Wednesday, February 07, 2007

Solving Identity Theft

Identity theft is the information age’s new crime. A criminal collects enough personal data on the victim to impersonate him to banks, credit card companies and other financial institutions. Then he racks up debt in the victim’s name, collects the cash and disappears. The victim is left holding the bag.

While some of the losses are absorbed by financial institutions--credit card companies in particular--the credit-rating damage is borne by the victim. It can take years for the victim to completely clear his name.

So far, we’ve seen several “solutions” to this problem: forcing companies to disclose when they lose personal information, forcing companies to secure personal information, forcing financial institutions to enhance their authentication procedures. Unfortunately, these won’t help.

To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.

The real crime here is fraud--more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin.

A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the post office and gets the victim's address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; instead, identity information is being misused to commit fraud.

Such crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud.

This is what you read about in the news: personal information stolen from companies, banks, universities, government databases.

But data privacy is about more than just fraud. Whether it is the books we take out of the library, the Web sites we visit or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.

The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else's name. It’s not that hard to conduct fraudulent bank transactions in someone else’s name.

And it’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue--making personal data harder to steal--whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders.

That leaves only one reasonable answer: financial institutions need to be liable for the cost of fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

They should not be able to demand that the user must keep his password secure or his machine virus-free. They should not be able to require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies like American Express are generally liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud either.

They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it's two-factor authentication--ID cards, biometrics, or whatever--there’s a widespread myth that authenticating the person is the way to prevent these crimes.

But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the transaction, not the person, is the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone or Internet, where no one verifies the signature or even that you have possession of the card.

Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way. Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions.

Maybe there will be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling in a bunch of information on a form.

Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we'll never know until the financial institutions have the financial incentive to put them in place.
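One way to express the transaction-level controls suggested above (a daily withdrawal limit, a delay on large transactions, a call-back from the bank), as an added example that is not from the original article. The thresholds, account names, the `Screener` class and the tighter handling of breach-flagged accounts are assumptions made for illustration; no check depends on who is presenting the credentials.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

# Every threshold below is a constructed value, in cents.
DAILY_LIMIT = 500_00            # rolling 24-hour cash withdrawal limit
FLAGGED_DAILY_LIMIT = 200_00    # reduced limit for breach-exposed accounts
HOLD_THRESHOLD = 1_000_00       # transfers at or above this are delayed
CALLBACK_THRESHOLD = 10_000_00  # transfers at or above this need a call-back
HOLD_PERIOD = timedelta(hours=48)


class Decision(Enum):
    APPROVE = "approve"
    HOLD = "hold"            # executed only after the release time
    CALL_BACK = "call_back"  # bank confirms out of band before executing
    DECLINE = "decline"


@dataclass
class Txn:
    account: str
    kind: str      # "withdrawal" or "transfer"
    cents: int
    at: datetime


@dataclass
class Screener:
    flagged: set = field(default_factory=set)    # accounts exposed in a breach
    history: dict = field(default_factory=dict)  # account -> approved withdrawals

    def _withdrawn_24h(self, account, now):
        """Sum approved withdrawals in the 24 hours before `now`, pruning older ones."""
        cutoff = now - timedelta(hours=24)
        recent = [(t, c) for t, c in self.history.get(account, []) if t > cutoff]
        self.history[account] = recent
        return sum(c for _, c in recent)

    def screen(self, txn):
        """Return (Decision, release_time); release_time is set only for HOLD."""
        if txn.cents <= 0:
            return Decision.DECLINE, None
        exposed = txn.account in self.flagged
        if txn.kind == "withdrawal":
            limit = FLAGGED_DAILY_LIMIT if exposed else DAILY_LIMIT
            if self._withdrawn_24h(txn.account, txn.at) + txn.cents > limit:
                return Decision.DECLINE, None
            self.history[txn.account].append((txn.at, txn.cents))
            return Decision.APPROVE, None
        if txn.kind == "transfer":
            # Exposed accounts escalate from a delay to a call-back.
            if txn.cents >= CALLBACK_THRESHOLD or (exposed and txn.cents >= HOLD_THRESHOLD):
                return Decision.CALL_BACK, None
            if txn.cents >= HOLD_THRESHOLD:
                return Decision.HOLD, txn.at + HOLD_PERIOD
            return Decision.APPROVE, None
        return Decision.DECLINE, None  # unknown transaction kinds fail closed


def demo():
    """Screen a constructed sequence of transactions and return the decisions."""
    t0 = datetime(2007, 2, 7, 9, 0)
    s = Screener(flagged={"acct-B"})
    sample = [
        Txn("acct-A", "withdrawal", 300_00, t0),
        Txn("acct-A", "withdrawal", 300_00, t0 + timedelta(hours=1)),   # over daily limit
        Txn("acct-A", "withdrawal", 300_00, t0 + timedelta(hours=25)),  # window rolled over
        Txn("acct-A", "transfer", 2_000_00, t0),
        Txn("acct-A", "transfer", 15_000_00, t0),
        Txn("acct-B", "withdrawal", 300_00, t0),                        # flagged account
        Txn("acct-B", "transfer", 2_000_00, t0),
    ]
    return [s.screen(t)[0] for t in sample]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```
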

Right now, the economic incentives result in financial institutions that are so eager to allow transactions--new credit cards, cash transfers, whatever--that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants.

But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks. Security technologies can work wonders in preventing identity theft, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by other misuse of third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act such as exists in the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation.

To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply won't work.

Credit Card Companies Watchful after Retailer's Customer Data Breach

Banks and credit card companies scrambled to tell their customers in the United States and overseas to watch for fraudulent activity after TJX Cos., parent of retailers Marshalls and T.J. Maxx, disclosed thefts of customer data from its computer system.

TJX said hackers had broken into a system that handles credit and debit card transactions, as well as checks and merchandise returns for customers in the U.S. and Puerto Rico. Customer accounts from the U.K. and Ireland may be affected, it said.

TJX officials refused to say how many customers were affected, but The Wall Street Journal reported Thursday that more than 40 million cards may be affected.


Spokeswoman Sherry Lang said TJX has identified a "limited number" of credit and debit card holders whose information was stolen from its computer system, adding that the number was "substantially less than millions."

A smaller number of customer names with driver's license information was stolen from the system, she said.

Visa USA said in a statement it has provided the affected accounts to banks that issue its cards so they can take steps to protect consumers. The company said it is assessing all credit card transactions in real time to help banks distinguish fraudulent transactions from legitimate ones.

Bank of America and American Express also said they are monitoring their credit cards for unusual activity. Christine Elliott, a spokeswoman for American Express, said the company has not seen any fraudulent purchases.

Visa and other credit card companies pointed out that consumers are not responsible for fraudulent purchases.

Lang said the company believes the breach happened in May but involves credit card information dating back to 2003. The break-in was discovered in mid-December but was kept confidential until Wednesday at the request of law enforcement officials.

TJX has not been informed of any fraudulent purchases at this point, Lang said. The company posted advice on checking credit records on its Web site. The company said it has hired General Dynamics Corp. and IBM Corp. to upgrade its security system.

Mike Cook, a co-founder of ID Analytics, a San Diego-based company that detects and prevents identity fraud, said only a small percentage of accounts involved in a data breach end up misused.

"If you are a consumer and you're part of the TJX breach, you are hoping it's 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach," Cook said.

Protect yourself from ID theft

There's a way for you to protect yourself from fraud and identity theft while improving your credit card score at the same time.

The Better Business Bureau says it's much easier than you might think.

From email and spam to phone calls from telemarketers and junk mail, they can all be summed up with one word - annoying.

"Spam is a bother, a phone call is a bother,” said Tom Bartholomy, President of the Better Business Bureau in Charlotte.

A website from the Consumer Credit Reporting Industry allows people to keep unwanted credit cards out of their mailbox.

He says an increasing number of consumers are turning to things like the Do-Not-Call Registry and spam blockers. When it comes to junk mail, there's one particular piece of mail you need to watch out for, and that’s credit card offers.

“That's what they're looking for,” he continued. “Those types of opportunities to say ‘Oh look, Jane Smith got this credit card offer, I can just fill it out, change the address, have the card sent to the scammer.’ Boom, you're a victim of credit card fraud."

Even if the cards haven't been activated, they can still lead to fraud or identity theft. There's an easy way to protect yourself. OptOutPrescreen.com allows people to keep unwanted credit cards out of their mailbox.

“This is one of the biggest consumer secrets that's out there right now,” Bartholomy added.




"OptOutPrescreen.com has been a great tool that we've used to increase their credit score by as much as 50 points within five days,” said Heather Goodall, an account executive at the First National Bank of Arizona. She says she tells all her customers to opt out of getting credit card offers.

"I don't know of any other tool that you can use and potentially increase your credit score potentially that much in such a short period of time,” she continued.

Bartholomy said, "That's a win, win, win all the way around."

The Better Business Bureau says, unfortunately, there's little people can do to cut down on junk mail. If you'd like to stop getting credit card solicitations, visit OptOutPrescreen.com.

South Africa: Card Fraud Suspect Wins Bail

A Bulgarian woman has been released on bail while her Cape Town fiancé awaits formal charges of fraud involving close on R1 million.

Antoinette Pitkova, 25, and Mario de Oliveria were arrested at their Table View home late last year. They appeared before Magistrate Mogamad Esau in the Cape Town Magistrate's Court yesterday.

Pitkova had been denied bail in her last court appearance, despite her attorney's appeal for medical treatment.

He said she displayed suicidal tendencies and had chest pains.

The State alleges that the couple manufactured illegal credit cards at their home.

State advocate Zama Matayi said the State no longer opposed bail. He proposed a bail amount of R10 000 and suggested strict bail conditions.

Defence attorney George Catsicadellis, the third attorney to go on record for both accused since their arrest on December 28, read out Pitkova's affidavit and confirmed the recommended bail and conditions.

The accused were arrested during a raid in which police seized about R200 000 of electronic equipment used in the manufacture of credit cards.

The equipment included a skimming device used to read, write and encode credit cards and an embossing machine to imprint the details of the alleged cardholder.

Police also seized 100 blank plastic cards ready for production, five computers and two unlicensed firearms.

Esau set bail at R10 000 on condition that Pitkova handed over her two passports and any other travel documents to the investigating officer, that she reported to the Table View police station every second day, and that she stayed away from the country's border posts.

A smiling Pitkova seemed in good spirits, unlike her crying and disorientation in her previous court appearances.


Matayi requested a postponement. Catsicadellis confirmed the request for the charge sheet and asked that the postponement be marked for a bail application.

Matayi said the case was still being investigated and that alleged offences so far involved more than R500 000.

Esau remanded De Oliveria and postponed the case to next Tuesday for a provisional charge sheet and a bail application hearing.

Rs 13.5-cr credit card scam busted

Amid concerns over rising credit card fraud cases across the country, the Mumbai police has unearthed a massive Rs 13.5 crore online air ticket scam, sending shockwaves among credit card users across the country.

According to Mumbai police sources, the Economic Offences Wing of its crime branch on Wednesday busted the Rs 13.5-crore credit card racket that cheated Kingfisher Airlines by fraudulently booking more than 15,000 tickets on the Internet using credit card numbers. The police have arrested one person, Ahmed Sheikh, in this connection.

The police claim the gang had floated a travel agency, called KGN Aviation, and used to book airline tickets online using credit card numbers obtained from hotels, shopping malls, restaurants and other retail outlets.

The scam came to light after the airlines lodged a complaint with the EOW December 21 last year, regarding the massive scale on which online tickets were being booked fraudulently. Most of the credit cards used for the transactions were from the ICICI Bank.

"Consumers, whose credit card numbers the gang had got hold of, were stunned after receiving bills of transactions which they never made. As a result, they began complaining to the bank. The complaints swelled between July and November last year," news agency IANS quoted a senior EOW official as saying.

"Suspecting fraud, the bank asked the customers not to pay the money they had not actually spent on the tickets and instead charged the amount of Rs 135 million back to Kingfisher Airlines."

"It was then that the airlines lodged a complaint with us, saying 15,255 tickets were fraudulently booked through the net and in each case the gang had used a different credit card number," the EOW official told IANS.

"After receiving complaints from Kingfisher Airlines, we began our investigations and stumbled upon KGN Aviation. The gang had intercepted details of all the 15,225 credit cards from accomplices in various hotels, restaurants, malls and retail outlets," he said.

"They knew the credit card numbers, expiry dates and customer verification value (CVV) numbers — the additional three digits printed on the signature strip on the back of the card," the official said.

"The modus operandi of the gang was to log on to the websites of leading private airlines that issued email confirmations of bookings. The gang used the details to book tickets online and take printouts of the email confirmations which could be exchanged with boarding passes or tickets," he added.

The members of the gang would then hang around at international air transport association (IATA) offices, restaurants and bars and befriend frequent as well as first time flyers, by offering them tickets at a much cheaper rate than offered by travel agents, the official said.

"Though we have arrested Sheikh, we are on the lookout for Sameer Kasam Sheikh, the mastermind of the scam, and also trying to locate the computers from which the gang operated. Several cyber cafes are also under the scanner, from where the gang is believed to have operated. More arrests are likely to be made soon," he said.

Bank card users get fraud warning

Central Kentucky consumers who have used a credit card or debit card when shopping at T.J. Maxx, Marshall's or HomeGoods will want to watch their bank or credit card statements carefully.

And some of them may want to watch the mail for a new debit card.

TJX, a Massachusetts-based company that operates T.J. Maxx, Marshall's, HomeGoods and several other retail chains in the United States and abroad, announced last week that an "unauthorized intruder" had hacked into the system that the company uses for credit and debit card transactions, checks and merchandise returns.

Because of the possibility of fraud, TJX notified the credit card companies of individuals whose credit and debit card information might have been compromised, and the credit firms have since been notifying financial institutions of their customers' situations.

Banks and credit unions decide whether to issue new cards to those customers or to keep an eye on their accounts for fraudulent transactions.

At JP Morgan Chase, "we constantly are monitoring and are involved in the fraud prevention," said spokeswoman Nancy Norris.

The company is not automatically issuing new cards to individuals whose account numbers might have been stolen, she said.

"We continuously monitor accounts for any suspicious behavior and notify cardmembers immediately if something unusual is detected," Chase said in a statement.

About 200 debit cards issued by the Lexington Postal Credit Union have been compromised and are being replaced, said Sharon Moore, president of the organization.

The likelihood that those debit cards would be used to make fraudulent purchases is slim, she said. But to be safe, the credit union is immediately blocking affected cards and ordering new ones for those customers.

"The risk is probably really low, but we don't want to play with that risk," Moore said.

After blocking the cards, Moore said, the credit union has been notifying the customers of the situation.

However, some customers who use their cards frequently have been learning of the issue the hard way -- as they try to use their card and it is declined.

When the University of Kentucky Federal Credit Union was notified of compromised accounts, it flagged the accounts and ordered new debit cards for the customers, said interim CEO Greg Baker.

In the meantime, rather than blocking all transactions to those cards, Baker said the UK credit union has been lowering the limits on the charges that can be applied while still allowing the customer to use the card.

Baker declined to say how many credit union members have been affected, but he said none have been the victims of fraudulent purchases.

TJX has not said how many people's information might have been stolen nationwide.

The company said the stolen customer data included information from 2003 transactions, as well as information from mid-May 2006 through December, when the breach was discovered.

Avivah Litan, a data security analyst for Gartner Inc., said it could be difficult for the company to determine the scope of the breach because the thieves had a lot of time to sell and circulate the information before the hacking was discovered.

Some of the customer data has been used to make fraudulent debit card and credit card purchases in Florida, Georgia, and Louisiana, and in Hong Kong and Sweden, according to the Massachusetts Bankers Association.

"We expect that this is going to continue and the fraud may widen," said Bruce Spitzer, spokesman for the Massachusetts group.

He said the cost to banks of reissuing hundreds of thousands of cards alone will be "enormous."

This kind of information breach is not uncommon in today's technology-driven economy.

But Heather Clary, spokeswoman for the Better Business Bureau of Central and Eastern Kentucky, said consumers can use technology to their advantage.

Rather than having to wait for a monthly statement, consumers now have the ability to catch fraud more quickly by checking their bank and credit card accounts online frequently.

"Diligence is the key," she said.

Clary also said consumers who notice something suspicious on their statements should notify their financial institutions immediately.

"Don't delay if you see something that's unauthorized," she said.

Credit card companies have noted that consumers are not responsible for fraudulent purchases, but it's easier to correct such situations when they're caught quickly.

Consumers should also protect against fraud by taking advantage of free annual credit reports, which are available at 1-877-322-8228 or at www.annualcreditreport.com.

Although major thefts of information like this one get lots of attention, Norris, of JP Morgan Chase, said most fraud "is still done the old fashioned way" -- by thieves who steal cards, sift through the trash for account numbers or peek over consumers' shoulders to see their card numbers.

"You're more at risk if you aren't personally protecting your number," she said.

Canadian banks say no signs of credit card fraud victims after Winners breach

Several Canadian banks said Thursday they have had no reports of credit card fraud after a security breach at the parent company of Winners and HomeSense.

Officials at Royal Bank, Bank of Montreal, and TD Bank all told CBC News that they have seen no cases of fraud stemming from the breach at Massachusetts-based TJX Cos. Visa officials in Canada also said they have not seen cases of abuse from the case.

In an interview with CBC News, RBC spokeswoman Beja Rodeck encouraged customers to examine their accounts for any signs of credit card fraud. She added that customers will not be held responsible in cases of fraudulent use of their cards.

Customer information stolen from TJX has been used to make fraudulent debit and credit card purchases, the Massachusetts Bankers Association confirmed Wednesday. The fraudulent purchases were made in Florida, Georgia and Louisiana, as well as in Hong Kong and Sweden, the association said.

While the association made no mention of Canada, the Globe and Mail, quoting financial sources, reported Thursday that thousands of Canadians are indeed among the fraud victims.

Last week, TJX said hackers stole customer information from its computer systems.

The company has refused to say how many customers had their data stolen or accessed by a computer hacker, but the Globe and Mail reported it could be two million Visa credit card accounts in Canada and roughly 20 million worldwide.

The Massachusetts Bankers Association said it has heard from 60 of its 205 member banks and is expecting the number of fraud cases to grow.

TJX has not commented on these latest reports.

The company is considering offering free credit card monitoring to customers whose cards have been exposed.

A customer alert notification remains on the company's website — including on the Winners and HomeSense sites in Canada — advising people to find out whether they have been victims of fraud.

Credit card fears widen

Anne Marie Jean of Brockton wasn't scared away from shopping at A.J. Wright in Brockton this week, but since reports that credit and debit card numbers were stolen from its parent company, TJX Companies, she'll think twice about using anything but cash.

“I would be worried,” she said of using her card, even though she has done so in the past.

Local bankers are worried, too. Local banks and credit unions are reissuing thousands of cards to their customers who may have been affected, but the scope of the data theft is still unclear. Framingham-based TJX Companies, the parent company of U.S. stores T.J. Maxx, HomeGoods, Marshalls, A.J. Wright and Bob's Stores, reported Jan. 17 that computer hackers gained access to an undetermined number of credit card and debit card numbers in a security breach in December — possibly committed by a high-tech, international organized crime ring.

Hackers may have data associated with purchases made in 2003, and between May and December in 2006, according to a statement from the company.

The company has determined that transactions at Bob's Stores were not involved in the security breach, according to an advertisement in today's paper.

Last week, evidence of the stolen data began to appear on the bank statements of innocent consumers. According to news reports on TheBostonChannel.com, Paula O'Rourke of Holbrook was a victim of credit card fraud in December after shopping at HomeGoods in Florida.

She believes the fraudulent purchases stem from the use of her card there.

Meanwhile, bank and credit union workers scrambled to protect their customers.

“We have a whole team of people working on this,” said Jim Blake, president and CEO of Brockton-based HarborOne Credit Union.

While the company is still investigating the records of Bob's Stores purchases, customers who made purchases at any of its other American stores may have had their credit card or debit card information stolen, said a TJX customer service representative.

While the card numbers weren't associated with names or addresses, some of them have been used to make fraudulent purchases in Florida, Georgia, Louisiana, and abroad in Hong Kong and Sweden.

“That says to me that this information has been sold,” said Blake. “These are not people operating out of a basement in a building. They are highly trained — some at U.S. universities — working for organized crime units around the world, mostly outside of the U.S.”

In addition to using the numbers to make purchases, thieves are also mining sources for data associated with those numbers to steal entire financial identities, Blake said.

“You could wake up one day with a $300,000 mortgage on a house in Florida, but no house,” he said.

To protect members of HarborOne Credit Union, 9,000 new cards will be issued to some of its 97,000 members. Rather than wait for a report of fraudulent activity, the credit union will issue new cards to any account identified by Visa or Mastercard as associated with the TJX security breach, Blake said. The processing and replacement cards will cost the credit union $100,000, he added.

Security breaches occur on nearly a monthly basis, Blake said, but this is the largest to date.

Randolph Savings Bank will issue 1,500 new cards to its affected members, said Tom Trummey, senior vice president and chief operating officer. The compromised accounts represent a small percentage of the 12,000 cards issued by that bank, he said.

But Trummey himself had to get a new card, since he had used his Randolph Savings Bank debit card to holiday shop at area T.J. Maxx and Marshalls stores, and his account was compromised.

But he hasn't been scared away from making electronic purchases, he said. Neither was Andrea Beaumont of Taunton, who was shopping at T.J. Maxx in Taunton Friday. “I just figure I'll be lucky, I guess.”

Many consumers continue to try their luck, and rightly so, said John Hurst, president of the Retailers Association of Massachusetts. “People shouldn't feel they should pay for everything with cash. Making electronic purchases can be safer than carrying around a lot of cash, and you are protected,” he said.

Consumers are “held harmless” for fraudulent purchases, he said. “They're not going to charge you for criminal activity on your account. Report it immediately, and you'll be OK,” he said.

Some consumers forego the conscientious approach, but still aren't worried. Sarah Seavey, of Norton, was shopping with her card Friday at T.J. Maxx in Taunton, but she doesn't think the number would do thieves any good. “There's no money in the account anyway,” she said.

Officials at Bristol County Savings Bank in Taunton declined to be interviewed for this story.

Credit card fraud could be stopped

In the future, identity thieves and Internet hackers may find themselves out of a job - or at least that's what one Calgary scientist is hoping.

Wolfgang Tittel, from the University of Calgary's Centre for Information Security and Cryptography, is working on a way to secure personal information to stop those trying to gain unauthorized access.

His approach marries quantum information science with encryption technology. The offspring of these - he hopes - will be a system that moves data on light particles so fast, it essentially teleports it from one end to another.

Tamper-proof info

To achieve this ultra-secure state, Dr Tittel is using fibre optics to send data on photons. The fibre optics would act as superhighways for bits of information. Hypothetically, this data would move so fast that any attempt by a hacker to obtain private information would interrupt the flow and alter the encryption in such a way that it would show it has been tampered with.

A fundamental law in quantum physics holds that it is impossible for a hacker to access a key without changing it: In this application, security codes would be carried in bundles with a particular configuration. If the bundles were disrupted during transmission, they re-configure and the information scrambles.

Today and tomorrow

At the moment, there is no way to tell whether a key has been accessed. Some technologies are capable of scrambling the information for short periods of time, but they still leave questions as to whether it was copied.

But Dr. Tittel is working to change that in the next several years. While he notes that initial uses will likely be the military, he projects that one day, everything from Internet banking to medical records will be hacker-proof.
