Smart phone technologies are continuing to surge in popularity across the country. As these ultra-portable devices further penetrate the business world, there are many important issues surfacing regarding their responsible ownership and use. As Apple’s iPhone continues to grow as one of the most utilized smart phones, experts have been concerned about the practice of “jailbreaking” the iPhone, and the potential hazard this could pose to information security. However, U.S. federal regulators have officially declared this week that jailbreaking is not illegal.

“Jailbreaking,” or hacking the device to be able to use any application including those who are not authorized or distributed by Apple, was accepted as an explicit exception to the Digital Millennium Copyright Act’s anti-circumvention provisions according to Wired.com’s Threat Level blog Monday. Whether or not this will have an immediate impact on id verification and fraud using mobile devices will be seen in the coming weeks following the release of legal instructions on how to perform the jailbreak.

Secuina’s research has shown Apple to now be first among its peers in terms of sheer number of vulnerabilities contained in its software—double the amount from just 2007 to 2009. This record number is expected to double again in 2010.

Considering that the use of Apple products, particularly the iPhone, is becoming increasingly mainstream for both on-the-go and workplace productivity, employers should now more than ever consider implementing standards of id verification and educating their employees about smart public Wi-Fi usage.

But for those of you who can’t make it to MWAA 2010, we’re happy to announce that the latest EVS whitepaper, Point of Enrollment: ISOs and Merchants Collaborating to Reduce Corporate Loss, is now available for free, direct download from our website.

In addition to the exclusive distribution of our latest whitepaper, Point of Enrollment: ISOs and Merchants Collaborating to Reduce Corporate Loss, EVS will be exhibiting with interactive demonstrations of our comprehensive id verification solutions. If you’ve been looking for an all-inclusive answer to your id verification, id authentication, or fraud prevention needs, stop by our booth and let us show you how easy and efficient implementing EVS solutions can be. 

Industry experts give their opinions regarding the long-term impact of revisions to FFIEC guidance in Credit Union Info Security’s Linda McGlasson’s latest article. Stay tuned to see more on how the id verification industry will be affected.

If you’re not going to be able to make it to MWAA 2010, you can still receive this valuable document by signing up to have our id verification whitepapers delivered right to your inbox.

Those who follow current events within the id verification and fraud prevention industry are all too familiar with the amount of international cyber crime that is conducted on a daily basis. In fact, a large percent of the complex data breaching or mining operations brought to light have their roots overseas. However, new research data reminds us not to forget about just how much cyber crime takes place right here at home.

According to newly released data from SecureWorks (via Softpedia),“the United States is still responsible for the largest number of attempted cyber attacks in the last six months, with a rate of 1.6 incidents for every PC in the country.” In other words, our country is responsible for a total of 441,003,516 attempted cyber attacks over a period of seven months—from January to July 2010.

In fact, says Cnet, the two contending manufacturers have comparable—however different—styles of security implemented on their smart phones. For example, Apple must approve every application for the iPhone before distribution via the iTunes store, using a basic set of limited security permissions for each one. However, this doesn’t mean every app is secure. On the contrary, some apps were found to be collecting data without user knowledge. Only after Swiss researchers discovered the data gathering were the apps pulled from the iTunes store.

However, Google does not review apps for the Android. Android allows the user to see what permissions each app will be allowed, and he or she must give approval before download—but not every user is going to be tech-savvy enough to spot a malicious application before approving it.

So which phone is the most secure choice for your employees? Read the full story on Cnet news to help you decide.

In contrast to the length and detail of our professional whitepapers, EVS articles address more broad security subjects in only a few pages, making them a valuable resource for your business’ fraud prevention efforts. Feel free to browse our article database for recent and archived articles that may be valuable when considering investing in fraud prevention and mitigation software.

Internet Fraud Alert is a centralized alert system which seeks out and notifies the appropriate corporate stakeholders when sensitive consumer data has been published online or otherwise compromised. The program brings together a host of different institutions, including government agencies, consumer advocates, financial institutions, retailers and more to keep a watchful eye on cyber crime.

Thanks to Ars Technica for bringing this to our attention.

Abrams recently visited a sports bar in Cyprus where an outdoor advertisement claimed free Wi-Fi with a provided laptop was available to patrons. Upon further investigation, Abrams found that this public computer had no firewall or antivirus, and automatic security updates had been disabled. The computer also allowed the user full administrative access, meaning that a potential identity thief could theoretically program whatever malicious software he or she wished onto the device before being accessed by the next unfortunate customer.

Consumers and businesses persons alike should be sure to avoid entering any administrative or login information into any personal, corporate or financial account when using a publically available device.

EVS is happy to be a part of MWAA 2010, and we will be exhibiting each of our award-winning IdentiFraud id verification and id authentication solutions, as well as our IdentiFlo compliance management suites.

MWAA 2010 will be held July 21-23 at the Renaissance Convention Center and Hotel in downtown Schaumburg, Illinois, located northwest of Chicago. Take a look at the MWAA homepage to register your attendance, and check back in the weeks to come to find out more about what EVS will be offering at this special event!

These original documents offer unique opportunities for our readers to expand their knowledge of the issues facing the fraud prevention and id verification industry, while becoming more aware of the services EVS is proud to offer.

It only takes a moment to sign up to receive these comprehensive documents via e-mail, or to download them directly by visiting the corresponding solution page.

The article references a new proposed bill, New Employee Verification Act (NEVA), which would require employers to verify employment identification and employment eligibility and set penalties and consequences for noncompliance. Employee protections would also be put in place to prevent NEVA from discriminatory hiring practices.

The Red Flags Rule is designed to help prevent id theft from occurring and protecting business owners from unnecessary losses by mandating id verification and id authentication of individuals with whom companies due business. The Red Flags Rule subjects all organizations who have a creditor relationship with the public to meet Red Flags Rule compliance.

A similar lawsuit brought about by the American Bar Association led to the Red Flags Rule extended in November 2009.

The recent surge in smart phone popularity has made the versatile mobile devices a prime target for hackers and identity thieves. KrebsOnSecurity made an excellent post this week that explains how even casual use of smart phone technology in unsafe wireless space could be exposing both corporate and personal financial information to cybercriminals.

Just by accessing the wrong public Wi-Fi network, your employees and customers could be sending sensitive data right into the waiting hands of fraudsters. If not properly configured, smart phones may automatically connect to any accessible wireless signal within range. This setting may seem convenient to save a few moments while on the go, but it is all too easy for thieves to broadcast fake Wi-Fi signals under common default wireless network names. Once connected to an unsafe network, any access to online banking, or other sensitive data entries may be recorded for later criminal activities.

Enacted on January 1, 2008, the rule insists a series of mandatory prevention and detection policies on all applicable businesses in order to standardize the level of awareness and action against the crime of id theft. Originally set for November 1, 2008, the FTC enforcement deadline marks the date by which all bodies covered by the Red Flags Rule must reach minimal federal compliance standards, under penalty of heavy fining and possible prosecution.

Take a look at how EVS can help your business reach Red Flags compliance.

This type of cyber fraud scheme is one of the fastest growing types of Internet fraud. As a business, you must be proactive and understand the threats that exist to your business. In understanding your threats, it is imperative for your business to have a comprehensive fraud prevention plan in place to protect against known threats and prepare for the unknown attacks.

The doppelganger in question mimics the popular video entertainment service Steam, and uses a convincingly detailed interface to con visitors into filling out surveys in order to receive their free software. Sunbelt provides a detailed look at the phony website and includes illustrations to help quickly drive home the reality of just how much effort hackers will go to steal consumer identities.

If you are a business using social networking sites, EVS suggests updating your privacy polices to include how you handle personal information gathered online. Once you have updated your privacy policy, make it available to consumers so they feel safe using your business. As a business, if you collect personal information from consumers, it is imperative you have a sound fraud prevention plan in place. The ability to quickly run an id verification and id authentication program against your consumers can help prevent your business from catastrophic loss from cyber criminals and identity thieves.

Fortunately, the tool is not automatic in and of itself. If not integrated into additional malicious software, it can be avoided by the end-user by being aware of any and all executable files (.exe) he or she downloads from e-mail messages or chat programs. Jacoby also states that the code for the original software is easily identifiable by a quality, up-to-date virus scanner. Read more on the TwitterNET phenomena at SecureList.

Following a successful presentation at this week’s EICAR conference in Paris, France, ESET Director of Malware Intelligence David Harley announced via the ESET blog that he has made available several research papers pertaining to the field of Mac security. Further information about the research can be found on Mac Virus, with links available to those interested in downloading the documents.

Take a look at Krebs’ original post for more details. In the event any suspicious activity is detected, contact Visa and your local law enforcement.

Some say that the best defense is a strong offense. In the world of fraud prevention and online security, what better offense is available than training your employees to look for the same vulnerabilities as hackers and identity thieves?

Brian Leban of Google made a post in the company’s Online Security Blog this week revealing that employees of the online giant are thoroughly trained to anticipate software vulnerabilities by learning the same techniques used by cybercriminals to exploit web applications. To this extent, Leban reveals the release of an educational “codelab” entitled “Web Application Exploits and Defenses,” an interactive tool designed to allow engineers to learn various hacking techniques through experience. The codelab is available for use online, with an accompanying instructor guide available through Google Code University.

If you are concerned about the possible exploitation of applications used by your business, we highly recommend considering evaluating this and other Google tools for possible employee education.

Author Mikko brings us a simple but very effective look at how corporate identity theft occurs, including the nature of money mules and phony website recruitment. His detailed entry goes on to demonstrate the separation of legitimate online business and its fraudulent counterparts using simple networking commands. It’s a valuable read for industry professionals, corporate readership and vigilant consumers alike.

By now, most everyone is familiar with the basic principals of fraudulent e-mails, or "phishing" e-mails, that attempt to fool recipients into surrendering personal information. There are literally thousands of possible forms these e-mails can take, from phony e-banking login screens to traditional fake lottery notifications. Now, as Trend Micro’s Malware Blog reported earlier today, phishing attempts are now surfacing under the guise of Twitter e-mail notifications.

Two primary types of fake Twitter e-mails have been reported, one which attempts to steal personal identifying information and one which infects the targeted computer with malicious software. Trend Micro provides more details, as well as screenshots so readers know what to look for.

As Twitter is now considered an essential part of both personal and corporate social networking, we would recommend taking a look at the information provided, and keeping a watchful eye on your inbox in preventing identity theft.

In an interesting post made to Krebs on Security last week, blog contributor Aaron Jacobson of Authentify revealed an interactive map charting the locations of all major banking fraud incidents reported on by Krebs, both at his current blog and former work for The Washington Post. Jacobson also made a point to respond to user comments, indicating that the map will continue to be updated in accordance with stories appearing on the blog.

The map is useful for both following the trends of major bank fraud incidents, as well as making initial observations about connections to location and rate of attack. While the map is far from comprehensive, it is worth critical review, and could act as a starting point for larger, more accurate real-time fraud prevention tracking projects.

In an industry which is consistently and rapidly evolving to counteract cyber security threats, regular peer-review and analysis is critically important. And while security reports can range from promotional whitepapers to brief annual reviews, the Symantec Global Internet Security Report is highly regarded as one of the most in-depth and far-reaching annual issue in the industry.

PC Magazine’s Security Watch blog announced the release of the report today and summarizes a few key facts presented within the document. We encourage our readers to consider the report and how it could possible affect the security of your businesses as we continue into 2010.

Sabina Datcu of Malwarecity.com brings to our attention a current piece of malware disguised as an extension for Google Chrome. Following a link in a phishing e-mail guides the user to a copy of the Google Chrome Extensions page, where initiating the download allows the disguised application to infect the target system.

We at EVS strongly suggest consider the author of the web extension before downloading it into your web browser. Being cautious of malicious software is a step in any fraud prevention solution.

Elinor Mills at RSA’s FraudAction Anti-Trojan services recently showed that “88% of the Fortune 500 companies have been accessed to some extent by computers infected by the Zeus Trojan,” one of the most prolific key logging programs in recent years. Zeus targets banking information, login credentials for social networks and e-mail accounts, and spreads primarily through the use of phishing and drive-by downloading

Thanks to Elinor Mills at Cnet’s InSecurity Complex blog for bringing the story to our attention.

Last week, Brian Krebs of Krebs on Security made an informative post on ways that both businesses and their banks can improve their efficient e-banking protections, and possibly mitigate or significantly decrease the risk of falling victim to cyber attacks. Krebs’ information comes from a senior member of the Office of the Comptroller of the Currency, a key federal banking regulatory body.

All Krebs’ suggestions are sound and informative, but what specifically caught our eye was his emphasis on the use of verification in addition to authentication in the recommended security measures for small and medium-sized businesses. According to Krebs, verification also plays a leading role in what federal regulators will be searching for when examining your business’ security measures.

EVS understands the important role that verification now plays in thorough security systems, and integrates id authentication and id verification measures into comprehensive single-lookup.

EVS will be participating in the showcase from our booth during ETA 2010, where we will be leading interactive demonstrations of EVS products and solutions and educating expo attendees on the benefits of choosing an integrated fraud prevention and compliance security package.

Join us at ETA 2010, and follow us on Twitter to get up-to-date information about EVS activities, demonstrations, and more!

According to Dave Rosenberg’s Software, Interrupted at Cnet News, Forrester’s report shows that federal compliance rather than data protection is the focus of most security programs, to the extent that most businesses are actually still at significant risk for data breach even with a compliant security system in place.

Clearly, these findings make the case for integrated security solutions that can provide both security and compliance, instead of simply one or the other.

As an electronic security leader, EVS will be taking part in this year’s events and activities. Come join us this April 13-15 in Las Vegas, NV, and be sure to follow us on Twitter and Facebook for updates and insight into what EVS will be offering during this special event.

Spam e-mails are a popular method of delivering malicious software—usually in the form of an attachment or a link pointing unsuspecting readers toward infected websites. However, a recent study released by Ipsos Public Affairs Messaging Anti-Abuse Working Group (MAAWG) is shedding disturbing light on the fight against spam as we know it: a staggering number of users are choosing to open—and sometimes respond to—junk e-mails, despite years of warning and countless pieces of defense technology.

As most in the fraud prevention industry are aware, it only takes one prolific piece of spyware to open the door to a computer for hackers and identity thieves. But according to Cnet News, this new data shows tens of millions of Internet users intentionally making themselves vulnerable to viruses, hacks and identity thieves. Customers and/or employees may be posing an unintentional, but costly risk, to your business.

Participants successfully hacked into some of the major digital interfaces used by consumers and in some cases, assumed total control over the device on which the software was installed without every coming into contact with the machine.

The Apple iPhone and Safari web browser running on the Snow Leapord OS, as well as both Mozilla Firefox and Microsoft Internet Explorer 8 running on Microsoft Windows 7, failed to stay secure when attacked by contest participants. Ironically, the majority of these security breeches were conducted by exploiting components of the software designed to increase security, and one specifically, the Safari hack, was possible only after malicious code was downloaded from an infected website.

Staying secure while online at home or while at work, especially when using social networking sites, requires a bit more diligence than a complex password. In order to avoid becoming a victim of identity fraud, or leading fraudsters to your website, double-check the security settings on all social sites, and make sure that your private identifying information stays that way. You may even consider a standard of social networking security for yourself and your employees to make sure seemingly innocuous conversation doesn’t lead fraudsters to your door.

The main goal of our participation in the SEAA seminar is to educate our industry about the advantages of using comprehensive, one-search id verification tools like those from EVS. To that end, the focus of our exhibition will be live, interactive demonstrations of our integrative fraud prevention solutions. Those attending SEAA can experience using EVS products first-hand, with representatives standing by to help answer any questions you might have, and schedule follow-up demonstrations. So you can see exactly how EVS solutions can integrate into your existing security platform.

When considering this information, remember these numbers only account for those incidents that were registered with the IC3. Innumerable instances of unreported fraud and loss most certainly would inflate these findings.

These statistics demonstrate just one more reason why protecting yourself and your business should be priority one.

Thanks to Krebs on Security for bringing this topic to our attention.

PayPal, one of the most recognized companies in the secure online payment market, has now begun encouraging users to install a free browser plug-in, made available by Iconix, which verifies incoming e-mails as being genuine when originating from a cache of reputable business sources. PayPal, Apple, Ebay, and Capital One are among the 1500 sources the tool verifies using DNS-based e-mail id authentication protocols. Among the protocols used is DKIM, or DomainKeys Identified Mail, a collaborative e-mail authentication system made available by Yahoo! and Cisco.

Thanks to PC Magazine’s Security Watch blog for bringing this to our attention.

Those who take a moment to stop by the EVS exhibit during SEAA will also be able to enroll in a free 90-day trial of IdentiFlo, our premiere regulatory compliance suite. Let us show you how IdentiFlo makes compliance with the Red Flags Rule, OFAC, FinCEN, the USA PATRIOT Act and other applicable federal regulations a simple, yet powerfully comprehensive process that will revolutionize the security and efficiency of your business. Any EVS representative can help you enroll, so make plans now to join us at SEAA.

Prepaid Expo USA 2010 will be held in Las Vegas, beginning on Monday, February 22 and concluding Wednesday, February 24. This year’s focus will center on past, present and immediate legal and regulatory issues facing the prepaid transaction industry. We look forward to seeing you there and demonstrating the capacity of EVS identity fraud solutions to make a true impact on the way you do business.

If you have any questions concerning EVS’ participation in exposition events, feel free to contact us.

WSAW-TV in Wausau, Wisconsin ran a story reporting a recent case of attempted grandparent scamming that demonstrates just how meticulous modern day con artists can be. A grandparent scammer contacted Katherine Westfall, 81, of Merrill during the first week of February. The caller informed Westfall that her granddaughter was being held in a Canadian prison and required that bail funds be wired immediately. The scammer even went as far as to allow Westfall to talk to a person impersonating her granddaughter.

Convinced, Westfall attempted to wire the money, a total of $885, at a Check ‘n Go payday loan center. Fortunately, the manager on duty was able to stop the transaction on suspicion that she was being misled. According to police, the impersonator identified herself to Westfall using personal information taken from publically accessible social networking sites.

WSAW-TV did not specify whether or not specific identity theft tools were used in the prevention of the scam targeting Westfall; however, this situation is a prime example of why identity fraud prevention systems are an essential part of any business that deals directly with the consumer, either online or in person. Not only did the Check ‘n Go manager prevent his or her store from participating in the con, but he or she also protected a consumer from this and future scamming attempts.

The situation is under investigation by American and Canadian authorities.

According to the report, which details the results of a survey of more than 300 online retailers of various sizes and annual revenues, the total estimated online revenue losses from fraud dropped 18% in 2009, down to $3.3 billion from $4 billion in 2008. Additionally, the average percent of revenue lost to payment fraud dropped to the lowest level since the survey’s inception 11 years ago.

We at EVS feel that this information presents an opportunity for all businesses that use online commerce in whole or in part to interact with their customers. Investing in a fraud prevention utility in 2010 can help businesses do their part to reduce the overall industrial losses due to fraudulent transactions.

In a January 29 article on PCMag’s Security Watch blog, McAfee reported at the World Economic Forum Annual Meeting that robotic distributed denial of service (DDoS) attacks are so commonplace that major industries experience them multiple times per month.

“64 percent of those surveyed have experienced [DDoS attacks] that disrupted operations; 29 percent get them multiple times per month.”

In terms of verification security protecting these major enterprises, which include banks and utility corporations, conditions are actually getting worse in spite of the evidence of identity theft. McAfee states that only one-fifth of those surveyed believed their networks to be secure, with one-third claiming their state of security worse than in years past due to funding issues.

With evidence as clear as McAfee has provided, shouldn’t all American businesses be strengthening their security measures?

EVS is committed to helping businesses conduct safe online transactions by providing the tools you need to get to know your customers. Preventing data fraud and verifying consumer information are just a few ways that we do our part to maintain the dignity and control of your private information circulating on the Internet. Our commitment to secure genuine online interactions is why we’re recognizing January 28 as International Data Privacy Day.

Celebrate the holiday by doing your part to secure yourself, your business and your customers against online privacy violations and identity theft. You should always have confidence that your daily online interactions are safe and that your customers are genuine. We encourage all of our readers to set aside time today to learn about the current state of online data privacy by taking advantage of educational resources such as those available on the Data Privacy Day homepage. You may wish to evaluate your own personal Internet security measures or those of your business or place of employment. Finally, consider any opportunities you may have to become involved in the fight against identity fraud and cyber crime.

Ars Technica brings the widespread lack of consumer protection into perspective with its recent article, in which iMPERVA performed an analysis of the password compilation left behind after the RockYou social networking hack. The results are disturbing—of the 32 million passwords studied, half are susceptible to basic dictionary attacks based on their simplicity. The most common passwords were found to be as easily guessable as “12345” and “password.”

While Ars Technica comments on the lack of security measures being taken by RockYou in particular, we feel this bears noting as a call for all businesses to pay close attention to their own security measures, including consumer id verification and id authentication procedures. The prevalence of such simple passwords suggests that other accounts such as e-mail and more personalized social networking sites, like Facebook, might be just as easily accessible, leading to a much higher risk of identity theft and fraud. It is up to businesses to make sure they themselves are secured against fraudulent transactions and cyber attacks stemming from consumer exploits.

This year at Prepaid Expo USA, EVS will make it possible to schedule personalized post-show demonstrations and conferences so that you can experience firsthand how our fraud prevention services work within your established security system. Visitors to EVS at booth #123 will be able to schedule follow-up calls and in-house demonstrations, sign up for informative e-mails through the IdentiNews monthly publication, and participate in a 90-day trial of IdentiFlo at no additional cost.

Stay updated with forthcoming entries containing information about EVS’ presentation at Prepaid Expo USA 2010.

IE 0-Day is an issue that has been talked about across most major cyber security blogs and communities since it was exploited to gain access to the Gmail accounts of human rights activists in December. According to Ars Technica, while IE 0-Day’s originating code is still present in IE 7-8 and Windows 7, the exploit of the code will only successfully breach IE 6 being run by users of Windows 2k and Window XP.

While IE 0-Day was used to target specific persons during the Google attacks, the exploit has been publically released and may be used for other cyber crimes, such as identity theft and business fraud. Be sure to read more about IE 0-Day and assess the potential risk to yourself and your business before upgrading.

The Federal Bureau of Investigation (FBI) published a press release this week warning consumers seeking to donate to the Haitian emergency relief to do so with caution. Fraudulent sites often employ search engine optimization (SEO) tactics to cause their listings to appear in the top tier of search results using major engines, making the unwary consumer likely to visit their sites instead of those that would contribute to the relief. In addition to the criminal redirection of well-intended funds, visiting these sites can cause malicious software to be downloaded onto consumer computers, which can result in identity theft.

The FBI also suggests refraining from opening e-mails claiming to contain images or video of the Haitian earthquake, as they are also very likely to be vehicles for malicious software.

To make a genuine donation to Haitian relief without the risk of encountering malicious Web sites or software, we recommend doing so directly through the American Red Cross.

The announcement was made by Evgeny Legerov of Russian research firm Intevydis, following a statement of frustration toward the general software vendor community. And, while the move brings up many points of business ethics for debate, the fact remains that following Intevydis’ release of the exploit pack, major Web servers, databases, and directory servers in use by businesses worldwide will suddenly be exposed to attack by cyber criminals.

While vendors will presumably rush to patch and correct the exploits revealed by Intevydis’ revelation, businesses can take security into their own hands by making sure their security protocols are thorough and up to date.

One of the major components of the Federal Trade Commission’s (FTC) Red Flags Rule is going beyond integration of a fraud prevention security measure and adequately training all applicable staff members for the system’s proper operation. Undertrained staff can often miss opportunities to detect and isolate identity theft red flags.

With this point in mind, EVS believes that being able to see a fraud prevention tool in action is one of the best ways to determine whether integration into your existing security layout is right for you and your employees. It’s the ideal introduction for assisting your business in reaching Red Flags Rule compliance.

EVS will be offering interactive workstations and hands-on demonstrations of our fraud prevention systems at booth #123 at this year’s Prepaid Expo USA. Primary products can be used online and in full operation, with EVS representatives available to answer any questions you may have and to help you schedule any follow-up, post-show demonstrations you would like to conduct at your home office.

More information regarding EVS’s Prepaid Expo USA presentations will be made available in forthcoming blog entries. Check back often for more updates.

In order to further encourage the use of integrated identity verification and authentication services as a safeguard against fraudulent transactions, Electronic Verification Systems (EVS) will be participating in February’s Prepaid Expo USA in Las Vegas, Nevada. Prepaid Expo USA stands as a prepaid industry hub for networking among industry peers, showcasing exhibitions and discussing significant industry issues. EVS will be presenting information and literature to expo attendees from booth #123.

According to Network World, Schmidt has an extensive history in regards to his involvement in the security industry, including former positions as chief security officer for giants Microsoft and Ebay. Hopefully, Schmidt’s new position will mean a greater opportunity for security enhancement and the reduction of cybercrime in 2010.

However, businesses and consumers alike should still take steps to solidify their personal security efforts. Businesses looking ahead to the Federal Trade Commission’s (FTC) Red Flags Rule, which will go into effect on June 1 of the coming year, should also examine their preexisting security programs and consider incorporating extensive fraud prevention measures.

Bank Info Security recently released its top eight security threats for the coming year and has placed authentication fraud prominently at number two on its list. Disturbingly, hackers are proving that they are learning to dodge even the most personalized of standard authentication measures.

Gartner’s Avivah Litan details “man-in-the-browser” attacks, which circumvent one-time password (OTP) authentication like those formerly used by AOL. OTP authentication requires a physical key to be owned by the consumer and used to generate single-use passwords that expire in a matter of seconds. Hackers have also concocted new means of fraudulent call forwarding that dupe phone, text message, and voice authentication measures. Both of these measures of defense are widely employed by banks and financial institutions to protect their most valuable consumer and business accounts.

But, even more disturbing is that hackers aren’t stopping there. According to the article, two-factor authentication systems are already coming under early fire, with more intense hacking attempts predicted in 2010. There’s no doubt that the most up-to-date, comprehensive fraud prevention services will be essential for the protection of businesses and financial institutions—especially in the new year.

This year has been an unfortunately busy one for the fraud prevention and identity security industry, with the rate of corporate data breaches, business fraud and identity thefts continuing to rise. In 2009, phishing attacks alone increased by as much as 600 percent according to Bank Info Security’s Linda McGlasson.

McGlasson recently published an article detailing the ten most prevalent types of fraud that the industry can expect to battle in 2010. The article stands as an urgent advisory that fraud prevention services are now a necessary part of any security program. Furthermore, as the Federal Trade Commission (FTC) initiates its Red Flags Rule next year, these measures will become even more important as a way to combat evolving hacking methods. “It started in earnest in 2009 and will only get worse in 2010 until banks put effective controls and fraud detection in place,” said Avivah Litan, an analyst at a prominent information technology research firm.

The responsibility of protecting personal, consumer and national information from fraudsters goes well beyond the banks. In fact, all business entities across the nation and around the world should take note. Scam artists can operate wide international operations quietly and undetected right in our neighborhoods, as many major data breaches have proven in the past 12 months.

The Washington Post’s Brian Krebs reports on the story in his Security Fix blog. Adobe Systems Inc. recently confirmed a report issued by the not-for-profit Shadowserver Foundation, a group that monitors the movements of malicious Internet activity. The security exploits are currently known to affect the most recent versions of both Adobe programs (9.x and 8.x), and there are no fixes or patches available at this time. Only five of the 41 commonly available anti-virus software packages detect this exploit accurately.

Both reports suggest disabling JavaScript within Acrobat and staying up-to-date with the issue via Adobe announcements and trustworthy tech blogs. Businesses that use these Adobe products should be especially aware of any suspicious or possibly fraudulent activity until the issue is resolved.

Unfortunately, and more often than not, the average consumer will choose the more convenient option that satisfies his or her busy lifestyle. This tendency is one of the most prevalent reasons for securing businesses with fraud prevention solutions, for hackers and identity thieves will seize every opportunity to take advantage of consumer vulnerabilities.

PC Magazine’s  Security Watch blog provides an excellent example. According to an article published December 7, AOL (formerly America Online) is now officially ending support for the previously praised RSA SecurID 2-factor authentication devices used to issue one-time only passwords (OTP) for secure services logins. The tokens themselves are physical devices that create temporary, unique pass codes to be entered at the same time as the subscriber’s username and password. The tokens thus provide a dual-layer id authentication service: authentication of knowledge of the username and password, as well as clear ownership of the registered device. The devices are virtually immune to theft by phishes and other password-theft techniques, providing an excellent security measure.

So why remove support? According to Security Watch, the devices are inconvenient, and “a pain to use…probably [constituting] a cost which had to be eliminated.” As an alternative, AOL will emphasize strong password creation. But, regardless of how strong a password is, a keylogger, virus or other well-disguised hack could pilfer it, leading to identity theft and possible consumer or business fraud. While it represents a step back in AOL security measures at the consumer level, the move serves as a reminder to online businesses that their customers may be vulnerable to identity theft, and fraud prevention tactics are a must.

A document released by Symantec  (best known as the publishers of the Norton Anti-Virus program) revealed yesterday that extensions, the popular customization tools offered to Firefox users to give their browsers new functionality, are now being shown to carry malware. Once infecting the user’s browser, malware can be used to exploit browser vulnerabilities and transmit sensitive data like passwords, login credentials, financial information and consumer Social Security numbers back to their sources, which are often skilled identity thieves or fraudsters. Malware can also simply act as a loophole through which malicious websites can perform the actual information theft and transmission.

Businesses that rely on Firefox as a trusted business tool should take heed of the warning by advising employees to be careful when entering any qualifying or administrative information while connected to the Internet. An id verification or id authentication tool implemented into a business’s in-house security measures could potentially help avoid risks brought on by attacks on the Firefox line of software.

Data breaches like the one reported in Wired magazine’s Threat Level blog are the reasons that the Federal Trade Commission’s (FTC) Red Flags Rule will be a groundbreaking—and necessary—call for standardization and compliance of consumer and business security measures. According to the story, a class action lawsuit is now being brought against the manufacturer of a bank-card-processing system that failed to meet industry security standards for payment systems. The lack of security resulted in consumers having their personal financial data stolen by a hacker operating in Romania.

Radiant Systems, the manufacturers of the Aloha POS System, designed its product to copy and store magnetic card stripe data after the card has been swiped to complete payment. This left a cache of consumer data on the machine that was easily accessible to hackers. The program, PCAnywhere, allowed Radiant technicians to address IT issues remotely. The out-of-date software was “secured” with simple, and very guessable, usernames and passwords that allowed the hack to take place with minimal effort. The data breach was allowed to continue for over three weeks, resulting in an undetermined—but substantial—number of thefts.

The FTC Red Flags Rule , when implemented, will mandate the use of frequently updated security protocols by financial institutions. Id verification and id authentication tools like those offered by EVS can secure and restrict access to payment information stored in compliance with Payment Card Industry (PCI) security standards. And, while the Aloha POS system was far from compliant, the Red Flags identity security standard could have made the difference in keeping consumer information safe.

The Identity Theft Research Center (ITRC) revealed late last month that the number of successful security and data breaches in 2009 tallied 435, marking a 50% decrease from 2008. Under different circumstances, those numbers would be a cause for celebration for the IT security industry, as the decrease is the first since 2005 when the tallies began. However, the ITRC reports only signify an even greater need for cyber security and fraud prevention technology than ever before.

The number of personal documents exposed by hackers leapt from 35 million to 220 million from 2008 to 2009. Forbes reports that nearly all of these records were exposed due to “super breaches” of Heartland Payment Systems and the National Archive and Records Administration (NARA). But, this is nowhere near comforting news. “Super breaches” are the result of more widespread, sophisticated and intelligent cybercrimes, crimes that demand security attention from both consumer and corporate America. These crimes overshadow smaller incidents of data loss, making it easier for quieter crimes to slip through the cracks.

November marks the one-year anniversary of one of the largest and most complex cyber crimes in history. A network of international criminals executed an attack on an American credit card processor that, in less than 12 hours, saw more than 2,100 ATM machines vandalized in 280 different cities across the globe. The thieves’ coordinated attack netted more than $9 million in stolen cash.

This month, after one year and an extensive international investigation, the FBI is formally charging the four young men behind the incident. According to an FBI, Russian Viktor Pleshchuk, 28, Estonian Sergei Tsurikov, 25, and Moldovian Oleg Covelin, 28, along with an anonymous fourth party dubbed “Hacker 3,” exploited the computer network of RBS Worldpay, the U.S. payment processing center of the Royal Bank of Scotland (RBS). Using a sophisticated hack, the group altered the security encryptions used by RBS to protect those employees who received payroll on RBS debit cards. Cloned debit cards were then distributed worldwide to provide access to the compromised accounts.

Four other individuals residing in Estonia have also had charges brought against them for access device fraud. The total indictment charges sixteen different counts, including conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit computer fraud, substantive computer fraud, and aggravated identity theft.

More information is available through the official FBI website.

Ars Technica reported the story earlier this month of two new bills passing through the Senate that would change the way both consu mers and businesses are impacted by corporate data breaches. These bills are the Data Breach Notification Act (S. 139) and the Personal Data Privacy and Security Act (S. 1490). If passed, these bills would speed up the processes of notifying data breach victims of their at-risk information, while also punishing those who have been breached for not disclosing the events appropriately.

The Data Breach Notification Act is unfortunately not without gray areas. The reporting article specifically highlights two questionable areas, including a lack of a defined timeframe for notifying affected consumers, and the ability for businesses to claim exemption from the requirement to notify if they themselves conclude there is no significant risk to the consumer. Consumer advocates are calling for adjustments of these terms, and while previous bills addressing the same subjects have not had much luck passing into law, they are holding out hope that S. 139 and S. 1490 may be the documents that lead the industry in a more informed direction.

Some businesses, though, have not jumped on board this movement quite so thoroughly. An article by PC World  highlights a civil contempt complaint being filed by the FTC against Thomas Villwock and James Danforth of G7 Productivity Systems. The defendants’ website, Qchex.com, issued electronic checks and delivered them without verifying the identities of the people writing them.

PC World writes that criminals both domestic and international used the check service to make illegal withdraws from victims’ accounts as part of wire transfer schemes. The FTC took legal action against Qchex in January, which resulted in a $535,358 fine and a court order to implement fraud prevention securities, which Qchex “disregarded” according to the FTC. The business continues to operate unsecured at FreeQuickWire.com.

Qchex appealed the court’s ruling in January, stating that it cannot be held responsible for the actions of Qchex users. The company said, “The Qchex system consisted of nothing more than software and a website, sitting dumb and inactive unless and until a user chose to use it…. It is this unlawful activity that is the cause of any consumer injury here.”

The defendants have been ordered to appear in court on February 16.

With all this data rushing through the airwaves, it’s not a surprise that someone has found a way to take advantage of smart phone technology. Visage Mobile highlighted new risks to smart phone security in a blog post this past Monday. A report released by cell phone security firm SMobile Systems revealed the disturbing ease with which hackers can intercept sensitive data sent via four of the most-popular models of smart phones: the Android G1, IPhone 3GS, HTC Tilt and Nokia N95.

The problem lies in the lack of security present in most smart phone technology and the lack of encryption in most Wi-Fi hotspots. With simple and widely available software, a knowledgeable hacker can easily intercept any data transmitted between an unsecured smart phone and an unencrypted wireless signal—including personal financial and identifying information or any information an employee may enter to access business websites or documents on-the-go. By accessing business data at the wrong place and time, employees using their smart phones could put themselves, their employers, and their clients at risk.

Until these security issues are addressed in smart phone technology, these hacking techniques present one more immediate threat to business and personal security—and just one more reason why businesses should protect their operations by implementing comprehensive fraud prevention services.

While perhaps not as frequently considered, address verification is an essential component to a comprehensive business security system; when overlooked, there can be serious consequences. Consider a story posted Monday at Experian QAS. Inaccurate address data used by the California Department of Motor Vehicles (DMV) has resulted in millions of dollars in payouts being misplaced. Courthouse News Service explains that residents of Tehama County are accusing the DMV of using ZIP codes alone to retrieve address data, which has resulted in consumer revenue being mailed to neighboring Shasta County instead of the rightful recipients.

ZIP codes alone do not distinguish between county lines, which is why the DMV’s method of mailing payouts was not adequate. Ideally, when utilizing consumer addresses, either for physical mailers or for an additional means of id verification, businesses should use complete address information from a reliable data provider.

Bank Info Security released an article yesterday detailing the results of examinations conducted by the Office of Thrift Supervision (OTS). OTS Safety and Soundness (S&S) examinations began incorporating ID Theft Red Flags compliance testing into their examination process on November 1, 2008; exams have been administered every 12 to 18 months for applicable institutions. The results have allowed greater insight into what guidance will be needed from the FTC in the coming year.

The majority of results are positive, showing a great number of OTS-regulated institutions already having achieved full Red Flags compliance. But, a few particular occurrences of non-compliance have continued to arise, such as small businesses failing to formalize their Red Flags security measures in the required written format and others bypassing the mandatory risk assessment altogether. Other non-compliance issues include lack of employee security training and misidentification of covered accounts.

Those who have been failed in compliance standards are expected to have corrected the error by their next review. According to Bank Info Security, all OTS-regulated banks will have been examined for Red Flags compliance by the end of the second quarter in 2010.

Computer technician Adeniyi Adeyemi of Brooklyn, NY is now facing a 149-count indictment, including Grand Larceny in the First Degree, Money Laundering in the First Degree, and 138 counts of Identity Theft in the First Degree. The 27-year-old hacker worked in the Information Technology department for Bank of New York, from which he conducted the elaborate network of identity fraud.

Between November 2001 and April 2009, Adeyemi opened over 30 bank and brokerage accounts using stolen personal information, and used them to deposit fraudulently acquired funds, including those stolen from charities, ministries and nonprofit organizations.

Adeyemi also exploited his co-workers financial information directly. The defendant seized control of employee’s electronic bank accounts and used wire transfer services to move funds to various storage accounts, including those overseas. Overall, the announcement states Adeyemi stole over $128,000 directly from Bank of New York employee’s personal accounts.

Complete information about Adeyemi’s criminal investigation and indictment can be found at the New York Count District Attorney’s Office.

According to an official press release from the FTC, the new deadline for national compliance with the Red Flags Rule is June 1, 2010. The rule will still apply to all businesses defined as “financial institutions” or “creditors” in the FTC’s documentation; all of the affected businesses will be subject to enforcement and possible fines after the enactment date.

The FTC’s Red Flags compliance guide will remain available to help businesses that may have questions about the Rule’s application and how they can successfully reach compliance. One change to the Rule is cited in the press release, which states that as of October 30, 2009, the Red Flags Rule will no longer apply to attorneys. However, any additional changes to that exception or any actions taken by other federal divisions within their jurisdictions remain unaffected by the pushback of the compliance date.

We highly recommend addressing any questions or concerns you may have about implementing a successful Red Flags compliance plan as soon as possible. EVS offers a wide range of id verification and id authentication services that can play important roles in the identification of Red Flags and the prevention of fraud.

The largest cyber crime investigation in United States history concluded this month with the arrest of over 100 participants both at home and abroad. The two-year investigation, called “Operation Phish Pry,” was a collaborative effort between American law enforcement, including the Federal Bureau of Investigation (FBI), and Egyptian law enforcement. The collaboration was the first of its kind. The phishing operation targeted consumers of American banks and stands as a testament to the complexity and reach of organized cyber fraud.

The indictment includes 51 individual accounts of conspiracy to commit wire and bank fraud, as well as additional charges of computer and bank fraud and identity theft. An addition 47 participants were apprehended in Egypt. The primary means of identity fraud committed by these scammers was the use of online usernames and passwords obtained through deceptive means to conduct fraudulent transactions with banks such as Wells Fargo and Bank of America.

Establishing a Red Flags Rule compliant security program, including id authentication and id verification services from a reliable data provider like Electronic Verification Systems (EVS), will be an important step in bank and business fraud protection when the rule goes into effect on November 1, 2009.

In 2004, the data broker ChoicePoint was the target of a security breach that affected 160,000 consumers and resulted in 800 cases of identity theft. In addition to fines and consumer compensation payments, the Federal Trade Commission (FTC) required ChoicePoint to implement a stronger security program to prevent the breach from happening again.

Now, according to Bank Info Security, ChoicePoint’s failure to comply with FTC security regulations has earned them another fine of $275,000. In explaining the fine, the FTC described a second data breach that occurred in 2008 and that could have been detected and addressed much sooner had the broker not disabled an electronic security monitor. The personal identifying information of 13,750 people was compromised as a result of nearly a month of hacking that went unnoticed by ChoicePoint.

In addition to the large fine, the FTC is requiring ChoicePoint to regularly report its methods of database security in detail over the next two years—a measure which mandates independent reviews of the company’s security procedures every other year until 2026.

According to Ars Technica, a rumor surrounding the falsified death of controversial celebrity rapper Kanye West has become an active malicious software (malware) scam. Hackers have exploited Google Search Engine Optimization (SEO) strategies in order for their trap sites to appear at the top of the search results page for the rumor, which is currently in circulation as a forwarded e-mail (similar to those that users are accustomed to receiving from friends and co-workers). Once the links have been visited, malware can invade the user’s computer and attempt to ransom a fix for a sum of real cash.

It’s not the first time hackers have exploited popular culture in attempts to trick Internet users and it won’t be the last. You can learn more about Electronic Verification Systems and the identity fraud and identity theft prevention solutions available.

A “red flag” is the Federal Trade Commission’s term for suspicious activities or signs that should alert a business to possible security breaches or identity fraud. It is the basis for the Red Flags Rule, the nationwide standard of  fraud prevention service that will be enforced on November 1, 2009. And, although not specifically outlined as such, a recent data breach provides an excellent example of the preventative power of recognizing red flags.

In an article from CU Info Security, PayChoice a New Jersey payroll processor, was victim of a data breach in September, in which attackers obtained e-mail addresses, login IDs, and passwords for a payroll Web site. The red flag occurred later when customers of PayChoice reported employees on their payrolls who that didn’t actually work for them. PayChoice took immediate action.

Recognizing the possible fraud, PayChoice shut down its Online Employer Web site and alerted its customers to potential fraud. They are currently working with law enforcement specialists to find the hackers responsible.

Identity fraud breaches happen every day. The targets vary in size from individuals to entire companies. Now, according to the Chicago Tribune, nearly every doctor in America is at risk for identity theft. More specifically, 800,000 practicing physicians are now being notified of a possible breach of their personal information.

According to the Tribune, an employee of the Blue Cross Blue Shield Association (BCBSA) violated security protocol by transferring sensitive provider data to a personal computer, which was then stolen out of a vehicle in August. The laptop reportedly contained information such as Social Security numbers, identification numbers and addresses for practicing physicians across the country.

The BCBSA represents 39 Blue Cross Blue Shield insurance companies nationwide.

There is currently no evidence to prove that the data has been used maliciously, and a statement from the American Medical Association (AMA) claims that the theft was not believed to have been committed with the intent to steal physician identities since other vehicles in the vicinity were also vandalized. With this in mind, the AMA urges physicians not to worry, and just in case, the BCBSA is providing preventative credit monitoring services to those affected.

BBC News reported last week that in addition to the 10,000 Hotmail passwords made available by phishing scammers on developer website PasteBin, another 20,000 credentials were made available from an amalgam of popular sources. Google has also made it known that they are aware of yet another list of passwords that has been leaked, emphasizing that the breach was not an attack on the firms themselves but a scheme designed to fraudulently obtain personal identity information directly from the users.

Google has reportedly implemented mandatory password resets for customers confirmed to be affected, and will continue to do so as they learn more.

It’s more important than ever to take additional precautions to verify the identity of any source requesting your personal information. Phishing scammers are becoming more sophisticated every day, and the fraud may be less than obvious. Take care of your information by creating complex passwords for every online account and by educating yourself on the dangers of phishing and pharming information scams.

An extensive and insightful article by White Hat security founder Jeremiah Grossman considers the importance of consumer passwords. Grossman comments that ideally, a website should maintain a balance of necessary security with acceptable consumer experience. He explains the different aspects of password policy, and relates its significance in protecting against cybercrime and its effect on the consumer based on several different studies of consumer passwords from various popular websites.

Grossman’s article goes on to suggest several methods being used by websites to encourage more hacker-proof password choices by consumers. Finally, he suggests an absolute minimal amount of requirements for creating and maintaining passwords so that an effective password policy can be upheld without sacrificing the user experience. The policy suggested may not be universal, but considering Grossman’s extensive experience in the cyber security industry, the article is definitely worth reading.

Examples range from businesses such as IDSure, which advertises an identity verification service as a complete Red Flags compliance policy, to download sites offering Red Flags compliance programs in simple web browser toolbars. Seasoned compliance officers may understand that identity verification is simply one part of a larger compliance strategy, but for business owners who may still be confused with implementing the proper procedures to avoid the costs of noncompliance, products labeled as “complete” compliance solutions can be potentially misleading.

While it’s true that id verification and id authentication services are a valuable part of any Red Flags Rule compliance program, the FTC has released extensive how-to documentation detailing the importance of detecting red flags unique to your business and keeping your compliance program updated accordingly. It is highly unlikely that any product provides a complete package for compliance that is suitable for every business, and businesses that try to opt for convenience over detail might find themselves paying fees after November 1.

If you and your business need to become Red Flags Rule compliant, please visit the FTC’s how-to compliance guide. Take an active role in building a unique compliance program. Your decisions affect both the health of your business and the security of your customers. You can use tools such as comprehensive identity verification and authentication services to create a thorough fraud prevention program, but don’t rely on a company, or a toolbar, to provide you with total compliance.

The government extended the deadline after the rule’s ambiguous language failed to clearly specify the businesses needing to meet the requirements. Now, the FTC has launched a new official Red Flags Rule website that acts as a how-to guide for business owners who may be wondering whether the rule applies to them. It includes clear definitions of the businesses that will need to adjust for compliance as well as advice on how to implement the appropriate compliance standards. It also offers other valuable tips and suggestions for spotting fraud attempts and how to properly manage them in real business situations.

Even if you have already identified your business’s Red Flag responsibility and implemented a compliance program, the new FTC site is a valuable tool for improving your current fraud prevention process.

An article from the Charlotte Observer provides an excellent example. The Carolina Mammography Registry, a 14-year-long compilation and analysis project conducted by the University of North Carolina at Chapel Hill (UNC) and sponsored by a multi-million dollar grant from the National Institute of Health (NIH) has recently discovered a hack penetrating one of its two primary data housing servers. The hack is thought to have exposed more than 163,000 Social Security numbers. What’s worse, the hack is suspected to have happened more than two years ago!

After two months of investigation by UNC officials, it’s still unclear what happened. No evidence has been found detailing the hacker, where the data went, or even if it was downloaded. But, they did uncover viruses dating back to 2007, suggesting to investigators that the information contained on the server has been compromised for at least two years.

Matthew Mauro, UNC Department of Radiology Chairman, explains, “The compromised server had all required security measures.” However, no information was given in the article about how regularly these required security measures were updated, or if they were updated at all from the time at which they initially met requirements. Hopefully, the Red Flags Rule will see systems like this updated to current levels of security compliance to help prevent the fraud that results from this type of identity theft.

According to BankInfo Security, a new report contests that hackers generally attack where businesses least expect it—and from where they are less likely to be detected. The report is entitled “The Top Cyber Security Risks” and contains research conducted by the SANS Institute, the Internet Storm Center, TippingPoint and Qualys. It reveals that the two most popular weaknesses exploited by security hackers are online applications and client-side applications. These areas are also among the least protected areas of online business and often work hand-in-hand.

Web application exploitations account for more than 60 percent of all of the cyber attacks observed while researching the report. These attacks turn trusted, secure websites into websites delivering content that hosts client-side exploits. These exploits can be injected into everything from multimedia content to simple PDFs and commonly downloaded documents. The clients receive them en masse under the assumption that the website is secure, thus completing the exploitation cycle.

Most businesses, however, overlook these areas when performing scans and strengthening security measures. The report shows that major businesses take twice as long to patch client-side vulnerabilities as they do operation system vulnerabilities. Security professionals urge the industry to recognize the report’s claims and make a swift change to protect against web and client-side application exploits without taking attention away from traditional security concerns.

Late last year, Ohio resident Scott Graham purchased the commercially available keylogging software SpyAgent and succeeded in convincing a woman who he was interested in to install the program.

SpyAgent, by SpyTech Software, is designed for comprehensive monitoring of activities on personal computers. The software is intended for use by parents, spouses, employers and other cautious parties. However, as Graham’s situation demonstrates, such programs can easily be misused.

Graham’s intention had been to coerce the women to install SpyAgent in order to monitor her activity on her personal computer, but when the woman used a more public work computer to explore the program, she unknowingly infected the network at Akron Children’s Hospital. The program sent more than 1,000 screenshots back to Graham, detailing medical examinations and procedures, confidential information relating to 62 patients, and financial records for four hospital employees.

Graham is expected to formally plead guilty to charges of illegally intercepting electronic communications on September 30, but such an exploitative situation demonstrates how easy it can be to expose personal identity information, even from “protected” facilities such as a children’s hospital.

An excellent article posted by Larry M. White over at Enegociate articulates the importance of Red Flag compliance. From beginning to end, the article addresses the complex and often confusing details of the Red Flags Rules with language that speaks clearly to business owners, CEOs and employees alike.

Topics covered in detail include:

• What is a “Red Flag”?
• Who has to comply with Red Flags Rules, and why?
• What is required to become Red Flags Rule compliant?
• What is the required ID verification and ID authentication process?
• What should businesses looking to become compliant be wary of?

White emphasizes the need to have a compliance plan that meets the specific needs of your business. He says, “ Your [Red Flag compliance] policy, and training for that matter, must be relative and appropriate to the compliance requirements specific to your type of industry. … [T]here a few compliance providers available that offer … compliance services at an affordable price, and this may be your best bet.”

According to an article published on Friday at BankInfo Security, a Chase computer tape containing consumer information has been confirmed missing from a third-party storage facility. Tom Kelly, a spokesperson for Chase, has not disclosed exactly what kind of information was on the tape. The notification letter informs consumers that it did not include any banking or financial information; however, the tape may have contained names, addresses, and Social Security numbers.

"We have no evidence to indicate any of the information has been viewed or used inappropriately," Kelly said. Those affected will be offered a free one-year enrollment in Chase’s identity protection program.

These procedures, of course, are to make sure that applicants are who they say they are. But as the article from The Consumerist demonstrates, an id verification and id authentication solution is only as foolproof as its data provider.

According to author Phil Vilarreal, potential ING Direct customer Rick attempted to open an online checking account when he found himself confused during the id authentication questionnaire. Rick’s testimony claims that he was asked questions pertaining to a person with which he was “not familiar” and, because his answers were incorrect, an ING Direct representative informed him he would “never” be able to open an online checking account with ING.

While the reasons for the inaccurate questions are not confirmed in Vilarreal’s article, comments from fellow Consumerists suggest that the data provider may have confused him with someone else based on its sources of data. Rick’s story is an excellent example of why any online business needs to be aware of the accuracy of its data provider as well as the security measures it has in place to protect itself from fraud.

The EVS blog has been frequently reporting incidents of identity negligence on the part of businesses, in an effort to make clear the importance of id verification and id authentication to your business. It’s truly astonishing how often sensitive identity information is improperly discarded, lost or stolen worldwide. And depending on in whose hands that misplaced information ends up, it could mean a legitimate business, without the proper security measures in place, could be a victim of fraud.

Today we cover an identity theft situation right in our own backyard. WKYT in Lexington, KY reported at the first of the month that a file had been reported stolen from Bluegrass Community and Technical College.  The file contained the personal identity information of over 100 students.

Students were informed by mail last week, that their names, school identities and social security numbers might be at risk. One unnamed source told WKYT that the letter sent by the college did not elaborate about the file, only that it had been stolen, and that those at risk were encouraged to place fraud alerts on their credit reports.

WKYT estimates that those at risk include 1 in every 11 students.

Representatives of the hospital believe that the computer may have been disposed of due to its damaged condition and that there is a low chance for criminal use of the information. However, the Navy is still contacting patients whose information may have been compromised, as they still can’t account for the computer.

An investigation is being conducted as to whether or not the laptop was stolen, as only staff should have been able to access the secure area where it was housed. However, according to Fox 10 TV, there is currently no evidence that any of the SSNs have been used.

If you’re a business owner or have access to your business’s important financial information, situations like this one could possibly put your business at risk for identity fraud. You can protect yourself and your business by integrating comprehensive id verification and id authentication solutions into your existing information security plans.

According to Experian, the Broadband Information Services Consortium (BISC), which is comprised of New America Foundation, BroadMap and One Economy, will help states track the supply and demand of broadband among their residents. This will in turn allow states to assess their current broadband needs.

The federal government has begun offering funding for the expansion of broadband infrastructures on a regional level. With $4 billion available, states will undoubtedly want to take the opportunity to grow their broadband networks. The BISC will play an integral part in letting states know how to spend this funding most effectively.

Address Verification and Address Standardization like those systems used by the BISC are key products offered by Electronic Verification Systems (EVS) as part of all three IdentiFraud security and compliance solutions. Read more about IdentiFraud and how it can integrate seamlessly with your security systems for Red Flags Rule compliance.

In a press release that hit the web August 5, the TSA announced it has finalized the standards for the CrewPASS program, paving the way for nationwide expansion. The CrewPASS program is an id verification system that will provide a new level of security for both the flight crew and passengers, and will reduce flight delay time by expediting crewmembers through specialized security checkpoints.

Under the CrewPASS program, flight crewmembers will pass through a special area where their credentials will be verified against records in the Cockpit Access Security System (CASS). Id verification will be enhanced during this process using an approved biometric. Crewmembers will also be subject to random screenings, observation and other approved security measures.

This pending nationwide upgrade is another example of how id verification is becoming a staple in different aspects of consumer life. When the Red Flags Rule goes into effect November 1, consumers can look forward to additional security both at home and while traveling.

Are you Red Flag compliant? Read more and get ready by integrating id verification solutions at Electronic Verification Systems.

Daniel Goncalves, a 25-year-old computer technician, was arrested Thursday on charges of stealing and selling the domain P2P.com. According to the news report, Goncalves was able to steal the domain from partners Albert Angel, his wife Lesli Angel and domain name investor Marc Ostrofsky by hacking into the Angels’ AOL email account. Goncalves then used the information contained in the email to retrieve login details for P2P.com via Godaddy.com, the host of the domain name.

Goncalves was also able to create false PayPal records to cover his trail. The records made it appear as if he had legally purchased P2P.com from the Angels for $1,500—much less than the $160,000 the partners paid when they acquired the domain from Port to Print, Inc. in 2005.

While Goncalves has been brought to justice, there are thousands more cases of hacking and information theft leading to identity fraud every year. The FTC’s Red Flags Rule will help to stop many of those cases before they happen by enforcing requirements for all creditors and financial institutions to implement identity fraud detection and response programs. Read more about Red Flag compliance at Electronic Verification Systems .

At the Federal Trade Commission website, it has been announced an expanded business education campaign will be launched during the three-month delay period to help clarify obligations and compliance issues. The FTC will be stepping up to further educate those businesses that may not consider themselves subject to compliance requirements. These redoubled efforts include plenty of time for creditors and financial institutions to develop and implement compliant programs.

The FTC will provide resources to help businesses determine if they are included in the rule. If obligated to adhere to these requirements, businesses can use this information to guide their compliance efforts. Among the available resources is an online compliance template to help businesses create their own compliance packages.

The FTC is taking special care to make sure all of these resources are thorough, detailed, and user-friendly so the Red Flags Rule will launch successfully at the newly decided date.

Carnegie Mellon University released Predicting Social Security Numbers from Public Data earlier this month with disturbing evidence in favor of identity thieves. Findings indicate Social Security numbers can be accurately predicted using basic personal information that is widely accessible via the Internet. These fraudulently acquired SSNs can be verified using legitimate online services for purposes of later exploitation.

This new evidence further reinforces the need for businesses to invest in a comprehensive Red Flag Rule-compliant identity solution. With the tools for fraudulent SSN access readily available online, it’s more important than ever for businesses to put measures in place to detect and respond to fraudulently acquired personal information.

Read more about the implications of the study at Realtime IT Compliance blog, or more about Red Flag compliance at Electronic Verification Systems.

The AATL is a white list of trusted “root” digital certificates housed on Adobe’s servers. The list is directly linked to the embedded certificate found in all Adobe products. Inclusion on the AATL is available only to Certificate Authorities (CAs) and certificate-issuing businesses and governments that satisfy a rigorous list of technical requirements.

Open a document containing digital signatures in Adobe Acrobat or Reader (9 or later) and by default, all the signatures on the document are traced for relationships to AATL-approved certificates. Then, the program goes a step further, checking for digital certificate validity and document integrity. Products that use the AATL will automatically reach out to update the list every 90 days—but not before verifying that the list came from Adobe

AATL members already include security companies GlobalSign and VeriSign, and the governments of the United States and the Netherlands.

DOWNLOAD: ISO&Agent: Finding Profit in the Identity Crisis

A worm can run independently and spread itself through network connections, according to virusall.com.

A 1988 worm copied infected every Sun-3 and VAX system with so many copies of itself that it destroyed those systems.

Types of worms

E-mail

Spread via infected e-mail messages. Any form of attachment or link in an email may contain a link to an infected website. Activation can start when the user clicks on the attachment or when clicking the link in the e-mail.

Known methods of proliferation:

• Microsoft Outlook
• Direct connection to SMTP servers
• Windows MAPI functions

Instant Messaging

Spread via instant messaging applications by sending links to infected websites to everyone on the local contact list.

Internet Worms

These virulent worms scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines to gain full access to them.

Worms also scan the Internet for machines still open for exploitation. Data packets or requests will be sent, installing the worm or a worm downloader.

IRC Chats

Chat channels are targeted by sending infected files or links to infected websites.

File-sharing Networks

Copies itself into a shared folder, most likely located on the local machine. Worm is ready for download via the P2P network and spreading of the infected file will continue.

For more information, go to www.virusall.com.

Don't use TCP/IP for File and Printer sharing!

"Access Points are usually installed on your LAN, behind any router or firewall you may be using. If someone successfully connects to your Access Point, they’ll be on your LAN, just like any of your other clients. But since they’ll be using TCP/IP to make the connection, you can easily deny access to MS File and Printer sharing by using a protocol other than TCP/IP for those services. That way, they may get access to your Internet connection, but they won’t get access to your files!"

Follow secure file-sharing practices

"Share only what you need to share (think Folders, not entire hard drives), and password-protect anything that is shared with a strong password."

Use WEP Encryption

"A weak lock is better than no lock at all, so enable WEP encryption and use a non-obvious encryption key."

Secure your wireless router

Your router should require a password to access its administrative features. Change your password from the default and use a complex one (numbers and letters).

Use VPN

If you don't want to take chances with your data, run a virtual private network tunnel over your wireless connection, too.

For more information, visit www.practicallynetworked.com.

What do you do now?

There's no shortage of advice:

The Federal Trade Commission advises all identity theft victims to take these steps immediately:

1. Place a fraud alert on your credit reports, and review them.

   Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Call these credit bureaus.

   • Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
   • Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
   • TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
2. Close any accounts you know, or believe, have been tampered with or opened fraudulently.

   Call and speak to someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send letters by certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures.

   Also, the FTC says, "When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or consecutive numbers."

3. File a police report in the city where the theft occurred.

   Then, get a copy of the police report, or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. If police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another jurisdiction, like your state police.

4. File a complaint with the Federal Trade Commission.

   The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.

   You can file a complaint online at www.consumer.gov/idtheft. If you don't have Internet access, call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TDD: 202-326-2502; or write: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

They're viruses that were discovered infecting computers in the first week of May, according to Symantec's Antivirus Research Center.

On a personal computer, viruses can replicate themselves into the machine's registry repeatedly as the machine is rebooted to obstruct the machine's performance.

Not even mobile devices are safe now.

A Feb. 2006 article on IDG News Service alerted consumers to a virus that jumps from your computer to your PDA. The virus waits for a connection through Microsoft ActiveSync, "copies itself to the device, and if the device is running the Windows CE or Mobile OS, all files are erased in the My Documents directory," the story says.

There's a wealth of information on the net regarding viruses, and Symantec maintains a virus encyclopedia at its online antivirus research center, securityresponse.symantec.com.

• Colorado, which had the fifth highest number of identity theft victims in 2005, is considering making identity theft a felony. Previously, thieves were charged with fraud, forgery and other related offenses, according to the Fort Collins Coloradoan, www.coloradoan.com.
• People between the ages of 18 and 34 are more likely to share their personal information, according to Javelin Research's 2006 Identity Fraud Survey.
• The Utah State Attorney General introduced a new identity theft reporting system in an effort to cut down on the amount of time victims spend proving their identity has been stolen, KUTV.com reported. The system will be used to identify trends in these thefts across multiple jurisdictions.
• The Federal Trade Commission announced its support for the 30-nation Organization for Economic Cooperation and Development (OECD) in advocating new, more aggressive action against SPAM. Additionally, the OECD recommended that nations take action against spammers foreign and domestic, provide investigative assistance to police in other countries and cooperate with industry and consumer groups to educate users about spam.
• North Carolina's Department of Justice has received complaints from some job seekers who are wary of suspicious activity on career-building websites, the Greensboro News-Record reported, www.news-record.com. They fear thieves may be using check-cashing and work-at-home schemes to get customers' financial information.
• More and more companies and state and local governments are investing in redaction software that will remove sensitive personal information from records to prevent identity theft. Aptitude Solutions provides its aiRedact software to Broward and Hillsborough counties in Florida, as well as to counties in other states, according to Computerworld.com.

You are limited to three replacement cards in a year and 10 during your lifetime.

You must:

• Complete an "Application For A Social Security Card"
• Show documents proving:
  • U.S. citizenship, immigration status and work eligibility
  • Identity
• Take, or mail, your completed application and documents to your local Social Security office.

The Social Security Administration, www.ssa.gov, advises consumers to treat their Social Security number as “confidential information and avoid giving it out unnecessarily. You should keep your Social Security card in a safe place with your other important papers. Do not carry it with you unless you need to show it to an employer or service provider.

Be sure to ask:

• Why your number is needed
• How your number will be used
• What happens if you refuse
• What law requires you to give your number

For more information, check out www.ssa.gov.

Spyware, malware and adware are programs downloaded onto your computer from the Internet.

Spyware – secretly installed onto a machine without permission. Spyware collects personal or proprietary information about a user or corporation that is then sent to an unauthorized third party.

Spyware is now used to gather:

• passwords
• e-mail addresses
• contact information
• credit card and account numbers
• confidential documents and records

Malware – hardware or software intentionally included or inserted in a computer system to harm the machine

Adware – is installed at the same time as a shareware or similar program to continue to generate advertising even when the user is not running the originally installed program.

If only one law did it all.

It's up to you, dear consumer, to ensure spam doesn’t clog your inbox, or worse, steal vital personal information you use to conduct business and go about your daily life.

Spam.getnetwise.org, a site maintained by the Internet Education Foundation, offers tactics you can do to prevent spam from getting to your inbox:

• Use a unique e-mail address: Pick an address, using both letters and numbers, that will be hard for spammers to guess and easy for you to remember. Also, if you chat online, use a unique screen name not associated with your e-mail address.
• Use multiple e-mail addresses: Consider creating separate addresses or accounts that can be used for online purchases, chat rooms and other public postings. You can also use a free forwarding address. More Information.
• "Mask" your e-mail address: If you post your e-mail address online consider masking your address. There are several ways to correctly mask your address and thwart spammers. More Information.
• Check the privacy policy when you submit your address to a site: Always be familiar with a Web site's privacy policy before submitting any information. Learn more about how to read a privacy policy.

For business owners, there are a few warning signs to look out for, according to a recent piece by business writer Ana Rincon at onlinebusiness.about.com.

Ten signs your business might be experiencing suspicious fraudulent activity are:

1. Larger than normal orders
2. Orders containing several units of the same item
3. Orders shipped overnight
4. Orders shipped to an address other than the billing address
5. Change of destination
6. Orders that fail address verification
7. Anonymous (or free) e-mail address
8. Multiple orders on the same card, in a short amount of time
9. Multiple card numbers from one IP address
10. Multiple card numbers shipped to the same address

Rincon advises that if your business is small enough to where you can keep track of orders by hand, put policies and procedures in place to tag suspicious orders. If your business is larger, make sure your payment processing company has sufficient payment and address verification measures in place.