Texas auto dealerships should be on the lookout for these two men, who have stolen 19 cars worth $750,000 from three Houston dealers:
Benigno “Benny” Diaz, 49, and Jorge Demichelli, 59, sought employment at the dealerships and used false information to obtain credit and/or property from the dealerships.
We’re familiar with this scam since a similar incident happened to one of our customers before they hired us. The thief was hired as a salesperson at the dealership. His accomplices came to the store and provided data from stolen identities. The “salesman” would fill out the credit app for them, get a blurry photocopy of the stolen ID, and generally run interference for the “customer” so nobody else at the dealership would look too closely at the customer or the ID data. The dealership had no indication anything was amiss until they received notification from the banks that the first payments had not been made. When the dealership started to connect the dots, the “salesman” disappeared.
Adding insult to injury, not only did the dealership lose the inventory, but they paid the thief commissions on the “sales”.
When you create your Red Flags Program, you must take into account any previous experiences your dealership has had with identity theft. Also, if you experience identity theft afterward, you must update the Program to reduce the likelihood of the same incident happening again. For our customer, we recommended that they add a second ID check at closing, where F&I would examine the ID (not a copy) before handing over the keys. We also recommended that they restrict spot deliveries and prohibit remote sales; the customer must show up at the dealership in person to complete the deal.
Finally, in the case of Diaz and Demichelli, the identity data they used was stolen from people in Puerto Rico. Dealerships are obligated by the Address Discrepancy rule to have policies and procedures “to enable them to form a reasonable belief that the consumer report they’ve received relates to the consumer on whom they requested the report”. In other words, when you pull a credit report, if the address the customer provides doesn’t match the address the credit bureau has on record, you should investigate further.
If the thieves gave Houston-area addresses, the credit bureau would have flagged that to the dealership as an address discrepancy, and the dealership should have requested utility bills or other address data to verify the customer’s identity. If the thieves gave the Puerto Rico addresses of their victims, the situation is a bit trickier: there is nothing wrong with selling cars to out-of-state customers, but F&I should have done a double take and investigated a bit further, especially if there were a sudden glut of “customers” from Puerto Rico.
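The two checks described above (does the address on the credit application match the address of record on the consumer report, and is there a sudden cluster of applicants from one far-away place) are simple enough to automate over a day’s batch of applications. The following is an added illustration, not code from the dealership or from any credit bureau; the application fields, the bureau response fields, the abbreviation table and the cluster threshold of three are all assumptions for the example. It goes slightly beyond the text by folding common street-type abbreviations so that “123 Main Street” and “123 MAIN ST” are not reported as a discrepancy.

```python
"""Address-discrepancy and out-of-area cluster checks for credit applications.

Added illustration only: field names, the bureau response layout, the
abbreviation table and the threshold are assumptions, not any vendor's format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# USPS-style abbreviations folded to one form before comparing (assumed list).
_ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "apartment": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace, fold abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


@dataclass
class Application:
    applicant: str
    stated_address: str   # what the customer wrote on the credit app
    stated_state: str     # state/territory code the customer wrote
    bureau_address: str   # address of record returned with the consumer report
    bureau_state: str


def address_discrepancy(app: Application) -> bool:
    """True when the stated address does not match the bureau's address of record."""
    return normalize_address(app.stated_address) != normalize_address(app.bureau_address)


def out_of_area_cluster(apps, home_state: str, threshold: int = 3):
    """States/territories other than home_state whose files appear on
    `threshold` or more applications in the batch: the 'sudden glut' pattern."""
    counts = Counter(a.bureau_state for a in apps if a.bureau_state != home_state)
    return sorted(st for st, n in counts.items() if n >= threshold)


def review_batch(apps, home_state: str = "TX", threshold: int = 3) -> dict:
    """F&I worklist: applicant -> reasons an extra ID/address check is needed."""
    cluster = set(out_of_area_cluster(apps, home_state, threshold))
    worklist = {}
    for a in apps:
        reasons = []
        if address_discrepancy(a):
            reasons.append("address discrepancy: request utility bill or other proof of address")
        if a.bureau_state in cluster:
            reasons.append(f"one of several {a.bureau_state} applicants: examine original ID in person")
        if reasons:
            worklist[a.applicant] = reasons
    return worklist


# Constructed sample batch: two local matches, one Houston address written on
# an application whose bureau file is in Puerto Rico, and two more PR files.
SAMPLE_BATCH = [
    Application("A", "123 Main Street, Houston", "TX", "123 MAIN ST HOUSTON", "TX"),
    Application("B", "45 Oak Avenue Apt 2, Houston", "TX", "9 CALLE SOL SAN JUAN", "PR"),
    Application("C", "9 Calle Sol, San Juan", "PR", "9 CALLE SOL SAN JUAN", "PR"),
    Application("D", "17 Calle Luna, Ponce", "PR", "17 CALLE LUNA PONCE", "PR"),
    Application("E", "77 Elm Drive", "TX", "77 ELM DR", "TX"),
]

if __name__ == "__main__":
    for who, why in review_batch(SAMPLE_BATCH).items():
        print(who, "->", "; ".join(why))
```

Applicant B is the case the bureau would flag outright; C and D match their files perfectly and would sail through a discrepancy-only check, which is why the cluster count matters. In practice the threshold should be tuned to how many genuine out-of-area buyers the store actually sees.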
This is the second time the Federal Trade Commission has delayed enforcement of the Red Flags Rule; enforcement was originally scheduled to start on Nov 1st, 2008, but that was delayed until the following May 1st when the FTC realized that very few businesses knew about the rule. See the FTC’s press release.
The FTC responded to the American Medical Association’s stance that the Red Flags Rule should not apply to physicians and related health care providers. That’s right - your trusty GP must have an Identity Theft Prevention Program. In the FTC’s letter to the AMA, the FTC acknowledges that, yes, doctors take a confidentiality oath, and yes, there’s HIPAA, but that does not cover the “respond to and mitigate identity theft” provision of the Red Flags Rule. In other words, they focus on two scenarios:
To address these scenarios, the FTC suggests that for smaller doctors’ offices, which are presumably low risk, checking a driver’s license and deciding in advance what to do if notified of identity theft involving the office would be sufficient.
BancInfoSecurity.com summarizes a study from the Fraud Management Institute. The article focuses on the cost of mailing address change confirmations (estimated at $300 million):
During the current financial crisis, it is critical for institutions to streamline and reduce costs and boost fraud prevention efforts, yet the survey shows that many are still doing address confirmation manually and spending much more time on ID Theft Red Flags Rule compliance than originally predicted by regulators.
FMI is absolutely correct about regulator disconnect on the time needed to comply with the Red Flags Rule. From the text of the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (i.e., the Red Flags Rule):
The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours for developing policies and procedures to respond to notices of address discrepancy).
No way. You can judge for yourself by reading the Red Flags Rule on the FTC’s web site, all 59 single-spaced pages of it. Further, the estimate does not include actual implementation time - the time it takes to do the checks, keep abreast of methods of identity theft, update the program accordingly, etc.
And the training time estimate is ludicrous. It takes longer than four hours for a single competent trainer to prepare for a class. In a typical business, if I want to get funding for a project, I would have to submit an analysis that includes time x labor costs. If I have a hundred employees who need to be trained for four hours, the burden is four hundred hours, not four. If I am an auto dealership, the cost of having my sales force off the floor for half a day is certainly significant.
The Providence Journal has a story about a proposed identity theft law in Rhode Island:
The new law, if enacted, would require companies to take reasonable steps — shredding or erasing — to make sure that sensitive information is indecipherable. Such information includes Social Security numbers, passports, bank accounts and drivers’ license numbers.
Businesses found not in compliance would be subject to civil penalties ranging from $500 to $50,000.
The story is notable for its lead-in:
Attorney General Patrick C. Lynch is going after “Dumpster divers,” those bottom-feeding scoundrels who are often involved in identity theft.
Actually, it sounds like he’s going after businesses; there is nothing further in the article about the people who actually commit identity theft related crime. Lynch cites a recent settlement with CVS/Caremark for $2.5 million for violating HIPAA regulations regarding proper disposal of customer medical and financial information, and a two-year-old dumpster diving case, as proof that additional laws are needed.
The Disposal Rule does not already cover this? Or the Red Flags Rule? Or the Safeguards Rule? Lynch does not mention that in the CVS case, not only did the company settle with the Dept of Health and Human Services for $2.5 million, but they were also prosecuted by the FTC:
The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.
Wired Magazine reports on the Security Breach Notification seminar in Berkeley. I’m glad somebody is asking this question. From the article:
It’s clear that the laws have made the public more aware of breaches and the vulnerability of their data, and have exposed poor security practices at many businesses. A 2005 study by the FBI showed that in the absence of a legal requirement to report breaches, only 20 percent of firms would report serious breaches to law enforcement.
…
As notifications have become more ubiquitous — 55 percent of respondents in a survey by the Ponemon Institute last year said they’d received two or more notices within 24 months — many consumers have become inured to them, simply tossing them in the trash rather than acting on them to protect their identity.
The article also links to a study by Alessandro Acquisti of Carnegie Mellon University. From the summary:
We find no statistically significant effect that [breach notification] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce.
The study goes on to state that there may be various data quality or quantity reasons for that finding (and ultimately recommends a federal breach notification law to aid in research efforts and reduce conflict among state laws). The study also cites Javelin Research’s finding that 90% of the cost of identity theft and fraud falls on businesses - merchants, credit card companies, banks - and therefore consumers may not be harmed as much as thought.
Here is an Identity Theft Article from the Phoenix Business Journal, notable for a good quote from Identity Theft 911’s Eduard Goodman:
“Businesses need to treat personal identifiable information like they would money,” Goodman said. “You wouldn’t leave cash lying around.”
Simple, easy to remember, and accurate. Your employees’ eyes will glaze over when you start talking about FACTA and the FTC during Red Flags training, so why not use that analogy before you get to the boring stuff?
RedFlagsMadeEasy has launched a logo design contest on 99Designs and will be accepting entries from graphic artists until February 27th (7:17pm GMT). Read the design brief and join the contest here!
What if, as part of your strategy to Prevent and Mitigate Identity Theft, you make a business decision to downplay an incident that occurs at your company? Heartland Payment Systems announced on Jan 20th that they had been hacked by an apparently “global cyber fraud operation”. Based on the timing of the announcement (inauguration day) and their press releases, they made a clear decision to do exactly that:
Potentially exposed through this breach are card numbers, expiration dates and other data from the card’s magnetic stripe. In a small percentage of cases, the cardholder name of your customers who used a credit or debit card in your store during part of 2008 may also have been exposed.
Since Heartland processes $55 billion worth of transactions a year (per their December 2007 annual report), this is not a small breach.
Heartland President and CFO Robert Baldwin conducted interviews that were somewhat more informative. With Brian Krebs, who blogs on security issues for the Washington Post, Baldwin provided more detail: “The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.” One thing that jumps out from the Krebs interview, though:
The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.
“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”
Whoever has the names and numbers can figure out how to do a bulk query on a name and address database, especially if they have the terminal (point of sale) location and can narrow it down by city. Also, Heartland does not say one way or the other whether the credit card security codes were accessed. One caveat: the three-digit code printed on the back of the card is not encoded on the magnetic stripe, so a compromise of track data alone would not yield it; the stripe carries a separate verification value in its discretionary data, and that is what lets a counterfeit card pass at a point-of-sale terminal.
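To make concrete what “data from the card’s magnetic stripe” does and does not include, here is an added example (not Heartland’s code, and not derived from anything in the breach) that parses the two public track layouts from ISO/IEC 7813 and reports which fraud-relevant fields are present. The track strings are constructed with the well-known Visa test PAN 4111111111111111 and an invented name; the service-code interpretation is limited to the one digit that indicates whether the card also has a chip.

```python
"""What is, and is not, encoded on a payment card's magnetic stripe.

Added illustration only.  Track layouts follow the published ISO/IEC 7813
formats; the sample tracks are constructed from a public test PAN.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class TrackData:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str            # issuer data; carries the stripe's own verification value
    name: Optional[str] = None    # only track 1 carries a cardholder name


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse a track 1 or track 2 string; raise ValueError on anything else."""
    m = TRACK1_RE.match(raw)
    if m:
        return TrackData(m["pan"], m["exp"], m["sc"], m["disc"], m["name"].strip())
    m = TRACK2_RE.match(raw)
    if m:
        return TrackData(m["pan"], m["exp"], m["sc"], m["disc"])
    raise ValueError("not a track 1 or track 2 string")


def fields_present(track: TrackData) -> dict:
    """Which fraud-relevant fields this stripe read actually contains."""
    return {
        "pan": True,
        "expiry": True,
        "cardholder_name": track.name is not None,
        "billing_address": False,      # never encoded on the stripe
        "printed_security_code": False, # printed on the card, not in track data
        "chip_present": track.service_code[0] in "26",  # service code position 1
        "luhn_valid": luhn_ok(track.pan),
    }


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual form for logs and tickets."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed samples: public test PAN, invented cardholder, expiry Dec 2010.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^1012101000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=10121010000000000000?"

if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        t = parse_track(raw)
        print(mask_pan(t.pan), t.name, fields_present(t))
```

Run against the samples, both tracks yield the PAN and expiry needed to encode a counterfeit card, track 1 additionally yields the name, and neither yields an address or the printed code, which is exactly the distinction Baldwin draws between card-present and card-not-present fraud risk.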
Heartland has known about the breach since late October and clearly made an effort to downplay it. Was this a good decision? Certainly Heartland CEO Robert Carr and Baldwin have a responsibility to their company, their shareholders, and their customers not to incite a panic. And they are correct when they point out that credit card customers are not liable for fraudulent charges as long as they report them in a timely manner.
There are two problems, though.
First, Heartland has downplayed the impact to the point where it appears that they’re trying to totally obfuscate it. Somebody is going to pay for fraudulent charges - the banks, the credit card companies, the merchants - and it would have been helpful for Heartland to say, in their first press release, exactly what data was breached and from what dates. In fact, there has already been a class-action suit brought against them alleging, among other things, that Heartland “made unreasonably belated and inaccurate statements concerning the breach.”
Second, Heartland’s image and marketing efforts are built around reliability, trust, and transparency. But their response to this crisis has been neither timely nor accurate. Their company motto, embossed on their logo, is “The highest standards. The most trusted transactions.” Heartland’s home page boasts about “peace of mind”. And in Heartland’s second press release on the 23rd, they continue to assert this while providing absolutely no information that could be considered helpful to consumers, banks, or merchants: “Our record of candor…is highly valued,” according to Carr. Not so much, anymore.
BancInfoSecurity’s roundup coverage of the Heartland breach and its aftermath. Gets a gold star for best and most thorough coverage.
AP News Article on the breach. It appears AP just copied the press release for the most part, but it’s notable for saying Heartland “asserted that merchant and customer data were not affected,” in one sentence and “the only information breached were card numbers and cardholders’ names” in another.
Information Week Interview with Heartland President Robert Baldwin
Information Week Blogger George Hulme also takes issue with Heartland’s lack of forthrightness.
Anthony Freed wonders if Heartland waited so long because Carr was busy dumping stock. One of the side effects of a perceived lack of candor.
Evan Schuman of Storefront Backtalk writes about the technical aspects of the breach.
Infoweek follow-up. Three men were arrested in Tallahassee for using some of the credit card data. From the sheriff’s office press release:
“…it was determined that Acreus, Frazier and Johns have been using stolen credit card numbers to electronically encode VISA Gift Cards which were then used to make fraudulent purchases at local businesses, including several Tallahassee Wal-Marts. The group would then sell the fraudulently obtained merchandise for cash. The stolen credit card numbers utilized by the group were stolen in an international computer hijacking of records from the Heartland Processing Center in New Jersey. The total of actual and declined fraudulent transactions in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues.”
It looks like whoever hacked Heartland sold the data to other thieves - I assume, maybe incorrectly, that the people going into WalMart are not the same people who planted the malware. It will be interesting to see what further arrests happen as this plays out.
The city of Sallisaw rolled out their Red Flags Program and issued a public announcement about it so their customers know what to expect. (While municipalities are not subject to the Red Flags Rule, utilities are).
Before rolling out your program, take a page from Sallisaw’s book and make every effort to set customer expectations in advance.