• Understanding ID Theft: Info for Consumers, Businesses, Organizations
• Self-Assessment
• White Papers about Fraud
• Trend Pieces about Fraud
• Expert Analyses
• Legislative Alerts
• Resources/Links
• Identity Theft Glossary

Understand All the Risks of ID Theft and Sensitive Personal Information Fraud

• Business and Organization Risks - Businesses, Hospitals, Universities, and other organizations that collect personal information face special risks. Learn how to minimize those risks and recover from a data breach.
  New! Top 10 Tips for Businesses: A Guide to Data Breach Prevention and Response
• Consumer Risks - The risks of ID Theft are extend far beyond credit card fraud. Learn how to protect yourself from all the risks you face when someone steals your personal information.
  New! A Consumer’s Guide to ID Theft Awareness and Avoidance

Business and Organization Risks

Savvy businesspeople know that sensitive personal information can leak from the organization in a growing number of ways – it’s not just about IT anymore. Kroll’s Security Consulting group and Licensed Investigators stay acutely aware of the evolving tactics of identity thieves, and encourage you to be wary as well. Here are a few examples of where sensitive personal information threats may hide.

Be On the Lookout

Vendors and Services Suppliers

Your organization may be especially vigilant about screening employees and performing background checks. You also want to be certain that appropriate background screening is being conducted by the companies you contract with, whose employees will have access to your physical – and sometimes electronic – locations where SPI may be accessed. So much activity is outsourced these days:

• Facilities Cleaning and Maintenance
• Photocopy Equipment and Hardware Service
• Live Plant Rental or Care
• Benefits Consultants or TPAs
• Staffing Services and Temporary Help Agencies
• Remodelers
• Accounting Firms and Tax Preparers
• Movers
• Collection Agencies
• Billing Offices
• Software Developers
• ASPs

Social Networking

Also called ‘pretexting’, this scheme is simply the practice of gaining critical information by pretending to be someone else. For example:

Chances are the larger your operation, the more folks on your IT staff – which makes it easier for fraudsters to disguise themselves long enough to steal keystrokes, then data. When “Steve” from the Help Desk phones an unsuspecting staffer, there may be no hesitation about talking Steve through a character-by-character system log-on to “conduct a routine update’.

Former and Current Staff

Your employees would never intentionally try to harm your organization by breaching sensitive data. But sometimes even the most trustworthy just don’t think about what could happen…

Computer consultant hacked secret passwords of FBI director, others
By MARK SHERMAN Associated Press Writer
The Associated Press
July 06, 2006
http://news.tmcnet.com/news/-computer-consultant-hacked-secret
-passwords-fbi-director-others-/2006/07/06/1705747.htm

<Excerpt>
An FBI computer consultant gained access to the secret passwords of Director Robert Mueller and others using free software found on the Internet, the latest embarrassment in the bureau's long struggle to modernize its computers.

The consultant, Joseph Thomas Colon of Springfield, Ill., has pleaded guilty to four misdemeanor counts of intentionally exceeding his authorized computer access, and prosecutors are recommending roughly a year in prison.

Colon's lawyer is asking U.S. District Judge Richard Leon for probation, contending that an employee in the FBI's Springfield office gave Colon a password to get into the secret system to speed the installation of a new computer system. The work was part of the ill-fated Trilogy project that Mueller abandoned last year.

Consumer Risks

So much attention is paid to credit card fraud related to identity theft, it’s easy to believe that credit abuse poses the greatest risk for an individual victim. That’s not exactly true – and precisely why Kroll Fraud Solutions extends its restoration services beyond credit, to the often-hidden risks.

About Identity Theft

How can someone steal my identity?
From: http://www.consumer.gov/idtheft/con_about.htm

Despite your best efforts to manage the flow of your personal information or to keep it to yourself, skilled identity thieves may use a variety of methods to gain access to your data.

• They get information from businesses or other institutions by:
  • stealing records or information while they're on the job
  • bribing an employee who has access to these records
  • hacking these records
  • conning information out of employees
• They may steal your mail, including bank and credit card statements, pre-approved credit card offers, new checks, and tax information.
• They may rummage through your trash, the trash of businesses, or public trash dumps in a practice known as "dumpster diving."
• They may get your credit reports by abusing their employer's authorized access to them, or by posing as a landlord, employer, or someone else who may have a legal right to access your report.
• They may steal your credit or debit card numbers by capturing the information in a data storage device through a practice known as "skimming." They may swipe your card for an actual purchase, or attach the device to an ATM machine where you may enter or swipe your card.
• They may steal your wallet or purse.
• They may complete a "change of address form" to divert your mail to another location.
• They may steal personal information they find in your home.
• They may steal personal information from you through email or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known as "phishing" online, or pretexting by phone.

What are the effects of identity theft?

Once identity thieves have your personal information, they use it in a variety of ways.

• They may call your credit card issuer to change the billing address on your credit card account. The imposter then runs up charges on your account. Because your bills are being sent to a different address, it may be some time before you realize there's a problem.
• They may open new credit card accounts in your name. When they use the credit cards and don't pay the bills, the delinquent accounts are reported on your credit report.
• They may establish phone or wireless service in your name.
• They may open a bank account in your name and write bad checks on that account. It’s not uncommon for offenders to open multiple accounts in multiple places, and write bad checks on each.
• They may counterfeit checks or credit or debit cards, or authorize electronic transfers in your name, and drain your legitimate bank account.
• They may file for bankruptcy under your name to avoid paying debts they've incurred under your name, or to avoid eviction.
• They may rent a house or apartment, and sign up for utilities, in your name.
• They may buy a car by taking out an auto loan in your name.
• They may get identification such as a driver's license issued with their picture, in your name.
• They may get a job or file fraudulent tax returns in your name.
• They may give your name to the police during an arrest. If they don't show up for their court date, a warrant for arrest is issued in your name.

What is "pretexting" and what does it have to do with identity theft?

Pretexting is the practice of getting your personal information under false pretenses. Pretexters sell your information to people who may use it to get credit in your name, steal your assets, or to investigate or sue you. Pretexting is against the law.

Pretexters use a variety of tactics to get your personal information. For example, a pretexter may call, claim he's from a survey firm, and ask you a few questions. When the pretexter has the information he wants, he uses it to call your financial institution. He pretends to be you or someone with authorized access to your account. He might claim that he's forgotten his checkbook and needs information about his account. In this way, the pretexter may be able to obtain personal information about you such as your Social Security number, bank and credit card account numbers, information in your credit report, and the existence and size of your savings and investment portfolios.

Keep in mind that some information about you may be a matter of public record, such as whether you own a home, pay your real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.

By law, it's illegal for anyone to:

• use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
• use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
• ask another person to get someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.

When should I give out my Social Security number?
From: http://www.consumer.gov/idtheft/con_minimize.htm

Your employer and financial institutions will need your Social Security number for wage and tax reporting purposes. Other businesses may ask you for your Social Security number to do a credit check if you are applying for a loan, renting an apartment, or signing up for utilities. Sometimes, however, they simply want your Social Security number for general record keeping. If someone asks for your Social Security number, YOU ask:

• Why do you need my Social Security number?
• How will my Social Security number be used?
• How do you protect my Social Security number from being stolen?
• What will happen if I don't give you my Social Security number?

If you don't provide your Social Security number, some businesses may not provide you with the service or benefit you want. Getting satisfactory answers to these questions will help you decide whether you want to share your Social Security number with the business. The decision to share is yours.

I have a computer and use the Internet. What should I be concerned about?

You may be careful about locking your doors and windows, and keeping your personal papers in a secure place. Depending on what you use your personal computer for, an identity thief may not need to set foot in your house to steal your personal information. You may store your Social Security number, financial records, tax returns, birth date, and bank account numbers on your computer. These tips can help you keep your computer – and the personal information it stores – safe.

• Virus protection software should be updated regularly, and patches for your operating system and other software programs should be installed to protect against intrusions and infections that can lead to the compromise of your computer files or passwords. Ideally, virus protection software should be set to automatically update each week. The Windows XP operating system also can be set to automatically check for patches and download them to your computer.
• Do not open files sent to you by strangers, or click on hyperlinks or download programs from people you don't know. Be careful about using file-sharing programs. Opening a file could expose your system to a computer virus or a program known as "spyware," which could capture your passwords or any other information as you type it into your keyboard.
• Use a firewall program, especially if you use a high-speed Internet connection like cable, DSL or T-1 that leaves your computer connected to the Internet 24 hours a day. The firewall program will allow you to stop uninvited access to your computer. Without it, hackers can take over your computer, access the personal information stored on it, or use it to commit other crimes.
• Use a secure browser – software that encrypts or scrambles information you send over the Internet – to guard your online transactions. Be sure your browser has the most up-to-date encryption capabilities by using the latest version available from the manufacturer. You also can download some browsers for free over the Internet. When submitting information, look for the "lock" icon on the browser's status bar to be sure your information is secure during transmission.
• Try not to store financial information on your laptop unless absolutely necessary. If you do, use a strong password with a combination of letters (upper and lower case), numbers and symbols. A good way to create a strong password is to think of a memorable phrase and use the first letter of each word as your password, converting some letters into numbers that resemble letters. For example, "I love Felix; he's a good cat," would become 1LFHA6c. Don't use an automatic log-in feature that saves your user name and password, and always log off when you're finished. That way, if your laptop is stolen, it's harder for a thief to access your personal information.
• Before you dispose of a computer, delete all the personal information it stored. Deleting files using the keyboard or mouse commands or reformatting your hard drive may not be enough because the files may stay on the computer's hard drive, where they may be retrieved easily. Use a "wipe" utility program to overwrite the entire hard drive.
• Look for website privacy policies. They should answer questions about maintaining accuracy, access, security, and control of personal information collected by the site, how the information will be used, and whether it will be provided to third parties. If you don't see a privacy policy or if you can't understand it consider doing business elsewhere.