Jump to content

Protecting the office from cyber-attack


Recommended Posts

Protecting the office from cyber-attack





Wednesday, September 22, 2004 Posted: 1:00 PM EDT (1700 GMT)



Any Internet-connected computer can be hijacked and used to send spam by an expert hacker.


What's this?


Compare Mortgage Offers

Up to four free mortgage, refinance or home equity offers - one easy form.


Mortgage Rates Hit Record Lows

Get $150,000 loan for $690 per month. Refinance while rates are low.


MyCashNow - $100 - $1,000 Overnight

Payday Loan Cash goes in your account overnight. Very low fees. Fast decisions....


LendingTree.com - Official Site

Lendingtree - Find a mortgage, refinance, home equity or auto loan now. Receive...






Virus expert Mikko Hypponen offers his advice on keeping viruses at bay.


1. Know your enemy

"We can basically group our enemy in four main groups. We have the hobbyists, the kids who sit in basements and take out their frustrations by writing viruses. That's by far the largest group and that's where most of the caught virus-writers come from. Then we have the criminals who write viruses to make money and that's grown drastically. The last two groups are activists and anarchists and possibly even terrorists who want to write viruses for a higher cause. And then of course we also have the spying element, which may be for industrial espionage or something even more sinister."


2. Get protected

"Protection hasn't really changed drastically. There's still the three main rules that you have to have an ant-virus on every single computer, you have to have a firewall on every single computer and you have to keep the patches up to date on every single computer."


3. Turn your computer off

"If your computer is off, nothing can hit it. That's what I often recommend to people who have cables or modems in their home. When you're not using your computer just turn it off or at the very least just disconnect the cable. There's no need to have your computer online 24 hours as a target of an attack when you're sleeping or away from your computer."


4. Be prepared

"The situation on the internet right now is so bad that if you go and buy a brand new computer and turn it on and plug it into the Internet it will be infected by a worm within five to 10 minutes. You won't even have enough time to go online and download all the patches to your computer before it already is infected."


(CNN) -- Companies are spending an increasing amount of time and money protecting their systems from viruses and spam -- and the problem is worsening.


Even the latest anti-virus software and expensive firewalls cannot fully protect the unsuspecting office or small business computer from the latest hacker attacks.


The latest technique -- identity theft -- where computers are hijacked and turned into spamming machines -- have led many analysts to believe cyber-crooks maybe gaining the upper hand on Internet security.


The activity is being assisted by the proliferation of high-speed Internet connections, where computers are left permanently connected, both at home and at work.


"The situation on the Internet right now is so bad that if you go and buy a brand new computer and turn it on and plug it into the Internet, it will be infected by a worm within five to ten minutes," Mikko Hypponen of virus research firm F-Secure Corp. told CNN.


"You will not even have enough time to go online and download all the patches to your computer before it is infected."


Hundreds of thousands of PCs worldwide have been plagued by viruses and spam. According to Microsoft's Anti-Spam technology division it is costing up to $20.5 billion annually in lost business and repair work.


Earlier this year the MyDoom.M virus tempted office workers to open an e-mail folder containing details about a supposed undeliverable message.


Cleverly it was sent to staff after the weekend when they faced inboxes full of mail. The virus then sent copies of itself to all e-mail addresses on the PC's hard drive.


By fooling tens of thousands of technology-savvy office workers the virus knocked out Internet search engines Google, Yahoo, Lycos and AltaVista for several hours.


Yet the formula for virus protection has changed little for users over the years, Hypponen advocates three main rules in order to protect a PC.


"You have to have anti-virus software on every single computer," he says. "You have to have a firewall on every single computer and you have to keep the patches up to date on every single computer."


In many cases having the computer always turned on allows infected terminals to be turned into "zombies," allowing spammers and digital saboteurs to hijack a machine, which is then used to send out malicious code.


A harnessed network of zombie PCs creates a more powerful resource for fraudsters -- experts call this a "botnet."


"If your computer is off, nothing is going to hit it. That is what I often recommend to people who have cables or modems -- at the very least just disconnect the cable," explains Hypponen.


"There is no need to have your computer online 24 hours (a day) as a target of an attack when you are sleeping or away from your computer."


Not all is lost on the virus front -- as cyber-crime goes global and becomes more time consuming for anti-virus companies, firms are turning to more efficient labor sources to produce "patches" or virus solutions.


"(Today) the ability to counter (viruses), is a lot greater because ultimately it takes a lot of new code to (create) little patches," according to Bundeep Singh Rangar, founder and chief operating officer of global investment firm Ariadne Capital.


"When you have a larger pool of labor out there at a lower price, (such as in India) you have the ability to write a patch software to fix a program, it is probably better than having a scalable resource."







The Most Popular Passwords Are...

...the names of family members, sports teams, and pets.





That's the word from the organizers of the Infosecurity Europe conference who conducted a sneaky, impromptu man-on-the-street survey at the Liverpool Street Station in England, reports Security Pipeline. It was sneaky because the pollsters randomly offered people a chocolate candy bar if they would give up their password. Fully 71 percent did just that. And once they told their password, they revealed lots of other information as well.


To whom would you reveal your password?


* When first asked if they would reveal their password, 37 percent did it right away.

* For those who wouldn't tell immediately, the pollsters used social engineering tactics, suggesting their password was a child's name or a pet's name. Once that discussion started, another 34 percent told their password and many even explained the origins.

* 53 percent said they would not give their password to a telephone caller claiming to be calling from their company's IT department. (Good!)

* Four out of 10 said they knew their colleagues' passwords.

* 55 percent said they'd give their password to their boss.


How many passwords do you have?


* Two thirds of workers use the same password for work and personal use, such as banking and online access.

* Workers used an average of four passwords, although one systems administrator used 40 passwords, which he stored on a program he wrote himself to keep them secure.


How often do you change your password?


* 51 percent of passwords were changed on a monthly basis, 3 percent changed passwords weekly, 2 percent daily, 10 percent quarterly, 13 percent rarely, and 20 percent never.

* Workers who regularly had to change their passwords said they kept them on piece of paper in their drawers, or stored on Word documents so they wouldn't forget them.


The most common password of all? ADMIN


Last year, when this same survey was conducted, the most common password was PASSWORD. The change likely occurred because a lot of new equipment, including some PDAs and all Linksys, D-Link, and Netgear broadband and Wi-Fi routers are now shipped with a default password of ADMIN.






How Identity Theft Works




How To Protect Yourself

Protecting yourself from identity theft takes proactive effort. You can't simply assume it's not going to happen to you and go on about your life -- it can happen to anyone. It even happens to celebrities. Oprah Winfrey, Tiger Woods, Robert De Niro and Martha Stewart have all had their identities stolen. While you can't ever totally protect yourself from these thieves, you can at least make yourself less attractive as a victim by doing what you can to make it more difficult for them to access your information. Here are some things you can do to protect yourself:


* DON'T give out your Social Security number unless it is absolutely necessary. Many companies collect more information than they really need. Make sure that it's something they have to have and make sure they'll protect your privacy.


* DESTROY any unwanted credit card offers. This means rip, shred, burn, whatever you can do. These pre-approved offers come almost daily. If you don't want the three major credit bureaus to sell your name to these companies, you can "opt out" by either writing to the three major credit bureaus or by calling (888) 5OPTOUT (567-8688). This will remove your name, for two years, from mailing and telemarketing lists that come from TransUnion, Equifax, Experian, and INNOVIS. You can also write to the Direct Marketing Association's mail preference service to have your name removed from some mailing lists.


* DON'T put any other information besides your name and address on your checks, and keep a close watch on your checkbook both when you're writing checks and when it is lying around. Someone can memorize your name, address and phone number during the short time it takes you to write a check.



* SHRED (cross-cut) any sensitive documents before you throw them into the trash. This may seem like an extreme measure, but dumpster diving happens all the time and turns up a lot more personal information than you may realize.


* DON'T carry your Social Security card, passport, or birth certificate in your wallet or purse. Also, only carry as many credit cards as are absolutely necessary. It has also been suggested that you photocopy everything you carry in your wallet to make canceling things easier in the event that your wallet is stolen.


* REVIEW your credit report every year to make sure there haven't been any new credit cards or other accounts issued (to someone other than you) and to make sure there haven't been inquiries by people you haven't initiated business with. There are also services you can subscribe to (such as CreditExpert) that will alert you to any changes in your credit file.


* NEVER give out personal information on the phone to someone you don't know and who initiated the call. Often, scam artists phone unsuspecting victims pretending to be their financial services company and request information to be provided over the phone. Usually, the story is to "update records" or sell a product. Get their name, phone number and address, and then call them back at the number you have on file or that is printed on the statements you receive.


* REVIEW your monthly credit card statement each month to make sure there aren't any charges showing up that aren't yours. Also, make sure you get a monthly statement. If the statement is late, contact the credit card company. You never know when someone may have turned in a change-of-address form so they could make a few more weeks of purchases on your credit card without you noticing.


* DON'T mail bills or documents that contain personal data (like tax forms or checks) from your personal mail box. Take them directly to the post office or an official postal service mailbox. It's too easy for someone to take mail out of your mailbox on the street. From there, they can dip your checks in special chemicals to remove the ink and then rewrite them to themselves!


* If you're ever denied credit, FIND OUT WHY, especially if you haven't reviewed your credit report lately. This may be the first indication you get that someone has stolen your identity and is racking up charges in your name.


* REACT QUICKLY if a creditor or merchant calls you about charges you didn't make. This too may be the first notice you get that someone has stolen your identity. Get as much information from them as you can and investigate immediately.


* GUARD deposit slips as closely as you do checks. Not only do they have your name, address and account number printed on them, but they can also be used to withdraw money from your account. All a thief has to do is write a bad check, deposit it into your account and use the "less cash received" line to withdraw your money.


Identity Theft Insurance?

Some insurance companies offer identity theft insurance. While these policies don't cover everything, they certainly help out by covering a portion of lost wages for time spent dealing with the theft, mailing and other costs associated with filing paperwork to correct the problem, loan re-application fees, phone charges and even some attorney fees.


These steps can help lessen your chances of becoming a victim of identity fraud, but nothing is a sure thing. The thing to remember is that documents you throw away often have all the information a thief needs to steel your identity and wreak havoc on your life.






Take Charge: Fighting Back Against Identity Theft






In the course of a busy day, you may write a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax returns, change service providers for your cell phone, or apply for a credit card. Chances are you don't give these everyday transactions a second thought. But an identity thief does.


Identity theft is a serious crime. People whose identities have been stolen can spend months or years and thousands of dollars cleaning up the mess the thieves have made of a good name and credit record. In the meantime, victims of identity theft may lose job opportunities, be refused loans for education, housing, or cars, and even get arrested for crimes they didn't commit. Humiliation, anger, and frustration are among the feelings victims experience as they navigate the process of rescuing their identity.


Working with other government agencies and organizations, the Federal Trade Commission (FTC) has produced this booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future.




I first was notified that someone had used my Social Security number for their taxes in February 2004. I also found out that this person opened a checking account, cable and utility accounts, and a cell phone account in my name. I'm still trying to clear up everything and just received my income tax refund after waiting four to five months. Trying to work and get all this cleared up is very stressful.


From a consumer's complaint to the FTC, July 9, 2004


Despite your best efforts to manage the flow of your personal information or to keep it to yourself, skilled identity thieves may use a variety of methods to gain access to your data.


How identity thieves get your personal information:


* They get information from businesses or other institutions by:

o stealing records or information while they're on the job

o bribing an employee who has access to these records

o hacking these records

o conning information out of employees

* They may steal your mail, including bank and credit card statements, credit card offers, new checks, and tax information.

* They may rummage through your trash, the trash of businesses, or public trash dumps in a practice known as "dumpster diving."

* They may get your credit reports by abusing their employer's authorized access to them, or by posing as a landlord, employer, or someone else who may have a legal right to access your report.

* They may steal your credit or debit card numbers by capturing the information in a data storage device in a practice known as "skimming." They may swipe your card for an actual purchase, or attach the device to an ATM machine where you may enter or swipe your card.

* They may steal your wallet or purse.

* They may complete a "change of address form" to divert your mail to another location.

* They may steal personal information they find in your home.

* They may steal personal information from you through email or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known as "phishing" online, or pretexting by phone.


How identity thieves use your personal information:


* They may call your credit card issuer to change the billing address on your credit card account. The imposter then runs up charges on your account. Because your bills are being sent to a different address, it may be some time before you realize there's a problem.

* They may open new credit card accounts in your name. When they use the credit cards and don't pay the bills, the delinquent accounts are reported on your credit report.

* They may establish phone or wireless service in your name.

* They may open a bank account in your name and write bad checks on that account.

* They may counterfeit checks or credit or debit cards, or authorize electronic transfers in your name, and drain your bank account.

* They may file for bankruptcy under your name to avoid paying debts they've incurred under your name, or to avoid eviction.

* They may buy a car by taking out an auto loan in your name.

* They may get identification such as a driver's license issued with their picture, in your name.

* They may get a job or file fraudulent tax returns in your name.

* They may give your name to the police during an arrest. If they don't show up for their court date, a warrant for arrest is issued in your name.


If Your Personal Information Has Been Lost or Stolen


If you've lost personal information or identification, or if it has been stolen from you, taking certain steps quickly can minimize the potential for identity theft.


Financial accounts: Close accounts, like credit cards and bank accounts, immediately. When you open new accounts, place passwords on them. Avoid using your mother's maiden name, your birth date, the last four digits of your Social Security number (SSN) or your phone number, or a series of consecutive numbers.


Social Security number: Call the toll-free fraud number of any of the three nationwide consumer reporting companies and place an initial fraud alert on your credit reports. An alert can help stop someone from opening new credit accounts in your name. See consumer reporting company contact information. For more information about fraud alerts, see the Fraud Alerts box.


Driver's license/other government-issued identification: Contact the agency that issued the license or other identification document. Follow its procedures to cancel the document and to get a replacement. Ask the agency to flag your file so that no one else can get a license or any other identification document from them in your name.


Once you've taken these precautions, watch for signs that your information is being misused. See STAYING ALERT.


If your information has been misused, file a report about the theft with the police, and file a complaint with the Federal Trade Commission, as well. If another crime was committed for example, if your purse or wallet was stolen or your house or car was broken into report it to the police immediately.




If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of all correspondence.


1. Place a fraud alert on your credit reports, and review your credit reports.


Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on their versions of your report, too.


Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374- 0241


Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013


TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790


Once you place the fraud alert in your file, you're entitled to order free copies of your credit reports, and, if you ask, only the last four digits of your SSN will appear on your credit reports.Once you get your credit reports, review them carefully. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that information, like your SSN, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. See Correcting Credit Reports to learn how. Continue to check your credit reports periodically, especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred.


Fraud Alerts


There are two types of fraud alerts: an initial alert, and an extended alert.


* An initial alert stays on your credit report for at least 90 days. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial alert is appropriate if your wallet has been stolen or if you've been taken in by a "phishing" scam. When you place an initial fraud alert on your credit report, you're entitled to one free credit report from each of the three nationwide consumer reporting companies.

* An extended alert stays on your credit report for seven years. You can have an extended alert placed on your credit report if you've been a victim of identity theft and you provide the consumer reporting company with an "identity theft report." When you place an extended alert on your credit report, you're entitled to two free credit reports within twelve months from each of the three nationwide consumer reporting companies. In addition, the consumer reporting companies will remove your name from marketing lists for pre-screened credit offers for five years unless you ask them to put your name back on the list before then.


To place either of these alerts on your credit report, or to have them removed, you will be required to provide appropriate proof of your identity: that may include your SSN, name, address and other personal information requested by the consumer reporting company.


When a business sees the alert on your credit report, they must verify your identity before issuing you credit. As part of this verification process, the business may try to contact you directly. This may cause some delays if you're trying to obtain credit. To compensate for possible delays, you may wish to include a cell phone number, where you can be reached easily, in your alert. Remember to keep all contact information in your alert current.


2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.


Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures.


When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.


If the identity thief has made charges or debits on your accounts, or on fraudulently opened accounts, ask the company for the forms to dispute those transactions:


* For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the company doesn't have special forms, use the sample letter to dispute the fraudulent charges or debits. In either case, write to the company at the address given for "billing inquiries," NOT the address for sending your payments.

* For new unauthorized accounts, ask if the company accepts the ID Theft Affidavit. If not, ask the representative to send you the company's fraud dispute forms. If the company already has reported these accounts or debts on your credit report, dispute this fraudulent information. See Correcting Credit Reports to learn how.


Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear on your credit report or you are contacted again about the fraudulent debt.


Proving You're a Victim


Applications or other transaction records related to the theft of your identity may help you prove that you are a victim. For example, you may be able to show that the signature on an application is not yours. These documents also may contain information about the identity thief that is valuable to law enforcement. By law, companies must give you a copy of the application or other business transaction records relating to your identity theft if you submit your request in writing. Be sure to ask the company representative where you should mail your request. Companies must provide these records at no charge to you within 30 days of receipt of your request and your supporting documents. You also may give permission to any law enforcement agency to get these records, or ask in your written request that a copy of these records be sent to a particular law enforcement officer.


The company can ask you for:


* proof of your identity. This may be a photocopy of a government-issued ID card, the same type of information the identity thief used to open or access the account, or the type of information the company usually requests from applicants or customers, and

* a police report and a completed affidavit, which may be the Identity Theft Affidavit or the company's own affidavit.



3. File a report with your local police or the police in the community where the identity theft took place.


Then, get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. If the police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General.


4. File a complaint with the Federal Trade Commission.


By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.


You can file a complaint online at www.consumer.gov/idtheft. If you don't have Internet access, call the FTC's Identity Theft Hotline, toll-free: 1-877-IDTHEFT (438-4338); TTY: 1-866-653- 4261; or write: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.


Be sure to call the Hotline to update your complaint if you have any additional information or problems.


The Identity Theft Report


An identity theft report may have two parts:


Part One is a copy of a report filed with a local, state, or federal law enforcement agency, like your local police department, your State Attorney General, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no federal law requiring a federal agency to take a report about identity theft; however, some state laws require local police departments to take reports. When you file a report, provide as much information as you can about the crime, including anything you know about the dates of the identity theft, the fraudulent accounts opened and the alleged identity thief.


Note: Knowingly submitting false information could subject you to criminal prosecution for perjury.


Part Two of an identity theft report depends on the policies of the consumer reporting company and the information provider (the business that sent the information to the consumer reporting company). That is, they may ask you to provide information or documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft. They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft report contains everything they need. They are entitled to take five days to review any information you give them. For example, if you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as incomplete; you will have to resubmit your identity theft report with the correct information.


You may find that most federal and state agencies, and some local police departments, offer only "automated" reports a report that does not require a face-to-face meeting with a law enforcement officer. Automated reports may be submitted online, or by telephone or mail. If you have a choice, do not use an automated report. The reason? It's more difficult for the consumer reporting company or information provider to verify the information. Unless you are asking a consumer reporting company to place an extended fraud alert on your credit report, you probably will have to provide additional information or documentation when you use an automated report.


Tips For Organizing Your Case


Accurate and complete records will help you to resolve your identity theft case more quickly.


* Have a plan when you contact a company. Don't assume that the person you talk to will give you all the information or help you need. Prepare a list of questions to ask the representative, as well as information about your identity theft. Don't end the call until you're sure you understand everything you've been told. If you need more help, ask to speak to a supervisor.

* Write down the name of everyone you talk to, what he or she tells you, and the date the conversation occurred. Use Chart Your Course of Action to help you.

* Follow up in writing with all contacts you've made on the phone or in person. Use certified mail, return receipt requested, so you can document what the company or organization received and when.

* Keep copies of all correspondence or forms you send.

* Keep the originals of supporting documents, like police reports and letters to and from creditors; send copies only.

* Set up a filing system for easy access to your paperwork.

* Keep old files even if you believe your case is closed. Once resolved, most cases stay resolved, but problems can crop up.



See this page for the charts






I received a copy of my credit report and saw about a half a dozen items that I didn't know anything about. It's affected my credit rating so badly that I couldn't get a student loan. I didn't realize there was a problem until my student loan application was denied.


From a consumer's complaint to the FTC, May 25, 2004


While dealing with problems resulting from identity theft can be time-consuming and frustrating, most victims can resolve their cases by being assertive, organized, and knowledgeable about their legal rights. Some laws require you to notify companies within specific time periods. Don't delay in contacting any companies to deal with these problems, and ask for supervisors if you need more help than you're getting.


Bank Accounts and Fraudulent Withdrawals


Different laws determine your legal remedies based on the type of bank fraud you have suffered. For example, state laws protect you against fraud committed by a thief using paper documents, like stolen or counterfeit checks. But if the thief used an electronic fund transfer, federal law applies. Many transactions may seem to be processed electronically but are still considered "paper" transactions. If you're not sure what type of transaction the thief used to commit the fraud, ask the financial institution that processed the transaction.


Fraudulent Electronic Withdrawals


The Electronic Fund Transfer Act provides consumer protections for transactions involving an ATM or debit card, or another electronic way to debit or credit an account. It also limits your liability for unauthorized electronic fund transfers.


You have 60 days from the date your bank account statement is sent to you to report in writing any money withdrawn from your account without your permission. This includes instances when your ATM or debit card is "skimmed" that is, when a thief captures your account number and PIN without your card having been lost or stolen.


If your ATM or debit card is lost or stolen, report it immediately because the amount you can be held responsible for depends on how quickly you report the loss.


* If you report the loss or theft within two business days of discovery, your losses are limited to $50.

* If you report the loss or theft after two business days, but within 60 days after the unauthorized electronic fund transfer appears on your statement, you could lose up to $500 of what the thief withdraws.

* If you wait more than 60 days to report the loss or theft, you could lose all the money that was taken from your account after the end of the 60 days.


Note: VISA and MasterCard voluntarily have agreed to limit consumers' liability for unauthorized use of their debit cards in most instances to $50 per card, no matter how much time has elapsed since the discovery of the loss or theft of the card.


The best way to protect yourself in the event of an error or fraudulent transaction is to call the financial institution and follow up in writing by certified letter, return receipt requested so you can prove when the institution received your letter. Keep a copy of the letter you send for your records.


After receiving your notification about an error on your statement, the institution generally has 10 business days to investigate. The institution must tell you the results of its investigation within three business days after completing it and must correct an error within one business day after determining that it occurred. If the institution needs more time, it may take up to 45 days to complete the investigation but only if the money in dispute is returned to your account and you are notified promptly of the credit. At the end of the investigation, if no error has been found, the institution may take the money back if it sends you a written explanation. For more information, see Electronic Banking and Credit, ATM and Debit Cards: What To Do If They're Lost or Stolen.


Fraudulent Checks and Other "Paper" Transactions


In general, if an identity thief steals your checks or counterfeits checks from your existing bank account, stop payment, close the account, and ask your bank to notify Chex Systems, Inc. or the check verification service with which it does business. That way, retailers can be notified not to accept these checks. While no federal law limits your losses if someone uses your checks with a forged signature, or uses another type of "paper" transaction such as a demand draft, state laws may protect you. Most states hold the bank responsible for losses from such transactions. At the same time, most states require you to take reasonable care of your account. For example, you may be held responsible for the forgery if you fail to notify the bank in a timely manner that a check was lost or stolen. Contact your state banking or consumer protection agency for more information.


You can contact major check verification companies directly for the following services:


* To request that they notify retailers who use their databases not to accept your checks, call:

o TeleCheck at 1-800-710-9898 or 1-800-927-0188

o Certegy, Inc. (previously Equifax Check Systems) at 1-800-437-5120

* To find out if the identity thief has been passing bad checks in your name, call:

o SCAN: 1-800-262-7771


If your checks are rejected by a merchant, it may be because an identity thief is using the Magnetic Information Character Recognition (MICR) code (the numbers at the bottom of checks), your driver's license number, or another identification number. The merchant who rejects your check should give you its check verification company contact information so you can

find out what information the thief is using. If you find that the thief is using your MICR code, ask your bank to close your checking account, and open a new one. If you discover that the thief is using your driver's license number or some other identification number, work with your DMV or other identification issuing agency to get new identification with new numbers. Once you

have taken the appropriate steps, your checks should be accepted.




* The check verification company may or may not remove the information about the MICR code or the driver's license/identification number from its database because this information may help prevent the thief from continuing to commit fraud.

* If the checks are being passed on a new account, contact the bank to close the account. Also contact Chex Systems, Inc., to review your consumer report to make sure that no other bank accounts have been opened in your name.

* Dispute any bad checks passed in your name with merchants so they don't start any collections actions against you.


Fraudulent New Accounts


If you have trouble opening a new checking account, it may be because an identity thief has been opening accounts in your name. Chex Systems, Inc., produces consumer reports specifically about checking accounts, and as a consumer reporting company, is subject to the Fair Credit Reporting Act. You can request a free copy of your consumer report by contacting Chex Systems, Inc. If you find inaccurate information on your consumer report, follow the procedures under Correcting Credit Reports to dispute it. Contact each of the banks where account inquiries were made, too. This will help ensure that any fraudulently opened accounts are closed.


Chex Systems, Inc.: 1-800-428-9623; www.chexhelp.com

Fax: 602-659-2197

Chex Systems, Inc.

Attn: Consumer Relations

7805 Hudson Road, Suite 100

Woodbury, MN 55125


Where to Find Help


If you have trouble getting a financial institution to help you resolve your banking-related identity theft problems, including problems with bank-issued credit cards, contact the agency that oversees your bank (see list below). If you're not sure which of these agencies is the right one, call your bank or visit the National Information Center of the Federal Reserve System at www.ffiec.gov/nic/ and click on "Institution Search."


Federal Deposit Insurance Corporation (FDIC) www.fdic.gov


The FDIC supervises state-chartered banks that are not members of the Federal Reserve System, and insures deposits at banks and savings and loans.


Call the FDIC Consumer Call Center toll-free: 1-800-934-3342; or write: Federal Deposit Insurance Corporation, Division of Compliance and Consumer Affairs, 550 17th Street, NW, Washington, DC 20429.


FDIC publications:


* Classic Cons... And How to Counter Them

* A Crook Has Drained Your Account. Who Pays?

* Your Wallet: A Loser's Manual


Federal Reserve System (Fed) www.federalreserve.gov


The Fed supervises state-chartered banks that are members of the Federal Reserve System.


Call: 202-452-3693; or write: Division of Consumer and Community Affairs, Mail Stop 801, Federal Reserve Board, Washington, DC 20551; or contact the Federal Reserve Bank in your area. The Reserve Banks are located in Boston, New York, Philadelphia, Cleveland, Richmond, Atlanta, Chicago, St. Louis, Minneapolis, Kansas City, Dallas, and San Francisco.


National Credit Union Administration (NCUA) www.ncua.gov


The NCUA charters and supervises federal credit unions and insures deposits at federal credit unions and many state credit unions.


Call: 703-518-6360; or write: Compliance Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.


Office of the Comptroller of the Currency (OCC) www.occ.treas.gov


The OCC charters and supervises national banks. If the word "national" appears in the name of a bank, or the initials "N.A." follow its name, the OCC oversees its operations.


Call toll-free: 1-800-613-6743 (business days 9:00 a.m. to 4:00 p.m. CST); fax: 713-336-4301; or write: Customer Assistance Group, 1301 McKinney Street, Suite 3710, Houston, TX 77010.


OCC publications:


* Check Fraud: A Guide to Avoiding Losses

* How to Avoid Becoming a Victim of Identity Theft

* Identity Theft and Pretext Calling Advisory Letter 2001-4


Office of Thrift Supervision (OTS) www.ots.treas.gov


The OTS is the primary regulator of all federal, and many state-chartered, thrift institutions, including savings banks and savings and loan institutions.


Call: 202-906-6000; or write: Office of Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.


Bankruptcy Fraud


U. S. Trustee (UST) www.usdoj.gov/ust


If you believe someone has filed for bankruptcy in your name, write to the U.S. Trustee in the region where the bankruptcy was filed. A list of the U.S. Trustee Programs' Regional Offices is available on the UST website, or check the Blue Pages of your phone book under U.S. Government Bankruptcy Administration.


In your letter, describe the situation and provide proof of your identity. The U.S. Trustee will make a criminal referral to law enforcement authorities if you provide appropriate documentation to substantiate your claim. You also may want to file a complaint with the U.S. Attorney and/or the FBI in the city where the bankruptcy was filed. The U.S. Trustee does not provide legal representation, legal advice, or referrals to lawyers. That means you may need to hire an attorney to help convince the bankruptcy court that the filing is fraudulent. The U.S. Trustee does not provide consumers with copies of court documents. You can get them from the bankruptcy clerk's office for a fee.


Correcting Fraudulent Information in Credit Reports


The Fair Credit Reporting Act (FCRA) establishes procedures for correcting fraudulent information on your credit report and requires that your report be made available only for certain legitimate business needs.


Under the FCRA, both the consumer reporting company and the information provider (the business that sent the information to the consumer reporting company), such as a bank or credit card company, are responsible for correcting fraudulent information in your report. To protect your rights under the law, contact both the consumer reporting company and the information provider.


Consumer Reporting Company Obligations


Consumer reporting companies will block fraudulent information from appearing on your credit report if you take the following steps: Send them a copy of an identity theft report and a letter telling them what information is fraudulent. The letter also should state that the information does not relate to any transaction that you made or authorized. In addition, provide proof of your identity that may include your SSN, name, address, and other personal information requested by the consumer reporting company.


The consumer reporting company has four business days to block the fraudulent information after accepting your identity theft report. It also must tell the information provider that it has blocked the information. The consumer reporting company may refuse to block the information or remove the block if, for example, you have not told the truth about your identity theft. If the consumer reporting company removes the block or refuses to place the block, it must let you know.


The blocking process is only one way for identity theft victims to deal with fraudulent information. There's also the "reinvestigation process," which was designed to help all consumers dispute errors or inaccuracies on their credit reports. For more information on this process, see How to Dispute Credit Report Errors and Your Access to Free Credit Reports, two publications from the FTC.


Information Provider Obligations


Information providers stop reporting fraudulent information to the consumer reporting companies once you send them an identity theft report and a letter explaining that the information that they're reporting resulted from identity theft. But you must send your identity theft report and letter to the address specified by the information provider. Note that the information provider may continue to report the information if it later learns that the information does not result from identity theft.


If a consumer reporting company tells an information provider that it has blocked fraudulent information in your credit report, the information provider may not continue to report that information to the consumer reporting company. The information provider also may not hire someone to collect the debt that relates to the fraudulent account, or sell that debt to anyone else who would try to collect it.


Sample Blocking Letter Consumer Reporting Company



Your Name

Your Address

Your City, State, Zip Code


Complaint Department

Name of Consumer Reporting Company


City, State, Zip Code


Dear Sir or Madam:


I am a victim of identity theft. I am writing to request that you block the following fraudulent information in my file. This information does not relate to any transaction that I have made. The items also are circled on the attached copy of the report I received. (Identify item(s) to be blocked by name of source, such as creditors or tax court, and identify type of item, such as credit account, judgment, etc.)


Enclosed is a copy of the law enforcement report regarding my identity theft. Please let me know if you need any other information from me to block this information on my credit report.



Your name


Enclosures: (List what you are enclosing.)



Credit Cards


The Fair Credit Billing Act establishes procedures for resolving billing errors on your credit card accounts, including fraudulent charges on your accounts. The law also limits your liability for unauthorized credit card charges to $50 per card. To take advantage of the law's consumer protections, you must:


* write to the creditor at the address given for "billing inquiries," NOT the address for sending your payments. Include your name, address, account number, and a description of the billing error, including the amount and date of the error. See Sample Letter.

* send your letter so that it reaches the creditor within 60 days after the first bill containing the error was mailed to you. If an identity thief changed the address on your account and you didn't receive the bill, your dispute letter still must reach the creditor within 60 days of when the creditor would have mailed the bill. This is one reason it's essential to keep track of your billing statements, and follow up quickly if your bills don't arrive on time.


You should send your letter by certified mail, and request a return receipt. It becomes your proof of the date the creditor received the letter. Include copies (NOT originals) of your police report or other documents that support your position. Keep a copy of your dispute letter.


The creditor must acknowledge your complaint in writing within 30 days after receiving it, unless the problem has been resolved. The creditor must resolve the dispute within two billing cycles (but not more than 90 days) after receiving your letter.


For more information, see Fair Credit Billing and Avoiding Credit and Charge Card Fraud, two publications from the FTC.


Sample Dispute Letter For Existing Accounts



Your Name

Your Address

Your City, State, Zip Code

Your Account Number


Name of Creditor

Billing Inquiries


City, State, Zip Code


Dear Sir or Madam:


I am writing to dispute a fraudulent (charge or debit) on my account in the amount of $______. I am a victim of identity theft, and I did not make this (charge or debit). I am requesting that the (charge be removed or the debit reinstated), that any finance and other charges related to the fraudulent amount be credited, as well, and that I receive an accurate statement.


Enclosed are copies of (use this sentence to describe any enclosed information, such as a police report) supporting my position. Please investigate this matter and correct the fraudulent (charge or debit) as soon as possible.



Your name


Enclosures: (List what you are enclosing.)



Criminal Violations


Procedures to correct your record within criminal justice databases can vary from state to state, and even from county to county. Some states have enacted laws with special procedures for identity theft victims to follow to clear their names. You should check with the office of your state Attorney General, but you can use the following information as a general guide.


If wrongful criminal violations are attributed to your name, contact the police or sheriff's department that originally arrested the person using your identity, or the court agency that issued the warrant for the arrest. File an impersonation report with the police/sheriff's department or the court, and confirm your identity: Ask the police department to take a full set of your fingerprints, photograph you, and make a copies of your photo identification documents, like your driver's license, passport, or travel visa. To establish your innocence, ask the police to compare the prints and photographs with those of the imposter.


If the arrest warrant is from a state or county other than where you live, ask your local police department to send the impersonation report to the police department in the jurisdiction where the arrest warrant, traffic citation, or criminal conviction originated.


The law enforcement agency should then recall any warrants and issue a "clearance letter" or "certificate of release" (if you were arrested/booked). You'll need to keep this document with you at all times in case you're wrongly arrested again. Ask the law enforcement agency to file the record of the follow-up investigation establishing your innocence with the district attorney's (D.A.) office and/or court where the crime took place. This will result in an amended complaint. Once your name is recorded in a criminal database, it's unlikely that it will be completely removed from the official record. Ask that the "key name" or "primary name" be changed from your name to the imposter's name (or to "John Doe" if the imposter's true identity is not known), with your name noted as an alias.


You'll also want to clear your name in the court records. To do so, you'll need to determine which state law(s) will help you with this and how. If your state has no formal procedure for clearing your record, contact the D.A.'s office in the county where the case was originally prosecuted. Ask the D.A.'s office for the appropriate court records needed to clear your name. You may need to hire a criminal defense attorney to help you clear your name. Contact Legal Services in your state or your local bar association for help in finding an attorney.


Finally, contact your state Department of Motor Vehicles (DMV) to find out if your driver's license is being used by the identity thief. Ask that your files be flagged for possible fraud.


Debt Collectors


The Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that a creditor has forwarded for collection, even if those bills don't result from identity theft.


You can stop a debt collector from contacting you in two ways:


* Write a letter to the collection agency telling them to stop. Once the debt collector receives your letter, the company may not contact you again with two exceptions: They can tell you there will be no further contact, and they can tell you that the debt collector or the creditor intends to take some specific action.

* Send a letter to the collection agency, within 30 days after you received written notice of the debt, telling them that you do not owe the money. Include copies of documents that support your position. Including a copy (NOT original) of your police report may be useful. In this case, a collector can renew collection activities only if it sends you proof of the debt.


If you don't have documentation to support your position, be as specific as possible about why the debt collector is mistaken. The debt collector is responsible for sending you proof that you're wrong. For example, if the debt you're disputing originates from a credit card you never applied for, ask for a copy of the application with the applicant's signature. Then, you can prove that it's not your signature.


If you tell the debt collector that you are a victim of identity theft and it is collecting the debt for another company, the debt collector must tell that company that you may be a victim of identity theft.


While you can stop a debt collector from contacting you, that won't get rid of the debt itself. It's important to contact the company that originally opened the account to dispute the debt, otherwise that company may send it to a different debt collector, report it on your credit report, or initiate a lawsuit to collect on the debt.


For more information, see Fair Debt Collection, a publication from the FTC.


Driver's License


If you think your name or SSN is being used by an identity thief to get a driver's license or a non-driver's ID card, contact your state DMV. If your state uses your SSN as your driver's license number, ask to substitute another number.


Investment Fraud


U.S. Securities and Exchange Commission (SEC) www.sec.gov


The SEC's Office of Investor Education and Assistance serves investors who complain to the SEC about investment fraud or the mishandling of their investments by securities professionals. If you believe that an identity thief has tampered with your securities investments or a brokerage account, immediately report it to your broker or account manager and to the SEC.


You can file a complaint with the SEC's Complaint Center at www.sec.gov/complaint.shtml. Include as much detail as possible. If you don't have Internet access, write to the SEC at: SEC Office of Investor Education and Assistance, 450 Fifth Street, NW, Washington DC, 20549-0213. For answers to general questions, call 202-942-7040.


Mail Theft


U.S. Postal Inspection Service (USPIS) www.usps.gov/websites/depart/inspect


The USPIS is the law enforcement arm of the U.S. Postal Service, and investigates cases of identity theft. The USPIS has primary jurisdiction in all matters infringing on the integrity of the U.S. mail. If an identity thief has stolen your mail to get new credit cards, bank or credit card statements, pre-screened credit offers, or tax information, or has falsified change-of-address forms or obtained your personal information through a fraud conducted by mail, report it to your local postal inspector.


You can locate the USPIS district office nearest you by calling your local post office, checking the Blue Pages of your telephone directory, or visiting www.usps.gov/websites/depart/inspect.


Passport Fraud


United States Department of State (USDS) www.travel.state.gov/passport_services.html


If you've lost your passport, or believe it was stolen or is being used fraudulently, contact the USDS through their website, or call a local USDS field office. Local field offices are listed in the Blue Pages of your telephone directory.


Phone Fraud


If an identity thief has established phone service in your name, is making unauthorized calls that seem to come from and are billed to your cellular phone, or is using your calling card and PIN, contact your service provider immediately to cancel the account and/or calling card. Open new accounts and choose new PINs. If you're having trouble getting fraudulent phone charges removed from your account or getting an unauthorized account closed, contact the appropriate agency below.


* For local service, contact your state Public Utility Commission.

* For cellular phones and long distance, contact the Federal Communications Commission (FCC) at www.fcc.gov. The FCC regulates interstate and international communications by radio, television, wire, satellite, and cable. Call: 1-888-CALL-FCC; TTY: 1-888-TELL-FCC; or write: Federal Communications Commission, Consumer Information Bureau, 445 12th Street, SW, Room 5A863, Washington, DC 20554. You can file complaints online at www.fcc.gov, or e-mail your questions to fccinfo@fcc.gov.


Social Security Number Misuse


Social Security Administration (SSA) www.ssa.gov


If you have specific information of SSN misuse that involves the buying or selling of Social Security cards, may be related to terrorist activity, or is designed to obtain Social Security benefits, contact the SSA Office of the Inspector General. You may file a complaint online at www.socialsecurity.gov/oig, call toll-free: 1-800-269-0271, fax: 410-597-0118, or write: SSA Fraud Hotline, P.O. Box 17768, Baltimore, MD 21235.


You also may call SSA toll-free at 1-800-772-1213 to verify the accuracy of the earnings reported on your SSN, request a copy of your Social Security Statement, or get a replacement SSN card if yours is lost or stolen. Follow up in writing.


SSA publications:


* SSA Fraud Hotline for Reporting Fraud

* Social Security: Your Number and Card (SSA Pub. No. 05-10002)

* Identity Theft And Your Social Security Number (SSA Pub. No. 05-10064)


Student Loans


Contact the school or program that opened the student loan to close the loan. At the same time, report the fraudulent loan to the U.S. Department of Education. Call the Inspector General's Hotline toll-free at 1-800-MIS-USED; visit www.ed.gov/about/offices/list/oig/hotline.html?src=rt; or write: Office of Inspector General, U.S. Department of Education, 400 Maryland Avenue, SW, Washington, DC 20202-1510.


Tax Fraud


Internal Revenue Service (IRS) www.treas.gov/irs/ci


The IRS is responsible for administering and enforcing tax laws. If you believe someone has assumed your identity to file federal Income Tax returns or to commit other tax fraud, call toll-free: 1-800-829-0433. Victims of identity theft who are having trouble filing their returns should call the IRS Taxpayer Advocates Office, toll-free: 1-877-777-4778.


For More Information


Federal Trade Commission (FTC) www.ftc.gov


The FTC wants consumers and businesses to know about the importance of personal information privacy. To request free copies of brochures, visit www.consumer.gov/idtheft or call 1-877-FTC-HELP (382-4357).


FTC publications:


* ID Theft: What's It All About?

* Avoiding Credit and Charge Card Fraud

* Credit and ATM Cards: What to Do If They're Lost or Stolen

* Credit Card Loss Protection Offers: They're The Real Steal

* Electronic Banking

* Fair Credit Billing

* Your Access to Free Credit Reports

* Fair Debt Collection

* Getting Purse-onal: What To Do If Your Wallet or Purse Is Stolen

* How to Dispute Credit Report Errors

* Identity Crisis... What to Do If Your Identity Is Stolen

* Identity Thieves Can Ruin Your Good Name: Tips for Avoiding Identity Theft


Department of Justice (DOJ) www.usdoj.gov


The DOJ and its U.S. Attorneys prosecute federal identity theft cases. Information on identity theft is available at www.usdoj.gov/criminal/fraud/idtheft.html.


Federal Bureau of Investigation (FBI) www.fbi.gov


The FBI, a criminal law enforcement agency, investigates cases of identity theft. The FBI recognizes that identity theft is a component of many crimes, including bank fraud, mail fraud, wire fraud, bankruptcy fraud, insurance fraud, fraud against the government, and terrorism. Local field offices are listed in the Blue Pages

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...