The Grinch Stole My Identity!
How to Protect Yourself this Holiday Season

With the winter holidays come the hassles, frustrations and stress of buying gifts, planning parties and keeping everybody happy. As if that wasn't enough, thieves see your frustrations as a golden opportunity to steal your identity.

With crowded malls, rushed people and lots of distractions, thieves find it easy to monitor your shopping habits without getting caught. Your life is too busy to think about identity theft protection. However, a real-life grinch can make your life miserable in the days, weeks and months afterward. All a professional needs to do is glance over your shoulder while you punch in your PIN number or snap a discreet picture of your credit card with a cellphone. Some go the old-fashioned route, snatching your purse or pickpocketing your wallet and quickly blending into the crowd.

To make matters worse, criminals know that they are less likely to be detected at this time of year. A few purchases with a stolen credit card might be overlooked, since credit and debit card transactions are so numerous. You might miss something you would certainly spot at any other time of year when your purchases are fewer and unauthorized transactions are easier to spot.

Playing Safe This Season

To protect yourself this holiday, practice a few simple techniques to minimize theft. Identity thieves aren't looking for a challenge - they want the convenience of finding easy targets.

• Cover your hand or use your body to block anybody from seeing your PIN number.
• Keep all receipts of your transactions, and compare them to your bank or credit card statement. That way no unauthorized transactions will be missed. It also lessens the chance for clerical errors, which will undoubtedly be higher due to the frantic pace of the season
• Leave all unnecessary cards at home. Better yet, place your passport, Social Security card, birth certificate and other pieces of personal identification in a safety security box.
• Online shopping is highest this time of year. Keep your computer up to date with the latest security fixes and anti-virus software. Shop only at websites you trust, and look for the locked key at the bottom of your browser to make sure the site is secure when you're about to pay.

Protecting Yourself After the Holidays

Dumpster diving or looking through your trash is another common way for thieves to steal your information. There isn't a better magnet for criminals than announcing to the world your expensive, new big-screen television you got for Christmas. How do you announce this? By throwing the box out with the trash.

To protect yourself, shred all financial documents with a cross-shredder and place your garbage out the day of garbage collection. For big-ticket items you received as gifts, cut the box down and bind it inside out - that way potential thieves only see blank cardboard.

These are a few tips to help prevent identity theft during the holiday season. For extra protection, there are some great services available that specialize in protecting your credit. These include monitoring your credit for suspicious transactions, monthly fraud and scam alerts, and tips and advice from professionals.

Article courtesy of Creditidentitysafe.com, a resource site with tips and articles on the best identity theft solutions for you.

A World Full of Fraud - How to Not Lose Your Shirt to Scammers

Where money exists, scammers will always be hiding in the shadows, preying on the unsuspecting. From phony lotteries to the widows of leaders offering you millions of dollars to fake businesses promising services that are never performed, fraud has always existed to smooth-talk and pressure you from your hard-earned money with dreams of secret opportunities and untold riches that could be yours.

It would be simple to simply go through life with the thought that "if it's too good to be true, it is." However, fraud and scams are getting ever more complex and authentic-looking, and anybody can be fooled. While some scams are easy to spot, others are almost impossible to detect, and can run for years until complaints pile up.

To reduce your chances of getting caught up in a scam, it's best to know some of the common techniques currently circulating, and how to avoid them.

Advance Fee or Nigerian Scams

This is one of the most common types of fraud, yet is still one of the most successful. You'll probably recognize it as an email that begins "Request for business arrangement" or "Private and Confidential." A large amount of cash is frozen in some foreign (usually African) country, and a widow of a general or a family member needs your help to unlock it. They will give you a good percentage of this money as thanks. If you respond, they will then ask you for a wire transfer for processing fees, bribes, etc. If you send money, then something will "go wrong" and that they need progressively more money. This will continue until you realize you've been misled.

This scam preys on a person's greed, sense of international intrigue, and the excitement of receiving money for doing nothing - except sending some cash to the supposed widow or family member. Avoiding this type of scam is relatively easy. Delete the email or throw out the letter. There is no such thing as getting money for doing nothing. If it's too good to be true . . .

Another very common variation on the advance fee fraud is supposedly winning an international lottery. Legitimate lotteries and sweepstakes will NEVER ask for any sort of money up front, nor will they ask for your information.

Email Phishing

This techniques uses email to try and trick you into revealing your personal information. You will receive an official-looking email from Ebay, Paypal, or your financial institution stating that you need to update your account immediately or it will be shut down. If you click the link in the email, it will send you to a website that looks exactly like Ebay, Paypal or your bank's. However, it is actually a fake site. If you log in, the criminals operating the website will then have your personal login and password information, and can use it to commit identity theft or drain your bank account.

To avoid this scam (and there are many variations), close the email and type in the actual website address. That way you do not go to the fraudulent website. The reason why this fraud is so easy to accomplish is because it is easy to disguise a web link. A link that says "Ebay.com" may actually have a completely different address within the link code. Websites are also easy to copy, using simple programs to exactly recreate the official site.

Credit Repair Scams

Con artists and unscrupulous businesses always take advantage of crises. In this case, with the downturn of the economy, many people turn to credit repair services to try and lower their interest rates. Unfortunately, this industry is plagued with fraud - businesses that ask for money up front and don't deliver, those who recommend illegal techniques, and those who promise results when it is impossible to do so.

There are some general guidelines to avoid getting scammed - do not pay for any services up front (it is against the law), avoid offers of creating a new identity for you to avoid your debts (this is illegal and can result in jail time), and ask how they repair your credit - a record of accurate bad credit can not legally be removed from your reports.

Work at Home and Make Thousands per Month!

Finally, we take a look at another all-too common scam - the promise of getting rich while working at home. Really, who doesn't want this lifestyle? Late-night infomercials, emails, websites and business seminars abound with these promises of riches. Remember your mantra - if it's too good to be true, it is. In this case, you spend hundreds or thousands of dollars in exchange for nearly worthless information you could have learned yourself with time and energy. Many will likely be nothing more than multi-level marketing (MLM) schemes where you only make money by recruiting others.

Work at home schemes prey on our desires to get rich quick and easily. They over-hype and sell you on misinformation and calculated sales tactics. Often, you will see a tiny "results not typical" disclaimer during customer testimonials. The only ones getting rich are those near or at the very top.

There are a few common threads typical to any scam or fraud - a sense of urgency, an emotional appeal, and the unsustainable generation of hope and excitement. We've seen this in all the frauds listed. Scammers know all these tricks, and they will do what it takes to get at your hard-earned money.

Brought to you by CreditRepairAbility.com, a guide to bad credit repair. Learn how to manage your debts, find help if needed, and how to spot and avoid credit scams.

Online Fraud Techniques - How Thieves Grab Your Money Through Your Computer

There has been a lot of publicity surrounding the dangers of thieves and criminals lurking online. From viruses to security breaches to hackers gaining access to your computer, there's a constant barrage of horror stories about online fraud and theft. Is it time to unplug your Internet connection? Of course not! A bit of knowledge, safe practices and a bit of common sense will help you avoid the minefields lurking in cyberspace.

So, how do thieves and fraudsters try to trick you out of money? Think of old time snake-oil salesmen trying to persuade you to buy a fake product, and tie that in with modern technology like email, viruses and building fake websites. Here are the most common techniques:

Phishing

Yes, it is pronounced "fishing," and that is exactly what criminals are trying to do. By sending out thousands or millions of spam email, they hope to catch a couple dozen unsuspecting Internet users. The bait is an email that looks like an official letter sent from Paypal, Ebay, or your bank. The email could be anything from asking you to update your information to a message of congratulations for receiving a large payment. Usually the email will have a sense of urgency or deadline to it.

The criminal is hoping you click the official looking link in the email. The link will appear to lead you to the official institution. However, it will actually lead you to a spoofed website - a site set up to look exactly like the official site. If you type in any of your personal information, the criminal will be able to record everything you type. This is a common form of online identity theft.

Fortunately, there is an easy way to avoid all this - ignore the email. Paypal, Ebay and your bank will NEVER ask you to confirm your information. If in doubt, simply close the email and type in the actual web address yourself. This way, you know you will be going to the real website.

Computer Viruses, Trojans and other Nasties

I'm sure you've heard of it before - nasty viruses that infect your computer. This is a real problem that is not going away. However, like phishing emails, you can avoid most problems by not clicking on suspicious attachments or links to websites that contain viruses.

Malicious pieces of code take advantage of known security vulnerabilities in computer operating systems and browsers. Viruses can infect and harm your entire system, while trojans are pieces of code that hide in your system and record the sites you visit and what you click on your keyboard, such as logins and passwords into banking websites. Other viruses allow the criminal to take control of your system, turning your computer into a "zombie" to attack other computers or send out spam.

Pharming

A relatively new technique is a virus that will change certain settings in how your computer interacts with the Internet. For instance, if you visit your favorite bank, it will actually redirect you to a criminal website without your knowledge. Even worse, your bank's website address will still appear in your browser bar! Most of these viruses are spread through phishing emails. Clicking on the email link may send you to a website, where the virus will silently infect your system.

To avoid this, don't click on suspicious links, keep up to date with your anti-virus software, and download security updates for your operating system and browser. A good security service can also help protect you by sending out alerts on the latest scams.

More Traditional Online Fraud

Now that you've read the scariest techniques, it's time to list the more obvious scams. These mainly appear in your inbox or in chat rooms. A golden rule of thumb is that if you didn't ask for the information, it is likely fraud. Simply delete the email or ignore the sales pitch and move on with your life. Here are a few common fraud schemes:

Work at home - An email or someone in a chat room promises you easy riches to work at home. These schemes actually ask you to buy a nearly worthless product, and once you register with them, the only way to make money is to recruit others.

Pump and Dump - You receive a tip touting a hot stock. What is actually happening is the scammer has bought a lot of stock in a worthless company, and tries to convince others to also buy. This will dramatically raise the price. The scammer then sells at a profit, and everybody else loses when the price goes back down once the scam is known.

Advance Fee Fraud - Any sort of communication promising you wild riches is to be treated with caution. This includes international lotteries or Nigerian widows pleading for help to get millions of dollars out of the country. In all cases, the criminals ask for money up front, such as bank fees, bribes, taxes, shipping costs, etc. You receive nothing but grief once you realize you've been misled. These types of fraud are very popular because they work on our emotions to "get something for doing nothing." If it's too good to be true, it likely is.

Article courtesy of Creditidentitysafe.com. Read reviews, articles and tips on preventing id theft, scams and fraud.

Congress offers competing ideas on fighting ID theft
Proposals include licensing data brokers, notifying potential victims
News Story by Grant Gross

JUNE 17, 2005 (IDG NEWS SERVICE) - WASHINGTON -- Several U.S. senators pushed for new identity theft regulations on U.S. businesses, but a number of conflicting ideas were presented at a hearing yesterday, including a proposal requiring licensing of companies that sell personal data.

U.S. companies reported that 9.6 million personal records have been lost since early February, prompting members of the Senate Commerce, Science and Transportation Committee to say they're ready to act, although they have competing ideas of what to do.

"If this isn't an eye-opening threat to Americans' privacy, then I don't know what is," said Sen. Bill Nelson (D-Fla.), a co-sponsor of a wide-ranging ID theft bill. "Consumers are losing trust in our system of electronic commerce."

A survey released Wednesday by the Cyber Security Industry Alliance advocacy group seemed to support Nelson's concern. Of 1,003 likely voters surveyed, 97% said identity theft is a serious problem. Forty-eight percent indicated that they avoid making purchases on the Internet because they are afraid their financial information may be stolen. Seventy-one percent of those surveyed said new laws are necessary to protect consumer privacy on the Internet.

Beyond the 20-plus bills in Congress that deal with ID theft in some way, committee members came up with more ideas at the hearing. Sen. Conrad Burns (R-Mont.) suggested that all so-called data brokers -- businesses that sell personal data -- be licensed by the government. Data broker ChoicePoint Inc.'s disclosure in February that it had given data on 145,000 U.S. residents to ID thieves was the first in a series of large-scale data breaches this year.

"I'm coming down on the side of [saying that] anybody who collects information has to have a license to do so, or is outside the law and should be shut down," Burns said. "I think they need to have some reasonable license that gives them guidelines to do business in this arena."

Some senators pushed for a national law that would require businesses that have data breaches to inform potential victims, but witnesses disagreed on what form such a law should take. William Sorrell, the attorney general of Vermont, urged the committee to pass a national data-breach notification law that wouldn't preempt tougher state laws.

State law enforcement officials can help investigate and prosecute ID thieves, he said, and states can pass "innovative" laws to protect consumers, such as recent laws passed by seven states that allow consumers to freeze credit to prevent new accounts from being opened in their names. A national law shouldn't preempt those laws, he said.

But Deborah Majoras, chairman of the Federal Trade Commission, disagreed, saying it would be expensive for businesses to comply with up to 50 different state breach-notification laws.

"If you provide a federal standard that is a floor, as opposed to a ceiling, I'm not sure why you'd spend time imposing it at all," she said. "I think that businesses are going to have to spend time responding to the very highest [state] standard. I don't think they can chop up their customer lists into 50 different standards."

Majoras also questioned some proposals, backed by some privacy advocates, that would require companies to inform potential victims in nearly all data-breach cases. Consumers could become numb to notifications if they are notified of every breach, even those with little risk of ID theft, she said. Asked what constitutes a substantial risk of ID theft that should trigger a notification, Majoras said she wasn't sure.

Sen. Dianne Feinstein (D-Calif.), who has sponsored two data-breach notification bills, acknowledged that several disagreements over a breach-notification bill still need to be worked out, including whether it should preempt state law and what type of breach should trigger a notification.

Feinstein's most recent bill, the Notification of Risk to Personal Data Act, would require notification in almost all data breaches, with companies that delay notification fined $1,000 per victim, up to $50,000 per day.

Feinstein is trying to work with consumer groups and businesses to iron out the differences, she said. But Sen. Gordon Smith (R-Ore.) told witnesses he plans to introduce another ID theft bill with other committee members.

Smith's bill could incorporate pieces of Feinstein's bill and the legislation sponsored by Nelson and Sen. Charles Schumer (D-N.Y.). The Schumer-Nelson bill would require breach notification, would require companies to notify consumers when they plan to sell their personal information and would require companies to take reasonable steps to protect personal information.

Schumer and Nelson announced an addition to their Comprehensive Identity Theft Prevention Act that would require companies that ship personal data on tapes or disks to take security measures such as encryption. The addition to the bill is a response to recent announcements by the Bank of America Corp. and Citigroup Inc. that tapes containing millions of personal records were lost during transit using commercial delivery services, Schumer said.

Schumer compared the value of personal information such as Social Security and drivers license numbers to gold. "All companies ... need to guard our identities as if they were gold, because in the hands of identity thieves, they are gold," he said. "We don't transport gold the way we transport a crate of oranges."

But FTC members also questioned a piece of the Schumer-Nelson bill that would create an ID theft clearinghouse at the FTC. With an estimated 10 million cases of ID theft a year in the U.S., the FTC doesn't have the resources to handle every case, even with a $60 million budget increase in the bill, said Orson Swindle, an FTC commissioner. "That would be too much for any one agency," he said.

To personally handle just 120,000 cases of ID theft a year, the FTC would have to add about 1,000 employees, nearly doubling its size, Swindle added.

The FTC already works to educate U.S. residents about ID theft, and it does impose fines on companies that are careless with personal data, Majoras added. The FTC has taken action against five companies that didn't comply with their own data-protection policies, and on Thursday, it announced a settlement with a sixth company, BJ's Wholesale Club Inc.

2004 identity theft statistics put Arizona at the top
Arizona City News
Raising Awareness About Identity Theft
Staff Reports, Arizona City Independent June 21, 2005

According to 2004 figures released by the Federal Trade Commission (FTC), Arizona is number one in the country for the number of cases of identity theft followed by Nevada, California and Texas. In the FTC's National and State Trends in Fraud & Identity Theft report, employment-related fraud and credit card fraud make up the largest number of identity theft complaints.

Many people don't realize that bits and pieces of their personal information can be a gold mine to an identity thief. In fact, a person's name, address and phone number may be enough for an identity thief to commit fraud or damage a person's good name or credit.

"It's a very serious problem in Arizona," said David Mitchell, AARP Arizona State Director.

According to recent figures released by the Federal Trade Commission, Arizona is number one in the country for identity theft.

"In the most serious cases, people who have had their name stolen are refused loans, have lost their job or have even been arrested for crimes they haven't committed." Mitchell adds that cleaning up after an identity thief can also take years, hard work and money. In an effort to raise awareness of the rising problem of identity theft in the state, AARP Arizona has launched a campaign to inform people about this type of fraud and what people can do to protect themselves.

"The first thing to remember is to exercise caution when anything involves the release of your personal information especially your Social Security number," said Mitchell. "It's also good practice to ask how your personal information will be used or if it will be shared with others."

Mitchell suggests that people keep their Social Security card in a secure place and limit the amount of credit cards and other personal information carried in wallets or purses.

Another step to protecting against identity theft is to guard mail and trash. "It's wise to use official post office collection boxes for outgoing mail instead of unsecured cluster mailboxes. Identity thieves can easily break into them and steal mail that contains personal information."

AARP advises that people shred any mail that is discarded in the trash.

"Identity thieves dumpster dive, which means they forage in dumpsters for personal information that people throw away, they then take that information and commit fraud," said Mitchell.

AARP recommends that consumers order their credit reports at least once a year to monitor for any suspicious activity.

To report the theft or loss of your credit card, driver's license, social security number, etc. (or to get your credit report), contact: Equifax at (800) 685-1111; Experian at (888) EXPERIAN; or TransUnion at (800) 916-8800.

After reporting your case of identity theft, these agencies will forward your report to various state and local agencies around the country. This puts bank tellers, merchants, etc. on alert that your information and/or identity were reported as stolen.

Saturday, June 18, 2005
Identity theft drags name through mud
By GAIL SCHONTZLER Chronicle Staff Writer

Having your identity stolen is a lot like having a venereal disease, says the attorney for Montana's consumer protection office.

"It's not ever going away," Cort Jensen said. "It's going to flare up. And you've got to call everyone you've ever had credit with and tell them you have this problem."

Jensen shared lessons on protecting yourself from consumer fraud with 120 business and consumer-science teachers from across the nation, who attended this week's conference organized by Montana State University's Family Economics and Financial Education Program.

People worry about their identity or credit card information being stolen through the Internet, and there are ingenious scam artists operating online.

But identity theft doesn't require high technology, Jensen said.

If your driver's license number is still the same as your Social Security number, every time you write a check at a local store, you are giving a minimum-wage worker your most valuable financial information -- your banking account and Social Security numbers.

Waiters who take your credit card in a restaurant can secretly use scanning devices to steal your numbers, or simply go in a back room and write them down.

"Most are honest, fine people," Jensen said, "but it only takes one to ruin your life."

Burglars can sneak into your house, steal your credit card and bank numbers, and start charging up a storm in your name. Thieves can grab unsolicited credit card applications out of your mailbox or your garbage and apply for credit in your name, using a change of address form. Roommates, or the strangers who move into your old apartment, can do the same.

On the Internet, there are two big ways of stealing your identity, called "phishing" and "pharming," Jensen explained.

In phishing, you receive an e-mail from what appears to be a bank or PayPal, for example, saying your account has been jeopardized and you need to change your password. You click on the e-mail's link and go to a Web site that appears legitimate, but is actually a look-alike counterfeit site. Once you give the crooks your password, bank or credit card or Social Security numbers -- they're off and running.

"They throw out a hook and bait, and reel you in," Jensen said.

Pharming is even more dangerous, he said. The hacker maliciously plants a "seed" in your computer, often by e-mail, and it sits there doing nothing, until you go on-line to a secure site, like Amazon's. The moment you do, it takes over and steers you to a look-alike site, which harvests your credit card numbers and passwords.

Phishing is easy to avoid -- just don't respond to the e-mail. But pharming is tougher. It can only be stopped by using good spyware-removal software, like Spybot and Ad-Aware, Jensen said. They're available free at www.download.com.

"Pharming is relatively new, but we think in the next year it's going to be the big way to do it," he said.

There's no magic cure for identity theft. Once you're a victim, you face a series of awkward, painful steps that you will have to take "forever."

Victims should go to the Federal Trade Commission's Web site, ftc.gov, Jensen said. It explains how to download an identity theft form, fill it out, and take it to local police.

You also need to contact at least one of the three major credit bureaus, preferably all three. Keep a copy of your correspondence, and send every letter to creditors by certified mail to document when you notified them.

Most victims want vengeance, or want police to bring the bad guys to justice. Odds are that's never going to happen, Jensen said. White-collar crime tends to be a low priority, and the crooks may be in Georgia, Russia or Africa.

For the next 18 months or longer, your credit rating is going to be in the toilet. That means no home loans, and even your health insurance rates will go up.

"You're going to have to fight, send lots of letters, talk to lots of debt collectors, who are not going to believe you," Jensen said. "If all that happens is you spend two years fighting debt collectors over debts you did not incur, you're lucky."

If the bad guys get arrested -- for theft, murder, whatever -- and give the cops your name, and disappear, arrest warrants may be issued for you. You may end up being stopped at a traffic light and thrown in jail.

College students may go to a bank to find out why their financial aid was canceled and end up behind bars. College students should check their credit reports before they leave for college, he said.

If your identity is stolen, you can request a "credit freeze" from credit bureaus so that no new credit cards are issued in your name. In some states, you can place a "credit lock" on your accounts, adding a new password for protection.

Even that isn't foolproof -- thieves have stolen people's identities, then called up credit bureaus claiming to be the victim and requesting a credit lock password -- beating the real victim to the punch.

Montana doesn't yet have the credit lock option, but it will be proposed for the 2007 Legislature, Jensen said.

Montana has two new laws taking affect this year that should help, he added. One will allow a victim of identity theft to go to police and get a "passport" identifying the individual as someone whose identity has been stolen.

The other law requires businesses to protect the confidential information they gather, and if there's a security breach, they are required to notify individuals whose information has been compromised.

Posted on Wed, Jul. 20, 2005
How our home burglary became an identity-theft battle
IF STREET-LEVEL CRIMINALS GET INTO YOUR HOME, YOUR PERSONAL DATA IS AT RISK
By Miguel Helft

It was a garden-variety burglary: The crooks walked into our back yard through an unlocked gate, shattered a window with a brick and made off with all of my wife's jewelry, some personal papers and other items.

In a matter of days we dealt with the expected headaches. We filed police reports and insurance claims, got our house in order and worked to put the nasty incident behind us.

But other headaches came along and they were Tylenol busters. Months after the burglary, we realized we were caught in a dangerous cat-and-mouse game with identity thieves. We had taken steps to protect ourselves, but the thieves were persistent. Eighteen months later, we're still ahead, but I count my blessings. The experience taught me valuable lessons about identity theft:

• Petty criminals are in on the game.

We often hear that identity theft is the domain of sophisticated international rings that break into the databases of big business to steal thousands of electronic records. The petty thieves who broke into our home were nothing of the sort. But they were savvy enough to know it's not just watches and necklaces that can be sold for cash. My personal data had a street value too. That's why they took the trouble to find my Social Security card, mortgage statements, checkbook and passport.

It's unlikely the thieves who broke into my house are the ones who tried to steal my identity, the local cops told me. Instead, street criminals are now part of the identity-theft supply chain. If it looks like petty thieves stole your mail or dipped into your recycling, suspect the worse. Better yet, get a locking mailbox, never throw personal papers into your recycling without shredding them first, and keep a close eye on all your financial records.

• Once your personal information is stolen, it pays to be paranoid.

Immediately after the burglary, we changed bank account numbers. Yet several months later, a man walked into one of my bank's San Francisco branches. He carried a driver's license with my name and his picture. He had my Social Security card and knew my new bank account number and exact balance. He wanted to close the account and walk away with my savings. I was lucky because the bank teller got suspicious long enough to make the guy nervous. He walked away empty-handed.

It turns out that changing bank account numbers had given me a false sense of security. My bank should have told me that I'd be better off changing banks because with all the information the thief had, he could easily get my new account number. All he had to do was claim that he had forgotten his account number, offer some additional information -- such as my Social Security number, place and date of birth -- and he could get my new account number and balance. And he could do all this on an automated phone system, without ever coming into contact with a bank employee.

• Strong consumer laws are necessary so potential victims can protect themselves.

Five months after the burglary, Target called me saying someone at a San Bruno location had tried to get a store credit card in my name. My alter ego was thwarted because I had placed a ``freeze'' on my credit report. With it, no one could get access to my credit.

California is one of four states that allow residents to freeze their credit reports. The best that residents of other states can do is place a ``fraud alert'' on their credit report. The alert is supposed to prod banks to call you before they issue credit in your name, to ensure that you have indeed requested it. But the San Diego-based Identity Theft Resource Center says that about one in three times, banks don't bother. In other words, fraud alerts are ineffective.

Seven other states have passed credit-freeze laws this year and Congress is considering a national law. But large retailers, mortgage lenders and other businesses oppose them. They warn that consumers with frozen credit files will not be able to get mortgages or access to instant credit.

That's nonsense. When I applied for a new mortgage two months after the burglary, I simply lifted my credit freeze temporarily and got my loan without a hitch. Technology allows financial institutions to process such requests in as little as 15 minutes.

Congress needs to stand firm and give everyone the tools to take control of his or her credit -- and identity.

Miguel Helft is a Mercury News editorial writer. His column on technology policy appears the first and third Wednesdays of each month.

ID theft ring hits 50 banks, security firm says
By Ingrid Marson
Special to CNET News.com

Published: August 8, 2005, 12:06 PM PDT

A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation.

The operation, which is being investigated by the FBI, is gathering personal data from "thousands of machines" using keystroke-logging software, Sunbelt said Monday. The data collected includes credit card details, Social Security numbers, usernames, passwords, instant-messaging chat sessions and search terms. Some of that data is then saved in a file hosted on a U.S.-based server that has an offshore-registered domain, according to Sunbelt.

In the two days that Sunbelt has been monitoring the file, the company has seen confidential financial details of customers of up to 50 international banks, said Eric Sites, vice president of research and development at the Clearwater, Fla.-based security software maker.

"For almost every bank that is listed (in the file), it's possible to get into the person's account," Sites said.

Along with passwords for online banking sites, information on credit cards also has been gathered. Sites said that Sunbelt had found one customer's credit card number, expiration date and security code, in addition to name and address. That information would allow anyone to use the credit card, he said.

"The types of data in this file are pretty sickening to watch," Sunbelt President Alex Eckelberry wrote in a blog posting dated Saturday. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money."

Sunbelt said that the people behind the scheme have obtained access to a considerable amount of bank information, including details about one company account containing more than $380,000 and another account that has "readily accessible" funds of more than $11,000.

An FBI representative was unable to confirm whether or not an investigation was taking place.

The data theft is carried out by a Trojan horse downloaded at the same time as CoolWebSearch and a mail zombie, Sunbelt said. Patrick Jordan, a Sunbelt employee, discovered the identity theft ring while researching a variant of CWS, which is a malicious program that hijacks Web searches and disables security settings in Microsoft's Internet Explorer Web browser.

"During the course of infecting a machine, he (Jordan) discovered that a) the machine he was testing became a spam zombie and b) he noticed a call back to a remote server. He traced back the remote server and found an incredibly sophisticated criminal identity theft ring," Eckelberry wrote in the blog posting. "We are still trying to ascertain whether or not this is directly related to CWS."

The malicious code is hosted on a Web site that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP who have not installed Service Pack 2 are particularly vulnerable, as the code could be automatically downloaded without the user's knowledge, Sites said. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable.

"If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from the Web site, including the Trojan. All you have to do is type in the URL and you're hosed," Sites said.

The Trojan is a new variant, so antivirus and anti-spyware vendors do not yet block it, Sites said. Sunbelt plans to send information on the Trojan to security companies as soon as possible.

The activity could be the latest attempt by a criminal gang to use spyware for financial gain. In March of this year, Britain's National Hi-Tech Crime Unit foiled an attempt to steal about $390 million from the Japanese bank Sumitomo Mitsui. In that case, keyloggers were used to relay passwords and access information to the criminals who intended to transfer the funds electronically. A man in Israel was arrested after allegedly trying to transfer $25 million of the funds.

"We are aware of (Sunbelt's claims) that personal information was captured. But we can't confirm it until we can take a look at it," said an eBay spokesman. "If it is the case, we will act accordingly and appropriately."

eBay owns online payment service PayPal.

Ingrid Marson of ZDNet UK reported from London. CNET News.com's Dawn Kawamoto contributed to this report.