Here are some tips to help prevent identity theft:

1. In Part I of this series, I discussed the importance of generating secure and strong passwords. Make sure your corporate files are safe and all passwords are required to be at least 8 characters long. Make sure they have a random mixture of characters and numbers.
2. One way to ensure your computer is secured is to drop it in a vat of concrete and build a 10-foot tall statue over it. But of course this would make your computer very difficult to use. Keeping your computer safe is much easier than that. First, make sure only authorized people have access to your network. Use a secure network router between your computer and network connections so hackers will have a tougher time finding the computer.
3. Make sure you are keeping your website, software and operating systems updated with the latest patches. You may want to consider purchasing hard drive data encryptors.
4. You should know who has access to your mail (personal and company’s). Access to bank statements, social security numbers, insurance statements, utility bills, and any other mail that may contain financial information. It is also important to protect your trash by always asking yourself the question “Is there any personal information written on this document?” Make sure to shred all important documents, as well as seemingly innocent items like credit card offers and sky miles statements.
5. Order free credit reports to monitor your score and activity every year.

There are ways to fight back if your site has been compromised or your identity has been stolen. You may find local police unable to assist because of the complexity of these types of crimes, as well as their lengthy investigations. But if you persist, you can get a report filed. Make sure to keep adequate records of all occurrences, police filings, and contacts.

Part one of this series talked about identity thieves wanting your password, and we discussed ways to protect against having your passwords compromised. Securing your password seems to be only 25 percent of the battle these days. Many network security breaches, like the Heartland Breach, occurred from within. So it is important to be PCI Compliant internally and know who is working for you.

I wish there were a specific set of characteristics I could post to detect an identity thief, but unfortunately they are as broad as the criminal population itself.  I like to divide attacks by criminals into two categories: internal attacks and external attacks.

Internal attacks are usually traced back to disgruntled, dishonest, and/or careless employees. Some common characteristics of an internal attack are:

1. Computer and data theft:  An employee stealing a PC, laptop, memory stick, or external hard drive.
2. Desk snooping: Look out for employees snooping around a co-workers’ desk for reminders and notes. Sometimes they might even ask a coworker to look something up to see if they should happen to keep a sticky note under a tissue box with their password.
3. The roaming employee: This employee typically wanders around looking over cubicle walls and observing keys that other employees type.

External attacks are usually done by a person that has no direct access to the company or its website. These types of thieves are crafty. They come in many different forms and are always coming up with new ways to get into a website. Some examples of theft to look out for are:

1. Bogus websites: I have only recently learned about how these actually work. These website ape legitimate sites. The design is so similar it can often fool the website owner himself. Consumers enter in their personal information and the thief captures it for their own use.
2. Forceful attacks: The techies call this a brute force attack. This is where a computer is set up to methodically try every combination of letters, numbers, and symbols to break a password.
3. Web page hijackers: These savvy criminals load malicious code on to your computer. The code is designed to redirect your typed web address to another site. This also can cause you to be redirected to one offensive site after another.

Protecting your network and website against identity theft can be costly, but there are many cost effective ways to secure your network. Privacy protection laws must inform customers that their private information has been compromised. This notification alone can cost around $20 per customer. Better to be safe and secure now, than pay the price later.

It is important to first understand what different types of identity theft occur, and then you can find out how to get protection.

The easiest item for a criminal or hacker to obtain is your password. Some common mistakes made when setting up passwords is using names of kids, birthdates, or hometowns. Spelling your child’s name backwards is another frequent mistake. I have even seen people write their passwords on a sticky note, in a notebook or in your PDA. Do not give office assistants your passwords. Remember passwords are used in more than 90 percent of all online network security practices. People use passwords for online banking, shopping, stock trading, and network logons. It is imperative to create a strong password. 

A password alone may not secure your online purchases. Many are turning to smart card security and Power LogOn. Power LogOn combined with Smart Card technology provides the ability to securely store your passwords in a smart card chip, like an electronic safe. This can help prevent a criminal from getting your passwords and personal information. A smart card is a plastic card with an embedded chip that can offer advanced security features to prevent unauthorized access to retrieve and modify stored data.

Power LogOn provides many security benefits such as:

• Passwords can be created by using 20 out of 96 available keyboard characters.
• PIN protected smartcard technology locks the data after three wrong authorization attempts.
• The software works with your PC or network logon, password protected data files, windows-based applications and web accounts.

Password security, without convenient implementation, is not free to the company or website that lacks it. Resetting passwords can take 20 to 50 percent of IT support’s time and costs approximately $70 per incident. This is time and money that could be more wisely used to increase other aspects of a company’s network security.

This decision to extend is said to be largely due to complaints from creditors that they were unaware of the existence of the new regulation and some say they only found out after the deadline had passed. This deadline according to the official press release only applies to organizations that are not under the jurisdiction of any of the other regulatory agencies other than the Federal Trade Commission. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that should help detect identity theft, hopefully before any damage is done. If identity theft is not detected, the regulation calls for the financial institution or the creditor to reduce the risk to the consumer and the organization.

Many creditors have complained that there is not a clear cut way of indicating how they will be audited, and it has not been indicated how penalties will be assessed. The FTC Enforcement Policy now clearly defines all the parameters for creditors to follow. Going forward there will be no question that if you fit into the category of “creditor” you will be required to comply with Red Flag Rules. Still many organizations feel they are flying under the radar or won’t be caught. What does a company have to gain by allowing identity theft to occur?

Rules to be followed range from watching for suspicious social security numbers that may be on the Security Administration’s Death Master File to suspicious, or repeated, address or phone number tracking. Plain and simple, following Red Flag Rules will reduce identity theft and every business should want to participate in keeping our personal information safe.

For example, car dealerships fear they will not be able to comply. Since car dealers extend auto financing, they are considered creditors. Dealerships argue that it is very difficult to detect suspicious or unusual activity, and most of their staff is not trained to look for these types of things. According to Andrew Koblenz, the National Automobile Dealers Association’s general counsel, “We want to fight identity theft, and dealers have a tremendous self-interest in not selling a car to an identity thief, but the real world impact is that it would burden dealers.” Auto dealers speculate it could add as much as five hours to the loan application process.

The healthcare industry also falls into the category of creditor. If a hospital offers payment plans so patients can pay in installments, the hospital would be considered a creditor as well. Non-profit organizations and government entities that defer payment for goods or services are also considered a creditor. For the healthcare industry, the Federal Trade Commission is responsible for interpreting and enforcing the Red Flag Rules.

Any industry that processes multiple payments or transactions such as credit card accounts, mortgages, car loans, or cell phone accounts, or any industry that has a reasonably foreseeable risk to the customers or the creditor of identity theft, is subject to these Red Flag Rules.

If you are in an industry that fits any of the above criteria, your time is winding down. Here are some basic steps to becoming compliant:

1. You must put your process for identifying theft in writing.
2. Your program must include policies and procedures for identifying Red Flags, and incorporate those Red Flags into the program. Ensure your program is updated periodically.
3. Make sure the program is appropriate for the size and complexity of the company and scope of activities.
4. The program must be approved, and regularly reviewed by a board of directors and appropriate committee of the board.  It must include training for staff to effectively implement the program.
5. Creditors must frequently conduct risk assessment to determine whether it offers or maintains revolving accounts.

In similar news, thieves made off with ATM PIN Codes and account numbers from Citibank ATMs. Does this mean that Citibank ATM PIN numbers were not encrypted like they were supposed to be? The bank has about 5,700 ATMs, owned and operated by Cardtronics Inc and Fiserv Inc, inside 7-Eleven stores across the United States. How were these hackers able to access the system? Citibank has refused to comment much like Wells Fargo.

It appears that banking institutions have not learned their lesson after the Card Systems Breach in 2005.  As consumers and business owners, we would like to think that the banks are on our side. Homecomings, a subsidiary of GMAC Financial Services that originated $18 billion in residential mortgages last year, claimed that the Korinkes family had been negligent on a $75,000 line of credit. The Korinkes were slow to discover and report the identity theft that was found while refinancing their home, and that “caused the injury to Homecomings,” according to the lawsuit. “As such, Korinke is liable for any and all sums attributed to his negligence.” In many cases banks don’t hold identity theft victims liable for bills incurred by imposters.  Other victims are finding out the hard way that consumers really can lose their money.  Are banks getting off to easy?  Should we impose stricter guidelines on banks to ensure more security against identity theft?

On November 1^st 2008 FACTA has a deadline in place called the Identity Theft Red Flags Rule. Red Flags are indicators of a possible risk of identity theft. Red Flag rules listed in Section 114 of FACTA explains each rule and how to develop ID theft prevention programs. These rules apply to any business, bank, or issuer that offers credit or any type of finance option. Many financial institutions are not taking the deadline seriously since the first Office of Thrift Supervision audits will not occur until February of 2009. Merchants all together have become savvier and typically try to comply and report any red flags, but some may not know who to report these red flags to.

Although we all want our credit card information to be secure, it seems that merchants are not getting a fair shake when it comes to FACTA. Many class action lawsuits have been filed against a number of retailers. Recently, there was a class action law suit filed seeking willful damages based on printing of credit card expiration dates on receipts. The merchant was seeking $100 to $1000 for each violation. This applies to both paper and electronic receipts. Most mom and pop merchants would expect that their card processor would ensure that they are up to code. This is not always the case. Merchants should review the FACTA rules regardless of their size. The Supreme Court is currently reviewing willfulness and “reckless disregard” and expects to have a decision this quarter.