HOME COMPUTING SECURITY

http://www.homecomputingsecurity.com

 


 

What: Identity Theft

Why: Risks are much higher with internet transactions

How: Vigilance is a necessity, along with secure methods and common sense

Detailed Information

 

The Privacy Rights Clearinghouse estimates 15 million people will have their identity compromised in 2006, an increase of more than 350 percent over 2005. 


Here is a true, sobering story:

"I spent the better part of 2002 repairing the damage caused by a criminal in Dallas who stole my identity. Finally, after countless hours on the phone and Internet, piles of paper and untold trips to the post office, I came out of the experience with my credit restored and my sense of security destroyed.

Now two years later, the same criminal is trying again to get credit using my identity. The first question to ask is how did this happen again? I did everything I was supposed to do. In my opinion, I was attacked a second time because the system put in place to combat identity theft doesn't work.

An identity theft victim is told to notify the three credit bureaus to place a "fraud alert" on your credit reports. When you do this, creditors are supposed to notify you if someone applies for credit using your information. I found out the criminal is attacking me again when two creditors notified me. There are, however, other creditors who did not.

A victim is told to file a complaint with the Federal Trade Commission. According to the Department of Justice Web site, the FTC is responsible for "receiving and processing complaints from people who believe they may be victims of identity theft ... referring those complaints to appropriate entities, including the major credit reporting agencies and law enforcement agencies."

According to the FTC Web site in a database that law enforcement can access, the only use I can determine for the complaints is to compile statistics to tell me that identity theft is rising. A victim is advised to file a report with local law enforcement. During my first attack, local law enforcement would not take a report, and the local state attorney's office told me they didn't have the resources to investigate. I also notified the Las Vegas police because a $15,000 loan was processed there. They did nothing. The Dallas police were the only law enforcement agency that tried to help me. During this second attack, local law enforcement took the report but can't investigate; they can only forward the complaint to Dallas.

In 1998, Congress passed the Identity Theft and Assumption Deterrence Act making identity theft a federal crime. According to this law, the [Federal Bureau of Investigation] is supposed to investigate identity theft, and the DOJ prosecutes. When I contacted the Baltimore FBI office, they treated me like a fly at a picnic. The Dallas FBI office told me they don't have the resources to investigate identity theft unless the victim incurs a monetary loss. A "monetary loss" does not include out-of-pocket expenses to clear my credit history.

In my case, the creditors must file the complaint because they incurred the loss. The creditors don't have a real motivation to file a complaint because they can write off the bad debt and they get a tax credit.

The federal government has enacted laws to protect you, but you can't get the appropriate law enforcement agencies to investigate and prosecute. Your local government is not able, in most cases, to prosecute identity theft. They must, instead, prosecute credit card fraud. The federal penalty for identity theft is up to 15 years in prison and an unspecified fine. In Maryland, the penalty for credit card fraud is up to 18 months in jail and a $500 fine, so I assume most states are about the same.

If you are an identity theft victim, the system will not help you unless an outrageous amount of money is involved or multiple victims are attacked (like the recent George Mason University case). The federal government passes laws that aren't enforced for the average victim. Local law enforcement is often powerless to stop the criminal. Creditors are not accepting responsibility for their part in the problem.

You are on your own.  Alicia A. Morris, Waldorf"

(Scanned this from a letter to the editor of the Maryland Independent in Feb., 2005.)

 

Techniques Used By Criminals to obtain your personal information and identity:

(summarized from McAfee White Paper)

Traditional-Physical Methods:

  • Computer and Backup Data Theft - from corporate offices, homes, while being transported

  • Direct access to information - house cleaners, babysitters, nurses, friends, roommates

  • Dumpster diving - retrieving information from trash bins is more common than you think

  • Theft of purse or wallet - pickpockets on the street, exercise rooms, public transportation

  • Mail theft and rerouting - easy to steal from a mailbox and receive priceless information

  • Shoulder surfing - people loitering around ATMs can be on the lookout for your personal details

  • Dishonest or mistreated employees - can access your personal data with bad intent

  • Telemarketing and fake telephone calls - an effective method on unsuspecting people. A caller can pretend to be from your bank and ask the victim to immediately verify information over the phone.

  • False or disguised ATMs (skimming) - a bank ATM can be imitated or altered.

Internet-related Methods:

  • Hacking - compromised systems and observed, stolen and diverted information

  • Unauthorized access - stolen passwords or hacked into a system online

  • Database theft - via unauthorized access by remote means

  • Phishing - fraudulent email and web sites appear legit but fool user into revealing personal information. This eBay form below is a fake site:

[Image: eBay fake site]

  • Pharming - an advanced form of phishing that redirects the internet connection between the user and the target server so that the user instead keeps going to a "mirror site." This can happen because of an installed Trojan, by social engineering manipulation or by Internet DNS server cache poisoning of address mappings.

  • Redirectors - malicious programs redirect the user's network traffic to fraudulent sites. The Hosts file on the user's local hard drive could be edited to insert incorrect address mappings, or DNS servers could be compromised on the Internet or on a corporate or campus network. The fake Bank site below is an example of an attack that happened to South American users of several banks in Dec. 2003:

[Image: Bank fake site]

  • Advance-fee fraud - a scam where someone receives an email requesting advance money so a wealthy deposit of money can be freed from some third-world country and a reward will be paid back to you for your help. Similar to a fake email or letter announcing that you have won some lottery and need to respond and pay some fee to collect.

  • Fake IRS Tax Form - you receive this fake form asking you to respond in 7 days or lose some special exemptions. You follow directions and fax it to a different location other than the IRS.

  • Keyloggers, backdoors and password stealers - malicious program gets installed onto your computer, capturing and transmitting your keystrokes up to a hacker using your email or internet connection. Parental control programs for legitimate observation of children's computer behaviors can be easily misused to spy on the computer user or an ex-spouse.

[Image: Observation and Spy software]
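
The Hosts file tampering described under Pharming and Redirectors above can be checked for on your own computer. The Python script below is an added example, not part of the original page or the McAfee white paper; the watched domains and the sample file contents are constructed placeholders.

```python
import ipaddress
import os
import sys

# Hypothetical watch list: replace with the sites you actually bank and shop with.
WATCHED_DOMAINS = ["bank.example", "auction.example"]

# Constructed sample using documentation-range addresses, not a real incident.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example      # blocking entry, harmless
203.0.113.45    www.bank.example bank.example
198.51.100.7    login.auction.example    # added by unknown software
192.168.1.10    printer.home.example
"""


def hosts_path():
    """Return the standard hosts file location for this operating system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        try:
            # Strip an IPv6 zone id such as "%eth0" before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                             # first field is not an address
        # Hostnames are case-insensitive; a trailing dot is equivalent.
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text, watched):
    """Return (line_number, hostname, ip) for each entry that forces a
    watched domain, or any subdomain of it, to a fixed address."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are treated as blocks
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append((line_no, name, str(ip)))
    return findings


if __name__ == "__main__":
    # Audit the file given on the command line, or this machine's hosts file.
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        results = audit_hosts(fh.read(), WATCHED_DOMAINS)
    for line_no, name, ip in results:
        print(f"{path}:{line_no}: {name} is forced to {ip}")
    print(f"{len(results)} suspicious mapping(s) found")
```

A home computer's hosts file normally has no reason to name a bank or shopping site, so any finding is worth investigating.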

Hardware-based Methods:

  • A tiny device ($20-200) inserted between the keyboard cable and the computer port captures and stores information for later retrieval by the hacker.

 

[Image: Keylogger device]

 

In March 2005, a survey on identity theft measured the gullibility of 200 folks in London. In exchange for an offer of highly prized theater tickets, 92 percent of the sample group gave the interviewer the personal information requested. 

 

Who is behind identity theft?

  • Petty Criminals

  • Organized crime network

  • Terrorists

 

[Image: Identity theft chart]

 

 

[Image: Identity theft chart by age of victim]

 

 SPECIFIC STEPS TO PROTECT YOUR IDENTITY

  • Never respond to unsolicited requests for your Social Security Number (SSN) or financial data ... bank account or credit card number. Follow this practice even if you receive a letter or phone call from someone claiming to be from your bank. People engaging in account fraud typically ask their intended victims to help with an "investigation," then ask for sensitive personal or financial information. If you did not initiate the contact, consider it a scam!
  • Before discarding, shred credit card, check card, and ATM receipts and any pre-approved credit offers you have received but don't plan to use.
  • Shred or burn all mailed paper trash containing personal information.  
  • Protect your delivered mail with prompt retrieval or stop the delivery at the post office when away.
  • Check all credit card and bank statements for accuracy. Check your balance periodically between statements.
  • Avoid using access and personal ID (PIN) codes that are easily deciphered.
  • Report lost or stolen checks immediately. Your bank will block payment on the checks you specify.
  • Obtain a copy of your credit report yearly (free) and check it for accuracy.
  • Use only secure Web sites when making online purchases. Secure pages begin with "https" and a little yellow padlock icon shows up at top or bottom of your browser window.
  • Opt out of unsolicited marketing offers; follow the opt-out procedures in the policy statements that financial institutions send to you. Most only require a simple phone call with an automatic response you can complete in 2 minutes.
  • Don't carry unnecessary cards or information in your purse or wallet.
  • Use your credit card only with reputable businesses. Almost anyone can set up a merchant account, and they obtain a lot of information from you for a purchase from them. A basic merchant account consists of an imprinter and a terminal. The imprinter is the device into which the merchant positions the customer's card with a receipt and runs it back and forth to imprint the card's info. Then the merchant writes the person's address, zip and phone as well as their ccvc number, and the amount of the sale, onto that receipt. Later, the merchant plugs the terminal, which is just a little square electronic box, into the phone line and punches in the info for each sale, and it automatically dials into the database that debits the card and gives the merchant an approval code to let them know the card was good. After the merchant runs all the sales through, he pushes a few buttons that add up all the sales and automatically dial into a different server, which then eventually credits his checking account at his bank with the money - minus their 2.3% cost and their transaction fees, of course. That last step is called "settle the account". The imprinter has the merchant's DBA (doing business as) name and number on it, which imprints on the receipt. So you will see the merchant's DBA name and number on your credit card statement with the transaction code and amount debited from your account. All that setup, the imprinter, the terminal, the whole thing costs about $10 a month plus the 2.3% of each sale. The risk to you is that any merchant set up for credit card purchases could potentially charge your credit card fraudulently and obtain more information about you than you would prefer they have.
  • Safeguard your social security number, and check your Earnings and Benefit statements annually for fraudulent use.
  • Do not respond to e-mail that may warn of dire consequences unless you validate your information immediately. Contact the company to confirm the e-mail's validity using a telephone number or Web address you know to be genuine.
  • Consider installing a free Web browser tool bar, such as NETCRAFT to alert you of suspicious phishing web sites. The new Internet Explorer version 7 browser adds more alerts with color coding to assist you in identifying phishing web sites.
  • Ensure that your browser is up to date and security patches are applied.
  • Be selective in giving out your email address. Your friend might not protect their computer like you do, and a hacker could retrieve your email address from their computer. Avoid using your personal email address on Internet site forms except when necessary. Use a "disposable" email address you can change if it does become a tool of scammers.
  • Always be suspicious when receiving emails and instant messages. The sender can be faked and the links can go to sites other than advertised. Go directly to the web site mentioned rather than clicking on a supposed link.
  • Be wary of opening any email attachment from a supposed acquaintance.
  • Before disposing of a computer, use a trusted program to permanently erase data off the drive. Reformatting is not enough! Don't donate that old PC to charity without purchasing and using a file shredder security program first. Ditto for cell phones which store personal contact and other data. Especially important as cell phones are enabled to perform financial transactions.
  • Use Strong Passwords for all online accounts. Don't write down passwords. Use a password management tool to help you use difficult and strong passwords.
  • Verify that a web site is a secure site before transmitting a form: https is in the address field and a yellow padlock is visible.
  • Review a web site's privacy policy to see how they use and protect your personal information.
  • Protect your data backup devices and storage of files from theft.
  • Secure Laptops, memory sticks and any device with data when on travel.
  • Avoid using guest accounts or public kiosk computers at a hotel lobby or internet cafe unless you can assure it is securely maintained.
  • Be very careful when accessing a wireless access point in any public place. It may be a hacker-sponsored network you are accessing in your hotel room!
  • Be careful using social networking sites like MySpace, Facebook, Friendster, Bebo and LinkedIn. Some pages can have embedded scripts, malicious attachments or links to malicious web sites. Storing personal information in your online profile provides hackers a lot of information to attack your privacy with.
  • Blogs and online personal diaries are rich sources for hackers to capture personal data and build their pseudo-profiles.
  • Use caution in surfing "magnet web sites" that have a high percentage of hacking tricks: any site providing something free like music lyrics, pornography, free software or software license keys, gaming tips. The star/celebrity web sites actually are more prolific distributors of malware than adult and pornography sites.
  • Avoid free P2P (peer-to-peer) file sharing programs like Napster, Limewire; allowing outsiders permission to get files off your local hard drive is dangerous. Obtaining free files from strangers can be very dangerous as well. Spyware can be embedded in files shared around the internet or off of strangers' hard drives.
  • Be wary of contemporary news event ploys. Emails about some recent event with a link or attachment can be a malicious threat. Free screensavers, images, charts, etc.
  • All major search engines serve risky sites when searching for popular keywords. Use free tools like SiteAdvisor and Netcraft and Internet Explorer version 7 to alert you.
  • Telephone calls over the internet - VoIP - may not be encrypted and can be sniffed and conversations recorded.
  • Web newsfeeds you browse can contain embedded malicious code.
  • If you need to supply contact information to sign up on a web site, don't use your real contact information and use a disposable email address!

 

IF YOU BECOME A VICTIM

If you find or suspect that you have become a victim of identity theft or account fraud, immediately take the following actions:

  • File a police report
  • Contact your banker.
  • Notify all of those with whom you have a financial relationship.
  • Tag accounts closed due to fraud, "Closed at consumer's request."
  • Notify credit bureau fraud units.
  • Establish a password for telephone inquiries on credit card accounts.
  • Place a fraud alert statement on your credit report.
  • Request bi-monthly copies of your credit report until your case is resolved (free to fraud victims).
  • Report check theft to check verification companies.
  • Check your post office for unauthorized change of address requests.
  • Follow up with contacts in writing and keep copies of all correspondence.
  • Report suspicious activity to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center.
  • If you have responded to an e-mail, contact your bank immediately so they can protect your account and your identity. For information on identity theft, visit Consumer Connection.
  • For more information on phishing, visit the Federal Deposit Insurance Corporation, Federal Trade Commission or the Anti-Phishing Working Group 

REMAIN ALERT

  • Suspect ID theft if you're denied credit for no apparent reason or if routine financial statements stop arriving in a timely manner.
  • Notify your banker of suspicious phone inquiries...such as those asking for account information to "award a prize," "verify a statement," as part of a "fraud investigation," or so-called "advance fee fraud" schemes.
  • Learn about new ways to eliminate paper documents. Ask us about electronic billing and payment options available to you today. BUT protect your emails that contain any account information or receipts! Protect these email stores with a strong password, or store emails offline, not on your local hard drive.

Lose your Wallet or Purse?  See What to do if you lose your wallet?

 

Where to Get Help? - See Resources links at page bottom

 

Personal data found hidden in iTunes tracks

Rhys Blakely 6/3/07 http://business.timesonline.co.uk/tol/business/industry_sectors/media/article1871173.ece

Names, e-mails and other sensitive information embedded in files.

Fresh privacy fears have been sparked after it emerged that Apple has embedded personal information into music files bought from its iTunes online music store. 

Technology websites examining iTunes products discovered that personal data, including the name and e-mail addresses of purchasers, are embedded into the AAC files that Apple uses to distribute music tracks. 

The information is also included in tracks sold under Apple’s iTunes Plus system, launched this week, where users pay a premium for music that is free from the controversial digital rights (DRM) software that is designed to safeguard against piracy. 

The Electronic Freedom Foundation, the online consumer rights group, added that it had identified a large amount of additional unaccounted-for information in iTunes files. It said it was possible that the data could be used to “watermark” tracks so that the original purchaser could be tracked down were a track to appear on a file-sharing network. 

Ars Technica, among the first websites to unveil the hidden information, said: “Everyone should be aware that while DRM-free files may lift a lot of restrictions on our personal usage habits, it doesn't mean that we can just start sharing the love, so to speak. Sharer beware.” 

An Apple spokeswoman was unable to comment when contacted by Times Online. 

The discovery of the data, of which most iTunes users will have been unaware, underscores the reluctance of music groups to allow music to circulate freely over the web. 

With estimates suggesting that 40 tracks are digitally bootlegged for every legally downloaded track, piracy remains a massive problem for the industry and music groups have largely proven reluctant to withdraw the controversial DRM technologies. 

Apple had sought to present itself as a consumer champion, with the group’s chief executive, Steve Jobs, insisting earlier this year that his company would drop DRM “in a heartbeat” if allowed to by the labels. 

Previously, Apple’s DRM system had been criticised by several European regulators for being anti-competitive because it only allowed tracks to be played on Apple's iPod digital music players. 

Apple's iTunes Plus service, launched this week, offers DRM-free music of a higher quality than standard iTunes tracks for 99p a song – compared with 79p for a standard track. Users who opt to pay extra for iTunes Plus tracks will be able to play the music without limitations on the type of music player or number of computers that purchased songs can be played on. 

The service is launching with EMI’s digital catalogue of outstanding recordings, including singles and albums from Coldplay, The Rolling Stones, Norah Jones, Frank Sinatra, Joss Stone, Pink Floyd and John Coltrane. 

Steve Jobs, the Apple chief executive, said: “We expect more than half of the songs on iTunes will be offered in iTunes Plus versions by the end of this year.” 

Online music sales still account for only 10 per cent of the total market and are not yet growing at a rate which compensates for the decline in revenues from CDs – approximately 2 to 3 per cent per year. 

EMI, which has previously released tracks by Norah Jones and Lily Allen without copyright protection, shelved plans to drop DRM on a more widespread basis after iTunes competitors refused to make “risk insurance” payments designed to offset potential losses that would result from the move. It is unclear whether Apple has made any such payment. 

Other labels, including Universal Music and Sony BMG, have experimented with offering music without DRM, but none has pursued the strategy as aggressively as EMI. 

The iTunes Store has sold over 2.5 billion songs, 50 million TV shows and over two million movies, making it the leader in each of those markets. 


===============
Gee, guys... my name and often my email address is found in many of the software applications that I have installed on my computer... What's different? It hasn't been hidden. Highlight the iTunes song, click "Get Info" on Macs, click "Properties" on Windows, and there is the so-called "hidden" information. It's been there since Apple instituted iTunes sales. 

This is merely FUD in anticipation of the WWDC announcements in a couple of weeks and the release of the iPhone on June 29th. 

Andrew Smith, Stockton, CA


I don't see why people are complaining, if you bought a cd or an LP (remember those) with your name and address on it would you see it as a problem? I think not. Just don't buy anything from Apple if it's a problem, I don't. If you have a decent hi-fi even CD only sounds so-so anyway, so I don't see why you would want to degrade it any further unless on the move.

Keith, Copenhagen, Denmark


How can you possibly equate lending a book to someone with posting music on a website for people to help themselves to!!!? Try this then run off a couple of thousand copies of your favourite book and set up a website where anyone can request a copy for free. .... see how long you can do that for. 

Steve, Sunshine Coast, Australia

Can ID Theft Be Solved with More Regulation? 
By Brian Prince February 8, 2007  Source


SAN FRANCISCO—Early one morning several years ago, the police knocked on Robert Maynard's door and told him he was under arrest for fraud. There was just one problem: The Robert Maynard the police were looking for did not actually exist. 

Maynard was the victim of identity theft. Today, he is co-founder and chief operating officer of LifeLock, a company that works with credit bureaus to prevent the crime to which he fell victim. He was also one of four officials from the federal government and technology industry who sat on a panel at the RSA Conference here Feb. 7 at a town hall meeting on identity theft—a meeting marked with calls for stronger government regulation of ISPs and increased crackdowns on cyber-criminals. 

It is a subject that is not going away. According to the Federal Trade Commission, in 2006 identity theft topped the list of consumer complaints filed with the agency for the seventh year in a row. The FTC received 246,035 complaints of identity theft last year, accounting for 36 percent of the 674,354 complaints it received. 

Ira Winkler, president of the Internet Security Advisors Group and a former computer systems analyst with the National Security Agency, said there are three main ways criminals get their hands on stolen identities:
  • low-tech activities like dumpster diving
  • data breaches at companies
  • "stupid" user mistakes online. 

The government should mandate that ISPs control what they are putting on their network. His opinion was seconded by a member of the audience, and another man suggested the government take the offensive and attack hackers. 

But authorities can't simply "hack back," said Christopher Painter, principal deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section. Painter served on the panel with Maynard, Winkler and FTC Chief Privacy Officer Marc Groman. 

Such offensive actions may not be legal, Painter explained. In addition, the attacks may not hit their intended targets—instead taking down an innocent system that has been hijacked, he said. Painter added that law enforcement officials have conducted undercover operations to take down rings of cyber-criminals. 

But enforcement is just one aspect of the solution, he and others said. Education is a key element of combating identity theft, said Groman, who added that the FTC has embarked on an expansive campaign to inform the public on how it can protect itself. 

 

But Winkler argued that education has proven to be largely ineffective. Instead, the focus should be on requiring ISPs to better manage security on their networks and giving the DOJ and FTC the resources they need to combat ID theft. 


In remarks prior to the panel discussion, FTC Chair Deborah Platt Majoras lamented the prevalence of identity theft even as she outlined the work the agency is undertaking to protect consumers. If personal data is not protected, consumers will lose confidence, she said. 

"Unfortunately, [the thefts are] becoming all too familiar," she said. 

____________________________________________________________

Report Shows Spike in Online Identity Theft 
By Brian Prince January 16, 2007  McAfee White Paper


A white paper from McAfee Avert Labs on global identity theft trends uncovered a dramatic increase in online and computer-based identity theft through the use of keyloggers. 

According to the report, the number of keyloggers—malicious software code that tracks typing activity to capture passwords and other private information—increased by 250 percent between January 2004 and May 2006.

The findings come on the heels of similar reports decrying the increase of spam and instant messaging attacks in 2006, including a study by San Diego-based Akonix Systems that uncovered nearly 20 percent more new IM-borne attacks last year than it did in 2005. 

Akonix officials predict that many IM attacks this year would be from organized groups of criminals looking to commit identity fraud. 

Additional findings from the McAfee report show the number of phishing alerts tracked by the Anti-Phishing Working Group multiplied 100-fold from January 2004 to May 2006. 

"Identity theft is a global phenomenon that threatens all of us, which means we all need to become more aware, more vigilant and less trusting to protect ourselves," said Jeff Green, senior vice president of McAfee Avert Labs in a statement. 

"By learning where we are vulnerable, and how and why criminals engage in identity theft, we can then take the necessary precautions to avoid being victimized." 

Identity theft exacts a high toll on the global economy. According to the Federal Trade Commission, the annual cost for consumers and businesses in the United States alone reaches $50 billion, McAfee officials said. 

The white paper reviews identity theft techniques, from non-technical approaches like dumpster diving to sophisticated keyloggers that monitor computer keyboard keystrokes to steal online usernames and passwords. 

The report presents high-profile examples of identity theft cases from around the world along with an overview of the types of criminals and organizations that engage in identity theft for profit or to facilitate terrorist acts. 

 

The white paper also includes tips for businesses to protect employees from being victimized such as:
  • be vigilant for phishing scams
  • manually type a Web address into a browser instead of clicking on a link in an e-mail
  • use strong passwords. 

 

Resources

WHERE TO GET HELP:

Credit Reporting Bureaus:

  • Equifax (www.equifax.com)
    Report Fraud - 800-525-6285
    Order Credit Report - 800-685-1111

  • Experian (www.experian.com)
    Report Fraud - 888-397-3742
    Order Credit Report - 888-397-3742

  • Trans Union (www.tuc.com)
    Report Fraud - 800-680-7289
    Order Credit Report - 800-888-4213

Get your credit report free each year - read the background history on credit bureaus and why you don't have to pay for a report.

There are only 2 ways to get your free credit report without running these risks:

1. Call 877-322-8228 and order it over the phone - This is the preferred method because the privacy policy for phone orders is much better than the one for ordering over the internet.

2. Visit the www.AnnualCreditReport.com website - This will give you immediate access to your credit report but there are certain privacy risks. ACCESS suggests that you read their privacy policy in its entirety before ordering this way. You will also notice that we do not provide a link to the website here. That is because we strongly believe that ordering over the phone is the only way to protect your privacy.

If you need to put a credit freeze on an account due to fraud, read this first!

Social Security Administration: 
Report Fraud - 800-269-0271
Order Benefits and Earnings Statement - 800-772-1213

Reporting Fraudulent Check Use: 
Check Rite - 800-766-2748
Chexsystems - 800-428-9623
CrossCheck - 707-586-0551
Equifax - 800-437-5120
National Processing Co - 800-526-5380
SCAN - 800-526-5380
TeleCheck - 800-710-9898 

MORE INFORMATION ABOUT IDENTITY THEFT AND HOW TO AVOID IT:

Note: Placing a fraud alert on your credit files:  A fraud alert stays on a credit file for 90 days and tells creditors to contact the cardholder before the creditor opens any new accounts or changes existing accounts. To place a fraud alert, cardholders can call any one of the three major credit bureaus (Equifax, 800-525-6285; Experian, 888-397-3742; TransUnionCorp, 800-680-7289; as soon as one credit bureau confirms a fraud alert, it notifies the other credit bureaus).  All three credit bureaus will then send credit reports to the cardholders, free of charge, for their review.  Notified cardholders should review the credit reports for any suspicious activity (such as unexplained new accounts) regularly, for at least eighteen months.

 

Contact me at NofinerWeb.com