ID Thieves Now Targeting Social Networking Sites, Medical Records
Tuesday, September 8, 2009
Identity theft is getting more sophisticated. Nowadays, teams of thieves work to attack large organizational systems with the goal of stealing thousands of credit card numbers. Your medical records are also at risk, and there are many questions being raised about the privacy on social networking sites, like Facebook. We discuss the newest forms of ID theft, and what you can do to protect your privacy online.
MAUREEN CAVANAUGH (Host): I'm Maureen Cavanaugh and you're listening to These Days on KPBS. If we needed proof that anyone can become the victim of identity theft, we got some evidence from a news story last month. Thieves who stole the purse of Federal Reserve Chairman Ben Bernanke's wife started writing checks on the Bernanke private checking account. So, one of the most powerful men in American finance was forced to change his accounts and cancel his credit cards. Purse snatching is, of course, old school in comparison to the high-tech, high-volume modern identify theft industry. Also last month, a Florida man was indicted for a record breaking credit card theft. He stole the information on 130 million credit cards used by customers of five retailers including the 7-Eleven chain. The technology of theft is now outpacing our ability to keep information secure. It's a problem that needs to be tackled on many fronts, but there are things individuals can do to cut down on the chance of becoming victims of identity theft. We'll be discussing everything from medical records to Facebook accounts with two people who are experts in the field of cyber crime and privacy issues. I'd like to welcome my guests. Pam Dixon, executive director of the World Privacy Forum, a non-profit public interest research and consumer education group that focuses on privacy matters. Pam, welcome to These Days.
PAM DIXON (Executive Director, World Privacy Forum): Good morning. What a pleasure to be here.
CAVANAUGH: Thank you. And Murray Jennex is professor of Information Systems at San Diego State University, and an expert in the area of cyber crime and identity theft. Murray, welcome to These Days.
MURRAY JENNEX (Professor, Information Systems, San Diego State University): Good morning. Thanks for having me on.
CAVANAUGH: I tell you, let's start out by talking about this recent case out of Florida where the information of 130 million credit cards was stolen. Murray, how was that identity theft done?
JENNEX: Well, this was actually a very low tech attack on a high tech target. What he did is he went searching for unsecured wireless access points. And once he found a unsecured wireless network into a major company, he used that to bypass their perimeter security and install a root kit and attack software that the rest of his ring then used to go in and attack the databases and such. So from that standpoint, it was actually fairly low tech but it required someone to be physically near the offices and to drive around and find an access point.
CAVANAUGH: Is that what they call war driving?
JENNEX: Yes, ma'am.
CAVANAUGH: And so there was no – was there or wasn't there a problem with the company's security systems?
JENNEX: Well, there is. They all had good security because we're not just talking 7-Eleven, we were talking a credit card serving company, we were talking Sports Authority, TJ Maxx, a lot of large companies who have good perimeter security except that they weren't checking to see if their employees weren't installing wireless access points or having a wireless computer that was hooked into the network that was bypassing their perimeter security.
CAVANAUGH: I see. Pam, would it be fair to say that ID thieves are one step ahead of the game right now?
DIXON: It really depends on what kind of identity thieves you're talking about. Right now there are a variety of kinds of identity thieves. There are thieves who specialize in insurance fraud, healthcare fraud, what we call medical identity theft, and then there are folks who specialize in more of the financial form of the crime, and then there are just your basic, you know, kind of hackers that just try to get information and then sell that information to the highest bidder. The Florida case with Alberto Gonzalez is one of those cases where you had some people with some technical expertise who, you know, in some ways, it was a low tech attack but in some ways it was a very sophisticated attack in that they were shaping software to evade various virus detection programs and whatnot. So you have people who are focused on various pieces, so I'm not sure that the criminals are always a step ahead but it only takes a few at this point because those who are a step ahead tend to focus on large scale attacks now. The days of people ripping off your wallet, a roommate taking your identity, those cases still exist. But the real headlines you see now are about the 130 million, you know, names or credit cards or, you know, the VA losing those millions of records.
CAVANAUGH: Right, right.
DIXON: So that's the headline grabbers now.
CAVANAUGH: And, Murray, I'm wondering, what do they do with 130 million names and credit card accounts? I mean, not everybody's identity is stolen, right?
JENNEX: No, but they can bundle those and sell them on the market. There's a market on – you can get to it on the internet. I'm not encouraging anybody to go look for it, but they can bundle them in groups of 1,000 or 100 and sell them as a bulk commodity.
CAVANAUGH: And – and who buys?
JENNEX: Well, all the other criminals.
CAVANAUGH: Oh, okay.
JENNEX: I think from their standpoint, for them, their moneymaker was to get the huge number and instead of trying to fence all that themselves, they broke it off and sold it and made money that way.
CAVANAUGH: And then what's the next step, Pam? What do people do with this huge amount of information in a nefarious way?
DIXON: It depends on what kind of information you've bought. The street value of some of this information ranges from anywhere from ten cents to fifty dollars. It really depends on what you're buying. But, for example, let's say that you've bought 1200 medical files. There's a case of this in Florida, surprise, surprise, where a person sold just over 1000 files to a gang. And that gang set up a fake medical billing operation and proceeded to bilk Medicare, Medicaid out of millions of dollars. And they billed very small amounts so that it wasn't detected until a couple months down the road. This is a very frequently encountered kind of situation. Other folks will do a – what I call a smash and grab. They'll take a host or a rack of credit card numbers, make large purchases and then dump the numbers. Or they'll make a lot of small purchases and then dump the numbers. Then there's something that we call credit card aging where you'll buy a list and then you'll age it for awhile and see what credit cards are still good after about a year and then you'll use those for a little while. So there are a variety of ways but they all entail buying things and making money off of other people's names and credit and information.
CAVANAUGH: That's really fascinating. So, you know, Pam, we're told, you know, get a shredder, shred your documents and so forth, but it seems almost futile when you're up against what these massive hackers can do with the information that they can get from, you know, from 7-Eleven or other retailers that just have this huge amount of information on us.
DIXON: Well, you want to take away the low-hanging fruit, so doing the shredding bit and all that, that's actually really important to continue doing. But it's just – it's kind of like are you going to catch a flu this season. You can get a shot but it doesn't mean that you won't get the flu. And when you have really systematic risks such as posed by the Alberto Gonzalez case or the, you know, other kinds of cases like that, you can't stop that. But you can stop what you can, and that's always a good idea. So keeping an eye on your credit report, making sure you have recent copies of your healthcare files, these are all things that you should do. It won't be the silver bullet that you'd like it to be but if you don't do that, then you can expose yourself to more risks. So it's best to just check those boxes off and do those things and then really keep a good eye on your credit reports.
CAVANAUGH: And I want to let everybody know the Alberto Gonzalez we're talking about is a man indicted for fraud in Florida, not the former Attorney General of the United States. And let's take a phone call. Sara is calling in from Serra Mesa. Good morning, Sara. Welcome to These Days.
SARA (Caller, Serra Mesa): Good morning. Thank you so much for taking my call. This is an incredibly important topic. I just wanted to share with you twice in the last, I would say, two years I have had service done at—and I don't know if I can say this on the air—Jiffy Lube.
SARA: And both times I returned home to receive a phone call from someone identifying themselves as representing that company. Both times for service, I used my debit card. And the first time, the gentleman wanted to, and I use that term loosely, the gentleman wanted to verify my debit card number. And my response to him at the time was, well, I've already used that so you should probably have the number. The second time was as recent as two months ago when I had service done again and a young woman phoned and said, hi, my name is so-and-so and I represent Jiffy Lube. And I said to her immediately, why are you calling me? And she hung up.
CAVANAUGH: I see.
SARA: So I just wanted to emphasize do not, under any circumstances, give any information over the phone. And I called the company after this young woman called and explained the situation, so there needs to be a firewall everywhere.
CAVANAUGH: Sara, thanks so much for sharing that rather spooky conversation you had. I'm wondering, Murray, is there any legitimate reason that Sara would get those phone calls?
JENNEX: No. And actually it's good she mentioned it was a debit card because actually they're more of a problem than credit cards because usually you have a lot less protection with a debit card and it can be directly used and take money from your account and they probably won't catch it until they – after they drained your account.
CAVANAUGH: I see, because with a credit card you – the credit card companies are better at repaying or not charging you if you've been fraudulently charged, is that the idea?
JENNEX: Right. They have their protection programs and they have a lot of software that's on there monitoring your behavior with your credit card and they catch these – They can catch many of the fraudulent use of your card fairly quickly. But nobody's really monitoring your debit card.
DIXON: Well, plus there are a number of laws that are protective of consumers that really don't touch those debit cards quite the same way. We encourage everyone to, you know, let their debit cards go and if you're going to need to use plastic, go ahead and use your credit card and just pay the balances. It's much more protected than using a debit card.
CAVANAUGH: That's interesting. I had no idea. What about paying bills online?
JENNEX: Well, before you go a little further…
JENNEX: …another thing about this is a lot of these attacks occur from companies because of employees taking advantage. There have been a number of attacks where employees have copied numbers down or captured the information along with the legitimate transaction and then used them later.
CAVANAUGH: I see. I see.
JENNEX: So this is a fairly common attack. The other common way of doing this is to have a recorder over the reader and then capture the information so anytime you're using a debit card or even a credit card, you should really be paying attention to that reader or the machine that you're sliding it through to make sure it looks legitimate, that it doesn't have an extra little space on top where somebody's put something on it, a reader on top of it, and there doesn't seem to be anything around that might be a camera recording your PIN number because, really, once they get the PIN number, you're in trouble.
CAVANAUGH: Well, that's great because they always keep changing those slider things so we don't know what we're looking for.
DIXON: You know, he brings up a very important point and that is when most people think of security and online security or any kind of security, the image in most people's mind is a castle and a moat. If you build a big enough perimeter around something, then no one can get in and everything is safe. And I think this must be human nature because it's a fairly pervasive image that most people have, whether they realize it or not. But the reality is, is that a great deal of the problems that we're seeing in identity theft cases are coming from inside. So in the healthcare sector, it's coming from inside the healthcare sector, people who are medical billers, for example, or front desk clerks or assorted other individuals from the inside. In this case, you have a situation where there is a business and it looks like there might be a little bit of a problem there. You'd have to, you know, check into it more but that certainly sounds really questionable to me, this caller getting two calls like that. That's a real red flag.
JENNEX: Somebody there's doing something.
CAVANAUGH: All right.
DIXON: Yeah, that – there's some red flags there and the caller had the right instinct of just absolutely not giving out information like that over the phone.
CAVANAUGH: Let me ask again about paying bills online. Everybody wants you to start doing that, it's supposed to be good for the environment and so forth. Do – Is there enough security in place, Pam, for us to be able to pay our bills online without worrying about identity theft?
DIXON: Oh, this is one of my favorite questions because it opens up so many different conceptions about privacy and security. Really, here's the deal. When you cross the perimeter of a bank and you're doing your banking online, there's a lot of security, and thoughtful security, that's typically been put in place. The real problem is, you know, the ecosystem of the whole computer setup and that includes your computer setup. So, for example, are you at a Starbucks or another unsecured wireless location doing your online banking at this secure site? If you are, that could be problematic for a number of reasons. Are you storing this information in a completely unprotected way on a laptop that you then lose or a USB drive? So there are a lot of security holes that have nothing to do with the banks. So online bill paying can be a very happy thing but not if it's done without a lot of thought.
CAVANAUGH: Murray, I hear that you have two separate computers.
JENNEX: Yeah, because most of the time when you have a problem with online banking, as Pam said, it's from your own computer. And in particular, if you have children who are doing social networking or if you like doing social networking, a lot of the social networking sites are notorious for having a lot of malware downloads. They can get onto your computer and then, say, put a key logger there and record your information as you're typing it into your bank and then transmit that back to the person who put it on there. So I do use two computers. I use a clean computer just for online banking and financial transactions because that way I know I haven't let my two 20-year-old sons do stuff that have downloaded things. I can trust it. And I think that's a kind of an important thing is that families with one computer where you have teenagers or kids doing online gaming, doing Facebook, doing MySpace, YouTube, you're running a lot of risk. You are – They're going out there into the wild world and downloading things. Every time you go to a website, you're downloading software and you don't know for sure what you're getting. And even with the best malware detection software and virus software, you're not really protected because they can only protect you against known attacks, not against new ones.
CAVANAUGH: Well, I want to talk just a question or two about medical records and social networking before we have to wrap it up. I want to ask you, Pam, I think you've already explained because when I heard that the medical records were being stolen, I was saying, well, why does anybody want that? But what you're saying, if I understand correctly, is people are using that information to fraudulently bill insurance companies for payments, is that correct?
DIXON: Yes, and it's both public and private. So, for example, an Aetna, a Cigna or even Medicare, Medicaid, it's one of the most profitable things you could possibly do as a criminal right now. It's more profitable than selling drugs.
CAVANAUGH: Now, but what do you do if, indeed, someone has access to your medical records? Are you being asked to pay bills for medical procedures you've never had?
DIXON: Oh, yes, and then some. Yeah, it's not unusual for us to get calls from people who owe $150,000.00 or more for surgeries or other medical goods and services that they've never even heard of. And there's one case where one of the medical identity thieves skipped from state to state and did something like 83 different procedures. It's a very well known case. So this is an unfortunate and growing reality that we're all going to have to face.
CAVANAUGH: What do we do to stop that from happening to us?
DIXON: Ah, unfortunately, the laws in the healthcare sector are completely different than the financial laws that govern identity theft. The law that really talks about medical data flows is HIPAA. I think most people have heard that because they've signed HIPAA privacy policies in their doctors' offices. That particular law actually does nothing to help you with medical identity theft. What you need to do, basically, the very best thing you could do to be proactive is through a calendar year, as you go through your routine appointments with your eye doctor, your dentist, and if you've had surgeries, do this, if you have kids, when they get their shots, basically as you go through your year always remember when you're in the office go ahead and make a written request for your medical files. And you'll get them in between 30 and 60 days. It's the law, you have to get them, with some very limited exceptions. And have a nice backup copy of your own paper files. And the reason I say this is because when victims call us—and we have hundreds and hundreds of cases now that we've dealt with—one of the first things everyone says is I'm a victim of medical identity theft. I can't get my medical files. Because when this happens to you, what tends to happen is people will go to the healthcare institution where this happened and they'll say, I just got a bill for surgery that's not me, I need to look at this medical file so I can get it straightened out. And the healthcare provider will say, umm, this isn't you, we can't give you the file…
CAVANAUGH: I see. I see.
DIXON: …even though it's your name. So having your medical records beforehand is so helpful.
CAVANAUGH: And let me ask you, you know, Murray, we need to talk about this for so much longer but we just are running out of time this morning. I wanted to ask you about – I know that the social networking because you bring that up a lot and how it opens the door to a lot of people being able to gain access to your computer and your personal information. Now, congress is going to be looking into this issue this fall. I wonder what kind of optimism you have that this problem can actually be legislated away in some way?
JENNEX: Oh, I don't think it can be. I think the real problem is the social networking is, one, people going to the sites and downloading stuff and not paying attention. But also it's their behavior. We tend to be a fairly trusting society and kids in particular are very trusting and they put lots of information out about themselves. And it's this information that people are gathering off of Facebook and MySpace and stuff, and building a profile of your family. And this is where, really, education comes into play. We have to teach our kids not to tell the world about our life. And, of course, the social networking approach is to blog everything and to tell everybody all the intimate details.
CAVANAUGH: Right, yeah.
JENNEX: Well, that's a bad. I do an exercise in my class where I get my roster and I have my son just go collect stuff off of Facebook and MySpace and stuff to see what we can find on the students. Then I show them what I could find out about them. And many times they're shocked.
DIXON: And we…
CAVANAUGH: Yeah, that would shock me, as well.
DIXON: Yeah, you know, there is – I think that people would be truly shocked if they knew what companies are doing with the information that has been publicly posted. And the way I like to explain this is it's a lot like environmental damage. Environmental damage accrues over time and you might not see it immediately but eventually you're going to end up with birth defects or some horrifying problem, and information problems and privacy problems that are related to those information problems is – it's exactly the same way. And what happens is that you wake up one day and all of a sudden you have a lot of consequences that have built up and you don't even realize how it happened but it happened slowly over time and with post after post. It's like a trickle that ends up being a huge profile. And one of the things that's a subject of this congress is these profiles.
CAVANAUGH: We have to end it there. I'm so sorry. I want to thank my guests, Pam Dixon and Murray Jennex. We are just simply going to have to have both of you back because this is too big an issue for the time we allotted to it. Thanks so much both of you. Murray, thanks.
JENNEX: Thank you.
CAVANAUGH: And Pam, thanks.
DIXON: Thank you.
CAVANAUGH: And thank you all for listening to These Days on KPBS.
To view PDF documents, Download Acrobat Reader.