Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch”)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or re-set a password.

All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin. (“Banks Rely Too Heavily On Social Security Numbers, Report Finds”, Ann Carrns, New York Times)

Previously here: “Social Security Numbers are Worthless as Authenticators” (2009), or “Bad advice on SSNs” (2005).

“Proof” that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC.

And poor Frank was working so hard to claim that e-passports wouldn’t lead to impersonation or ID thefts.

I’m sorry that someone is impersonating Frank and using his passport to try to drain funds, but we told him that this would happen.


ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with long-term impersonation problems is the psychological impact of disassociation from your good name. It’s not just the financial costs of dealing with mistakes (although those are important), it’s the sense of dread in connecting to today’s society and the reputation infrastructures that have been overlaid onto our lives. It’s the fear of victims that they’re perceived as irrationally fearful, whingers or a burden.

And so I want to quote from a blog post from Debix:

It’s Bo here, CEO of Debix. Today, I’m excited to announce another industry first for Debix – a new feature of our OnCall Credit Monitoring™ product called AfterCare™.

The idea came directly from thousands of conversations with our concerned data breach consumers. The number one complaint we receive is about the gap between the “lifetime risk” the consumer perceives when told their identity is breached, and the 1-2 years of credit monitoring normally offered as a remedy.

We always do our best to explain why it is not feasible to provide 5, 10, 20 year or “lifetime” credit monitoring subscriptions, but none of the reasons are very satisfying. It is hard for the consumer to feel good about a remedy where the protection expires quickly but the perceived risk lives on. (Original in Debix blog post.)

That’s why I find Debix’s offer of a lifetime of repair to be so exciting. It’s someone on your side through all of that.

In other news about identity theft, there’s an interesting story about the head of Interpol having his ID stolen via Facebook. In the past, I’d be very skeptical of such a claim, but a great many folks present themselves to the world on Facebook, and:

One of the impersonators used the fake profile to obtain information on fugitives targeted in a recent Interpol-led operation seeking on-the-run criminals convicted of serious offences, including rape and murder.

Identity is hard, and all sorts of interesting stuff emerges from that chaos. Today’s news about AfterCare™ is on the good and interesting side of that.

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores.

I’d like to add one more danger of credit scores: deceptive advertising. The way it works is that a bank advertises a great rate for those with “perfect credit.” What it doesn’t advertise is what the curve of credit scores versus rates looks like. There are two issues here. The first is that the market is inefficient, as figuring out what actual rates are often involves talking to a human, and usually disclosing enough personal information to make a fraudster drool. Inefficient markets favor the side with more information (the loan offerer) and lead to less trade than more transparent markets.

The second issue is that everyone is misled by the headline rate. I’ve looked for data on what fraction of Americans are listed as having “perfect credit” or data on the distribution of interest rates people are really paying, and I’ve been unable to find it. For publicly traded companies, it’s sometimes possible to reverse engineer some of this, but not very much.

Puerto Rico: Biggest Identity Theft ever?

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people.

Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.

A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. (“Shock over voided Puerto Rican birth certificates,” Suzanne Gamboa, AP)

If I’m parsing that right, all 4.1 million identities were stolen from their legitimate holders, and 1/3 of those are outside Puerto Rico, leading to an unclear level of actual effort to get the documents replaced.

Now, some people may take umbrage at my claim that this is identity theft. You might reasonably think that fraud by impersonation requires impersonation. But the reason that it’s called identity theft is that the victim loses control of their identity. False claims are tied to their name, SSN, birth certificate, etc. Those claims show up at random. Their sense that they have “a good name” is diminished and assaulted.

You might also claim that I’m exaggerating, but I’m not the one who titled the article “shock.” People are feeling shocked, confused and assaulted by this action.

So despite the not for profit nature of the crime, this is identity theft on the largest scale I’ve heard about in years.

Image from the Oritz family showcase.

Can I see some ID?

Or, Security and Privacy are Complementary, Part MCVII:

Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash the ID and credit card in front of the camera. That way, he could sell the credit card number and address of someone who had no reason to report their card as stolen. Presumably they could then use it on the internet as many sites require the billing address when using a credit card. The corporation decided that there was too much liability in a restaurant employee having access to someone’s drivers license and began specifically requesting servers to not do so except to verify that the person was of legal drinking age. (“How I Learned To Start Worrying And Hate Showing My ID”, Consumerist)

I hadn’t thought about this particular aspect of stealing credit cards. It seems pretty helpful to have address and date of birth. When I think about this, the chaotic nature of how those around us accumulate and use information is hard to predict or track. There’s a value of minimal disclosure here. It’s yet another example of how protecting privacy protects security as well. Asking people to be aware of what emerges from the chaotic swirl of information is expensive.

Historically, the card brands have demanded that their cards be honored based only on the card system. They used to back you if a store asked for ID. As the system has come under attack, they’ve backed away from that, but the current state is hard to discern.

Consistency is an important part of how people form mental models. The whole world is making different demands about what’s secret. (Is your address a security string? Your frequent flyer number? The first street you lived on?) The demands of banks and merchants are changing rapidly from a consumer perspective. (Quick, do you know what the CARD act changes?) When the rules for consumers are chaotic, what emerges is misconceptions, superstition and best practices.

In the world of security, we’re going to have to work hard to provide a comprehensible set of workable and effective advice for people to follow.

Jail Time For ID Fraud

This past Friday, Baltimore resident Michelle Courtney Johnson was sentenced to 18 months in jail and a $200K fine for theft and use of PHI.

According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit.

It’s good to see more prosecutions and convictions for ID fraud. Hopefully this trend will continue.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on ChoicePoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

Identity Theft

Remember Identity Theft isn’t getting your credit card stolen, that’s fraud. Having the records that define who you are to an entire country and determine whether you can get a relatively high paying job get stolen. That’s identity theft…

Today’s Privacy Loss – English Soldiers’ Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers were placed on the Internet. These soldiers, who served with King Henry V at Agincourt, now have their information listed at www.medievalsoldier.org, exposing them to the chance of identity theft after nearly 500 years. The soldiers served from the years 1369-1453. There is no word as to whether they will get credit card protection yet.

Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.

“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”

So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”

We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.

My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”

For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.

Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers I sit in.

I suppose Publius isn’t completely blameless, but the only thing I’d criticize him for is his taste in names. “John J” would have been cuter, and heck why not just use “Jim Madison”?

However, the particulars aren’t really important. What’s important is the issues of pseudonymity, and so on. So I will move on to those.

Let’s get something straight from the start: pseudonymity and anonymity are not the same thing. I feel like it shouldn’t need constant repeating, but hey, if law professors can’t get it right, how can we expect other people to get it right? A pseudonym is an identity. It is an identity that is earned, because you don’t get to use any of your previous reputation. You’re starting from zero, especially when blogging.

There are many reasons people use a pseudonym. Publius did it because he’s a reasonably young law professor and has heard that there can be tenure issues for controversial blogging.

Maybe. If what you write isn’t very good, there’s a low cost to it, personally. But if what you write is good, then ironically, being known to be a pseudonym is better than the pseudonym itself. Mark Twain, Voltaire, and are better known than their so-called real names. Think of all the great actors and musicians who are known far better by their stage names.

This is why outing a pseudonym is a two-edged sword. It will likely irk the person using a pseudonym, but it’s less likely to hurt them, especially if they’re reasonably good. John Blevins is probably not going to have tenure problems, especially now that Whelan outed him. Ironically, he’s probably better off for having been outed than not and part of that is who outed him.

Well-known personages who are irked by pseudonymous writers may think they’re being attacked by some anonymous little nobody who is hiding, but no, they’re being attacked by an identity that’s just not easily tied to some SSN. The power relationship is such that the better-known person is unlikely to look good. Whelan certainly hasn’t come out on top on this one. While pseudonymity is somewhat controversial, it cuts across political lines and some of the most thoughtful criticism of Whelan comes from his admirers. And in the future, everyone in the law biz who remembers Publius will think better of Blevins. We human beings do that; that’s why the old movie star’s dictum about publicity is, “spell my name right.”

In other cases, the pseudonym still wins. Dan Lyons wasn’t hurt by being outed as Fake Steve Jobs. Joe Klein wasn’t hurt by being shown to be Anonymous. Juan Non-Volokh was probably helped by being outed, too, and Prof. Brian Leiter, who outed him, probably suffered in his reputation.

This is perhaps, I think, the most important point, as it’s simply practical. If a pseudonym ticks you off, you’re better off letting them stew in their own juices. The better known a pseudonym is, the better it is for the author to be known as the pseudonym.

There are exceptions to this, of course. If Publius were a politically conservative professor blogging out his inner liberal, there’d be a hypocrisy issue that would hurt him, but it doesn’t make it any more right. Thoughtful people who out hypocrites usually talk about the outing being necessary despite it being questionable.

Nonetheless, an important lesson to this is that as Feedie said, outing a nym is “a matter of basic decency” and “unworthy of someone with [his] impeccable professional credentials”.

The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!)

Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the driver’s license is. I mean, I know that the ID infrastructure is, in essence and aim, an infrastructure of control. Even so, I didn’t realize how far it had gone as a tool of compliance enforcement.

There’s more to say than I can get into this blog post. Short form: go read it. Slightly longer form:

There are lots of details that are just great. For example:

“The More ID checks in society, the more ID theft matters.” (page 11)

In a discussion of a 2005 deficit reduction act attempt to reduce Medicaid fraud: “A GAO study instead found that the major effects of the program were higher administrative costs …and denial of medical benefits to eligible US citizens” (page 14)

“In addition, some states will not issue a state ID until a person has caught up on all outstanding payments due the state, including traffic fines and child support payments. As ID requirements spread, persons who cannot afford to make all such payments may be denied the right to vote, to receive health insurance, or to become lawfully employed.” (page 16)

“…independent reviews of the E-Verify program have found that employers engage in prohibited employment practices…” (page 18)

My copy of this report is covered in markup, about “the computer is always right,” about linkability, about data shadows. In fact, about the only thing I don’t like is the title. I don’t think this is a divide, I think that identity has become an archipelago, a la the Soviet Gulag system.

In the preface to The Gulag Archipelago, Solzhenitsyn wrote:

And this archipelago crisscrossed and patterned that other country
within which it was located, like a giant patchwork, cutting into its
cities, hovering over its streets. Yet there were many who did not
even guess at its presence, and many, many others who had heard
something vague.

I think the archipelago is a better metaphor than a divide. A divide exists, and most of us exist on one side of it. But the identity archipelago! At a moment’s notice, we can be thrust onto its other side. A phone call, a letter, and our identity’s connection to the machine is broken. Our data shadow has sinned, and we are cast into the archipelago, forced to learn its ways.

In conversation, Peter has said that the Gulag analogy is too over-used, which is a shame. Maybe identity is more like an accident–you’re driving along at 35 and boom, you wake up in the hospital. Maybe it’s more like a vase, dropped and you’re cutting yourself picking up the shards. What’s the right description for the fragile system we have where people get violently yanked into the nightmares?

[Comments have been closed because of a flood of spam against this single entry.]

New ID Theft Research And Blog For Debix

Adam and I have discussed Debix several times in the past, so it will come as no surprise that I am again posting about them.

Debix now has a blog, which will be covering issues around identity theft, breaches and privacy.

Debix also released a new research study examining child identity theft. The most recent blog post contains some highlights from the study, including that one in twenty people (or one in every classroom) suffers from some sort of compromise to their identity before they reach their maturity, with an average of over $12K in fraudulent debt assigned to their names.

As the post says:

Kids are a great target for identity theft, because the younger you target them, the longer you have before it is likely that the act will be discovered, and as a result the corresponding amount of fraud that is committed prior to discovery is significantly higher with minors than with adults.

Check out the post and the full research study for much more detailed information.
[Image is identity-theft-2 from j_lovefool on flickr]