This week I’m giving a presentation on fraud in the payments industry and how identity verification fits into the equation.  In developing my presentation, I’ve been researching and updating some identity related statistics and I thought I’d share a few of my findings:

• The Privacy Rights Clearinghouse reports that the number of total records that have been breached since 2005 is now 346,512,902.  Remember this is the number of records, not the number of people, which means some unlucky soul might have had his/her information compromised several times while someone else not at all.  However, to give you some context, the US Census Population Clock reports that the U.S. has 308,834,197 people in it.  So really one could argue that it’s only a matter of time before everyone in the U.S. becomes a victim of some sort of data compromise.
• The #1 consumer compliant in 2009 was identity theft.  The FTC received 278,078 complaints, representing 21% of all complaints.  The 2nd ranked item was Third Party and Creditor Debt collection at 9% of all complaints with the total number of these complaints being less than 1/2 the identity theft complaints.  Sure, the FTC reports that id theft complaints are down 5% from 2008, but given 2009’s economic climate, the gap between these two complaints astounds me.

The Payments 2010 Conference is a little over a month away and I’m sure after it I will have many more interesting payments and fraud facts to share with you.  Just by glancing at the conference website, there is a high research focus on mobile and P2P payments.  If you happen to be going to the conference, stop by and see us at Booth #232.

PlainsCapital bank in Lubbock, Texas is suing its customer, Hillary Machinery Inc., who was hit by a $800,000 cybertheft incident involving unauthorized wire transfers to accounts in Romania and Italy last November.

While the bank later recovered $600k, the customer demanded the bank repay the other $200k claiming the theft happened because the bank’s security measures were inadequate.  This then prompted the bank to file a lawsuit against the customer asking only for the court to certify that its security procedures were “commercially reasonable.”

As a spokesperson for Hillary explains in this ComputerWorld article:

While the transfers were initiated using valid log-in credentials, there were several details that should have alerted bank authorities that all was not right…The biggest red flag should have been that the money was being transferred to foreign destinations which had never happened before on Hillary’s account.

The fact that dozens of transfers were made ina two-or three- day period, many of them involving sums that were outside the normal range of transfers initiated by Hillary, should have been another clue about fraudulent activity.  Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500.  Each of the transfers was also made to a different account, which was highly unusual….typical money transfers involve the same limited set of accounts.

According to Owen, the thefts were enabled by the weak authentication measures employed by the bank.  In addition to usernames and passwords, the only other authentication the bank required was for users to register the systems they used for online banking transactions.  However, that measure was clearly not strong enough, because in this case, the cyber-thieves were able to log into Hillary’s account using systems that were based in Romania and Italy, he said.

A memo supplied by the bank to Hillary shows that the bank received two requests to register computers on teh company’s behalf just before the attacks.  Though the requests appeared to come from a HIllary e-mail address the computers from which they were sent had IP addresses based in Italy and Romania, Owen said.

They never challenged whoever logged in with a different computer.  There was never any red flag…Though PlainsCapital has claimed that registering the computer represents a second form of authentication, the thefts show that it wasn’t a strong enough measure, he contended.

I’m going to have to agree with him.  It  sounds as if there were plenty of Red Flags associated with this incident and the bank failed to detect them.  Bankinfosecurity recently interviewed Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corporation (FDIC) about the top 3 deficiencies with Red Flag Compliance since the regulations went into effect for banks over a year ago.  What is the most common?  Banks are not including certain types of commercial accounts in their identity theft prevention program.

Far and away the most common deficiency is that there is a portion of the regulation that says under certain circumstances, certain types of commercial accounts, as opposed to consumer accounts, should be included in the identity theft prevention program and in some cases banks that should have included those commercial accounts did not do so, and that is far and away the most common deficiency that examiners are talking about.

Perhaps this incident can be chalked up to PlainsCapital expanding its type of covered accounts under Red Flag since the security of the account in question is a commercial account.  Or perhaps the bank needs to look at implementing a comprehensive fraud detection system (such as Oracle’s OAAM) to monitor and manage all of its transactions.  Regardless, it’s clear that the bank’s current authentication protocols failed here and PlainsCapital needs to take a hard look at its process and systems.

I’m sure no one will argue with me that the one thing that has heightened Internet privacy concerns the most is the explosion of Social Networking sites, particularly Facebook.  Last summer I blogged about privacy and pointed out a blog post by Burton Group’s Ian Glazer on his Facebook Privacy Mirror experiment related to 3rd party applications.  In response to Facebook’s privacy system changes this past December, Ian revisted the Facebook privacy issue and blogged:

The more things change, the more they stay the same…Facebook’s inconsistent treatment of privacy still remains.

In his post, Ian points out other articles and blog posts from people in the identity and privacy-related Internet world who assess the changes with some harsh criticisms.  One item in particular is Facebook’s “recommended” and default privacy settings being too open.

As the privacy debate rages on, I’m willing to bet most of the privacy features and settings available today go unnoticed by the majority of Facebook users (which I equally blame User apathy and Facebook’s limited education/awareness efforts.)

Admittedly, I shamefully still operate under the “Facebook for mostly personal connections and LinkedIN (and Twitter) for professional use” because of the limited way to separate status updates and photos for 300+ friends! Of course working in the identity industry means I’m (just slightly) more savvy than the average Facebook user and have figured out a few things like blocking specific people from certain things and not accepting Facebook’s recommended privacy settings automatically, I still had no idea on how to truly use “Lists.” That is, until today when I visited The SuperGroup’s website.

Chris Wallace, a former colleague and Facebook friend, has a great web tutorial titled “Facebook for Professionals” which shows you how to better manage your privacy settings and create Personal and Professional personas that I highly recommend watching, especially if you don’t want to fuss with learning it on your own. Be sure to also check out the Unofficial Facebook Resource and the 10 Privacy Settings Every Facebook User Should Know where you can download “The Holy Grail of Facebook Privacy.”

Here we are a full month into 2010 and I’m just now finding the time to blog.  I resolve that for the rest of the year I will not let so much time between posts.  Of course, I can’t speak for John.

Things are in full swing at IDology for the new decade.  Already, we have announced a partnership with ARX, a digital signature company, been involved in the launch of Wikiloan, a financial social network that offers a peer-to-peer lending platform, and made some changes to our website including launching a new partners page.  Be on the lookout for more partner announcements this month, as well as some product news.

And if you happen to be in Vegas the week of February 21st, stop by and see us at Booth #534 during the PrePaid Expo at the Rio.

Some of the regular blog visitors might have noticed our new Facebook block on the right-hand side of the blog.  While we aren’t new to social networking, our “official IDology Facebook fan page” is new and we hope you, loyal reader (or first time visitor), will identify yourself  by joining our page!

We have a goal to have a 1000 fans by 2010 (can you believe it’s less than 4 weeks away?!)  We’re more than a quarter of the way there…please won’t you help us out?

Sorry both John and I have been missing in action for a few weeks.  But on the bright side, the lack of blog posts of late means this one is jammed packed full of relevant identity news!

I’ll start by highlighting a blog post on identity verification from our partner Oracle.  Brian Mozinski does a great job of spelling out some use cases for identity proofing as well as explaining in layman terms how it works.

This past summer IDology made an official announcement about our launch into the lead verification market.  Earlier this month we exhibited at AdTech New York to help educate companies that are buying and/or selling leads understand the importance of identity and how our solution helps drive more conversions.  During the show, I was interviewed by WebmasterRadio.fm on the importance of identity verification in this market.  Take a listen to the podcast to learn more or even just to hear how this true Southerner did in the big city!

The latest drama indicating the importance of adult age verification in social networks - especially chat rooms - comes from the U.K. where a suspicious wife posed as a schoolgirl to trap her pedophile husband.  The U.S. media hype over these types of issues has definitely died down this year since the Internet Safety Technical Task Force disjoined and Facebook and Twitter seem to be surpassing MySpace’s popularity.  Now the focus is more on celebrities and Twitter and figuring out if the “real Brad Pitt” really is the “real Brad Pitt.”  Hats off to a new beta service from Crederity that is addressing this issue by giving you a way to verify your Twitter account.  Crederity is using dynamic knowledge-based authentication (KBA) as part of the verification process and they link with several social networks including Facebook and LinkedIN.  And best of all — it’s free (right now)! What’s exciting to me about this service is not only is it a step in the right direction for identity in social networks — it’s also a step in the right direction for portable, trusted identities.  It’s not quite Information Cards yet but it’s getting there.  You can help make more strides in both areas by getting a Crederity seal and linking to your Twitter, Facebook and/or LinkedIN account.

Of course, I can’t talk about social networking without addressing privacy.  A blog-debate on privacy between Burton Group’s Bob Blakley and Gartner’s Andrea DiMaio ensued last month.  Coincidentally, I just watched some of the privacy issues being discussed in the blog on a TV show I was catching up on my TIVO this past weekend.  One of the daughters in a MEDIUM episode video-taped her neighbor, unbeknown to him, doing things that she found funny such as getting frustrated while changing a tire, spraying a nest of bees and getting swarmed, etc. and then uploaded these videos to a YouTube-type of site.  The neighbor decided to sue under a violation of privacy.  The lawyer for the main character felt it wouldn’t be much of a case since these videos were taped in a public place but that they should settle to avoid going to court and accumulating a bunch of fees.  In the end, the neighbor decided to drop the suit because through these videos he reunited with a long lost love that never would have happened otherwise.  So in this context, because the invasion of privacy led to a happy, better outcome in his life, he overlooked it.

This show - and the many comments to Blakley’s post - brings up an interesting point about the role individual tolerance levels play in the privacy debate.  We are more likely to have loose guidelines when the information being shared improves our situation or the public perception of ourselves than if the information is harmful or embarrassing.  For example, my tolerance is a lot higher when I’m tagged in what I think is a cute picture of me on Facebook versus being tagged in one taken of me on the beach in my bathing suit.  Factoring in the blurring line between our professional and personal life, privacy tolerance levels completely change.  After all, it’s one thing to be embarrassed over a bathing suit picture with my friends, and another matter entirely if it involves male co-workers.

Tell me, what are your thoughts?

2 points to anyone who identifies what type of bird this is!

OK, I know, I gave it away. Let’s keep playing.  10 extra points if you know the exact species.

10 extra points if you identify the species!

The first one to get 12 points wins a prize.  What that prize is yet, I’m not sure.  But it’s definitely something you’ve always dreamed of having like a Homer Simpson chia pet or a Snuggie.  (Come on, fall is coming.  You know you want a Snuggie!)

Even more disturbing is the reach fraud rings have.  As NEWSWEEK points out, “Big Head” the leader of the fraud ring involved in the Bernanke crime:

employed an army of pickpockets, mail thieves, and office workers to swipe checks, credit cards, military IDs, and other personal records.

One member of the ring had infiltrated an office of the Combined Federal Campaign, the official U.S. government-sponsored charity, and supplied the crime ring with stacks of checks mailed in by federal workers, the records show. Another worked in a Washington, D.C., doctor’s office, with access to patients’ records and their bank-account information.

Those who are victims of a pickpocket, burglary, etc. are aware of their risk and can monitor their financial records and credit reports to look for unusual activity.  But what if your information was stolen from the check you sent in to a charity?  Or from the office manager at your doctor’s office?

Knowing that these fraud rings are penetrating places that we typically consider safe should be a big eye opener to all of us to be a lot more vigilant in reviewing our credit reports each year.   And remember, identity theft increases your risk beyond just financial crime.  Your information can be used for anything – from your SSN being used by an illegal immigrant to healthcare fraud or even criminal activity being committed in your name.  If any of your personal information has been compromised, you should consider signing up for a monitoring service from a company like ID Watchdog. They will monitor all your records and watch for things beyond just what appears on your credit report.

Case in point is the latest impersonation of Former Governor Sarah Palin on Facebook:

In mid-June of this year, Alex Grossman – a former film executive who has since written and directed commercials and short films that appear on sites like funnyordie.com — began to work on a screenplay.

“I was messing around with the theme of those who put ‘faith over fact’ in this country,” Grossman said. “I started thinking about Sarah Palin and her following: ‘What would it be like to be her? What are these people like? And do they really know her?’” Under the guise of research, he decided to attempt to pass himself off as Palin on Facebook. He tried every variation on Palin’s name he could think of. To his surprise, he was able to claim the Facebook name “Governor Palin.”

What took Facebook over a month to figure out – that “Governor Palin” wasn’t who she said she was—could have been accomplished instantly at the time Grossman opened the fake Facebook account using identity verification.

Reminiscent of this time last year, the Internet Safety Technical Task Force was mid-way through its “evaluation” of technologies that could be used to keep kids safe. One of IDology’s arguments was the fact that technologies existed that could be deployed today to verify adults (anyone 18+) to prevent fraud and identity theft. And, as we repeatedly pointed out, these technologies are being used hundreds of thousands of times a day by companies in industries such as financial, telecommunications, insurance, healthcare, and more.

But alas, our arguments always fell on deaf ears.

I still firmly believe verifying adults in social networks would go a long way to protecting kids.  And celebrities. Not to mention all us “average Joes” who don’t want to fall victim to identity theft and fraud. Even using just a basic level of identity verification (e.g. Is this identity real? Are there any fraud flags associated with it?), Twitter, Facebook, MySpace, Yahoo, etc. could all overcome their issues of fraud in a heartbeat.

First, be sure to download the new whitepaper published jointly by the Information Card Foundation and OpenID Foundation titled “Open Trust Frameworks for Open Government: Enabling Citizen Involvement through Open Identity Technologies.” This gives a good overview on both OpenID and Information Cards and how these open identity technologies can be used to help foster President Obama’s Memorandum on Transparency and Open Government.

Another thought-provoking read is this post by Ian Glazer at Burton Group who blogs about his Facebook privacy experiment as it relates to 3^rd party applications. Admittedly, it didn’t take long for the social butterfly in me to be drawn to Facebook’s allure and how easy (and fun!) it is to connect (and re-connect) with friends, colleagues, and family. Ian points out some real concerns we all should probably consider before taking that “Which 80s movie most resembles your life” quiz.

And while on the social networking subject, here’s something Robin Wilton with the Future Identity discussed during a privacy session at Catalyst which he also points out on his blog:

There’s no such thing as “social networking”. There’s “social interaction” and there’s “networking”. If you assume that both operate by the same rules (regardless of how tempting appearances may make that assumption) you’re fooling yourself. Admittedly, that’s just what a lot of us are doing these days - but we don’t yet know what the implications of that mass consensual delusion are.

In the identity world, consumers are helping blur the privacy lines by self publishing everything from what they are doing at the moment to a list of their “Top 25 Friends” on their social networking site du jour without realizing some of the privacy and personal safety ramifications.

Robin’s presentation was based on how to have a productive multi-stakeholder discussion on privacy and something that really resonated with me is this concept that privacy isn’t about data or secrecy; it’s about people and their personal dignity.  A very logical, common sense approach but we know putting it in action in way that satisfies all the stakeholders (legal, IT, marketing, consumers, businesses,etc.) can be difficult.  If you ever have the chance to hear Robin speak, I highly recommend that you attend.  In the meantime, check out a recent blog post he wrote on social networking and privacy.