The Dallas Morning News doesn't mention whether or not the DISD will be contacting the people who have had their SSNs appropriated, but they did offer this detail:

The DISD-issued Social Security numbers began with "200" – a prefix assigned to people in Pennsylvania, and Mr. Phillips' office noted that many ended with sequential numbers.

In general, though, with the exception of the occasional criminal background check, the fake SSNs were supposedly kept away from any legitimate use, and even if your SSN fits the description above the odds are low anything bad has happened. We're just amazed at the school district's monumentally bad judgment.

"Dallas ISD faulted for using fake Social Security numbers" [Dallas Morning News] (Thanks to AttorneyWrangler!)
(Photo: Getty)

When Someone Else Uses Your Social Security Number [SSA.gov]

The Americans would beg and plead with the Filipinos to not unblock the account, and over and over again they would. Says our insider, "if US security had been able to intervene from the get-go, he would never have been able to do so much financial damage. For the rest of his life, the true owner of that account will be dealing with the effects of this crime." It's not the outsourced place's fault, though. They're just following orders. It's whoever designed the laminated binder they were blindly following that should really be held accountable. Read the whole messed-up story below.

Our insider writes:

A guy calls up on the direct number, his voice is distinctive: deep, but nasal, like he has a cold. I ask for his name and account number. He tells me his name but says he doesn't have his card with him. Step two: I ask for his social security number. He "ums" and "uhs" for a second and I'm certain I hear a faint rustling of papers in the background. The number he gives me isn't linked to any account on file. As soon as I tell him this, he hangs up. It was odd, but I wrote it off. Calls came at a snails pace and it wasn't unusual to have 20 minutes in between them. So when a couple of minutes later I got another one, it was strange. Once again it was a call from the direct number. I ask for name and number and the voice is strikingly similar. The name he gives is different but again he has no number. I ask for the SSN and again I can hear papers rustling while he stalls. This time an account pops up. He fails verification of the mother's maiden name and immediately hangs up. By this point I'm laughing about it with my co-workers because he seems such an inept thief. As the nights go on, we start to get more calls from him. I say "we" because this was the only call center that the phone number goes to and there were only about 15 of us on staff at any given time. He had the same mannerisms for every interaction and it became such that as soon as any of us got one of these calls we immediately put him on hold (usually making up some innocent sounding excuse) and tried to put him through to security. The problem with the Philippine security department quickly became apparent.

The US security department had access to LexisNexis. If you're not familiar with it, it's basically a encyclopedia of everybody's life. Previous addresses, family member's names, jobs, schools, anything and everything that could be linked to your name and/or social security number. As an example of how incredibly (and frighteningly) thorough it is, when my now 30 year old brother was a tot, he liked to respond to junk mail with a fake name; this fake name came up as a former occupant of my parent's address when I got a chance once to do a search on myself (we had it in collections). Chase didn't trust the Philippine department to have it though. In fact, the only information they had the ability to verify was what was on the account: name, social security number, mother's maiden name, and recent purchases if they felt like being that diligent.

Here's the part of the story where some poor guy's account get's completely f-ed. This thief had been bounced to the out-sourced to security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he managed to get the answers to these questions. Now when he called, he could give us the information we were asking for, but by this point we knew his voice so well that we still tried to get him to security. It worked like this: We put him on hold and dial the extension for security. We get a security rep and start to explain the situation; we tell them he was able to give the right information, but that we know is the same guy that's been calling for weeks and we are certain he is not the account holder. They begrudgingly take the call. Minutes later another one of us gets a call from a security rep saying they are giving us a customer who has been cleared by them. And here the thief was back in our department. For those of us who had come to know him, the fight waged on night after night.

Chase is a revolving door. If you work there longer than a year, you're considered to have seniority. The few of us who knew this account was being raped could do nothing to protect it. Some newbie wouldn't know about the situation and would let the thief have his way with the account. The US security department became aware of the issue and put blocks on the account as well as incredibly long notes that explicitly said to not remove the block for any reason at any time. But sure enough, over and over, the guy would call in overnight, talk to the out-sourced security, and the block would be removed. Again, they were only able to verify with him with information that he was already known to have, yet that never seemed to deter them from clearing him.

Things got quiet for a while, and we thought maybe he'd finally been stopped from unblocking the account. Turns out that he'd actually been caught, but only after more than $40,000 in fraudulent charges on this one account. I cannot stress enough that if US security had been able to intervene from the get-go, he would never have been able to do so much financial damage. For the rest of his life, the true owner of that account will be dealing with the effects of this crime.

I wish I could this was the only time I saw the security department failing at securing an account. There was a consistent problem with the overt cultural difference. A man calls in and says he's the cardholder "Angela" and you find yourself trying to explain to security that Angela isn't a man's name and the odds of it really being his name are slim. And they just see it as cut and dry: He says he's Angela, so he must be.

To be fairer than Chase deserves, I'll note that I've been out of there for almost two years, so it's quite possible that it's all ponies and rainbows now. I'm gonna go ahead and assume though that it's run as poorly as ever.

(Photo: brycej)

Sarkozy bank account raided in internet scam [Daily Telegraph] (Photo: malias)

• A NYT article today talks about how the FBI is understaffed to investigate financial crime because it shifted almost 1/3 of its force to anti-terrorism duties.
• A UK bank group says phishing attacks rose 186% from January to June 2008 over the same period last year.
• According to this phone-survey study, both the frequency and dollar amount involved in identity theft has gone down over the past three years.
• The FTC is a great resource, but the most recent, relevant, report I found was from 2007

F.B.I. Struggles to Handle Wave of Financial Fraud Cases [NYT]
Bank turmoil fuels phishing boom [BBC]
2008 Identity Fraud Survey Report [Javelin Strategy]
FTC Releases Consumer Fraud Survey [FTC]

If you have a friend who's working overseas, let her know to watch out for this:

I'd like to tip you about a scam going around Japan right now, and possibly Asia (I live and work in Japan), and maybe other places. It's a fax from being sent to foreigners, and in my case to schools. I've received it once and many of my friends have too.

The form is attached [pdf], claiming to be from "Internal Revenue Service IRS.gov", and prompts the recipient to complete form W-8BEN, which is a tax withholding form. Sure, sounds legit at first, but scroll to the 2nd page (page 1 of the fax) which has a W-8BEN "Substitute Form" that asks for personal info including your bank account number, SSN, and a copy of your passport among other things.

Then it asks the person to fax the form back to +1-206-888-1766 within one week to get a ficticious w-9095. Please inform your readers that this is a scam! I (nor my boss) don't know how this person got the fax numbers, and one of my friends recieved this even though she's from England so perhaps they are trying random numbers.

If you receive one of these faxes, report it to the Treasury Inspector General for Tax Administration at ustreas.gov/tigta.

Install a VPN program and run it every time you go online using a public Wi-Fi hotspot.

Using a public Wi-Fi spot without a VPN is like shouting everything across the room in plain English—anyone who wants to listen in, can. Using a VPN is more like shouting in a made-up language that only you and your twin sibling understand. A VPN will encrypt anything you send from your laptop to the Wi-Fi router, so that nobody else in the coffee shop, student center, or hotel can see what you're doing.

If you work for a large company, odds are your IT department has already got you using a VPN when you're traveling or working away from the office. If you're everyone else—a freelancer, a student, a small business owner with one or two computers and no real "back-end" system—then many of those VPN solutions are out of your reach. Either they're too complicated to set up without computer skillz or they're too expensive.

Luckily, there are cheap VPN programs you can install on your laptop that are more or less self-contained: you install the app, then launch it when you log on to a Wi-Fi network, and everything you do online from that point forward will be encrypted. There's also a hardware-based solution—a USB drive that you can plug into any computer for a quick VPN environment.

A couple of things to note:

1. When the website you're on uses https, your data is already encrypted. For some Google-based services (like Gmail and Google Docs), you'll be using https automatically or you can add the "s" yourself to force the encryption. But not every site offers this extra security.
2. These VPN programs are not the end-all in security solutions. If you're really serious about security, don't get your advice from this blog. Find a skilled computer security technician to help you set up an awesome home-based VPN solution (where you route all your laptop traffic through a home network remotely), or teach yourself how to do it with freeware and your router.

So with those caveats, here are some options you can consider. The first two programs listed below install the same as any other app, but I haven't tested the other three. If you've tried any of these and can share an opinion, please join in the comments below.

AnchorFree's Hotspot Shield
Free, but ad-supported. While browsing, you'll see ads appear occasionally at the top of the browser window. It's great if you infrequently need it, but annoying if you find yourself in a Starbucks once a week.

Witopia's PersonalVPN
$40 per year

HotSpotVPN
$9 per month (listed as a temporary price reduction as of October 2008)

iPig
Free with a 10MB cap / $30 for 30GB of data transfer

PublicVPN
$70 per year, or $7 per month

About that hardware solution: IronKey is a USB flash drive that offers a few extra features you can't get with the software above. It encrypts any files you store on it, and it comes with its own VPN software that runs automatically when you plug it into a Windows PC. It comes with the Firefox browser included, so you can surf the web through the IronKey no matter what PC you're using. It costs $80 for a 1 GB drive with a 1-year VPN subscription.

And finally, Consumerist reader Ein2015, who provided an invaluable service by vetting this article before I posted it, pointed out that there's an awesome open source VPN solution called OpenVPN. It's cross-platform and free, so if you're feeling techy and want to set up your own virtual private network using your home computers, you might check it out.

(Many, many thanks to Ein2015!)
(Photo: Getty Images and stevecadman)

Or, if you want to go the really cash-conscious route, make your own.

roguewallet.com (Thanks to Wells!)

Jeremy writes:

Just got a replacement card from Citi due to possible “compromise of information” but when I asked customer service who the merchant was who may have been compromised, she said she did not have that information, but that it came straight from Visa and Mastercard and that it happened in the last 6-8 months.

Trevor writes:

I logged onto my CitiCard professional account today and discovered an "important security messsage" that my account may be at risk due to a problem with a merchant's database. The CSR said someone had "hacked in" to a database. His manager said she didn't know which merchant was involved, and invoked the TJ Maxx case as an example. When I asked if this was of comparable size, she said it was, and the CitiBank was issuing new cards to people, and that mine should be in the mail already.

Update 09/19/08: We received another report this morning:

Just yesterday, I received a replacement card.

Logging onto their site, I got a message saying my card had been compromised. I decided to activate the new card, but pressed 5 for a consumer rep. This was not the ordinary rep with noise in the background. She had no "sell-up" scripts nor an ebullient demeanor.

She said my card had to be replaced due to a database compromise.

Lil ole me. A twenty-seven year old female, simply a poor writer in LA.

Capital One Bank— while I appreciate them sending me a letter telling me they sent a credit card to someone with my SS# yet a different spelling of my name AND address than what is on my records at all three Credit Bureaus— why ON EARTH would they still send out a card?

I called Capital One immediately and successfully prevented the criminal from getting that MasterCard card approved. They went ahead and froze the account. After reporting this to Capital One, they send a fraud claim not to me, the victim, but idiotically to the CRIMINAL who stole my identity. This, in turn, alerted the thief (thieves) to take quicker actions with fraudulently using my identity.

This was an act of negligence as well as an unsavory business practice on Capital One's behalf. Capital One Bank has obstructed the law by aiding these identity thieves who are involved with a federal offense.

I mean, wouldn't it make sense for Capital One (and ALL creditors) to make it a company-wide, mandatory practice to alert the customer BEFORE processing ANY requests with mismatched information from the credit bureaus?

So, I called the Social Security and the Credit Bureaus to put a Fraud Alert on all accounts. Then, the LAPD. Capital One was "gracious" enough to give me the address that the criminal used— [redacted]. And courtesy of the White Pages, the residence of one Magdalena C.

What do I do now? Wait until the LAPD finds her? Call the cops on her? I mean, have they thought of looking this woman up on www.whitepages.com? The internet make identity theft so easy, and perhaps catching the criminals easier too.

I hope this Magdelena C. gets locked up for a LONG time.

Sincerely,
A Victim of Identity Theft

We agree that Capital One showed some extra special incompetence there with the fraud claim form. Maybe you should report what happened to the FBI too—that's a link to their local office locator.

Update: As our editor Ben Popken and some of our readers point out in the comments below, there are a few other things you should do, Lisa, to protect yourself.

• Place a freeze on your credit reports. A fraud alert won't necessarily prevent future abuse. A freeze will.
• File a report with the FTC's ID Theft Hotline: 1-877-IDTHEFT (438-4338) or http://www.ic3.gov/complaint/default.aspx
• And make sure you filed an actual police report with the LAPD if you haven't already.

(Photo: Getty)

Preferring not to have his credit report read without a written agreement, Steve said no. A week later, a card arrived in the mailing congratulating him on signing up with free credit report monitoring services from Intersections Inc! It even included the Terms of Service that the rep said they were supposedly unable to send out.

A conference call later between his bank and Intersections his problem is on the way to resolution, but of the experience Steve writes, "Identity theft is a real problem. It happened to one of our staffers recently. But after this experience, I think "services" like this are part of the problem, not part of the solution."

Identity Protection . . . Not?! [Steve Jackson Games Daily Illuminator] (Thanks to John!)

March 25, 2004; March 26, 2004; June 23, 2004; July 2, 2004; July 3, 2004; August 4, 2007; August 5, 2007; August 13, 2007; and August 14, 2007. You could also be at risk if you shopped at their Fresno Cali store between November 26, 2003 and October 24, 2005. If the above describes you, review your credit card statements for unexpected charges and monitor your credit report for strange activity. Affected customers may receive a notice from their credit card company.

Forever 21 also announced the problem to its customers via a small link on its site labeled "Important Customer Info Notice" that no one will ever click on.

Press Release

It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.

The next time a staff member logged in, his or her username and password were collected, stored then put up for sale on a website operated by a branch of the Russian mafia.

The stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment.

Best Western fixed the security breach on Friday after being alerted by a Sunday newspaper, which had discovered the crime.

Best Western is "investigating further" and has temporarily handed control of their systems to its American team.

If you visited an affected hotel, you may want to immediately freeze your credit report and call your bank for replacement cards.

Hackers steal details of millions of Best Western hotel guests [The Telegraph]
Indian behind major cyber-crime in UK [Press Trust of India]
(Photo: Getty)

"We didn't piece any of this together. We just taped it to hold it together. None of this has torn through at all," Amelia McBride said.

"You get the wrong people get a hold of this information, oh my gosh! They could have a heyday with this one box," Michelle McBride said.

"I was just in shock. I just couldn't believe that they're using shredded up checks as packing material," Amelia added.

The McBride's contacted the company that shipped and packed the peppers, WHH Ranch Company.

Owner Bill Hamzy says the family owned and operated business has been using shredded paper from the same Texas bank for years.

He says the McBride's are the first to notice the problem and one he will fix immediately.

It's great that WHH Ranch agreed to stop packing goods in shredded checks, but what sort of insanely reckless bank was handing them out to begin with?!

Packing material poses threat to customers of one Texas bank [KTKA] (Thanks to Aaron!)

1. Enter all of the email addresses in the "BCC" or Blind Carbon Copy field.
2. DO NOT enter them in the "To" field.

(Photo: Getty)

U.S. charges 11 in theft of TJX customer data [Forbes]

Chris only noticed the massive withdrawals after the police arrested the thief.

They said they caught this guy at BestBuy trying to use somebody else’s credit card to buy a whole bunch of computers. Apparently BestBuy’s register system pops up an alert code if there is somebody trying to use a card that has been reported lost or stolen, and they call the cops. Impressive. The police caught the guy red handed. With drugs. And paraphernalia. And a bunch of people’s personal information.

At the time, I thought they got the sucker before he could do any real damage. But just to be safe, I checked with Bank of America. I was shocked to see my account was overdrawn by almost $300. Last I checked, I had almost 40k in there.

A quick review turned up 5 suspicious transactions. Two were deposits, and three were withdrawals. All five transactions occurred *inside* five different Bank of America banking centers. What amazed me most is the final two transactions. A withdrawal of 26k. And later that day, another withdrawal of 12.5k. Way to spot suspicious activity Bank of America. They handed the guy almost 40k in cash in one day.

Turns out the first two transactions where not just deposits. They were checks written to me, Christopher Hooley. The first one was $6200. The guy kept $5k and left $1200 in my account. The next one was a day later at a different center for $7500. Again, the guy kept $5k. I saw the debit slip online, and this guy’s signature wasn’t even a remote attempt to copy mine. To make matters worse, it turns out he was forging checks from another valley business, who subsequently called the police on ME!

Great work protecting your customers, Bank of America!

Way to Spot Suspicious Activity Bank of America [Chris Hooley's - ThinkBait-]
(Photo: Getty)

We wrote about Hoofnagle's research in February, when he was analyzing identity theft at banks. Since then, he's expanded his research to include incidents at all companies.

Although the research is useful, Hoofnagle concedes that it is imperfect: a customer who falls for a phishing scam doesn't necessarily impart any fault to the company. On the other hand, the amount of phishing-related identity thefts is dwarfed by other types of fraud, such as new accounts created from pre-approved credit solicitations. Hoofnagle asks for increased transparency by businesses, which would provide more useful data and lead to better analysis.

Measuring Identity Theft (Version 2.0)

According to neighborhood gossipers on the Brooklyn Heights Blog, which tipped us to the story, Kaufman has a bit of a reputation for being shady. Several of the commenters also report fraudulent charges on their own accounts after eating at one of Kaufman's restaurants. Many of the reviews of Blue Pig online accuse it of using cheap factory-made ice cream and selling it as homemade, so maybe that was an early sign that honesty wasn't a high priority for Blue Pig's owners.

"Busted Chef; Heights food shop owner arrested on identity theft, forgery" [Brooklyn Paper]
(Photo: jere-me)

This SlickDeals forum thread talks about how if a merchant manually bills an account, without sending it through their credit card processor to get appropriate authorization, the bank will pay them without question. The good thing is that charges that are received by the bank that come through without an authorization attached are very easy to initiate a chargeback on.

Once again, it is up to the consumer to examine his bills and make sure his ass is protected.

Virtual credit cards are no protection [SlickDeals] (Photo: Getty)

"Step 1: Place a fraud alert on your credit files and monitor your credit reports regularly."
Contact at least one, but preferably, all three of the credit reporting companies and tell them to place a fraud alert on your credit report. Also provide a "victim's statement" asking them to notify you before making changes on current accounts or opening new accounts. You can reach the credit bureaus a few different ways:

Equifax : 1-800-525-6285; P.O. Box 740241, Atlanta, GA 30374-0241

Experian : 1-888-EXPERIAN (397-3742); P.O. Box 9532, Allen, TX 75013

TransUnion : 1-800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

There are also several other ways to get your credit report and a monitoring service.

"Step 2: Close the accounts that you know, or believe, are not opened by you or have been tampered."
Call each creditor and close any account that has been compromised by the identity thief. Request that the accounts be "closed by creditor's request," a simple "closed account" can reflect negatively on your credit report. Ask each creditor to send you the transaction records the identity thief made on your account. Creditors must provide this service, and do so at no charge.

If you encounter difficulty getting these records, send your requests by certified mail with return receipt requested so you have a document of when the creditor received your request.

"Step 3: File a complaint with the Federal Trade Commission (FTC) ."
You can file a complaint with the FTC online by filling out an online complaint form or you can call them at the Identity Theft Hotline at 1-877- 438-4338; TTY: 1-866-653-4261. You can also notify them by sending a letter to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

"Step 4: Contact your local police or the police in that community where the identity theft took place and lodge a complaint."
Contact and inform your local police department about the crime and submit as much proof as you can. It is recommended to supply them with a copy of your FTC ID Complaint form, your cover letter and any other paperwork that support your claims of identity theft. Once you make sure the police report contains all the affected accounts, send it to all the applicable creditors.

"Step 5: Change all your account passwords."
If the identity theft involves your ATM or debit card, change their PINs. Add passwords to any account that doesn't have one and avoid obvious passwords.

5 Steps To Take If Your Identity Is Stolen [DebtConsolidationCare]
(Photo: Getty)

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened, here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.



I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise's actions were inappropriate and they'd get in touch with the franchise.



Dear Curves, Respect Your Client and Employee

A reader named Ben writes,

Chase.com doesn't know how to protect their customers passwords. Their login page does not use a secure connection
(see attached). It uses http instead of https. That means that your password is not encrypted when submitted, which is pretty bad for a financial site. (However, they do care enough to include a meaningless, fake "secure" lock icon next to the login form.) I spoke with them a month ago, but they haven't changed anything.

Once you've logged in, everything is encrypted, but that initial password transmission on the home page isn't. Fortunately, if you're a Chase customer you can change the address manually to https (just add an "s" to the end of the "http" and hit your enter key) to trigger the encryption.

Note: A couple of initial comments were lost from this post, but we thought this one from beavis88 was good to know:

As long as the target of the form is an https url (and it is), the data will be encrypted. This is bad form, no question, but they are not total and complete idiots at least.

"At the time that the woman passed away the family tried to cancel all of her credit cards, but it's believed that this one was inadvertently left out and a renewal card was sent in the mail. We think the granddaughter got a hold of that and took advantage of the situation,” said Officer Katie Flood.

Our favorite detail: the couple used the card to pay for the boyfriend's $500 DWI court costs. Grandma would be proud.

"Police: Couple Used Dead Grandma's Credit Card" [KOLN KGIN]
(Photo: Getty)

"Taking it seriously" is a phrase companies use over and over again in public statements whenever they have bad PR. Our series of posts on occurrences of the phrase is our attempt to question how seriously companies are really taking these matters if every time they trot out this phrase by rote.

(Thanks to Michael!)
(Photo: cmorran123)

The victims purchased gas at Arco stations, which only accepts cash or debit cards. Thieves attached a card-reading device to the payment machine's keypad that allows them to steal bank card numbers and personal identification codes.

It can be hard to spot a modded card reader or ATM machine, although if you see something that looks blatantly tacked-on you might want to think twice before swiping your card there. Snopes suggests you "get into the habit of using the same ATM for almost all of your transactions so as to better recognize when something is different with the machine."

"ATM card thieves have struck statewide" [MercuryNews.com]
(Photo: blmurch)

1. Don't write checks.

Here's the reason: If I write a check at Walgreens or CVS, I'm leaving that check behind with the clerk. And on that check is my name, address, phone number, my bank's name and address, my bank account number, routing number, and my signature. And if that store clerk writes down my driver's license on the front of the check, in nine states—including the one I live in—that's my Social Security number, too. Then, next to it he writes my date of birth.

"Well, I don't get that check back. So I don't know if CVS destroyed the check, if they put it in a warehouse for seven days or 30 days. What I do know is that anyone who sees the front of that check has more than enough information to draft on my bank account.

2. Make sure the IRS cashed your tax check. Crafty thieves look for envelopes addressed to the IRS and, like resourceful squirrels, rip out the delicious fruit inside and claw off the IRS' name and replace it with their own.

3. Don't put checks in your mailbox. "That's like putting the flag up [for fraudsters] to come get my mail." Entrust your check-filled envelopes to the post office.

4. Treat your checkbook like cash. Leaving a checkbook exposed in your car is like hanging a sign on your windows reading "Smash Me!"

5. Balance your checkbook, or at least keep an eye on your online bank statement:

About 51 percent of Americans do not reconcile their bank statement—they don't even open it. Banks love this because we have a law in the United States called Article 3, Section 406 of the Uniform Commercial Code. It says that you have 30 days from receipt of your statement to notify the bank of any discrepancies that may appear on your statement. If you don't do that, then the bank has no liability to pay you.

Our online banking setup keeps us from hunting down the checkbook lurking somewhere in our apartment. Do people still use checks?

5 Ways to Avoid Being a Check-Fraud Victim [U.S. News & World Report]

It's alleged that while Jackson worked at Time Warner, she received a payment on a customer's account through a credit card and kept the victim's credit card numbers. This allegedly happened at a call center located in Blue Ash, according to a Time Warner representative.

In the following weeks, Jackson allegedly ordered items over the internet and over the phone using the numbers.

Investigators said Jackson had the items sent to her home, but it is not yet clear whether that led to her arrest.

Wait, she used the stolen info to shop and mail things to her own address? We're going to allege that Jackson was an idiot.

"Former Time Warner Cable Employee Arrested For ID Theft" [WCPO News]

Remember TJX's gigantic security breach problems last year, where data on 94 million accounts was stolen? Good for you, because apparently TJX doesn't. A former employee of a TJX store in Lawrence, Kansas was fired recently for posting anonymous complaints online about the current sorry state of his store's security, which included the store manager writing server login and password information on a sticky note, and the store resetting employee passwords to blank fields.

According to The Register,

Benson's May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company's network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

TJX says the former employee divulged confidential information, but Benson claims that he's acting as a whistleblower to get them to improve their security:

"My information is still on that server," he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. "So if their network is insecure, then my information is insecure. I'd prefer they get it fixed."

"TJX employee fired for exposing shoddy security practices" [The Register] (Thanks to Will!)
(Photo: crazytales562)

From May through July, 2006, Hartman went on a spending spree with a shopping list that included:

• 1 Pickup truck for $48,000 on June 5th

• 1 Pickup truck for $49,000 on June 10th
• 2 Dodge Durangos for $77,000 on June 14th
• 1 Dodge Viper for $94,000 on June 24th

Additionally, Hartman signed agreements to buy 2 ATV's, an RV, 2 houses and mountain property which came to $3.2 million. "Did I go overboard in buying a few vehicles. Probably did," Hartman said from the Jefferson County Jail. "But it wasn't identity theft. My brother approved of all of it. I didn't have the credit. He did. So we used his driver's license and Social Security number to make the purchases." Yeah, right.

Hartman's brother Ed was unaware of any of the purchases until he received a call from a suspicious employee at the ATV dealer. She asked for the original driver's license and when Hartman couldn't produce it she called the cops and he was arrested. Ultimately, all the purchased vehicles were recovered.

We're amazed to see how much damage can be done with a mere social security number and photocopied driver's license. It underscores the importance of keeping your identification safe and your SSN private. It seems like common sense that businesses should require an original, non-photocopied piece of identification, especially for extravagant items. Apparently, these businesses were too eager to make the big sale to consider such trivialities.

Convicted felon spent $3.2 million in 3 months [9 News] (Thanks Naughtyconsumer!)
(Photo: 9 News)

The clerk told Pete it was for loss prevention. Wait, what? Pete had the parts in his hand, and the receipt that showed he'd paid cash for the parts the day before. You mean there's no way RadioShack can track its purchases more precisely than matching up mailing addresses of anyone who walks into the store?
 
Here's Pete's email:

Dear Consumerist,
 
I have been avoiding RadioShack for ages ever since they started asking you for your street address and phone number just to sell you something. Once they stopped that practice, I reluctantly began returning to buy the odd piece for my electronics projects when I ran out of something and didn't want to wait for an order to be shipped from on-line retailers. At any rate, I was out running errands the other weekend and saw a RadioShack, remembering that I needed a couple of potentiometers for an amplifier I was working on, I stopped to make my purchase. Wading through the overly "helpful" employees I found the electronic components area. But, I couldn't remember the exact values of the potentiometers I needed so I grabbed all they had, paid with cash and was on my way.
 
I went back the following day to return the un-opened potentiometers that I did not need - receipt in hand. The process went smoothly until the clerk asked for my street address. I told him that I prefer not to give that information out. They claimed that it was for "loss prevention purposes". I say "they" because another cashier came over, presumably for moral support to his co-worker. I told them to make an address up - no dice, claiming the "system" "will kick you out". I tried to explain that I have the receipt and the un-opened parts and that I paid with cash so they would have no way of knowing that I was the person who originally purchased them anyway, no luck. I tried for store credit, same result.
 
I suppose, I could have made up an address, or even given them my real one but i didn't feel like it. I shouldn't have to be put through a personal information wringer to complete a legitimate transaction that happens every day at normal stores. I felt like I was being accused of theft or had to in some way, justify my actions.
 
I will say that the employees weren't rude and they were just carrying out what they were trained to do. In the end, I took the ~$10 worth of potentiometers home with me, where they sit waiting for a new project.
 
Is this normal business practice, or is it time for RadioShack to get with the times for its data mining?

(Photo: Brave New Films)

Earlier today I got a call from a Chase telemarketer.  He called to inform me about a great Fraud Protection service.  The caller vaguely described what was covered over the next minute as he read his prepared script.  Toward the end of the script, he said that Chase would be sending an informational brochure and that I would have the opportunity to review the information with my family before I proceeded with the purchase of the Fraud Protection service.
 
At this point, I initiated the end of the conversation by saying: "I'll review the materials when it comes in the mail".
 
Chase telemarketer mumbled: "Ok, I'll charge you $7 and ship the information out to [Address]".
 
I cut him off mid sentence and asked him to repeat and clarify to make sure what just happened.  He indeed signed me up without my permission.
 
I proceeded to tell him "NO" in a strong and firm voice.  "I did not agree to pay anything, I did not agree for any service".
 
I politely requested that he send me the information, and not sign me up for the fraud protection.
 
At this point, I was about to hang up the phone when he came back with "Mr. XXXX, don't you know that some one's identity is stolen every 4 minutes"
 
I replied, "No, I don't want the service"
 
Chase telemarketer rudely cuts me off: "but Mr.  XXXX, what are you going to do when someone steals your identity?"
 
"No, Didn't you hear me?"
 
Chase telemarketer cuts me off again, "but you arent safe...."
 
I slam the phone down.
 
You just lost another customer Chase.
 
Now I have to call back and make sure that he didn't sign me up.  I feel like I need protection from Chase's employees from stealing my identity rather than some stranger who might steal my credit card or something to that effect.

(Photo: jebb)

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."

"Identification of potential donors who were active in the philanthropic community was one objective, along with identifying individuals who had corporate relationships, such as board service, or were affiliated with relevant community programs and health care biomedical organizations," Kaarlela said.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

To Dixon, the expert on medical identity, the disclosure lag was far too long.

"In Internet years, that's a century," she said.

In January, California began requiring health care providers to alert consumers if their medical information is breached. Swift notification is considered important so consumers can monitor credit reports and bills.

According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given "in the most expedient time possible, without unreasonable delay."

"It's a judgment call, the how and the when part," McNabb said. "The idea is to give early warning so that people can take defensive action. On the other hand, you don't want to needlessly worry people."

It's not the worst case of lost records we've seen, but mining for donors seems so much worse than "whoops, lost another laptop!" At least people's social security numbers weren't included with the data. People who think their identity may have been stolen should pour themselves a stiff drink before sitting down to read this comprehensive post.

6,000 UCSF patients' data got put online [San Francisco Chronicle] (Thanks to Paul!)
(Photo: Getty)

Here's Cole's email. We're going to pull out the actual URLs so we don't encourage more snooping, but we tried Cole's method and were able to pull up customer infor screens on our own:

My friend pre-ordered GTA4 from BestBuy.com and since he doesn't have a printer he forwarded me the confirmation email of his purchase so I could print it out. The confirmation email contained a link to print out the page if you were having trouble viewing the email from within your email client. I was (since the message was forwarded to me the styles and images were all messed up), so I clicked the link which took me to [redacted]. I was curious how random the &e parameter was so I decided to play around with it and discovered it isn't really random at all and by incrementing a certain part of it I was able to find home addresses of other users of BestBuy.com who had packages shipped to them.
 
This seems like a pretty serious privacy issue as I am now able to find full names and addresses of people that have bought something from BestBuy.com and had it shipped to them.
 
Cole

N.J. Class Action Lawsuit Filed Against LifeLock Alleging Deceptive Marketing Regarding Limited Level of Protection Against Identity Theft [CNBC]

First up:

I believe all credit card companies print "not valid unless signed" on the back of the cards they issue. The credit agreement is with the credit card company, so why would someone think they can circumvent this requirement? Many say they are protecting themselves against fraud.

[...]

Technically, cards must be signed with the holders' names, according to both Visa Inc. and MasterCard International Inc., the two largest payment networks, and cards with "See ID" or "Ask for ID" written on the back are not a valid substitute.

Next up:

Some customers may think writing the terms on the panel on the back of the cards would deter fraud or forgery. But Visa's rules for merchants say that "In reality, criminals don't take the time to practice signatures: They use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures - they may even have access to counterfeit identification with a signature in their own handwriting."

Some readers don't like showing identification, which is fine. Nothing in the cardholder agreement forces you to take out your driver's license.

"Ask for ID" appears on our card next to our signature. Few people ask for ID. The ones that do, though, almost always ask when we're making a large purchase, the kind we don't want surprising us on our credit card statement.

It doesn't relieve us from protecting our card from misuse, but those three simple words make an excellent last line of defense.

What do you think? Annoying invasion of privacy, pointless distraction, or essential safeguard? Duke it out in the comments.

'See ID' phrase on back of credit cards doesn't deter fraud [Boston Globe]
(Photo: Getty)