Business Controls, Inc.
Minimizing risk through education, prevention and innovation

Volume 5, Issue 5

 

Spyware Beware

New York Attorney General Eliot Spitzer is at it again. This time New York's top cop has targeted spyware: those nasty little programs that crooks, identity thieves and unscrupulous advertisers secretly load onto your computer in order to control it or monitor its use. Last week Spitzer sued Los Angeles-based Internet marketer Intermix Media Inc., claiming it illegally sticks hapless computer users with spyware and intrusive adware. To gain access to its victims' computers, Intermix lures users to one of its Websites, such as MyCoolScreen.com or CursorZone.com, where they download screensavers, cursors, games, gags and greetings. According to Spitzer, many of these freebies contain spyware and adware that download unnecessary and annoying toolbars and direct computers to unrequested Websites with pop-up ads. Spitzer alleges that his six-month investigation revealed that Intermix dumped 3.7 million unwanted downloads on New Yorkers alone. "These fraudulent programs foul up machines, undermine productivity and in many cases frustrate consumers' efforts to remove them from their computers," says Spitzer.

Spitzer is known for his bare-knuckle negotiating tactics, often squeezing massive settlements from defendants before even getting them to trial. Says one observer, "A call from Spitzer's office can ruin your day, and your pocketbook."




Stores Blame Checkout Software for Identity Losses

Some of the big retailers say there is a common thread to many of the recent security breaches they and their customers have suffered: software that they say improperly stores credit card data. Merchants say that the software that processes customer credit card information is supposed to purge the data after each transaction. However, a programming glitch has enabled criminals to capture it and use it for illegal purposes. Retailer Polo Ralph Lauren Corp. is one such merchant. A spokeswoman for the firm said that software used at checkout counters at more than 180 stores improperly retained customer credit card data.

According to sources close to the problem, the magnetic stripe on the back of credit cards contains encoded information that does not appear on the front of the card. In the wrong hands, the information, including a three-digit verification code, could allow criminals to "validate" a fake card.

As concerns mount, retailers are fighting back. BJ's Wholesale Club Inc. has sued IBM to compensate it for losses stemming from a credit card breach last fall. BJ's claims that hackers stole 40,000 customers' credit card numbers by means of a defect in IBM's software. The Natick, Massachusetts retailer has set aside $16 million to cover potential claims resulting from the loss. In legal papers it has filed, IBM says it is not responsible.

According to the Wall Street Journal, recent computer breaches have raised questions about the security some credit card processing software offers.

Merchant | Software/Vendor | Alleged Breach
Polo Ralph Lauren | Tradewind/Datavantage | Fall 2004
Chipotle Mexican Grill | Aloha Suite/Radiant Systems | October 2004
DSW | Advanced Store/NCR | November 2004-February 2005




ChoicePoint's Troubles Continue

ChoicePoint, a leading data wholesaler, faces problems on several fronts. In September 2004 the company became suspicious of several small business customers. An internal investigation eventually revealed that the identities of over 140,000 consumers had been compromised. The investigation led to the arrest and conviction of one man. Because some 35,000 of the consumers lived in California, which has a law requiring consumer notification in the event of illegal access to their personal data, all 140,000 were notified. So far only 750 of them have been victimized. But according to Security Business Newsletter, ChoicePoint CEO Derek Smith and COO Doug Curling, knowing that the violation of internal controls had occurred, sold about $18 million in stock they owned. The price of the stock has since declined. SBN has called for their termination. In the meantime, ChoicePoint has begun to audit its customers and to truncate Social Security numbers when providing consumer information to its customers. The firm estimates that the loss of business and resultant litigation will result in a charge of about $20 million.

Another result of much greater consequence is the avalanche of new legislation proposed by lawmakers to restrict access to consumer information and to punish more severely those who steal identities. However, the unintended consequence of much of this legislation, if enacted, will be to restrict those in the private sector who fight identity theft and chase down fraudsters. NPR's Larry Abramson reports on the effects this has had on private investigators, who have come to rely on personal data to solve cases. His report, "All Things Considered," can be heard at http://www.npr.org/templates/story/story.php?storyId=4626713




NCISS Fights Back

In response to recently proposed identity theft legislation, the National Council of Investigation and Security Services has mobilized. NCISS, which has nearly 1000 members, recently published this release:

Recent developments following breaches at data brokers and financial institutions have led to calls for immediate regulatory and legislative action. Private investigators agree that regulatory and/or legislative mandates for timely notification of breaches are an appropriate response. We support Senator Feinstein's bill, S 115 "Notification of Risk to Personal Data Act". The recent disclosures have also led data providers to renew and upgrade their vetting of clients, including private investigators, who require the data. The National Council of Investigation and Security Services (NCISS) agrees that data providers should do appropriate due diligence to assure that information is used only for legitimate purposes.

Legislative Responses Should be Focused

Investigators are extremely concerned that in the current atmosphere public officials will be pressured to create an overbroad regulatory scheme that will be harmful to the court system and commerce. And ironically, some of the suggestions being made would be counterproductive to the goal of fighting identity theft and other frauds. Statutory solutions should focus on securing personal data, not restricting its use by legitimate entities.

The National Council of Investigation and Security Services (NCISS) has learned from experience that the best of legislative and regulatory intentions can lead to harmful unintended consequences. The 1996 amendments to the Fair Credit Reporting Act ultimately led to an unanticipated requirement that employees suspected of theft be notified when an employer retained third parties to investigate the theft. It took years before Congress was able to remedy that error with passage of the Fair and Accurate Credit Transactions Act (FACTA).

Privacy groups have been using the public's legitimate concern over the recent breaches to push a far broader agenda. Their suggestions would result in limiting the ability of businesses to verify the identity of customers, to conduct background checks, and collect debt. If barriers are erected to prevent legitimate businesses from accessing identifying information about an individual, then the identity thieves will have an easier time. If one can't confirm a Social Security number or other unique identifier, then the ID thief will have an easier time claiming to be Bob Jones.

Private Investigators Use Data for the Public Good

Private investigators use data from brokers to facilitate justice. We use the data to locate witnesses, find heirs, locate lost children, obtain child support, and detect fraud. Police authorities do not have adequate resources to solve ID theft cases, and many victims end up using private investigators. If the services investigators use to solve these cases are restricted, we'll not be able to serve clients as effectively and an additional burden will be placed on public authorities.

Recent Legislation

Congress has not been idle in recent years with regard to identity theft and personal information. FACTA, which includes many provisions affecting identity theft, was enacted only last Congress. In addition, more severe penalties for ID theft were imposed with enactment of the Identity Theft Penalty Enhancement Act. The impact of these statutes is only now being felt. Congress should gauge the success of these measures before acting to broadly limit access to information that is so essential to commerce.

End

For more information about NCISS or its legislative efforts contact:

Bruce H. Hulme
Chairman, NCISS Investigations Legislative Committee
914.767.0625




United States 1, Bin Laden 0

Zacarias Moussaoui, the only person charged in connection with the 9/11 attacks against the United States, last month pleaded guilty to six counts, including conspiracy to commit terrorism, commit aircraft piracy, destroy aircraft, murder government employees, and destroy property. Moussaoui told federal Judge Leonie Brinkema that he was part of a broader plot to fly a jetliner into the White House. The surprise plea ended Moussaoui's rollercoaster trial, in which he represented himself and which had to be delayed three times since it began in October 2002. He now awaits sentencing, which could result in his being put to death. Moussaoui said he is opposed to the death penalty for religious reasons and would fight such a sentence.

Surprise: While Moussaoui held a six-month temporary visa and was in the U.S. legally at the time of his arrest, he had a valid state driver's license in his pocket: a license that would not expire for six years after the expiration of the visa!




Quote of the Month: "You are the only person on earth who can use your ability." - Anonymous



TSA Adds Lighters to Its List of Contraband

Last month the TSA added all types of lighters to its list of items that can no longer be carried aboard commercial airliners. Lighters have long been prohibited from checked baggage because of the potential fire hazard, so the change is an extension of an existing safeguard, says the TSA. The new rule allows passengers to possess up to four books of matches and relaxes the restriction on nail clippers, disposable razors, knitting needles and tweezers. For a complete list of prohibited items, go to the TSA Website and enter "prohibited" into the search box.




Quote of the Month: The successful person makes a habit of doing what the failing person doesn't like to do. - Thomas Edison.



Office Dating Gets Hot

Office dating, a taboo in many workplaces, has gained new popularity. Because so many workers spend so much time at work, it has become increasingly difficult for singles to find dates outside of the office. According to the American Management Association, office dating indeed often leads to marriage. Among colleagues who dated, 44 percent married and another 23 percent had a long-term relationship.

Employers are quick to respond, however, that office dating is the leading cause of sexual harassment claims against them and their managers.




Cool Tools

Stamps.com is at it again. The company, which last year briefly allowed customers to turn their favorite image into a custom postage stamp and quickly stopped the offer when pranksters turned images of Ted Kaczynski and Linda Lovelace into legal postage, is back. This time Stamps.com has stricter rules on the kinds of images that can be placed on stamps. No longer will the firm allow the images of celebrities, politicians, world leaders or convicted criminals to be put onto stamps. Obscene, offensive, pornographic and menacing images are also out. To monitor images submitted for stamps, the firm has assembled a library of tens of thousands of images it has deemed prohibited. In a recent test of just two months, Stamps.com said it sold 2.75 million custom postage stamps. Of the 83,000 images submitted, about 9 percent were rejected. While some stamps of questionable taste did slip through, the U.S. Postal Service has given Stamps.com the green light to again sell custom stamps. Stamps.com will again be taking orders starting May 17th. A sheet of 20 37-cent stamps costs $16.99.




Check Fraud Self-Defense

Security experts agree that it is only a matter of time before criminals figure out ways to find and exploit security holes in Check 21's new check processing technology. In the meantime, consumers can do more to protect themselves. Here's what we recommend:

  • Never make checks payable to Cash.
  • Order your checks from your bank. Mail-order checks are often less expensive but typically are easier to alter than bank checks.
  • Protect deposit slips. A common scam is to deposit worthless checks into your account and get some of the deposit back as cash.
  • Review all deposited checks and ensure they are still made out to and endorsed by the original intended party.
  • Protect your signature. Use your real signature for checks and important documents; use another for forms, questionnaires and other routine documents.
  • Report suspicious transactions to your bank immediately. The sooner the bank is aware of a problem, the sooner it can investigate it and take corrective action.
Fact: More than 1.3 million worthless checks are written every day.

Source: Boardroom Inc., 2004




Want a Customized Electronic Newsletter for Your Organization?

Now you can market your products, services and ideas with a customized professional electronic newsletter just like this one. Communicating affordably with your customers, clients or team members has never been easier. Our IT and design team will help you select a design and color scheme that suits your needs. Your customized monthly newsletter will display your organization's name, logo, address and phone number. Each issue will contain at least five topical articles professionally written by our editors. We can even add articles, messages and news releases contributed by you or your organization. Hyperlinks to your Website and automated subscribe and unsubscribe features are included. All you do is re-mail your finished newsletter to your email list. It's fast, easy and affordable. To receive your own customized electronic newsletter, call Eugene Ferraro, CPP at 800.650.7005 or visit http://www.securitynewsletters.com/ today!




 