Congratulations on Emmy Win!

December 10, 2008

The Consumer Warning Network congratulates our Angie Moreschi on winning two Emmy awards. Angie won for two stories she produced for Smart Health, a health magazine program she hosts on PBS’s WEDU in Tampa, Florida.

Nothing’s Certain, Even Death

December 8, 2008

Sooner or later, it happens to everyone. Some computer system somewhere scrambles your personal information, melding your identity, credit or some other detail of modern life with those of a stranger.

No one can explain it. But even the smallest snafus can take hours, days or weeks to sort out.

Now, imagine what would happen if the United States government declared you dead.

More than 20,000 live Americans don’t have to conjure up a vision of bureaucratic purgatory. They’ve lived through it, some for years, thanks to the Social Security Administration, according to a report by the agency’s inspector general.

Social Security – the agency that warns us all to protect our identity from thieves by keeping our SSN confidential – every year publicly reports more than 9,000 live Americans as dead in an electronic file called the Death Master File (DMF), largely due to typing mistakes.

Once Social Security creates the DMF file, a second government agency sells it to credit bureaus, financial institutions, data aggregators, genealogy groups and anyone else that pays $1,725 for the complete file, including internet sites that provide free access.

It contains the social security number; first, middle and last names; dates of birth and death; and, the state and zip code of the last known address of the “deceased.”

Corporate America uses it to verify identity and prevent fraud. Genealogists use it to build family trees. Auditors worry thieves will steal the identity of live Americans once mistakenly labeled as dead.

“The accuracy of death data is a highly sensitive matter for SSA,” said Inspector General Patrick P. O’Carroll, Jr. in a June 2008 report. “Erroneous death entries can lead to benefit termination, cause severe financial hardship and distress to affected individuals, and result in the publication of living individuals’ PII (personally identifiable information) in the DMF (Death Master File).”

A Social Security number is the key to receiving government benefits, completing many financial transactions and getting and holding a job.

Though Social Security was aware of “errors” in its files it didn’t tell living Americans their personal information had been made public until questioned by the inspector general.

From January 2004 through April 2007, Social Security deleted more than 44,000 individuals from the master death file, the auditors said.  While auditors didn’t check who was dead or alive, they reported 20,623 of those originally marked deceased were receiving benefits from Social Security in May 2007, indicating that “SSA determined the individuals were alive.”

Social Security deletes the living from the list of the dead once it becomes aware of an error. About 90 percent are cured in less than a year. The deletions, auditors said, set the record straight in the current list, but have little effect on previous listings sold to credit agencies, financial institutions, data aggregators and internet sites.

Auditors selected at random 250 instances where the entries of living individuals were deleted. In May 2007 – from four to 43 months after the names of live Americans were deleted by Social Security – auditors found more than one in four still listed as deceased on three genealogical websites.

Why wasn’t the information cleaned up?

Neither Social Security nor the National Technical Information Service, which sells the list, bothers to check whether buyers apply the required updates.

Auditors described it this way:

Social Security staff believed “this oversight activity” was National Technical Information Service’s job, since it collects fees for each sale. The National Technical Information Service “provided no oversight” because the DMF list is “exclusively” a Social Security product.

What of the living Americans declared dead by Social Security?

“SSA recognizes the undue hardship individuals may experience when their personal information is erroneously compromised and is fully committed to finding ways to reduce any risk of [personally identifiable information] exposure,” the agency told auditors.

Still, Social Security wasn’t committed enough to tell the living that it had published their names, social security numbers and dates of birth and “dates of death” until auditors raised questions, despite guidelines requiring notification to anyone whose personal information has been compromised so they can “take steps to help protect themselves from the consequences of the breach.”

Social Security was quick to respond.

First, it told auditors that its report covered information released through April 2007 and the federal guidelines weren’t put in place until May 2007. Then, it pointed out that the death file contains a disclaimer that in “rare instances” a live individual’s information was erroneously included in the death index.

In April 2008, it set up a task force to improve the death reporting process and evaluate whether they comply with federal notification rules. Finally, the agency said that in a May 6, 2008 it “currently” notifies individuals when they correct the death index.

“This is a unique and complex issue. While we recognize the small percentage of error in the DMF, we are concerned with the characterization of those errors as [personally identifiable information] breaches,” the agency said. “Nonetheless, we will take a cautious approach and initiate breach notification evaluation procedures.”

The agency added: “To the best of our knowledge, no case of fraud or abuse has occurred as a result of errors in the DMF. This may be largely due to the fact that living persons erroneously placed in the DMF are reported as being deceased. Therefore, it is difficult for identity thieves to distinguish these records from other deceased individuals in the DMF.”

Identity thieves would have a difficult time abusing the information because banks and credit bureaus would block activity, assuming the individual was dead, Social Security administrators said.  They also pointed out less than 0.4 percent of the data contains errors.

Yet, agency executives argued the Inspector General should keep his report secret, lest it encourage “misuse.”

“As we assess this issue, we strongly caution the (Office of Inspector General) against releasing this report publicly. We believe limited distribution would be more responsible,” Social Security said. “We recognize that this information may already be known to some, but this report highlights the issue and could encourage misuse.”

CNN: Countrywide’s Broken Promise

December 8, 2008

Countrywide made a promise to help homeowners struggling after Hurricanes Katrina and Rita, but is now reneging on that promise and cashing in on their hardship. The company is slapping homeowners with interest and penalties and sending homeowners into foreclosure if they don’t pay. CNN Money profiled one family who’s been victimized and a former Countrywide employee who’s come forward.

The Real Unemployment Number 16.4% — We Are Closer To A Depression

December 5, 2008

The Government just released the unemployment numbers for May 2009.

The published unemployment rate is a gloomy 9.4%.

If you feel like more than 9.4% of people are out of work, you are right. As CWN pointed out months ago (see related story below), the actual number of people out of work is much higher. If you count workers who have been out of the workforce for more than a year or who have given up hope of finding a job, the real unemployment number is a staggering 16.4%.

During the Great Depression the unemployment rate climbed to 25%. Yes, we are more than half way there!

How Dangerous Are BB, Pellet and Paintball Guns?

December 5, 2008

“You’ll shoot your eye out, kid.” So warned Santa, when Ralphie confessed that what he really wanted for Christmas was an “Official Red Ryder Carbine-Action 200 Shot Range Model Air Rifle” in the movie “A Christmas Story.” Later, when his wish is fulfilled, he almost does exactly that.

BB guns, pellet rifles and paintball guns are still on many Christmas wish lists. The danger they pose to children is obvious, but does that rule them out as gifts for children? Careful parents should do their research. The U.S. Consumer Product Safety Commission reported that between 1990 and 2000 there were 39 air gun related deaths, of which 32 were children younger than 15 years.

BB’s and paintballs projected by air or CO2 gas (as opposed to bullets propelled by gunpowder) can reach some incredible speeds. The classic Daisy Red Ryder (still available) shoots BB’s with a velocity of 350 feet per second (fps). At that speed, a BB can traverse the full distance of a football field in less than a second. Daisy BB pistols, using CO2, can reach speeds of 485 fps.

Paintball guns are harder to gauge. Sellers of such guns do not often reveal the actual speed of the paintball projectiles, but one study showed they reached average velocities of about 270 fps, almost as fast as a BB gun.

Pellet guns are in an even more dangerous category. With velocities of over 1000 fps, they can be as deadly as a bullet.

The Consumer Product Safety Commission warns that high velocity air guns with muzzle velocities of 350 fps or greater pose a risk of death and should not be used by children younger than 16. Daisy labels its air guns accordingly and states that velocities under 350 fps are appropriate for children between 10 and 16, with more powerful guns (e.g., the Red Ryder) limited to ages 16 or over.

With their velocities under 350 fps, paintball guns may be appropriate for children between 10 and 16, but only with the strictest of supervision, including face, eye and body protection and warnings about shooting at anyone’s face or open skin.

In 2004, the Journal of the American Academy of Pediatrics published a study on the injury risk of air guns. 12% of air gun injuries were to the eye, 24% to other parts of the head or neck, and the rest to extremities. The seriousness of such injuries is often underappreciated by caregivers, especially since the light weight of the projectiles may allow them to be swept by blood flow much more quickly than bullets. Wearing eye protection is a must, but some people have been injured, for example, when they temporarily removed their paintball goggles which were fogging up.

Many states have laws covering air guns. In New York City, air rifles are prohibited altogether. In Florida it is against the law for minors under 16 to use a BB gun unless supervised by an adult and only with the express consent of the parent.

Another danger posed by such guns is their realistic looks, which could easily be confused for a real rifle or gun by a law enforcement officer.

In summary, BB guns are not toys. Under 10? Forget it. For older children, only age-appropriate guns (no pellet guns, please) should be provided and only under strict adult supervision. Such guns can in the right context serve as good educational tools for learning about gun safety. “You’ll shoot your eye out, kid,” remains, however, good advice indeed.

“Account Services” – Watch Out for the Scam

December 3, 2008

Consumer Warning Network has been getting reports of a telephone scam that seeks to obtain your credit card or bank account information. Watch out for this one!

A company calling itself “Account Services” calls you and tells you: “Don’t be alarmed, there is nothing wrong with your account, but this might be your last chance to lower your interest rate on your credit card.” If you pursue the conversation, you are informed that this “company” negotiates with your credit card company to lower your interest rates, and can get you rates as low as 6.9%.

If you express interest, the caller asks you how much debt you are carrying, the number of cards you have, the interest rates you are paying, and the name of the bank you are making payments to. They ask you to look on your card and find the telephone number of the bank so that they can call it. Then comes the kicker: “Please turn the card over and read the account number.”

If you’ve come this far, and give the caller this information, you may find yourself the victim of identity theft. Do not EVER give out this information to such an unknown caller. Besides, whoever heard of a company called “Account Services”?

One person who got such a call asked to speak to the supervisor when the caller got evasive about the company. He was put in touch with another person who immediately asked for his address so that he could be sent his four jars of pickled pigs feet, two regular and two barbeque!

Privacy, Security Issues Surround High Tech Cards

December 3, 2008

 

Prompted by privacy and security issues, two states outlawed electronic eavesdropping and capture of personal data transmitted over radio waves by a wide array of identification, access, credit cards and other devices.

California last month imposed a $1,500 penalty and up to a year in prison for anyone convicted of unauthorized reading of signals from Radio Frequency Identification (RFID) cards. Washington earlier this year passed a law against theft of RFID data.

Used in an ever growing variety of applications worldwide, RFID-enabled microchips store small amounts of information for transmission to electronic readers. Information stored on the cards can be read through a wallet, a handbag or item of clothing by any nearby reader.

The chips are found in everything from implanted medical devices to passport cards to driver licenses to keyless entry cards and car keys. Some, such as passport cards, can be read from up to 160 feet away. Others, such as credit cards, have a range of less than three inches.

While RFID cards employ various mechanisms to make it more difficult to steal data, these chips have come under increased scrutiny based on incidents such as these over the last three years:

  • Dutch security experts published a paper this month showing how to circumvent the security mechanism of RFID cards which are widely used to provide access to buildings and public transportation systems.
  • A hacker used free software and cheap hardware to manipulate personal data on a passport, tricking airport security. The hacker provided a video showing a machine in Amsterdam’s airport, reading Elvis Presley’s personal information off a chip.
  • MIT students this August reverse engineered the RFID-enabled transit pass, called the CharlieCard, in Boston, riding the rails for free. The Massachusetts Bay Transportation Authority (MBTA) obtained a restraining order to keep the students from presenting their findings. The order later was overturned.
  • High tech criminals in April 2007 used a laptop and a transmitter to open the locks, start the ignition and steal an armor-plated, custom-designed BMW X5 belonging to David Beckham.  It was the second car stolen from Beckham by high-tech thieves.
  • Researchers at the University of Massachusetts in late 2006 used a receiver and laptop to extract a credit card holder’s name from a brand-new RFID-enabled card hidden in a plain white envelope. The chip broadcast the cardholder’s name in plain text, without encryption.
  • Johns Hopkins researchers in 2005 used cheap computer hardware and six microchips purchased for about $200 each to crack the secret encryption code found in more than 150 million automobile keys and 6 million tags that purchase gasoline. Once the key is cracked, an attacker can bypass security and fool the readers in cars or at gas stations.  The Johns Hopkins researchers made their findings available to the chip manufacturer.

Researchers at UMass found in tests on 20 cards from Visa, Mastercard and American Express that the cardholder’s name and other data was being transmitted without encryption and in plain text.  They could skim the information from the cards with a book-sized device. As of 2008, some of the cards were still broadcasting names in the open.

Tens of millions of these cards have been issued with the equipment needed to read them at locations across the country.

The credit card industry acknowledges that the information contained on the “smart cards” can be intercepted by unauthorized readers, but maintains that there is no economic benefit for thieves capturing the information.

“They’ve demonstrated some techniques in lab conditions,” said Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit industry association promoting the adoption and use of the technology. “None of these relies on any single source of protection. There are multiple sources of prevention.”

Still, in 2007, Mastercard and Visa eliminated cardholder names from the information stored on the chips, Vanderhoof said. American Express cards never included the cardholder name, he said.

Today, the magnetic strip found on the back of a traditional, non-RFID credit card contains more information and poses more of a threat than the microchip on a smart credit card, he said.

“It is not going to create an economic benefit to skim,” he said.

How Do Radio Tagged Cards Work?

December 1, 2008

Radio Frequency Identification (RFID) systems have three components: a small silicon microchip attached to an antenna, a reader and a computer database.

The RFID tags themselves can be as small as half a millimeter square, the size of a tiny seed. Some are thin enough to be embedded in paper. Most tags today are passive – meaning they don’t have an independent power source.

Instead, they are powered up when scanned by a reader. Once powered up, the tag transmits information by radio wave to the reader. The reader, in turn, transmits the information it receives from the tag to a computer database, where the information is stored and analyzed.

Readers can access the low-powered RFID tags from only a few inches away. Ultra high frequency chips can be read from up to 50 meters away. The effective reading distance depends on many factors, but the tags can be read without being taken out of a handbag or a wallet by any nearby reader.

As late as June, some RFID-enabled credit cards transmitted unencrypted customer names to nearby readers. 

RFID tags already are quite common. In 2005, 1.3 billion RFID tags were sold. Just a year later, sales increased to 3.1 billion. The industry estimates sales of RFID tags at more than 1 trillion a year by 2015. The price is expected to drop from about 30 cents to 3 cents over the next several years.

Today, they are found in:

  • Proximity cards, which have replaced many metal door keys and allow entrance to offices and buildings.
  • Automated toll payment devices, such as EZ Pass and SunPass.
  • Tens of millions of pets worldwide. The tags have been surgically embedded to make it easy for owners to identify a lost pet.
  • Warehouse inventory systems
  • Car keys, credit cards, driver licenses, U.S. Passports, identification cards, library books and some pharmaceuticals.

The most expensive RFID tags are capable of encrypting information. The least expensive tags lack the computer power necessary to perform even the most basic encryption, storing only an identifier.

The identifiers, however, when coupled with a database can link together an immense amount of information. In the case of a product, it can show where it was manufactured, shipping information, when and where it was sold.

In 2003, Alexandra Hospital in Singapore began a trial tracking system in its accident and emergency department in the wake of the Severe Acute Respiratory Syndrome (SARS).

Upon entering the hospital, all patients, visitors and staff are issued an RFID-embedded card. The card is read by sensors installed in the ceiling, which record exactly when a person enters and leaves the department.

Hospital officials said the system would allow them to use a database to determine who could have been in contact with whom in the event of an outbreak.

Civil liberties advocates say that the ability to track people, products, vehicles and even currency would create an Orwellian world where law enforcement and retailers could read the contents of a handbag or wallet without a person’s knowledge, simply by installing RFID readers nearby.

Weak Security Measures Allow Passport Card Cloning

December 1, 2008

Weak security on government-issued electronic identification cards allows anyone with off-the-shelf equipment to copy them from afar and masquerade as the cardholder, according to researchers at the University of Washington.

These “enhanced” identity cards – some state driver licenses and U.S. passport cards – contain an embedded microchip with an antenna that transmits a secret identification number to electronic readers at U.S. borders. The idea is to speed up crossings.

But researchers found in an October 2008 study that the transmissions aren’t secure.

Using off-the-shelf readers, they captured the identification number on a U.S. Passport Card and a Washington State driver’s license from as far away as 50 meters, or about 160 feet, in less than 5 seconds.  It can be transferred to another card that costs about 10 cents, they said.

The chips – EPC tags – were created to replace bar codes used to track consumer goods. They now are found in enhanced driver licenses, border crossing documents used by the Department of Homeland Security and a variety of other applications.

These U.S. Passport cards and enhanced driver licenses can be used like a passport when traveling between the United States, Canada and Mexico. When the tag is scanned by the reader, the confidential 10-digit identification number is compared to a government watch list. The number acts like a pointer to an internet web site and also pulls up a picture of the cardholder.

“Even though the EPC values of these cards do not reveal the owner’s name directly, there are many straightforward indirect methods for exploiting these EPC values to compromise an individual’s privacy and safety,” the study found.

Enhanced driver licenses containing these chips already are available in Arizona, New York, Vermont, and Washington State.  The Michigan legislature approved these cards earlier this year.

The October 2008 study found:

  • The anti-cloning feature proposed by the Department of Homeland Security hasn’t been deployed in the passport cards.
  • Electronic readers scanned the Washington State driver’s licenses through a sleeve that is supposed to protect them from view.
  • Anyone with an RFID reader can permanently “kill” the microchip on the enhanced driver’s license without the cardholder knowing it.
  • The read range of these cards is long enough for an attacker to monitor movements and target victims based on their patterns of border crossings.

Disabling the enhanced driver licenses could wreak havoc, researchers said.

“This leads to at least three classes of scenarios in which an attacker might wish to leverage the EDL’s vulnerability to cause havoc: attacks against targeted individuals, malicious pranks against random individuals, and attacks against the entire border crossing system,” the study said.

Privacy issues likely will increase as enhanced driver licenses are used for other purposes, such as verifying age for liquor sales, the researchers said. These uses, they said, will have to be carefully controlled to protect privacy.
