience that you don't feel comfortable giving up so many other personal details on the telephone. You never know where your information could end up, on an unsecured computer or desktop, in a trashcan, or even worse, in the hands of an id thief!

Lose Your Customer or Employee Data?

by Rick Kam

Eric McNulty authored a Harvard Business Review case study September 2007 called "Boss, I Think Someone Stole Our Customer Data".

In this HBR case study, McNulty illustrates how a small business called Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.

90% of organizations lose or have customer data stolen each year (see related blog). If you are one of the 65 million business in America and have this happen to you, how would you respond?

The most important decision a CEO and/or Chief Security Officer will make is what to do once you find out this has happened to their organization.

Remain calm. Just because personal protected information may be lost or stolen doesn't mean that the information will be misused by perpetrators to commit ID theft of financial fraud. In many cases, the perpetrator was targeting the laptop to resell it to a pawn shop for a few bucks to buy drugs. But, you still have to act quickly to determine if the information was compromised and do a risk assessment of whether or not the information may cause harm if it were misused.

There are several questions you have to ask. Here are a few of the key questions:

1. was the information encrypted or not?
2. if it was encrypted, was the encryption key protected?
3. when did we discover the information was missing or stolen?
4. what information was lost (name, SSN, account numbers, etc.)
5. was there evidence to believe there was criminal intent?
6. did we contact law enforcement?
7. who knows about the issue?
8. how many records were compromised?

Once you have an initial assessment of the issue, you make a risk assessment, develop a risk mitigation plan, and implement your incident response plan. If all of these sound foreign to you, ask your privacy or compliance officer to do a review of your ability to respond to a data breach.

Free Credit Reports?

by Heather Wells (Recovery Advocate)

Everyone should check their credit reports at least once a year to make sure that all of the information contained in them is accurate and up to date. You should also check your reports for any information that is fraudulent, which could signal that you are the victim of Identity Theft. This includes accounts as well as personal information such as addresses and phone numbers.

There’s only one legitimate source where you can obtain your FREE credit reports and that’s http://www.annualcreditreport.com/. The law requires that each of the major credit reporting agencies-Equifax, Experian, and TransUnion-give you a copy of your credit report every year at no charge.

If you are ever online and are asked to enter a credit card number in order to obtain a copy of your credit report, DON’T DO IT. Many of the companies that advertise free credit reports and credit scores will enroll you in services that you don’t want or need. Cancelling these services once you’ve given over your billing information can be difficult or downright impossible.

So, before you give over your credit card number for something that is supposed to be “free,” don’t do it. Go to http://www.annualcreditreport.com/.

Share Your SSN with Anyone?

by Rick Kam

When is it OK to give someone your SSN, if ever?

The answer is ...

NEVER give out your SSN to an organization or person you don't know.

There are only a few reasons organizations need your SSN. One is if you are applying for credit. Say, you walk into your local car dealer and decide to buy a new/used car. The dealer will ask you for a copy of your drivers license and will check your credit report to see if you are an able buyer.

Another good reason an organization will ask for your SSN is if you are applying for a job. The employer will do some background and credit checking depending on the position you are applying for. If you are not comfortable with the organization having your personal information to do this background check, you may want to reconsider working for them.

The other reason is to pay taxes. The IRS will require your SSN on your tax returns. Many of us may ask why the IRS needs your SSN? Well, it is so they can identify that you submitted and paid any taxes due. Unless you want the IRS coming after you, it is probably a good idea to provide your SSN on your return.

If others ask you for your SSN, make sure you ask why they need it and ask how they plan to protect and destroy the information once they are done with it. It is incumbent on organizations to protect your personal information, especially with recent privacy legislation (i.e. HIPAA or GLBA).

Gone in 4 Seconds

by Rick Kam

Have you thought about how a perpetrator might steal your personal information? I came across this video called "Gone in Four Seconds." In this video, crooks prey on unsuspecting victims at a gas station, stealing their personal information while they are not looking.



Have you been a victim of ID theft? Share with our readers how this happened and any suggestions you have to help them avoid the crime.

Counterfeiting for the 21st Century

by Heather Wells (Recovery Advocate)

One of the most common forms of identity theft and fraud is what is known of as “skimming”. This method of stealing someone’s credit card or ATM card information by using a portable reader is easy to do and difficult to trace. It also can pay off big time for the id thief who chooses to steal using this method.

Skimming can happen to you anytime your credit/ATM card is out of your possession. Restaurants, gas stations, and bars are common places that a less than forthright employee can obtain all the information they need to make online purchases or create a copycat card. The out of sight id thief will also make sure to take note of the 3 digit security code on the back of the card.

Skimming can also happen at an ATM that has a skimming device affixed to the card slot. The device will pick up the information from the magnetic strip and store it for later use. A small camera is often used in conjunction with the skimmer to get the ATM users PIN so the id thief can drain the unsuspecting victim’s bank account later on.

The magnetic stripe readers go for around $200-$300 dollars on EBay last time I checked, (do a search for portable magnetic credit card reader to see for yourself). The mini ones are kind of cute, and come in various shades of gray, black, white, and tan.

So, what should you do to avoid being “skimmed?” Obviously we can’t follow employees around and look over their shoulder when we hand off our credit card for payment. Just be AWARE of your surroundings. Making sure that your ATM transactions are secure and that there is not a device attached to the card slot is a start. But really, the best defense in this situation is a good offense. Check your credit card and bank statements as regularly as you can. If you see any transactions that you are not responsible for, let the company or bank know RIGHT AWAY.

The Fair Credit Billing Act (FCBA) limits consumer liability for unauthorized or fraudulent charges on credit cards, with a liability limit of $50.00 per card. The Electronic Fund Transfer Act (EFTA) that provides consumer protection states that if the loss or unauthorized ATM/debit card transaction is reported within two (2) business days, the consumer’s liability for losses is limited to $50.00.

If reported quickly, your bank should refund the entire amount. If they don’t, or try to hassle you, be firm with them and escalate the situation to a manager or branch manager if that’s what it takes. They should also assign you a new debit card number and PIN. If your credit card company gives you a hard time, ask to speak with someone in the fraud department and request an affidavit/affirmation to sign and deny responsibility for all fraudulent charges. They should close your existing account and open a new one with a new account number. You also should notify your local police department to report the incident. This will help to protect your rights as a victim in case the situation escalates.

More ID Theft Protection Offered By State of Ohio

by Rick Kam

On July 24, 2007 the State of Ohio announces additional identity theft protection offered to help hearing impaired.

"The Ohio Department of Administrative Services announced Tuesday that it has contracted with Identity Safeguards, a respected national leader in identity protection and restoration services, to provide a one-year membership to the deaf community affected by the recent theft of a state accounting and financial system backup tape."

Over 350 institutions have been in the news since ChoicePoint went public with their data breach in February 2005. Many public and private organizations have to comply with recent privacy notification laws. 36 States have enacted similar legislation today that require an organization to notify affected individuals if information they lose or is stolen may be misused. State and Federal legislators struggle with whether it is better to notify or not.

On side of the argument says that people will become complacent if they receive lots of notification letters -- "over notification". For example, if you are a VA, accountant, and have a B of A account, you could have received three notification letters last year. The other side says, it is better for you to know what happened so that you can assess your risk and take appropriate action to protect your identity. This is what we believe is most appropriate.

What do you think? Vote.

Support for the Illinois Troops

by Heather Wells (Recovery Advocate)

This month, Governor Rod Blagojevich of Illinois signed a bill that will increase penalties for identity theft committed against members of the military who reside in Illinois and are serving abroad. House Bill 1236 is sponsored by State Representative Jil Tracy and State Senator John O. Jones.

This bill increases the penalties for identity theft by one class if the Illinois victim is an active duty member of the armed services, reserve forces of the US or of the Illinois National Guard serving in a foreign country. Each identity theft offense increases the penalty by one class. This new bill goes into affect on January 1st 2008.

Military personnel serving overseas are often victims or potential victims of identity theft. Thieves target service members when they have been deployed because it is harder for them to monitor their finances. Recently, a marine from Iowa had his good credit ruined by an identity thief while he was stationed in Iraq. According to this news story, the marine returned to the States and was turned down for a VA home loan.

Stories like this are extremely disheartening, but there is something that can be done for military personnel to decrease their chances of becoming victims of identity theft. It is advisable that all deployed military personnel place an “active duty” alert on their credit files to decrease the chances of their social security number being used fraudulently. This special alert is good for one year, as opposed to the 90-day initial alert available to all consumers. Both of these types of alerts are free and easy to place.

To place an “active duty” alert, or to have it removed, call one of the three credit bureaus (Equifax, TransUnion, Experian) and follow the appropriate voice prompts. Individuals will need to provide personal information including social security number, date of birth, address, and a phone number for notification purposes. The phone number provided to the bureaus will be the one a business may use for verification purposes if someone tries to apply for an account. A personal representative of the individual in the military may place or remove the alert.

Equifax: 1-800-525-6285; http://www.equifax.com/
Experian: 1-888-EXPERIAN (397-3742); http://www.experian.com/
TransUnion: 1-800-680-7289; http://www.transunion.com/

Contact only one of the three credit bureaus to place an alert – that bureau is required to contact the other two bureaus, who will also place fraud alerts on their files. If the contact information changes before the alert expires, remember to update it.