Feb 6 12

4 things you might not know about identity theft

by Neal O'Farrell

One of the biggest surprises for many victims of identity theft is the realization that many things they assumed about the crime and its aftermath were actually wrong. And by the time they realize the truth about identity theft, it’s too late.

So with that in mind, I thought I’d clear up some of the assumptions you may be making that may be completely wrong. Let me know if any of these sound familiar:

Zero liability is a promise, not a law
Victims often mistakenly assume that if they fall victim to credit card fraud, the credit card company is obliged by law to make them whole. Only it’s not. There’s no zero liability law, just a promise by credit card companies not to hold victims liable for fraudulent charges. It’s self-preservation really, and the cost of calming consumers and making sure they don’t worry unnecessarily about using their credit cards.

If your Social Security number is being used by 100 other people, don’t expect the Social Security Administration to do much
You’d think that given the Social Security number is the crown jewel for identity thieves, and loss of your number could lead to a lifelong fight for your identity, the Social Security Administration would be leading the fight against identity theft. Sadly no. Even on their own web site they don’t hesitate to explain that they don’t investigate identity theft and instead will refer you to other sites, like the FTC and Internet Crime Complaint Center, who also won’t investigate your case.

If you’re a victim of identity theft, you could be blacklisted by your bank

This is a growing trend, where victims of identity theft are not held liable for any losses but instead suffer the humiliation of being told by their bank or credit union that they must close their accounts and take their business elsewhere.

Talk about insensitivity, but I can only assume that banks regard victims as an ongoing liability likely to be victimized again and again. So rather than carry that risk they’d prefer to push it on to their competitors.

Don’t expect the thief to be caught or prosecuted
One of the many facts that set identity theft apart from most crimes is the lack of any real satisfactory resolution. If you’re ever a victim, don’t expect to get your day in court to watch your thief face justice and head to prison for the next decade. Identity theft is not a priority for law enforcement, and most police departments investigate less than 1% of identity theft cases. Of those investigated, only a tiny minority is ever prosecuted, and in those very few cases the thief is often allowed to strike a deal that results in little real punishment.

Why zero liability could be meaningless

I’m pretty sure that you’ve heard of zero liability by now – that promise by your credit card company that in the event of a fraud using your credit card, you won’t be liable for any losses. It was a concept introduced years ago by the credit card industry to allay fears consumers had about using their credit cards and shopping online.

Banks were just as quick to jump on the bank wagon and start throwing about similar promises, which unfortunately led consumers to believe that their ATM/debit cards and their bank accounts were covered by zero liability too.

Victims of fraud, however, are finding out the hard way that they were wrong. The truth is, most banks don’t offer zero liability in the case of ATM or debit card fraud, or unauthorized transfers from your bank account. Instead, they’re covered by something known as the Electronic Fund Transfer Act, which has much looser rules when it comes to reimbursing defrauded customers.

For starters, even if you report the theft or scam within 48 hours of discovering it, you’re still on the hook for $50. If you report the fraud outside the 48-hour window, you’re on the hook for the first $500 in losses. And for many victims that’s a month’s rent or a month’s worth of groceries.

And as banks face a tough economy and limits on the fees they can charge their customers, they’re getting tougher on victims of fraud and identity theft. As head of the Identity Theft Council, I’m seeing an increasing number of victims being told by their bank that for a variety of reasons their claim for fraud has been denied and they will not be reimbursed their losses.

Some of the banks rely on outdated security advice that doesn’t seem to take into consideration threats like skimming. Banks will often deny a claim for fraud if both the victim’s card and PIN were used in the transaction and if the victim did not previously report the card as missing. The banks are assuming that if the card and PIN were used, and the victim did not report the card missing, then the transaction could not have been conducted by anyone other than the victim.

But in skimming cases, especially those using compromised card readers, the thieves are able to steal the victim’s card and PIN to make new cards, and start withdrawing money on the other side of the country. So either fraud help desks are not aware of frauds that can capture both the card and PIN, or are simply using that as an excuse to avoid liability.

And as if that were not bad enough, I’m also hearing from victims who, after they’ve notified their bank that they have been a victim of identity theft, are told to close their accounts and take their business elsewhere. It’s as though the banks regard victims of identity theft as a greater liability and would rather push that liability to a competitor.

Jan 23 12

Could your identity be funding terrorism?

by Neal O'Farrell

If you’re still looking for a reason to get more serious about protecting against identity theft, then do it for your country. In a series of recent hacks on customers of AT&T, attackers were apparently able to steal more than $2 million by making fake calls to premium call services.

It now appears that the money made from the attack was funneled to a Saudi-based militant group that is also believed to have helped fund the deadly 2008 terror attacks in Mumbai, India, where the coordinated series of attacks claimed more than 160 lives.

Identity theft for terrorism is nothing new. According to a report by MSNBC as far back as 2004, the 9/11 Commission raised the troubling reality that stolen identities are aiding terrorists. The Millennium Plot, which consisted of a number of planned attacks around the world back in 2000, was organized by a terror cell that used credit card fraud to fund its activities, and there are even claims the terrorists planned to invest in a gas station to make it easier to steal multiple identities.

The MSNBC report also claimed that Ali Saleh Kahlah al-Marri, suspected of being connected to the 9/11 attacks, had a laptop in his possession that contained 1,000 stolen credit cards when he was arrested.

And an expert on identity theft at the University of Michigan claims that al Qaida manuals she has seen include instructions on how to commit fraud and steal identities, to live off stolen identities when in hiding, and even require students to leave their training camps with at least five fake identities.

Yet another reason to take identity more seriously. It’s about much more than zero liability, and the impact the crime can have on you personally. If you’re careless with your identity and it makes it into the wrong hands, who knows what horrors could be committed in your good name.

Manila says arrested hackers funded by Saudi group

Dec 27 11

Identity Theft Council cautions consumers to think twice about using an ATM/debit card

by Neal O'Farrell

In light of an increase in the number and sophistication of skimming scams around the country, the Identity Theft Council is warning consumers and business owners to be especially careful and selective when using an ATM or debit card to make purchases.

While a credit card fraud can be an inconvenience, consumers should realize that it’s the bank’s money that is being stolen, and it should not affect the funds the consumer has in their bank or credit union account.

If an ATM or debit card is stolen, however, the funds will be taken directly from the victim’s bank account. And while victims should get their money back eventually, it may not be in time to pay important bills like rent, mortgage, and even groceries. In the case of the recent skimming breach that affected 24 Lucky Supermarkets in Northern California, some victims are reporting that they’re unable to buy groceries because of delays with their bank either in replacing compromised debit cards or in accessing their accounts.

And the nation’s 27 million small businesses are also vulnerable because many are not aware that zero liability does not apply to business accounts. Which means that a small business owner’s cash reserves could be wiped out by a single card theft, and the money will not be reimbursed by their financial institution.

The Identity Theft Council recommends the following precautions:

  • The easiest way to avoid skimming is to use cash, especially in places where it’s easy for thieves to tamper with a device.
  • Be vigilant and do a cursory inspection of the card reader, ATM, or gas pump for anything that looks unusual. However, don’t rely on a visual inspection because many skimmers are hidden inside the card reader or gas pump where a consumer will never spot them.
  • Use a credit card instead of a debit card. A debit or ATM card takes money directly from your bank account, and while you should get it all back, it may not be in time to pay important bills like rent. If you use a credit card (and pay it off fully each month) it’s the bank’s money that’s at risk.
  • Resist offers by merchants, especially gas stations, to give a discount for using a debit card instead of a credit card. The small savings at the pump may not be worth the price of an emptied bank account.
  • If you’re a small business owner, don’t use an ATM or debit card at all because if thieves do manage to steal from your account, you don’t have zero liability and will not be compensated.
  • Always check your bank and credit card statements carefully each month for any unusual charges, and challenge them immediately.
  • If account alerts are an option, use them. Many financial institutions offer free alerts by email or text if there are any transactions on your account, allowing you to challenge or dispute them quickly.
  • If you do fall victim and money is removed from your account, contact your financial institution immediately, cancel the card, and have a new one issued with a new PIN. It shouldn’t be necessary to close your account completely, which can be a big inconvenience, but you should ask your bank for their advice on this.
  • If you’re notified or suspect that your card has been compromised in a breach, and you don’t close the account, monitor your accounts closely for the next few months. Thieves often wait until media coverage of an incident blows over and guards are down before using stolen information.
  • Don’t share ATM or debit cards with other family members or employees because it only increases the chances that someone will ignore your rules and expose you to theft.
  • Be on the alert for bogus calls pretending to be from your bank, credit union, or credit card company, claiming to be in connection with a recent breach, and asking you to confirm account or personal information. If in doubt, contact your financial institution through the customer service or fraud number provided on the card or their web site.

Thieves are more determined than ever to attack point-of-sale systems because of the financial returns. In early December the Department of Justice announced the indictment of four Romanian nationals accused of compromising point-of-sale devices at more than 200 different businesses and stealing the card information of more than 80,000 customers. The losses are believed to be in the millions of dollars and the scam may have gone undetected for nearly three years.

Nov 29 11

Thief uses identity theft to fund a business

by Neal O'Farrell

In one of the most bizarre and creative identity thefts I’ve come across recently, a Florida car salesman was arrested and charged with a multi-million dollar identity theft scheme that helped fund his car business.

The alleged thief had somehow managed to steal the identities of hundreds and perhaps thousands of victims. According to authorities, the Florida man used information stolen from the State Department of Children and Families and Department of Juvenile Justice. How he got that information is unclear, although assistance from insiders in cases like this is not unusual.

Armed with the new identities, the alleged thief then filed more than 1,500 tax returns in the names of his victims, and had the money deposited in a network of bank accounts he had set up. But here’s the twist. Rather than pocket the money like most thieves, instead the suspect used the money to purchase cars which he then sold on his car lot.

Apart from being a very creative way to fund a business and buy stock, it’s also a great way to launder money and make the money look like it legitimately came through car sales. The scheme may have netted the thief more than $5 million, which has yet to be recovered. And once again, the scam was discovered only by the vigilance of a postal worker who reported an unusual amount of IRS-related mail going to the one address.

And it’s not the first time thieves in Florida have exploited huge holes in the tax refund system to make money. A few weeks ago I wrote about Operation Rainmaker, a Florida-wide law enforcement operation that took down a massive identity theft scam that netted local drug dealers an estimated $130 million by filing bogus tax refunds using stolen identities.

Nov 23 11

Identity thieves start working the phones

by Neal O'Farrell

One of the reasons identity theft is such an epidemic is that there are so many ways to commit it – steal mail, blast out phishing emails, hack a database, or simply buy identities on a street corner. But for years, security experts have been suggesting, and maybe hoping, that at least you should never expect to get a phone call from the thief.

Time to start rewriting the manual. A security firm called Trusteer recently announced that it has discovered criminal support organizations that provide real people operating customer service-style phone banks to personally call targets and try to swindle them out of their identity.

Experts believe thieves are going to such new extremes because when they steal a victim’s identity online, they may not have quite enough information to maximize that theft. So they hire these criminal dialers to call selected victims, use the personal information they already have about the victim to build trust, and then trick the victim into handing over the last piece of the puzzle.

Here’s how Trusteer believes these calls might go. The scam would start when the criminals try to reset a password or initiate a transaction, and the bank sends a text message to the victim that includes a one-time password for verification.

Step 1: Caller Establishes Credibility

The caller would use data collected by malware to gain credibility, for example the caller will ask “Are you John Smith, living at their address, with credit card number ending in 2345?”

Step 2: Caller Collects Missing Data

Once the caller has established credibility, they will go on to collect:

a) The one-time password sent by their bank as a text message – for example “We have just sent you a one-time password so we can make sure you are John Smith, can you please read it for me?”

b) Collect any other additional authentication information, for example “For verification, can you please give me the last four digits of your SSN?”

c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information, for example “We need to calibrate your transaction signing reader so could you please enter the following details online and then tell us what happens.”

According to Trusteer “While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavor to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organizations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realize.”

Trusteer offers the following advice:

  • Make sure to use up-to-date anti-malware solutions, especially any recommended by their bank, to prevent data theft in the first instance.
  • Treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer.
  • Use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.