Category Archives: Identity Theft

Less Pretext?

It seems HP (and others) may soon have less pretext, since Congress just passed a law to criminalize pretexting:
“Stealing someone’s private phone records is a criminal act that can now be prosecuted,” said Sen. Chuck Schumer, D-N.Y., lead sponsor of the proposal in the Senate. “Phone information and call logs should be protected with the same safeguards as financial data or medical records.”

The issue became big news late last summer following revelations that investigators working for executives at Hewlett-Packard Co. used deception to obtain phone numbers of board members and reporters in an effort to track down news leaks.

Senate Approves Anti-Pretexting Bill, By JOHN DUNBAR, The Associated Press, Saturday, December 9, 2006; 5:17 AM

Three or four months is pretty quick for Congress. Let’s hope not so quick but that they took time to study the problem and to write a law that will actually do some good. As seen with other laws passed after corporate malfeasance, hastily written laws can produce as many problems as they help solve.

-jsq

Elastigirl’s Seven Powers

Kim Cameron has posted seven very sensible Laws of Identity. Numbers 2 and 3 add up to more or less Need to Know:

2. Limited Disclosure for Limited Use

    The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

3. The Law of Fewest Parties

    Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

Kim Cameron’s Laws of Identity

But user identities have aspects that go beyond traditional spook security.


Pro Status Quo Ante

About the new UK RFID passports:
Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a “machine readable zone.”

Cracked it! Steve Boggan, The Guardian, Friday November 17, 2006

The UK Home Office says not to worry.

APWG eCrime @NCSF

Thursday and Friday I spent at the APWG 2006 eCrime Researchers Summit at the National Center for Forensic Science, Orlando, Florida. It was a fascinating mix of law enforcement from a local sheriff to the National Institute of Justice, of researchers from academic grant-funded to big-company in-house, and of commercial from tiny startups to the biggest banks.

FBI Fishes Phishers

FBI finally does something about phishing:
A large group of suspected internet fraudsters has been arrested following an investigation by the FBI.

Seventeen individuals have been arrested, four in the US and the rest in Poland, after being chased by over 20 different FBI offices.

The group is accused of carrying out a phishing attack against a major financial institution in the three months from August 2004, it is claimed.

Police arrest suspected phishing gang, Richard Thurston, ZDNet UK, 03 Nov 2006

Good on the FBI!

Passport Shields Considered Illegal

Spire Security Viewpoint notes that Colorado and several other states are passing laws against any theft detection shielding device, which is a device intended to elude property theft detection devices by shielding the loot as the miscreant walks out of the store. This, according to the Colorado bill,
includes, but is not limited to, any laminated or coated sack or container that is capable of avoiding detection by a theft detection device.
Er, what about those aluminum pouches commonly used to shield toll road cards when not in use? Or aluminum passport covers used to keep miscreants from reading RFID passports? Seems to me both of those would be capable of being used to shield small merchandise during theft.

The bill does include wording about “intent to use during theft” but it seems to me we have a collision between the idea of an enabling device for theft of physical items, and a prevention device for theft of information.

How long will it be before someone walks out of a store with a toll card protector and a passport cover in their pocket, and is arrested for intent to steal because they had multiple “theft detection shielding devices” on their person?

-jsq

Criminals, Old Folks

Brian Krebs reports on a study by AARP about data breaches over the past 16 months.

The study attributes about a third of breaches to deliberate software break-ins, slightly less (29%) to theft of laptops, and most of the rest (23%) to improper display of sensitive information. Employee theft came in at 7%, and lost backup tapes at 2%. Of course, some of the actual individual lost tape incidents have lost millions of identities.


Does HP Have Any Pretext?

The HP self-spying story seems to have legs. Some of the stories are spinning it as a personal story about HP’s chair:

Now Dunn faces a furor over her handling of the board. Critics say she could take a fall, possibly losing her role as board chair, for spurring an investigation that spied on her fellow board members and reporters to find out who was leaking information to the press. The outside investigators called telephone companies pretending to be board members and reporters to get telephone records — actions that could be illegal.

California Attorney General Bill Lockyer is investigating and said Thursday that laws have been broken, although it’s unclear by whom. The Securities and Exchange Commission is looking into the matter as well.

HP board chair’s leadership in question, By Michelle Quinn and Therese Poletti, Mercury News, Posted on Fri, Sep. 08, 2006

Easy enough to do, given all the colorful characters: the board member who was the target of the spying refused to resign; one of the most famous and influential venture capitalists resigned instead and took the story public after HP refused to; everybody from ethicists to the California Attorney General is weighing in.

Let’s look at a few perhaps less obvious angles.
