National Webcast Initiative

Identity Theft

Thursday, February 16, 2006

 

Questions and Answers Transcript

 

The following is a compilation of questions submitted to the presenters through the written
Q and A tool during the webcast. The transcript has been edited for relevance.

 

Question: As webmaster of a secure site involving credit card transactions, how can I test my server for security?

Answer: Periodic vulnerability scanning and penetration testing of your web server will help. It is important to get appropriate permission from your organization’s management prior to commencing testing.

Question: Why aren't businesses required to confirm identity before accepting a credit card?

Answer: Businesses are required to confirm identity of the card holder as part of the transaction process. If your question is regarding online businesses, there are 4-5 ways they can confirm your identity. These are: card number, billing address, a security code on the back of the card, and your name. Most businesses will only ship merchandise to your billing address as an additional precaution. On the other hand, some businesses are required to confirm the ID of the person before accepting credit cards.

Question: I receive, almost daily at the office, emails from various online services that my account is about to be disabled or has been breached. I have reported this several times but continue to receive them. What can be done to stop these?

Answer: It is nearly impossible to track these back to the source. Best bet is to delete them or set your spam filter to block them. The important thing is to recognize that the emails may be spoofed and to not fall into the trap of responding to them with sensitive information.

Question:  Is Two-Factor Authentication going to be enough to maintain secure electronic transactions?

Answer: Experts disagree on this point. Certainly, two-factor authentication is better than single-factor authentication. However, the main issues revolve around education and awareness. If an attacker can trick you into disclosing your two-factor authentication credentials (such as through a bogus website), you're still at risk -- in which case the extra cost and overhead of two-factor authentication will not prevent compromise.

Question:  How effective are credit monitoring services, like Equifax, Experian and TransAmerica with alerting you of credit problems?

Answer: If you subscribe to a monitoring service, you will be alerted on different levels of activity associated with your account such as someone applying for credit under your name or someone reviewing your credit, which may be a precursor to identity theft.  

Question:  Is there a website that has additional resources for later reference?

Answer: Yes, you can visit the MS-ISAC website for additional resources by going to http://www.msisac.org/webcasts/02_06/info/resourses.cfm and you can visit the US Department of the Treasury website by going to: http://www.treas.gov/offices/domestic-finance/financial-institution/cip/identity-theft.shtml

Question:  What is the phone number to contact Credit Reporting Agencies if fraud has occurred?

Answer:

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

The information can also be obtained at http://www.consumer.gov/idtheft/con_steps.htm

Question: What is the URL for onguardonline.gov?

Answer: http://onguardonline.gov/index.html

Question:  Are there any laws covering the theft of information through wireless access points?

Answer: The same laws that apply to wired connections apply to wireless.

Question: Will logging off your computer be safe enough, compared to turning off a home computer?

Answer: No. If you log off but leave your computer running and connected to the Internet, it is still possible for someone to break into your computer - especially if you are not using a firewall.

Question:  Is it OK to keep account numbers in money management programs on your computer?

Answer: It is not a good practice to keep your account numbers on your computer. If your system is compromised, that information will be available to the malicious user.

Question:  Who is enforcing the identity theft laws at the federal level? (FBI? FTC?) Are Internet transactions covered by federal or state law (or both)?

Answer: Different federal agencies are responsible for enforcing different identity theft laws. The following site: http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm may be helpful in identifying specific agencies to contact as it relates to specific identity theft issues.

Question: Is there anything being done to address the practice of credit card companies sending out pre-printed checks? These ads are easy to identify and allow access to your account.

Answer: The FTC has a helpful document on opting out - http://www.ftc.gov/bcp/conline/pubs/alerts/optoutalrt.htm

Question:  How do we remember all these different passwords? It's not practical without writing them down.

Answer: At minimum, you should use separate passwords for each account that grants access to sensitive information. You could also use passwords created based on a common criterion or algorithm for each service. Alternatively, there is software available to store passwords in a central, secure location.

Question:  Where is there information on cleaning hard drives for home use?

Answer: There are a number of different products that will work. Most are available from your local computer store.

Question:  How is the SSN used and how are the Credit Reporting Agencies handling it regarding ID theft?

Answer: Further information regarding Identity Theft and SSN numbers can be found at http://www.ssa.gov/pubs/10064.html

Question:  What about password software?  Do you think an electronic "vault" program would be a good place to safely store all the different user ids and passwords you use?

Answer: Password management software is an option. However, if your computer is compromised, your master password lists may be at risk. You should only run password management software obtained from a trusted, secure source and use a strong password/passphrase to secure your other passwords.

Question: Do all three Credit Reporting Agencies (Equifax, Experian, TransUnion) provide the same report?

Answer: They all provide similar but not necessarily the same information. The report format may also be different.

Question:  I have heard of people taking over someone’s identity to establish accounts, but not stealing from the user. Instead, they get loans, purchase items, and pay their bills. From what I understand, there isn't anything a person can do about that; is that true? They are still impersonating someone...

Answer: This type of identity theft may be the worst of all. The impersonator has now taken on the identity of the victim. This is usually not discovered for some time and it is the most difficult to clear up. The victim will be responsible for first showing that the debt was not incurred by him/herself and then going through the time-consuming process of cleaning up their credit. There have also been examples of impersonation that resulted in warrants being issued against the victim for crimes they did not commit.

Question:  Where should I forward any phishing email attempts that I receive?

Answer: If your internal IT/Helpdesk/Security organization tracks and responds to this information, you can forward it to them. Additionally, some online services have dedicated email drops for phishing messages targeting their service. You can also report them to the Anti-Phishing Working Group at http://www.antiphishing.org/.

Question:  What is your opinion of using credit "freezes" if authorized by the state legislature?

Answer: Putting a credit "freeze" on your account means that the reporting agency has to call you first and get your permission before releasing your credit report. This may create some issues if you apply for a credit card or a loan and you are not home to get the phone call; your credit report will not be released and you will be denied a service. So, you might want to be careful about it. This becomes an issue of security over convenience.

Question:  Is there any exact software you recommend for AV/spyware/software firewall? And is there any other particular software you recommend?

Answer: We can't recommend specific products; however, your local computer store can provide you with guidance in that regard.

Question:  Why won't the free online credit report companies give the credit score? Most will give the report but will charge to see the score.

Answer: The legislation only requires the three credit companies to provide free reports once a year. The credit score was not included in the legislation. Further, the credit score may vary among credit reporting agencies since they all use their own formulas for computing.

Question: If someone misused my social security number to gain employment under his own name, what should I do?

Answer: If you believe that someone is using your social security number to gain employment, contact the Social Security Administration (SSA) at 1-800-269-0271, in addition to the steps indicated in the presentation for victims of Identity Theft.

Question:  How hard is it to clean up a credit report? How long might it take?

Answer: It usually takes a long time to clean up incorrect information on your credit report. You have to make sure you contact all the credit reporting agencies, convince them and provide them with proof that they have incorrect information. It is very important to get the report filed with your local police department. This document will give you proof that a crime has occurred when dealing with the reporting agencies during the process of removing the fraudulent activity from your reports.

Question:  Please clarify if the annual report creditreport.com provides is all 3 credit reports or only 1 report?

Answer: Creditreport.com will supply all 3 reports at the same time. It is recommended that you request a report from one of the three every 3 - 4 months to cover the year and next year start all over again.

Question:  We cannot place a credit freeze without our identity theft having already been compromised. What about placing a fraud alert without being a victim?

Answer: Some states are allowing consumers to put credit freezes on their credit reports without a crime having taken place; other states limit this ability. Anyone can place an initial fraud alert on their account; this will last for 90 days. For an extended alert you are required to show proof that a crime has occurred (identity theft report).

Question:  Why do the credit bureaus easily offer up our consumer information and we get credit marketing offers in the mail?

Answer: Please visit http://www.ftc.gov/bcp/conline/pubs/alerts/optoutalrt.htm for more information.

Question:  I was recently called by someone who presented me with the opportunity to purchase ID theft insurance. A mailing was sent as follow-up. The service cost is just under $100 per year. Is this a scam or is it a valid offering, and how would I know?

Answer: Some of these offers are legitimate. Check with your local Better Business Bureau to confirm that the company is in good standing.